2007 06 25 larry clinton rochester presentation about best practices and cyber threats

Upload: isalliance

Post on 05-Apr-2018

Category: Documents


TRANSCRIPT

  • 7/31/2019 2007 06 25 Larry Clinton Rochester Presentation About Best Practices and Cyber Threats

    1/50

The Evolving Cyber Threat and what businesses can do about it

    Larry Clinton, President

    Direct 703/907-7028 [email protected]

2/50

Founders

3/50

ISA Board of Directors

Ken Silva, Chairman; CSO, Verisign

Ty Sagalow, Esq., 1st Vice Chair; President Product Development, AIG

Angie Carfrae, VP Risk Management, Ceridian Corporation

Tim McKnight, CSO, Northrop Grumman

Jeff Brown, CISO/Director IT Infrastructure, Raytheon

Paul Smocer, SVP/CIO, Mellon Financial

Matt Broda, Chief Strategic Security, Nortel

Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers

Pradeep Khosla, Dean, Carnegie Mellon School of Computer Science

Matt Flanagen, President, Electronic Industries Alliance

J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon

Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services

4/50

Our Partners

5/50

Industry Affairs/Government Relations

6/50

The Old Web

7/50

The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

8/50

The Web is Inherently Insecure---and getting more so

The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.

Source: Hancock, Cutter Technology Journal 06

9/50

The Earlier Threat: Growth in vulnerabilities (CERT/cc)

[Bar chart: vulnerabilities reported per year, 1995 to 2002; values shown: 171, 345, 311, 262, 417, 1,090, 2,437, 4,129]

10/50

The Earlier Threat: Cyber incidents

[Bar chart: incidents reported per year, 1988 to 2002; values shown: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100, 110,000]

11/50

The Changing Threat

A fast-moving virus or worm pandemic is not the threat it was...

2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).

2005: there were only 6.

2006 and 2007: zero.

12/50

Faces of Attackers Then

Chen-Ing Hau: CIH Virus

Joseph McElroy: Hacked US Dept of Energy

Jeffrey Lee Parson: Blaster-B Copycat

13/50

Faces of Attackers Now

Andrew Schwarmkoff: Russian Mob Phisher

Jay Echouafni: Competitive DDoS

Jeremy Jaynes: $24M SPAM KING

14/50

The Changing Threat

Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail.

Vulnerabilities are on client-side applications: Word, spreadsheets, printers, etc.

The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video-sharing, and other Web-based innovations (McAfee 2007).

15/50

The Threat Landscape is Changing

Who
  Early Attacks: Kids, researchers, hackers, isolated criminals
  New Era Attacks: Organized criminals, corporate spies, disgruntled employees, terrorists

Why
  Early Attacks: Seeking fame & glory; use widespread attacks for maximum publicity
  New Era Attacks: Seeking profits, revenge; use targeted stealth attacks to avoid detection

Risk Exposure
  Early Attacks: Downtime, business disruption, information loss, defacement
  New Era Attacks: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure

16/50

The Threat Landscape is Changing

Defense
  Early Attacks: Reactive AV signatures
  New Era Attacks: Multilayer pre-emptive and behavioral systems

Recovery
  Early Attacks: Scan & remove
  New Era Attacks: System wide, sometimes impossible without re-image of system

Type
  Early Attacks: Virus, worm, spyware
  New Era Attacks: Targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, trojans, IW

17/50

Newer Threats

Designer malware: Malware designed for a specific target or small set of targets

Spear Phishing: Combines phishing and social engineering

Ransomware: Malcode packs important files into an encrypted archive & deletes the original, then a ransom is demanded

RootKits: Shielding technology to make malcode invisible to the operating system

18/50

Characteristics of the New Attackers

Shift to profit motive

Zero day exploits

Increased investment and innovation in malcode

Increased use of stealth techniques

19/50

Digital Growth?

Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.

---Stanford University Study, July 2006

Sure

20/50

Digital Defense?

29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year

50% of Senior Executives said they did not know how much money was lost due to attacks

Maybe Not

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

21/50

Digital Defense

23% of CTOs did not know if cyber losses were covered by insurance.

34% of CTOs thought cyber losses would be covered by insurance----and were wrong.

The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.

---Source: DHS Chief Economist Scott Borg

Not So Much

22/50

Incidents & Losses

[Bar chart: Average Number of Security Incidents Per Participant, 2004, 2005, 2006; values shown: 136, 86, 34]

[Bar chart: Percentage That Experienced Losses as a Result, financial vs. operational, 2004, 2005, 2006; values shown: 25/56, 28/55, 40/63]

---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

23/50

Percentage of Participants Who Experienced an Insider Incident

[Bar chart: 2004, 2005, 2006; values shown: 41, 39, 55]

24/50

Insider Incidents - 2006

In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!

                              Total (%)   Insider (%)   Outsider (%)
Theft of IP                      30          63            45
Theft of Proprietary Info.       36          56            49
Sabotage                         33          49            41

Most common insider incidents in 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%)

25/50

Economic Effects of Attacks

25% of our wealth---$3 trillion---is transmitted over the Internet daily

FBI: Cyber crime cost business $26 billion (probably LOW estimate)

Financial Institutions are generally considered the safest---their losses were up 450% in the last year

There are more electronic financial transfers than paper checks now. Only 1% of cyber crooks are caught.

26/50

Cyber Attacks Affect Stock Price

Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.

Source: US Congressional Research Service 2004

27/50

Indirect Economic Effects

While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economic and societal confidence.

Source: Carnegie Mellon CyLab 2007

28/50

Can it be stopped? Yes!

PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types.

Approximately 25% of these companies follow recognized best practices for cyber security.

29/50

Benefits of Best Practices

Reduces the number of successful attacks

Reduces the amount of down-time suffered from attacks

Reduces the amount of money lost from attacks

Reduces the motivation to comply with extortion threats

Source: PricewaterhouseCoopers 2006

30/50

Senior Managers' Best Practices

Cited in US National Draft Strategy to Protect Cyber Space

Endorsed by TechNet for CEO Security Initiative

Endorsed by US India Business Council

Currently Being Updated

31/50

Available Best Practice Resources

#1: General Management

#2: Policy

#3: Risk Management

#4: Security Architecture & Design

#5: User Issues

#6: System & Network Management

#7: Authentication & Authorization

#8: Monitor & Audit

#9: Physical Security

#10: Continuity Planning & Disaster Recovery

32/50

Best Practices for Insider Threat Prevention & Mitigation

#1: Institute periodic enterprise-wide risk assessments.

#2: Institute periodic security awareness training for all employees.

#3: Enforce separation of duties and least privilege.

#4: Implement strict password and account management policies and practices.

#5: Log, monitor, and audit employee online actions.

#6: Use extra caution with system administrators and privileged users.

#7: Actively defend against malicious code.

#8: Use layered defense against remote attacks.

33/50

Best Practices for Insider Threat Prevention & Mitigation

#9: Monitor and respond to suspicious or disruptive behavior.

#10: Deactivate computer access following termination.

#11: Collect and save data for use in investigations.

#12: Implement secure backup and recovery processes.

#13: Clearly document threat controls.
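Several of the insider-threat practices above (#5 log, monitor and audit; #6 extra caution with privileged users; #10 deactivate access following termination) can be checked mechanically by reconciling access logs against HR records. The following Python script is an added example, not part of the presentation or of any ISA material: it parses constructed sample log lines and a constructed staff roster, flags activity by accounts whose owners have left (or that appear in no roster at all), flags privileged-account actions outside an assumed business-hours window for human review, and produces a per-user audit summary. The log format, roster structure, and business-hours window are assumptions.

```python
"""Added example: mechanical checks for insider-threat practices #5 (log,
monitor, audit), #6 (extra caution with privileged users) and #10
(deactivate access after termination).  All data below is constructed."""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: account -> (role, privileged?, termination date or None).
ROSTER = {
    "alice": ("finance", False, None),
    "bob": ("sysadmin", True, None),
    "carol": ("engineering", False, date(2007, 6, 15)),  # left the company
    "dave": ("sysadmin", True, date(2007, 6, 20)),  # privileged and left
}

# Constructed access log, one event per line: timestamp user host action.
SAMPLE_LOG = """\
2007-06-18T09:12:03 alice fin-db01 login
2007-06-18T23:40:11 bob core-rtr1 config-change
2007-06-19T10:02:45 carol src-repo checkout
2007-06-21T03:15:00 dave fin-db01 login
2007-06-21T14:30:22 bob src-repo checkout
2007-06-21T15:00:00 mallory fin-db01 login
"""


def parse_log(text):
    """Parse the whitespace-separated log format assumed above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def access_after_termination(events, roster=ROSTER):
    """Practice #10: activity by an account that should have been deactivated,
    or by an account with no roster entry at all.  Returns (user, ts, reason)."""
    findings = []
    for e in events:
        entry = roster.get(e["user"])
        if entry is None:
            findings.append((e["user"], e["ts"], "account not in roster"))
        elif entry[2] is not None and e["ts"].date() > entry[2]:
            findings.append((e["user"], e["ts"], f"terminated on {entry[2]}"))
    return findings


def privileged_off_hours(events, roster=ROSTER, start_hour=8, end_hour=18):
    """Practice #6: privileged accounts acting outside the assumed business-hours
    window [start_hour, end_hour) are queued for human review.
    Returns (user, ts, host, action)."""
    findings = []
    for e in events:
        entry = roster.get(e["user"])
        if entry is None or not entry[1]:
            continue
        hour = e["ts"].hour
        if hour < start_hour or hour >= end_hour:
            findings.append((e["user"], e["ts"], e["host"], e["action"]))
    return findings


def activity_summary(events):
    """Practice #5: per-user audit summary as (event count, distinct hosts)."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        counts[e["user"]] += 1
        hosts[e["user"]].add(e["host"])
    return {u: (counts[u], len(hosts[u])) for u in sorted(counts)}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in access_after_termination(evts):
        print("ACCESS-AFTER-TERMINATION", *f)
    for f in privileged_off_hours(evts):
        print("PRIVILEGED-OFF-HOURS", *f)
    print("SUMMARY", activity_summary(evts))
```

Run as-is, the script reports carol and dave (both past their termination dates) and mallory (no roster entry) under #10, bob's late-night router change and dave's 03:15 login under #6, and a count per user under #5. In practice the roster would come from the HR system of record and the log from a central collector, so that the checks run on data the individual user cannot alter.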

34/50

Best Practices: Model Contracts

Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.

Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)

35/50

Why Doesn't Everyone Comply with Established Best Practices?

Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized.

---Stanford University 06

36/50

Management is WRONG

A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:

Improved Product Safety (38%)

Improved Inventory management (14%)

Increase in timeliness of shipping info (30%)

37/50

Security ROI

Increase in supply chain information access (50%)

Improved product handling (43%)

Reduction in cargo delays (48% reduction in inspections)

Reduction in transit time (29%)

Reduction in problem identification time (30%)

Higher customer satisfaction (26%)

38/50

Security, like Digital Technology, must be Integrated in the Business Plan

Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.

PricewaterhouseCoopers, September 2006

39/50

How do we do that?

We have a changing technology environment

We have a changing business model

We have a constantly changing legal and regulatory environment

Business must take the lead.

40/50

ISA/CMU: Elements of Effective Security Governance

Security is an enterprise wide issue horizontally, vertically and cross functionally throughout the organization

Leaders are accountable to the organization, stakeholders and the community (it's a shared resource/responsibility)

Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don't decide how much security they want

42/50

ISA/CMU: Elements of Effective Security Governance

Commit adequate security resources, including authority and time to build and maintain core competencies

Expected staff awareness and training is reflected in job descriptions and expressed as a cultural norm

Implement a life cycle system for software development, acquisitions, operations and retirement

43/50

ISA/CMU: Elements of Effective Security Governance

Plan, define and manage clear security objectives; measure results and integrate lessons learned into future plans

Risk committee conducts regular reviews and integrates digitalization into the business plan---both positive and negative; Board reviews and audits

44/50

Cyber Security is NOT an IT Problem

Issues must simultaneously address all organization perspectives including: Business, Policy, Legal, Technology

[Diagram: PROBLEM / ISSUE at the centre, linked to BUS/OPERATIONAL, LEGAL/REG, TECH/R&D and POLICY]

46/50

Weekly Webinar Series

47/50

Sample of Recent Webinars

On Privacy and Compliance with Application to Healthcare
Anupam Datta, CyLab Research Scientist, CMU

Psychological Profiling Software to Aid in Forensic Investigation, Insider Detection and Relationship Management
Eric Shaw, Clinical Psychologist & Visiting Scientist, SEI, CERT

Outsourcing Risk Management: Legal Considerations
Jody Westby, CEO, Global Cyber Risk

Privacy and Security, it isn't Either/Or, it's Both/And
Jon Callas, PGP Corporation

Software Assurance in the Software Supply Chain
Bill Scherlis, Professor, School of Computer Science, Director, ISRI and director of CMU's PhD Program in Software Engineering

49/50

Conclusions

1. Band-Aids (or patches) don't cure; systemic treatments do

2. You need to stay ahead of the problem just to keep up with the field

3. You are not in this alone; join the ISA team

50/50

Larry Clinton

President

Internet Security [email protected]

703-907-7028 (O) 202-236-0001 (C)