Society For Information Management Information Security Trends And Issues



Society for Information Management
Information Security Trends and Issues
Neil Cooper, CISSP, CISA
December 2, 2003
Philadelphia, PA

Agenda
• Introduction
• Current State of Security
• What Have We Seen?
• Risks and Threats
• Conclusion


PricewaterhouseCoopers

Current State of Security

Current State of Security
CSI/FBI 2002 Computer Crime and Security Survey
• 60% of respondents knew of unauthorized use of their computer systems
• Only 44% of the respondents could quantify the loss due to unauthorized access
• Total cost of theft of proprietary information in 2002: $170M
  – Highest reported quantified amount was $50M, with the average being more than $6M
• Total cost of financial fraud in 2002: $115M
• Reputation loss is difficult to quantify

Current State of Security
• 74% of respondents who were aware of an attack or security incident cited the Internet as the attack point
• Likely source of an attack: Independent Hackers
• Only 34% of those respondents who experienced a computer intrusion reported it to law enforcement

The Risks are Real…
• 78% Detected inappropriate Use of Computer Systems within the last 12 months
• 74% Reported attacks from the Internet
• 33% Reported attacks from the inside
• 40% Detected a Denial of Service attack
• 85% Detected a virus attack
• 90% Detected computer security breaches
• 78% Detected Insider abuse of network access

Current State of Security
The State of Information Security 2003 from CIO Magazine & PricewaterhouseCoopers
• 7500 respondents to the survey
• Survey results show that companies around the world (42% of total respondents) are beginning to look at security from a strategic perspective
• Fifty-four percent place raising awareness about security at the top of their list for 2004.

Current State of Security
• Threat and vulnerability management initiatives:
  – blocking unauthorized access (53%)
  – detecting viruses (49%)
  – security audits (44%)
  – security monitoring (49%)
  all rank high on the list of priorities for next year

Survey Demographics
Across all industries in 54 countries, including financial services, manufacturing, healthcare, telecommunications, government
Company sizes ranged from small to multinational:
• 51% = up to $500M
• 22% = $500M to $25B
• 3% = more than $25B
• Remainder either did not know revenue size or were government/non-profits
Job titles largely IT and security related:
• VPs of IT, CSOs, Security Directors, Network or System Administrators

Key Findings: Security Still a Reactive Culture
• Security initiatives are still driven in large part by external factors (regulations and industry practices) and not from a risk assessment perspective
• Security policies are “blocking and tackling” and covering user behavior, employee awareness and network and system administration issues
• One-third or less included monitoring standards, enforcing standards, incident response or classifying value of data in their security policy
• Few companies are including partners and suppliers in their policy planning

Top Security Initiatives for 2004
Leading security initiatives:
• Block unauthorized access (58%)
• Enhance network security (55%)
• Detect malicious programs -- viruses/hostile code (54%)
• Conduct security audits (51%)
• Conduct security risk assessment (48%)
• Monitor user compliance with policy (45%)

An Increased Demand on Security
• The Security of Inclusion: “Enablement”
• The Security of Exclusion: “Protection”

Challenges of Inclusion and Exclusion
Increased:
• Identities
• Control Requirements
• Complexity
Increased:
• Threats
• Vulnerabilities
• Complexity

New and Continuing Risks
• Intra and Extra-net content
• Malicious E-mail attachments
• Sensitive or misleading Internet postings
• Pirate / counterfeit / diverted products
• Cybercrime both Internal and External
• Demands to produce relevant electronic information
• Loss of control of key digital assets

Security Risk Categories
• Financial
  – Return on Investments Unclear
  – Insecure Transactions
• Technology
  – Immature / Unstable
  – Lack of Standards
  – Limited Skilled workers

Risk Categories
• Reputation
  – Public Embarrassment
• Third Party
  – Legal & Regulatory

Top Management Errors…
• Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
• Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
• Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.

Top Management Errors…
• Rely primarily on a firewall.
• Too much trust of employees
• Fail to realize how much money their information and organizational reputations are worth.
• Not identifying root cause issues.
• Authorize reactive, short-term fixes so problems re-emerge rapidly.
• “It won’t happen to us” attitude

The Threat is multifaceted…
Insiders
• Current employees
• Former employees
• Business partners
• Contractors / consultants
• Temporary employees
Outsiders
• “Freelance” or “Mercenary” crackers
• Professional Cybercriminals
• Thrill Seekers & Kids
• Competitors

Attack Trends
• Both the nonprofit and financial services sectors experienced higher rates of overall attack volume and severe event incidence, respectively.
• 21% of companies in the sample set suffered at least one severe event over the past six months
• Attacks from countries included on the Cyber Terrorist Watch List accounted for less than 1% of all activity.
• Cases of internal misuse and abuse accounted for more than 50% of incident response engagements.
Source: Symantec Internet Threat Report Feb 2003

What Areas Require Focus?
[Diagram: Reliability, Availability, Scalability, Integrity, Confidentiality, Capacity; callouts “Key Area for Internal Security” and “Key Area”]

Abilities
• Security
  – Ability to Prevent, Detect, & React to Unauthorized Access
  – Ability to specifically identify users
  – Ability to specifically authorize access to technology & data

Controls
Security Controls
• Protective - Authentication, Authorization, Firewalls, SSL, Locks, Guards, Security Testing
• Detective - Logging, Firewalls, Network IDS, Host IDS, Security testing

Controls
Reactive Controls - require detective controls first!
With Detective controls in place, you MUST have well planned & tested reactive control processes to adequately address:
• Security Events
• Capacity Problems
• Component or Site Outages
• Performance Problems

What Have We Seen?

What Have We Seen?
• Perimeter secured from the Internet but...
• Perimeter not secured from the Internet.
• Internal network insecure.
• Access to systems that contain sensitive information not controlled.
• Proliferation of Wireless Networks.
• Unsecured laptop computers.
• Uncontrolled use of email and instant messaging

What are Companies Doing?
• Reading e-mail selectively
• Filtering out Internet access
• Filtering outbound and inbound e-mail
• Restricting employee access
• Imposing penalties on violations of security policy – up to and including termination

Risks and Threats

Risks and Threats - Internal
Source of Attacks and Security Incidents
• Current Employees – Authorized Access – 26%
• Current Employees – Unauthorized Access – 25%
• Former Employees – Unauthorized Access – 16%

The Risk is very High
Most companies grant too much access to their information
• Give Joe the same access as Sally had
• Trusted IT professionals
• Educated Users

Risks and Threats - Regulations
Many industries are regulated and must protect their customers' information from unauthorized access
• HIPAA
• GLBA and others in Financial Services
• CA 1386
• US Notification of Risk to Personal Information Act (SB 1350)

Risks and Threats - Technology
• Camera Phones
• Flash Disks
• Wireless Networks
• Instant Messaging Tools
• Modems and Cable Modems

Camera Phones
• New Technology sweeping the country and world
• Easy to use
• No Controls
• Attach and send picture in e-mail

Flash Disks
Small Devices
• Connect to USB Ports
• Large Capacity
• Easy to Use
• Circumvent all Controls on Computers

Wireless LANs
Benefits:
• Mobility for internal users

Wireless LANs
Disadvantages:
• Weak or no Encryption
• Extends your network perimeter
• Ease of eavesdropping
• Denial of Service
• Easy to setup and install
• Not as easy to detect

Wireless LANs
Risk Mitigation Techniques
• Utilize strong encryption
• Isolate Wireless LANs
• Implement security policies and procedures
• Don’t use
• Scan for existence

Wireless LANs – Is this your network?
[Image: http://www.worldwidewardrive.org/wwwd1/baltimore.jpg]

Instant Messaging
• According to Gartner Research, by the fourth Quarter of 2002 approximately 70% of enterprises used unmanaged consumer instant messaging on their networks to conduct business.
• As both legitimate and unauthorized usage rises, the threat of malicious code that uses instant messaging clients for propagation is becoming more significant.

Instant Messaging
• Gartner survey - 58% of those surveyed said the careless use of personal communications by their employees - especially e-mail and instant messaging (IM) - poses the most dangerous security risk to their networks.
• In a study by INT Media Research, 70% of businesses surveyed said they don't offer their employees guidelines on acceptable use of IM technology.

Instant Messaging
March 2001 – “ICQ logs spark corporate nightmare”
• hundreds of pages of ICQ logs posted to web
• allegedly unedited logs available in entirety at http://www.echostation.com/efront/
• stolen from PC of CEO Sam Jain of eFront
• several senior management team members resigned

Instant Messaging
• File transfer enables transfer of worms or other malicious code
• Bypass of desktop and perimeter firewall implementations makes it harder to detect than other threats
• Easier to find victims -- select from current lists of users versus scanning blocks of addresses
• All major IM networks support person-to-person (p2p) file sharing, which leads to the spread of infected files

Instant Messaging
• Clients can specify ports to defeat firewalls
• New versions include file transfer features
  – Proprietary data
  – Inappropriate Content
  – Productivity

Modems and Cable Modems
• May be connected to sensitive systems
• Attempted penetration through war-dialing
• Internal access to network should be restricted
• Home Use and telecommuters

Incident Response and Forensics
• Incident response minimizes the impact of security failures. Goal is to detect, isolate, and correct security lapses and intrusions.
• Forensics increases the ability of a company to investigate, remediate and recover in litigation or otherwise the damages caused by a security incident

Emergency Response Considerations
• How Will You Define and Identify an Incident?
• Do You Have the Skill Sets to Respond?
• How Will You Respond? – Ignore, Use to Misinform, or Prosecute?
• Cost vs. Response Time

Reducing Internal Risk within an Organization
• Security Policies and Procedures
• Virtual Private Networks
• Incident Response Procedures
[Toolbox Map]

Questions?

Contact Information
Neil Cooper, CISSP, CISA
• Director, Security and Privacy Practice
• Philadelphia, PA
• 267-330-2518
• [email protected]

Your worlds
Our people
