Major global information security trends - a summary
© 2004 SensePost and RedPay. All rights reserved.
“Major Global Information Security Trends – a Summary”
Luc de Graeve
SensePost and RedPay
TOPICS TO COVER
Setting the Scene:
Introduction – Major Global trends
Information Security – a problem definition
Statistics, suitable statistics and perceptions
Major Global Trends:
The Business Environment
Regulatory and Legal Issues
Threats
Technologies and Solutions
A final thought
References, Contact details and Questions
SETTING THE SCENE - INTRODUCTION
A summary – an oxymoron
Huge environment
Complex environment
Fast-moving environment
Interactions with multiple areas
Each area – subject matter of its own
A whirlwind 45-minute tour
Subset….no time for exhaustive areas
Non Technical…….as much as possible.
SETTING THE SCENE - INTRODUCTION
Source Background
Sell no products
Clients all over the world
Spend huge amounts of time researching the space
Consult to International Private, Public and Government
Involvement in Information gathering – CSI to DefCon
Provide some references later
SETTING THE SCENE – A PROBLEM CHRONOLOGY
Obscurity Phase
Predominantly cryptographic culture
Time of Line, data, voice, PIN crypto
Access Phase
The company network and database effect
Time of Access control
Start of sharing of information across companies
Interconnected Phase
The Internet effect
Time of Firewalls, AVS, IDS/IPS and many others
Fear and control Phase
The Terrorist and Fraudster effect
Time of Legal and Regulatory controls…..possibly the beginning of end-to-end security?
Wood for the trees
Different companies in different phases
SETTING THE SCENE – A PROBLEM DEFINITION
Information Security – present definition
Often hype driven
Regularly perception driven
Threat event driven
Supplier driven
Interconnected companies
Diffuse responsibilities………….
………Many things to many people
Today’s summary – cover a number of aspects
Keep the definition broad-based
SETTING THE SCENE – STATISTICS
Terri Curran – respected security consultant in USA…
Analysis of following sources Nov 2003 – June 2004:
Multiple Information Security mail-lists
Computer Security Institute poll
CISSP forum analysis
META Group Research on Trends 2003
Yankee Group 2003 Enterprise Security Spending Survey
Kenneth Knapp survey – Auburn University (CISSP)
Peter Gregory, Computer World December 2003
Independent Security Practitioner’s Poll
2004 CSI/FBI Computer Crime and Security Survey
March 2004 Symantec Internet Security Threat Report
…..Too many sources to mention
SETTING THE SCENE – STATISTICS
CISSP Forum analysis – a summary*
ROI & Information Security Metrics
SPAM
Malware
Legislation, Regulation (SOX)
Cyberterrorism
Perimeter security
Product Selection issues
Firewall deployment
Security Certification
Best Practices
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
META Group Research on Trends – a summary*
Security strategy
Confidentiality
Organization/Governance/Budget
Identity
Threat and Vulnerability
Physical Security
Content Security
Application Security
Isolation
Strategic Processes
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
Top 4 product areas budgeted for 2004:
Antivirus
IDS and IPS
Firewalls
Web Application Security
Other items on top 10 product list:
VPN
Access Control
Storage Security
Antispam
Authentication
Wireless Security
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
Top service area budgeted for 2004: Firewalls
Four important service areas budgeted for 2004:
IDS
Vulnerability Management
User Identity Administration
Security Assessments
Other service areas budgeted for 2004:
Strategic Consulting
Regulatory Compliance
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
Security incidents experienced in 2003:
Virus/Worms (83%)
Denial of Service attacks (40%)
Unauthorised data access (34%)
Misconfiguration (32%)
Web Site penetration (29%)
Theft of customer data (13%)
Disclosure of customer data (8%)
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
Kenneth Knapp CISSP survey – a summary*
Greatest Security Concerns:
Top Management support
Patch Management
Malware
Legal and regulatory issues
Internal threats
Access control and identity management
SDLC support for Information Security
Privacy
Business Continuity and Disaster Recovery
SPAM
Firewall and IDS Configurations
External Connectivity to other organisations
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
Peter Gregory, Computerworld survey – a summary*
Greatest Security Concerns/Hype for 2004:
SPAM
Internet access filtering
Desktop management
Personal Firewalls
Leaky Metadata
Wi-Fi break in
Bluetooth
Mobile phone hacking
Instant Messaging incident
Organised Crime
Shorter time to exploitation
* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS
CSI/FBI June 2004 survey – highlights
Decline in reported unauthorised use
Decrease in reported dollar loss from security breaches
Denial of Service most expensive computer crime
Percentage companies reporting incidents declining
Economic evaluation of security expenditures:
ROI – 55% of companies
IRR – 28% of companies
NPV – 25% of companies
Most companies conduct security audits (>80%)
Outsourcing – most companies do not (63%)
When done – selective areas (25% …less than 20% of function)
Not enough security awareness focus in organisations
Sarbanes-Oxley Act beginning to have an impact
SETTING THE SCENE – STATISTICS
CSI/FBI June 2004 survey – highlights
Action taken after experiencing computer intrusion:
Patched holes (91%)
Did not report (48%)
Reported to law enforcement (20%)
Reported to legal counsel (16%)
Prime reasons cited for not going to authorities:
Negative publicity – hurt stock/image (51%)
Competitors could use to their advantage (35%)
SETTING THE SCENE – STATISTICS?
The problem with these statistics:
Each survey has different respondent profile
Each survey's questions posed differently
Survey questions have to change from year to year
Surveys not quoted entirely in context
Purveyors of news
Purveyors of information
Vendors
Recipients of information
Access to surveys is often restricted
Closed/special user communities
Some surveys are only for paid up members
Analysing only one (or parts of one) survey can be fatal
SETTING THE SCENE – STATISTICS?
How does one obtain value?
Have to be actively involved in the industry
Globally
Multiple clients
Multiple industries
Constantly evaluate new technologies
Do trending from industry knowledge sharing lists
Analysis of multiple sources is absolutely essential
Correlation study of threats, solutions and environment
Share knowledge
share knowledge
share knowledge...
MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT
Increased online availability of information
More sophisticated information systems
Increased need for communication with others
Increased need for sharing information with others
Improved transport mechanisms for information
Multiple client channels to service providers
Multiple partner channels between organisations
ERP systems – company information repositories.
Increased use of standard computing delivery platforms
Ubiquitous Internet and Web
GT - Complexity is the number one enemy of Information Security
MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT
Increased business model sophistication
Larger, more complex organisations
Mix of centralisation and de-centralisation
Diffuse and ill-defined responsibilities, accountabilities and authorities in organisations
Complex, interlinked internal processes
Complex relationships with other entities
Multitude of legacy, current and futuristic computing platforms in organisations
Incomplete understanding of asset and risk classification
GT - Complexity is the number one enemy of Information Security
Regulatory and Legal Issues…or in layman’s terms “When can I sue?”
MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES
A large number of “new” Laws, Regulations and Standards
NERC Cyber Security Standard 1200 (USA)
BS7799, ISO17799, FISMA (USA), ISG (USA)
ISF, COBIT
King II Report
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX)
Gramm-Leach-Bliley Act (GLBA)
ECT Act, Commsec Act
……and many, many more!.....to be tested in the courts!!
GT: New legal landscape will force enhanced security!
*Note* Do not be scared – be aware!
MAJOR GLOBAL TRENDS - THREATS
HACKERS …..and other (bigger?) beasts.
Website defacements:
21 May 2001 – approximately 100 website defacements per day (Attrition.org)
9 January 2003, 15h30 - 177 defacements
2 March 2004, 18h30 - 403 defacements
18 July 2004, 14h30 – 1096 defacements
GT: A continued increase in website defacements!
MAJOR GLOBAL TRENDS - THREATS
HACKERS …..and other (bigger?) beasts.
Website defacements:
Just in case you missed out on the whole ordeal last
week, we were hacked 4 times by an elite group called r 139.
So we thought we would help the hackers out by hacking
our own page to save them some time...
MAJOR GLOBAL TRENDS - THREATS
MALWARE – Viruses, Worms and Horses
Usual Suspects - Code Red
Initiation: 19-07-2001 @ 00.00
Completion: 19-07-2001 @ 19.50
MAJOR GLOBAL TRENDS - THREATS
MALWARE – Viruses, Worms and Horses
Usual Suspects – Sapphire/SQL
Initiation: 25-01-2003 @ 05:29
Completion: 25-01-2003 @ 06:00
GT: A continued increase in speed of infections!
MAJOR GLOBAL TRENDS - THREATS
Characteristics of attack profile trends
Speed of attack generation increasing
Sophistication levels of attacks increasing
Time from Vulnerability to Exploit decreasing
Coordination levels of attacks increasing
From DOS to DDOS to GDOS
Attacks utilise ever larger number of combined techniques
Definite increase in Application Level Attacks…in addition to simpler Network Level Attacks
GT: A continued increase in Attack Sophistication!
MAJOR GLOBAL TRENDS - THREATS
IDENTITY THEFT - Definition: When an entity pretends to be another entity, without any authorisation, with the aim of gain.
“It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw
“Why steal from someone if you can just become that person?” Bruce Schneier
Considered the fastest growing crime globally
Figures ranging between 46% and 58% ACGR
Consists of personal and corporate ID theft.
GT: ID theft – the fastest growing crime globally!
MAJOR GLOBAL TRENDS - THREATS
IDENTITY THEFT and PHISHING
Mechanisms and components in online world
SPAM – using spoofed e-mails
Social Engineering
Corporate Website Spoofing
SPAM – in excess of 50% of Internet traffic
PHISHING
Obtaining personal financial information online.
Hijacking of trusted brands
419 Scams
List making for further SPAM
Malware Distribution
MAJOR GLOBAL TRENDS - THREATS
IDENTITY THEFT and PHISHING
It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…
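One way a brand owner can begin to answer that question, as an added example that is not part of the original slides: fold each observed domain label to a comparison form, then classify it against the brand by exact match, confusable spelling, small edit distance, or embedding. The brand "examplebank", the owned-domain set, the confusable table and the observed list are all constructed for illustration; a real deployment would feed it names from its own monitoring sources.

```python
import unicodedata

# Constructed, deliberately small confusable table; real tooling uses a fuller one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label):
    """Fold a DNS label to a form in which look-alike spellings collide."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c)).replace("-", "")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, brand, owned, max_dist=2):
    """Return why `domain` resembles `brand`, or None if it is owned or unrelated."""
    domain = domain.lower().rstrip(".")
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return None
    target = skeleton(brand)
    for label in domain.split("."):
        folded = skeleton(label)
        if label == brand:
            return "same-name"      # brand under a TLD or parent we do not own
        if folded == target:
            return "confusable"     # character substitution or accent
        if edit_distance(folded, target) <= max_dist:
            return "typo"
        if target in folded:
            return "embeds-brand"
    return None

def find_lookalikes(observed, brand, owned):
    hits = {d: classify(d, brand, owned) for d in observed}
    return {d: why for d, why in hits.items() if why}

# Constructed sample: "examplebank" is a hypothetical brand, not a real one.
OBSERVED = [
    "www.examplebank.com", "examplebank.net", "examp1ebank.com",
    "exarnplebank.net", "exmaplebank.com", "exampleb\u00e1nk.org",
    "examplebank-login.net", "weatherreport.org",
]

if __name__ == "__main__":
    for d, why in find_lookalikes(OBSERVED, "examplebank", {"examplebank.com"}).items():
        print(f"{why:13} {d}")
```

This covers the "look like" half of the question only; names that merely sound like the brand need a phonetic comparison on top.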
MAJOR GLOBAL TRENDS - THREATS
IDENTITY THEFT and PHISHING
GT: Phishing attack trend points to huge ID theft attack increase on the Web!
MAJOR GLOBAL TRENDS - THREATS
In Summary:
All information points to increase in attack vectors on the Internet.
Sophistication and speed of attacks increase
The Internet environment is increasingly used by criminal elements.
However – this by no means implies that one does not use the environment……which brings us to trends in the Technologies and Solutions space…
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
What are most companies spending their security efforts on?
Anti Virus Systems
Firewalls
IDS/IPS solutions
Patch Management
These assist in reducing effects of intrusion attacks and malware attacks
Reduces potential financial and reputational loss
Improves Quality of Service….but….
Insufficient to combat fraud and reduce criminal element
GT: Most companies still focused on Perimeter Security
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
Additionally - what are leading companies spending their security efforts on?
Substantial User Awareness Programs
Improvement of processes that have security implications
Classification of user base and risk profiling
Classification of Information
Gearing up legal and forensics department
Ongoing Security Assessments
Multi-layering of security environments
Implementing and monitoring Security Baselining standards
GT: Leading Companies are starting to look at Information Security using business principles!
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
Additionally - what are leading companies spending their security efforts on?
Multi-factor authentication for selected applications
Securing selected Web Applications
Incorporating security in the I.T. System development Life Cycle (SDLC)
Identity Management for complex environments
Analysing end-to-end security for selected applications
Clearer understanding of Acceptable Residual Risk
GT: Leading Companies are looking after the basics!
GT: Leading Companies are viewing Information Security as an important part of doing business!
GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!
MAJOR GLOBAL TRENDS – A FINAL THOUGHT
“Information security will continue to be a catch-up game….
the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints.
One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.”
“THE TREND IS YOUR FRIEND!”
SELECTED REFERENCES
Curran, Terri. “Security trends from a practitioner’s perspective.” CSI NetSec04 paper.
Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.”
Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey
Symantec Internet Security Threat Report, Volume V, Published March 2004
Peltier and Associates. “Mapping Policies to the Enterprise.”
David Lynas. “Return on Investment from Information Security.”
www.antiphishing.org
www.attrition.org
www.cio.com
www.csoonline.com
www.dshield.org
www.ftc.gov
www.gocsi.com
www.metagroup.com
www.redpay.com
www.searchsecurity.com
www.schneier.com
www.sensepost.com
www.siia.net
www.zone-h.org
Contact Details and Questions
Luc de Graeve
+27 (012) 667 4737
QUESTIONS?
THANK YOU!