
Page 1: Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies Presented By: Tina LaCroix & Jason Witty.
Page 2

Trends in Information Security:

Threats, Vulnerabilities and Mitigation Strategies

Presented By:

Tina LaCroix & Jason Witty

Page 3

Presentation Overview

• Introduction and Benefits of InfoSec

• Trends and Statistics

• Hacking Tools Discussion / Demonstration

• Proactive Threat and Vulnerability Management

• Security Lifecycle

• Recommendations

• Wrap-up / Questions

Page 4

Q: In Today’s Down Market, What Can:

• Give your company a competitive advantage?

• Improve your reputation in the eyes of your customer?

• Demonstrate compliance to international and federal privacy laws?

• Improve system uptime and employee productivity?

• Ensure viable eCommerce?

Answer: Information Security.

Page 5

What’s the Problem?

Your security people have to protect against thousands of security problems.

Hackers only need one thing to be missed.

But with appropriate attention given to security, companies can be reasonably well protected.

Page 6

Some InfoSec Statistics

• General Internet attack trends are showing a 64% annual rate of growth – Riptech

• The average [security conscious] company experienced 32 attacks per week over the past 6 months – Riptech

• The average cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 - UK Dept of Trade & Industry

• Several companies experienced single incident losses in excess of $825,000 - UK Dept of Trade & Industry

Page 7

Computer Incident Statistics

[Chart: Number of Incidents Handled by CERT/CC, by year]

• In 1988 there were only 6 computer incidents reported to CERT/CC.

• There were 52,658 reported and handled last year.

Page 8

General Trends in Attack Sophistication

Over Time, Attacks have Gotten More Complex, While Knowledge Required to Attack has Gone WAY Down

[Chart: Level of Damage Capable vs. Level of Knowledge Required, plotted over time]

Page 9

Information Security Threats: Attackers

• Bored IT guys…

• “Hacktivists”

• Competitors

• Ex-employees

• Terrorists

• Disgruntled employees

• Real system crackers (Hackers)

• The infamous “script kiddie”

Page 10

Hacker Tools: Web Hacking

Page 11

More Web Hacking Tools

Page 12

Password Cracking Tools

Page 13

Password Cracking: Windows

Page 14

Need More Tools?

http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download

Page 15

Full Disclosure: What’s That?

• When a vulnerability is discovered, all details of that vulnerability are reported to the vendor

• Vendor then works on a patch for a “reasonable” amount of time

• Discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited

• Hopefully the vendor has a patch available

Page 16

Hacker Techniques: The Scary Reality

• Growing trend by some hackers NOT to report vulnerabilities to vendors – KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY

• Exploit services that HAVE to be allowed for business purposes (HTTP, E-Mail, etc.)

• Initiate attacks from *inside* the network

• It’s much easier to destroy than protect!

Page 17

So How Do We Protect Against All of This?

Page 18

(No More of This)

Start by Acknowledging the Problem…

Page 19

Security Risk Management Principles

• Information Security is a business problem, not just an IT problem

• Information Security risks need to be properly managed just like any other business risk

• Lifecycle management is essential – there are always new threats and new vulnerabilities to manage (and new systems, technologies, etc., etc.)

Page 20

Proactive Threat and Vulnerability Management

• Internal Security Risk Management Program

• User Education

• Selective Outsourcing / Partnerships

Page 21

Security Risk Management: IT Control Evolution

Year | “Secure Enough” Control | Security Goal
1995 | Stateful firewalls and desktop anti-virus (AV) | Keep external intruders and viruses out
1997 | Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers | Keep external intruders out, but let admins know when they do get in
2000 | Above plus Network AV, URL Screening, Host Based IDS, and VPNs | Control and monitor all network access but allow flexibility
2002 | Above plus strong authentication, application firewalls | Protect against blended threats
Future | Gateway IDS (GIDS), application aware proxies, integrated exposure management, standard metrics and measurements | True enterprise security risk management

Page 22

InfoSec Risk Examples

Threat | Damage | Mitigation Strategies
Web Site Defacement | Loss in customer confidence, loss in revenue | IT Controls, User Education, 24 x 7 monitoring
Data theft | Loss of competitive advantage | IT Controls, User Education, employee screening
Wide-spread Virus infection | System downtime, loss in productivity, loss or corruption of data | IT Controls, User Education, email sanitization
Unauthorized network access | Any of the above | IT Controls, User Education, network entry point consolidation

Page 23

Security Risk Management Program

Should include (not an exhaustive list):

• Governance and sponsorship by senior management

• Staff and leadership education

• Implementation of appropriate technical controls

• Written enterprise security policies & standards

• Formal risk assessment processes

• Incident response capabilities

• Reporting and measuring processes

• Compliance processes

• Ties to legal, HR, audit, and privacy teams

Page 24

Security Risk Management: Education

• One of the largest security risks in your enterprise is untrained employees – this especially includes upper management

• Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk?

• Are users aware of their roles and responsibilities as they relate to information security?

• Are users aware of security policies and procedures?

• Do users know who to call when there are security problems?

Page 25

Security Risk Management: IT Controls

• The average enterprise needs Firewalls, Intrusion Detection, Authentication Systems, Proxies, URL Screening, Anti-Virus, and a slew of other things.

• A major reason we need all of this technology is because systems continue to be shipped / built insecurely!!!

• Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes

Page 26

Security Risk Management: Selective Outsourcing

Things you might consider outsourcing:

• The cyber risk itself (Insurance, Re-insurance)

• Email filtering and sanitization

• 24 x 7 security monitoring

• 1st level incident response (viruses, etc.)

• Password resets

• Others?

Page 27

Wrap Up: What Can You Do Going Forward?

1. Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!

2. Remember that security is not a “thing” or a one time event, it is a continual process…

3. Manage security risks like other business risks

4. Conduct periodic security risk assessments that recommend appropriate security controls

5. Ensure security is inserted early in project lifecycles

6. Support your internal InfoSec team – they have a tough job managing threats and vulnerabilities

Page 28

Credits

• CERT/CC – http://www.cert.org/present/cert-overview-trends/

• Internet Security Alliance – http://www.isalliance.org

• Riptech – http://www.riptech.com

• UK Department of Trade and Industry – https://www.security-survey.gov.uk/View2002SurveyResults.htm

Page 29

Questions?