The Evolving Threat Todays cyber security challenges and solutions - - PowerPoint PPT Presentation

The Evolving Threat

Today’s cyber security challenges and solutions

Are Water Lines At Risk?

n Security lacking in networks

controlling critical infrastructure

n Hackers, terrorists could find way into

controls of nuclear power stations, electrical grids, water lines.

n By Bob Keefe

WEST COAST BUREAU Monday, October 02, 2006

The Past

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

The Present

The earlier threat landscape

n

Human Agents

n

Hackers

n

Disgruntled employees

n

White collar criminals

n

Organized crime

n

Terrorists

n

Methods of Attack

n

Brute force

n

Denial of Service

n

Viruses & worms

n

Back door taps & misappropriation,

n

Information Warfare (IW) techniques Exposures

n

Information theft, loss & corruption

n

Monetary theft & embezzlement

n

Critical infrastructure failure

n

Hacker adventures, e-graffiti/ defacement

n

Business disruption Representative Incidents

n

Code Red, Nimda, Sircam

n

CD Universe extortion, e-Toys “Hactivist” campaign,

n

Love Bug, Melissa Viruses

n

SOBIG, SLAMMER

The earlier threat:

growth in vulnerabilities (CERT/cc)

4,129 2,437 171 345 311 262 417 1,090

500 1,000 1,500 2,000 2,500 3,000 3,500 4,000 4,500

1995 2002

The earlier threat:

cyber incidents

1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 132 110,000 55,100 21,756 9,859 3,734 2,134 2,573 2,412 2,340 1,334 773 406 252 6

20000 40000 60000 80000 100000 120000

Anyone have a cell phone?

n “Companies have built into their

business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.” ---The Manufacturing Institute July 2006

The changing threat

n The fast-moving virus or worm

pandemic is not the threat. 2002-2004 almost 100 medium-to-high risk attacks. 2005, there were only 6 This year, 0.

The changing threat

n Today, attackers are motivated to

perpetrate fraud, gather intelligence,

• r gain access to vulnerable systems.

n Vulnerabilities are now on client-side

devices and applications (word processing, spreadsheet programs, wireless devices) that require interaction, instead of on servers

The changing threat

n Cybercrime growth

n 6,110 Denial of Service attacks per day

n 4000 in January ’06 to 7,500 in June ‘06

n Bot nets are the engine driving growth n Increase in modular malicious code

(initially limited functionality but updates itself with new, more damaging capabilities)

n Insider threats

Economic Effects of Attacks

n 25% of our wealth---$3 trillion---is

transmitted over the Internet daily

n FBI: Cyber crime cost business $26

billion (probably a LOW estimate)

n Financial Institutions are generally

considered the safest---their losses were up 450% in the last year

n There are more electronic financial

transactions than paper checks now, 1% of cyber crooks are caught.

I’m too Small to Attack, Not.

n One of every three small businesses

in America were affected by MyDoom virus---- 2x the proportion of large companies effected by that virus.

n Small Businesses get attacked more

• ften, have less defenses, have

smaller margins to protect against loss

n Small businesses have needs and

require a special program

2006 Data Breach Laws

Enacted in: AZ, CO, KS, UT, NE, ID

Enacted in: IN, ME, WI Introduced in at least 35 states

Sources: National Conference of State Legislatures U.S. Public Interest Research Group

Pending Federal Legislation

n House Judiciary Committee: Ø Passed legislation on Thursday June 1st 2006 n House Energy and Commerce Committee Ø Passed legislation on Wednesday May 31st 2006 n Senate Judiciary Committee Ø S.1789 Personal Data and Privacy Act - Pending n Sponsor: Sen. Arlen Specter (PA) n Cosponsors: Sen. Patrick Leahy (VT), Sen. Russell D.

Fiengold (WI), Sen. Dianne Fienstein (CA)

What’s the result of all the legislative activity?

• 1. Confusion for business
• 2. Inaction in the Congress
• 3. Growing problems and costs

“August 2006 was the worst month for data security breeches on record” SANS Institute Sept 2006

Can it be stopped ? YES !

n PricewaterhouseCoopers conducted 2

International surveys (2004 & 2006) covering 15,000 corporations of all types

n Apx 25% of the companies surveyed

were found to have followed recognized “best practices” for cyber security.

Benefits of Best Practices

n Reduces the number of successful

attacks

n Reduces the amount of down-time

suffered from attacks

n Reduces the amount of money lost

from attacks

n Reduces the motivation to comply

with extortion threats

n Cited in US National

Draft Strategy to Protect Cyber Space (September 2002)

n Endorsed by TechNet

for CEO Security Initiative (April 2003)

n Endorsed US India

Business Council (April 2003)

ISALLIANCE BEST PRACTICES

n Practice #1: General Management n Practice #2: Policy n Practice #3: Risk Management n Practice #4: Security Architecture & Design n Practice #5: User Issues n Practice #6: System & Network Management n Practice #7: Authentication & Authorization n Practice #8: Monitor & Audit n Practice #9: Physical Security n Practice #10: Continuity Planning & Disaster

Recovery

Why Doesn’t Everyone Comply with the Best Practices?

n “Many organizations have found it

difficult to provide a business case to justify security investments and are reluctant to invest beyond the

• minimum. One of the main reasons

for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized—Manufacturer’s Institute ‘06

But, management is wrong.

n Stanford Global Supply Chain Management

Forum/IBM Study: “Clearly demonstrated that investments in supply chain security can provide business value such as: * Improved Product Safety (38%)

• Improved Inventory management (14%)
• Increase in timeliness of shipping info

(30%)

There’s More !!!

n Increase in supply chain information

access (50%)

n Improved product handling (43%) n Reduction in cargo delays (48%

reduction in inspections)

n Reduction in transit time (29%) n Reduction in problem identification

time (30%)

n Higher customer satisfaction (26%)

Security, like Digital Technology must be Integrated in Bus Plan

n “Security is still viewed as a cost, not

as something that could add strategic value and translate into revenue and

• savings. But if one digs into the

results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial loses as well as creates value as part of the business plan.” PricewaterhoseCoopers Sept 2006

So, how do we do that?

n We have a changing technology

environment

n We have a changing business model n We have a constantly changing legal

and regulatory environment

n Business must take the lead

Cyber Security is not an IT problem

n Issues must be addressed

simultaneously from the

n Legal Perspective n The Business Perspective n The Technology perspective n The Policy Perspective

ISAlliance Integrated Business Security Program

n Outsourcing n Risk Management n Security Breech Notification n Privacy n Insider Threats n Auditing n Contractual Relationships (suppliers,

partners, sub-contractors, customers)

ISAlliance Small Business Program

n Special Set of Best Practices Endorsed

by:

n DHS n Chamber of Commerce n NAM n NFIB n ABA n “Wholesale Memberships” through

trade associations

Sponsors

Larry Clinton Operations Officer Internet Security Alliance lclinton@eia.org 703-907-7028 202-236-0001