2004 02 02 Dave McCurdy India Presentation


  • 7/31/2019 2004 02 02 Dave McCurdy India Presentation

    1/48

    Dave McCurdy, Executive Director, Internet Security Alliance; President, Electronic Industries Alliance

  • 2/48

    Electronic Industries Alliance: The Whole is Greater Than the Sum of the Individual Parts

    Telecommunications Industry Association (TIA)
    Solid State and Semiconductor Technology (JEDEC)
    NSTEP: National Science & Technology Education Partnership (Foundation)
    Affiliates
    Consumer Electronics Association (CEA)
    Government Electronics & Information Technology Association (GEIA)
    Electronic Components, Assemblies & Materials Association (ECA)
    Electronic Representative Association (ERA)
    Internet Security Alliance (ISAlliance)
    National Association of Relay Manufacturers (NARM)

  • 3/48

    Electronic Industries Alliance Mission

    EIA the Alliance: Promote market development and competitiveness of the high-tech industry through domestic and international policy efforts.

    EIA the Entity:
    Serves as a common voice for industry to educate policymakers and the public
    Addresses sustained and critical issues important to the constituent industry
    Mobilizes the industry on critical issues
    Coordinates policies and strategies with all allied associations
    Promotes standards that serve the industry

  • 4/48

    Electronic Industries Alliance

    Brings together top-level government officials and corporate leaders.
    Each of the past four U.S. presidents and other major policy makers meet with EIA.
    EIA provides the major US tech link to international organizations.

  • 5/48

    The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

  • 6/48

    (no transcribed text for this slide)

  • 7/48

    ISAlliance = Power-Synergy

    Draws on the political muscle of EIA and its 80-year history in technology policy, market development and standards creation.
    Draws on the internet security expertise of the CERT at Carnegie Mellon.
    Draws on an international membership to bring cohesion and focus to issues.

  • 8/48

    ISAlliance International: India Participation

    ISAlliance has active members on 4 continents.
    20% of the ISAlliance Board are non-US based companies; the Board Chair is from CW of England.
    TCS is the ISAlliance Founding Sponsor from India.
    TCS has offered to become the first ISAlliance Security Anchor.

  • 9/48

    Outline of Today's Presentation

    The substance and politics of outsourcing in the United States today
    The relationship between security issues and outsourcing, and its potential effect on public policy and international business cooperation
    A proposal for NASSCOM and its member companies to formally join/work together

  • 10/48

    Economics of Offshore Outsourcing for the US

    The U.S. is now facing a third consecutive year of job losses.
    Last summer the US lost a quarter million jobs, while US firms shipped 30,000 new service jobs to India.
    Estimates are that during the next 15 years the US will lose 3.3 million jobs to foreign companies, along with $136 billion in lost wages.

  • 11/48

    Positive Aspects of Outsourcing to India

    India provides significant assets for high-tech companies: a highly-educated workforce well-versed in math and science and possessing engineering degrees comparable to U.S. colleges and universities.
    India is becoming an increasingly important member of the international economic community.
    This strength could also bring better relations between the U.S. and India, and a vested interest in international security.

  • 12/48

    The US Politics of Outsourcing to India

    The U.S. faces a job-loss economic recovery.
    Homeland security, including cyber security, continues to have strong political appeal.
    The AFL-CIO (the largest union in the US) has mobilized support around the country for legislation that calls for an outright ban on overseas contracting (Wash Post 1/31/04).

  • 13/48

    Results of Political Pressure in US

    In November the state of Indiana canceled a $15 million contract with an Indian company due to public outcry over outsourcing.
    Last year 8 states considered legislation to ban contracts using overseas workers; none passed, but more pressure is expected.
    On Jan 23 2004 President Bush signed into law a provision prohibiting certain government contracts to companies performing the work overseas.

  • 14/48

    New US law is tip of the Iceberg

    THE LAW IS LIMITED
    1. It pertains to only a narrow range of mostly transportation contracts.
    2. It is already set to expire in September.
    3. Very few contracts are likely to be affected.

    THE LAW IS A WARNING
    1. State bills defeated last year have a better chance now.
    2. Congress and the Administration are now on record as willing to take aggressive action.

  • 15/48

    What Drives the Outsourcing Politics?

    Speaking of the new US federal law in Saturday's Washington Post, Stan Soloway (Pres. US Professional Service Council) is quoted as saying: he knows of no such competitions that have resulted in jobs going overseas. (It is) security restrictions that keep government contractors from using foreign workers. (Wash. Post 1/31/04)

  • 16/48

    A Security Focus may be a good approach for India

    India is considered to have a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Poorer nations often don't have laws protecting foreign companies and rarely enforce whatever laws may exist.
    India's membership in WTO and adherence to TRIPS will help reduce fear.

  • 17/48

    US also needs a focus on Internet Security

    1. Concerns about offshore-related security are on the rise.
    2. The shift to higher-level outsourcing will put security more in the spotlight. Database testing offers a higher level of risk than application development and maintenance.
    3. US industry must develop cooperative policies, or high-tech companies will be penalized by those who are not as familiar with the issues or who wish to capitalize on the misfortunes of voters.

  • 18/48

    Growth in Incidents Reported to the CERT/CC

    (Bar chart, 1988 through 2002; y-axis 0 to 120,000 incidents. Values as labelled on the slide:)

    Year  Incidents
    1988  6
    1989  132
    1990  252
    1991  406
    1992  773
    1993  1,334
    1994  2,340
    1995  2,412
    1996  2,573
    1997  2,134
    1998  3,734
    1999  9,859
    2000  21,756
    2001  55,100
    2002  110,000

  • 19/48

    The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

    (Bar chart, 1995 through 2002; y-axis 0 to 4,500 vulnerabilities. Values as labelled on the slide:)

    Year  Vulnerabilities
    1995  171
    1996  345
    1997  311
    1998  262
    1999  417
    2000  1,090
    2001  2,437
    2002  4,129

  • 20/48

    The Threats / The Risks

    Human Agents: Hackers; Disgruntled employees; White collar criminals; Organized crime; Terrorists
    Methods of Attack: Brute force; Denial of Service; Viruses & worms; Back door taps & misappropriation; Information Warfare (IW) techniques
    Exposures: Information theft, loss & corruption; Monetary theft & embezzlement; Critical infrastructure failure; Hacker adventures, e-graffiti/defacement; Business disruption
    Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys Hactivist campaign; Love Bug, Melissa viruses

  • 21/48

    Attack Sophistication v. Intruder Technical Knowledge

    (Chart: x-axis 1980 to 2000; y-axis Low to High. Two curves are plotted, Attack Sophistication (labelled Tools) and Intruder Knowledge (labelled Attackers). Tool and technique labels along the timeline, in the order extracted from the slide:)

    password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; stealth / advanced scanning techniques; burglaries; network mgmt. diagnostics; DDOS attacks

  • 22/48

    Discovered Virus Threats Per Day

    (Bar chart: x-axis 1991 through 2003 (2003 Est); y-axis 0 to 70 threats per day. Bar values are not labelled on the slide.)

  • 23/48

    The Speed of Attacks Accelerates

    Slammer (January 2003):
    Blended threat exploits known vulnerability
    Global in 3 minutes
    Enterprises scramble to restore business availability

    MYDOOM (January 2004): Even Faster

  • 24/48

    Machines Infected per Hour at Peak

    (Bar chart for Code Red, Nimda, Goner and Slammer; y-axis 0 to 100,000 machines per hour. Bar values are not labelled on the slide.)

  • 25/48

    Computer Virus Costs (in billions)

    (Bar chart, '96 through '03 (2003 through Oct 7); y-axis 0 to 150 $ billion, with a "Range" marker. Bar values are not labelled on the slide.)

  • 26/48

    ISA Security Anchor Proposal

    Go beyond isolated conferences to a full service trade association for cyber security providing on-going services in:
    Information sharing on threats and incidents
    Best practices/standards/assessment development
    Locally-based education and training
    Domestic & international policy development
    Develop market incentives for cyber security

  • 27/48

    What Indian Partners Can Do:

    Become Security Anchors in India: TCS will be a Security Anchor in India; other companies or Associations may also apply
    Join ISAlliance, be a conduit for ISAlliance services
    Work jointly on projects of mutual benefit
    Work jointly on increasing confidence in free market policies in the Internet age
    Work jointly on developing Return on Investment programs in cyber-security

  • 28/48

    ISAlliance/CERT Knowledgebase Examples

  • 29/48

    Benefits of Information Sharing Organizations

    May lessen the likelihood of attack: Organizations that share information about computer break-ins are less attractive targets for malicious attackers. (NYT 2003)
    Participants in information sharing have the ability to better prepare for attacks.

  • 30/48

    Benefits of Information Sharing Organizations

    SNMP vulnerability: CERT notified Alliance members Oct. 2001; publicly disclosed Feb. 2002.
    Slammer worm: CERT notified Alliance members May 2002; worm exploited Jan. 2003.

  • 31/48

    Why ISA Info Sharing Works

    Carnegie Mellon/CERT leadership and credibility
    History and regularity build up trust
    Enforcing the rules builds trust
    Cross-sector/international model lessens competitive concerns
    Success breeds greater success

  • 32/48

    A Risk Management Approach is Needed

    "Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure."
    National Plan to Secure Cyberspace, 2/14/03

  • 33/48

    Chief Technology Officers' Knowledge of their Cyber Insurance

    34% Incorrectly thought they were covered
    36% Did not have insurance
    23% Did not know if they had insurance
    7% Knew that they were insured by a specific policy

  • 34/48

    ISAlliance Cyber-Insurance Program

    Coverage for members
    Free Assessment through AIG
    Market incentive for increased security practices
    10% discount off best prices from AIG
    Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

  • 35/48

    Adopt and Implement Best Practices

    Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
    Endorsed by TechNet for CEO Security Initiative (April 2003)
    Endorsed by US India Business Council (April 2003)

  • 36/48

    Common Sense Guide: Top Ten Practice Topics

    Practice #1: General Management
    Practice #2: Policy
    Practice #3: Risk Management
    Practice #4: Security Architecture & Design
    Practice #5: User Issues
    Practice #6: System & Network Management
    Practice #7: Authentication & Authorization
    Practice #8: Monitor & Audit
    Practice #9: Physical Security
    Practice #10: Continuity Planning & Disaster Recovery

  • 37/48

    Other ISAlliance Best Practice Publications

    Common Sense Guide for Home Users and Traveling Executives (February 2003)
    Common Sense Guide to Cyber Security for Small Businesses (Commissioned by National Cyber Security Summit Meeting 11/03)

  • 38/48

    Cooperative work on assessment/certification

    TechNet CEO Self-Assessment Program:
    Bring cyber security to the C-level based on ISA Best Practices
    Create a baseline of security even CEOs can understand

    Global Security Consortium 3-Party Assessment program:
    Risk Preparedness Index for assessment as Qualified Member
    Develop quantitative independent ROI for cyber security

  • 39/48

    ISAlliance Qualification Program

    No Standardized Certification Program exists or will exist soon.
    ISAlliance, in cooperation with the big 4 accounting firms and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification.
    ISA works with CMU CyLab on Certification.

  • 40/48

    ISAlliance/CERT Training

    Concepts and Trends In Information Security
    Information Security for Technical Staff
    OCTAVE Method Training Workshop
    Overview of Managing Computer Security Incident Response Teams
    Fundamentals of Incident Handling
    Advanced Incident Handling for Technical Staff
    Information Survivability: an Executive Perspective

  • 41/48

    Public Policy

    Policy must address the Internet as a new technology
    No one owns the Internet
    It is constantly evolving
    International operation makes regulation difficult
    Mandates will truncate innovation and the economy

  • 42/48

    Putnam Legislation

    Risk assessment
    Risk mitigation
    Incident response program
    Tested continuity plan
    Updated patch management program
    Putnam has said industry-led Internet Security efforts won't work.

  • 43/48

    ISAlliance Incentive Model

    Model Programs for market Incentives: AIG, Nortel, Visa, Verizon
    SemaTech Program
    Tax Incentives
    Liability Carrots
    Procurement Model
    Research and Development

  • 44/48

    A Coherent 10 step Program of Cyber Security

    1. Members and CERT create best practices
    2. Members and CERT share information
    3. Cooperate with industry and government to develop new models and products consistent with best practices

  • 45/48

    A Coherent Program of Cyber Security

    4. Provide Education and Training programs based on coherent theory and measured compliance
    5. Coordinate across sectors
    6. Coordinate across borders

  • 46/48

    A coherent program

    7. Develop the business case (ROI) for improved cyber security
    8. Develop market incentives and tools for consistent maintenance of cyber security
    9. Integrate sound theory and practice and evaluation into public policy
    10. Constantly expand the perimeter of cyber security by adding new members

  • 47/48

    Benefits

    Share critical information across industries and across national borders
    Provide a secure setting to work on common problems
    Provide economic incentive programs
    Develop model industry evaluation and training programs

  • 48/48

    For Additional Information

    Dave McCurdy [email protected]
    Larry Clinton [email protected]