Perspectives on Threat

Transcription

1 Commerce Threats

2 Perspectives on Threat Higher level approach Define and characterize the threat rather list the what if scenarios Where to find accurate information on information

3 Part I: Business

4 Traditional Defense Learn Well organizational threats, the vulnerabilities they will affect, the interdependencies they impact, and the probable disruption to core competencies. Plan for Continuity Test for Security Gather Information Assess government resources

5 The Mandate Government Support Government agencies support and protect corporate interests Part of overall corporate security plan Law enforcement Private security Expectation Define the territory Legislate the crime Respond in crisis

6 True Crimes and Misdemeanors List of accepted wrongs Articulated criminal elements Laws Burglary Robbery Extortion Fraud Standards and policies

7 Burglary! I know burglary is a threat to my inventory because I know the elements of this action therefore I know how to secure my business against it and test for it Elements: Now I know my enemy Intent Knowingly enters without authorization To take something not owned

8 Response I know government officials will respond as jurisdictionally specified I expect an investigation I hope for an arrest prosecution and finally punishment

9 Playing Field Geo-political boundaries Defines Right and Wrong Strength and Vulnerability Safety and Threat Provides enterprise foundation or known environment

10 Part II Then Came the Internet

11 The Cloud Commerce moved to the Internet The Cloud was created Stays cloudy because Impossible to force old concepts into new environment Government cannot act on what it cannot not delimit Commerce acted without quantification

12 Reactive Digital Environment Concept of security is warped what is it we are trying to secure? What are the doors we must lock? Corporate information infrastructures are left with little more than a shallow defense amid the New Threats

13 True Threat The Big Three Lack of Political Identity No Mandate No Jurisdictional Boundaries No governing or enforcement body Ambiguity Marketplace is ill defined Product or Technology? Lack of Authority No enforcer

14 #1 No Political Identity The risk inherent in the Internet s lack of definition is the lack of a definitive governing body. No one is in charge!! Businesses are alone in securing assets Bad guys have access too Same tools Same environment Focus only on hacking, cracking, and electronic disobedience

15 #2 Ambiguity: Boundaries where? In order to protect ourselves in it, we must define the parameters of it How is jurisdiction identified in the cloud? Where do we conduct business? The marketplace?

16 #2 Ambiguity: Product What? Product or Technology? No definitive product exists line between technology and product is muted Testing product or testing technical operations? Quality Assurance vs. Information Assurance Divided Business Processes and Technology Allowed business to fragment Lost our ability to secure business with technology only focus

17 Threat #3 Authority Few or non-existent Best Practices for dealing with Enterprise Business Technology Operations No entity claims rights or responsibility To investigating attacks Set standards Enact legislation Identify jurisdictional boundaries Best Practices Standards Demand Enforcement Authority Checks and Balances

18 Threat Summary Threats Business/Technology Disconnection Lack of Political Mandate Boundaries? Jurisdiction? Ambiguity in Business Definitions Product? Technology = tool Technology = product Authority Anyone in charge? Elements of a crime?

19 The Outcome Internet remains as ambiguous as the commerce it generates The pace of change is out of control The unknown threat looms ever larger from an unknown place

20 New Defense Learn Well organizational threats, the vulnerabilities they will affect, the interdependencies they impact, and the probable disruption to core competencies. Plan for Continuity Test for Security Gather Information Assess government resources

21 Develop the Methodology Believe in the Threat and its new complexities! Believe its costs! Manage Change Develop new threat/vulnerability methodology Stay Current!

22 The New Assessment Enterprise Business Technology Operations (EBTO) Methodology Already knows the threat Needs no authority to succeed Bundles processes and technology Not boundary dependent Solution-specific actions based upon Standardized Risk Index Combines tangible and intangible costs ROI associated with risk mitigation

23 Managing Change Enterprise leaders require timely, reliable, consistent and accurate information to make decisions. Therefore, success depends upon safeguarding information resources and reducing risk by! Identifying & monitoring threats! Assessing & correcting known organizational vulnerabilities! Validating and verifying business policies & contingencies! Leveraging known solutions through continuous awareness & training! Developing new solution strategies to handle change

24 EBTO Strategy Business Requirements! Process starts with EBTO Executives! Reverse engineer critical business processes! Determine sources of critical data Vulnerability Analysis! Identify vulnerabilities of data sources! Identify policy & contingency shortcomings! Measure risk Business Decisions! Implement solutions to maximize ROI while mitigating Risk

25 EBTO Methodology Steps Outcomes Deliverables 1. Identify Critical Information Shows Management information critical to enterprise decision making Critical business processes & origin of data 2. Perform Vulnerability Analysis Shows Management existing technical vulnerabilities, threats & potential loss of revenues Vulnerability Analysis & Business Loss (Risk Index) 3. Recommend Security Solutions Shows Management cost & benefit of recommended solutions Security Solutions based on ROI

26 Identify Critical Information 1. Identify Critical Information! Information needed for making key enterprise decisions Determine Origin of Data Regional Sales Report For First Quarter Region Sales (in $ million) Amount (in thousands) Northern 4 8 Southern 2 12 Eastern 3 9 Western 4 8 Northern Region Sales Report For First Quarter District Sales (in $ thousands) Amount (in thousands) Vienna 2,000 4 Fairfax 2,000 4 Northern Region Vienna District Sales Report For First Quarter Months Sales (in $ thousands) Product Amount (in hundreds) Sales Reps January 250 Wizard 1 5 John 250 Wizard 2 5 Steve February 250 Wizard 1 5 John 250 Wizard 2 5 Steve March 500 Wizard 1 10 John 500 Wizard 2 10 Steve Identify Critical Business Processes Develop Quarterly Sales Report Regional Report Create Regional Quarterly Sales Report District Report Prepare District Quarterly Sales Report Quarterly Report Burke Corporate Database Eastern Region Database Western Region Database Southern Region Database Northern Region Database Fairfax Database Vienna Database

27 2. Perform Vulnerability Analysis Unauthorized Users Laptop theft Social Engineering Perform Vulnerability Analysis Theft of proprietary information Policies, Plans & Procedures Database Server File Server Sabotage of data/network NT Novel l UNIX AS/400 s Vendors/ Suppliers Applications Disgruntled Employees Virus Insider abuse of net access LAN WWW Hackers Competitors Foreign Govt

28 Risk Considerations 2. Perform Vulnerability Analysis This system is very vulnerable to failure and accounts for 80% of the information in my critical report. Decision makers should know the source of their data - knowing the source tells them: importance of the data for decision making vulnerability of the source data where to spend scarce resources for protection If this system crashes, Alternate data source available? Contingency plans available? ebay lost $5M in sales & $4B in stock value after a shutdown for 22 hours Company Sales Report Loss of $$Revenue! Outages at Yahoo, ebay, & Amazon cost $1.2B. Stock prices fell after outages. Origin of Data