the evolving cyber threat - internet security alliance evolving cyber threat and what businesses can...
TRANSCRIPT
The Evolving Cyber Threat and what businesses can do about it
Larry Clinton, President Direct 703/907-7028 [email protected]
Founders
ISA Board of Directors Ken Silva, Chairman CSO Verisgn Ty Sagalow, Esq. 1st Vice Chair President Product Development, AIG
• Angie Carfrae, VP Risk Management, Ceridian Corporation • Tim McKnight, CSO, Northrop Grumman • Jeff Brown, CISO/Director IT Infrastructure, Raytheon • Paul Smocer, SVP/CIO, Mellon Financial • Matt Broda, Chief Strategic Security, Nortel • Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers • Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences • Matt Flanagen, President, EIelctronic Industries Alliance
J. Michael Hickey, 2nd Vice Chair VP Government Affairs, Verizon Dr. M. Sagar Vidyasagar, Treasurer Exec VP, Tata Consulting Services
Our Partners
Industry Affairs/Government Relations
The Old Web
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
The Web is Inherently Insecure---and getting more so
• The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue….TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.”
Source: Hancock, Cutter Technology Journal 06
The Earlier Threat: Growth in vulnerabilities (CERT/cc)
4,129
2,437
171345 311 262
417
1,090
0
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
1995 2002
The Earlier Threat: Cyber incidents
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002
132
110,000
55,100
21,756
9,8593,7342,1342,5732,4122,3401,3347734062526
0
20000
40000
60000
80000
100000
120000
The Changing Threat A fast-moving virus or worm pandemic is not
the threat it was... • 2002-2004 almost 100 medium-to-high risk
attacks (“Slammer”; “SoBig”). • 2005, there were only 6 • 2006 and 2007……….. Zero
Faces of Attackers… Then
Chen-Ing Hau CIH Virus
Joseph McElroy
Hacked US Dept of Energy
Jeffrey Lee Parson
Blaster-B Copycat
Faces of Attackers… Now
Andrew Schwarmkoff Russian Mob Phisher
Jay Echouafni
Competitive DDoS
Jeremy Jaynes
$24M SPAM KING
The Changing Threat • Today, attackers perpetrate fraud, gather
intelligence, or conduct blackmail
• Vulnerabilities are on client-side applications word, spreadsheets, printers, etc.
• “The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video-sharing, and other Web-based innovations” (McAfee 2007)
The Threat Landscape is Changing
New Era Attacks Organized criminals, corporate spies, disgruntled employees, terrorists
Who: Kids, researchers, hackers, isolated criminals
Early Attacks
Why: Seeking fame & glory, use widespread attacks for maximum publicity
Seeking profits, revenge, use targeted stealth attacks to avoid detection
Risk Exposure: Downtime, business disruption, information loss, defacement
Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure
The Threat Landscape is Changing
New Era Attacks Multilayer pre-emptive and behavioral systems
Defense: Reactive AV signatures
Early Attacks
Recovery: Scan & remove System wide, sometimes impossible without re-image of system
Type: Virus, worm, spyware Targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, trojans, IW
Newer Threats • Designer malware: Malware designed for a specific
target or small set of targets
• Spear Phishing: Combines Phishing and social
engineering
• Ransomware: Malcode packs important files into
encrypted archive & deletes original then ransom is demanded
• RootKits: shielding technology to make malcode invisible
to the op system
Characteristics of the New Attackers
• Shift to profit motive • Zero day exploits • Increased investment and
innovation in malcode • Increased use of stealth
techniques
Digital Growth?
• “Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.”
---Stanford University Study, July 2006
Sure
Digital Defense? • 29% of Senior Executives “acknowledged” that they did not
know how many negative security events they had in the past year
• 50% of Senior Executives said they did not know how much money was lost due to attacks
Maybe Not
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06
Digital Defense
• 23% of CTOs did not know if cyber losses were covered by insurance.
• 34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
• “The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.”
---Source: DHS Chief Economist Scott Borg
Not So Much
Incidents & Losses
136
86
34
0
20
40
60
80
100
120
140
2004 2005 2006
Average Number of Security Incidents Per Participant
Percentage That Experienced Losses as a Result
25
56
28
55
40
63
0
20
40
60
80
100
2004 2005 2006
financial operational
---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)
Percentage of Participants Who Experienced an Insider Incident
41 39
55
0
20
40
60
80
100
2004 2005 2006
Insider Incidents - 2006
In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!
Total (%) Insider (%) Outsider (%)
Theft of IP 30 63 45 Theft of Proprietary Info. 36 56 49
Sabotage 33 49 41
Most common insider incidents in 2006 survey:
• rogue wireless access points (72%),
• theft of IP (64%),
• exposure of sensitive or confidential information (56%)
Economic Effects of Attacks • 25% of our wealth---$3 trillion---is transmitted over
the Internet daily • FBI: Cyber crime cost business
$26 billion (probably LOW estimate) • Financial Institutions are generally considered the
safest---their losses were up 450% in the last year • There are more electronic financial transfers than
paper checks now: Only 1% of cyber crooks are caught.
Cyber Attacks Effect Stock Price “Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.” Source: US Congressional Research Service 2004
Indirect Economic Effects “While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organizations trust relationships, harm to its reputation, and loss of economical and society confidence”
Source Carnegie Mellon CyLab 2007
Can it be stopped ? Yes! PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types Approximately 25% of these companies follow recognized “best practices” for cyber security
Benefits of Best Practices • Reduces the number of successful attacks • Reduces the amount of down-time
suffered from attacks • Reduces the amount of money lost from
attacks • Reduces the motivation to comply with
extortion threats Source:PricewatterhouseCoopers 2006
Senior Managers Best Practices
• Cited in US National Draft Strategy to Protect Cyber Space
• Endorsed by TechNet for CEO
Security Initiative
• Endorsed US India Business Council
• Currently Being Updated
Available Best Practice Resources #1: General Management
#2: Policy
#3: Risk Management
#4: Security Architecture & Design
#5: User Issues
#6: System & Network Management
#7: Authentication & Authorization
#8: Monitor & Audit
#9: Physical Security
#10: Continuity Planning & Disaster Recovery
Best Practices for Insider Threat Prevention & Mitigation
#1: Institute periodic enterprise-wide risk assessments.
#2: Institute periodic security awareness training for all employees.
#3: Enforce separation of duties and least privilege.
#4: Implement strict password and account management policies and practices.
#5: Log, monitor, and audit employee online actions.
#6: Use extra caution with system administrators and privileged users.
#7: Actively defend against malicious code.
#8: Use layered defense against remote attacks.
Best Practices for Insider Threat Prevention & Mitigation
#9: Monitor and respond to suspicious or disruptive behavior. #10: Deactivate computer access
following termination. #11: Collect and save data for use
in investigations. #12: Implement secure backup and
recovery processes.
#13: Clearly document threat controls.
Best Practices Model Contracts
Volume II: published June 2007with ANSI gives greater emphasis to standards-based information security controls. (www.isalliance.org)
Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.
Volume I
Why Doesn’t Everyone Comply with Established Best Practices?
“Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized” ---Stanford University ‘06
Management is
• Improved Product Safety (38%) • Improved Inventory management (14%) • Increase in timeliness of shipping info (30%)
WRONG A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:
Security ROI • Increase in supply chain information access (50%) • Improved product handling (43%) • Reduction in cargo delays (48%
reduction in inspections) • Reduction in transit time (29%) • Reduction in problem identification
time (30%) • Higher customer satisfaction (26%)
Security, like Digital Technology, must be Integrated in the Business Plan
“Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial loses as well as creates value as part of the business plan.” PricewaterhoseCoopers, September 2006
How do we do that?
• We have a changing technology environment • We have a changing
business model • We have a constantly
changing legal and regulatory environment
Business must take the lead.
• Security is an enterprise wide issue horizontally, vertically and cross functionally throughout the organization • Leaders are Accountable to the organization, stakeholders and the community (it’s a shared resource/responsibility) • Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don’t decide how much security they want
ISA/CMU: Elements of Effective Security Governance
ISA/CMU: Elements of Effective Security Governance
• Assess security based on risk - not tolerance to exposure, compliance, liability, operational disruptions, financial needs or reputation
• Define security roles and responsibilities – draw clear lines of delineation as to who does what and reports to who
• Address and enforce security in policy – include rewards and recognition
ISA/CMU Elements of Effective Security Governance
• Commit adequate security resources including authority and time to build and maintain core competencies • Expected staff awareness and training is reflected in job descriptions and expressed as cultural norm • Implement a life cycle system for software development, acquisitions, operations and retirement
• Plan, define and manage clear security objectives – measure results and integrate lessons learned into future plans • Risk committee conducts regular reviews and integrates digitalization into business plan---both positive and negative; Board Reviews and Audits
ISA/CMU Elements of Effective Security Governance
Cyber Security is NOT an IT Problem
• Business • Policy • Legal • Technology
BU
S/O
PE
RA
TIO
NA
L
LEGAL/REG
TE
CH
/R&
D
POLICY
PROBLEM / ISSUE
Issues must simultaneously address all organization perspectives including:
ISAlliance Integrated Business Security Program
• Outsourcing • Risk Management • Security Breech Notification • Privacy • Insider Threats • Auditing • Contractual Relationships (suppliers,
partners, sub-contractors, customers)
Weekly Webinar Series
Sample of Recent Webinars On Privacy and Compliance with Application to Healthcare Anupam Datta, CyLab Research Scientist, CMU Psychological Profiling Software to Aid in Forensic Investigation, Insider Detection and Relationship Management Eric Shaw, Clinical Psychologist & Visiting Scientist, SEI, CERT Outsourcing Risk Management: Legal Considerations Jody Westby, CEO, Global Cyber Risk
Privacy and Security, it isn't Either/Or, it's Both/And Jon Callas, PGP Corporation
Software Assurance in the Software Supply Chain Bill Scherlis, Professor, School of Computer Science, Director, ISRI and director of CMU's PhD Program in Software Engineering
Conclusions
1. Band-Aids (or patches) don’t cure – Systemic treatments do
2. You need to stay ahead of the problem just to keep up with the field
3. You are not in this alone, join the ISA team
Larry Clinton
President Internet Security Alliance
703-907-7028 (O) 202-236-0001 (C)