Larry Clinton Operations Officer Internet Security Alliance [email protected] 703-907-7028 202-236-0001


Post on 12-Jan-2016


TRANSCRIPT

  • Larry Clinton, Operations Officer, Internet Security Alliance, [email protected]

  • The Past

  • Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

  • The Present

  • The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

  • Sponsors

  • US National Strategy to Secure Cyber Space

    The vast majority of cyber attacks originate or pass through systems abroad, cross several borders and require international cooperation to stop.

  • US National Strategy to Secure Cyber Space

    The US interest in promoting cyber security extends well beyond its borders. Critical information infrastructures are directly connected to Canada, Mexico, Europe, Asia and LA. The nation's economy and security are reliant on far-flung corporations and trading partners that require secure and reliable information infrastructure to function.

  • The Threats, The Risks

    Human Agents
    - Hackers
    - Disgruntled employees
    - White collar criminals
    - Organized crime
    - Terrorists

    Methods of Attack
    - Brute force
    - Denial of Service
    - Viruses & worms
    - Back door taps & misappropriation
    - Information Warfare (IW) techniques

    Exposures
    - Information theft, loss & corruption
    - Monetary theft & embezzlement
    - Critical infrastructure failure
    - Hacker adventures, e-graffiti/defacement
    - Business disruption

    Representative Incidents
    - Code Red, Nimda, Sircam
    - CD Universe extortion, e-Toys Hactivist campaign
    - Love Bug, Melissa Viruses

  • Attack Sophistication v. Intruder Technical Knowledge

    [Chart. Vertical axis: High to Low. Horizontal axis: 1980, 1985, 1990, 1995, 2000. Curves: Attack Sophistication (Tools) and Intruder Knowledge (Attackers). Labelled techniques: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks.]

  • The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC, 1995-2002

    Year    Vulnerabilities
    1995    171
    1996    345
    1997    311
    1998    262
    1999    417
    2000    1,090
    2001    2,437
    2002    4,129

  • Growth in Incidents Reported to the CERT/CC

    Year    Incidents
    1988    6
    1989    132
    1990    252
    1991    406
    1992    773
    1993    1,334
    1994    2,340
    1995    2,412
    1996    2,573
    1997    2,134
    1998    3,734
    1999    9,859
    2000    21,756
    2001    55,100
    2002    110,000

  • Machines Infected per Hour at Peak

  • Computer Virus Costs (in billions) (Through Oct 7)

    [Chart. Axis: $ billion.]

  • Economic Impact of Cyber Attacks

    Estimates of total world-wide losses attributable to virus and worm attacks in 2003 range from $13 billion due to viruses and worms only to $226 billion for all forms of overt attacks.

    Source: Congressional Research Service Report to Congress, April 2004

  • Largest Study Ever Conducted Finds: (PricewaterhouseCoopers, Sept. 10 2004)

    Actual Spending on Security is flat

    Most plan to increase security spending

    The greatest barrier to effective security is inadequate budget

  • Companies Integrating Internet into Security

    58% North America

    41% Asia

    37% South America

    36% Europe

  • Data Protection as part of Policy

    North America 51%

    Asia 44%

    Europe 40%

    South America 24%

  • A Coherent 10 step Program of Cyber Security

    1. Members and CERT create best practices

    2. Members and CERT share information

    3. Cooperate with industry and government to develop new models and products consistent with best practices

  • A Coherent Program of Cyber Security

    4. Provide Education and Training programs based on coherent theory and measured compliance

    5. Coordinate across sectors

    6. Coordinate across borders

  • A coherent program

    7. Develop the business case (ROI) for improved cyber security

    8. Develop market incentives and tools for consistent maintenance of cyber security

    9. Integrate sound theory and practice and evaluation into public policy

    10. Constantly expand the perimeter of cyber security by adding new members

  • ISA Security Anchor Proposal

    Go beyond isolated conferences to a full service trade association for cyber security providing on-going services in:
    - Information sharing on threats and incidents
    - Best practices/standards/assessment development
    - Locally-based education and training
    - Domestic & international policy development
    - Develop market incentives for cyber security

  • ISA Wholesale Membership Program

    Method of Reaching Smaller Companies

    Trade Associations join for ISA lowest rate.

    ALL their small members receive full associate services FREE OF CHARGE

  • Wholesale Services

    FREE Best Practices Guide for Small Businesses

    FREE On-Line assessment and suggestions

    FREE access to secure Portal with news on Emerging threats, vulnerabilities & what to do

    FREE meetings/calls with experts

    FREE Newsletter on Cyber & Physical for SB

  • Larry Clinton, Operations Officer, Internet Security Alliance, [email protected]

    There wasn't much to the then ARPAnet in 1980: a few machines connected by links that were slow by today's standards. They were at research facilities, government, military, and contractors.

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
    Credit should go to Bell Labs Internet Mapping Project. This map appeared in the December 1998 Wired.

    Colors denote related IP addresses. Pink is MCI, the magnetic north of the Internet according to Bill Cheswick. They used traceroute among 61,000 routers around the world, as of 12/98.

    Vulnerability: a set of conditions in a software system that allows an intruder to violate an implicit or explicit security policy.

    Examples include:
    - phf (remote command execution as user "nobody")
    - rpc.ttdbserverd (remote command execution as root)
    - world-writeable password file (modification of system-critical data)
    - default password (remote command execution or other access)
    - denial of service problems that allow an attacker to cause a Blue Screen of Death
    - smurf (denial of service by flooding a network)

    The number of vulnerabilities reported to CERT/CC went up 160% in 2000 [417 to 1090] and 124% in 2001 [1090 to 2437]. Vulnerabilities reported through 3Q02 are 3222, which for the year equals (est) 4296, a projected 76% increase.

    CERT only releases approximately 10% of what we know about current vulnerabilities. We have significant evidence that indicates that once more information than this is released, the vulnerabilities are more broadly exploited with negative consequences.

    Incident: Any real or suspected adverse event in relation to the security of computer systems or networks; the act of violating an explicit or implied security policy.

    Examples include:
    - failed or successful attempts to gain unauthorized access to a system or its data
    - unwanted disruption or denial of service
    - the unauthorized use of a system for the processing or storage of data
    - changes to systems without the owner's consent
    - the occurrence of computer viruses
    - probes (single attempt) or scans (multiple attempts) for vulnerabilities via the network to a range of computer systems

    The number of incidents reported to CERT/CC went up 250% in 1999 [3734 to 9859], 220% in 2000 [9859 to 21756], 240% in 2001 [21756 to 52658]. Incidents reported through 3Q02 are 73,359, which for the year equals (est) 97,812, a projected 86% increase.

    Why has this happened?
    - more computers
    - more at stake
    - more people reporting
    - CERT better known
    - more incidents