
The Evolving Threat

Today's cyber security challenges and solutions


Larry Clinton, President, Internet Security Alliance

Sponsors

The Past

The Present

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

The earlier threat landscape


Human Agents
- Hackers
- Disgruntled employees
- White collar criminals
- Organized crime
- Terrorists

Exposures
- Information theft, loss & corruption
- Monetary theft & embezzlement
- Critical infrastructure failure
- Hacker adventures, e-graffiti/defacement
- Business disruption

Methods of Attack
- Brute force
- Denial of Service
- Viruses & worms
- Back door taps & misappropriation
- Information Warfare (IW) techniques

Representative Incidents
- Code Red, Nimda, Sircam
- CD Universe extortion, e-Toys Hacktivist campaign
- Love Bug, Melissa Viruses
- SoBIG, SLAMMER

The earlier threat: growth in vulnerabilities

Year   Vulnerabilities (CERT/cc)
1995   171
1996   345
1997   311
1998   262
1999   417
2000   1,090
2001   2,437
2002   4,129

The earlier threat: cyber incidents

Year   Incidents
1988   6
1989   132
1990   252
1991   406
1992   773
1993   1,334
1994   2,340
1995   2,412
1996   2,573
1997   2,134
1998   3,734
1999   9,859
2000   21,756
2001   55,100
2002   110,000

The changing threat


- The fast-moving virus or worm pandemic is not the threat.
- 2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
- 2005: there were only 6.
- This year: 0.

The changing threat


- Today, attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems.
- Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, printers, wireless devices) that require some degree of user interaction.

Digital Growth? Sure

- Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.

---Stanford University Study, July 2006

Digital Defense? Maybe Not


- 29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
- 50% of Senior Executives said they did not know how much money was lost due to attacks
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

Digital Defense NOT

- 23% of CTOs did not know if cyber losses were covered by insurance or not.
- 34% of CTOs thought their cyber losses would be covered by insurance, and were wrong.
- The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg

Incidents & Losses 2004-2006


[Chart: Percentage That Experienced Losses as a Result (financial, operational), 2004-2006]

[Chart: Average Number of Security Incidents Per Participant, 2004-2006; plotted values: 34, 86, 136]

---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

Economic Effects of Attacks


- 25% of our wealth ($3 trillion) is transmitted over the Internet daily
- FBI: Cyber crime cost business $26 billion (probably LOW estimate)
- Financial Institutions are generally considered the safest, yet their losses were up 450% in the last year
- There are more electronic financial transactions than paper checks now; 1% of cyber crooks are caught.

Cyber Attacks' Effect on Stock Price

- Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.

Source: US Congressional Research Service 2004

Indirect Economic Effects of Cyber Attacks


- While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economical and society confidence

Source: Carnegie Mellon CyLab 2007

Can it be stopped? Yes!

- PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types
- Approximately 25% of the companies surveyed were found to have followed recognized best practices for cyber security.

Benefits of Best Practices


- Reduces the number of successful attacks
- Reduces the amount of down-time suffered from attacks
- Reduces the amount of money lost from attacks
- Reduces the motivation to comply with extortion threats

Senior Mgrs Best Practices


- Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
- Endorsed by TechNet for CEO Security Initiative (April 2003)
- Endorsed by US India Business Council (April 2003)

ISALLIANCE BEST PRACTICES


- Practice #1: General Management
- Practice #2: Policy
- Practice #3: Risk Management
- Practice #4: Security Architecture & Design
- Practice #5: User Issues
- Practice #6: System & Network Management
- Practice #7: Authentication & Authorization
- Practice #8: Monitor & Audit
- Practice #9: Physical Security
- Practice #10: Continuity Planning & Disaster Recovery

Percentage of Participants Who Experienced an Insider Incident


[Chart: Percentage of Participants Who Experienced an Insider Incident, 2004-2006; plotted values: 41, 39, 55]

Insider Incidents - 2006


Insiders committed more theft of IP & other proprietary information and sabotage than outsiders

                             Total (%)   Insider (%)   Outsider (%)
Theft of IP                  30          63            45
Theft of Proprietary Info.   36          56            49
Sabotage                     33          49            41

Most common insider incidents in 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%)

Insider Methods - 2006

[Chart: % of Organizations (0-100) by insider method: Compromised Accounts, Sys. Admin. Access, Remote Access, Social Engineering, Backdoors, PW Crackers, Malicious Code, Logic Bomb]

ISA Best Practices for Insider Threat Prevention & Mitigation


- PRACTICE #1: Institute periodic enterprise-wide risk assessments.
- PRACTICE #2: Institute periodic security awareness training for all employees.
- PRACTICE #3: Enforce separation of duties and least privilege.
- PRACTICE #4: Implement strict password and account management policies and practices.
- PRACTICE #5: Log, monitor, and audit employee online actions.
- PRACTICE #6: Use extra caution with system administrators and privileged users.
- PRACTICE #7: Actively defend against malicious code.
- PRACTICE #8: Use layered defense against remote attacks.
- PRACTICE #9: Monitor and respond to suspicious or disruptive behavior.
- PRACTICE #10: Deactivate computer access following termination.
- PRACTICE #11: Collect and save data for use in investigations.
- PRACTICE #12: Implement secure backup and recovery processes.
- PRACTICE #13: Clearly document insider threat controls.

ISA Best Practices Model Contracts


Volume I
Volume II: published June 2007 with ANSI, gives greater emphasis to standards-based information security controls. (www.isalliance.org)

Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and

Why Doesn't Everyone Comply with the Best Practices?

- Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized

---Stanford University 06

Management is WRONG

Stanford Global Supply Chain Management Forum/IBM Study:

Clearly demonstrated that investments in security can provide business value such as:
- Improved Product Safety (38%)
- Improved Inventory management (14%)
- Increase in timeliness of shipping info (30%)

There's More!!!

- Increase in supply chain information access (50%)
- Improved product handling (43%)
- Reduction in cargo delays (48% reduction in inspections)
- Reduction in transit time (29%)
- Reduction in problem identification time (30%)
- Higher customer satisfaction (26%)

Security, like Digital Technology, must be Integrated in Bus Plan

- Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.

PricewaterhouseCoopers Sept 2006

So, how do we do that?


- We have a changing technology environment
- We have a changing business model
- We have a constantly changing legal and regulatory environment

Business must take the lead

Characteristics of Effective Security Governance


1. Security is an Enterprise Wide Issue: Horizontally, vertically and cross functionally throughout the org.
2. Leaders are Accountable: To the org., stakeholders and the community (it's a shared resource)
3. Viewed as a Business Requirement: Aligned w/organizational strategic goals, business units don't decide how much security they want
4. Risk Based: How much is based on tolerance for exposure (compliance, liability, operational disruptions, financial or reputation)
5. Roles and Responsibilities Defined: Clear lines of delineation as to who does what and reports to whom
6. Addressed and Enforced in Policy: Rewards and recognition included
7. Adequate Resources are Committed: Including authority and time to build and maintain core competencies
8. Staff Aware and Trained: Reflected in job descriptions and expected as cultural norm
9. A Developmental Life Cycle: System software development, acquisitions, operations and retirement
10. Planned, Managed, Measured: Clear objectives measured w/results integrated into future plans
11. Reviewed and Audited: Board audit and risk committees conduct regular reviews and integrate digitalization into business plan, both positive and negative

Cyber Security is NOT an IT problem


Issues must be addressed simultaneously from the:
- Legal
- Business
- Technology
- Policy
Perspectives

[Diagram labels: LEGAL/REG, BUS/OPERATIONAL, TECH/R&D, POLICY, PROBLEM / ISSUE]

ISAlliance Integrated Business Security Program


- Outsourcing
- Risk Management
- Security Breach Notification
- Privacy
- Insider Threats
- Auditing
- Contractual Relationships (suppliers, partners, sub-contractors, customers)

Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028 (O) 202-236-0001 (C)
