2007 06 25 Larry Clinton Rochester Presentation About Best Practices and Cyber Threats
7/31/2019 2007 06 25 Larry Clinton Rochester Presentation About Best Practices and Cyber Threats
1/50
The Evolving Cyber Threat and what businesses can do about it
Larry Clinton, President
Direct 703/907-7028 [email protected]
-
Founders
-
ISA Board of Directors
Ken Silva, Chairman; CSO, VeriSign
Ty Sagalow, Esq., 1st Vice Chair; President Product Development, AIG
J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon
Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services
Angie Carfrae, VP Risk Management, Ceridian Corporation
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Paul Smocer, SVP/CIO, Mellon Financial
Matt Broda, Chief Strategic Security, Nortel
Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Matt Flanagen, President, Electronic Industries Alliance
-
Our Partners
-
Industry Affairs/Government Relations
-
The Old Web
-
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
-
The Web is Inherently Insecure---and getting more so
The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06
-
The Earlier Threat: Growth in vulnerabilities (CERT/cc)
[Chart: vulnerabilities reported per year, 1995 to 2002; bar labels as extracted, in year order: 171, 345, 311, 262, 417, 1,090, 2,437, 4,129]
-
The Earlier Threat: Cyber incidents
[Chart: incidents reported per year, 1988 to 2002; bar labels as extracted, in year order: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100, 110,000]
-
The Changing Threat
A fast-moving virus or worm pandemic is not the threat it was...
2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
2005: there were only 6. 2006 and 2007: zero.
-
Faces of Attackers Then
Chen-Ing Hau, CIH Virus
Joseph McElroy, Hacked US Dept of Energy
Jeffrey Lee Parson, Blaster-B Copycat
-
Faces of Attackers Now
Andrew Schwarmkoff, Russian Mob Phisher
Jay Echouafni, Competitive DDoS
Jeremy Jaynes, $24M Spam King
-
The Changing Threat
Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail.
Vulnerabilities are on client-side applications: word processors, spreadsheets, printers, etc.
The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video-sharing, and other Web-based innovations (McAfee 2007).
-
The Threat Landscape is Changing
Who: Early Attacks: kids, researchers, hackers, isolated criminals. New Era Attacks: organized criminals, corporate spies, disgruntled employees, terrorists.
Why: Early Attacks: seeking fame & glory, use widespread attacks for maximum publicity. New Era Attacks: seeking profits, revenge, use targeted stealth attacks to avoid detection.
Risk Exposure: Early Attacks: downtime, business disruption, information loss, defacement. New Era Attacks: direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure.
-
The Threat Landscape is Changing
Defense: Early Attacks: reactive AV signatures. New Era Attacks: multilayer pre-emptive and behavioral systems.
Recovery: Early Attacks: scan & remove. New Era Attacks: system wide, sometimes impossible without re-image of system.
Type: Early Attacks: virus, worm, spyware. New Era Attacks: targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, trojans, IW.
-
Newer Threats
Designer malware: malware designed for a specific target or small set of targets.
Spear Phishing: combines phishing and social engineering.
Ransomware: malcode packs important files into an encrypted archive & deletes the original, then a ransom is demanded.
RootKits: shielding technology to make malcode invisible to the operating system.
-
Characteristics of the New Attackers
Shift to profit motive
Zero day exploits
Increased investment and innovation in malcode
Increased use of stealth techniques
-
Digital Growth?
Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth. ---Stanford University Study, July 2006
Sure
-
Digital Defense?
29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year.
50% of Senior Executives said they did not know how much money was lost due to attacks.
Maybe Not
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06
-
Digital Defense
23% of CTOs did not know if cyber losses were covered by insurance.
34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg
Not So Much
-
Incidents & Losses
[Chart: Average Number of Security Incidents Per Participant, 2004 to 2006; bar labels as extracted: 136, 86, 34]
[Chart: Percentage That Experienced Losses as a Result, 2004 to 2006, financial vs. operational; bar labels as extracted: 25, 56, 28, 55, 40, 63]
---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)
-
Percentage of Participants Who Experienced an Insider Incident
[Chart: 2004 to 2006; bar labels as extracted: 41, 39, 55]
-
Insider Incidents - 2006
In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!
                            Total (%)   Insider (%)   Outsider (%)
Theft of IP                    30          63            45
Theft of Proprietary Info.     36          56            49
Sabotage                       33          49            41
Most common insider incidents in 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%).
-
Economic Effects of Attacks
25% of our wealth---$3 trillion---is transmitted over the Internet daily.
FBI: Cyber crime cost business $26 billion (probably a LOW estimate).
Financial Institutions are generally considered the safest---their losses were up 450% in the last year.
There are more electronic financial transfers than paper checks now. Only 1% of cyber crooks are caught.
-
Cyber Attacks Affect Stock Price
Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.
Source: US Congressional Research Service 2004
-
Indirect Economic Effects
While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economic and societal confidence.
Source: Carnegie Mellon CyLab 2007
-
Can it be stopped? Yes!
PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types.
Approximately 25% of these companies follow recognized best practices for cyber security.
-
Benefits of Best Practices
Reduces the number of successful attacks
Reduces the amount of down-time suffered from attacks
Reduces the amount of money lost from attacks
Reduces the motivation to comply with extortion threats
Source: PricewaterhouseCoopers 2006
-
Senior Managers Best Practices
Cited in US National Draft Strategy to Protect Cyber Space
Endorsed by TechNet for CEO Security Initiative
Endorsed by US India Business Council
Currently Being Updated
-
Available Best Practice Resources
#1: General Management
#2: Policy
#3: Risk Management
#4: Security Architecture & Design
#5: User Issues
#6: System & Network Management
#7: Authentication & Authorization
#8: Monitor & Audit
#9: Physical Security
#10: Continuity Planning & Disaster Recovery
-
Best Practices for Insider Threat Prevention & Mitigation
#1: Institute periodic enterprise-wide risk assessments.
#2: Institute periodic security awareness training for all employees.
#3: Enforce separation of duties and least privilege.
#4: Implement strict password and account management policies and practices.
#5: Log, monitor, and audit employee online actions.
#6: Use extra caution with system administrators and privileged users.
#7: Actively defend against malicious code.
#8: Use layered defense against remote attacks.
-
Best Practices for Insider Threat Prevention & Mitigation
#9: Monitor and respond to suspicious or disruptive behavior.
#10: Deactivate computer access following termination.
#11: Collect and save data for use in investigations.
#12: Implement secure backup and recovery processes.
#13: Clearly document threat controls.
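Three of the practices above (#3 separation of duties and least privilege, #6 extra caution with privileged users, #10 deactivating access after termination) can be checked mechanically against an HR roster and a directory export. The following audit script is an added example, not part of the presentation or of any ISA material; every name, role, entitlement, date and the role baseline in it are constructed placeholders, and the two inputs are assumed to be dictionaries already loaded from an HR system and a directory (the loading is out of scope).

```python
"""Insider-threat control audit over constructed sample data.

Added example (not from the ISA presentation). Checks three of the listed
practices against an HR roster and an account directory:
  #3  separation of duties and least privilege
  #6  extra scrutiny of privileged users
  #10 access deactivated following termination
All names, roles, entitlements and dates below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: who works here and whether (when) they left.
HR_ROSTER = {
    "alice": {"role": "accounts_payable", "terminated": None},
    "bob":   {"role": "purchasing",       "terminated": date(2007, 5, 14)},
    "carol": {"role": "sysadmin",         "terminated": None},
    "dave":  {"role": "accounts_payable", "terminated": None},
}

# Constructed directory export: account -> (enabled?, entitlements held).
DIRECTORY = {
    "alice": (True, {"view_invoice", "approve_payment"}),
    "bob":   (True, {"create_vendor", "view_invoice"}),     # left in May, still enabled
    "carol": (True, {"domain_admin", "view_invoice"}),
    "dave":  (True, {"create_vendor", "approve_payment"}),  # can create a vendor and pay it
    "svc01": (True, {"domain_admin"}),                      # no HR record at all
}

# Least-privilege baseline: the entitlements each role is allowed to hold.
ROLE_BASELINE = {
    "accounts_payable": {"view_invoice", "approve_payment"},
    "purchasing":       {"create_vendor", "view_invoice"},
    "sysadmin":         {"domain_admin", "view_invoice"},
}

# Separation of duties: entitlement sets one person must never hold together.
SOD_CONFLICTS = [({"create_vendor", "approve_payment"}, "vendor creation + payment approval")]

# Entitlements that mark an account as privileged (practice #6).
PRIVILEGED = {"domain_admin"}

# Date the audit is run "as of" (constructed to match the talk's date).
AS_OF = date(2007, 6, 25)


@dataclass
class Finding:
    account: str
    practice: str   # which listed best practice the finding relates to
    detail: str


def audit(roster, directory, baseline, sod_conflicts, privileged, today):
    """Return a list of Findings; an empty list means all three checks pass."""
    findings = []
    for account, (enabled, ents) in sorted(directory.items()):
        record = roster.get(account)
        role = record["role"] if record else None
        # Practice #10: an enabled account must belong to a current employee.
        if record is None:
            findings.append(Finding(account, "#10", "enabled account with no HR record"))
        elif record["terminated"] and enabled:
            days = (today - record["terminated"]).days
            findings.append(Finding(account, "#10", f"still enabled {days} days after termination"))
        # Practice #3 (least privilege): entitlements beyond the role baseline.
        if role is not None:
            extra = ents - baseline.get(role, set())
            if extra:
                findings.append(Finding(account, "#3", "beyond role baseline: " + ", ".join(sorted(extra))))
        # Practice #3 (separation of duties): conflicting entitlements held together.
        for pair, label in sod_conflicts:
            if pair <= ents:
                findings.append(Finding(account, "#3", "separation-of-duties conflict: " + label))
        # Practice #6: privileged accounts are always surfaced for extra review.
        if ents & privileged:
            findings.append(Finding(account, "#6", "privileged account, requires extra review"))
    return findings


if __name__ == "__main__":
    for f in audit(HR_ROSTER, DIRECTORY, ROLE_BASELINE, SOD_CONFLICTS, PRIVILEGED, AS_OF):
        print(f"{f.account:6} {f.practice:4} {f.detail}")
```

On the constructed data the script reports six findings: bob's account still enabled 42 days after his May termination, dave holding both halves of a vendor-payment conflict (and one entitlement outside his role's baseline), and carol and svc01 flagged as privileged, with svc01 additionally lacking any HR owner. The point of keeping the baseline and conflict pairs as data rather than code is that the review committee, not the script author, owns them, which is what "clearly document threat controls" (#13) asks for.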
-
Best Practices: Model Contracts
Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.
Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)
-
Why Doesn't Everyone Comply with Established Best Practices?
Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized.
---Stanford University 06
-
Management is WRONG
A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:
Improved Product Safety (38%)
Improved Inventory management (14%)
Increase in timeliness of shipping info (30%)
-
Security ROI
Increase in supply chain information access (50%)
Improved product handling (43%)
Reduction in cargo delays (48% reduction in inspections)
Reduction in transit time (29%)
Reduction in problem identification time (30%)
Higher customer satisfaction (26%)
-
Security, like Digital Technology, must be Integrated in the Business Plan
Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.
PricewaterhouseCoopers, September 2006
-
How do we do that?
We have a changing technology environment
We have a changing business model
We have a constantly changing legal and regulatory environment
Business must take the lead.
-
ISA/CMU: Elements of Effective Security Governance
Security is an enterprise wide issue horizontally, vertically and cross functionally throughout the organization
Leaders are accountable to the organization, stakeholders and the community (it's a shared resource/responsibility)
Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don't decide how much security they want
-
7/31/2019 2007 06 25 Larry Clinton Rochester Presentation About Best Practices and Cyber Threats
41/50
-
7/31/2019 2007 06 25 Larry Clinton Rochester Presentation About Best Practices and Cyber Threats
42/50
ISA/CMU: Elements of Effective Security Governance
Commit adequate security resources including authority and time to build and maintain core competencies
Expected staff awareness and training is reflected in job descriptions and expressed as a cultural norm
Implement a life cycle system for software development, acquisitions, operations and retirement
-
ISA/CMU: Elements of Effective Security Governance
Plan, define and manage clear security objectives; measure results and integrate lessons learned into future plans
Risk committee conducts regular reviews and integrates digitalization into the business plan---both positive and negative; Board reviews and audits
-
Cyber Security is NOT an IT Problem
Issues must simultaneously address all organization perspectives including: Business, Policy, Legal, Technology
[Diagram: a problem/issue at the center, surrounded by the business/operational, legal/regulatory, technology/R&D and policy perspectives]
-
Weekly Webinar Series
-
Sample of Recent Webinars
On Privacy and Compliance with Application to Healthcare: Anupam Datta, CyLab Research Scientist, CMU
Psychological Profiling Software to Aid in Forensic Investigation, Insider Detection and Relationship Management: Eric Shaw, Clinical Psychologist & Visiting Scientist, SEI, CERT
Outsourcing Risk Management: Legal Considerations: Jody Westby, CEO, Global Cyber Risk
Privacy and Security, it isn't Either/Or, it's Both/And: Jon Callas, PGP Corporation
Software Assurance in the Software Supply Chain: Bill Scherlis, Professor, School of Computer Science, Director, ISRI and director of CMU's PhD Program in Software Engineering
-
Conclusions
1. Band-Aids (or patches) don't cure. Systemic treatments do.
2. You need to stay ahead of the problem just to keep up with the field.
3. You are not in this alone, join the ISA team.
-
Larry Clinton
President
Internet Security Alliance
[email protected]
703-907-7028 (O) 202-236-0001 (C)