
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You

Christopher Baum

Research Vice President

Global Government

NYSCIO Conference

July 13th 2005

Key Issues

What security threats are higher education institutions facing, and what are the trends?

What resources are institutions bringing to bear on the security challenge?

What principles should guide institutional IT security planning?

The Gartner/Chronicle of Higher Education IT Security Survey 2004/2005

Mail-based US survey of Chronicle of Higher Ed subscribers, closed Nov 2004; email-based EMEA/Australia survey closed May 2005

Topics: IT security organization, funding, attack/misuse incidence, technology, policy

US: 556 total respondents (138 CIOs used); Non-US: 63 respondents (40 EMEA, 23 Australia)

Types of Attacks/Misuse Detected in the Past 12 Months, US Responses

Financial Fraud: 3%
Unauthorized Access to Other Data: 6%
Unauthorized Access to Student Data: 7%
Altered/Vandalized Website: 18%
External Activity from Internal Resources by Insiders: 24%
External Activity from Internal Resources by Outsiders: 32%
System Penetration/Compromise: 38%
Denial of Service Attack: 66%
Computer Theft: 77%
Virus/Trojan/Worm: 100%

Types of Attacks/Misuse Detected in the Past 12 Months, Non-US Responses

Financial Fraud: 3%
Unauthorized Access to Other Data: 5%
Unauthorized Access to Student Data: 8%
Altered/Vandalized Website: 22%
External Activity from Internal Resources by Insiders: 11%
External Activity from Internal Resources by Outsiders: 17%
System Penetration/Compromise: 37%
Denial of Service Attack: 59%
Computer Theft: 70%
Virus/Trojan/Worm: 95%

Change in Attack/Misuse Incidence Compared to Previous 12 Months, US Responses

[Stacked bar chart, 0-100%, series Fewer / Same / More, one bar per category: Financial Fraud; Unauthorized Access to Other Data; Unauthorized Access to Student Data; Altered/Vandalized Website; External Activity from Internal Resources by Insiders; External Activity from Internal Resources by Outsiders; System Penetration/Compromise; Denial of Service Attack; Laptop Theft; Desktop/Server Theft; Virus/Trojan/Worm. Individual bar values are not legible in this transcript.]

Change in Attack/Misuse Incidence Compared to Previous 12 Months, Non-US Responses

[Stacked bar chart, 0-100%, series Fewer / Same / More, one bar per category: Financial Fraud; Unauthorized Access to Other Data; Unauthorized Access to Student Data; Altered/Vandalized Website; External Activity from Internal Resources by Insiders; External Activity from Internal Resources by Outsiders; System Penetration/Compromise; Denial of Service Attack; Laptop Theft; Desktop/Server Theft; Virus/Trojan/Worm. Individual bar values are not legible in this transcript.]

US Responses: Calculated Financial Loss

Financial Fraud: 50%
Unauthorized Access to Other Data: 13%
Unauthorized Access to Student Data: 10%
Altered/Vandalized Website: 0%
External Activity from Internal Resources by Insiders: 0%
External Activity from Internal Resources by Outsiders: 0%
System Penetration/Compromise: 2%
Denial of Service Attack: 5%
Laptop Theft: 58%
Desktop/Server Theft: 57%
Virus/Trojan/Worm: 8%

Loss calculation favors "obvious" hard values; real costs are going almost unmeasured.

Non-US Responses: Calculated Financial Loss

Financial Fraud: 100%
Unauthorized Access to Other Data: 0%
Unauthorized Access to Student Data: 20%
Altered/Vandalized Website: 21%
External Activity from Internal Resources by Insiders: 43%
External Activity from Internal Resources by Outsiders: 27%
System Penetration/Compromise: 22%
Denial of Service Attack: 38%
Laptop Theft: 27%
Desktop/Server Theft: 17%
Virus/Trojan/Worm: 45%

US Percentage of IT Budget Spent on Security

Current FY mean: 6.24%

[Pie chart: percentage compared to previous fiscal year; legend Increased / Same / Decreased; segment values shown: 1%, 42%, 57%]

Non-US Percentage of IT Budget Spent on Security

Current FY mean: 4.78%

[Pie chart: percentage compared to previous fiscal year; legend Increased / Same / Decreased; segment values shown: 10%, 43%, 47%]

US Information Security Officer: Status and Plans

Has institution designated an ISO?

If not, plan to designate one within 12 months?

[Pie charts, legend Yes / No / Don't Know; segment values shown: 65%, 75%, 12%, 30%, 70%, 13%]

Non-US Information Security Officer: Status and Plans

Has institution designated an ISO?

If not, plan to designate one within 12 months?

[Pie charts, legend Yes / No / Don't Know; segment values shown: 65%, 80%, 10%, 35%, 65%, 10%]

US Security Planning & Training

Have a formal IT security plan?

Plan to resume mission-critical operations during crisis?

Offer security awareness training?

[Pie charts, legend Yes / No / Don't Know; segment value groups shown: 41% / 58% / 1%; 78% / 22%; 30% / 69% / 1%]

Non-US Security Planning & Training

Have a formal IT security plan?

Plan to resume mission-critical operations during crisis?

Offer security awareness training?

[Pie charts, legend Yes / No / Don't Know; segment value groups shown: 54% / 46%; 81% / 19%; 81% / 19%]

US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis

[Bar chart, axis 0-50; categories: more than once a month; once a month; once every 2-3 months; once a semester; once a year; not been tested. Bar values are not legible in this transcript.]

Non-US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis

[Bar chart, axis 0-50; categories: more than once a month; once a month; once every 2-3 months; once a semester; once a year; not been tested. Bar values are not legible in this transcript.]

Expertise in Practice: CISO Organisation

Reporting line: Board of Trustees, President, CIO, CISO; a BISO sits within Business/Academic Unit Management.

CISO functions:

– Policy Management: policies and standards; risk assessment/profiling; policy compliance and consulting; awareness training; business security architecture; intellectual property management

– Security Administration: platform/application user management

– Security Engineering: minimum platform standards; technical security architecture

– Incident Response: identify threat and solution

US Anti-Viral Software: Mandatory, Optional, Not Available

[Bar chart, axis 0-80; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

Non-US Anti-Viral Software: Mandatory, Optional, Not Available

[Bar chart, axis 0-80; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

US: VPN for Remote Access: Mandatory vs Optional

[Bar chart, axis 0-80; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

Non-US: VPN for Remote Access: Mandatory vs Optional

[Bar chart, axis 0-70; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

US: Personal Firewall: Mandatory, Optional or Not Available

[Bar chart, axis 0-80; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

Non-US: Personal Firewall: Mandatory, Optional or Not Available

[Bar chart; series Mandatory / Optional / Not Available; groups Faculty / Staff / Students. Bar values are not legible in this transcript.]

Policy and Training

Security policies need to be concise, clear, role-based and enforceable

– Non-tech user issues: acceptable use, privacy, business continuity

– Tech staff: privileged access & ethical statement, password management, change management, role

– A policy that isn't signed can't be enforced

Focus security training on network and system administrators

Create a security culture

Establishing the Baseline

Building for Whom?

Omniscient

Nomadic

Connected

Telepathic

Defense in Depth in Practice: Scan and Block

Endpoints: Home PC, Corporate Laptop, Contractor Laptop

Access path: VPN, Switch

Infrastructure: RADIUS Server, DHCP Server, Policy Server

Each endpoint's scan results feed the policy decision:

– Scan Good: Allow Connect

– Scan Bad: Block
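The allow/block decision in the diagram above is only as good as the posture policy behind it. The following is an added example, not code from the slides or from any NAC product: a minimal policy-server check that compares each endpoint's reported scan against a constructed admission policy. The policy keys, device classes and scan results are all invented for illustration; the one design point worth carrying over is that a check the endpoint fails to report is treated the same as a failed check (fail closed).

```python
"""Added example: posture-based admission decision for a Scan and Block flow.
POLICY, the device classes and SAMPLE_SCANS are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical admission policy. Boolean entries must match exactly;
# numeric entries are upper bounds the observed value must not exceed.
POLICY = {
    "antivirus_running": True,
    "av_signatures_max_age_days": 7,
    "personal_firewall_enabled": True,
    "critical_patches_missing": 0,
}


@dataclass
class ScanResult:
    device: str                      # endpoint name as seen by the policy server
    device_class: str                # "corporate", "contractor", "home" (constructed)
    checks: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    device: str
    action: str                      # "allow" or "block"
    reasons: List[str]


def evaluate(scan: ScanResult, policy: Dict[str, object] = POLICY) -> Decision:
    """Compare one endpoint's scan against the policy.

    Fail closed: a check that was not reported counts as a failure, so an
    endpoint cannot pass simply by running an agent that omits data."""
    reasons: List[str] = []
    for check, required in policy.items():
        observed = scan.checks.get(check)
        if observed is None:
            reasons.append(f"{check}: not reported")
            continue
        # bool is a subclass of int in Python, so test for it first.
        if isinstance(required, bool):
            ok = observed is required
        else:
            ok = observed <= required
        if not ok:
            reasons.append(f"{check}: observed {observed!r}, required {required!r}")
    return Decision(scan.device, "allow" if not reasons else "block", reasons)


def decide_all(scans: List[ScanResult]) -> List[Decision]:
    """Evaluate every endpoint that asked to connect."""
    return [evaluate(s) for s in scans]


# Constructed scan results, one per endpoint class in the diagram.
SAMPLE_SCANS = [
    ScanResult("corp-laptop-17", "corporate", {
        "antivirus_running": True, "av_signatures_max_age_days": 1,
        "personal_firewall_enabled": True, "critical_patches_missing": 0}),
    ScanResult("contractor-laptop-03", "contractor", {
        "antivirus_running": True, "av_signatures_max_age_days": 21,
        "personal_firewall_enabled": True, "critical_patches_missing": 0}),
    ScanResult("home-pc-a1", "home", {
        "antivirus_running": True, "av_signatures_max_age_days": 3,
        "personal_firewall_enabled": False}),   # patch status never reported
]

if __name__ == "__main__":
    for d in decide_all(SAMPLE_SCANS):
        print(d.device, d.action, "; ".join(d.reasons) or "policy satisfied")
```

Run stand-alone, the corporate laptop is allowed, the contractor laptop is blocked for stale signatures, and the home PC is blocked twice over: once for the disabled firewall and once because it never reported its patch state.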

Vulnerability Management Technologies

Lifecycle: Baseline/Discover, Prioritize, Mitigate, Maintain

Technologies across the lifecycle:

– Audit and Policy Compliance Tools

– Security Management (Monitor)

– Vulnerability Assessment: Network, System, Application

– External Threat Services

– Asset Inventory and Classification

– Mitigation Workflow

– Patch Install

– Shielding: Firewall, IPS, Scan and Block

– Provisioning

– Configuration Management
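The Prioritize step is where the inventory, the assessment results and the external threat feed come together. The following is an added example, not code from the slides or from any Gartner material: a risk ranking that scales scanner severity by asset classification and by two threat signals. The asset classes, weights, finding identifiers and findings are all constructed; the generalisation it demonstrates is that a raw severity sort and a risk sort can put the same findings in a different order, and that a host missing from the inventory should not quietly fall to the bottom of the queue.

```python
"""Added example: ranking scan findings for the Prioritize step.
ASSET_CRITICALITY, the multipliers and SAMPLE_FINDINGS are constructed."""
from dataclasses import dataclass
from typing import List

# Hypothetical output of the Asset Inventory and Classification step
# (higher number = more critical to the institution).
ASSET_CRITICALITY = {"student-records-db": 3, "web-portal": 2, "lab-workstation": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder ids, not real advisories
    severity: float          # 0.0-10.0 as reported by the scanner
    exposed: bool            # reachable from outside the campus network
    exploited_in_wild: bool  # flag from an external threat service


def risk_score(f: Finding) -> float:
    """Severity scaled by asset criticality, then multiplied for exposure and
    for known exploitation. An asset that is not in the inventory is treated
    as maximally critical, so an incomplete inventory surfaces the gap rather
    than hiding it."""
    criticality = ASSET_CRITICALITY.get(f.asset, max(ASSET_CRITICALITY.values()))
    score = f.severity * criticality
    if f.exposed:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return round(score, 2)


def mitigation_queue(findings: List[Finding]) -> List[str]:
    """Vulnerability ids ordered highest risk first; ties broken by raw
    severity, then by id so the order is stable."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), -f.severity, f.vuln_id))
    return [f.vuln_id for f in ordered]


def severity_queue(findings: List[Finding]) -> List[str]:
    """The naive alternative: sort by scanner severity alone."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.severity, f.vuln_id))]


# Constructed findings covering the cases the ranking should separate.
SAMPLE_FINDINGS = [
    Finding("lab-workstation", "VULN-A", 9.8, False, False),    # severe, low-value asset
    Finding("student-records-db", "VULN-B", 6.5, False, True),  # medium, exploited, critical asset
    Finding("web-portal", "VULN-C", 7.5, True, False),          # externally exposed
    Finding("unknown-host-42", "VULN-D", 4.0, False, False),    # absent from inventory
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.vuln_id, f.asset, risk_score(f))
    print("by severity:", severity_queue(SAMPLE_FINDINGS))
    print("by risk:    ", mitigation_queue(SAMPLE_FINDINGS))
```

The severity sort puts VULN-A on the lab workstation first; the risk sort moves the exploited finding on the records database to the top and pushes the lab workstation to the end, with the un-inventoried host ranked ahead of it until someone classifies it.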

Understanding the Environment

Environmental Trends: forces in the universe; forces on your organization

Business Drivers: how they affect your organization

Business Strategies and Tactics: how you react

Information Requirements: what, who, when, how

Architecture Design Principles: "Thou shalt..."

Business and Technology Architecture

Trace the Value

Information Requirements

What do we know? What do we need? Where do we get it? Where does it need to be? When does it need to be there? Who should not see it?

Dimensions: People, Systems, Processes, Data

A New World

Variably Connected, Variably Secure: Dimensions

Connectedness

– Connection state: Disconnected; Occasionally Connected; Occasionally Disconnected; Connected with Dropouts; Connected

– Throughput: Low; High; Bursty

Security Environment

– Contained; Constrained

Urgency

Information

– Source; Authenticity; Non-repudiation; Time Sensitivity; Confidentiality; Business Rules

Device

– Identity; Trustworthiness

Agent

– Identity; Trustworthiness; Role; Responsibility; Privilege

Seven Guiding Principles of IT Security

Defense in Depth

– Combine proactive & reactive mechanisms

Principle of Least Privilege

– Users, processes, & resources get minimum necessary access

The Weakest Link

– Train against social engineering

Security Expertise is Key

– Establish a CISO office; mix central policy w. distributed implementation

Build Security in Early

– The earlier a defect is found, the cheaper it is to fix

Be Paranoid

– Don’t just build for legitimate or “correct” usage

Simplify, Simplify, Simplify

– Simpler systems are easier to deploy, manage, & maintain

The Way Ahead for Information Systems Security

Christopher Baum

Research Vice President

Global Government

NYSCIO Conference

July 13th 2005