The Evolving Threat. Today s cyber security challenges and solutions

Transcription

1 The Evolving Threat Today s cyber security challenges and solutions

2 Are Water Lines At Risk? Security lacking in networks controlling critical infrastructure Hackers, terrorists could find way into controls of nuclear power stations, electrical grids, water lines. By Bob Keefe WEST COAST BUREAU Monday, October 02, 2006

3 The Past

4 The Present Source:

5 The earlier threat landscape Human Agents Hackers Disgruntled employees White collar criminals Organized crime Terrorists Exposures Information theft, loss & corruption Monetary theft & embezzlement Critical infrastructure failure Hacker adventures, e-graffiti/ defacement Business disruption Methods of Attack Brute force Denial of Service Viruses & worms Back door taps & misappropriation, Information Warfare (IW) techniques Representative Incidents Code Red, Nimda, Sircam CD Universe extortion, e-toys Hactivist campaign, Love Bug, Melissa Viruses SOBIG, SLAMMER

6 The earlier threat: growth in vulnerabilities (CERT/cc) 4,500 4,000 4,129 3,500 3,000 2,500 2,437 2,000 1,500 1,090 1,

7 The earlier threat: cyber incidents , , , , ,334 2,340 2,412 2,573 2,134 3,

8 Anyone have a cell phone? Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company s assumptions for growth. ---The Manufacturing Institute July 2006

9 The changing threat The fast-moving virus or worm pandemic is not the threat almost 100 medium-to-high risk attacks. 2005, there were only 6 This year, 0.

10 The changing threat Today, attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems. Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, wireless devices) that require interaction, instead of on servers

11 The changing threat Cybercrime growth 6,110 Denial of Service attacks per day 4000 in January 06 to 7,500 in June 06 Bot nets are the engine driving growth Increase in modular malicious code (initially limited functionality but updates itself with new, more damaging capabilities) Insider threats

12 Economic Effects of Attacks 25% of our wealth---$3 trillion---is transmitted over the Internet daily FBI: Cyber crime cost business $26 billion (probably a LOW estimate) Financial Institutions are generally considered the safest---their losses were up 450% in the last year There are more electronic financial transactions than paper checks now, 1% of cyber crooks are caught.

13 I m too Small to Attack, Not. One of every three small businesses in America were affected by MyDoom virus---- 2x the proportion of large companies effected by that virus. Small Businesses get attacked more often, have less defenses, have smaller margins to protect against loss Small businesses have needs and require a special program

14 2006 Data Breach Laws Introduced in at least 35 states Enacted in: AZ, CO, KS, UT, NE, ID Sources: Enacted in: IN, ME, WI National Conference of State Legislatures U.S. Public Interest Research Group

15 Pending Federal Legislation House Judiciary Committee: Ø Passed legislation on Thursday June 1 st 2006 House Energy and Commerce Committee Ø Passed legislation on Wednesday May 31 st 2006 Senate Judiciary Committee Ø S.1789 Personal Data and Privacy Act - Pending Sponsor: Sen. Arlen Specter (PA) Cosponsors: Sen. Patrick Leahy (VT), Sen. Russell D. Fiengold (WI), Sen. Dianne Fienstein (CA)

16 What s the result of all the legislative activity? 1. Confusion for business 2. Inaction in the Congress 3. Growing problems and costs August 2006 was the worst month for data security breeches on record SANS Institute Sept 2006

17 Can it be stopped? YES! PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types Apx 25% of the companies surveyed were found to have followed recognized best practices for cyber security.

18 Benefits of Best Practices Reduces the number of successful attacks Reduces the amount of down-time suffered from attacks Reduces the amount of money lost from attacks Reduces the motivation to comply with extortion threats

19 Cited in US National Draft Strategy to Protect Cyber Space (September 2002) Endorsed by TechNet for CEO Security Initiative (April 2003) Endorsed US India Business Council (April 2003)

20 ISALLIANCE BEST PRACTICES Practice #1: General Management Practice #2: Policy Practice #3: Risk Management Practice #4: Security Architecture & Design Practice #5: User Issues Practice #6: System & Network Management Practice #7: Authentication & Authorization Practice #8: Monitor & Audit Practice #9: Physical Security Practice #10: Continuity Planning & Disaster Recovery

21 Why Doesn t Everyone Comply with the Best Practices? Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized Manufacturer s Institute 06

22 But, management is wrong. Stanford Global Supply Chain Management Forum/IBM Study: Clearly demonstrated that investments in supply chain security can provide business value such as: * Improved Product Safety (38%) Improved Inventory management (14%) Increase in timeliness of shipping info (30%)

23 There s More!!! Increase in supply chain information access (50%) Improved product handling (43%) Reduction in cargo delays (48% reduction in inspections) Reduction in transit time (29%) Reduction in problem identification time (30%) Higher customer satisfaction (26%)

24 Security, like Digital Technology must be Integrated in Bus Plan Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial loses as well as creates value as part of the business plan. PricewaterhoseCoopers Sept 2006

25 So, how do we do that? We have a changing technology environment We have a changing business model We have a constantly changing legal and regulatory environment Business must take the lead

26 Cyber Security is not an IT problem Issues must be addressed simultaneously from the Legal Perspective The Business Perspective The Technology perspective The Policy Perspective

27 ISAlliance Integrated Business Security Program Outsourcing Risk Management Security Breech Notification Privacy Insider Threats Auditing Contractual Relationships (suppliers, partners, sub-contractors, customers)

28 ISAlliance Small Business Program Special Set of Best Practices Endorsed by: DHS Chamber of Commerce NAM NFIB ABA Wholesale Memberships through trade associations

29 Sponsors

30 Larry Clinton Operations Officer Internet Security Alliance