Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say information security is highly important for their business But Critical Security Gaps Persist… –34% rate themselves less than adequate in ability to determine whether they are under attack –33% rate themselves inadequate to respond to attack And Security Resources Are Skewed –Only 29% make employee awareness and training a top area of focus and spending (compared to 83% who say technology is top information security spending area)
A Never-Ending Challenge (and Getting Worse) We are all targets: –Constant external probes and attacks are now the norm for all size companies (and individuals) connected to the Internet via the web or Financial consequence are enormous: –Skyrocketing fraud and identity theft damages –Frequent denial of service and virus disruptions Estimated cost of viruses and worms =$12.5 billion worldwide in 2003 Only 6% of global companies surveyed by InformationWeek in 2004 report no attack-related downtime – 16% of companies had systems down from 1 to 3 days Companies now spend average of 12% of IT budgets on security
Classifying Security Attacks Passive (eavesdropping) attacks –A hostile party is snooping on your network Risks: –Loss of confidentiality (customer and employee records, contracts, trade secrets, financials, passwords, etc.) –Analysis of your traffic and network use and vulnerability (to be used for future attacks) Active (insertion) attacks –False Identity or message modification in transit (fraud) –Rogue programs (viruses and worms) –Denial of service (network shut down) Security solutions must build on each other to deal with both types of attacks "Authentication" Who are you, basis for everything else "Authorization" Given who you are, what can you do? "Accountability" Given both the above, what did you actually do? "Non-repudiability" Strict proof that nothing has been changed in transit
Risk Management Focus To manage online risks, understand –a) what is possible b) what matters most to you c) what security practices generate the best results Insider attacks Typically cannot be detected until after the fact Must be prevented through internal policies, education and employee awareness Outsider attacks Typically cannot be prevented Must be detected and stopped from causing damage
Biggest Security Fallacy: Focus Primarily on Outsider Attacks Outsider attacks are not preventable by an individual company –They can be costly and disruptive, but are unlikely to threaten long-term competitiveness or survival Average outside attack costs $57,000 at large corporation Insider attacks are often more damaging –Insiders often have vindictive motivation, multiple opportunities and company specific expertise on their side Insider attacks estimated to cause $2.7 million in damages 70% of attacks costing over $100,000 come from inside Such attacks can and have put companies out of business Good internal security policy and practice addresses external risk factors as a side effect
Core Best Practices (CSO Magazine September 2004) Define your overall security architecture and plan in relation to business goals and priorities Create a comprehensive risk assessment process to classify and prioritize threats and vulnerabilities Perform a complete security audit to identify threats to employees and intellectual property (annually) Establish a quarterly review process, with metrics (for example, employee compliance rates) to measure your security's effectiveness. Patch, Update and Test your network and application security on a regular cycle