Trends in Information Security:
Security Update 2003
Presented By:
Tina LaCroix & Jason Witty
Presentation Overview
• Introduction and Benefits of InfoSec
• Trends and Statistics
• Hacking Tools Discussion / Demonstration
• Proactive Threat and Vulnerability Management
• Security Lifecycle
• Recommendations
• Wrap-up / Questions
Q: In Today’s Down Market, What Can:
• Give your company a competitive advantage?
• Support your reputation in the eyes of your customers and business partners?
• Demonstrate compliance to local, federal and international regulatory statutes?
• Improve system uptime and employee productivity?
• Ensure viable long term e-Commerce?
Answer: The appropriate Information Security Program.
What’s the Problem?
Your security people have to protect against thousands of security problems…
Hackers only need one thing to be missed.
But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.
Some InfoSec Statistics
• General Internet attack trends are showing a 64% annual rate of growth – Symantec
• The average [security conscious] company experienced 32 attacks per week over the past 6 months – Symantec
• The average measurable cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 – UK Dept of Trade & Industry
• Identity theft related information is selling for $50-$100 per record – LOMA Resource 12/02
Top 10 Security Laws (provided by Microsoft)
1. Technology is not a panacea
2. Security isn't about risk avoidance, it's about risk management
3. The most secure network is a well-administered one
4. There really is someone out there trying to guess your passwords
5. Eternal vigilance is the price of security
6. It doesn't do much good to install security fixes on a computer that was never secured to begin with
7. If you don't keep up with security fixes, your network won't be yours for long
8. Security only works if the secure way also happens to be the easy way
9. Nobody believes anything bad can happen to them, until it does
10. The difficulty of defending a network is directly proportional to its complexity
Computer Incident Statistics
[Chart: Number of Incidents Handled by CERT/CC per year; y-axis 0 to 60,000 incidents]
• In 1988 there were only 6 computer incidents reported to CERT/CC.
• There were 52,658 reported and handled last year.
Virus Threat Evolution: The Threat is Spreading Faster
[Chart: # of infections/hour at peak of outbreak, by year 1998–2002; outbreaks plotted: Melissa, ExploreZip, LoveLetter, Anna Kournikova, CodeRed, Nimda, Klez; y-axis up to 7,000 infections/hour]
The time required for malicious code to spread to a point where it can do serious infrastructure damage halves every 18 months.
Source: Network Associates, January 2003, used with permission
General Trends in Attack Sophistication
Over Time, Attacks have Gotten More Complex, While Knowledge Required to Attack has Gone WAY Down
[Chart: Level of Damage Capable vs. Level of Knowledge Required, plotted over time on a 0–10 scale]
Information Security Threats: Attackers
• Bored IT guys……
• “Hacktivists”
• Competitors
• Terrorists
• Disgruntled (or former) employees
• Real system crackers (Hackers)
• The infamous “script kiddie”
• Increasingly…… Mob sponsored professionals
Hacker Tools: Web Hacking
More Web Hacking Tools
Password Cracking Tools
Password Cracking: Windows
Need More Tools? http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download
Full Disclosure: What’s That?
1. When a vulnerability is discovered, all details of that vulnerability are reported to the vendor
2. Vendor then works on a patch for a “reasonable” amount of time
3. Discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited
4. Hopefully the vendor has a patch available
Hacker Techniques: The Scary Reality
• Growing trend by some hackers NOT to report vulnerabilities to vendors – KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY
• Exploit services that HAVE to be allowed for business purposes (HTTP, E-Mail, etc.)
• Initiate attacks from *inside* the network
• 2002 – Large Increase in “hacking for hire” – US Secret Service
So How Do We Protect Against All of This?
(No More of This)
Most companies can improve their information protection program…
Security Risk Management Concepts
• Information Security must be handled jointly by IT and the business you serve
• Information Security risks need to be identified and managed like any other business risk
• System, data and application lifecycle management is essential
The business climate has radically changed in the past two years. How your company handles its confidential information is being scrutinized.
Required Security Controls
[Diagram: NON-TECHNICAL controls (Security Strategy, Management Commitment, Security Management Structure, Awareness Program; the hierarchy of Policy, Processes, Procedures, Standards and Guidelines) shown alongside TECHNICAL controls mapped to the OSI layers (Physical, Data Link, Network, Transport, Session, Presentation, Application)]
Source: Forsythe Solutions, used with permission
Security Risk Management: IT Control Evolution

Year   | “Secure Enough” Control                                                                                            | Security Goal
1995   | Stateful Firewalls and desktop anti-virus (AV)                                                                     | Keep external intruders and viruses out
1997   | Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers                               | Keep external intruders out, but let admins know when they do get in
2000   | Above plus Network AV, URL Screening, Host Based IDS, and VPNs                                                     | Control and monitor all network access but allow flexibility
2002   | Above plus strong authentication, application firewalls                                                            | Protect against blended threats
Future | Gateway IDS (GIDS), application aware proxies, integrated exposure management, standard metrics and measurements   | True enterprise security risk management
InfoSec Risk Examples

Threat                      | Damage                                                            | Mitigation Strategies
Web Site Defacement         | Loss in customer confidence, loss in revenue                      | IT Controls, User Education, 24 x 7 monitoring
Data theft                  | Extortion, loss of competitive advantage                          | IT Controls, User Education, employee screening
Wide-spread Virus infection | System downtime, loss in productivity, loss or corruption of data | IT Controls, User Education, email sanitization
Unauthorized network access | Any of the above                                                  | IT Controls, User Education, network entry point consolidation
How Much Security do We Need Today?
[Diagram: the ten ISO 17799 (Best Practices) domains, each rated on a 1–10 scale: Security Policy; Security Organization; Classification & Control of Assets; Personnel Security; Environmental & Physical Security; Computer & Network Management; System Access Controls; System Development & Maintenance; Business Continuity Planning; Compliance]
How much is Enough?
Source: Forsythe Solutions, used with permission
Security Risk Management Program
Should include (not an exhaustive list):
• Governance and sponsorship by senior management
• Staff and leadership education
• Implementation of appropriate technical controls
• Written enterprise security policies & standards
• Formal risk assessment processes
• Incident response capabilities
• Reporting and measuring processes
• Compliance processes
• Ties to Legal, HR, Audit, and Privacy teams
Security Risk Management: Education
• One of the largest security risks in your enterprise is untrained employees – this especially includes upper management
• Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk?
• Are users aware of their roles and responsibilities as they relate to information security?
• Are users aware of security policies and procedures?
• Do users know who to call when there are security problems?
Security Risk Management: IT Controls
• The average enterprise needs Firewalls, Intrusion Detection, Authentication Systems, Proxies, URL Screening, Anti-Virus, and a slew of other things.
• A major reason we need all of this technology is because systems continue to be shipped / built insecurely!!!
• Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes
Security Risk Management: Selective Outsourcing
Things you might consider outsourcing:
• The cyber risk itself (Insurance, Re-insurance)
• E-mail filtering and sanitization
• 24 x 7 monitoring of security systems
• 1st level incident response (viruses, etc.)
• Password resets
• Others?
Wrap Up: What Can You Do Going Forward?
1. Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!!!!!!!
2. Remember that security is not a “thing” or a one time event, it is a continual process……..
3. Manage security risks like other business risks
4. Conduct periodic security risk assessments that recommend appropriate security controls
5. Ensure security is inserted early in project lifecycles
6. Support your internal InfoSec team – they have a tough job managing threats and vulnerabilities
Credits
• CERT/CC
• Internet Security Alliance – http://www.isalliance.org
• Symantec – http://www.symantec.com
• UK Department of Trade and Industry
• LOMA – www.loma.org
Questions?