1 / 26

Information Security

Information Security. Thomas Waszak, CISSP Black Hat Briefing Asia 2002. October 3, 2002. Introduction and Background U.S. Army; Sigint, Humint, SOCOM Corporate experience – messaging specialist, private investigator, network admin, principal consultant, director of professional services.

liam
Download Presentation

Information Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Information Security Thomas Waszak, CISSP Black Hat Briefing Asia 2002 October 3, 2002

  2. Introduction and Background • U.S. Army; Sigint, Humint, SOCOM • Corporate experience – messaging specialist, private investigator, network admin, principal consultant, director of professional services. • Currently with Washington Mutual Bank’s Information Security Technology Solutions Group – Information Security Special Projects Leader/CSIRT Investigator • Participated or lead many different types of InfoSec projects for many corporations in different industries.

  3. Disclaimer • I am not representing Washington Mutual Bank. • All views and opinions I share with you today are my own and do not necessarily represent the policies of my employer.

  4. Changes Since September 11th • Re-evaluation and improvement of travel security • Acceptance of travel inconvenience • U.S. Homeland Security concerned about the national infrastructure • President Bush issues executive order to improve critical infrastructure • Disaster recovery and business continuity big winners of corporate acceptance • Physical security also a big winner of corporate acceptance

  5. Waning Interest and Corporate Lip Service • Initial fear of follow-on cyber attacks • No published or publicized terrorist cyber attacks – back to sleep • Corporate attitudes towards Information Security have not improved since September 11. • Any additional corporate emphasis on Information Security related to mandated government requirements of GLBA and HIPPA.

  6. Status Quo for Corporate Security – Should we care? YES!!!! things are getting worse each day. The Computer Security Institute recently (2001) surveyed 503 corporations: • 90% detected computer security breaches in the previous 12 months (BTW 10% are liars) (Up from 70% in 1999) • 80% suffered financial losses due to computer security breaches (Up from 74% in 1999) • 40% detected system penetration from the outside (Up from 25% in 1999)

  7. Bad Things Happen But No Real Change • Companies lose money and go out of business • Billions and billions of dollars lost every year • Cloud Nine – British ISP DOS’ed out of business • Barings – Nick Leeson • Exodus – Almost ordered to remove client servers from the Internet because of a competitor complaint. • Microsoft – Passport privacy violations. Court required implementation of security program. • All resulting security changes were isolated and not wide spread.

  8. No Change Unless: One of, or a combination of, three things must happen before corporate attitudes about security will improve: • Change must provide economic benefit. • Public outrage must demand it. • Governments must mandate it.

  9. An Unwanted And Painful Nudge Change will be a long time coming unless a cyber related catastrophic attack occurs: • Titanic syndrome – all three conditions met • Digital 9/11 • Barings could have been a Titanic event if computer security issues had been more prevalent. (Complete, total, sudden, and immediate failure. Billions of dollars lost, millions of people affected)

  10. It’s hopeless so let’s sit on our hands and wait for the digital Pearl Harbor and be prepared to …. Say I told you so.

  11. … Or let’s do the best we can to make things happen without the unwanted and painful nudge… • Information Security Professionals have a fiduciary responsibility • It’s easy to get discouraged but most of us are up for the challenge

  12. But first….we must understand who’s to blame for this sorry state of affairs, and why? • IT Vendors – for producing products with shameful security deficiencies and for denying security problems • Security vendors – for confusing the issues, for rushing to release immature products in order to be the first to release the next better mouse trap.

  13. The Blame Game… • Business management – for not taking pre-incident intangible risks serious enough. • Information Technology Professionals – for consistently putting uptime and network speed at a much higher priority than security. And for always pretending that they know as much about security as we do.

  14. The Blame Game • Information Security Professionals – The sorry state of information security is as much our fault as anyone’s because we: • Often fail to effectively partner with and communicate with our corporate management, business, and or technology people. • Often forget that the purpose of information security is to protect existing money, and to safeguard revenue streams. It’s purpose is not to lock down every single desktop computer.

  15. The Blame Game • Information Security Professionals –…because we: • Sometimes get wrapped up in minutia when we should be looking at and seeing the bigger picture. • Sometimes alienate our user communities by acting like the secret police instead the fire department.

  16. The Blame Game. • Information Security Professionals –…because we: • Fail to understand the business our corporation is in. • Sometimes fall in love with technology and force the problem to fit the technology instead of forcing technology to solve the problem.

  17. The Blame Game. • Information Security Professionals –…because we: • Sometimes allow our technology bigotry to cloud our judgment and impair our objectivity. (Novell/Microsoft/Unix Bigot) • Sometimes waste our energy fighting small tiny security problems instead of focusing on the big issues that matter the most.

  18. The Blame Game. • Information Security Professionals –…because we: • Sometimes undermine our credibility by making the mistake of using too much or exaggerated FUD. • Usually spend too much time preaching to the choir rather than trying to convert the masses

  19. The Blame Game. • Information Security Professionals –…because we: • Try to show business and IT people that we are cool and understand business by rushing to make poor business and security decisions. “We already own $30K of junk that doesn’t work. Let’s not loose our initial investment of junk that doesn’t work and so lets buy $300K more of it. That way we’ll have enough junk to spread around everywhere.”

  20. The Blame Game. • Information Security Professionals –…because we: • Try to force a square peg in a round hole by trying to quantify the unquantifiable with quantitative analysis. Show me a strong advocate of the liberal use of quantitative analysis, for information security business case’s.

  21. Blame Game Reality. • Relax, It’s not really ALL of your fault…. • But, you can do an awful lot more than you would think • An Information Security Professional must rise above the fray and understand everything and everyone.

  22. We Need an Attitude Adjustment – Learn To Enjoy And Appreciate Stupid People • Remember that your company is in the business of making widgets and not in the security business. • Your mission is to analyze, notify, and advise. It is a rare situation where you are obligated to care more than your CEO does.

  23. Tips, Summary, and, Final Words • It will always be easier for you to understand management, IT, and business. • Don’t let security vendors confuse your people. • Document Document Document and protect yourself – live by the paper trail

  24. Tips, Summary, and, Final Words • Manage perception. Protect your credibility. • It’s not worth losing sleep • It’s painful being stupid but sometimes it isn’t painful enough or as painful as it should be

  25. Tips, Summary, and, Final Words Thank You

  26. Tips, Summary, and, Final Words All Your Base Are Belong To Us

More Related