Major global information security trends - a summary

Presentation by Luc de Graeve at internetix in 2004. This presentation is a summary of global information security trends in the business environment. The presentation begins with an introduction to major global trends. Legal issues, threats, technologies and solutions are discussed.

Transcript of Major global information security trends - a summary

Page 1: Major global information security trends - a  summary

© 2004 SensePost and RedPay. All rights reserved.

“Major Global Information Security Trends – a Summary”

Luc de Graeve

SensePost and RedPay

Page 2: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Major Global Trends:

The Business Environment

Regulatory and Legal Issues

Threats

Technologies and Solutions

A final thought

References, Contact details and Questions

Page 3: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Page 4: Major global information security trends - a  summary

SETTING THE SCENE - INTRODUCTION

A summary – an oxymoron

Huge environment

Complex environment

Fast-moving environment

Interactions with multiple areas

Each area – subject matter of its own

A whirlwind 45-minute tour

Subset … no time for exhaustive areas

Non-technical … as much as possible.

Page 5: Major global information security trends - a  summary

SETTING THE SCENE - INTRODUCTION

Source Background

Sell no products

Clients all over the world

Spend huge amounts of time researching the space

Consult to International Private, Public and Government

Involvement in Information gathering – CSI to DefCon

Provide some references later

Page 6: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Page 7: Major global information security trends - a  summary

SETTING THE SCENE – A PROBLEM CHRONOLOGY

Obscurity Phase

Predominantly cryptographic culture

Time of Line, data, voice, PIN crypto

Access Phase

The company network and database effect

Time of Access control

Start of sharing of information across companies

Interconnected Phase

The Internet effect

Time of Firewalls, AVS, IDS/IPS and many others

Fear and control Phase

The Terrorist and Fraudster effect

Time of Legal and Regulatory controls … possibly the beginning of end-to-end security?

Wood for the trees

Different companies in different phases

Page 8: Major global information security trends - a  summary

SETTING THE SCENE – A PROBLEM DEFINITION

Information Security – present definition

Often hype driven

Regularly perception driven

Threat event driven

Supplier driven

Interconnected companies

Diffuse responsibilities …

… Many things to many people

Today’s summary – cover a number of aspects

Keep the definition broad-based

Page 9: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Page 10: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

Terri Curran – respected security consultant in USA …

Analysis of following sources Nov 2003 – June 2004:

Multiple Information Security mail-lists

Computer Security Institute poll

CISSP forum analysis

META Group Research on Trends 2003

Yankee Group 2003 Enterprise Security Spending Survey

Kenneth Knapp survey – Auburn University (CISSP)

Peter Gregory, Computer World December 2003

Independent Security Practitioner’s Poll

2004 CSI/FBI Computer Crime and Security Survey

March 2004 Symantec Internet Security Threat Report

… Too many sources to mention

Page 11: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

CISSP Forum analysis – a summary*

ROI & Information Security Metrics

SPAM

Malware

Legislation, Regulation (SOX)

Cyberterrorism

Perimeter security

Product Selection issues

Firewall deployment

Security Certification

Best Practices

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 12: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

META Group Research on Trends – a summary*

Security strategy

Confidentiality

Organization/Governance/Budget

Identity

Threat and Vulnerability

Physical Security

Content Security

Application Security

Isolation

Strategic Processes

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 13: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

The Yankee Group 2003 Enterprise Security Spending Survey – a summary*

Top 4 product areas budgeted for 2004:

Antivirus

IDS and IPS

Firewalls

Web Application Security

Other items on top 10 product list:

VPN

Access Control

Storage Security

Antispam

Authentication

Wireless Security

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 14: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

The Yankee Group 2003 Enterprise Security Spending Survey – a summary*

Top service area budgeted for 2004: Firewalls

Four important service areas budgeted for 2004:

IDS

Vulnerability Management

User Identity Administration

Security Assessments

Other service areas budgeted for 2004:

Strategic Consulting

Regulatory Compliance

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 15: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

The Yankee Group 2003 Enterprise Security Spending Survey – a summary*

Security incidents experienced in 2003:

Virus/Worms (83%)

Denial of Service attacks (40%)

Unauthorised data access (34%)

Misconfiguration (32%)

Web Site penetration (29%)

Theft of customer data (13%)

Disclosure of customer data (8%)

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 16: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

Kenneth Knapp CISSP survey – a summary*

Greatest Security Concerns:

Top Management support

Patch Management

Malware

Legal and regulatory issues

Internal threats

Access control and identity management

SDLC support for Information Security

Privacy

Business Continuity and Disaster Recovery

SPAM

Firewall and IDS Configurations

External Connectivity to other organisations

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 17: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

Peter Gregory, Computerworld survey – a summary*

Greatest Security Concerns/Hype for 2004:

SPAM

Internet access filtering

Desktop management

Personal Firewalls

Leaky Metadata

Wi-Fi break in

Bluetooth

Mobile phone hacking

Instant Messaging incident

Organised Crime

Shorter time to exploitation

* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)

Page 18: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

CSI/FBI June 2004 survey – highlights

Decline in reported unauthorised use

Decrease in reported dollar loss from security breaches

Denial of Service most expensive computer crime

Percentage companies reporting incidents declining

Economic evaluation of security expenditures:

ROI – 55% of companies

IRR – 28% of companies

NPV – 25% of companies

Most companies conduct security audits (>80%)

Outsourcing – most companies do not (63%)

When done – selective areas (25% … less than 20% of function)

Not enough security awareness focus in organisations

Sarbanes-Oxley Act beginning to have an impact

Page 19: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS

CSI/FBI June 2004 survey – highlights

Action taken after experiencing computer intrusion:

Patched holes (91%)

Did not report (48%)

Reported to law enforcement (20%)

Reported to legal counsel (16%)

Prime reasons cited for not going to authorities:

Negative publicity – hurt stock/image (51%)

Competitors could use to their advantage (35%)

Page 20: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS?

The problem with these statistics:

Each survey has a different respondent profile

Each survey's questions are posed differently

Survey questions have to change from year to year

Surveys not quoted entirely in context

Purveyors of news

Purveyors of information

Vendors

Recipients of information

Access to surveys is often restricted

Closed/special user communities

Some surveys are only for paid up members

Analysing only one (or parts of one) survey can be fatal

Page 21: Major global information security trends - a  summary

SETTING THE SCENE – STATISTICS?

How does one obtain value?

Have to be actively involved in the industry

Globally

Multiple clients

Multiple industries

Constantly evaluate new technologies

Do trending from industry knowledge sharing lists

Analysis of multiple sources is absolutely essential

Correlation study of threats, solutions and environment

Share knowledge

share knowledge

share knowledge...

Page 22: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Major Global Trends:

The Business Environment

Page 23: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT

Increased online availability of information

More sophisticated information systems

Increased need for communication with others

Increased need for sharing information with others

Improved transport mechanisms for information

Multiple client channels to service providers

Multiple partner channels between organisations

ERP systems – company information repositories.

Increased use of standard computing delivery platforms

Ubiquitous Internet and Web

GT - Complexity is the number one enemy of Information Security

Page 24: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT

Increased business model sophistication

Larger, more complex organisations

Mix of centralisation and de-centralisation

Diffuse and ill defined responsibilities, accountabilities and authorities in organisations

Complex, interlinked internal processes

Complex relationships with other entities

Multitude of legacy, current and futuristic computing platforms in organisations

Incomplete understanding of asset and risk classification

GT - Complexity is the number one enemy of Information Security

Page 25: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Major Global Trends:

The Business Environment

Regulatory and Legal Issues…or in layman’s terms “When can I sue?”

Page 26: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES

A large number of “new” Laws, Regulations and Standards

NERC Cyber Security Standard 1200 (USA)

BS7799, ISO17799, FISMA (USA), ISG (USA)

ISF, COBIT

King II Report

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley (SOX)

Gramm, Leach, Bliley Act (GLBA)

ECT Act, Commsec Act

… and many, many more! … to be tested in the courts!!

GT: New legal landscape will force enhanced security!

Page 27: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Major Global Trends:

The Business Environment

Regulatory and Legal Issues

Threats

*Note* Do not be scared – be aware!

Page 28: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

HACKERS … and other (bigger?) beasts.

Website defacements:

21 May 2001 – approximately 100 website defacements per day (Attrition.org)

9 January 2003, 15h30 - 177 defacements

2 March 2004, 18h30 - 403 defacements

18 July 2004, 14h30 – 1096 defacements

GT: A continued increase in website defacements!

Page 35: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

HACKERS … and other (bigger?) beasts.

Website defacements:

Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...

Page 37: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

MALWARE – Viruses, Worms and Horses

Usual Suspects – Code Red

Initiation: 19-07-2001 @ 00.00

Completion: 19-07-2001 @ 19.50

Page 38: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

MALWARE – Viruses, Worms and Horses

Usual Suspects – Sapphire/SQL

Initiation: 25-01-2003 @ 05:29

Completion: 25-01-2003 @ 06:00

GT: A continued increase in speed of infections!

Page 39: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

Characteristics of attack profile trends

Speed of attack generation increasing

Sophistication levels of attacks increasing

Time from Vulnerability to Exploit decreasing

Coordination levels of attacks increasing

From DOS to DDOS to GDOS

Attacks utilise ever larger number of combined techniques

Definite increase in Application Level Attacks…in addition to simpler Network Level Attacks

GT: A continued increase in Attack Sophistication!

Page 40: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

IDENTITY THEFT - Definition: When an entity pretends to be another entity, without any authorisation, with the aim of gain.

“It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw

“Why steal from someone if you can just become that person?” Bruce Schneier

Considered the fastest growing crime globally

Figures ranging between 46% and 58% ACGR

Consists of personal and corporate ID theft.

GT: ID theft – the fastest growing crime globally!

Page 41: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

IDENTITY THEFT and PHISHING

Mechanisms and components in online world

SPAM – using spoofed e-mails

Social Engineering

Corporate Website Spoofing

SPAM – in excess of 50% of Internet traffic

PHISHING

Obtaining personal financial information online.

Hijacking of trusted brands

419 Scams

List making for further SPAM

Malware Distribution

Page 42: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

IDENTITY THEFT and PHISHING

It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…

Page 43: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

IDENTITY THEFT and PHISHING

GT: Phishing attack trend points to huge ID theft attack increase on the Web!

Page 44: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS - THREATS

In Summary:

All information points to increase in attack vectors on the Internet.

Sophistication and speed of attacks increase

The Internet environment is increasingly used by criminal elements.

However – this by no means implies that one does not use the environment … which brings us to trends in the Technologies and Solutions space …

Page 45: Major global information security trends - a  summary

TOPICS TO COVER

Setting the Scene:

Introduction – Major Global trends

Information Security – a problem definition

Statistics, suitable statistics and perceptions

Major Global Trends:

The Business Environment

Regulatory and Legal Issues

Threats

Technologies and Solutions

Page 46: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS

What are most companies spending their security efforts on?

Anti Virus Systems

Firewalls

IDS/IPS solutions

Patch Management

These assist in reducing effects of intrusion attacks and malware attacks

Reduces potential financial and reputational loss

Improves Quality of Service….but….

Insufficient to combat fraud and reduce criminal element

GT: Most companies still focused on Perimeter Security

Page 47: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS

Additionally - what are leading companies spending their security efforts on?

Substantial User Awareness Programs

Improvement of processes that have security implications

Classification of user base and risk profiling

Classification of Information

Gearing up legal and forensics department

Ongoing Security Assessments

Multi-layering of security environments

Implementing and monitoring Security Baselining standards

GT: Leading Companies are starting to look at Information Security using business principles!

Page 48: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS

Additionally - what are leading companies spending their security efforts on?

Multi-factor authentication for selected applications

Securing selected Web Applications

Incorporating security in the I.T. System development Life Cycle (SDLC)

Identity Management for complex environments

Analysing end-to-end security for selected applications

Clearer understanding of Acceptable Residual Risk

GT: Leading Companies are looking after the basics!

GT: Leading Companies are viewing Information Security as an important part of doing business!

GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!

Page 49: Major global information security trends - a  summary

MAJOR GLOBAL TRENDS – A FINAL THOUGHT

“Information security will continue to be a catch-up game….

the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints.

One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.”

“THE TREND IS YOUR FRIEND!”

Page 50: Major global information security trends - a  summary

SELECTED REFERENCES

Curran, Terri. “Security trends from a practitioner’s perspective.” CSI NetSec04 paper.

Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.”

Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey

Symantec Internet Security Threat Report, Volume V, Published March 2004

Peltier and Associates. “Mapping Policies to the Enterprise.”

David Lynas. “Return on Investment from Information Security.”

www.antiphishing.org

www.attrition.org

www.cio.com

www.csoonline.com

www.dshield.org

www.ftc.gov

www.gocsi.com

www.metagroup.com

www.redpay.com

www.searchsecurity.com

www.schneier.com

www.sensepost.com

www.siia.net

www.zone-h.org

Page 51: Major global information security trends - a  summary

Contact Details and Questions

Luc de Graeve

[email protected]

[email protected]

+27 (012) 667 4737

QUESTIONS?

THANK YOU!
