Slide 2: Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies
Presented by: Tina LaCroix & Jason Witty
Slide 3: Presentation Overview
- Introduction and benefits of InfoSec
- Trends and statistics
- Hacking tools discussion / demonstration
- Proactive threat and vulnerability management
- Security lifecycle
- Recommendations
- Wrap-up / questions
Slide 4: Q: In Today's Down Market, What Can:
- Give your company a competitive advantage?
- Improve your reputation in the eyes of your customer?
- Demonstrate compliance to international and federal privacy laws?
- Improve system uptime and employee productivity?
- Ensure viable eCommerce?
Answer: Information Security.
Slide 5: What's the Problem?
- Your security people have to protect against thousands of security problems.
- Hackers only need one thing to be missed.
- But with appropriate attention given to security, companies can be reasonably well protected.
Slide 6: Some InfoSec Statistics
- General Internet attack trends are showing a 64% annual rate of growth (Riptech)
- The average [security conscious] company experienced 32 attacks per week over the past 6 months (Riptech)
- The average cost of a serious security incident in Q1/Q was approximately $50, (UK Dept of Trade & Industry)
- Several companies experienced single incident losses in excess of $825, (UK Dept of Trade & Industry)
Slide 7: Computer Incident Statistics
- In 1988 there were only 6 computer incidents reported to CERT/CC.
- There were 52,658 reported and handled last year.
Slide 14: Need More Tools?
- has tens of thousands of free hacker tools available for download
Slide 15: Full Disclosure: What's That?
1. When a vulnerability is discovered, all details of that vulnerability are reported to the vendor
2. Vendor then works on a patch for a "reasonable" amount of time
3. Discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited
4. Hopefully the vendor has a patch available by then
Slide 16: Hacker Techniques: The Scary Reality
- Growing trend by some hackers NOT to report vulnerabilities to vendors: KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY
- Exploit services that HAVE to be allowed for business purposes (HTTP, , etc.)
- Initiate attacks from *inside* the network
- It's much easier to destroy than protect!
Slide 18: Start by Acknowledging the Problem... (No More of This)
Slide 19: Security Risk Management Principles
- Information Security is a business problem, not just an IT problem
- Information Security risks need to be properly managed just like any other business risk
- Lifecycle management is essential: there are always new threats and new vulnerabilities to manage (and new systems, technologies, etc.)
Slide 21: Security Risk Management: IT Control Evolution

Year   | "Secure Enough" Control                                                                                       | Security Goal
-------|---------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------
1995   | Stateful firewalls and desktop anti-virus (AV)                                                                | Keep external intruders and viruses out
1997   | Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers                          | Keep external intruders out, but let admins know when they do get in
2000   | Above plus network AV, URL screening, host-based IDS, and VPNs                                                | Control and monitor all network access but allow flexibility
2002   | Above plus strong authentication, application firewalls                                                      | Protect against blended threats
Future | Gateway IDS (GIDS), application-aware proxies, integrated exposure management, standard metrics and measurements | True enterprise security risk management
Slide 22: InfoSec Risk Examples

Threat                      | Damage                                                               | Mitigation Strategies
----------------------------|----------------------------------------------------------------------|-------------------------------------------------------------
Web site defacement         | Loss in customer confidence, loss in revenue                         | IT controls, user education, 24 x 7 monitoring
Data theft                  | Loss of competitive advantage                                        | IT controls, user education, employee screening
Widespread virus infection  | System downtime, loss in productivity, loss or corruption of data    | IT controls, user education, sanitization
Unauthorized network access | Any of the above                                                     | IT controls, user education, network entry point consolidation
Slide 23: Security Risk Management Program
Should include (not an exhaustive list):
- Governance and sponsorship by senior management
- Staff and leadership education
- Implementation of appropriate technical controls
- Written enterprise security policies & standards
- Formal risk assessment processes
- Incident response capabilities
- Reporting and measuring processes
- Compliance processes
- Ties to legal, HR, audit, and privacy teams
Slide 24: Security Risk Management: Education
- One of the largest security risks in your enterprise is untrained employees; this especially includes upper management
- Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk?
- Are users aware of their roles and responsibilities as they relate to information security?
- Are users aware of security policies and procedures?
- Do users know whom to call when there are security problems?
- How many employees would challenge a stranger in the office with no badge?
- Is security an integral part of the systems development lifecycle? Do users know it is?
Slide 25: Security Risk Management: IT Controls
- The average enterprise needs firewalls, intrusion detection, authentication systems, proxies, URL screening, anti-virus, and a slew of other things.
- A major reason we need all of this technology is because systems continue to be shipped / built insecurely!
- Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes
Slide 26: Security Risk Management: Selective Outsourcing
Things you might consider outsourcing:
- The cyber risk itself (insurance, re-insurance)
- filtering and sanitization
- 24 x 7 security monitoring
- 1st level incident response (viruses, etc.)
- Password resets
- Others?
Strong check and balance processes must be in place if anything related to security will be given to a third party.
Slide 27: Wrap Up: What Can You Do Going Forward?
- Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!
- Remember that security is not a "thing" or a one-time event; it is a continual process
- Manage security risks like other business risks
- Conduct periodic security risk assessments that recommend appropriate security controls
- Ensure security is inserted early in project lifecycles
- Support your internal InfoSec team; they have a tough job managing threats and vulnerabilities
Slide 28: Credits
- CERT/CC: http://www.cert.org/present/cert-overview-trends/
- Internet Security Alliance:
- Riptech:
- UK Department of Trade and Industry: