Title: Society for Information Management Information Security Trends and Issues
Society for Information Management
Information Security Trends and Issues
- Neil Cooper, CISSP, CISA
- December 2, 2003, Philadelphia, PA
Agenda
- Introduction
- Current State of Security
- What Have We Seen?
- Risks and Threats
- Conclusion
Current State of Security
- CSI/FBI 2002 Computer Crime and Security Survey
- 60% of respondents knew of unauthorized use of their computer systems
- Only 44% of the respondents could quantify the loss due to unauthorized access
- Total cost of theft of proprietary information in 2002: $170M
- Highest reported quantified amount was $50M, with the average being more than $6M
- Total cost of financial fraud in 2002: $115M
- Reputation loss is difficult to quantify
Current State of Security
- 74% of respondents who were aware of an attack or security incident cited the Internet as the attack point
- Likely source of an attack: independent hackers
- Only 34% of those respondents who experienced a computer intrusion reported it to law enforcement
The Risks are Real
- 78% detected inappropriate use of computer systems within the last 12 months
- 74% reported attacks from the Internet
- 33% reported attacks from the inside
- 40% detected a denial of service attack
- 85% detected a virus attack
- 90% detected computer security breaches
- 78% detected insider abuse of network access
Current State of Security
- The State of Information Security 2003, from CIO Magazine and PricewaterhouseCoopers
- 7,500 respondents to the survey
- Survey results show that companies around the world (42% of total respondents) are beginning to look at security from a strategic perspective
- Fifty-four percent place raising awareness about security at the top of their list for 2004.
Current State of Security
- Threat and vulnerability management initiatives all rank high on the list of priorities for next year:
- blocking unauthorized access (53%)
- detecting viruses (49%)
- security audits (44%)
- security monitoring (49%)
Survey Demographics
- Across all industries in 54 countries, including financial services, manufacturing, healthcare, telecommunications, government
- Company sizes ranged from small to multinational
- 51%: revenue up to $500M
- 22%: revenue of $500M to $25B
- 3%: revenue of more than $25B
- Remainder either did not know revenue size or were government/non-profits
- Job titles largely IT and security related
- VPs of IT, CSOs, Security Directors, Network or System Administrators
Key Findings: Security Still a Reactive Culture
- Security initiatives are still driven in large part by external factors (regulations and industry practices) and not from a risk assessment perspective
- Security policies are "blocking and tackling", covering user behavior, employee awareness and network and system administration issues
- One-third or less included monitoring standards, enforcing standards, incident response or classifying the value of data in their security policy
- Few companies are including partners and suppliers in their policy planning
- Ten percent of those surveyed said their organization had no formal security policy
Top Security Initiatives for 2004
- Leading security initiatives
- Block unauthorized access (58%)
- Enhance network security (55%)
- Detect malicious programs (viruses/hostile code) (54%)
- Conduct security audits (51%)
- Conduct security risk assessment (48%)
- Monitor user compliance with policy (45%)
- Top three organizational priorities
- Raise end-user awareness of policy and procedures (60%)
- Train staff (44%)
- Develop security policy standards (39%)
An Increased Demand on Security
- The Security of Inclusion
- The Security of Exclusion
- Enablement
- Protection
Challenges of Inclusion and Exclusion
- Increased threats, vulnerabilities and complexity
- Increased identities, control requirements and complexity
New and Continuing Risks
- Intra- and extranet content
- Malicious e-mail attachments
- Sensitive or misleading Internet postings
- Pirate / counterfeit / diverted products
- Cybercrime, both internal and external
- Demands to produce relevant electronic information
- Loss of control of key digital assets
Security Risk Categories
- Financial
- Return on investment unclear
- Insecure transactions
- Technology
- Immature / unstable
- Lack of standards
- Limited skilled workers
Risk Categories
- Reputation
- Public embarrassment
- Third party
- Legal / regulatory
Top Management Errors
- Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
- Fail to understand the relationship of information security to the business problem: they understand physical security but do not see the consequences of poor information security.
- Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
Top Management Errors
- Rely primarily on a firewall.
- Too much trust in employees.
- Fail to realize how much money their information and organizational reputations are worth.
- Not identifying root cause issues; authorizing reactive, short-term fixes so problems re-emerge rapidly.
- "It won't happen to us" attitude.
The Threat is Multifaceted
- Insiders
- Current employees
- Former employees
- Business partners
- Contractors / consultants
- Temporary employees
- Outsiders
- Freelance or Mercenary crackers
- Professional Cybercriminals
- Thrill seekers / kids
- Competitors
Attack Trends
- Both the nonprofit and financial services sectors experienced higher rates of overall attack volume and severe event incidence, respectively.
- 21% of companies in the sample set suffered at least one severe event over the past six months
- Attacks from countries included on the Cyber Terrorist Watch List accounted for less than 1% of all activity.
- Cases of internal misuse and abuse accounted for more than 50% of incident response engagements.
- Source: Symantec Internet Threat Report, Feb 2003
What Areas Require Focus?
- Reliability
- Availability
- Scalability
- Integrity (slide callout: "Key Area for Internal Security")
- Confidentiality (slide callout: "Key Area")
- Capacity
Abilities
- Security
- Ability to prevent, detect and react to unauthorized access
- Ability to specifically identify users
- Ability to specifically authorize access to technology and data
Controls
- Security Controls
- Protective: authentication, authorization, firewalls, SSL, locks, guards, security testing
- Detective: logging, firewalls, network IDS, host IDS, security testing
Controls
- Reactive controls require detective controls first!
- With detective controls in place, you MUST have well-planned, tested reactive control processes to adequately address:
- Security events
- Capacity problems
- Component or site outages
- Performance problems
What Have We Seen?
- Perimeter secured from the Internet, but...
- Perimeter not secured from the Internet.
- Internal network insecure.
- Access to systems that contain sensitive information not controlled.
- Proliferation of wireless networks.
- Unsecured laptop computers.
- Uncontrolled use of e-mail and instant messaging.
What are Companies Doing?
- Reading e-mail selectively
- Filtering out Internet access
- Filtering outbound and inbound e-mail
- Restricting employee access
- Imposing penalties on violations of security policy, up to and including termination
Risks and Threats
Risks and Threats - Internal
- Source of attacks and security incidents
- Current employees, authorized access: 26%
- Current employees, unauthorized access: 25%
- Former employees, unauthorized access: 16%
- The risk is very high
- Most companies grant too much access to their information
- "Give Joe the same access as Sally had"
- Trusted IT professionals
- Educated users
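One concrete control for the internal risks listed above is a periodic access review that reconciles the directory against the HR roster, so that former employees whose accounts are still enabled, accounts with no owner, and "give Joe what Sally had" entitlements that exceed the role baseline all surface. This is an added example, not from the presentation or from PricewaterhouseCoopers; the roster, directory export and role-to-group baseline are constructed for illustration and would be replaced by exports from the real HR system and directory.

```python
"""Reconcile directory accounts against the HR roster to find the access
paths the slide warns about: former employees whose accounts are still
enabled, accounts with no HR owner, and accounts cloned from a colleague
that carry groups the person's role does not require.

Added example; the rosters and the role-to-group baseline below are
constructed for illustration, not taken from the presentation or any
real system."""

from dataclasses import dataclass
from datetime import date

# Constructed review date (the date of the talk).
REVIEW_DATE = date(2003, 12, 2)

# Constructed HR roster: role, and termination date if the person has left.
HR_ROSTER = {
    "sally": {"role": "accounts_payable", "terminated": date(2003, 9, 30)},
    "joe":   {"role": "accounts_payable", "terminated": None},
    "ravi":  {"role": "helpdesk",         "terminated": None},
    "pat":   {"role": "sales",            "terminated": date(2003, 11, 14)},
}

# Constructed directory export: account -> (enabled flag, group memberships).
DIRECTORY = {
    "sally": (True,  {"ap_users", "erp_payments", "vpn"}),   # left, still enabled
    "joe":   (True,  {"ap_users", "erp_payments", "vpn",
                      "hr_salary_view"}),                     # cloned from sally, plus extra
    "ravi":  (True,  {"helpdesk", "vpn"}),
    "pat":   (False, {"sales", "crm"}),                       # correctly disabled
    "svc_backup": (True, {"backup_operators"}),               # no HR record at all
}

# Constructed least-privilege baseline: the groups each role is entitled to.
ROLE_BASELINE = {
    "accounts_payable": {"ap_users", "erp_payments", "vpn"},
    "helpdesk": {"helpdesk", "vpn"},
    "sales": {"sales", "crm", "vpn"},
}


@dataclass
class Finding:
    account: str
    issue: str
    detail: str = ""


def review_access(roster, directory, baseline, today):
    """Return the findings for every account in the directory export."""
    findings = []
    for account, (enabled, groups) in sorted(directory.items()):
        person = roster.get(account)
        if person is None:
            # Enabled account nobody in HR owns: service account or orphan.
            if enabled:
                findings.append(Finding(account, "no_hr_record",
                                        "enabled account with no owner in HR roster"))
            continue
        term = person["terminated"]
        if term is not None and term <= today and enabled:
            findings.append(Finding(account, "former_employee_enabled",
                                    f"terminated {term.isoformat()}"))
            continue
        # Groups beyond what the role is entitled to (copied or accumulated access).
        excess = groups - baseline.get(person["role"], set())
        if excess:
            findings.append(Finding(account, "excess_groups", ",".join(sorted(excess))))
    return findings


def run_review():
    """Run the review over the constructed data."""
    return review_access(HR_ROSTER, DIRECTORY, ROLE_BASELINE, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:12} {f.issue:26} {f.detail}")
```

The review treats a disabled account of a former employee as correct and only reports an enabled one; feeding it the real termination list is what turns the 16% "former employees, unauthorized access" figure into something you can close down.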
Risks and Threats - Regulations
- Many industries are regulated and must protect their customers' information from unauthorized access
- HIPAA
- GLBA and others in financial services
- California SB 1386
- US Notification of Risk to Personal Information Act (S. 1350)
Risks and Threats - Technology
- Camera Phones
- Flash Disks
- Wireless Networks
- Instant Messaging Tools
- Modems and Cable Modems
Camera Phones
- New technology sweeping the country and world
- Easy to use
- No controls
- Attach and send a picture in e-mail
Flash Disks
- Small devices
- Connect to USB ports
- Large capacity
- Easy to use
- Circumvent all controls on computers
Wireless LANs
- Benefits
- Mobility for internal users
Wireless LANs
- Disadvantages
- Weak or no encryption
- Extends your network perimeter
- Ease of eavesdropping
- Denial of service
- Easy to set up and install
- Not as easy to detect
Wireless LANs
- Risk mitigation techniques
- Utilize strong encryption
- Isolate wireless LANs
- Implement security policies and procedures
- Don't use
- Scan for existence
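"Scan for existence" and "weak or no encryption" can both be checked from the output of an ordinary wireless scan. The added example below (not part of the presentation) parses text in the layout that `iwlist <iface> scan` prints, compares every access point seen against an inventory of authorized BSSIDs, and flags unknown access points, access points advertising the corporate SSID from hardware that is not ours, and authorized access points running open or WEP-only. The scan text and the AUTHORIZED inventory are constructed for illustration.

```python
"""Parse `iwlist <iface> scan` output and flag the wireless findings the
slide calls out: access points not on the authorized inventory (rogue or
neighbouring networks that extend the perimeter) and authorized access
points running with no encryption or WEP only.

Added example, not part of the presentation. SAMPLE_SCAN and AUTHORIZED are
constructed for illustration; in practice feed parse_scan() the real
scanner output."""

import re

# Constructed inventory of the BSSIDs the organisation actually deployed.
AUTHORIZED = {
    "00:0C:41:AB:CD:01": "corp-wlan",
    "00:0C:41:AB:CD:02": "corp-wlan",
}

# Constructed sample in the layout iwlist prints (one "Cell" block per AP).
SAMPLE_SCAN = """\
eth1      Scan completed :
          Cell 01 - Address: 00:0C:41:AB:CD:01
                    ESSID:"corp-wlan"
                    Mode:Master
                    Channel:1
                    Encryption key:on
                    IE: WPA Version 1
          Cell 02 - Address: 00:0C:41:AB:CD:02
                    ESSID:"corp-wlan"
                    Mode:Master
                    Channel:6
                    Encryption key:on
          Cell 03 - Address: 00:40:96:12:34:56
                    ESSID:"linksys"
                    Mode:Master
                    Channel:6
                    Encryption key:off
          Cell 04 - Address: 00:02:2D:77:88:99
                    ESSID:"corp-wlan"
                    Mode:Master
                    Channel:11
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_scan(text):
    """Return one dict per access point: bssid, essid, channel, encryption."""
    aps, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).upper(), "essid": "",
                   "channel": None, "encryption": "open"}
            aps.append(cur)
        elif cur is None:
            continue
        elif line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Channel:"):
            cur["channel"] = int(line[len("Channel:"):])
        elif line.startswith("Encryption key:"):
            # "on" with no WPA information element following means WEP only.
            if line.endswith("on") and cur["encryption"] == "open":
                cur["encryption"] = "wep"
        elif line.startswith("IE:") and "WPA" in line:
            cur["encryption"] = "wpa"
    return aps


def audit(aps, authorized):
    """Compare the scan against the inventory; return (bssid, finding, detail)."""
    findings = []
    corp_ssids = set(authorized.values())
    for ap in aps:
        if ap["bssid"] not in authorized:
            kind = "rogue_corp_ssid" if ap["essid"] in corp_ssids else "unknown_ap"
            findings.append((ap["bssid"], kind, ap["essid"]))
        elif ap["encryption"] != "wpa":
            findings.append((ap["bssid"], "weak_encryption", ap["encryption"]))
    return findings


def run_audit():
    return audit(parse_scan(SAMPLE_SCAN), AUTHORIZED)


if __name__ == "__main__":
    for bssid, kind, detail in run_audit():
        print(f"{bssid}  {kind:18} {detail}")
```

Matching on BSSID rather than SSID is the point: an attacker or a well-meaning employee can name any access point "corp-wlan", so an unknown BSSID advertising the corporate name is the most interesting result in the list.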
Wireless LANs: Is this your network?
Image: http://www.worldwidewardrive.org/wwwd1/baltimore.jpg
Instant Messaging
- According to Gartner Research, by the fourth quarter of 2002 approximately 70% of enterprises used unmanaged consumer instant messaging on their networks to conduct business.
- As both legitimate and unauthorized usage rises, the threat of malicious code that uses instant messaging clients for propagation is becoming more significant.
Instant Messaging
- Gartner survey: 58% of those surveyed said the careless use of personal communications by their employees, especially e-mail and instant messaging (IM), poses the most dangerous security risk to their networks.
- In a study by INT Media Research, 70% of businesses surveyed said they don't offer their employees guidelines on acceptable use of IM technology.
Instant Messaging
- March 2001: ICQ logs spark corporate nightmare
- Hundreds of pages of ICQ logs posted to the web
- Allegedly unedited logs available in their entirety at http://www.echostation.com/efront/
- Stolen from the PC of Sam Jain, CEO of eFront
- Several senior management team members resigned
Instant Messaging
- File transfer enables transfer of worms or other malicious code
- Bypass of desktop and perimeter firewall implementations makes it harder to detect than other threats
- Easier to find victims: select from current lists of users versus scanning blocks of addresses
- All major IM networks support person-to-person (P2P) file sharing, which leads to the spread of infected files
Instant Messaging
- Clients can specify ports to defeat firewalls
- New versions include file transfer features
- Proprietary data
- Inappropriate content
- Productivity
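Because IM clients can be pointed at port 80 or 443, or tunnelled through the HTTP proxy, a rule that only blocks the native IM ports misses them. The added example below (not part of the presentation) classifies proxy log lines by destination host as well as port, so a login to an IM service over 443, a CONNECT tunnel to a raw address on an unexpected port, and plain IM traffic on its usual port are all reported. The log lines are constructed in the layout of a Squid native access.log, and the IM host suffixes are an illustrative list for the consumer services of the day that an administrator would maintain.

```python
"""Spot instant-messaging traffic that has been moved onto a firewall-friendly
port. Matching on the destination host, and on CONNECT tunnels to
unexpected ports, catches what a port-only rule misses.

Added example, not part of the presentation. SAMPLE_LOG is constructed in the
layout of a Squid native access.log; IM_HOST_SUFFIXES is an illustrative list
to be replaced by the services actually in use."""

import re

# Suffixes of hostnames the consumer IM services log in to (illustrative).
IM_HOST_SUFFIXES = (
    ".oscar.aol.com",         # AIM / ICQ
    "messenger.hotmail.com",  # MSN Messenger
    ".msg.yahoo.com",         # Yahoo! Messenger
)
IM_PORTS = {5190, 1863, 5050, 5222}   # AIM/ICQ, MSN, Yahoo, Jabber
EXPECTED_CONNECT_PORTS = {443}        # the only port a browser should tunnel to

# Constructed sample, squid native format, whitespace-separated fields:
# time elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1070378103.123    245 10.1.2.3 TCP_MISS/200 3420 CONNECT login.oscar.aol.com:443 - DIRECT/64.12.161.153 -
1070378105.001    120 10.1.2.4 TCP_MISS/200 9812 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1070378110.450     88 10.1.2.5 TCP_MISS/200 1201 CONNECT messenger.hotmail.com:1863 - DIRECT/207.46.104.20 -
1070378121.777     60 10.1.2.6 TCP_MISS/200 2210 CONNECT 198.51.100.7:80 - DIRECT/198.51.100.7 -
1070378130.002    300 10.1.2.7 TCP_MISS/200 5000 CONNECT mail.example.net:443 - DIRECT/192.0.2.25 -
1070378140.900     45 10.1.2.8 TCP_MISS/200 640 GET http://scs.msg.yahoo.com/capacity - DIRECT/66.163.171.128 text/plain
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def split_target(method, url):
    """Return (host, port) for a CONNECT target or an absolute http(s) URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    m = re.match(r"https?://([^/:]+)(?::(\d+))?", url)
    if not m:
        return None, None
    port = int(m.group(2)) if m.group(2) else (443 if url.startswith("https") else 80)
    return m.group(1), port


def is_im_host(host):
    return any(host.endswith(s) for s in IM_HOST_SUFFIXES)


def classify(line):
    """Return (client, host, port, finding) or None for an unremarkable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, port = split_target(m.group("method"), m.group("url"))
    if host is None:
        return None
    if is_im_host(host):
        # The port-hopping case: a known IM service reached on 80/443 or similar.
        kind = "im_port" if port in IM_PORTS else "im_on_nonstandard_port"
    elif port in IM_PORTS:
        kind = "im_port_unknown_host"
    elif m.group("method") == "CONNECT" and port not in EXPECTED_CONNECT_PORTS:
        kind = "connect_unexpected_port"
    else:
        return None
    return (m.group("client"), host, port, kind)


def scan_log(text):
    return [f for f in (classify(l) for l in text.splitlines()) if f]


def run_scan():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for client, host, port, kind in run_scan():
        print(f"{client:10} {host}:{port:<5} {kind}")
```

The same host-based match belongs in the proxy's own ACLs once the list is settled; the script is the way to find out how much of the traffic the slides describe is already on the network before the block goes in.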
Modems and Cable Modems
- May be connected to sensitive systems
- Attempted penetration through war-dialing
- Internal access to the network should be restricted
- Home use and telecommuters
Incident Response and Forensics
- Incident response minimizes the impact of security failures. The goal is to detect, isolate, and correct security lapses and intrusions.
- Forensics increases the ability of a company to investigate, remediate and recover, in litigation or otherwise, the damages caused by a security incident
Emergency Response Considerations
- How Will You Define and Identify an Incident?
- Do You Have the Skill Sets to Respond?
- How Will You Respond?
- Ignore, Use to Misinform, or Prosecute?
- Cost vs. Response Time
Reducing Internal Risk within an Organization
- Security Policies and Procedures
- Virtual Private Networks
- Incident Response Procedures
Questions?
Contact Information
- Neil Cooper, CISSP, CISA
- Director, Security and Privacy Practice
- Philadelphia, PA
- 267-330-2518
- neil.f.cooper@us.pwc.com
Your worlds. Our people.