information security today and tomorrow

IBM Global Services

© Copyright IBM Corporation 2004

Information Security Today and Tomorrow

Oct .2nd 2007, GRIFFE session

Michel Bobillier, Global Offering ExecutiveIBM Security and Privacy Services

Presentation Title | Confidential | 15-Oct-072

IBM Global Services


Agenda

1. Illustrate the Business Challenge created by security

2. Highlight the transformation and trends underway

3. Review myths and themes


IBM Global Services


Boeing employee charged with stealing 320,000 sensitive files InformationWeek, July 11, 2007

Japanese bank loses 1million customer recordsDark Reading, July, 2007

The Department of Justice and FBI today said ongoing investigations have identified over 1 million botnetcrime victims Networkworld.com, June 13th, 2007

Data for 800,000 GAP job applicants stolenTheregister.co.uk, Sept. 28, 2007

The tally of people whose Social Security numbers and other personal data were on a computer storage device stolen from a state intern reached 859,800. The Enquirer , July 12, 2007

<>

Retail giant TJX Companies announced a $118 million charge to pay for the theft of 45.6 million credit and debit accounts.Security Focus, Aug. 14, 2007

Lawsuit against Fidelity National Information Services filed on behalf of 8.5 million consumers in data breach case Computerworld, Aug. 2007

Security breaches regularly published demonstrate the reality ofthe menace.


IBM Global Services


Pre-warnings have reached us during the last four years

Slammer worm crashed Ohio nuke plant network

Computer virus brings down train signals in Washington. Dozen trains canceled.

More than 70 percent of virus writers are now writing spywareunder contract

MasterCard Shuts Down 1,400 PhishingSites.

The number of bank accounts accessed illegally by a New Jersey cybercrime ring has grown to 676,000, according to police investigators.

At least a million machines are under the control of hackers worldwide.

Fraudsters use iPodsto steal company information

Dutch suspects arrested controlled some 1.5 million computers as part of a worldwide botnet, not 100,000 as first thought.


IBM Global Services


Security breaches: media titles


IBM Global Services


Security threats are growing in numbers and sophistication

• The incidents reported are growing exponentially years after years

• The focus, creativity and sophistication of these attacks has reached unprecedented levels

• The weaker point of the chain is often the target: the user

• Phishing sites are sharply on the rise

(Source: IBM ISS x-force 1H2007 report, Aug. 2007)


IBM Global Services


Other IBM ISS x-Force report highlightsVulnerabilities

• The top-3 vulnerable vendors in the first half of 2007 are Microsoft, Apple and Oracle (9%)• 21% of the vulnerabilities identified within the top-5 vulnerable vendors’ products were unpatched at the

end of the first half of 2007 (60% for the remaining vendors)• 90% of all vulnerabilities uncovered in the first half of 2007 can be exploited remotely.

Spam and Phishing• The U.S., Poland and Russia are the three largest originators of spam worldwide (25%)• Europe accounts for the largest source of phishing e-mail. Spain is 18% of the world-wide volume• Almost half of all fraudulent phishing Web sites are hosted within the U.S.

Web Content• “Unwanted” content decreased to 10 percent in the first half of 2007• Web sites that host pornographic or sex-related content account for 9.9 percent of the Internet.• The U.S. continues to be the top hosting country for “unwanted” content.

Malcode• The largest threat category of malware so far in 2007 is Trojans.

Web Browser Exploitation• The most popular exploit used to infect Web browsers with malware was Visual Studio WMI Object

Broker ActiveX.• 80% of Web-based exploits are obfuscated, with JavaScript being the most common obfuscation vector


IBM Global Services


Phishing, Pharming, Spyware, Malware, Ransomware, Malcode, Phrauding, Botnets, Zombies…

• 237 million security attacks detected during one semester by IBM outsourcing organization

• Targeted phishing attacks for money laundering and identity fraud purposes

• More and more astute in the creation and delivery of such attacks

• Hackers have turned toward more criminal and lucrative areas of directing attacks to specific individuals or organizations

• 150,000 unique spams message analyzed daily

(Source: antiphishing.org, Sept. 2007)

Thousands of stones versus one big shot


IBM Global Services


Where do threats to your business originate from?

Your Business

Foreign Governments Fraud

Competitors

Organized Crime

Internal Threats

Hackers

Viruses

Deliberate Attack

Natural DisasterAccident

Human Error


IBM Global Services


Real losses are encountered. Amount by category

(Source: CSI 2007 survey, n= 494, US)

Likely Sources of Attack:

11% 10%

32%16%

31%

Foreign Gvt

Foreign Corp

Indep Hackers

Competitors

Employees

(Source:2003 CSI/FBI survey, n=488)


IBM Global Services


Why is this happening today?

1. Increased business dependency on Information Technology

2. Multi-company processes, business partnerships, alliances, M&As

3. Increasing user base

4. Rapidly developing technologies & complexity

Follow the money

� “Manage your IT risk or lose your good name” – Gartner Group, Sept. 2007


IBM Global Services


Adoption of new business models provide key benefits as well as new security challenges

Businessprocesses

consumer organization IT consumer organization

Increasing need for:

� Flexibility� Responsiveness� Availability� Security

• IT is key interface with outside

•Faster pace, less predictable

•Realtime linkage (IT/business)

• IT was insulated within business

•Slower, more predictable

•After the fact linkage (IT/business)

ITIT

Businessprocesses

IT


IBM Global Services


Increased collaboration brings greater business rewards, but also poses greater business risks

Collaboration

Tru

st

Isolated Operations

Select ‘Trusted Partners’

Value Chain Visibility

Industry-Centric Value Web

Cross-Industry Value Coalition

Partner/Channel

Supplier/Outsourcer

Customer

Subsidiary/JV

Core Business

Legend

11

22

33

44

55


IBM Global Services


Technology developments fuel provide a moving technical environment

Doubles every 12 month

Doubles ever 12 month (fiber), but access to home much less

CPU

BandwidthDisplay

New Technologies

wired

wirelessOLED

Nano

Quantum

fiber Broadband

Gadgets

Super computing

Memory

Doubles ever 12 month

Doubles ever 18 month

More gadgets than PCs

250 Pixels per inch

Better, Faster, Cheaper !

Storage


IBM Global Services


How will the security challenges evolve?

Drivers

1. Regulatory complianceBasel II (banks), 21 CFR Part 11 (life sciences), HIPAA (healthcare), TREAD Act (automotive), and Sarbanes-Oxley (publicly traded firms and their accounting firms), GLBA (Gramm-Leach-Bliley Act), Canadian Privacy Code, European Data Directive, South Korea Basic Act on Electronic Commerce

2. New business model adoption and increasing business dependency on technology

3. Increasing user base

4. Business partnerships, alliances, M&A

5. Rapidly developing technologies and complexity

6. Need for brand and shareholder value protection

Issues:

� Recreational hacker -> hactivist -> industrial espionage -> organised crime

� Greater proliferation of intelligent viruses

� Increased tooling to exploit vulnerabilities

� Internal versus external threats

� Malicious intent vs accidental

� Skills shortages


IBM Global Services


Key security trends

� Convergence of Physical and logical security

� Adoption of federated Identity management

� Drive toward greater interoperability

� Evolution of real-time threat management systems

� Movement from disaster recovery to business continuity and resiliency

� Enterprise wide security programs focusing on risk management and governance


IBM Global Services


Deloitte and Touche global customer survey

Top 5 customer initiatives:

1. Access and identity management – 50%.

2. Security regulatory compliance – 49%.

3. Security training and awareness – 48%.

4. Governance for security – 37%.

5. Disaster recovery and business continuity – 37%.

(Source: Deloitte and Touche,

2007 Global Security Survey

n = 169 financial institutions)


IBM Global Services


Myths and ThemesMyths and Themes


IBM Global Services


Theme 1: This is a journey, not a destination

PolicyAudit ControlControl

TrustTrust

PrivacyPrivacy

Administration Implementation

Risk


IBM Global Services


Theme 2: Patch management provides high return on investment

� 10th of new vulnerabilities appear every week

� 90%+ of successful attacks use known vulnerabilities (!)

� Hackers are able to reverse engineer patches in 2 days to detect the vulnerability addressed and launch corresponding attacks

� The problem is complex: heterogeneous disseminated technology

� A majority of companies do not feel they have implemented optimal patch management processes


IBM Global Services


Theme 3: Everything starts with an Identity

� Legislation and best practices require to know who access what data

� We all are unique, but have 10th of identities, with different flavors: governments, bank, employment, web, etc.

� Sound identity management is about a process

� Privacy and trust are closely linked to identity

� Across frontiers, across businesses, across time

� Moving from long heavy processes to automatizedlight and rapid procedure

Security Policies

Applications

Authentic.Methods

Identity Credentials

Users

Identity Information

ProofProof

ProvisionProvision

AccessAccess

Identity theft

Fraud

Privacy


IBM Global Services


Theme 4: Security is a business issue, not a technology one

• Brand image

• Shareholder value

• Customer confidence

• Critical corporate information and assets

• Employee, supplier and shareholder confidence

• Brand value and power

• Competitive advantage

• Business growth

Business Strategy

Business Processes and Operation

Business Applications

Infrastructure


IBM Global Services


Theme 4: Security is a business issue, not a technology one

• Brand image







• Business growth

Business Strategy

Business Processes and Operation

Business Applications

Infrastructure

• Brand image







• Business growth

Brand Values: • Coca-cola $67B • Microsoft $59M• IBM $53M• GE $47M• Nescafé (23) $12M

(Source: business week.com)


IBM Global Services


Plan to keep spend constant

Plan to increase spend

Plan to decrease spend

Source: Forrester, 2007, IBM Customer Interviews

Security budgets are large … and increasing

(%)

Plan to keep spend constant

Plan to increase spend

Plan to decrease spend

% of Overall IT Spending Going to Security, 2007

Source: Forrester, 2007, IBM Customer Interviews

Plans to change security spend over the next 2 years


IBM Global Services


A fresh approach is required

The new security imperatives

1. Prioritize by identifying and protecting the most critical assets

2. Integrate people and process with technology

3. Weigh the benefits of outsourcing select security functions to trusted partners

Virus, anti-virus. Spam, anti-spam. Spyware, anti-spyware. Adware, anti-adware. , xxx, anti xxx …….


IBM Global Services


IBM’s leverages an integrated security solutions approach to allow customers to “Stay ahead of the threat”

Defend against threats

Assess security posture

Monitorthe environment

Protect valuable assets

Controlrisk

IBM Professional Security Services

IBM Managed Security Services

IBM Security Hardware and Software

IBM Information Security Framework

GovernanceGovernance

PrivacyPrivacy

Threat mitigationThreat mitigation Transaction and data integrity

Transaction and data integrity

Identity andaccess management

Identity andaccess management Application securityApplication security

Physical securityPhysical security Personnel securityPersonnel security


IBM Global Services


Do and don’t

ibm.com/services/security

� Start with an enterprise security policy and review it twice a year

� Assess regularly your security posture and compare it with your requirements

� Conduct a security awareness program across your company

� Position the Chief Security Officier outside the IT organization

� Automatize your patch management

� Focus on processes, application and infrastructure. Not only on technology

� Consider strong authentication to replace password-based security

� Test regularly your business continuity plans


IBM Global Services


Conclusion

1. The danger is real. It happens.

2. There is no silver bullet. Our worse enemy is the lack of awareness and top executive focus.

3. Security is not about technology. It's a business issue

4. IBM is uniquely positioned to solve your complex security problems with our unmatched combination of research, technology and expertise. For you.


IBM Global Services


Thank YouThank You

Q&AQ&A

[email protected]/services/security


IBM Global Services


Spam – August 2007 status

information security today and tomorrow

Documents