2004 01 07 larry clinton risk management and insurance presentation for the institute of internal of...
-
7/31/2019 2004 01 07 Larry Clinton Risk Management and Insurance Presentation for the Institute of Internal of Auditors IIA
1/38
Larry Clinton, Operations Officer
Internet Security Alliance
[email protected]
202-236-0001
-
The Internet Security Alliance
The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.
-
Sponsors
-
The Past
-
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Present
-
The Threats
Human Agents: hackers; disgruntled employees; white-collar criminals; organized crime; terrorists
Methods of Attack: brute force; denial of service; viruses & worms; back door taps & misappropriation; Information Warfare (IW) techniques
The Risks
Exposures: information theft, loss & corruption; monetary theft & embezzlement; critical infrastructure failure; hacker adventures, e-graffiti/defacement; business disruption
Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys hacktivist campaign; Love Bug, Melissa viruses
-
Growth in Incidents Reported to the CERT/CC
[Chart, reconstructed from the slide's data labels; y-axis 0 to 120,000]
Year  Incidents
1988  6
1989  132
1990  252
1991  406
1992  773
1993  1,334
1994  2,340
1995  2,412
1996  2,573
1997  2,134
1998  3,734
1999  9,859
2000  21,756
2001  55,100
2002  110,000
-
The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC
[Chart, reconstructed from the slide's data labels; y-axis 0 to 4,500]
Year  Vulnerabilities
1995  171
1996  345
1997  311
1998  262
1999  417
2000  1,090
2001  2,437
2002  4,129
-
Attack Sophistication v. Intruder Technical Knowledge
[Chart, 1980 to 2000, y-axis Low to High: the Attack Sophistication curve rises while the Intruder Knowledge curve falls; labelled tools and attacks, in the order they appear on the slide:]
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sweepers
sniffers
packet spoofing
GUI
automated probes/scans
denial of service
www attacks
stealth / advanced scanning techniques
burglaries
network mgmt. diagnostics
DDOS attacks
-
Computer Virus Costs (in $ billions)
[Chart: range of estimated costs per year, '96 through '03 (2003 through Oct 7); y-axis 0 to 150]
-
Attacks are Inevitable
"According to the US Intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess." National Strategy to Secure Cyberspace, 2/14/02
"The significance of the NIMDA attack was not in the amount of damage it caused, but it foreshadows what we could face in the future." CIPB
"Things are getting worse, not better." NYT 1/30/03
-
The Private Sector and National Cyber Security
US government is holding companies responsible for their security
Fiduciary and oversight responsibility is being enforced
Corporate governance, vision and goals reside at the executive level
-
Info Sharing & IIA
"Changing expectations of business partners, investors, regulators and legislators are raising the bar for information security and reliability in the business world. Information sharing is a key component of the national Strategy to Secure Cyber Space." Charles Le Grand, AVP IIA
-
ISAlliance/CERT Knowledgebase Examples
-
Benefits of Information Sharing: Organizations
May lessen the likelihood of attack: "Organizations that share information about computer break-ins are less attractive targets for malicious attackers." NYT 2003
Participants in information sharing have the ability to better prepare for attacks
-
Benefits of Information Sharing: Organizations
SNMP vulnerability: CERT notified Alliance members Oct. 2001; publicly disclosed Feb. 2002
Slammer worm: CERT notified Alliance members May 2002; worm exploited Jan. 2003
-
Why ISA Info Sharing Works
Carnegie Mellon/CERT leadership and credibility
History and regularity build up trust
Enforcing the rules builds trust
Cross-sector/international model lessens competitive concerns
Success breeds greater success
-
A Risk Management Approach is Needed
"Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure." National Plan to Secure Cyberspace, 2/14/03
-
Risk Management and IIA
"Private industry is encouraged to perform periodic, quantitative risk assessments of their information systems."
"The IIA definition of internal auditing emphasizes a systematic, disciplined approach to risk management in contributing to the value of an organization."
--- Charles Le Grand, AVP IIA, in Information Security Governance and Assurance
-
Risk Mitigation/Cyber Insurance
ISAlliance establishes Cyber Insurance Incentive Program, 2001
ISAlliance establishes Risk Management Committee, November 2002
Risk Manager Survey begins, 2003
-
Chief Technology Officers' Knowledge of their Cyber Insurance
34% incorrectly thought they were covered
36% did not have insurance
23% did not know if they had insurance
7% knew that they were insured by a specific policy
-
ISAlliance Cyber-Insurance Program
Coverage for members
Free assessment through AIG
Market incentive for increased security practices: 10% discount off best prices from AIG; additional 5% discount for implementing ISAlliance Best Practices (July 2002)
-
Risk Management Committee
Survey of ISAlliance members to provide a baseline of issues and interactions
Congressional briefing including the need for risk management in cyber security (1/30/03)
Cyber/Physical Risk Management Project
-
Step 4. Adopt and Implement Best Practices
Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
Endorsed by TechNet for CEO Security Initiative (April 2003)
Endorsed by US India Business Council (April 2003)
-
Common Sense Guide: Top Ten Practice Topics
Practice #1: General Management
Practice #2: Policy
Practice #3: Risk Management
Practice #4: Security Architecture & Design
Practice #5: User Issues
Practice #6: System & Network Management
Practice #7: Authentication & Authorization
Practice #8: Monitor & Audit
Practice #9: Physical Security
Practice #10: Continuity Planning & Disaster Recovery
-
Other ISAlliance Best Practice Publications
Common Sense Guide for Home Users and Traveling Executives (February 2003)
Common Sense Guide to Cyber Security for Small Businesses (commissioned by National Cyber Security Summit Meeting 11/03)
-
Cooperative Work on Assessment/Certification
TechNet CEO Self-Assessment Program
  Bring cyber security to the C-level based on ISA Best Practices
  Create a baseline of security even CEOs can understand
American Security Consortium 3-Party Assessment Program
  Risk Preparedness Index for assessment and certification
  Develop quantitative independent ROI for cyber security
-
ISAlliance Qualification Program
No standardized certification program exists or will exist soon
ISAlliance, in cooperation with the Big 4 and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification
ISA works with CMU CyLab on certification
-
ISAlliance/CERT Training
Concepts and Trends in Information Security
Information Security for Technical Staff
OCTAVE Method Training Workshop
Overview of Managing Computer Security Incident Response Teams
Fundamentals of Incident Handling
Advanced Incident Handling for Technical Staff
Information Survivability: an Executive Perspective
-
Public Policy
Policy must address the Internet as a new technology
No one owns the Internet
It is constantly evolving
International operation makes regulation difficult
Mandates will truncate innovation and the economy
Beware the roadmap for mischief
-
Putnam Legislation
Risk assessment
Risk mitigation
Incident response program
Tested continuity plan
Updated patch management program
Putnam has said it won't work.
-
ISAlliance Incentive Model
Model programs for market incentives: AIG, Nortel, Visa, Verizon
SemaTech Program
Tax incentives
Liability carrots
Procurement model
Research and development
-
A Coherent 10 Step Program of Cyber Security
1. Members and CERT create best practices
2. Members and CERT share information
3. Cooperate with industry and government to develop new models and products consistent with best practices
-
A Coherent Program of Cyber Security
4. Provide education and training programs based on coherent theory and measured compliance
5. Coordinate across sectors
6. Coordinate across borders
-
A Coherent Program
7. Develop the business case (ROI) for improved cyber security
8. Develop market incentives and tools for consistent maintenance of cyber security
9. Integrate sound theory and practice and evaluation into public policy
10. Constantly expand the perimeter of cyber security by adding new members
-
Benefits
Share critical information across industries and across national borders
Provide a secure setting to work on common problems
Provide economic incentive programs
Develop model industry evaluation and training programs
-
Larry Clinton, Operations Officer
Internet Security Alliance
202-236-0001