Why Security Architectures Fail - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

Why Security Architectures Fail

Description:

Internet Security is Weak and Breaches are Costly ... Security concerns often delay the implementation of Internet-based technologies ... – PowerPoint PPT presentation

Number of Views:78
Avg rating:3.0/5.0
Slides: 31
Provided by: pierr96
Category:

less

Transcript and Presenter's Notes

Title: Why Security Architectures Fail


1
Why Security Architectures Fail
2
Internet Age Why Security Architectures Fail
Pierre NoelCEO - ICSA.net Asia Pacific
3
Agenda
  • Introduction
  • eCommerce Survey
  • Todays Security
  • Enterprise Security with an Internet Approach
  • Looking in the past
  • Security Evolution
  • Requirements
  • Conclusion

4
Introduction
  • The Black Hat Briefings is a pool of expertise
    when dealing with technical Internet Security
    Issues
  • The purpose of this presentation is to provide an
    operational feedback to the way Internet Security
    has been often dealt with

5
Introduction
  • Food for thoughts
  • Sharing from our companys experience in dealing
    with customers IT security
  • Distance and Strategic Thinking
  • Give elements to enable IS managers to take some
    distance to the problems, and analyze the
    situation from a different angle

6
How is Internet Security Perceived?
7
Survey - 1998
  • In a 1998 CommerceNet Survey on the barriers and
    inhibitors to eCommerce four out of the five
    most important inhibitors were security-related
  • Need for Privacy Protection
  • Integrity of Data
  • Authentication
  • Legal Framework

8
Survey - 1999
  • These Security-related inhibitors have been
    pushed back to rank 20 to 50
  • Should we infer that security is no longer an
    inhibitor to eCommerce?
  • Does that mean that solutions have been found to
    overcome these security inhibitors?

9
The Reality behind the Survey
  • Reality 1 - In Business-Oriented organizations,
    Business comes First, Security comes Second
  • Security solutions have not been found, its just
    that these companies could not wait any longer!
  • Reality 2 - Many companies took the excuse of
    security as a façade to mask an inability to
    adapt their Business to eCommerce

10
The Need For A New Approach To Web Security
11
Todays Corporate Security Worse Than Expected
ICSA Vulnerability Study May 1999
Over 70 of sites with firewalls still
vulnerable to known attacks Over 60 of sites
susceptible to denial of service attacks Over
80 don't know what's on their network
visible over the Internet Over 80 have
insufficient or inadequate security policies
12
Internet Security is Weak and Breaches are Costly
  • 256,000 average loss for security breaches
    during 1998
  • 28 new high priority security vulnerabilities
    logged and distributed each month by ICSA Labs
  • 200-300 new viruses released each month with
    about 5 making it to the wildlist
  • 93 mil. estimated cost of the Melissa virus to
    U.S. businesses

13
Why Are Companies So Vulnerable?
  • Most companies...
  • Have a multi-vendor, heterogeneous network
    environment
  • Have security vulnerabilities in many areas
  • Have problems keeping up with the knowledge
    required to maintain a good secure environment
  • Are interfacing with vendors/partners/customers
    in ways that were not previously possible
  • Have a limited ability to effectively manage
    security

14
Companies handling of Internet Security
  • Security is not well understood or easy to
    manage.
  • Threats change every day
  • Technology changes every day
  • Organizations are scrambling to find expertise.

Enterprises skill levels are lagging. They
require much more hand holding than ever before.
15
Technology Inhibitors to eBusiness Deployment
  • Security concerns often delay the implementation
    of Internet-based technologies
  • Risks are difficult to quantify
  • Liability seems too high

Information overload inhibits decisions and
actions
16
Security Needs anInternet Approach
17
Inadequacy of Solutions
  • The solutions put in place by enterprises to
    minimize their security exposure are often
    missing the point
  • The Product-Solves-it-all problem
  • Too much investment in technology, too little in
    support and education
  • Inadequacy of the solution and false confidence
    feeling

18
The Great Wall
19
The Great Wall
  • Are Analogies too Simplistic?
  • Threats
  • Multiple Barbarians Invasions from the North
  • Solution
  • To erect a wall to prevent invasions by
    horse-ridden Invaders
  • Validity
  • Very valid
  • as long as

20
The Great Wall
  • as long as nobody came up with a better idea,
    such as
  • In History, the invention, design and utilization
    of a plane to fly over the Great Wall was a
    process that could have taken Centuries
  • ...Giving plenty of time for the defenders to
    assess the new nature of threats and provide a
    counter-solution
  • Such as putting Canon Guns on top of the Wall.
  • Long-lasting defense strategies
  • Designed by the strategists, the army general etc

21
The Great Wall at Internet Speed
  • With the Internet comes the Internet Speed
  • Things change. Threats evolve at a fantastic pace
  • A Solution Today
  • Can never be total
  • Dont waste your time, you dont have too much of
    it
  • Can never be frozen
  • Adaptable and Manageable

22
Looking behindThe Maginot Line
23
The Maginot Line
France 1929, under the leadership of André
Maginot - the then Minister of War - started the
greatest construction work in Europe, designed to
protect France against possible invasion from
Germany. This was to be a permanent mark in the
pages of history which would secure France from
any further wars. This line certainly became a
permanent mark in history. But merely as an
unsuccessful oddity, a useless line that was to
be passed-by. It is not right to judge the whole
original plan, it simply was much too ambitious
and everyone expected too much from it. After all
the money was spent there was no more funds for
building fortresses along the Belgian border, and
the French military leaders held firm in their
belief of the impenetrability of the Ardennes
Forest. In 1940 the Germans took advantage and
actually came through theForest bypassing the
Maginot Line.
24
A Point-Answer to a Point-Problem
  • The Maginot Line was conceptually a superb
    element of defense against invasions
  • What it built was merely self-confidence on the
    defending-side
  • The project was so ambitious that it never got
    fully terminated
  • The Germans didnt even bother attacking the
    place, this was not needed
  • Typical case of a security architecture that
    politely request the assailants to do exactly
    what they are told

25
Whats fundamentally Wrong
  • Maginot Line leading to Security Architectures
  • Are a point-answer to a point-problem
  • Usually assume a long process to providing a
    stable enabling -infrastructure
  • The goals and blueprints are almost never met
  • even when met, they dont fulfill the goal
  • Security Architectures have a goal to provide
    100 security
  • Static in nature, it is inadequate for protecting
    against Internet Security threats

26
Internet Security Threats
  • Not necessarily motivated by standard financial
    considerations
  • Internet attacks are not necessarily intended
    against the valuable assets. Standard Risk
    Assessments dont apply
  • Paradigm-Shift
  • From an eCommerce perspective, we cant simply
    block the user from accessing the data
  • Ever Changing nature
  • How many new types of attacks from the Internet
    during the past 24 months?

27
Internet Security in its Dynamic Nature
28
Security Evolution _at_ Internet Time
29
Security Evolution - Adaptive Protection
30
Security Evolution - Static Protection
31
So
  • Rather than to focus on bringing a theoretically
    flawless security architecture - which does not
    exist - it is more important to focus on
  • A continuously adapting solution (to dynamically
    adjust to new threats)
  • Invest in the education and ensure the focus of
    the operating team
  • Find a feed to be kept current

32
Whats Required
  • Focus Knowledge
  • Its a three-dimensional Chess Game, where the
    whites are allowed to invent new weapons.
  • Awareness
  • You are Programming Satans Computer Ross
    Anderson

33
Conclusions
  • The Need for reducing the Internets Security
    Exposure is evident
  • Not at any cost though
  • Static or Frozen Solutions, of any kind, are to
    be avoided
  • More than revolutionary ideas, pragmatism,
    awareness and a unalterable focus deliver

34
Pierre NoelCEO - ICSA.net Asia Pacific
Write a Comment
User Comments (0)
About PowerShow.com