What would Yogi do - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Press any key to continue. Press any other key to quit.
What would Yogi do?
2
The Things You Don't Know: It's Dangerous Out There!
  • Jim Hogler
  • Vice President and Division Manager, Information
    Assurance
  • CACI, Inc.

3
An Absence of Change
"The capability to do harm - particularly through
information networks - is real, it is growing at
an alarming rate, and we have little defense
against it."
Transmittal Letter, President's Commission on
Critical Infrastructure Protection, 1998
NOT A LOT HAS CHANGED
4
Toffler's Waves of Change
  • Agricultural
  • Industrial
  • Information and Knowledge
  • Fourth Wave?

5
Sun Tzu Said It Best in the Agricultural Age
"Attack when they are unprepared, make your move
when they do not expect it."
6
Carl von Clausewitz Said It Best in the
Industrial Age
"...it will be self-evident that a change in the
nature of tactics will automatically react on
strategy."
7
Ben Kingsley Said It Best
  • "The world isn't run by weapons anymore, or
    energy, or money. It's run by little ones and
    zeros, by little bits of data. It's all just
    electronics."
  • Sneakers
  • Universal Studios

8
An Interesting Progression
But Wait, Are We There Yet?
9
Is There a Fourth Wave?
10
The Cyber Wave?
  • Availability and acceptance of information
    systems and technology.
  • Growth in use and sophistication of information
    technology and applications.
  • Knowledge and ability to use information
    technology.
  • Dependence on information technology
  • Inability to keep up with and control technology.

11
Cyberspace Defined
  • Cyberspace is where all our money is, except for
    the cash in our pocket.
  • Winn Schwartau
  • Information Warfare

12
Wise Men Predicted the Cyber Age?
"I see a worldwide market for about three
computers."
Industry CEO, 1947
13
The Cyber Age
  • Toys
  • Automobiles
  • Entertainment Systems
  • Communications Systems
  • Household Appliances
  • Garage Door Openers
  • ...

14
Information Assurance
  • Protection
    • Availability
    • Integrity
    • Authentication
    • Confidentiality
    • Non-Repudiation
  • Attack
    • Denial of Service
    • Corruption
    • Manipulation
    • Perception

15
The Impact of Cyber Attacks
Asymmetrical Results
16
Cyber Attacks
  • Can be continuous.
  • Not limited to military targets.
  • Know no boundaries or rules.
  • Are happening today.
  • Can affect all of us!

17
Threat Spectrum
  • Information Seekers
  • Insiders
  • Disgruntled Employees
  • Hackers
  • Sponsored
  • Rogue Element
  • The Curious

18
The Targets Are Many
  • Businesses
  • Governments
  • Organizations
  • People Like us

19
The Private You???
  • Web Use - Cookies or Worse
  • Telephone Calls - Electronic Logging
  • Credit Card Purchases - Buying Profile
  • Doctor Visits - Medical History
  • Warranty Registration - Needed Info?

How Secure is Your Information?
20
The IA Domain
  • It's Bigger Than Just Computers!

21
Diverse Threats
  • Data Corruption
  • Viruses
  • Data Diddling
  • Brute Force
  • War Dialing
  • Spamming
  • Penetration
  • Cracking
  • INFOWAR
  • Social Engineering
  • Shoulder Surfing
  • Slamming
  • Trojan Horses
  • Identity Theft
  • Hoaxes
  • Phreaking
  • Denial of Service
22
OK
So is it really something to worry about?
23
Success Comes Easy
"Globally, companies lost $1.6 trillion in
revenue in the last year due to downtime
resulting from security breaches and virus
attacks."
InformationWeek Global Information Security
Survey
24
Fourth Wave Waves
  • 1999: 9,859 incidents reported to CERT
  • 2000: 21,756
  • 2001: 15,476 (first six months)
  • I Love You: $8 billion
  • Code Red:
    • White House changed website address
    • DoD shut down public websites
    • Treasury FMS disconnected systems from Internet
    • Qwest high-speed Internet service outages
    • FedEx package deliveries delayed

GAO-01-1132T, 9/12/2001
25
So Sayeth the GAO
  • Agencies were not fully aware of the information
    security risks to their operations
  • Had accepted an unknown level of risk by default
    rather than consciously deciding what level of
    risk was tolerable
  • Had a false sense of security because they were
    relying on ineffective controls, and
  • Could not make informed judgments as to whether
    they were spending too little or too much of
    their resources on security.

GAO-01-1132T, 9/12/01
26
Information Crime - An Affordable Alternative
  • Computer
  • Modem
  • Internet Access
  • Public Domain Software
  • Motivation

27
Tools of the Trade
[Chart: sophistication of attackers' tools (Low to
High) plotted against the required knowledge of
attackers, from "Then" to "Now". Tool sophistication
has risen while the knowledge an attacker needs has
fallen.]
Tools shown on the chart, from most to least
sophisticated:
  • Tools with GUI
  • Packet Spoofing
  • Stealth Diagnostics
  • Sniffers
  • Sweepers
  • Hijacking Sessions
  • Disabled Audits
  • Exploiting Known Vulnerabilities
  • Password Cracking
  • Self-replicating Code
  • Password Guessing
GAO, Information Security: Computer Attacks at
Department of Defense Pose Increasing Risks
28
We Keep Making It Easier
  • Cable Modems
  • DSL
  • Laptops
  • PDAs
  • Wireless

29
Where to Start?
30
Know the Enemy's Tactics
  • Find the Easy Way
  • Exploit known system vulnerabilities
  • Cover tracks
  • Leave a return route
  • Hide probes
  • Get an insider
  • Become an insider

31
GAO on GISRA Findings
  • Lack of senior management attention to
    information security
  • Inadequate accountability for job and program
    performance for IT security
  • Limited security training
  • Inadequate integration of security into capital
    planning and investment control process
  • Poor security for contractor provided services
  • Limited capability to detect, report and share
    information on vulnerabilities or to detect
    intrusions, suspected intrusions, or virus
    infections.

Robert F. Dacey, Director, Information Security
Issues, GAO Testimony, March 6, 2002
32
Doors to Close
  • Poorly designed software applications
  • Complex, insecure operating systems
  • Lack of training and awareness
  • Lack of monitoring tools
  • Trusted relationships
  • Unqualified personnel
  • Lack of sound and enforced policies

33
Protection Challenges
  • Networks have Weak Links
  • Source may be Undetectable
  • Numerous Attacks
  • Inexpensive Attack Tools
  • Reliance on Commercial Networks
  • Anonymity of Attack
  • People with Access
  • Laws and Response

34
A Wakeup Call
"If these systems are so important to the federal
government, why isn't someone paying attention to
patch the security?"
"Analyzer"
35
Work the Triad
  • People
    • Aware
    • Trained
  • Practices
    • Good Workable Policies
    • Culturally Acceptable
  • Technology
    • Properly Selected
    • Properly Configured
    • Properly Monitored

36
What To Do
  • Establish a Goal
    • Required Level of Confidence
  • Know Your Starting Point
    • Security Audit
    • Risk Assessment
  • Build a Plan
    • Acceptable Costs
    • Tradeoffs
  • Execute
  • Verify

It's Show Time
37
Parting Thoughts
  • A Firewall is Not Security
  • Technology is not Security
  • Training is Essential for Security
  • Assume that Someone is Interested
  • Continually Assess and Evaluate
  • You and Your Organization are Targets
  • IA can be the ENABLER

38
QUESTIONS