
Trends in Information Security:

Security Update 2003

Presented By:

Tina LaCroix & Jason Witty

Presentation Overview

• Introduction and Benefits of InfoSec
• Trends and Statistics
• Hacking Tools Discussion / Demonstration
• Proactive Threat and Vulnerability Management
• Security Lifecycle Recommendations
• Wrap-up / Questions

Q: In Today's Down Market, What Can:

• Give your company a competitive advantage?
• Support your reputation in the eyes of your customers and business partners?
• Demonstrate compliance to local, federal and international regulatory statutes?
• Improve system uptime and employee productivity?
• Ensure viable long term e-Commerce?

Answer: The appropriate Information Security Program.

What’s the Problem?

Your security people have to protect against thousands of security problems…

Hackers only need one thing to be missed.

But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.

Some InfoSec Statistics

• General Internet attack trends are showing a 64% annual rate of growth – Symantec
• The average [security conscious] company experienced 32 attacks per week over the past 6 months – Symantec
• The average measurable cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 – UK Dept of Trade & Industry
• Identity theft related information is selling for $50-$100 per record – LOMA Resource 12/02

Top 10 Security Laws (provided by Microsoft)

1. Technology is not a panacea
2. Security isn't about risk avoidance, it's about risk management
3. The most secure network is a well-administered one
4. There really is someone out there trying to guess your passwords
5. Eternal vigilance is the price of security
6. It doesn't do much good to install security fixes on a computer that was never secured to begin with
7. If you don't keep up with security fixes, your network won't be yours for long
8. Security only works if the secure way also happens to be the easy way
9. Nobody believes anything bad can happen to them, until it does
10. The difficulty of defending a network is directly proportional to its complexity

Computer Incident Statistics

(Chart: number of incidents handled by CERT/CC per year, from 1988 onward; vertical axis 0 to 60,000.)

• In 1988 there were only 6 computer incidents reported to CERT/CC.
• There were 52,658 reported and handled last year.

Virus Threat Evolution: The Threat is Spreading Faster

(Chart: number of infections per hour at the peak of each outbreak, plotted by year from 1998 to 2002 on a vertical axis of 0 to 7,000: Melissa, ExploreZip, LoveLetter, Anna Kournikova, CodeRed, Nimda, Klez.)

The time required for malicious code to spread to a point where it can do serious infrastructure damage halves every 18 months.

Source: Network Associates, January 2003, used with permission

General Trends in Attack Sophistication

Over time, attacks have gotten more complex, while the knowledge required to attack has gone WAY down.

(Chart: "Level of Damage Capable" rising and "Level of Knowledge Required" falling over time, each on a 0 to 10 scale.)

Information Security Threats: Attackers

• Bored IT guys…
• "Hacktivists"
• Competitors
• Terrorists
• Disgruntled (or former) employees
• Real system crackers (Hackers)
• The infamous "script kiddie"
• Increasingly… Mob sponsored professionals

Hacker Tools: Web Hacking

More Web Hacking Tools

Password Cracking Tools

Password Cracking: Windows

Need More Tools? http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download

Full Disclosure: What's That?

1. When a vulnerability is discovered, all details of that vulnerability are reported to the vendor.
2. The vendor then works on a patch for a "reasonable" amount of time.
3. The discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited.
4. Hopefully the vendor has a patch available by then.

Hacker Techniques: The Scary Reality

• Growing trend by some hackers NOT to report vulnerabilities to vendors: KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY
• Exploit services that HAVE to be allowed for business purposes (HTTP, E-Mail, etc.)
• Initiate attacks from *inside* the network
• 2002: large increase in "hacking for hire" – US Secret Service

So How Do We Protect Against All of This?

(No More of This)

Most companies can improve their information protection program…

Security Risk Management Concepts

• Information Security must be handled jointly by IT and the business you serve
• Information Security risks need to be identified and managed like any other business risk
• System, data and application lifecycle management is essential
• The business climate has radically changed in the past two years. How your company handles its confidential information is being scrutinized.

Required Security Controls

(Diagram: non-technical controls on one side, technical controls on the other.)

Non-technical: Security Strategy, Management Commitment, Security Management Structure, Awareness Program, and the written framework of Policy, Processes, Procedures, Standards and Guidelines.

Technical: controls at each OSI layer: Physical, Data Link, Network, Transport, Session, Presentation, Application.

Source: Forsythe Solutions, used with permission

Security Risk Management: IT Control Evolution

Year / "Secure Enough" Control / Security Goal

1995: Stateful firewalls and desktop anti-virus (AV)
      Goal: Keep external intruders and viruses out

1997: Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers
      Goal: Keep external intruders out, but let admins know when they do get in

2000: Above plus network AV, URL screening, host-based IDS, and VPNs
      Goal: Control and monitor all network access but allow flexibility

2002: Above plus strong authentication, application firewalls
      Goal: Protect against blended threats

Future: Gateway IDS (GIDS), application-aware proxies, integrated exposure management, standard metrics and measurements
      Goal: True enterprise security risk management

InfoSec Risk Examples

Threat / Damage / Mitigation Strategies

Web site defacement
      Damage: Loss in customer confidence, loss in revenue
      Mitigation: IT controls, user education, 24 x 7 monitoring

Data theft
      Damage: Extortion, loss of competitive advantage
      Mitigation: IT controls, user education, employee screening

Wide-spread virus infection
      Damage: System downtime, loss in productivity, loss or corruption of data
      Mitigation: IT controls, user education, email sanitization

Unauthorized network access
      Damage: Any of the above
      Mitigation: IT controls, user education, network entry point consolidation
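The "email sanitization" control listed against wide-spread virus infection is what a mail gateway does to the attachment-borne worms in the earlier chart: Melissa, LoveLetter, Anna Kournikova and Klez all travelled as executable or script attachments. The following Python is an added example, not code from the presentation or from any gateway product. It parses a constructed message, removes attachments whose last extension is executable or whose body starts with the PE "MZ" signature (which catches an .exe renamed to .txt), and replaces each removed part with a notice. The extension list and the sample message are assumptions for illustration; a production gateway also has to unpack archives and handle nested MIME.

```python
"""Mail-gateway attachment sanitizer: strip executable attachments, keep the rest."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed block list: the types the 1999-2003 mass mailers relied on.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsh", ".hta"}


def is_executable(part: EmailMessage) -> tuple[bool, str]:
    """Decide by file name AND content; renaming an .exe does not change its header."""
    name = part.get_filename() or ""
    ext = os.path.splitext(name)[1].lower()  # last suffix only, so Photo.jpg.scr -> .scr
    if ext in BLOCKED_EXTENSIONS:
        return True, f"blocked extension {ext}"
    body = part.get_payload(decode=True) or b""  # decoded bytes; None for nested multipart
    if body[:2] == b"MZ":
        return True, "PE executable header in attachment body"
    return False, ""


def sanitize(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Return (cleaned message, names of removed attachments)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    if not msg.is_multipart():
        return msg, removed  # a bare text message carries no attachments
    kept = []
    for part in msg.get_payload():
        bad, why = is_executable(part)
        if bad:
            name = part.get_filename() or "<unnamed>"
            removed.append(name)
            notice = EmailMessage()
            notice.set_content(f"[gateway removed attachment {name}: {why}]")
            kept.append(notice)  # leave the recipient a trace of what was stripped
        else:
            kept.append(part)
    msg.set_payload(kept)
    return msg, removed


def attachment_names(msg: EmailMessage) -> list[str]:
    """File names of the attachments that survived sanitization."""
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


def build_sample() -> bytes:
    """Constructed message: text body, a double-extension screensaver, a renamed PE, a harmless text file."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Here you have ;-)"
    m.set_content("kindly check the attached")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # only the DOS header magic matters here
    m.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="Photo.jpg.scr")
    m.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="readme.txt")
    m.add_attachment("quarterly numbers attached separately\n", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = sanitize(build_sample())
    print("removed:", removed)
    print("kept:", attachment_names(cleaned))
```

The content check is the part that matters: an extension list alone is defeated the moment the worm author picks a suffix not on the list, while the "MZ" test is independent of the name. The same idea extends to script bodies (a .txt that begins with "On Error Resume Next" is worth a second look) and to archives, which must be opened before the rule can be applied.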

How Much Security do We Need Today?

(Radar chart: the ten ISO 17799 control areas, each rated on a 1 to 10 scale, asking "How much is enough?")

ISO 17799 (Best Practices) control areas:

1. Security Policy
2. Security Organization
3. Classification & Control of Assets
4. Personnel Security
5. Environmental & Physical Security
6. Computer & Network Management
7. System Access Controls
8. System Development & Maintenance
9. Business Continuity Planning
10. Compliance

Source: Forsythe Solutions, used with permission

Security Risk Management Program

Should include (not an exhaustive list):
• Governance and sponsorship by senior management
• Staff and leadership education
• Implementation of appropriate technical controls
• Written enterprise security policies & standards
• Formal risk assessment processes
• Incident response capabilities
• Reporting and measuring processes
• Compliance processes
• Ties to Legal, HR, Audit, and Privacy teams

Security Risk Management: Education

One of the largest security risks in your enterprise is untrained employees – this especially includes upper management.

Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk?

Are users aware of their roles and responsibilities as they relate to information security?

Are users aware of security policies and procedures?

Do users know who to call when there are security problems?

Security Risk Management: IT Controls

The average enterprise needs Firewalls, Intrusion Detection, Authentication Systems, Proxies, URL Screening, Anti-Virus, and a slew of other things.

A major reason we need all of this technology is because systems continue to be shipped / built insecurely!!!

Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes

Security Risk Management: Selective Outsourcing

Things you might consider outsourcing:
• The cyber risk itself (Insurance, Re-insurance)
• E-mail filtering and sanitization
• 24 x 7 monitoring of security systems
• 1st level incident response (viruses, etc.)
• Password resets
• Others?

Wrap Up: What Can You Do Going Forward?

1. Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!
2. Remember that security is not a "thing" or a one time event, it is a continual process…
3. Manage security risks like other business risks
4. Conduct periodic security risk assessments that recommend appropriate security controls
5. Ensure security is inserted early in project lifecycles
6. Support your internal InfoSec team – they have a tough job managing threats and vulnerabilities

Credits

• CERT/CC
• Internet Security Alliance – http://www.isalliance.org
• Symantec – http://www.symantec.com
• UK Department of Trade and Industry
• LOMA – www.loma.org

Questions?