The Difficult Road To Cybersecurity - PowerPoint PPT Presentation

1
The Difficult Road To Cybersecurity
  • Steve Katz, CISSP
  • Security Risk Solutions
  • 631-692-5175
  • stevekatz_at_securityrisksolutions.org

2
Mission
  • To prevent, detect and respond to acts that could
    impact the ability of a company to provide
    essential services.
  • To maintain public/customer confidence in a
    company's ability to ensure the confidentiality,
    integrity and availability of information and
    services.
  • To enable a company to pursue business
    opportunities while meeting security and privacy
    commitments.
  • To create a culture where security is an integral
    part of the business governance process.

3
Key Drivers
  • The Need to Deliver Trust to Customers, Partners
    and Staff
  • Legal/Regulatory
  • ISO17799/ISF/BITS/COSO/COBIT Security Standards
  • Company Policy, Standards and Practices
  • Internal Audit Practices and Procedures

4
Operating Assumptions
  • All companies are targets
  • All technology is vulnerable to intrusion
  • Web commerce systems are the windows to the
    company
  • Internet-based malware is a prevalent reality
  • What is secure today won't be tomorrow
  • Ongoing assessment is mandatory
  • Security is a Journey, NOT a Destination
  • Metrics: If You Can't Measure It, You Can't
    Manage It!

5
Some Top Concerns
  • Not Having An Effective Vulnerability/Patch
    Management Process.
  • Not Using Vulnerability Assessment and IDS/IPS
    Tools.
  • Not Analyzing Source Code.
  • Not Having Effective End Point Security.
  • Not Having Effective Application Level Security.
  • Having Improperly Secured Remote Access.
  • Unprotected Laptop Computers Being Stolen.
  • Ineffective Security For Web Services.

6
Some Top Concerns
  • Having Improperly Configured Firewalls & Servers.
  • Not Having Effective Security Over Stored and
    Transmitted Data.
  • Using Non-secured E-Mail for Restricted/Private
    Information.
  • Not Pen-Testing Internet Based Applications.
  • Not Analyzing Security Event Logs
  • Not Changing/Deleting Entitlements after Changes
    in Job or Employment Status.
  • Not Effectively Communicating with Business
    Management and the Board.

7
Classification of Threat: First Generation
  • Spread via email, or sharing files, disks, etc.
  • Examples would be the common viruses of the
    '80s/'90s.
  • Remedy: Human action and anti-virus programs

8
Classification of Threat: Second Generation
  • Threat: usually self-propagating worms.
  • Leverage known vulnerabilities.
  • Mostly non-destructive.
  • Remedy: Identify the vulnerability and fix ASAP.

9
Classification of Threat: Third Generation
  • Leverage known and unknown vulnerabilities where
    patches may not be available.
  • May be targeted attacks.
  • May hide behind encryption.
  • Attacks aimed at obtaining information, including
    phishing/pharming.
  • Remedy: Automated vulnerability management tools
    and processes.

10
2005 Symantec Report: Based on 24,000 Sensors in
180 Companies
  • Increasing use of sophisticated worms, Trojans,
    and bots sold to the highest bidder.
  • Information theft is on the rise: 74% of code
    submitted could steal information.
  • Almost 11,000 new malware programs identified in
    first half of 2005, up 48% over 2004.
  • Increase in number of phishing attacks.
  • Average time from disclosing an exploit to a
    working attack: 6 days.
  • Average time between exploit and patch release:
    54 days.
  • Biggest threat: worms, Trojans, viruses and bots.
  • Number of attacks is decreasing - severity of
    attacks is increasing.

11
Vulnerability-to-Exploit Window

12
2005 CSI/FBI Security Survey
  • 700 Respondents vs. 494 in 2004
  • Causes of Financial Loss:
      • Viruses: 42.8M
      • Unauthorized Access: 31.2M
      • Theft of Information: 30.9M
      • DOS: 7.3M

13
2005 CSI/FBI Security Survey
  • Security Technology Used:
      • Firewalls: 97%
      • Antivirus: 96%
      • IDS: 72%
      • Server Based ACLs: 70%
      • Encrypting Data in Transit: 68%
      • Encrypted Files: 46%
      • Password Tokens: 42%
      • Biometrics: 15%

14
Need To Look At Additional Tools
  • Risk, Vulnerability & Remediation Management
  • Vulnerability Assessments & Threat Alerts
  • Impact Assessment
  • Patch Validation & Distribution
  • Anti-phishing/anti-pharming tools
  • Identity & Access Management
  • End Point Security Products
  • Event Log Analyzers
  • Network Security Intelligence
  • Source Code Analysis
  • Web Services/XML Security Tools

15
Security Risk Framework

16
Thank You