2008 11 19 larry clinton isa overview and international outreach to portugal
TRANSCRIPT
-
7/31/2019 2008 11 19 Larry Clinton ISA Overview and International Outreach to Portugal
1/34
Larry Clinton, President
Internet Security Alliance
[email protected]
202-236-0001
-
ISA Board of Directors
Ken Silva, Chairman, CSO Verisign
Ty Sagalow, Esq., 1st Vice Chair, President Product Development, AIG
J. Michael Hickey, 2nd Vice Chair, VP Government Affairs, Verizon
Dr. M. Sagar Vidyasagar, Treasurer, Exec VP, Tata Consulting Services
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York
Lawrence Dobranski, Chief Strategic Security, Nortel
Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, CEO, DCR Software Inc.
-
Our Partners
-
The Old Web
-
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
-
The Web is Inherently Insecure---and getting more so
"The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network."
Source: Hancock, Cutter Technology Journal 06
-
The Earlier Threat: Growth in vulnerabilities (CERT/cc)
[Bar chart: vulnerabilities reported per year, 1995 through 2002: 171, 345, 311, 262, 417, 1,090, 2,437, 4,129]
-
The Earlier Threat: Cyber incidents
[Bar chart: incidents reported per year, 1988 through 2002: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100, 110,000]
-
The Changing Threat
A fast-moving virus or worm pandemic is not the threat it was...
2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
2005: there were only 6.
2006 and 2007: zero.
-
Faces of Attackers Then
Chen-Ing Hau
CIH Virus
Joseph McElroy
Hacked US Dept of Energy
Jeffrey Lee Parson
Blaster-B Copycat
-
Faces of Attackers Now
Andrew Schwarmkoff
Russian Mob Phisher
Jay Echouafni
Competitive DDoS
Jeremy Jaynes
$24M SPAM KING
-
The Changing Threat
Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail.
Vulnerabilities are in client-side applications: Word, spreadsheets, printers, etc.
The problem is much more severe than the release of personal data: modern attackers are stealing source code and corporate intellectual property, and entire business operations systems are being vacuumed and transplanted.
Our physical security is reliant on our cyber security.
-
The Threat Landscape is Changing
Who:
  Early Attacks: Kids, researchers, hackers, isolated criminals
  New Era Attacks: Organized criminals, corporate spies, disgruntled employees, terrorists
Why:
  Early Attacks: Seeking fame & glory, use widespread attacks for maximum publicity
  New Era Attacks: Seeking profits, revenge, use targeted stealth attacks to avoid detection
Risk Exposure:
  Early Attacks: Downtime, business disruption, information loss, defacement
  New Era Attacks: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure
-
The Threat Landscape is Changing
Defense:
  Early Attacks: Reactive AV signatures
  New Era Attacks: Multilayer pre-emptive and behavioral systems
Recovery:
  Early Attacks: Scan & remove
  New Era Attacks: System wide, sometimes impossible without re-image of system
Type:
  Early Attacks: Virus, worm, spyware
  New Era Attacks: Targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, Trojans, IW
-
Newer Threats
Designer malware: Malware designed for a specific target or small set of targets
Spear Phishing: Combines phishing and social engineering
Ransomware: Malcode packs important files into an encrypted archive & deletes the original, then a ransom is demanded
RootKits: Shielding technology to make malcode invisible to the operating system
-
Characteristics of the New Attackers
Shift to profit motive
Zero day exploits
Increased investment and innovation in malcode
Increased use of stealth techniques
-
Digital Growth?
"Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth."
---Stanford University Study, July 2006
Sure
-
Digital Defense?
29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
50% of Senior Executives said they did not know how much money was lost due to attacks
Maybe Not
Source: PricewaterhouseCoopers survey of 7,000 companies, 9/06
-
CSO Magazine Study 10/08, 7,000 companies world wide
Only 59% of respondents attest to even having an overall security policy
Nearly half of all respondents said they can't identify the source of information security incidents they have suffered in the past year
Employees and former employees are the biggest source of security incidents, accounting for half of the ones we can trace
Only half of respondents provide employees with security awareness training
-
Not so much
Only 56% of respondents employ a security executive at the C-level---down 4% from the previous survey
Only 43% audit or monitor compliance with security policies (if they have them)
Just over half of companies (55%) use encryption
1/3 of respondents don't even use firewalls
Only 22% of companies keep an inventory of all outside parties' use of their data
-
Not So Much
23% of CTOs did not know if cyber losses were covered by insurance.
34% of CTOs thought cyber losses would be covered by insurance---and were wrong.
The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg
-
The Good News: We know (mostly) what to do
2005 CIO/PricewaterhouseCoopers study of 7,000 organizations world-wide found the 20% best practices group (although attacked more) suffered less downtime and less financial loss---none at times.
2008 Verizon study of 500 forensic cases and thousands of data points found following best practices could stop 90% of breaches.
CIA due diligence can stop 90% of attacks; implementation is the key.
-
How do we really protect ourselves?
1. Adopt an enterprise wide, risk management approach
2. Since this is an enterprise wide problem, you have to get all the critical silos at the table
3. Determine who really is involved (other than IT)
4. Determine what you are going to answer
5. THEN decide what to do (software? training? contracts w/affiliates? insurance? outreach?)
-
Legal/Regulatory Issues
Have cyber liabilities been analyzed?
What regulations apply to lines of business?
Exposed to class action/shareholder suits?
Is org protected from business interruptions?
Org protected from fed/state govt. investigations?
What jurisdictions does data move through?
What is in our contracts?
What does our privacy policy say?
-
Compliance/Regulatory
Have an inventory of what regs apply to us?
Know what regulated data is and where it's located?
Valid reasons for keeping this data?
What have we done to protect the data?
Incident response program/notification program?
What is the impact of possible data loss?
Procedures in place for tracking compliance?
How are we tracking vendors' procedures?
-
External Rel & Comm.
Analyzed impact of events on reputation/stakeholders/customers etc.?
Plan for communicating with stakeholders?
Identified resources/budget needed for plan?
Clear roles and responsibilities for comm?
Thought through segmenting messages for different stakeholders?
Legal requirements for notification?
Tested it?
-
Risk transfer
What is exposure (brand/confidence/physical loss)? How do we measure?
Are you already covered? D&O?
Do we need to bring in expertise? Who?
Is insurance available?
What is the ROI for insurance and other risk transfer approaches?
-
09 Securing the VOIP Platform
VOIP is the paradigm case for corporate economics overcoming security concerns
Platform itself not as profitable as products sold to use it
ISA/NIST program to use SCAP (Security Content Automation Protocol) and the National Vulnerability Database to create a free customizable framework
Companies can build products on the more secure platform (ones that participate get to know the standards first)
Better security and better markets
-
09 Securing the Global IT Supply Chain
IT supply chain is inherently global
This immutable reality brings new risks
If not addressed, Congress will do it for us, probably through protectionism
07-08 ISA/CMU/industry 3-phase program to create a framework that takes into account market, business and policy reality
New phase to begin first quarter 09
-
What to Tell President Obama?
1. We need to increase our emphasis and investment on cyber security
2. Cyber Security must be recognized as critical infrastructure maintenance
3. Cyber Security is not an IT problem.
4. Cyber security is an enterprise wide risk management problem
5. Government and Industry need a new relationship
-
Obama: Inconvenient truths
1. All security is reliant on cyber systems
2. Cyber systems are inherently in the private sector's hands
3. US cannot tackle the cyber security issues unilaterally
-
Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development through market incentives
Consumer protection through regulation
Gov role to motivate is more creative, and harder
Industry role is to develop practices and standards and implement them
-
Larry Clinton, President
Internet Security Alliance
202-236-0001