Information Security & Corporate Strategy: Threats to Information Security
Presentation in London, 1998, with notes on changes, 2002
Stephen Cobb, CISSP
Slide 2 of 35
This session: What are the threats?
Agenda:
– Terms of reference
– Statistical and empirical data
– Examples of information security breaches and their effects on companies
– Putting threats in perspective
– The main threat categories in more detail
Themes:
– Threats may seem technical, but many defenses require non-technical skills
– Threats are not constant; they may increase when times are tight
– Skills required to deal with these issues are in short supply
Slide 3 of 35
So what are the information security needs of the Internet-enabled company?
You need to protect the confidentiality, integrity and availability of data, given that:
A. Private data is now travelling on a public (untrusted) network
B. Your private network is now connected to a public (untrusted) network
C. Your private network users now have access to a public (untrusted) network
Slide 4 of 35
So who am I to talk about this?
– First infosecurity book from the client perspective, 1992
– Certified Information Systems Security Professional (CISSP)
– Formerly with the National Computer Security Association
– Former Director, Miora Systems Consulting (MSC)
– InfoSec Labs, Rainbow Technologies
– MSC beat Digital and Entrust in a security services RFP competition, April 1998, and was short-listed with Coopers & Lybrand, Price Waterhouse and Cisco WheelGroup
– Involved in a wide range of authorized penetration tests with a 100% success rate
Slide 5 of 35
Statistics from the 5th Annual Information Security Survey:
– % of European companies report that information security risks have increased this year
– Highest security concern: network security (86%)
– Next highest security concerns: end-user security awareness (80%); winning top management commitment (80%)
Source: Ernst & Young / Computerworld survey, global results from 29 countries

Slide 6 of 35
Perceived security threats:
– Computer terrorists 28%
– Authorized users 26%
– Former employees 24%
– Unauthorized users 23%
– Contractors 19%
Source: Ernst & Young / Computerworld survey, global results from 29 countries
55% of companies lacked confidence that their systems could withstand an internal attack. Are these your business partners?

Slide 7 of 35
Statistics from a 1998 survey by the Computer Security Institute / FBI:
– 64% of companies had incidents of unauthorized use of computer systems within the last 12 months
– More than a third of incidents were from inside
– 65% of companies experienced laptop theft
Slide 8 of 35
– Hong Kong Reuters office hacked: traders at 5 banks lose price data for 36 hours
– PA teenager charged with 5 counts of hacking: Southwestern Bell, Bellcore, Sprint and SRI hit; costs to Southwestern Bell alone exceed $500,000
– Citibank hit in $10 million hack: Russian hacker had inside help; several hundred thousand dollars not yet recovered
– Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996
– Compaq ships infected PCs: virus taints big Japanese debut
– Computer attack knocks out 3,000 web sites: 40-hour shutdown during the busiest shopping season
– U.S. government web sites hacked: NASA, Air Force, DoJ, CIA
Is it really that bad? YES! And these are just the ones that made the news....
Slide 9 of 35
Experience in the field:
– About 50 information system security penetration assignments in the last 18 months
– 80% of these were corporations; the rest were state and local government agencies
– Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident
– Number of systems we failed to penetrate: 0
– Average skill level required: 2 on a scale of 5
Slide 10 of 35
A closer look at one category: web site hacking

Slide 11 of 35
Hacked by Trix and Vertex

Slide 12 of 35
But the military would be tougher, right? 1st Communications Squadron, USAF, Langley, Virginia

Slide 13 of 35
Why? This one was a protest

Slide 14 of 35
They were not the only ones: bestboard.com, puckplace.com, websignal.com, cybservice.com, threedot.com, yorktours.com, dpss.com, superbio.com, quinx.com, textscape.com, thewharf.com, rebel-tech.com, midtenn.com, biohaz.com, sunsite.ust.hk/, sistematix.com, allwrestling.com, intellus.no/, iposerve.de, saatchi.com/innovation/, and more in the first 3 weeks of February 1998. Then the hacked site was hacked!

Slide 15 of 35
But what's the harm?
– Web servers may be a path to internal systems
– Web servers may reveal information that can be leveraged to access internal systems
– Lost time, lost customers and lost confidence
– Lost revenue (if the site is doing e-commerce)
But probably the biggest harm: reputations – personal, professional and corporate
Slide 17 of 35
We need perspective on these threats
Why are we having these problems now?
– Same old problems, different manifestation?
– Deep-rooted problems only now coming to light?
Who is causing these problems?
– Threat agent assessment
– Threats vary according to social and economic factors, such as redundancies and downsizing

Slide 18 of 35
That was then | This is now
Glass house | Distributed computing
Limited attack points | Multiple attack points
Limited vulnerabilities | Vulnerable technology
Trustworthy friends and known enemies | The best of friends may not have the best security
Computer knowledge and networks limited | Widespread computer literacy and connectivity
Clear motives | Mixed motives

Slide 19 of 35
Data on the level of threat are hard to find, but we can ask: who is likely to be a problem? Sample table of responses from security officers, subject to change due to social and economic factors

Slide 20 of 35
Map threats relative to technical skills and business knowledge

Slide 21 of 35
This was an early version of the government's critical infrastructure protection plan, circa 1998
Slide 23 of 35
LANs to WANs to GANs: problems long postponed are finally catching up

Slide 24 of 35
The rush to deploy technology means the wrong tools are used, and warnings go unheeded