Society for Information Management Information Security Trends and Issues - PowerPoint PPT Presentation

Neil Cooper, CISSP, CISA. December 2, 2003. Philadelphia, PA.

Transcript and Presenter's Notes

1
Society for Information Management
Information Security Trends and Issues
  • Neil Cooper, CISSP, CISA
  • December 2, 2003, Philadelphia, PA

2
Agenda
  • Introduction
  • Current State of Security
  • What Have We Seen?
  • Risks and Threats
  • Conclusion

3
Current State of Security
4
Current State of Security
  • CSI/FBI 2002 Computer Crime and Security Survey
  • 60% of respondents knew of unauthorized use of
    their computer systems
  • Only 44% of the respondents could quantify the
    loss due to unauthorized access
  • Total cost of theft of proprietary information in
    2002: $170M
  • Highest reported quantified amount was $50M, with
    the average being more than $6M
  • Total cost of financial fraud in 2002: $115M
  • Reputation loss is difficult to quantify

5
Current State of Security
  • 74% of respondents who were aware of an attack or
    security incident cited the Internet as the
    attack point
  • Likely source of an attack: independent hackers
  • Only 34% of those respondents who experienced a
    computer intrusion reported it to law enforcement

6
The Risks are Real
  • 78% detected inappropriate use of computer
    systems within the last 12 months
  • 74% reported attacks from the Internet
  • 33% reported attacks from the inside
  • 40% detected a Denial of Service attack
  • 85% detected a virus attack
  • 90% detected computer security breaches
  • 78% detected insider abuse of network access

7
Current State of Security
  • The State of Information Security 2003 from CIO
    Magazine / PricewaterhouseCoopers
  • 7,500 respondents to the survey
  • Survey results show that companies around the
    world (42% of total respondents) are beginning to
    look at security from a strategic perspective
  • Fifty-four percent place raising awareness about
    security at the top of their list for 2004.

8
Current State of Security
  • Threat and vulnerability management initiatives:
  • blocking unauthorized access (53%)
  • detecting viruses (49%)
  • security audits (44%) and
  • security monitoring (49%)
  • all rank high on the list of priorities for next
    year

9
Survey Demographics
  • Across all industries in 54 countries, including
    financial services, manufacturing, healthcare,
    telecommunications, government
  • Company sizes ranged from small to multinational:
  • 51% up to $500M
  • 22% $500M to $25B
  • 3% more than $25B
  • Remainder either did not know revenue size or
    were government/non-profits
  • Job titles largely IT and security related:
  • VPs of IT, CSOs, Security Directors, Network or
    System Administrators

10
Key Findings: Security Still a Reactive Culture
  • Security initiatives are still driven in large
    part by external factors (regulations and
    industry practices) and not from a risk
    assessment perspective
  • Security policies are blocking and tackling and
    covering user behavior, employee awareness and
    network and system administration issues
  • One-third or less included monitoring standards,
    enforcing standards, incident response or
    classifying value of data in their security
    policy
  • Few companies are including partners and
    suppliers in their policy planning
  • Ten percent of those surveyed said their
    organization had no formal security policy

11
Top Security Initiatives for 2004
  • Leading security initiatives:
  • Block unauthorized access (58%)
  • Enhance network security (55%)
  • Detect malicious programs -- viruses/hostile
    code (54%)
  • Conduct security audits (51%)
  • Conduct security risk assessment (48%)
  • Monitor user compliance with policy (45%)
  • Top three organizational priorities:
  • Raise end-user awareness of policy and procedures
    (60%)
  • Train staff (44%)
  • Develop security policy standards (39%)

12
An Increased Demand on Security
The Security of Inclusion
The Security of Exclusion
Enablement
Protection
13
Challenges of Inclusion and Exclusion
  • Increased
  • Threats
  • Vulnerabilities
  • Complexity
  • Increased
  • Identities
  • Control Requirements
  • Complexity

14
New and Continuing Risks
  • Intra and Extra-net content
  • Malicious E-mail attachments
  • Sensitive or misleading Internet postings
  • Pirate / counterfeit / diverted products
  • Cybercrime both Internal and External
  • Demands to produce relevant electronic
    information
  • Loss of control of key digital assets

15
Security Risk Categories
  • Financial
  • Return on Investments Unclear
  • Insecure Transactions
  • Technology
  • Immature / Unstable
  • Lack of Standards
  • Limited Skilled workers

16
Risk Categories
  • Reputation
  • Public Embarrassment
  • Third Party
  • Legal / Regulatory

17
Top Management Errors
  • Assign untrained people to maintain security and
    provide neither the training nor the time to make
    it possible to do the job.
  • Fail to understand the relationship of
    information security to the business problem --
    they understand physical security but do not see
    the consequences of poor information security.
  • Fail to deal with the operational aspects of
    security: make a few fixes and then not allow the
    follow-through necessary to ensure the problems
    stay fixed.

18
Top Management Errors
  • Rely primarily on a firewall.
  • Too much trust of employees.
  • Fail to realize how much money their information
    and organizational reputations are worth.
  • Not identifying root-cause issues. Authorize
    reactive, short-term fixes so problems re-emerge
    rapidly.
  • "It won't happen to us" attitude.

19
The Threat is Multifaceted
  • Insiders:
  • Current employees
  • Former employees
  • Business partners
  • Contractors / consultants
  • Temporary employees
  • Outsiders:
  • Freelance or mercenary crackers
  • Professional cybercriminals
  • Thrill seekers / kids
  • Competitors

20
Attack Trends
  • The nonprofit and financial services sectors
    experienced the highest rates of overall attack
    volume and severe event incidence, respectively.
  • 21% of companies in the sample set suffered at
    least one severe event over the past six months.
  • Attacks from countries included on the Cyber
    Terrorist Watch List accounted for less than 1%
    of all activity.
  • Cases of internal misuse and abuse accounted for
    more than 50% of incident response engagements.
  • Source: Symantec Internet Threat Report, Feb 2003

21
What Areas Require Focus?
Reliability
Availability
Scalability
Integrity
Key Area for Internal Security
Key Area
Confidentiality
Capacity
22
Abilities
  • Security:
  • Ability to prevent, detect and react to
    unauthorized access
  • Ability to specifically identify users
  • Ability to specifically authorize access to
    technology / data

23
Controls
  • Security Controls:
  • Protective - Authentication, Authorization,
    Firewalls, SSL, Locks, Guards, Security Testing
  • Detective - Logging, Firewalls, Network IDS, Host
    IDS, Security Testing

24
Controls
  • Reactive Controls - require detective controls
    first!
  • With detective controls in place, you MUST have
    well-planned, tested reactive control processes
    to adequately address:
  • Security Events
  • Capacity Problems
  • Component or Site Outages
  • Performance Problems

25
What Have We Seen?
26
What Have We Seen?
  • Perimeter secured from the Internet but...
  • Perimeter not secured from the Internet.
  • Internal network insecure.
  • Access to systems that contain sensitive
    information not controlled.
  • Proliferation of Wireless Networks.
  • Unsecured laptop computers.
  • Uncontrolled use of email and instant messaging

27
What are Companies Doing?
  • Reading e-mail selectively
  • Filtering Internet access
  • Filtering outbound and inbound e-mail
  • Restricting employee access
  • Imposing penalties on violations of security
    policy, up to and including termination

28
Risks and Threats
29
Risks and Threats - Internal
  • Source of attacks and security incidents:
  • Current employees, authorized access: 26%
  • Current employees, unauthorized access: 25%
  • Former employees, unauthorized access: 16%
  • The risk is very high
  • Most companies grant too much access to their
    information
  • "Give Joe the same access as Sally had"
  • Trusted IT professionals
  • Educated users

30
Risks and Threats - Regulations
  • Many industries are regulated and must protect
    their customers' information from unauthorized
    access:
  • HIPAA
  • GLBA and others in financial services
  • CA 1386
  • US Notification of Risk to Personal Information
    Act (SB 1350)

31
Risks and Threats - Technology
  • Camera Phones
  • Flash Disks
  • Wireless Networks
  • Instant Messaging Tools
  • Modems and Cable Modems

32
Camera Phones
  • New Technology sweeping the country and world
  • Easy to use
  • No Controls
  • Attach and send picture in e-mail

33
Flash Disks
  • Small Devices
  • Connect to USB Ports
  • Large Capacity
  • Easy to Use
  • Circumvent all Controls on Computers

34
Wireless LANS
  • Benefits
  • Mobility for internal users

35
Wireless LANS
  • Disadvantages
  • Weak or no Encryption
  • Extends your network perimeter
  • Ease of eavesdropping
  • Denial of Service
  • Easy to setup and install
  • Not as easy to detect

36
Wireless LANS
  • Risk Mitigation Techniques:
  • Utilize strong encryption
  • Isolate wireless LANs
  • Implement security policies and procedures
  • Don't use
  • Scan for existence

37
Wireless LANS: Is this your network?
http://www.worldwidewardrive.org/wwwd1/baltimore.jpg
38
Instant Messaging
  • According to Gartner Research, by the fourth
    quarter of 2002 approximately 70% of enterprises
    used unmanaged consumer instant messaging on
    their networks to conduct business.
  • As both legitimate and unauthorized usage rises,
    the threat of malicious code that uses instant
    messaging clients for propagation is becoming
    more significant.

39
Instant Messaging
  • Gartner survey - 58% of those surveyed said the
    careless use of personal communications by their
    employees - especially e-mail and instant
    messaging (IM) - poses the most dangerous
    security risk to their networks.
  • In a study by INT Media Research, 70% of
    businesses surveyed said they don't offer their
    employees guidelines on acceptable use of IM
    technology.

40
Instant Messaging
  • March 2001: "ICQ logs spark corporate nightmare"
  • Hundreds of pages of ICQ logs posted to the web
  • Allegedly unedited logs available in entirety at
    http://www.echostation.com/efront/
  • Stolen from the PC of CEO Sam Jain of eFront
  • Several senior management team members resigned

41
Instant Messaging
  • File transfer enables transfer of worms or other
    malicious code
  • Bypass of desktop and perimeter firewall
    implementations makes it harder to detect than
    other threats
  • Easier to find victims -- select from current
    lists of users versus scanning blocks of
    addresses
  • All major IM networks support person-to-person
    (p2p) file sharing, which leads to the spread of
    infected files

42
Instant Messaging
  • Clients can specify ports to defeat firewalls
  • New versions include file transfer features
  • Proprietary data
  • Inappropriate Content
  • Productivity

43
Modems and Cable Modems
  • May be connected to sensitive systems
  • Attempted penetration through war-dialing
  • Internal access to network should be restricted
  • Home Use and telecommuters

44
Incident Response and Forensics
  • Incident response minimizes the impact of
    security failures. The goal is to detect, isolate,
    and correct security lapses and intrusions.
  • Forensics increases the ability of a company to
    investigate, remediate and recover (in litigation
    or otherwise) the damages caused by a security
    incident.

45
Emergency Response Considerations
  • How Will You Define and Identify an Incident?
  • Do You Have the Skill Sets to Respond?
  • How Will You Respond?
  • Ignore, Use to Misinform, or Prosecute?
  • Cost vs. Response Time

46
Reducing Internal Risk within an Organization
  • Security Policies and Procedures
  • Virtual Private Networks
  • Incident Response Procedures

PricewaterhouseCoopers
Toolbox Map
47
Questions?
48
Contact Information
  • Neil Cooper, CISSP, CISA
  • Director, Security and Privacy Practice
  • Philadelphia, PA
  • 267-330-2518
  • neil.f.cooper_at_us.pwc.com

49
Your worlds Our people