Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies - PowerPoint PPT Presentation

About This Presentation
Title:

Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies

Description:

Improve your reputation in the eyes of your customer? ... The infamous 'script kiddie' Hacker Tools: Web Hacking. More Web Hacking Tools ... – PowerPoint PPT presentation

Slides: 30
Provided by: CMac

Transcript and Presenter's Notes

Title: Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies


1
(No Transcript)
2
Trends in Information Security: Threats,
Vulnerabilities and Mitigation Strategies
Presented By: Tina LaCroix and Jason Witty
3
Presentation Overview
  • Introduction and Benefits of InfoSec
  • Trends and Statistics
  • Hacking Tools Discussion / Demonstration
  • Proactive Threat and Vulnerability Management
  • Security Lifecycle
  • Recommendations
  • Wrap-up / Questions

4
Q: In Today's Down Market, What Can...
  • Give your company a competitive advantage?
  • Improve your reputation in the eyes of your
    customer?
  • Demonstrate compliance with international and
    federal privacy laws?
  • Improve system uptime and employee productivity?
  • Ensure viable eCommerce?
  • Answer: Information Security.

5
What's the Problem?
  • Your security people have to protect against
    thousands of security problems.
  • Hackers only need one thing to be missed.
  • But with appropriate attention given to
    security, companies can be
    reasonably well protected.

6
Some InfoSec Statistics
  • General Internet attack trends are showing a 64%
    annual rate of growth - Riptech
  • The average security-conscious company
    experienced 32 attacks per week over the past 6
    months - Riptech
  • The average cost of a serious security incident
    in Q1/Q2 2002 was approximately 50,000
    - UK Dept of Trade & Industry
  • Several companies experienced single
    incident losses in excess of 825,000
    - UK Dept of Trade & Industry

7
Computer Incident Statistics
  • In 1988 there were only 6 computer incidents
    reported to CERT/CC.
  • There were 52,658 reported and handled last year.

8
General Trends in Attack Sophistication
9
Information Security Threats: Attackers
  • Bored IT guys
  • Hacktivists
  • Competitors
  • Ex-employees
  • Terrorists
  • Disgruntled employees
  • Real system crackers (Hackers)
  • The infamous 'script kiddie'

10
Hacker Tools: Web Hacking
11
More Web Hacking Tools
12
Password Cracking Tools
13
Password Cracking: Windows
14
Need More Tools?
http://www.packetstormsecurity.org has tens of
thousands of free hacker tools available for
download
15
Full Disclosure: What's That?
  • When a vulnerability is discovered, all details
    of that vulnerability are reported to the vendor
  • Vendor then works on a patch for a reasonable
    amount of time
  • Discoverer of the vulnerability then releases
    full details of the problem found, and typically,
    a tool to prove it can be exploited
  • Hopefully the vendor has a patch available

16
Hacker Techniques: The Scary Reality
  • Growing trend by some hackers NOT to report
    vulnerabilities to vendors: KEEP EXPLOITS
    UNPUBLISHED AND KNOWN ONLY TO THE HACKER
    COMMUNITY
  • Exploit services that HAVE to be allowed for
    business purposes (HTTP, E-Mail, etc.)
  • Initiate attacks from inside the network
  • It's much easier to destroy than protect!

17
So How Do We Protect Against All of This?
18
Start by Acknowledging the Problem
(No More of This)
19
Security Risk Management Principles
  • Information Security is a business problem, not
    just an IT problem
  • Information Security risks need to be properly
    managed just like any other business risk
  • Lifecycle management is essential: there are
    always new threats and new vulnerabilities
    to manage (and new systems,
    technologies, etc., etc.)

20
Proactive Threat and Vulnerability Management
  • Internal Security Risk Management Program
  • User Education
  • Selective Outsourcing / Partnerships

21
Security Risk Management: IT Control Evolution
Year | "Secure Enough" Control | Security Goal
1995 | Stateful firewalls and desktop anti-virus (AV) | Keep external intruders and viruses out
1997 | Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers | Keep external intruders out, but let admins know when they do get in
2000 | Above plus network AV, URL screening, host-based IDS, and VPNs | Control and monitor all network access but allow flexibility
2002 | Above plus strong authentication, application firewalls | Protect against blended threats
Future | Gateway IDS (GIDS), application-aware proxies, integrated exposure management, standard metrics and measurements | True enterprise security risk management
22
InfoSec Risk Examples
Threat | Damage | Mitigation Strategies
Web site defacement | Loss in customer confidence, loss in revenue | IT controls, user education, 24 x 7 monitoring
Data theft | Loss of competitive advantage | IT controls, user education, employee screening
Wide-spread virus infection | System downtime, loss in productivity, loss or corruption of data | IT controls, user education, email sanitization
Unauthorized network access | Any of the above | IT controls, user education, network entry point consolidation
23
Security Risk Management Program
  • Should include (not an exhaustive list):
    • Governance and sponsorship by senior management
    • Staff and leadership education
    • Implementation of appropriate technical controls
    • Written enterprise security policies and standards
    • Formal risk assessment processes
    • Incident response capabilities
    • Reporting and measuring processes
    • Compliance processes
    • Ties to legal, HR, audit, and privacy teams

24
Security Risk Management: Education
  • One of the largest security risks in your
    enterprise is untrained employees; this
    especially includes upper management
  • Who cares what technology you have if an employee
    will give their password over the phone to
    someone claiming to be from the help desk?
  • Are users aware of their roles and
    responsibilities as they relate to
    information security?
  • Are users aware of security policies and
    procedures?
  • Do users know who to call when there are
    security problems?

25
Security Risk Management: IT Controls
  • The average enterprise needs Firewalls, Intrusion
    Detection, Authentication Systems, Proxies, URL
    Screening, Anti-Virus, and a slew of other
    things.
  • A major reason we need all of this technology is
    because systems continue to be shipped / built
    insecurely!!!
  • Every one of us needs to push vendors to ship
    secure software, and to include security testing
    in their QA processes

26
Security Risk Management: Selective Outsourcing
  • Things you might consider outsourcing:
    • The cyber risk itself (insurance, re-insurance)
    • Email filtering and sanitization
    • 24 x 7 security monitoring
    • 1st level incident response (viruses, etc.)
    • Password resets
    • Others?

27
Wrap Up: What Can You Do Going Forward?
  • Urge (contractually obligate if possible) vendors
    to build, QA test, and ship secure
    products!!!!!!!
  • Remember that security is not a thing or a one-time
    event; it is a continual process.
  • Manage security risks like other business risks
  • Conduct periodic security risk assessments that
    recommend appropriate security controls
  • Ensure security is inserted early in project
    lifecycles
  • Support your internal InfoSec team; they
    have a tough job managing threats
    and vulnerabilities

28
Credits
  • CERT/CC: http://www.cert.org/present/cert-overview-trends/
  • Internet Security Alliance: http://www.isalliance.org
  • Riptech: http://www.riptech.com
  • UK Department of Trade and Industry:
    https://www.security-survey.gov.uk/View2002SurveyResults.htm

29
Questions?