
Society for Information Management Information Security Trends and Issues

Explore the current state of information security based on survey findings, risks, and evolving threats, alongside top security initiatives and organizational priorities for 2004.


Presentation Transcript


  1. Society for Information Management: Information Security Trends and Issues
  Neil Cooper, CISSP, CISA
  December 2, 2003, Philadelphia, PA

  2. Agenda
  • Introduction
  • Current State of Security
  • What Have We Seen?
  • Risks and Threats
  • Conclusion

  3. Current State of Security

  4. Current State of Security
  • CSI/FBI 2002 Computer Crime and Security Survey
    • 60% of respondents knew of unauthorized use of their computer systems
    • Only 44% of the respondents could quantify the loss due to unauthorized access
    • Total cost of theft of proprietary information in 2002: $170M
    • Highest reported quantified amount was $50M, with the average being more than $6M
    • Total cost of financial fraud in 2002: $115M
    • Reputation loss is difficult to quantify

  5. Current State of Security
  • 74% of respondents who were aware of an attack or security incident cited the Internet as the attack point
  • Likely source of an attack: independent hackers
  • Only 34% of those respondents who experienced a computer intrusion reported it to law enforcement

  6. The Risks are Real…
  • 78% detected inappropriate use of computer systems within the last 12 months
  • 74% reported attacks from the Internet
  • 33% reported attacks from the inside
  • 40% detected a Denial of Service attack
  • 85% detected a virus attack
  • 90% detected computer security breaches
  • 78% detected insider abuse of network access

  7. Current State of Security
  • The State of Information Security 2003 from CIO Magazine & PricewaterhouseCoopers
    • 7500 respondents to the survey
    • Survey results show that companies around the world (42% of total respondents) are beginning to look at security from a strategic perspective
    • Fifty-four percent place raising awareness about security at the top of their list for 2004

  8. Current State of Security
  • Threat and vulnerability management initiatives:
    • blocking unauthorized access (53%)
    • detecting viruses (49%)
    • security audits (44%)
    • security monitoring (49%)
  • All rank high on the list of priorities for next year

  9. Survey Demographics
  • Across all industries in 54 countries, including financial services, manufacturing, healthcare, telecommunications, government
  • Company sizes ranged from small to multinational:
    • 51% = up to $500M
    • 22% = $500M to $25B
    • 3% = more than $25B
    • Remainder either did not know revenue size or were government/non-profits
  • Job titles largely IT and security related:
    • VPs of IT, CSOs, Security Directors, Network or System Administrators

  10. Key Findings: Security Still a Reactive Culture
  • Security initiatives are still driven in large part by external factors (regulations and industry practices) and not from a risk assessment perspective
  • Security policies are “blocking and tackling”, covering user behavior, employee awareness, and network and system administration issues
  • One-third or less included monitoring standards, enforcing standards, incident response or classifying value of data in their security policy
  • Few companies are including partners and suppliers in their policy planning
  • Ten percent of those surveyed said their organization had no formal security policy

  11. Top Security Initiatives for 2004
  • Leading security initiatives:
    • Block unauthorized access (58%)
    • Enhance network security (55%)
    • Detect malicious programs (viruses/hostile code) (54%)
    • Conduct security audits (51%)
    • Conduct security risk assessment (48%)
    • Monitor user compliance with policy (45%)
  • Top three organizational priorities:
    • Raise end-user awareness of policy and procedures (60%)
    • Train staff (44%)
    • Develop security policy & standards (39%)

  12. An Increased Demand on Security
  • The Security of Exclusion (“Protection”)
  • The Security of Inclusion (“Enablement”)

  13. Challenges of Inclusion and Exclusion
  • Inclusion: increased
    • Identities
    • Control Requirements
    • Complexity
  • Exclusion: increased
    • Threats
    • Vulnerabilities
    • Complexity

  14. New and Continuing Risks
  • Intra- and extranet content
  • Malicious e-mail attachments
  • Sensitive or misleading Internet postings
  • Pirate / counterfeit / diverted products
  • Cybercrime, both internal and external
  • Demands to produce relevant electronic information
  • Loss of control of key digital assets

  15. Security Risk Categories
  • Financial
    • Return on investments unclear
    • Insecure transactions
  • Technology
    • Immature / unstable
    • Lack of standards
    • Limited skilled workers

  16. Risk Categories
  • Reputation
    • Public embarrassment
  • Third Party
    • Legal & regulatory

  17. Top Management Errors…
  • Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
  • Fail to understand the relationship of information security to the business problem: they understand physical security but do not see the consequences of poor information security.
  • Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.

  18. Top Management Errors…
  • Rely primarily on a firewall.
  • Too much trust in employees.
  • Fail to realize how much money their information and organizational reputations are worth.
  • Not identifying root cause issues; authorize reactive, short-term fixes so problems re-emerge rapidly.
  • “It won’t happen to us” attitude.

  19. The Threat is multifaceted…
  • Insiders
    • Current employees
    • Former employees
    • Business partners
    • Contractors / consultants
    • Temporary employees
  • Outsiders
    • “Freelance” or “Mercenary” crackers
    • Professional cybercriminals
    • Thrill seekers & kids
    • Competitors

  20. Attack Trends
  • Both the nonprofit and financial services sectors experienced higher rates of overall attack volume and severe event incidence, respectively.
  • 21% of companies in the sample set suffered at least one severe event over the past six months
  • Attacks from countries included on the Cyber Terrorist Watch List accounted for less than 1% of all activity.
  • Cases of internal misuse and abuse accounted for more than 50% of incident response engagements.
  • Source: Symantec Internet Threat Report, Feb 2003

  21. What Areas Require Focus?
  • Reliability
  • Availability
  • Scalability
  • Integrity (Key Area)
  • Confidentiality (Key Area for Internal Security)
  • Capacity

  22. Abilities
  • Security
    • Ability to prevent, detect, & react to unauthorized access
    • Ability to specifically identify users
    • Ability to specifically authorize access to technology & data

  23. Controls
  • Security Controls
    • Protective: Authentication, Authorization, Firewalls, SSL, Locks, Guards, Security Testing
    • Detective: Logging, Firewalls, Network IDS, Host IDS, Security Testing

  24. Controls
  • Reactive Controls: require detective controls first!
  • With detective controls in place, you MUST have well planned & tested reactive control processes to adequately address:
    • Security events
    • Capacity problems
    • Component or site outages
    • Performance problems

  25. What Have We Seen?

  26. What Have We Seen?
  • Perimeter secured from the Internet but...
  • Perimeter not secured from the Internet.
  • Internal network insecure.
  • Access to systems that contain sensitive information not controlled.
  • Proliferation of wireless networks.
  • Unsecured laptop computers.
  • Uncontrolled use of e-mail and instant messaging.

  27. What are Companies Doing?
  • Reading e-mail selectively
  • Filtering out Internet access
  • Filtering outbound and inbound e-mail
  • Restricting employee access
  • Imposing penalties on violations of security policy
    • up to and including termination

  28. Risks and Threats

  29. Risks and Threats - Internal
  • Source of attacks and security incidents
    • Current employees, authorized access: 26%
    • Current employees, unauthorized access: 25%
    • Former employees, unauthorized access: 16%
  • The risk is very high
    • Most companies grant too much access to their information
    • Give Joe the same access as Sally had
    • Trusted IT professionals
    • Educated users

  30. Risks and Threats - Regulations
  • Many industries are regulated and must protect their customers’ information from unauthorized access
    • HIPAA
    • GLBA and others in Financial Services
    • CA 1386
    • US Notification of Risk to Personal Information Act (SB 1350)

  31. Risks and Threats - Technology
  • Camera phones
  • Flash disks
  • Wireless networks
  • Instant messaging tools
  • Modems and cable modems

  32. Camera Phones
  • New technology sweeping the country and world
  • Easy to use
  • No controls
  • Attach and send picture in e-mail

  33. Flash Disks
  • Small devices
  • Connect to USB ports
  • Large capacity
  • Easy to use
  • Circumvent all controls on computers

  34. Wireless LANs
  • Benefits:
    • Mobility for internal users

  35. Wireless LANs
  • Disadvantages:
    • Weak or no encryption
    • Extends your network perimeter
    • Ease of eavesdropping
    • Denial of Service
    • Easy to set up and install
    • Not as easy to detect

  36. Wireless LANs
  • Risk mitigation techniques
    • Utilize strong encryption
    • Isolate wireless LANs
    • Implement security policies and procedures
    • Don’t use
    • Scan for existence

  37. Wireless LANs – Is this your network? http://www.worldwidewardrive.org/wwwd1/baltimore.jpg

  38. Instant Messaging
  • According to Gartner Research, by the fourth quarter of 2002 approximately 70% of enterprises used unmanaged consumer instant messaging on their networks to conduct business.
  • As both legitimate and unauthorized usage rises, the threat of malicious code that uses instant messaging clients for propagation is becoming more significant.

  39. Instant Messaging
  • Gartner survey: 58% of those surveyed said the careless use of personal communications by their employees, especially e-mail and instant messaging (IM), poses the most dangerous security risk to their networks.
  • In a study by INT Media Research, 70% of businesses surveyed said they don't offer their employees guidelines on acceptable use of IM technology.

  40. Instant Messaging
  • March 2001 – “ICQ logs spark corporate nightmare”
    • hundreds of pages of ICQ logs posted to web
    • allegedly unedited logs available in entirety at http://www.echostation.com/efront/
    • stolen from PC of CEO Sam Jain of eFront
    • several senior management team members resigned

  41. Instant Messaging
  • File transfer enables transfer of worms or other malicious code
  • Bypass of desktop and perimeter firewall implementations makes it harder to detect than other threats
  • Easier to find victims: select from current lists of users versus scanning blocks of addresses
  • All major IM networks support person-to-person (p2p) file sharing, which leads to the spread of infected files

  42. Instant Messaging
  • Clients can specify ports to defeat firewalls
  • New versions include file transfer features
  • Proprietary data
  • Inappropriate content
  • Productivity
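The slides above note that IM clients can be pointed at arbitrary ports to get past port-based firewall rules, which makes them harder to detect. The following is an added example (not part of the presentation) of one detection heuristic a defender can run over firewall logs: a host whose connections to a destination on the well-known IM ports were denied, followed shortly by an allowed connection to the same destination on some other port. The log format, the sample lines and the set of IM ports a policy is assumed to deny are constructed for this example.

```python
"""Flag IM-style port hopping in firewall logs (added example)."""
import re
from collections import defaultdict

# Assumption: the egress policy denies these well-known consumer IM ports
# (AIM/ICQ 5190, MSN 1863, Yahoo 5050, Jabber/XMPP 5222).
IM_PORTS = {1863, 5190, 5050, 5222}

# Constructed sample log in a simplified "ts action src dst dport" format.
SAMPLE_LOG = """\
2003-12-02T09:00:01 DENY 10.1.5.20 64.12.24.10 5190
2003-12-02T09:00:02 DENY 10.1.5.20 64.12.24.10 1863
2003-12-02T09:00:05 ALLOW 10.1.5.20 64.12.24.10 80
2003-12-02T09:01:10 ALLOW 10.1.5.21 216.58.1.5 80
2003-12-02T09:02:00 DENY 10.1.5.22 207.46.1.9 1863
this line is malformed and will be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Yield parsed records; lines not matching the expected format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "dport": int(m.group("dport"))}


def find_port_hopping(records):
    """Return {(src, dst): allowed_port} for pairs where one or more IM ports
    were denied and a later connection to the same destination on a non-IM
    port was allowed. Records are assumed to be in time order."""
    denied = defaultdict(set)  # (src, dst) -> IM ports already denied
    hits = {}
    for r in records:
        key = (r["src"], r["dst"])
        if r["action"] == "DENY" and r["dport"] in IM_PORTS:
            denied[key].add(r["dport"])
        elif r["action"] == "ALLOW" and denied[key] and r["dport"] not in IM_PORTS:
            hits[key] = r["dport"]
    return hits


if __name__ == "__main__":
    for (src, dst), port in find_port_hopping(parse_log(SAMPLE_LOG)).items():
        print(f"possible IM port hopping: {src} -> {dst} now allowed on tcp/{port}")
```

A hit is only a lead: the allowed port 80 connection still has to be confirmed at the proxy or by inspecting the session, since the heuristic sees ports, not protocols.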

  43. Modems and Cable Modems
  • May be connected to sensitive systems
  • Attempted penetration through war-dialing
  • Internal access to network should be restricted
  • Home use and telecommuters

  44. Incident Response and Forensics
  • Incident response minimizes the impact of security failures. The goal is to detect, isolate, and correct security lapses and intrusions.
  • Forensics increases the ability of a company to investigate, remediate and recover, in litigation or otherwise, the damages caused by a security incident.

  45. Emergency Response Considerations
  • How will you define and identify an incident?
  • Do you have the skill sets to respond?
  • How will you respond?
    • Ignore, use to misinform, or prosecute?
  • Cost vs. response time

  46. Reducing Internal Risk within an Organization
  • Security policies and procedures
  • Virtual Private Networks
  • Incident response procedures
  [PricewaterhouseCoopers Toolbox Map]

  47. Questions?

  48. Contact Information
  • Neil Cooper, CISSP, CISA
  • Director, Security and Privacy Practice
  • Philadelphia, PA
  • 267-330-2518
  • neil.f.cooper@us.pwc.com

  49. Your worlds Our people
