The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security Risk Solutions
Mission To prevent, detect and respond to acts that could impact the ability of a company to provide essential services. To maintain public/customer confidence in a company’s ability to ensure the confidentiality, integrity and availability of information and services. To enable a company to pursue business opportunities while meeting security and privacy commitments. To create a culture where security is an integral part of the business governance process. To prevent, detect and respond to acts that could impact the ability of a company to provide essential services. To maintain public/customer confidence in a company’s ability to ensure the confidentiality, integrity and availability of information and services. To enable a company to pursue business opportunities while meeting security and privacy commitments. To create a culture where security is an integral part of the business governance process.
Key Drivers The Need to Deliver Trust to Customers, Partners and Staff Legal/Regulatory ISO17799/ISF/BITS/COSO/COBIT Security Standards Company Policy, Standards and Practices Internal Audit Practices and Procedures The Need to Deliver Trust to Customers, Partners and Staff Legal/Regulatory ISO17799/ISF/BITS/COSO/COBIT Security Standards Company Policy, Standards and Practices Internal Audit Practices and Procedures
Operating Assumptions All companies are targets All technology is vulnerable to intrusion Web commerce systems are the windows to the company Internet based Malware is a prevalent reality What is secure today, won’t be tomorrow Ongoing assessment is mandatory Security is a Journey NOT a Destination Metrics – If You Can’t Measure It, You Can’t Manage It! All companies are targets All technology is vulnerable to intrusion Web commerce systems are the windows to the company Internet based Malware is a prevalent reality What is secure today, won’t be tomorrow Ongoing assessment is mandatory Security is a Journey NOT a Destination Metrics – If You Can’t Measure It, You Can’t Manage It!
Some Top Concerns Not Having An Effective Vulnerability/Patch Management Process. Not Using Vulnerability Assessment and IDS/IPS Tools. Not Analyzing Source Code. Not Having Effective End Point Security. Not Having Effective Application Level Security. Having Improperly Secured Remote Access. Unprotected Laptop Computers Being Stolen. Ineffective Security For Web Services. Not Having An Effective Vulnerability/Patch Management Process. Not Using Vulnerability Assessment and IDS/IPS Tools. Not Analyzing Source Code. Not Having Effective End Point Security. Not Having Effective Application Level Security. Having Improperly Secured Remote Access. Unprotected Laptop Computers Being Stolen. Ineffective Security For Web Services.
Some Top Concerns Having Improperly Configured Firewalls & Servers. Not Having Effective Security Over Stored and Transmitted Data. Using Non-secured for Restricted/Private Information. Not “Pen-Testing” Internet Based Applications. Not Analyzing Security Event Logs Not Changing/Deleting Entitlements after Changes in Job or Employment Status. Not Effectively Communicating with Business Management and the Board. Having Improperly Configured Firewalls & Servers. Not Having Effective Security Over Stored and Transmitted Data. Using Non-secured for Restricted/Private Information. Not “Pen-Testing” Internet Based Applications. Not Analyzing Security Event Logs Not Changing/Deleting Entitlements after Changes in Job or Employment Status. Not Effectively Communicating with Business Management and the Board.
Classification of Threat First Generation Spread via , or sharing files, disks, etc. Examples would be the common viruses of the 80s/90s. Remedy: Human action and anti-virus programs Spread via , or sharing files, disks, etc. Examples would be the common viruses of the 80s/90s. Remedy: Human action and anti-virus programs
Classification of Threat Second Generation Threat: usually self propagating worms. Leverage known vulnerabilities. Mostly non-destructive. Remedy: Identify the vulnerability and fix ASAP. Threat: usually self propagating worms. Leverage known vulnerabilities. Mostly non-destructive. Remedy: Identify the vulnerability and fix ASAP.
Classification of Threat Third Generation Leverage known and unknown vulnerabilities where patches may not be available. May be targeted attacks. May hide behind encryption. Attacks aimed at obtaining information, including phishing/pharming. Remedy: Automated vulnerability management tools and processes. Leverage known and unknown vulnerabilities where patches may not be available. May be targeted attacks. May hide behind encryption. Attacks aimed at obtaining information, including phishing/pharming. Remedy: Automated vulnerability management tools and processes.
2005 Symantec Report Based on 24,000 Sensors in 180 Companies Increasing use of sophisticated, Worms, Trojans, and Bots sold to the highest bidder. Information Theft is on the rise: 74% of code submitted could steal information. Almost 11,000 new Malware programs identified in first half of 2005; up 48% over Increase in number of Phishing attacks. Average time from disclosing an exploit to a working attack: 6 days. Average time between exploit and patch release: 54 Days Biggest Threat: worms, trojans, viruses and bots. Number of attacks is decreasing - severity of attacks is increasing. Increasing use of sophisticated, Worms, Trojans, and Bots sold to the highest bidder. Information Theft is on the rise: 74% of code submitted could steal information. Almost 11,000 new Malware programs identified in first half of 2005; up 48% over Increase in number of Phishing attacks. Average time from disclosing an exploit to a working attack: 6 days. Average time between exploit and patch release: 54 Days Biggest Threat: worms, trojans, viruses and bots. Number of attacks is decreasing - severity of attacks is increasing.
Vulnerability-to-Exploit Window Vulnerability Discovered Vendor Notified Patch Release Last System Patched
2005 CSI/FBI Security Survey 700 Respondents vs. 494 in 2004 Causes of Financial Loss Viruses42.8M Unauthorized Access31.2M Theft of Information30.9M DOS 7.3M 700 Respondents vs. 494 in 2004 Causes of Financial Loss Viruses42.8M Unauthorized Access31.2M Theft of Information30.9M DOS 7.3M
2005 CSI/FBI Security Survey Security Technology Used Firewalls 97% Antivirus 96% IDS 72% Server Based ACLs 70% Encrypting Data in Transit 68% Encrypted Files 46% Password Tokens 42% Biometrics 15% Security Technology Used Firewalls 97% Antivirus 96% IDS 72% Server Based ACLs 70% Encrypting Data in Transit 68% Encrypted Files 46% Password Tokens 42% Biometrics 15%
Need To Look At Additional Tools Risk, Vulnerability & Remediation Management Vulnerability Assessments & Threat Alerts Impact Assessment Patch Validation & Distribution Anti-phishing/anti-pharming tools Identity & Access Management End Point Security Products Event Log Analyzers Network Security Intelligence Source Code Analysis Web Services/XML Security Tools Risk, Vulnerability & Remediation Management Vulnerability Assessments & Threat Alerts Impact Assessment Patch Validation & Distribution Anti-phishing/anti-pharming tools Identity & Access Management End Point Security Products Event Log Analyzers Network Security Intelligence Source Code Analysis Web Services/XML Security Tools
People-WhoProcess-WhatTechnology-How Prevention Awareness Programs Security Training Policy & Standards Trust Permit Risk Acceptance Anti-Virus ID & Access Management App. Code Review Detection Security Report Violation Logs Event Logs IDS Report Analysis Violation Analysis Tools IDS Event Log Analysis Tools Investigation & Forensics Cyber Security Investigators SIRT Data Mirroring/Forensics Tools Recovery & Reconstitution Verification & Validation Metrics Pen Testing War Games Assessment Tools Remediation Verification App. Code Analysis Security & Risk Framework
Thank You