2006 00 00 Larry Clinton PMI Presentation Covering Water and Control System Cyber Security

  • 7/31/2019 2006 00 00 Larry Clinton PMI Presentation Covering Water and Control System Cyber Security

    The Evolving Threat
    Today's cyber security challenges and solutions

    Are Water Lines At Risk?

    • Security lacking in networks controlling critical infrastructure
    • Hackers, terrorists could find way into controls of nuclear power stations, electrical grids, water lines.
    • By Bob Keefe, WEST COAST BUREAU, Monday, October 02, 2006

    The Past

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Present

    The earlier threat landscape

    Human Agents
    • Hackers
    • Disgruntled employees
    • White collar criminals
    • Organized crime
    • Terrorists

    Methods of Attack
    • Brute force
    • Denial of Service
    • Viruses & worms
    • Back door taps & misappropriation
    • Information Warfare (IW) techniques

    Exposures
    • Information theft, loss & corruption
    • Monetary theft & embezzlement
    • Critical infrastructure failure
    • Hacker adventures, e-graffiti/defacement
    • Business disruption

    Representative Incidents
    • Code Red, Nimda, Sircam
    • CD Universe extortion, e-Toys Hacktivist campaign
    • Love Bug, Melissa Viruses
    • SOBIG, SLAMMER

    The earlier threat: growth in vulnerabilities (CERT/cc)

    [Bar chart, 1995 to 2002; vertical axis 0 to 4,500. Data labels: 171, 345, 311, 262, 417, 1,090, 2,437, 4,129]

    The earlier threat: cyber incidents

    [Bar chart, 1988 to 2002; vertical axis 0 to 120,000. Data labels: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100, 110,000]

    Anyone have a cell phone?

    • "Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth." ---The Manufacturing Institute July 2006

    The changing threat

    • The fast-moving virus or worm pandemic is not the threat.
      • 2002-2004 almost 100 medium-to-high risk attacks.
      • 2005, there were only 6
      • This year, 0.

    The changing threat

    • Today, attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems.
    • Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, wireless devices) that require interaction, instead of on servers

    The changing threat

    • Cybercrime growth
      • 6,110 Denial of Service attacks per day
      • 4000 in January 06 to 7,500 in June 06
      • Bot nets are the engine driving growth
      • Increase in modular malicious code (initially limited functionality but updates itself with new, more damaging capabilities)
    • Insider threats

    Economic Effects of Attacks

    • 25% of our wealth---$3 trillion---is transmitted over the Internet daily
    • FBI: Cyber crime cost business $26 billion (probably a LOW estimate)
    • Financial Institutions are generally considered the safest---their losses were up 450% in the last year
    • There are more electronic financial transactions than paper checks now, 1% of cyber crooks are caught.

    I'm too Small to Attack, Not.

    • One of every three small businesses in America were affected by MyDoom virus---- 2x the proportion of large companies affected by that virus.
    • Small Businesses get attacked more often, have fewer defenses, have smaller margins to protect against loss
    • Small businesses have needs and require a special program

    2006 Data Breach Laws

    • Enacted in: AZ, CO, KS, UT, NE, ID
    • Enacted in: IN, ME, WI
    • Introduced in at least 35 states

    Sources: National Conference of State Legislatures; U.S. Public Interest Research Group

    Pending Federal Legislation

    • House Judiciary Committee: Passed legislation on Thursday June 1st 2006
    • House Energy and Commerce Committee: Passed legislation on Wednesday May 31st 2006
    • Senate Judiciary Committee: S.1789 Personal Data and Privacy Act - Pending
      • Sponsor: Sen. Arlen Specter (PA)
      • Cosponsors: Sen. Patrick Leahy (VT), Sen. Russell D. Feingold (WI), Sen. Dianne Feinstein (CA)

    What's the result of all the legislative activity?

    1. Confusion for business
    2. Inaction in the Congress
    3. Growing problems and costs

    August 2006 was the worst month for data security breaches on record
    SANS Institute Sept 2006

    Can it be stopped? YES!

    • PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types
    • Apx 25% of the companies surveyed were found to have followed recognized best practices for cyber security.

    Benefits of Best Practices

    • Reduces the number of successful attacks
    • Reduces the amount of down-time suffered from attacks
    • Reduces the amount of money lost from attacks
    • Reduces the motivation to comply with extortion threats

    • Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
    • Endorsed by TechNet for CEO Security Initiative (April 2003)
    • Endorsed US India Business Council (April 2003)

    ISALLIANCE BEST PRACTICES

    • Practice #1: General Management
    • Practice #2: Policy
    • Practice #3: Risk Management
    • Practice #4: Security Architecture & Design
    • Practice #5: User Issues
    • Practice #6: System & Network Management
    • Practice #7: Authentication & Authorization
    • Practice #8: Monitor & Audit
    • Practice #9: Physical Security
    • Practice #10: Continuity Planning & Disaster Recovery

    Why Doesn't Everyone Comply with the Best Practices?

    • "Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized"
      Manufacturers Institute 06

    But, management is wrong.

    • Stanford Global Supply Chain Management Forum/IBM Study: Clearly demonstrated that investments in supply chain security can provide business value such as:
      • Improved Product Safety (38%)
      • Improved Inventory management (14%)
      • Increase in timeliness of shipping info (30%)

    There's More !!!

    • Increase in supply chain information access (50%)
    • Improved product handling (43%)
    • Reduction in cargo delays (48% reduction in inspections)
    • Reduction in transit time (29%)
    • Reduction in problem identification time (30%)
    • Higher customer satisfaction (26%)

    Security, like Digital Technology must be Integrated in Bus Plan

    • "Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan."
      PricewaterhouseCoopers Sept 2006

    So, how do we do that?

    • We have a changing technology environment
    • We have a changing business model
    • We have a constantly changing legal and regulatory environment
    • Business must take the lead

    Cyber Security is not an IT problem

    • Issues must be addressed simultaneously from the
      • Legal Perspective
      • The Business Perspective
      • The Technology perspective
      • The Policy Perspective

    ISAlliance Integrated Business Security Program

    • Outsourcing
    • Risk Management
    • Security Breach Notification
    • Privacy
    • Insider Threats
    • Auditing
    • Contractual Relationships (suppliers, partners, sub-contractors, customers)

    ISAlliance Small Business Program

    • Special Set of Best Practices Endorsed by:
      • DHS
      • Chamber of Commerce
      • NAM
      • NFIB
      • ABA
    • Wholesale Memberships through trade associations

    Sponsors

    Larry Clinton
    Operations Officer

    Internet Security [email protected]

    703-907-7028

    202 236 0001