2008 06 07 larry clinton rochester presentation about evolving threat and best practices
TRANSCRIPT
-
7/31/2019 2008 06 07 Larry Clinton Rochester Presentation About Evolving Threat and Best Practices
1/38
The Evolving Threat: Today's cyber security challenges and solutions
Larry Clinton, President,
Internet Security Alliance
Sponsors
The Past
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Present
The earlier threat landscape
Human Agents
- Hackers
- Disgruntled employees
- White collar criminals
- Organized crime
- Terrorists
Methods of Attack
- Brute force
- Denial of Service
- Viruses & worms
- Back door taps & misappropriation
- Information Warfare (IW) techniques
Exposures
- Information theft, loss & corruption
- Monetary theft & embezzlement
- Critical infrastructure failure
- Hacker adventures, e-graffiti/defacement
- Business disruption
Representative Incidents
- Code Red, Nimda, Sircam
- CD Universe extortion, e-Toys Hacktivist campaign
- Love Bug, Melissa viruses
- SoBIG, SLAMMER
The earlier threat: cyber incidents
(Chart: reported incidents per year, 1988-2002, values as printed on the slide)
1988: 6
1989: 132
1990: 252
1991: 406
1992: 773
1993: 1,334
1994: 2,340
1995: 2,412
1996: 2,573
1997: 2,134
1998: 3,734
1999: 9,859
2000: 21,756
2001: 55,100
2002: 110,000
The changing threat
- The fast-moving virus or worm pandemic is not the threat.
- 2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
- 2005: there were only 6.
- This year: 0.
The changing threat
- Today, attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems.
- Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, printers, wireless devices) that require some degree of user interaction.
Digital Growth?
- "Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth."
---Stanford University Study, July 2006
Sure
Digital Defense?
- 29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year.
- 50% of Senior Executives said they did not know how much money was lost due to attacks.
Source: PricewaterhouseCoopers survey of 7,000 companies, 9/06
Maybe Not
Digital Defense
- 23% of CTOs did not know if cyber losses were covered by insurance or not.
- 34% of CTOs thought their cyber losses would be covered by insurance, and were wrong.
- The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg
NOT
Incidents & Losses 2004-2006
(Charts, values as printed on the slide)
Average number of security incidents per participant: 2004: 136; 2005: 86; 2006: 34
Percentage that experienced losses as a result (financial / operational): 2004: 25% / 56%; 2005: 28% / 55%; 2006: 40% / 63%
---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)
Economic Effects of Attacks
- 25% of our wealth---$3 trillion---is transmitted over the Internet daily.
- FBI: Cyber crime cost business $26 billion (probably a LOW estimate).
- Financial Institutions are generally considered the safest---their losses were up 450% in the last year.
- There are more electronic financial transactions than paper checks now.
- 1% of cyber crooks are caught.
Cyber Attacks' Effect on Stock Price
- "Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million."
- Source: US Congressional Research Service 2004
Indirect Economic Effects of Cyber Attacks
- "While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economic and societal confidence."
- Source: Carnegie Mellon CyLab 2007
Can it be stopped?
- PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types.
- Approximately 25% of the companies surveyed were found to have followed recognized best practices for cyber security.
Yes!
Benefits of Best Practices
- Reduces the number of successful attacks
- Reduces the amount of down-time suffered from attacks
- Reduces the amount of money lost from attacks
- Reduces the motivation to comply with extortion threats
Senior Managers' Best Practices
- Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
- Endorsed by TechNet for CEO Security Initiative (April 2003)
- Endorsed by US India Business Council (April 2003)
ISALLIANCE BEST PRACTICES
- Practice #1: General Management
- Practice #2: Policy
- Practice #3: Risk Management
- Practice #4: Security Architecture & Design
- Practice #5: User Issues
- Practice #6: System & Network Management
- Practice #7: Authentication & Authorization
- Practice #8: Monitor & Audit
- Practice #9: Physical Security
- Practice #10: Continuity Planning & Disaster Recovery
Percentage of Participants Who Experienced an Insider Incident
(Chart, values as printed on the slide): 2004: 41%; 2005: 39%; 2006: 55%
Insider Incidents - 2006
Insiders committed more theft of IP & other proprietary information and sabotage than outsiders
Incident type               | Total (%) | Insider (%) | Outsider (%)
Theft of IP                 | 30        | 63          | 45
Theft of proprietary info.  | 36        | 56          | 49
Sabotage                    | 33        | 49          | 41
Most common insider incidents in 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%)
Insider Methods - 2006
(Chart: % of organizations, by method; bar values not recoverable from the slide text)
Methods shown: Compromised Account, Sys. Admin. Access, Remote Access, Social Engineering, Backdoors, PW Crackers, Malicious Code, Logic Bomb
ISA Best Practices for Insider Threat Prevention & Mitigation
- PRACTICE #1: Institute periodic enterprise-wide risk assessments.
- PRACTICE #2: Institute periodic security awareness training for all employees.
- PRACTICE #3: Enforce separation of duties and least privilege.
- PRACTICE #4: Implement strict password and account management policies and practices.
- PRACTICE #5: Log, monitor, and audit employee online actions.
- PRACTICE #6: Use extra caution with system administrators and privileged users.
- PRACTICE #7: Actively defend against malicious code.
- PRACTICE #8: Use layered defense against remote attacks.
ISA Best Practices for Insider Threat Prevention & Mitigation (continued)
- PRACTICE #9: Monitor and respond to suspicious or disruptive behavior.
- PRACTICE #10: Deactivate computer access following termination.
- PRACTICE #11: Collect and save data for use in investigations.
- PRACTICE #12: Implement secure backup and recovery processes.
- PRACTICE #13: Clearly document insider threat controls.
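Practices #5, #6, #10 and #11 above describe controls an organization can check mechanically. The script below is an added example, not material from the presentation or from ISAlliance: it reconciles an HR termination list against a directory export and a set of logon records, flags accounts that are still enabled past their termination date (with no grace period for privileged accounts, per Practice #6) and reports any logon recorded after termination so the record can be kept for investigation. All account names, dates and logon records are constructed sample data.

```python
"""Offboarding reconciliation (added example; constructed data, hypothetical names).

Checks, for each terminated user:
  - account still enabled after the termination deadline (Practice #10)
  - privileged accounts get no grace period (Practice #6)
  - any logon dated after termination (Practices #5 and #11)
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


# Constructed HR termination records: username -> last day of employment
HR_TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2008, 5, 30),
    "asmith": date(2008, 6, 2),
    "bwong": date(2008, 6, 6),
}

# Constructed directory export (e.g. what an LDAP/AD dump would give you)
DIRECTORY: List[Account] = [
    Account("jdoe", enabled=True, privileged=False),    # still enabled, should be off
    Account("asmith", enabled=False, privileged=True),  # correctly disabled
    Account("bwong", enabled=True, privileged=True),    # privileged: no grace allowed
    Account("clee", enabled=True, privileged=False),    # current employee
]

# Constructed logon records: (username, timestamp, source system)
LOGONS: List[Tuple[str, datetime, str]] = [
    ("jdoe", datetime(2008, 6, 3, 22, 15), "vpn"),
    ("asmith", datetime(2008, 6, 1, 9, 0), "workstation"),
    ("clee", datetime(2008, 6, 6, 8, 30), "workstation"),
]


def reconcile(terminations: Dict[str, date], directory: List[Account],
              logons: List[Tuple[str, datetime, str]], grace_days: int = 0,
              as_of: Optional[date] = None) -> List[Finding]:
    """Return findings for terminated users whose access outlived their termination."""
    as_of = as_of or date.today()
    by_name = {a.username: a for a in directory}
    findings: List[Finding] = []

    for user, term_date in terminations.items():
        acct = by_name.get(user)
        if acct is None:
            continue  # already removed from the directory: nothing left to flag
        # Privileged accounts must be disabled on the termination date itself.
        deadline = term_date if acct.privileged else term_date + timedelta(days=grace_days)
        if acct.enabled and as_of > deadline:
            issue = ("privileged account enabled after termination" if acct.privileged
                     else "account enabled after termination")
            findings.append(Finding(user, issue, f"terminated {term_date}, still enabled on {as_of}"))

    for user, ts, source in logons:
        term_date = terminations.get(user)
        # A logon on a day after the termination date is evidence worth preserving.
        if term_date is not None and ts.date() > term_date:
            findings.append(Finding(user, "logon after termination",
                                    f"{ts.isoformat()} via {source}, terminated {term_date}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_TERMINATIONS, DIRECTORY, LOGONS, grace_days=1, as_of=date(2008, 6, 7)):
        print(f"{f.username:8} {f.issue:45} {f.detail}")
```

Run against the constructed data with a one-day grace period as of 2008-06-07, it reports three findings: jdoe's account is still enabled and was used over VPN four days after termination, and bwong's privileged account is enabled a day after termination (inside the grace period, but privileged accounts get none). asmith and clee produce nothing.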
ISA Best Practices: Model Contracts
Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and
Volume II: published June 2007 with ANSI, gives greater emphasis to standards-based information security controls.
(www.isalliance.org)
Why Doesn't Everyone Comply with the Best Practices?
- "Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized."
---Stanford University 06
There's More!!!
- Increase in supply chain information access (50%)
- Improved product handling (43%)
- Reduction in cargo delays (48% reduction in inspections)
- Reduction in transit time (29%)
- Reduction in problem identification time (30%)
- Higher customer satisfaction (26%)
Security, like Digital Technology, must be Integrated in the Business Plan
- "Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan."
---PricewaterhouseCoopers, Sept 2006
So, how do we do that?
- We have a changing technology environment
- We have a changing business model
- We have a constantly changing legal and regulatory environment
Business must take the lead
Characteristics of Effective Security Governance
1. Security is an Enterprise Wide Issue: horizontally, vertically and cross-functionally throughout the org.
2. Leaders are Accountable: to the org., stakeholders and the community (it's a shared resource).
3. Viewed as a Business Requirement: aligned with organizational strategic goals; business units don't decide how much security they want.
Effective Security Governance
4. Risk Based: how much is based on tolerance for exposure (compliance, liability, operational disruptions, financial or reputation).
5. Roles and Responsibilities Defined: clear lines of delineation as to who does what and reports to whom.
6. Addressed and Enforced in Policy: rewards and recognition included.
Effective Security Governance
7. Adequate Resources are Committed: including authority and time to build and maintain core competencies.
8. Staff Aware and Trained: reflected in job descriptions and expected as a cultural norm.
9. A Developmental Life Cycle: system software development, acquisitions, operations and retirement.
Effective Security Governance
10. Planned, Managed, Measured: clear objectives measured with results integrated into future plans.
11. Reviewed and Audited: board audit and risk committees conduct regular reviews and integrate digitalization into the business plan---both positive and negative.
Cyber Security is NOT an IT problem
- Issues must be addressed simultaneously from the:
  - Legal
  - Business
  - Technology
  - Policy
  perspectives
(Diagram: PROBLEM / ISSUE at the center, surrounded by BUS/OPERATIONAL, LEGAL/REG, TECH/R&D and POLICY)
ISAlliance Integrated Business Security Program
- Outsourcing
- Risk Management
- Security Breach Notification
- Privacy
- Insider Threats
- Auditing
- Contractual Relationships (suppliers, partners, sub-contractors, customers)
Larry Clinton
President
Internet Security Alliance
[email protected]
703 907 7028 (O) 202 236 0001 (C)