2004 01 07 larry clinton risk management and insurance presentation for the institute of internal of...

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2004 01 07 Larry Clinton Risk Management and Insurance Presentation for the Institute of Internal of Auditors IIA

    1/38

    Larry Clinton, Operations Officer

    Internet Security Alliance

    [email protected]

    202-236-0001

    2/38

    3/38

    The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

    4/38

    Sponsors

    5/38

    The Past

    6/38

    The Present

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    7/38

    The Threats

    Human Agents: hackers; disgruntled employees; white collar criminals; organized crime; terrorists

    Methods of Attack: brute force; Denial of Service; viruses & worms; back door taps & misappropriation; Information Warfare (IW) techniques

    The Risks

    Exposures: information theft, loss & corruption; monetary theft & embezzlement; critical infrastructure failure; hacker adventures, e-graffiti/defacement; business disruption

    Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys hacktivist campaign; Love Bug, Melissa viruses

    8/38

    Growth in Incidents Reported to the CERT/CC

    Year    Incidents
    1988            6
    1989          132
    1990          252
    1991          406
    1992          773
    1993        1,334
    1994        2,340
    1995        2,412
    1996        2,573
    1997        2,134
    1998        3,734
    1999        9,859
    2000       21,756
    2001       55,100
    2002      110,000

    9/38

    The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

    Year    Vulnerabilities
    1995          171
    1996          345
    1997          311
    1998          262
    1999          417
    2000        1,090
    2001        2,437
    2002        4,129

    10/38

    Attack Sophistication v. Intruder Technical Knowledge

    [Chart: attack sophistication plotted against intruder knowledge, scale Low to High, timeline 1980 to 2000, with curves labelled Tools and Attackers. Labelled tools and attacks: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks]

    11/38

    Computer Virus Costs (in $ billions)

    [Chart: annual cost for '96 through '03 (2003 through Oct 7), scale 0 to 150 billion dollars]

    12/38

    Attacks are Inevitable

    "According to the US Intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess." National Strategy to Secure Cyberspace, 2/14/02

    "The significance of the NIMDA attack was not in the amount of damage it caused but it foreshadows what we could face in the future." CIPB

    "Things are getting worse not better." NYT 1/30/03

    13/38

    The Private Sector and National Cyber Security

    US government is holding companies responsible for their security

    Fiduciary and oversight responsibility is being enforced

    Corporate governance, vision and goals reside at the executive level

    14/38

    Info Sharing & IIA

    "Changing expectations of business partners, investors, regulators and legislators are raising the bar for information security and reliability in the business world. Information sharing is a key component of the national Strategy to Secure Cyber Space." Charles Le Grand, AVP IIA

    15/38

    ISAlliance/CERT Knowledgebase Examples

    16/38

    Benefits of Information Sharing: Organizations

    May lessen the likelihood of attack: "Organizations that share information about computer break-ins are less attractive targets for malicious attackers." NYT 2003

    Participants in information sharing have the ability to better prepare for attacks

    17/38

    Benefits of Information Sharing: Organizations

    SNMP vulnerability: CERT notified Alliance members Oct. 2001; publicly disclosed Feb. 2002

    Slammer worm: CERT notified Alliance members May 2002; worm exploited Jan. 2003

    18/38

    Why ISA Info Sharing Works

    Carnegie Mellon/CERT leadership and credibility

    History and regularity build up trust

    Enforcing the rules builds trust

    Cross-sector/international model lessens competitive concerns

    Success breeds greater success

    19/38

    A Risk Management Approach is Needed

    "Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure." National Plan to Secure Cyberspace, 2/14/03

    20/38

    Risk Management and IIA

    "Private Industry is encouraged to perform periodic, quantitative risk assessments of their information systems."

    "The IIA definition of internal auditing emphasizes a systematic, disciplined approach to risk management in contributing to the value of an organization." ---Charles Le Grand, AVP IIA, in Information Security Governance and Assurance

    21/38

    Risk Mitigation/Cyber Insurance

    ISAlliance establishes Cyber Insurance Incentive Program, 2001

    ISAlliance establishes Risk Management Committee, November 2002

    Risk Manager Survey begins, 2003

    22/38

    Chief Technology Officers' Knowledge of their Cyber Insurance

    34% incorrectly thought they were covered

    36% did not have insurance

    23% did not know if they had insurance

    7% knew that they were insured by a specific policy

    23/38

    ISAlliance Cyber-Insurance Program

    Coverage for members

    Free assessment through AIG

    Market incentive for increased security practices: 10% discount off best prices from AIG; additional 5% discount for implementing ISAlliance Best Practices (July 2002)

    24/38

    Risk Management Committee

    Survey of ISAlliance members to provide baseline of issues and interactions

    Congressional briefing including the need for risk management in cyber security (1/30/03)

    Cyber/Physical Risk Management Project

    25/38

    Step 4. Adopt and Implement Best Practices

    Cited in US National Draft Strategy to Protect Cyber Space (September 2002)

    Endorsed by TechNet for CEO Security Initiative (April 2003)

    Endorsed by US India Business Council (April 2003)

    26/38

    Common Sense Guide: Top Ten Practice Topics

    Practice #1: General Management

    Practice #2: Policy

    Practice #3: Risk Management

    Practice #4: Security Architecture & Design

    Practice #5: User Issues

    Practice #6: System & Network Management

    Practice #7: Authentication & Authorization

    Practice #8: Monitor & Audit

    Practice #9: Physical Security

    Practice #10: Continuity Planning & Disaster Recovery

    27/38

    Other ISAlliance Best Practice Publications

    Common Sense Guide for Home Users and Traveling Executives (February 2003)

    Common Sense Guide to Cyber Security for Small Businesses (commissioned by National Cyber Security Summit Meeting 11/03)

    28/38

    Cooperative Work on Assessment/Certification

    TechNet CEO Self-Assessment Program: bring cyber security to the C-level based on ISA Best Practices; create a baseline of security even CEOs can understand

    American Security Consortium 3-Party Assessment Program: Risk Preparedness Index for assessment and certification; develop quantitative independent ROI for cyber security

    29/38

    ISAlliance Qualification Program

    No standardized certification program exists or will exist soon

    ISAlliance, in cooperation with the Big 4 and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification

    ISA works with CMU CyLab on certification

    30/38

    ISAlliance/CERT Training

    Concepts and Trends in Information Security

    Information Security for Technical Staff

    OCTAVE Method Training Workshop

    Overview of Managing Computer Security Incident Response Teams

    Fundamentals of Incident Handling

    Advanced Incident Handling for Technical Staff

    Information Survivability: an Executive Perspective

    31/38

    Public Policy

    Policy must address the Internet as a new technology

    No one owns the Internet

    It is constantly evolving

    International operation makes regulation difficult

    Mandates will truncate innovation and the economy

    Beware the roadmap for mischief

    32/38

    Putnam Legislation

    Risk assessment

    Risk mitigation

    Incident response program

    Tested continuity plan

    Updated patch management program

    Putnam has said it won't work.

    33/38

    ISAlliance Incentive Model

    Model programs for market incentives: AIG, Nortel, Visa, Verizon

    SemaTech Program

    Tax incentives

    Liability carrots

    Procurement model

    Research and development

    34/38

    A Coherent 10 Step Program of Cyber Security

    1. Members and CERT create best practices

    2. Members and CERT share information

    3. Cooperate with industry and government to develop new models and products consistent with best practices

    35/38

    A Coherent Program of Cyber Security

    4. Provide education and training programs based on coherent theory and measured compliance

    5. Coordinate across sectors

    6. Coordinate across borders

    36/38

    A Coherent Program

    7. Develop the business case (ROI) for improved cyber security

    8. Develop market incentives and tools for consistent maintenance of cyber security

    9. Integrate sound theory and practice and evaluation into public policy

    10. Constantly expand the perimeter of cyber security by adding new members

    37/38

    Benefits

    Share critical information across industries and across national borders

    Provide secure setting to work on common problems

    Provide economic incentive programs

    Develop model industry evaluation and training programs

    38/38

    Larry Clinton, Operations Officer

    Internet Security Alliance

    [email protected]

    202-236-0001