Transcript Document

Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies
Presented By: Tina LaCroix & Jason Witty
Presentation Overview
• Introduction and Benefits of InfoSec
• Trends and Statistics
• Hacking Tools Discussion / Demonstration
• Proactive Threat and Vulnerability Management
• Security Lifecycle
• Recommendations
• Wrap-up / Questions
Q: In Today’s Down Market, What Can:
• Give your company a competitive advantage?
• Improve your reputation in the eyes of your customer?
• Demonstrate compliance to international and federal privacy laws?
• Improve system uptime and employee productivity?
• Ensure viable eCommerce?
Answer: Information Security.
What’s the Problem?
Your security people have to protect against
thousands of security problems.
Hackers only need one thing to be missed.
But with appropriate attention given to
security, companies can be
reasonably well protected.
Some InfoSec Statistics
• General Internet attack trends are showing a 64%
annual rate of growth – Riptech
• The average [security conscious] company
experienced 32 attacks per week over the past 6
months – Riptech
• The average cost of a serious security incident in
Q1/Q2 2002 was approximately $50,000
- UK Dept of Trade & Industry
• Several companies experienced single
incident losses in excess of $825,000
- UK Dept of Trade & Industry
Computer Incident Statistics
• In 1988 there were only 6 computer incidents reported to CERT/CC.
• There were 52,658 reported and handled last year.
[Chart: Number of Incidents Handled by CERT/CC, 1988–2001 (y-axis 0 to 60,000)]
General Trends in Attack Sophistication
Over Time, Attacks have Gotten More Complex, While Knowledge Required to Attack has Gone WAY Down
[Chart, 1988–2001, scale 0 to 10: "Level of Damage Capable" rising over time while "Level of Knowledge required" falls]
Information Security Threats: Attackers
• Bored IT guys…
• “Hacktivists”
• Competitors
• Ex-employees
• Terrorists
• Disgruntled employees
• Real system crackers (Hackers)
• The infamous “script kiddie”
Hacker Tools: Web Hacking
More Web Hacking Tools
Password Cracking Tools
Password Cracking: Windows
Need More Tools?
http://www.packetstormsecurity.org has tens of thousands of free
hacker tools available for download
Full Disclosure: What’s That?
• When a vulnerability is discovered, all details of that
vulnerability are reported to the vendor
• Vendor then works on a patch for a “reasonable” amount of
time
• Discoverer of the vulnerability then releases full details of
the problem found, and typically, a tool to prove it can be
exploited
• Hopefully the vendor has a patch available
Hacker Techniques:
The Scary Reality
• Growing trend by some hackers NOT to
report vulnerabilities to vendors – KEEP
EXPLOITS UNPUBLISHED AND
KNOWN ONLY TO THE HACKER
COMMUNITY
• Exploit services that HAVE to be allowed for
business purposes (HTTP, E-Mail, etc.)
• Initiate attacks from *inside* the network
• It’s much easier to destroy than protect!
So How Do We
Protect Against
All of This?
Start by Acknowledging the
Problem…
(No More of This)
Security Risk Management
Principles
• Information Security is a business problem, not
just an IT problem
• Information Security risks need to be properly
managed just like any other business risk
• Lifecycle management is essential – there are
always new threats and new vulnerabilities
to manage (and new systems,
technologies, etc., etc.)
Proactive Threat and
Vulnerability Management
• Internal Security Risk Management Program
• User Education
• Selective Outsourcing / Partnerships
Security Risk Management: IT Control Evolution

Year | “Secure Enough” Control | Security Goal
1995 | Stateful firewalls and desktop anti-virus (AV) | Keep external intruders and viruses out
1997 | Above plus Network Intrusion Detection Systems (N-IDS) and application proxy servers | Keep external intruders out, but let admins know when they do get in
2000 | Above plus Network AV, URL Screening, Host Based IDS, and VPNs | Control and monitor all network access but allow flexibility
2002 | Above plus strong authentication, application firewalls | Protect against blended threats
Future | Gateway IDS (GIDS), application aware proxies, integrated exposure management, standard metrics and measurements | True enterprise security risk management
InfoSec Risk Examples

Threat | Damage | Mitigation Strategies
Web Site Defacement | Loss in customer confidence, loss in revenue | IT Controls, User Education, 24 x 7 monitoring
Data theft | Loss of competitive advantage | IT Controls, User Education, employee screening
Wide-spread Virus infection | System downtime, loss in productivity, loss or corruption of data | IT Controls, User Education, email sanitization
Unauthorized network access | Any of the above | IT Controls, User Education, network entry point consolidation
Security Risk Management Program
Should include (not an exhaustive list):
• Governance and sponsorship by senior management
• Staff and leadership education
• Implementation of appropriate technical controls
• Written enterprise security policies & standards
• Formal risk assessment processes
• Incident response capabilities
• Reporting and measuring processes
• Compliance processes
• Ties to legal, HR, audit, and privacy teams
Security Risk Management:
Education
• One of the largest security risks in your enterprise is
untrained employees – this especially includes upper
management
• Who cares what technology you have if an employee will
give their password over the phone to someone claiming to
be from the help desk?
• Are users aware of their roles and responsibilities
as they relate to information security?
• Are users aware of security policies and
procedures?
• Do users know who to call when there are
security problems?
Security Risk Management:
IT Controls
• The average enterprise needs Firewalls, Intrusion
Detection, Authentication Systems, Proxies, URL
Screening, Anti-Virus, and a slew of other things.
• A major reason we need all of this technology is
because systems continue to be shipped / built
insecurely!!!
• Every one of us needs to push vendors
to ship secure software, and to include
security testing in their QA processes
Security Risk Management:
Selective Outsourcing
Things you might consider outsourcing:
• The cyber risk itself (Insurance, Re-insurance)
• Email filtering and sanitization
• 24 x 7 security monitoring
• 1st level incident response (viruses, etc.)
• Password resets
• Others?
Wrap Up: What Can You Do Going Forward?
1. Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!
2. Remember that security is not a “thing” or a one-time event; it is a continual process.
3. Manage security risks like other business risks
4. Conduct periodic security risk assessments that
recommend appropriate security controls
5. Ensure security is inserted early in project
lifecycles
6. Support your internal InfoSec team – they
have a tough job managing threats and
vulnerabilities
Credits
• CERT/CC – http://www.cert.org/present/cert-overview-trends/
• Internet Security Alliance – http://www.isalliance.org
• Riptech – http://www.riptech.com
• UK Department of Trade and Industry –
https://www.security-survey.gov.uk/View2002SurveyResults.htm
Questions?