2004 02 02 Dave McCurdy India Presentation
7/31/2019 2004 02 02 Dave McCurdy India Presentation
1/48
Dave McCurdy
Executive Director, Internet Security Alliance
President, Electronic Industries Alliance
-
2/48
Electronic Industries Alliance
The Whole is Greater Than the Sum of the Individual Parts
Telecommunications Industry Association (TIA)
Solid State and Semiconductor Technology (JEDEC)
NSTEP National Science & Technology Education Partnership (Foundation)
Affiliates
Consumer Electronics Association (CEA)
Government Electronics & Information Technology Association (GEIA)
Electronic Components, Assemblies & Materials Association (ECA)
Electronic Representative Association (ERA)
Internet Security Alliance (ISAlliance)
National Association of Relay Manufacturers (NARM)
-
3/48
Electronic Industries Alliance
Mission
EIA the Alliance: Promotes market development and competitiveness of the high-tech industry through domestic and international policy efforts.
EIA the Entity: Serves as a common voice for industry to educate policymakers and the public
Addresses sustained and critical issues important to the constituent industry
Mobilizes the industry on critical issues
Coordinates policies and strategies with all allied associations
Promotes standards that serve the industry
-
4/48
Electronic Industries Alliance
Brings together top-level government officials and corporate leaders.
Each of the past four U.S. presidents and other major policy makers meet with EIA.
EIA provides major US tech link to international organizations
-
5/48
The Internet Security Alliance
The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.
-
7/48
ISAlliance = Power-Synergy
Draws on the political muscle of EIA and its 80-year history in technology policy, market development and standards creation.
Draws on the internet security expertise of the CERT at Carnegie Mellon
Draws on an international membership to bring cohesion and focus to issues
-
8/48
ISAlliance International: India Participation
ISAlliance has active members on 4 continents
20% of ISAlliance Board are non-US based companies
Board Chair is from CW of England
TCS is the ISAlliance Founding Sponsor from India
TCS has offered to become the first ISAlliance Security Anchor
-
9/48
Outline of Today's Presentation
The substance and politics of outsourcing in the United States today
The relationship between security issues and outsourcing and its potential effect on public policy and international business cooperation.
A proposal for NASSCOM and its member companies to formally join/work together
-
10/48
Economics of Offshore Outsourcing for the US
The U.S. is now facing a third consecutive year of job losses.
Last summer the US lost a quarter million jobs, while US firms shipped 30,000 new service jobs to India.
Estimates are that during the next 15 years the US will lose 3.3 million jobs to foreign companies along with $136 billion in lost wages.
-
11/48
Positive Aspects of Outsourcing to India
India provides significant assets for high-tech companies: a highly-educated workforce well-versed in math and science and possessing engineering degrees comparable to U.S. colleges and universities.
India is becoming an increasingly important member of the international economic community.
This strength could also bring better relations between the U.S. and India, and a vested interest in international security.
-
12/48
The US Politics of Outsourcing to India
The U.S. faces a job-loss economic recovery.
Homeland security, including cyber security, continues to have strong political appeal.
The AFL-CIO (the largest union in the US) has mobilized support around the country for legislation that calls for an outright ban on overseas contracting (Wash Post 1/31/04)
-
13/48
Results of Political Pressure in US
In November the state of Indiana canceled a $15 million contract with an Indian company due to public outcry over outsourcing.
Last year 8 states considered legislation to ban contracts using overseas workers; none passed but more pressure is expected
On Jan 23 2004 President Bush signed into law a provision prohibiting certain government contracts to companies performing the work overseas.
-
14/48
New US law is tip of the Iceberg
THE LAW IS LIMITED
1. It pertains to only a narrow range of mostly transportation contracts.
2. It is already set to expire in September
3. Very few contracts are likely to be affected
THE LAW IS A WARNING
1. State bills defeated last year have a better chance now
2. Congress and the Administration are now on record as willing to take aggressive action
-
15/48
What Drives the Outsourcing Politics?
Speaking of the new US federal law in Saturday's Washington Post, Stan Soloway (Pres. US Professional Service Council) is quoted as saying: he knows of no such competitions that have resulted in jobs going overseas. (It is) security restrictions that keep government contractors from using foreign workers. (Wash. Post 1/31/04)
-
16/48
A Security Focus may be a good approach for India
India is considered to have a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Poorer nations often don't have laws protecting foreign companies and rarely enforce whatever laws may exist.
India's membership in WTO and adherence to TRIPS will help reduce fear.
-
17/48
US also needs a focus on Internet Security
1. Concerns about offshore-related security are on the rise.
2. Shift to higher-level outsourcing will put security more in the spotlight. Database testing offers a higher level of risk than application development and maintenance.
3. US industry must develop cooperative policies, or high-tech companies will be penalized by those who are not as familiar with the issues or who wish to capitalize on the misfortunes of voters.
-
18/48
Growth in Incidents Reported to the CERT/CC
Year  Incidents reported
1988  6
1989  132
1990  252
1991  406
1992  773
1993  1,334
1994  2,340
1995  2,412
1996  2,573
1997  2,134
1998  3,734
1999  9,859
2000  21,756
2001  55,100
2002  110,000
-
19/48
The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC
Year  Vulnerabilities reported
1995  171
1996  345
1997  311
1998  262
1999  417
2000  1,090
2001  2,437
2002  4,129
-
20/48
The Threats
Human Agents: Hackers; Disgruntled employees; White collar criminals; Organized crime; Terrorists
Methods of Attack: Brute force; Denial of Service; Viruses & worms; Back door taps & misappropriation; Information Warfare (IW) techniques
The Risks
Exposures: Information theft, loss & corruption; Monetary theft & embezzlement; Critical infrastructure failure; Hacker adventures, e-graffiti/defacement; Business disruption
Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys Hactivist campaign; Love Bug, Melissa Viruses
-
21/48
Attack Sophistication v. Intruder Technical Knowledge
[Chart: x-axis 1980 to 2000; y-axis Low to High; curves labeled Attack Sophistication and Intruder Knowledge; series labeled Tools and Attackers. Milestones as labeled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks]
-
22/48
Discovered Virus Threats Per Day
[Chart: threats discovered per day by year, 1991 through 2003 (Est); y-axis 0 to 70]
-
23/48
The Speed of Attacks Accelerates
Slammer (January 2003)
Blended threat exploits known vulnerability
Global in 3 minutes
Enterprises scramble to restore business availability
MYDOOM (January 2004): Even Faster
-
24/48
Machines Infected per Hour at Peak
[Chart: bars for Code Red, Nimda, Goner, Slammer; y-axis 0 to 100,000 machines per hour]
-
25/48
Computer Virus Costs (in billions)
[Chart: $ billion by year, '96 through '03; y-axis 0 to 150; labels: Range, (Through Oct 7)]
-
26/48
ISA Security Anchor Proposal
Go beyond isolated conferences to a full service trade association for cyber security providing on-going services in:
Information sharing on threats and incidents
Best practices/standards/assessment development
Locally-based education and training
Domestic & international policy development
Develop market incentives for cyber security
-
27/48
What Indian Partners Can Do:
Become Security Anchors in India: TCS will be a Security Anchor in India; other companies or Associations may also apply
Join ISAlliance, be a conduit for ISAlliance services
Work jointly on projects of mutual benefit
Work jointly on increasing confidence in free market policies in the Internet age
Work jointly on developing Return on Investment programs in cyber-security
-
28/48
ISAlliance/CERT Knowledgebase Examples
-
29/48
Benefits of Information Sharing Organizations
May lessen the likelihood of attack: Organizations that share information about computer break-ins are less attractive targets for malicious attackers. (NYT 2003)
Participants in information sharing have the ability to better prepare for attacks
-
30/48
Benefits of Information Sharing Organizations
SNMP vulnerability: CERT notified Alliance members Oct. 2001; publicly disclosed Feb. 2002
Slammer worm: CERT notified Alliance members May 2002; worm exploited Jan. 2003
-
31/48
Why ISA Info Sharing Works
Carnegie Mellon/CERT leadership and credibility
History and regularity build up trust
Enforcing the rules builds trust
Cross-sector/international model lessens competitive concerns
Success breeds greater success
-
32/48
A Risk Management Approach is Needed
"Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure."
National Plan to Secure Cyberspace, 2/14/03
-
33/48
Chief Technology Officers' Knowledge of their Cyber Insurance
34% Incorrectly thought they were covered
36% Did not have insurance
23% Did not know if they had insurance
7% Knew that they were insured by a specific policy
-
34/48
ISAlliance Cyber-Insurance Program
Coverage for members
Free Assessment through AIG
Market incentive for increased security practices
10% discount off best prices from AIG
Additional 5% discount for implementing ISAlliance Best Practices (July 2002)
-
35/48
Adopt and Implement Best Practices
Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
Endorsed by TechNet for CEO Security Initiative (April 2003)
Endorsed by US India Business Council (April 2003)
-
36/48
Common Sense Guide Top Ten Practice Topics
Practice #1: General Management
Practice #2: Policy
Practice #3: Risk Management
Practice #4: Security Architecture & Design
Practice #5: User Issues
Practice #6: System & Network Management
Practice #7: Authentication & Authorization
Practice #8: Monitor & Audit
Practice #9: Physical Security
Practice #10: Continuity Planning & Disaster Recovery
-
37/48
Other ISAlliance Best Practice Publications
Common Sense Guide for Home Users and Traveling Executives (February 2003)
Common Sense Guide to Cyber Security for Small Businesses (Commissioned by National Cyber Security Summit Meeting 11/03)
-
38/48
Cooperative work on assessment/certification
TechNet CEO Self-Assessment Program
Bring cyber security to the C-level based on ISA Best Practices
Create a baseline of security even CEOs can understand
Global Security Consortium 3-Party Assessment program
Risk Preparedness Index for assessment as Qualified Member
Develop quantitative independent ROI for cyber security
-
39/48
ISAlliance Qualification Program
No Standardized Certification Program Exists or will exist soon
ISAlliance, in cooperation with big 4 accounting firms and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification
ISA works with CMU CyLab on Certification
-
40/48
ISAlliance/CERT Training
Concepts and Trends In Information Security
Information Security for Technical Staff
OCTAVE Method Training Workshop
Overview of Managing Computer Security Incident Response Teams
Fundamentals of Incident Handling
Advanced Incident Handling for Technical Staff
Information Survivability: an Executive Perspective
-
41/48
Public Policy
Policy must address Internet as a new technology
No one owns the Internet
It is constantly evolving
International operation makes regulation difficult
Mandates will truncate innovation and the economy
-
42/48
Putnam Legislation
Risk assessment
Risk mitigation
Incident response program
Tested continuity plan
Updated patch management program
Putnam has said industry led Internet Security efforts won't work.
-
43/48
ISAlliance Incentive Model
Model Programs for market Incentives: AIG, Nortel, Visa, Verizon
SemaTech Program
Tax Incentives
Liability Carrots
Procurement Model
Research and Development
-
44/48
A Coherent 10 step Program of Cyber Security
1. Members and CERT create best practices
2. Members and CERT share information
3. Cooperate with industry and government to develop new models and products consistent with best practices
-
45/48
A Coherent Program of Cyber Security
4. Provide Education and Training programs based on coherent theory and measured compliance
5. Coordinate across sectors
6. Coordinate across borders
-
46/48
A coherent program
7. Develop the business case (ROI) for improved cyber security
8. Develop market incentives and tools for consistent maintenance of cyber security
9. Integrate sound theory and practice and evaluation into public policy
10. Constantly expand the perimeter of cyber security by adding new members
-
47/48
Benefits
Share critical information across industries and across national borders
Provide secure setting to work on common problems
Provide economic incentive programs
Develop model industry evaluation and training programs
-
48/48
For Additional Information
Dave McCurdy [email protected]
Larry Clinton [email protected]