The Future of Security
4/27/2011
The Future of Security
David Smith, CEO ([email protected], /in/davidsmithaustin)
Why is Security Hard?
• No system can be 100% secure
– Reality is risk mitigation, not risk avoidance
• Difficult to prove good security
– Bad security gets proven for us!
• Good security and no security can look the same
– How does one know how secure they are?
• Many things to secure
– People, equipment, OS, network, application servers, applications, phones, and databases
Balancing the Business
[Figure: a triangle balancing Usability, Performance and Security]
Challenges in the 21st century
[Figure: Safety & Security, Knowledge Economy, Information Explosion, Finite Resources, International Partnerships, Globalization, Accelerating Change, Complex Technologies, Diverse Workforce, Sustainable Development, Life-Long Learning, Citizen Engagement]
Copyright, 2008 © HBMG, Inc.
The Growth Of Complexity
[Figure: systems plotted by Technical Complexity (lower to higher) against Management Complexity (lower to higher): DOD weapon system, National Air Traffic Control System, Telecom switch, Large-scale simulation, DOD management information system, Enterprise information systems, Enterprise application, Small scientific simulation, Embedded automotive application, Commercial compiler, Business spreadsheet]
HBMG Inc. Copyright 2009
Mega Trends to Consider…
• Digitization of all content (listening = getting!)
• Distribution is the default (just having a network won’t be enough)
• Virtualization (location matters less and less)
• Niche-ization of content & lifestyles
• Mass-Personalization of media will become standard
• Democratization of creation, & peer production
• Amateurization of the entire value chain (but NOT to the detriment of experts)
• “Godzilla-zation” of users/consumers
Major Trends for Software Process
• System of systems is becoming more complex
• Increasing software criticality and need for dependability
• Increasing emphasis on end users – both inside and outside the enterprise
• Decreasing value of IT
• Geography doesn’t matter
• The fabric of software and computing is evolving
• Continuous integration - continuous delivery – group mind
• Increasing software autonomy
• Combination of biology and computing
Copyright, 2009 © HBMG, Inc.
The Limits of Technology
• The laws of physics
• The laws of software
• The challenge of algorithms
• The difficulty of distribution
• The problems of design
• The importance of organization
• The impact of economics
• The influence of politics
• The limits of human imagination
(The slide groups these limits under two headings, Fundamental and Human.)
Vertical Convergence with an Industry
Technology: Computers & Peripherals
• Semi-conductors
• Internet apps
• Software
• Internet devices
Telecom: Communication Equipment
• Service Providers: Telephone/Voice & Data; Mobile Wireless/Voice & Data
Network: Networking / IP Networking
• Service Providers: Internet Service Providers; Broadband; Satellite; Broadcast Cable
Content: Media & New Media
• Advertising
• Printing, Publishing and Newspapers
Entertainment: Broadcasting
• Film
• Music
• Gaming
• Sports
Horizontally Across Different Industry Sectors
[Figure: the same five industry columns (Technology: Computers & Peripherals; Telecom: Communication Equipment; Network: Networking/IP Networking; Content: Media & New Media; Entertainment: Broadcasting, Film) crossed with the horizontal sectors Manufacturing, Infrastructure, Services, Content and the rows Design, Devices, Software, Distribution. Column entries: Peripherals, Semiconductors, Internet apps, Software, Internet devices; Service Providers: Telephone/Voice & Data, Mobile Wireless/Voice & Data; Service Providers: ISP(s), Broadband, Satellite, Broadcast Cable; Advertising, Printing, Publishing & Newspapers; Music, Gaming, Sports]
Convergence reduces costs and risks
• Security Information & Events Systems
• Comprehensive Security & Compliance
• Identity & Access Privileges
Change, Uncertainty, and Complexity
[Figure: word cloud: Technology Acceleration, Intangible Capital, Virtual Worlds, Economic & Financial, Russia - China, Cyber Warfare, K-12 Science & Math Crisis, Offshore Competition, Global Talent Explosion, English as 2nd, Terrorism, Pandemic, 3 Billion New Capitalists, Demographics, Regional Economic Dislocation, Economic Unions, Flat Wages, End of Moore’s Law, New Economic Superpowers in 2050?]
Innovation is Accelerating
The “Fat Pipe”
Growth of Broadband Users
[Chart: millions of users worldwide, 1990–2020, scale 0 to 4,000 million; three series: Cellular Subscribers, Internet Users, Broadband Users. Source: Technology Futures, Inc., World Broadband 2005; historical data source: ITU]
Regional Forecasts—Broadband
[Two charts, 1995–2025, both from Technology Futures, Inc. with historical data from ITU. The first (World Broadband 2006) plots millions of broadband subscribers by region (AP, Europe, NA, SA, MA, Korea), scale 0 to 500. The second (World Broadband 2005) plots the percentage of households with broadband by region (AP, Europe, NA, SA, MA, Korea), scale 0% to 100%.]
The first looks at millions of broadband subscribers, and the second at penetration.
Fixed Mobile Convergence
The latest buzzword in the collaborative industry is fixed mobile convergence (FMC), the integration of wire line and wireless technologies to provide users with a seamless communication environment.
Wireless Broadband Changes Everything….
Habits and behaviors sometimes change quickly: Once you had a great (and affordable) experience with new technology, you usually don’t want to miss it anymore. See: Blackberry, iPod, Skype, in-flight Wi-Fi, HD radio…
Wireless enables two-way, personalized media (as opposed to mass media)
Mobile content access will dwarf desktop-based access 10:1
In wireless broadband, interaction takes on a whole new meaning:
– “Sharing” will become a default standard
– Multimedia communications will abound (messages, video, photo, sound)
– Games become all-pervasive (posing other problems)
– Shared content creation is now “on the fly” (contributing, remixing, mashing, etc.)
– Location-based CONTENT services will explode
Receivers become senders too
“Mobile phones are more than a billion smart computers we can’t ignore that may create a software spiral like that of PC over the next 10 years.”
—Paul Otellini, CEO, Intel
“We really believe we are on the cusp of a whole new era of mobile computing.”
—Steve Ballmer, CEO, Microsoft
Top Ten Attacks
• Trusted Website attacks
• Effectiveness in Botnets
• Data Loss – Phishing
• Mobile phone threats (iPhones)
• Insider attacks
• Identity Theft
• Malicious Spyware
• Web Application Security Exploits
• VoIP event Phishing
• Supply Chain Attacks
Pillars of Information Protection
• Secure Systems
• Information Management
• Network Security
• Physical Security
Threats and Vulnerabilities
– What’s at Stake
• Critical Infrastructures
• Key Resources
• New Resources
– The Case for Action
• Cyber Threats
• Insider Threats
• External Threats
• Cyber Terrorism
• Physical Attacks
[Chart: Security Incident Trend, 1995–2003 (CERT/CC)]
What kind of threats are there?
External threats
– Malware
– Rootkits
– Adware
– Spam
– Phishing
– “Ransomware”
Internal threats
– User response to unsolicited email or instant messages
– May have a network that is difficult to maintain
– “The Enemy Within” – The code for malware isn’t particularly difficult to find and launch.
Threat numbers - Malware
5500 new malicious software threats per month
Attack Trends – Data Breaches: Information on data breaches that could lead to identity theft. The Education sector accounted for the majority of data breaches with 30%, followed by Government (26%) and Healthcare (15%); almost half of breaches (46%) were due to theft or loss, with hacking only accounting for 16%. Hacking resulted in 73% of identities being exposed.
IT Trends
[Figure: timeline 1960–2020: Punch Card, Mainframe/Midrange, Client Server, Network, Internet/WEB, Grid, Virtualization, Appliances, Cloud, Ubiquitous]
Programming Trends – Top 10 Programming Languages
[Chart: Programming Community Index for August 2010. Source: Tiobe Software, Aug. 2010]
Entry points - email - social engineering
Security patch, Famous person photo, Anti-virus program, MP3/video, Computer game, “Cracked” software, Serial numbers file, Electronic postcard
[Figure: networked consumer devices: Digital Video Adapters, Satellite Radio Receivers, Digital Cameras, PDAs, Wireless Cameras, Wireless TV Monitors, Digital Music Adapters, Networked Storage Centers, Game Consoles, Smart Displays, Smart Phones, Laptop PCs, Desktop PCs, Wireless Gaming Adapters, Movies-on-Demand Receivers, “Fourth Generation” Set-top Boxes, MP3 Players, Digital Media Receivers, Personal Video Recorders, Networked DVD Player, Mobile Gaming Devices, 802.11 Speakers]
Ubiquitous Computing
[Figure: complexity rising over a 1960–2025 timeline: Punch Card, Mainframe/Midrange Computing, Client/Server Computing, Internet/Network Computing, Peer-to-Peer/Mobile, Ubiquitous Computing; the scope of computing moves from Department Process Centered to Intra-Enterprises, Extra-Enterprises, Personal, and Anytime-Anywhere]
INFOSEC Research Council's “Hard Problems” list
1. Global-Scale Identity – Identification required to produce an infrastructure capable of and reliable for commercial and national security purposes
2. Insider Threat – All security technologies and approaches rely practically on modeled behavior of external bad actors. This runs contrary to a majority of the security data, which shows damage caused by insiders to be orders of magnitude more frequent and costly
3. Availability of Time-Critical Systems – Implementing effective security for systems where timeliness, performance and availability are higher priority services than security (i.e. control systems)
4. Scalable Secure Systems – The development of large-scale secure systems where individual components or dependencies may be flawed or compromised
5. Situational Understanding and Attack Attribution – Determining the current state of security for large scale and complex systems and being able to conduct assessments and provide attribution for security incidents
6. Information Provenance – Developing systems and methods to determine and manage the integrity of information and information systems
7. Security with Privacy – Designing methods and processes to improve security while preserving or enhancing privacy through granularity of activities and systems improvements
8. Enterprise-Level Security Metrics – Scalable methods to determine or represent security or risk are needed in order to optimize resource allocation and decision making.
Security is a System
SECURITY = Product, Configuration, Implementation, Policy and Process
SOA Reference Architecture
[Figure: layered reference architecture with cross-cutting Security, Operations & Governance and Policy, Process, Monitoring, Reporting, Usage Tracking:
• Users: Browsers, Voice
• Channel: PC, PDA, Cell Phone, iPhone, IVR
• User Interface / Access Points: Portals / Websites; Web Applications (ASP, JSP, HTML, CSS); User Interactions (Voice/XML)
• Web Services: Atomic, Composite, Business, Federated; Service Management
• “Enterprise Service Bus”: Orchestrated Web Services, Service Discovery, Service Transformations, Service Mediation, Routing, Logging, Auditing, Identity Policy Enforcement, Messaging Management, Authentication / Single Sign-On, Business Process
• “Service Registry”
• Data Access: Atomic, Composite, Business Logic/Rules, Federated
• Platform: Mainframe, UNIX, Windows, .NET, Java J2EE, COBOL, CICS; System Administration
• Network: Firewalls, Routers, XML Accelerators, Proxy Servers, TCP/IP; Network Administration]
Growth at the Edge of the Network
[Chart: Petabytes/Day Global, 2003–2012, scale 0 to 4,000; two bands: Traditional Computation and Converged Content (Mobile, Device to Device, Sensors, Entertainment, Smart Home, Distributed Industrial, Autos/Trucks, Smart Toys)]
Cloud Computing - a Disruptive New Paradigm
A “cloud” is an IT service delivered to users that provides:
• Simple user interface that automatically provisions IT resources
• Capacity on demand with massive scalability
• New application service delivery models
• Platform for next generation data centers
• Development in the cloud, for the cloud
“Clouds will transform the information technology (IT) industry… profoundly change the way people work and companies operate.”
[Figure: timeline 1990–2015: Grid Computing, Utility Computing, Software as a Service, Cloud Computing]
A Riskier World?
Risk Management – A changing framework
[Figure: 1970’s: Value of Tangible assets, Traditional Asset Protection; 2000+: Value of Intangible assets (Knowledge, Reputation, Management, Image), Knowledge based economy]
12 Components of an Effective Information Security Program
– Risk Management
– Policy Management
– Organizing Information Security
– Asset Protection
– Human Resource Security
– Physical and Environmental Security
– Communication and Operations Management
– Access Control
– Information Systems Acquisition, Development and Maintenance
– Incident Management
– Disaster Recovery Management
– Compliance
Hierarchy of Needs
[Figure]
Social Media
[Figure]
Collaboration Technologies
[Figure]
Speed of Connectivity
[Figure: technologies arranged by Speed of Connectivity — Informational against Speed of Connectivity — Social. Labels: A.I., Deep Search, Intelligent Agents, Weak Signals, Inference Engines, XML, Knowledge Networks, Intelligent Marketplaces, Group Intelligence, Enterprise Minds, Semantic Web, Knowledge, Reed’s - Self Formation, Metaweb, Digital World, Virtual Worlds, Massive Multiplayer Games, Evolving—Self Forming, Ontologies, Taxonomics, Knowledge Bases, Knowledge Management, Life Casting, Life Logs, Group Minds, Emergent Groups, Market Places, Search Engines, Content Portals, Websites, Enterprise Portals, Mobile Technologies, Wikis, Social Media, People Web, WeBlogs, Databases, File Servers, Groupware, PIMs, P2P File Sharing, Auctions, IM, Social Networks, Information Web, Phone Calls, Conference Calls, Computer Conferencing, Community Portals]
Along for the Ride: Security Element Is in the Infrastructure
The current and future working environment is one without perimeters or boundaries, so collaboration tools are a necessity. In the future collaborative environment, users will no longer have the “living in the inbox” mentality, and will rely less on standard tools like e-mail and more on other collaborative tools and technology as a part of daily operations. The security element for such tools will be managed at the infrastructure level, using existing and new enterprise and network tools. The demand for security (managing identities, data protection, secure networks, and transactions and resiliency) will be handled by the infrastructure itself.
[Figure: concentric security layers: Policies, Procedures, & Awareness; Physical Security; Perimeter; Internal Network; Host; Application; Data]
Disruptors can be:
Technology, Regulatory, Economic, Civil, Natural Disasters…
Risk
“Risk is inherent in life. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete security is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated risk. The results of such an analysis could include pragmatic decisions as to whether achieving risk avoidance at such cost was reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is risk management.”
—Julie H. Ryan, Booz‐Allen & Hamilton
Risk Model Example: ‘PEST’ model
[Figure: quadrants labeled Technical, Economic, People, Social, containing: IT/Systems Breakdown, Contamination, Industrial Accidents, Government Crisis, On‐site product tampering, Malicious acts, Organisational failure, Utilities failure, Sabotage, Terrorism, Labour strikes, Off‐site product tampering]
Elements of the Web of Trust
All solutions to Identity Management must provide a solution for each of these seven elements.
Risk Management And Needed Security
[Figure: risk matrix with Probability of exploit (Low to High) on one axis and Impact to business (Low to High) on the other; the high-probability, high-impact region is Unacceptable Risk and the low region is Acceptable Risk]
Business defines impact
Security engineering defines probability
Risk management drives risk to an acceptable level
Risk Formula
Risk is a statement of probability. It is the probability that a given threat will exploit a given vulnerability and cause harm.
Threat agent: Any person or thing that can do harm
Threat: Anything that could harm an asset
Vulnerability: A deficiency that leaves an asset open to harm
Asset: Anything with value—what we want to protect
Exposure: Harm caused when a threat becomes real
Countermeasure: Any protective measure we take to safeguard an asset. This is measured by reducing the probability of successful exploitation
Threat Modeling & Risk Forecasting
[Figure: Threat Sources (Internal Operations (i.e. Insider Threats), Internal Operations (i.e. Financial), External Customers, External Competitors, External Non-related Businesses, Business Partners B2B, Business Partners Suppliers, Global Governments, etc.) linked to threat categories (Internal Technology, Internal Processes, External Physical (BC-type threats), External Technology-driven) by edges labeled Gives Rise To, Exploits, Affects, Mitigated By, Offsets]
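The risk formula and the risk-matrix slide lend themselves to a small risk register. The Python below is an added example written for this transcript, not code from the deck or from HBMG. It assumes a 0 to 1 probability scale (owned by security engineering), a 1 to 5 impact scale (owned by the business), an acceptable-risk threshold on probability times impact (owned by risk management), and treats a countermeasure the way the slide defines it, as a reduction of the probability of successful exploitation. The register entries, names and numbers are constructed for illustration.

```python
"""Added example (not from the deck): a minimal risk register built on the
slide's definitions. Scales, threshold and all sample values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Countermeasure:
    """A protective measure, measured by how much it reduces the probability
    of successful exploitation (assumed scale: fraction 0.0 .. 1.0)."""
    name: str
    probability_reduction: float


@dataclass
class Risk:
    """One register entry: a threat exploiting a vulnerability in an asset."""
    asset: str             # anything with value, what we want to protect
    threat: str            # anything that could harm the asset
    vulnerability: str     # deficiency that leaves the asset open to harm
    probability: float     # likelihood of successful exploit, 0.0 .. 1.0 (security engineering)
    impact: int            # harm if the threat becomes real, 1 (low) .. 5 (high) (business)
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject out-of-range inputs early; a bad scale silently skews every score.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range for {self.asset!r}")
        if self.impact not in range(1, 6):
            raise ValueError(f"impact out of range for {self.asset!r}")
        for cm in self.countermeasures:
            if not 0.0 <= cm.probability_reduction <= 1.0:
                raise ValueError(f"bad reduction for countermeasure {cm.name!r}")

    def residual_probability(self) -> float:
        """Probability left after every countermeasure; reductions are treated
        as independent, so they compound multiplicatively (assumption)."""
        p = self.probability
        for cm in self.countermeasures:
            p *= 1.0 - cm.probability_reduction
        return p

    def inherent_score(self) -> float:
        """probability x impact before countermeasures."""
        return self.probability * self.impact

    def residual_score(self) -> float:
        """probability x impact after countermeasures."""
        return self.residual_probability() * self.impact


# Assumed acceptance threshold on probability x impact, set by risk management.
ACCEPTABLE_RISK = 1.0


def classify(risk: Risk, threshold: float = ACCEPTABLE_RISK) -> str:
    """The two regions of the slide's risk matrix."""
    return "acceptable" if risk.residual_score() <= threshold else "unacceptable"


def required_probability_reduction(risk: Risk, threshold: float = ACCEPTABLE_RISK) -> float:
    """Further fractional probability reduction needed to reach the acceptable
    region (0.0 when already acceptable). Impact is the business's call, so
    only the probability is treated as adjustable."""
    max_probability = threshold / risk.impact
    residual = risk.residual_probability()
    if residual <= max_probability:
        return 0.0
    return 1.0 - max_probability / residual


def prioritize(register: List[Risk],
               threshold: float = ACCEPTABLE_RISK) -> List[Tuple[str, str, float, str]]:
    """(asset, threat, residual score, classification), highest residual risk first."""
    rows = [(r.asset, r.threat, round(r.residual_score(), 3), classify(r, threshold))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; every value below is illustrative, not measured.
SAMPLE_REGISTER = [
    Risk("customer database", "external web attacker", "unvalidated web input",
         probability=0.6, impact=5,
         countermeasures=[Countermeasure("parameterized queries", 0.9),
                          Countermeasure("web application firewall", 0.5)]),
    Risk("payroll system", "insider misuse", "shared administrator account",
         probability=0.3, impact=4,
         countermeasures=[Countermeasure("individual accounts with audit logging", 0.5)]),
    Risk("marketing website", "defacement", "unpatched CMS plugin",
         probability=0.5, impact=3),
]

if __name__ == "__main__":
    for asset, threat, score, verdict in prioritize(SAMPLE_REGISTER):
        print(f"{score:5.2f}  {verdict:12s}  {asset} / {threat}")
```

Run as a script, the block lists the register highest residual risk first. The customer database entry starts with an inherent score of 3.0 but drops to 0.15 once its two countermeasures compound, while the website entry (1.5) stays in the unacceptable region; `required_probability_reduction` reports that its probability still has to fall by a further third, which is the "security engineering defines probability" lever the slide describes.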
In Parting: Be Paranoid
“Sooner or later, something fundamental in your business world will change.”
—Andrew S. Grove, Founder, Intel, “Only the Paranoid Survive”