
Tina LaCroix & Jason Witty


Presentation on theme: "Tina LaCroix & Jason Witty" — Presentation transcript:


2 Tina LaCroix & Jason Witty
Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies
Presented by: Tina LaCroix & Jason Witty

3 Presentation Overview
Introduction and Benefits of InfoSec
Trends and Statistics
Hacking Tools Discussion / Demonstration
Proactive Threat and Vulnerability Management
Security Lifecycle Recommendations
Wrap-up / Questions

4 Q: In Today’s Down Market, What Can:
Give your company a competitive advantage?
Improve your reputation in the eyes of your customer?
Demonstrate compliance to international and federal privacy laws?
Improve system uptime and employee productivity?
Ensure viable eCommerce?
Answer: Information Security.

5 What’s the Problem?
Your security people have to protect against thousands of security problems. Hackers only need one thing to be missed. But with appropriate attention given to security, companies can be reasonably well protected.

6 Some InfoSec Statistics
General Internet attack trends are showing a 64% annual rate of growth – Riptech
The average [security conscious] company experienced 32 attacks per week over the past 6 months – Riptech
The average cost of a serious security incident in Q1/Q was approximately $50, – UK Dept of Trade & Industry
Several companies experienced single incident losses in excess of $825, – UK Dept of Trade & Industry

7 Computer Incident Statistics
In 1988 there were only 6 computer incidents reported to CERT/CC. There were 52,658 reported and handled last year.

8 General Trends in Attack Sophistication

9 Information Security Threats: Attackers
Bored IT guys...
“Hacktivists”
Competitors
Ex-employees
Terrorists
Disgruntled employees
Real system crackers (hackers)
The infamous “script kiddie”

10 Hacker Tools: Web Hacking

11 More Web Hacking Tools

12 Password Cracking Tools

13 Password Cracking: Windows

14 Need More Tools? has tens of thousands of free hacker tools available for download

15 Full Disclosure: What’s That?
When a vulnerability is discovered, all details of that vulnerability are reported to the vendor
Vendor then works on a patch for a “reasonable” amount of time
Discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited
Hopefully the vendor has a patch available

16 Hacker Techniques: The Scary Reality
Growing trend by some hackers NOT to report vulnerabilities to vendors – KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY
Exploit services that HAVE to be allowed for business purposes (HTTP, , etc.)
Initiate attacks from *inside* the network
It’s much easier to destroy than protect!

17 So How Do We Protect Against All of This?

18 Start by Acknowledging the Problem…
(No More of This)

19 Security Risk Management Principles
Information Security is a business problem, not just an IT problem
Information Security risks need to be properly managed just like any other business risk
Lifecycle management is essential – there are always new threats and new vulnerabilities to manage (and new systems, technologies, etc.)

20 Proactive Threat and Vulnerability Management
Internal Security Risk Management Program
User Education
Selective Outsourcing / Partnerships

21 Security Risk Management: IT Control Evolution
Year / “Secure Enough” Control / Security Goal
1995: Stateful firewalls and desktop anti-virus (AV). Goal: keep external intruders and viruses out.
1997: Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers. Goal: keep external intruders out, but let admins know when they do get in.
2000: Above plus network AV, URL screening, host-based IDS, and VPNs. Goal: control and monitor all network access but allow flexibility.
2002: Above plus strong authentication and application firewalls. Goal: protect against blended threats.
Future: Gateway IDS (GIDS), application-aware proxies, integrated exposure management, standard metrics and measurements. Goal: true enterprise security risk management.

22 InfoSec Risk Examples
Threat / Damage / Mitigation Strategies
Web site defacement: loss in customer confidence, loss in revenue. Mitigation: IT controls, user education, 24 x 7 monitoring.
Data theft: loss of competitive advantage. Mitigation: IT controls, user education, employee screening.
Wide-spread virus infection: system downtime, loss in productivity, loss or corruption of data. Mitigation: IT controls, user education, sanitization.
Unauthorized network access: any of the above. Mitigation: IT controls, user education, network entry point consolidation.

23 Security Risk Management Program
Should include (not an exhaustive list):
Governance and sponsorship by senior management
Staff and leadership education
Implementation of appropriate technical controls
Written enterprise security policies & standards
Formal risk assessment processes
Incident response capabilities
Reporting and measuring processes
Compliance processes
Ties to legal, HR, audit, and privacy teams

24 Security Risk Management: Education
One of the largest security risks in your enterprise is untrained employees – this especially includes upper management
Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk?
Are users aware of their roles and responsibilities as they relate to information security?
Are users aware of security policies and procedures?
Do users know who to call when there are security problems?
How many employees would challenge a stranger in the office with no badge?
Is security an integral part of the systems development lifecycle? Do users know it is?

25 Security Risk Management: IT Controls
The average enterprise needs firewalls, intrusion detection, authentication systems, proxies, URL screening, anti-virus, and a slew of other things.
A major reason we need all of this technology is because systems continue to be shipped / built insecurely!
Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes.

26 Security Risk Management: Selective Outsourcing
Things you might consider outsourcing:
The cyber risk itself (insurance, re-insurance)
filtering and sanitization
24 x 7 security monitoring
1st level incident response (viruses, etc.)
Password resets
Others?
Strong check and balance processes must be in place if anything related to security will be given to a 3rd party.

27 Wrap Up: What Can You Do Going Forward?
Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!
Remember that security is not a “thing” or a one-time event, it is a continual process...
Manage security risks like other business risks
Conduct periodic security risk assessments that recommend appropriate security controls
Ensure security is inserted early in project lifecycles
Support your internal InfoSec team – they have a tough job managing threats and vulnerabilities

28 Credits
CERT/CC –
Internet Security Alliance –
Riptech –
UK Department of Trade and Industry –

29 Questions?
