Taking Control of Enterprise Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Taking Control of Enterprise Security
FBI InfraGard National Conference 2005
John G. O'Leary, CISSP, Computer Security Institute
Session 7, Aug 10, 2005
2
Abstract
With risks and security challenges becoming
increasingly complex, organizations often find
themselves playing catch-up in their responses.
Possible results include tremendous costs, bad
publicity, loss of reputation and customer
loyalty, maybe even fines and criminal
charges. What should they be doing
differently? Is technology the answer? Is it
possible to win "the battle of good vs. evil"
in an increasingly online, integrated
environment?
3
Abstract
In this session, we'll take a look at the state
of Information Security in August 2005 and into
the future. We'll try to view it from a business
perspective, understanding the limitations of an
ever-changing environment and a finite budget.
Taking selected data from the CSI/FBI computer
crime survey and other clues from headlines and
the 6 o'clock news, we'll identify some trends
and try to give realistic ideas for taking
control and managing the various and sundry
issues that invariably appear in the security
arena.
4
Agenda
  • State of security in August 2005
  • Business perspective on threats
  • Taking control: what you can do

5
State of Security August 2005
  • Evolving Threat Scenarios
  • Shrinking Envelope for Reaction
  • Market Pressures
  • Media Hype
  • Corporate Irresponsibility
  • Excerpts from CSI/FBI Survey

6
Evolving Threat Scenarios
  • Complex, sophisticated attacks
  • Created by truly clever hackers
  • Not mythical, but relatively rare
  • Perpetration by script kiddies
  • Little knowledge of what they are doing
  • Less ethical concern
  • Large portion of what your IDS flags
  • Chance of catching and bringing them to justice
  • Slim, but improving
  • Press venerates them

7
Evolving Threat Scenarios
  • Criminals in mid-2005 don't just lurk or hack
    transmitted messages
  • They go for specific stored information (e.g.,
    credit card numbers, demand deposit account
    numbers, purchase histories, etc.) on databases
    and websites
  • Possible downstream liability if you cannot show
    due care with customer information
  • Repeated demonstrations that denial of service
    can be a very serious matter

8
Evolving Threat Scenarios
  • Internal, authorized users who become
    disgruntled or greedy can cause more damage
    than ever (internal threat)
  • Note: see today's newspapers, or yesterday's or
    tomorrow's
  • Merger/acquisition/divestiture activity breeds
    more disgruntlement
  • Absolute dependence on systems, websites,
    internet connections, e-mail, data warehouse,
    etc. to do business

9
Shrinking envelope for reaction
  • Time from public disclosure of a vulnerability
    to in-the-wild exploits using that
    vulnerability to infect or damage
    actual sites is getting shorter
  • Witty worm in 2004: 48 hours
  • Zero-day exploits now feasible
  • ...but you can't patch everything constantly

10
Market Pressures
  • Some really bad products being touted as the
    answer to all your problems
  • Some really good products with really bad
    marketing
  • Woefully inadequate training (not just by
    vendors) on the use of products, even excellent
    products
  • Whatever your question, marketers reply "Sure,
    it'll do that" or "next release"

11
Market Pressures
  • More vendors of security-related hardware
    and software than ever
  • Venture capitalists active again
  • Shakeout has already started
  • Merger activity increasing
  • Best product isn't always the survivor in a
    merger
  • Support tends to get less emphasis

12
Media Hype
  • Detailed, readable, believable, entertaining
    stories, full of inaccuracies, written by
    reporters who have no clue about IT or security
    or business in general
  • Try to name one movie where the hacker is not
    heroic and noble, with a justifiable gripe
  • And, of course, companies, government agencies,
    accounting firms, universities, investigatory or
    enforcement entities, etc., are all evil

As for government/industry cooperative
organizations...
13
Corporate Irresponsibility
  • Sep 2004
  • Sven Jaschan of Rotenburg, in Saxony, caught by
    German police
  • He admitted writing the Sasser worm and being part
    of Skynet (authors of NetSky)
  • Securepoint offered him a job
  • July 11, 2005: 21-month suspended sentence, 30
    hrs. community service

14
Corporate Irresponsibility
  • 2004 and 2005
  • Rash of privacy incidents
  • Universities
  • Credit bureaus
  • Banks
  • Retailers
  • Follow letter of the law
  • Notify those they must (e.g., Cal citizens)
  • No legal requirement, no notification

15
Excerpts from CSI/FBI Computer Crime and Security
Survey
16
CSI/FBI Survey
17
Types of attack by percent
18
Types of attack by percent
19
Types of attack by percent
20
Cybercrime Losses
Figure 15 dollar losses
21
Why More DoS? Organized Crime
  • Prior to 2003, DoS attacks were almost always
    non-financial crimes
  • 2003: Super Bowl betting "protection" schemes
  • 2004: blackmail of smaller sites
  • Example: small credit card clearing business in
    Kentucky, 2 weeks offline

22
Basic DoS Scenario
23
Average Cybercrime Losses
24
Tools Technology
25
Takeaways
  • DoS is on the rise. Proactive configuration of
    firewalls, IDS, and servers can mitigate DoS
    attacks somewhat
  • Long term focus on enterprise security is
    yielding better results over time
  • The threat and resulting damages will likely
    vary with high volatility

26
CSI/FBI Survey managed by CSI Editorial
Director Robert Richardson, rrichardson@cmp.com
GoCSI.com
27
Business Perspective on Threats
  • The Compliance Monster
  • Outsourcing
  • Privacy
  • Wireless Everything
  • Physical Security
  • Software Complexity

28
The Compliance Monster
  • Sarbanes-Oxley
  • Gramm-Leach-Bliley
  • Basel II
  • FFIEC
  • Cal 1386
  • Privacy laws
  • Disclosure requirements
  • in multiple operating venues

29
The Compliance Monster
  • 10% of IT costs for at least the next few years
  • People dedicated to compliance functions
  • Technical controls documentation
  • Control validity assurance
  • Proposed-law impact assessment
  • Consulting fees
  • Meta Group says it will cost the average
    American company $7.2 million in 2005

30
Outsourcing
  • Do it or not?
  • Political fallout, especially if offshore
  • Laws in different venues
  • Data ownership
  • Security reviews
  • Privacy of customers' customers
  • Inclusion in outsourcer's DRP
  • Quality of customer service

31
Outsourcing
  • Protection of your data at their site
  • Bring it back in-house plan
  • Dependence on outsourcer
  • Vulnerability to their disgruntled employees
  • Are you really saving that much??

32
Outsourcing
  • Expertise and experience of the firm
  • Detailed, specialty knowledge
  • Too many other things to do
  • Not enough people
  • Back to your core competence
  • Can you afford not to??

33
Privacy
  • ChoicePoint, CardSystems
  • Multiple Universities
  • DSW
  • Banks
  • Loss of public confidence
  • New Laws (see compliance monster)
  • Civil suits
  • Business effects of breaches

34
Privacy
  • Effect on stock price
  • May 2004 study
  • Prof. Larry Gordon
  • University of Maryland
  • Average negative market reaction of 5%
    following a breach
  • Public relations aspects
  • Manage your privacy incidents

35
Wireless Everything
  • Tendency to avoid encryption
  • WEP was a porous band-aid for a femoral artery
  • WPA2 is better; perfect??? Not a chance
  • More devices
  • More users
  • More data flowing
  • More data stored
  • More potential risk

36
Wireless Everything
  • Marketing methods of vendors
  • Send a dozen live devices to the CEO
  • Instant wireless executive LAN
  • No security, it slows things down
  • You IT guys can support this, right?
  • Standards Adoption
  • Cisco: "We like LEAP"
  • "No, we now like EAP-FAST"
  • Tune in next week

37
Physical Security
  • Size and form factor of devices
  • Executives losing notebooks and wireless items
  • Targeted hits
  • Physical access to workspaces
  • Background checks
  • Financial industry is generally good at this
  • Complacency can be a danger
  • Industrial Espionage (Lenovo??)

38
Software Complexity
  • Operating systems
  • Applications
  • Middleware
  • Massive size and complexity
  • Impossible to test all paths through
  • There will be flaws
  • Patching is here to stay, must be managed

39
Taking Control: What You Can Do
  • Areas of Emphasis
  • Continuing Need for Good Management

40
Areas of Emphasis
  • Network Security Architecture
  • Moving from Rules- to Risk-based

41
Network Security Architecture
  • A set of rules and conventions by which we create
    structures that serve specific needs.
  • Network Security Architecture depends on
  • Goals
  • Environment
  • Usable technology

42
Security Architecture: Crucial Points
  • It's not just technology
  • It derives from the business requirements
  • It must call for usability, scalability,
    interoperability and integration with existing
    (if any) IS architecture
  • It should be vendor-neutral and technology-neutral

43
Security Architecture: Crucial Points
  • Isolated islands of solution don't make an
    architecture.
  • ...however, they may be part of an architecture
  • Checklists can help, but they are not the entire
    answer, either.

44
Security Architecture: Crucial Points
  • Requirements definition must be done carefully
    and completely and attentively
  • There are no shortcuts.

45
Areas of Emphasis
  • CRM and IM related to Risk
  • Strong authentication
  • Vetting and credentialing
  • Identity federation
  • Provisioning
  • SSO

46
Areas of Emphasis
  • Preparing for Threats
  • Protection, detection, mitigation, correction
  • Classification
  • Compliance
  • Risk Management
  • Crisis Management and Recovery
  • Audit trails

47
What should organizations be doing differently?
  • Depends on the organization
  • For some, not a whole lot
  • Some industries and agencies are generally
    in better security shape than others
  • Keep your eye on the ball
  • Emphasize security internally
  • Maybe emphasize security as a selling
    point or a differentiation point from
    competitors
  • Stress privacy, compliance, reputation, trust

48
Is technology the answer?
  • It's part of the answer
  • Danger if you think of it as the entire answer
  • Policies, procedures, standards are the foundation
  • Security architecture describes the structure
  • Technology to support these can work well
  • Isolated islands of uncoordinated security
    technology, no matter how new or clever, or
    individually effective at a point or versus a
    specific threat, are not adequate

49
Is it possible to win the battle of good vs. evil
in an increasingly online, integrated environment?
  • Yes, but don't declare victory too soon
  • Ongoing, continuously-changing battle
  • Must be ever-vigilant
  • Don't underestimate the bad guys
  • Expect some setbacks
  • Be ready to respond and recover quickly

50
Continuing Need for Good Management
  • Security is still a sales job
  • Elegant technical solutions don't always work
  • Some superb technicians are very poor politicians
  • People still need to be motivated to do the
    security-related aspects of their jobs well

51
Summary: We have covered
  • State of security in August 2005
  • Business perspective on threats
  • Taking control: what you can do

52
Thank you for your patience, attention, participation