Information Security & Corporate Strategy: Threats to Information Security. Presentation in London, 1998, with notes on changes, 2002. Stephen Cobb, CISSP.



3 Stephen Cobb, CISSP, 2 of 35
This session: What are the threats?
Agenda:
–Terms of reference
–Statistical and empirical data
–Examples of information security breaches and their effects on companies
–Putting threats in perspective
–The main threat categories in more detail
Themes:
Threats may seem technical, but many defenses require non-technical skills
Threats are not constant, and may increase when times are tight
Skills required to deal with these issues are in short supply

4 So, what are the information security needs of the Internet-enabled company?
You need to protect the confidentiality, integrity and availability of data, given that:
A. Private data is now travelling on a public (untrusted) network
B. Your private network is now connected to a public (untrusted) network
C. Your private network users now have access to a public (untrusted) network

5 So who am I to talk about this?
First infosecurity book from the client perspective, 1992
Certified Information System Security Professional
Formerly with the National Computer Security Association
Former Director, Miora Systems Consulting (MSC)
InfoSec Labs, Rainbow Technologies
MSC beat Digital and Entrust in a security services RFP competition, April 98, short-listed with Coopers & Lybrand, Price Waterhouse and CISCO Wheelgroup
Involved in a wide range of authorized penetration tests with a 100% success rate

6 Statistics from the 5th Annual Information Security Survey (Ernst & Young / Computerworld survey, global results from 29 countries)
% of European companies report information security risks have increased this year
Highest security concern:
–network security (86%)
Next highest security concerns:
–end-user security awareness (80%)
–winning top management commitment (80%)

7 Perceived security threats (Ernst & Young / Computerworld survey, global results from 29 countries):
Computer terrorists 28%
Authorized users 26%
Former employees 24%
Unauthorized users 23%
Contractors 19%
55% of companies lacked confidence that their systems could withstand an internal attack. Are these your business partners?

8 Statistics from a 1998 survey by the Computer Security Institute / FBI
64% of companies had incidents of unauthorized use of computer systems within the last 12 months.
More than a third of incidents were from inside.
65% of companies experienced laptop theft.

9 Is it really that bad? YES! And these are just the ones that made the news...
Hong Kong Reuters office hacked: traders at 5 banks lose price data for 36 hours
PA teenager charged with 5 counts of hacking: Southwestern Bell, BellCore, Sprint, and SRI hit; costs to Southwestern Bell alone exceed $500,000
Citibank hit in $10 million hack: Russian hacker had inside help; several $100K not yet recovered
Pair of surveys show 54%-58% of companies lost money due to computer break-ins in 1996
Compaq ships infected PCs: virus taints big Japanese debut
Computer attack knocks out 3,000 web sites: 40 hour shutdown during the busiest shopping season
U.S. government web sites hacked: NASA, Air Force, DoJ, CIA

10 Experience in the field
About 50 information system security penetration assignments in the last 18 months
80% of these were corporations, the rest were state and local government agencies
Some of these clients wanted tests because they lacked confidence in their security, but others asked because they were confident
Number of systems we failed to penetrate: 0
–Average skill level required: 2 on a scale of 5

11 A closer look at one category: web site hacking

12 Hacked by Trix and Vertex

13 But the military would be tougher, right? 1st Communications Squadron, USAF, Langley, Virginia

14 Why? This one was a protest

15 They were not the only ones: bestboard.com, puckplace.com, websignal.com, cybservice.com, threedot.com, yorktours.com, dpss.com, superbio.com, quinx.com, textscape.com, thewharf.com, rebel-tech.com, midtenn.com, biohaz.com, sunsite.ust.hk/, sistematix.com, allwrestling.com, intellus.no/, iposerve.de, saatchi.com/innovation/ and more in the first 3 weeks of Feb 98. Then the hacked site was hacked!

16 But what’s the harm?
Web servers may be a path to internal systems
Web servers may reveal information that can be leveraged to access internal systems
Lost time, lost customers and confidence
Lost revenue (if the site is doing e-commerce)
But probably the biggest harm: reputations – personal, professional and corporate


18 We need perspective on these threats
Why are we having these problems now?
–Same old problems, different manifestation?
–Deep-rooted problems only now coming to light
Who is causing these problems?
–Threat agent assessment
–Threats vary according to social and economic factors, such as redundancies, downsizing

19 That was then --- This is now
Then: Glass house. Now: Distributed computing.
Then: Limited attack points. Now: Multiple attack points.
Then: Limited vulnerabilities. Now: Vulnerable technology.
Then: Trustworthy friends and known enemies. Now: The best of friends may not have the best security.
Then: Computer knowledge and networks limited. Now: Widespread computer literacy and connectivity.
Then: Clear motives. Now: Mixed motives.

20 Data on the level of threat are hard to find, but we can ask: who is likely to be a problem?
Sample table of responses from security officers (subject to change due to social and economic factors)

21 Map threats relative to technical skills and business knowledge

22 This was an early version of the government’s critical infrastructure protection plan, circa 1998


24 LANs to WANs to GANs: problems long postponed are finally catching up

25 The rush to deploy technology means the wrong tools are used, and warnings go unheeded

“Don't rely on hidden variables for security.” WWW Security FAQ, 1995. Bank access page using hidden variables, 1998.

26 Penetration plan (from Information Warfare: Principles & Operations, E. Waltz, 1998):
Gather data
Map resources
Probe for access
Exploit holes
Escalate access
Execute plans

27 Threat: viruses
Large US bank, assets $50 billion+
Computer virus brought down operations for 2 days
Infected 90% of the bank's 300 file servers and 10,000 client workstations across 6 cities in 4 states.
Production data was not damaged, but the company’s balance sheet was, by at least $400,000.
Recent studies show the average cost of recovering from a virus incident on a network = $10,000 to $15,000
But as much as $1 million has been lost in a single virus incident!

28 Top 8 viruses = 54% of incidents, according to Virus Bulletin and Joe Wells’ Wild List, January 98

29 One virus = 77% of incidents, according to Virus Bulletin and Joe Wells’ Wild List, August 2002

30 Other malicious code
Logic bomb: dormant code inserted within a larger program, activation of which causes harm (e.g. the recent $10 million Omega case)
Trojan Horse: a program designed to appear legitimate in order to enter a system and execute its own agenda (e.g. the AIDS disk)
Worm: a program which copies itself many times over, hogging space and other resources, without permission (e.g. the Internet worm, 1988)
Active content (Java, ActiveX)

31 Virus types
Boot sector
File viruses
Multi-partite
Macro viruses
Virtual (hoax) viruses
Miscellaneous
Let’s take a look at how a typical computer virus infection spreads... (diagram: infected home PC, office PC, infected server, infected company network)

32 Threat: insider abuse, a major threat to company secrets
Exploited by competitors
–American v. Northwest
–GM and VW
Exploited by partners
–BA v. Virgin
–others
By government agencies
–sting operations, piracy
Former General Motors employee Lopez allegedly stole approximately 90,000 text pages of trade secrets, transferring them from the US to Germany via GM's intranet and then downloading them onto VW's computers... It cost Lopez his job. VW paid over $100 million to GM to settle the case.

33 Do people really do that? Yes, they do!
October 1996: Daniel Worthing obtained work at PPG Industries through a contract with Affiliated Building Services. He began to stockpile proprietary information, including special formulas relating to new products such as an experimental fiberglass. When he tried to sell to PPG’s competitor, Owens-Corning Fiberglass, they turned him in to the FBI. He pled guilty to the theft of proprietary information. Value? $20 million!

34 Do people really do that?
The United States counterintelligence community has specifically identified the suspicious collection and acquisition activities of foreign entities from at least 23 countries. (NACIC 1997 Annual Report on Foreign Economic Collection & Industrial Espionage)
1998 CSI/FBI study:
Unauthorized access by employees: 44%
Denial of service attacks: 25%
System penetration from the outside: 24%
Theft of proprietary information: 18%
Incidents of financial fraud: 15%
Sabotage of data or networks: 14%

35 ... and mindless attacks continue
Hackers broke into the computer systems belonging to a clinic in the UK and altered the medical records of 6 patients who had just been screened for cancer, switching test results from negative to positive; those patients spent several days thinking that they had cancer.
The night before a patient was due to have a brain tumor removed, hackers broke into the computer where the tests were stored and corrupted the database. Surgery had to be postponed while the tests were redone.
Source: Richard Pethia, CERT, Software Engineering Institute (SEI), Pittsburgh
Why? “Because We Can”, slogan from DEF CON III, Las Vegas, 1995

36 Thank You! Questions? Email me at sc at cobb associates dot com. Visit

