Trends in Information Security: Security Update 2003
Presented By: Tina LaCroix & Jason Witty
Presentation Overview • Introduction and Benefits of InfoSec • Trends and Statistics • Hacking Tools Discussion / Demonstration • Proactive Threat and Vulnerability Management • Security Lifecycle • Recommendations • Wrap-up / Questions
Q: In Today’s Down Market, What Can: • Give your company a competitive advantage? • Support your reputation in the eyes of your customers and business partners? • Demonstrate compliance to local, federal and international regulatory statutes? • Improve system uptime and employee productivity? • Ensure viable long term e-Commerce? Answer: The appropriate Information Security Program.
What’s the Problem? Your security people have to protect against thousands of security problems… Hackers only need one thing to be missed. But with appropriate planning and execution, a comprehensive information security program will protect your corporate assets.
Some InfoSec Statistics
• General Internet attack trends are showing a 64% annual rate of growth – Symantec
• The average [security-conscious] company experienced 32 attacks per week over the past 6 months – Symantec
• The average measurable cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 – UK Dept of Trade & Industry
• Identity-theft related information is selling for $50-$100 per record – LOMA Resource 12/02
Top 10 Security Laws (Microsoft's "10 Immutable Laws of Security Administration")
• Technology is not a panacea
• Security isn't about risk avoidance, it's about risk management
• The most secure network is a well-administered one
• There really is someone out there trying to guess your passwords
• Eternal vigilance is the price of security
• It doesn't do much good to install security fixes on a computer that was never secured to begin with
• If you don't keep up with security fixes, your network won't be yours for long
• Security only works if the secure way also happens to be the easy way
• Nobody believes anything bad can happen to them, until it does
• The difficulty of defending a network is directly proportional to its complexity
Computer Incident Statistics • In 1988 there were only 6 computer incidents reported to CERT/CC. • There were 52,658 reported and handled last year.
Virus Threat Evolution: The Threat is spreading faster
[Chart: number of infections per hour at the peak of each outbreak, plotted by year from 1998 to 2002 for Melissa, ExploreZip, LoveLetter, Anna Kournikova, CodeRed, Nimda and Klez; Klez sits at the top of a scale that runs to 7,000 infections/hour.]
The time required for malicious code to spread to a point where it can do serious infrastructure damage halves every 18 months.
Source: Network Associates, January 2003, used with permission
Information Security Threats: Attackers
• Bored IT guys
• "Hacktivists"
• Competitors
• Terrorists
• Disgruntled (or former) employees
• Real system crackers (Hackers)
• The infamous "script kiddie"
• Increasingly, mob-sponsored professionals
Need More Tools? http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download
Full Disclosure: What's That?
• When a vulnerability is discovered, all details of that vulnerability are reported to the vendor
• The vendor then works on a patch for a "reasonable" amount of time
• The discoverer of the vulnerability then releases full details of the problem found and, typically, a tool to prove it can be exploited
• Hopefully the vendor has a patch available by then
Note that this is the vendor-first variant of the practice (now usually called responsible or coordinated disclosure); in its strict sense, "full disclosure" means publishing the details immediately, without waiting for the vendor.
Hacker Techniques: The Scary Reality
• Growing trend by some hackers NOT to report vulnerabilities to vendors: keep exploits unpublished and known only to the hacker community
• Exploit services that HAVE to be allowed for business purposes (HTTP, E-Mail, etc.)
• Initiate attacks from *inside* the network
• 2002: large increase in "hacking for hire" – US Secret Service
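The second and third bullets are the ones a firewall cannot help with: port 80 has to be open, and an infected machine on the LAN is already past the perimeter. The only place left to notice the attack is the content of the allowed traffic. The following is an added example, not part of the original slides, of what that looks like in practice: a small scanner that reads web-server access-log lines and flags the request shapes used by CodeRed (the /default.ida overflow probe) and Nimda (cmd.exe / root.exe and encoded directory-traversal probes), the worms named on the threat-evolution slide. The log lines are constructed for the example and use private (RFC 1918) source addresses to mirror the "from inside the network" point; the Common Log Format layout, the field names and the signature labels are this example's own choices.

```python
"""Flag worm-style probes hidden inside ordinary, allowed HTTP traffic.

Added example for this page; not code from the presentation. Log lines below
are constructed, not captured traffic.
"""
import re
from collections import Counter

# Constructed sample lines in Apache Common Log Format (hypothetical data).
# 10.0.0.9 plays an infected internal host probing the intranet web server.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [15/Jan/2003:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 1432',
    '10.0.0.9 - - [15/Jan/2003:10:01:07 -0600] "GET /default.ida?'
    + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 289',
    '10.0.0.9 - - [15/Jan/2003:10:01:09 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.9 - - [15/Jan/2003:10:01:10 -0600] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.12 - - [15/Jan/2003:10:02:00 -0600] "POST /orders/submit HTTP/1.1" 200 512',
]

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Request shapes used by the worms named on the "Virus Threat Evolution" slide.
SIGNATURES = [
    ("CodeRed /default.ida overflow probe", re.compile(r"/default\.ida\?[NX]{20,}", re.I)),
    ("Nimda cmd.exe/root.exe probe", re.compile(r"/(cmd|root)\.exe", re.I)),
    ("Nimda encoded traversal (..%255c / ..%c0%af)", re.compile(r"\.\.(%255c|%c0%af|%c1%1c)", re.I)),
]


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Labels of every signature the request path matches (empty list if clean)."""
    return [label for label, rx in SIGNATURES if rx.search(path)]


def scan(lines):
    """One hit per suspicious line: who sent it, what they asked for, and why it matters."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        labels = classify(rec["path"])
        if labels:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "labels": labels})
    return hits


def offenders(hits):
    """Probe count per source address; several hits from one internal IP means an infected host."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG_LINES)
    for h in found:
        # The 404s say this server was not vulnerable; the neighbour sending them is still infected.
        print(f'{h["ip"]} {h["status"]} {h["path"][:60]} -> {", ".join(h["labels"])}')
    print("probes per source:", dict(offenders(found)))
```

Two things worth noticing when you run it: every probe was answered with a 404, so a purely server-side "was I exploited?" check finds nothing, yet the log still identifies the infected internal machine; and the last Nimda line matches two signatures at once, which is why `classify` returns a list rather than a single label.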
Most companies can improve their information protection program… (No More of This)
Security Risk Management Concepts • Information Security must be handled jointly by IT and the business you serve • Information Security risks need to be identified and managed like any other business risk • System, data and application lifecycle management is essential • The business climate has radically changed in the past two years. How your company handles its confidential information is being scrutinized.
Required Security Controls
[Diagram: non-technical controls (Policy, Processes, Procedures, Standards, Guidelines) alongside technical controls mapped to the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), underpinned by Security Strategy, Management Commitment, Security Management Structure and an Awareness Program.]
Source: Forsythe Solutions, used with permission
How Much Security do We Need Today? How much is Enough?
[Diagram: the ten control areas of ISO 17799 (best practices), each rated on a 1 to 10 scale]
• Security Policy
• Security Organization
• Classification & Control of Assets
• Personnel Security
• Environmental & Physical Security
• Computer & Network Management
• System Access Controls
• System Development & Maintenance
• Business Continuity Planning
• Compliance
Source: Forsythe Solutions, used with permission
Security Risk Management Program Should include (not an exhaustive list): • Governance and sponsorship by senior management • Staff and leadership education • Implementation of appropriate technical controls • Written enterprise security policies & standards • Formal risk assessment processes • Incident response capabilities • Reporting and measuring processes • Compliance processes • Ties to Legal, HR, Audit, and Privacy teams
Security Risk Management: Education • One of the largest security risks in your enterprise is untrained employees – this especially includes upper management • Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk? • Are users aware of their roles and responsibilities as they relate to information security? • Are users aware of security policies and procedures? • Do users know who to call when there are security problems?
Security Risk Management: IT Controls • The average enterprise needs Firewalls, Intrusion Detection, Authentication Systems, Proxies, URL Screening, Anti-Virus, and a slew of other things. • A major reason we need all of this technology is because systems continue to be shipped / built insecurely!!! • Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes
Security Risk Management: Selective Outsourcing Things you might consider outsourcing: • The cyber risk itself (Insurance, Re-insurance) • E-mail filtering and sanitization • 24 x 7 monitoring of security systems • 1st level incident response (viruses, etc.) • Password resets • Others?
Wrap Up: What Can You Do Going Forward?
• Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products
• Remember that security is not a "thing" or a one-time event; it is a continual process
• Manage security risks like other business risks
• Conduct periodic security risk assessments that recommend appropriate security controls
• Ensure security is inserted early in project lifecycles
• Support your internal InfoSec team: they have a tough job managing threats and vulnerabilities
Credits • CERT/CC • Internet Security Alliance – http://www.isalliance.org • Symantec – http://www.symantec.com • UK Department of Trade and Industry • LOMA – www.loma.org