information security today and tomorrow
IBM Global Services
© Copyright IBM Corporation 2004
Information Security Today and Tomorrow
Oct. 2nd 2007, GRIFFE session
Michel Bobillier, Global Offering Executive, IBM Security and Privacy Services
Presentation Title | Confidential | 15-Oct-072
Agenda
1. Illustrate the Business Challenge created by security
2. Highlight the transformation and trends underway
3. Review myths and themes
Boeing employee charged with stealing 320,000 sensitive files. InformationWeek, July 11, 2007
Japanese bank loses 1 million customer records. Dark Reading, July, 2007
The Department of Justice and FBI today said ongoing investigations have identified over 1 million botnet crime victims. Networkworld.com, June 13th, 2007
Data for 800,000 GAP job applicants stolen. Theregister.co.uk, Sept. 28, 2007
The tally of people whose Social Security numbers and other personal data were on a computer storage device stolen from a state intern reached 859,800. The Enquirer, July 12, 2007
Retail giant TJX Companies announced a $118 million charge to pay for the theft of 45.6 million credit and debit accounts. Security Focus, Aug. 14, 2007
Lawsuit against Fidelity National Information Services filed on behalf of 8.5 million consumers in data breach case. Computerworld, Aug. 2007
Regularly published security breaches demonstrate the reality of the menace.
Pre-warnings have reached us during the last four years
Slammer worm crashed Ohio nuke plant network
Computer virus brings down train signals in Washington. Dozen trains canceled.
More than 70 percent of virus writers are now writing spyware under contract
MasterCard Shuts Down 1,400 Phishing Sites.
The number of bank accounts accessed illegally by a New Jersey cybercrime ring has grown to 676,000, according to police investigators.
At least a million machines are under the control of hackers worldwide.
Fraudsters use iPods to steal company information
Dutch suspects arrested controlled some 1.5 million computers as part of a worldwide botnet, not 100,000 as first thought.
Security breaches: media titles
Security threats are growing in numbers and sophistication
• The incidents reported are growing exponentially year after year
• The focus, creativity and sophistication of these attacks have reached unprecedented levels
• The weakest point of the chain is often the target: the user
• Phishing sites are sharply on the rise
(Source: IBM ISS X-Force 1H2007 report, Aug. 2007)
Other IBM ISS X-Force report highlights
Vulnerabilities
• The top-3 vulnerable vendors in the first half of 2007 are Microsoft, Apple and Oracle (9%)
• 21% of the vulnerabilities identified within the top-5 vulnerable vendors’ products were unpatched at the end of the first half of 2007 (60% for the remaining vendors)
• 90% of all vulnerabilities uncovered in the first half of 2007 can be exploited remotely.
Spam and Phishing
• The U.S., Poland and Russia are the three largest originators of spam worldwide (25%)
• Europe accounts for the largest source of phishing e-mail. Spain is 18% of the world-wide volume
• Almost half of all fraudulent phishing Web sites are hosted within the U.S.
Web Content
• “Unwanted” content decreased to 10 percent in the first half of 2007
• Web sites that host pornographic or sex-related content account for 9.9 percent of the Internet.
• The U.S. continues to be the top hosting country for “unwanted” content.
Malcode
• The largest threat category of malware so far in 2007 is Trojans.
Web Browser Exploitation
• The most popular exploit used to infect Web browsers with malware was Visual Studio WMI Object Broker ActiveX.
• 80% of Web-based exploits are obfuscated, with JavaScript being the most common obfuscation vector
Phishing, Pharming, Spyware, Malware, Ransomware, Malcode, Phrauding, Botnets, Zombies…
• 237 million security attacks detected during one semester by IBM outsourcing organization
• Targeted phishing attacks for money laundering and identity fraud purposes
• More and more astute in the creation and delivery of such attacks
• Hackers have turned toward more criminal and lucrative areas of directing attacks to specific individuals or organizations
• 150,000 unique spam messages analyzed daily
(Source: antiphishing.org, Sept. 2007)
Thousands of stones versus one big shot
Where do threats to your business originate from?
Your Business
Foreign Governments
Fraud
Competitors
Organized Crime
Internal Threats
Hackers
Viruses
Deliberate Attack
Natural Disaster
Accident
Human Error
Real losses are encountered. Amount by category
(Source: CSI 2007 survey, n= 494, US)
Likely Sources of Attack:
[Pie chart. Categories: Foreign Gvt, Foreign Corp, Indep Hackers, Competitors, Employees. Segment values shown: 11%, 10%, 32%, 16%, 31%.]
(Source: 2003 CSI/FBI survey, n=488)
Why is this happening today?
1. Increased business dependency on Information Technology
2. Multi-company processes, business partnerships, alliances, M&As
3. Increasing user base
4. Rapidly developing technologies & complexity
Follow the money
• “Manage your IT risk or lose your good name” – Gartner Group, Sept. 2007
Adoption of new business models provides key benefits as well as new security challenges
[Diagram labels: business processes, IT, consumer, organization]
Increasing need for: Flexibility, Responsiveness, Availability, Security
• IT is key interface with outside
• Faster pace, less predictable
• Realtime linkage (IT/business)
• IT was insulated within business
• Slower, more predictable
• After the fact linkage (IT/business)
Increased collaboration brings greater business rewards, but also poses greater business risks
Collaboration
Trust
Isolated Operations
Select ‘Trusted Partners’
Value Chain Visibility
Industry-Centric Value Web
Cross-Industry Value Coalition
Partner/Channel
Supplier/Outsourcer
Customer
Subsidiary/JV
Core Business
Legend
1 2 3 4 5
Technology developments fuel a moving technical environment
Doubles every 12 months
Doubles every 12 months (fiber), but access to home much less
CPU
Bandwidth
Display
New Technologies
wired
wireless
OLED
Nano
Quantum
fiber Broadband
Gadgets
Super computing
Memory
Doubles every 12 months
Doubles every 18 months
More gadgets than PCs
250 Pixels per inch
Better, Faster, Cheaper!
Storage
How will the security challenges evolve?
Drivers
1. Regulatory compliance: Basel II (banks), 21 CFR Part 11 (life sciences), HIPAA (healthcare), TREAD Act (automotive), and Sarbanes-Oxley (publicly traded firms and their accounting firms), GLBA (Gramm-Leach-Bliley Act), Canadian Privacy Code, European Data Directive, South Korea Basic Act on Electronic Commerce
2. New business model adoption and increasing business dependency on technology
3. Increasing user base
4. Business partnerships, alliances, M&A
5. Rapidly developing technologies and complexity
6. Need for brand and shareholder value protection
Issues:
• Recreational hacker -> hacktivist -> industrial espionage -> organised crime
• Greater proliferation of intelligent viruses
• Increased tooling to exploit vulnerabilities
• Internal versus external threats
• Malicious intent vs accidental
• Skills shortages
Key security trends
• Convergence of physical and logical security
• Adoption of federated identity management
• Drive toward greater interoperability
• Evolution of real-time threat management systems
• Movement from disaster recovery to business continuity and resiliency
• Enterprise-wide security programs focusing on risk management and governance
Deloitte and Touche global customer survey
Top 5 customer initiatives:
1. Access and identity management – 50%.
2. Security regulatory compliance – 49%.
3. Security training and awareness – 48%.
4. Governance for security – 37%.
5. Disaster recovery and business continuity – 37%.
(Source: Deloitte and Touche, 2007 Global Security Survey, n = 169 financial institutions)
Myths and Themes
Theme 1: This is a journey, not a destination
[Diagram labels: Policy, Audit, Control, Trust, Privacy, Administration, Implementation, Risk]
Theme 2: Patch management provides high return on investment
• Tens of new vulnerabilities appear every week
• 90%+ of successful attacks use known vulnerabilities (!)
• Hackers are able to reverse engineer patches in 2 days to detect the vulnerability addressed and launch corresponding attacks
• The problem is complex: heterogeneous disseminated technology
• A majority of companies do not feel they have implemented optimal patch management processes
Theme 3: Everything starts with an Identity
• Legislation and best practices require knowing who accesses what data
• We are all unique, but have tens of identities, with different flavors: governments, bank, employment, web, etc.
• Sound identity management is about a process
• Privacy and trust are closely linked to identity
• Across frontiers, across businesses, across time
• Moving from long, heavy processes to automated, light and rapid procedures
Security Policies
Applications
Authentic. Methods
Identity Credentials
Users
Identity Information
Proof
Provision
Access
Identity theft
Fraud
Privacy
Theme 4: Security is a business issue, not a technology one
• Brand image
• Shareholder value
• Customer confidence
• Critical corporate information and assets
• Employee, supplier and shareholder confidence
• Brand value and power
• Competitive advantage
• Business growth
Business Strategy
Business Processes and Operation
Business Applications
Infrastructure
Brand Values:
• Coca-cola $67B
• Microsoft $59M
• IBM $53M
• GE $47M
• Nescafé (23) $12M
(Source: businessweek.com)
Security budgets are large … and increasing
[Chart: % of Overall IT Spending Going to Security, 2007. Source: Forrester, 2007, IBM Customer Interviews]
[Chart: Plans to change security spend over the next 2 years (%). Categories: plan to keep spend constant, plan to increase spend, plan to decrease spend. Source: Forrester, 2007, IBM Customer Interviews]
A fresh approach is required
The new security imperatives
1. Prioritize by identifying and protecting the most critical assets
2. Integrate people and process with technology
3. Weigh the benefits of outsourcing select security functions to trusted partners
Virus, anti-virus. Spam, anti-spam. Spyware, anti-spyware. Adware, anti-adware. xxx, anti-xxx …
IBM leverages an integrated security solutions approach to allow customers to “Stay ahead of the threat”
Defend against threats
Assess security posture
Monitor the environment
Protect valuable assets
Control risk
IBM Professional Security Services
IBM Managed Security Services
IBM Security Hardware and Software
IBM Information Security Framework
Governance
Privacy
Threat mitigation
Transaction and data integrity
Identity and access management
Application security
Physical security
Personnel security
Do and don’t
ibm.com/services/security
• Start with an enterprise security policy and review it twice a year
• Regularly assess your security posture and compare it with your requirements
• Conduct a security awareness program across your company
• Position the Chief Security Officer outside the IT organization
• Automate your patch management
• Focus on processes, application and infrastructure, not only on technology
• Consider strong authentication to replace password-based security
• Regularly test your business continuity plans
Conclusion
1. The danger is real. It happens.
2. There is no silver bullet. Our worst enemy is the lack of awareness and top executive focus.
3. Security is not about technology. It's a business issue.
4. IBM is uniquely positioned to solve your complex security problems with our unmatched combination of research, technology and expertise. For you.
Thank You
Q&A
[email protected]
ibm.com/services/security
Spam – August 2007 status