TruSecure - PowerPoint PPT Presentation

1 / 35

About This Presentation

Title:

TruSecure

Description:

ICSA Labs - Set Standards, Perform Research, Track ... Hacking, Sniffing. Spoofing. Malicious Code. Viruses, Worms. Java, ActiveX. Trojans. Physical / Human ... – PowerPoint PPT presentation

Number of Views:22

Avg rating:3.0/5.0

Slides: 36

Provided by: laurie97

Category:

more less

Transcript and Presenter's Notes

Title: TruSecure

1
How do you think about risk? The state of
Internet Security
Dr. Peter Tippett
2
ICSA.net Corporate Overview
3
ICSA Uniquely Positioned To Provide Internet
Security

ICSA.net - Customer solutions and support for
continuous and dynamic Internet security
assurance
Leverages expertise and framework from ICSA Labs
Publishes Information Security Magazine
Over 200 companies rely on ICSAs TruSecure
process

ICSA Labs - Set Standards, Perform Research,
Track and Measure Risks, Lead Industry,
Test and Certify Products
Anti-Virus Products 100
Firewall Products 100
Malicious Mobile Code 100
Internet Service Providers 80 of Backbone
Cryptography Products 100 IPSec
Intrusion Detection Systems 80
Commercial Biometrics Products

4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8
(No Transcript)
9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
ICSA Studies Show Internet Security is Weak and
Breaches are Costly

28 new high priority security vulnerabilities
logged and distributedeach month by ICSA Labs
200-300 new viruses are released each month with
about 5 making it to the wildlist
93 million is the estimated cost of the Melissa
virus to US businesses

13
Todays Corporate SecurityWorse Than Expected
ICSA Vulnerability Study May 1999

Over 70 of sites with firewalls still vulnerable
to known attacks
Over 60 of sites susceptible to denial of
service attacks
Over 80 dont know whats on their network and
visible over the Internet
Over 80 have insufficient security policies

14
Complexity
Vulnerability
15
Risk Threat Vulnerability EventCost

Threat
The likelihood that a security event will happen
in a given time span or the rate.
Security Event Rate (per month, hour etc.)
Composed of world-wide rate modified by local
Target Index, other factors.
The threat of purse-snatching by breaking the
passenger window of a car with a heavy object
was zero nationwide in 1960 (it never happened)
The threat became significant in Miami in 1970
The threat in Iowa City is still zero.

16
Risk Threat Vulnerability EventCost

Vulnerability
A given target is either vulnerable or not to a
particular well defined threat (0 or 1).
A given target is variably vulnerable to a class
of threats. (Vulnerability between 0 and 1)
A given organization is composed of numerous
targets which, as a group, are variably
vulnerable to a given threat category
(Vulnerability Index)
Car passenger windows have always been vulnerable
to breakage by heavy bricks moving fast enough
Since there was no threat until 1970, there was
no risk until 1970.

17
Risk Threat Vulnerability EventCost

EventCost
Security Events result from a threat successfully
exercised against a vulnerable system.
The total costs of all of the ramifications of a
security event are made up of numerous factors
and include both hard and soft costs.
Total sum of all ramifications of a security
event called EventCost Dollars per SecurityEvent

18
Risk Threat Vulnerability EventCost

If Threat 0Vulnerability 0or EventCost
0There is no Risk
Risk per Year
Of these, we have
good control over Vulnerability,
some control over EventCost and
minimal control over Threat Rate

19
Risk
20
All Risks are Not Equal
Cost / Impact
21
ICSAs Five Categories of Risk

Electronic
(External / Internal)
Hacking, Sniffing
Spoofing
Malicious Code
Viruses, Worms
Java, ActiveX
Trojans
Physical / Human
Theft, Social Engineering
Sticky-note
Terminal hijack

Privacy
employee
customer data
corporate data
DownTime
DoS attacks
Bugs
Power
Civil Unrest
Natural Disasters

22
Controls Doing Something About Risk
ICSA Control Matrix
Objective of the Control
Protect
Detect
Recover
AdministrativeHuman Factors
Technical Application/Service
Category
Technical System / Platform
TechnicalNetwork / Logical
Physical Environment
23
Controls Themselves Have Costs

Software, hardware, training costs
Infringement costs
User / network management time (costs)
Reduction of opportunity costs

24
What kind of controls actually work?

Most security strategies are based upon
Very strong controls
Static in nature
Made to last without changes
Heavily based on policy and user education
Tend to be infringing on time, users, resources
(and patience)
Tend to be costly

25
Static Controls

Not only costly, but --- Effectiveness declines
over time
B1
C2
Completely Re-engineer the system
Comprehensive Local Risk Assessments
Simple Local risk assessments
Tiger team assessments

26
Minimizing total costs
27
Synergistic Controls Increased effectiveness,
less infringing
Objective of the Control
Protect
Detect
Recover
Physical
Your Data Systems
Environment
Technical
Network / Logical
Category
Technical
System / Platform
Technical
Application/Service
Administrative
Human / Policy
28
Line up Synergistic Controls Each With
Independent Effectiveness (I)
Why is this effective?
Total efficacy - at constant level of
effectiveness 50 60 70
80 90
serial screens
1 2 3 4 5
50.0 75.0 87.5 93.8 96.9
60.0 84.0 93.6 94.7 99.0
70.0 91.0 97.3 99.2 99.8
80.0 96.0 99.2 99.8 100.0
90.0 99.0 99.9 100.0 100.0
29
Security Assurance Dynamic Risk Reduction
30
Line up Synergistic Controls Each With
Independent Effectiveness (II)
Example 1
Serial policies
Effectiveness
Level of risk reduction
Simple, broad security practices, high compliance
rate Keep sys admins abreast of current threats,
vulnerabilities, and corrective
actions Frequently verify compliance of
technical and other practices
80 80 80
5 - fold 25 - fold 125 - fold
or or or
80.0 96.0 99.2
31
Most want very strong, static controls, made to
last
Resistance to threat as ()
Dynamic,Synergistic methods
Fundamental System design
1/mo
Audits Assessments
2/mo
Tiger Team
4/mo
21
22
23
24
Months
32
Dynamic Security Assurance Life Cycle (1 of 2)
Real,Prevalent, Costly, Risks
Analysis of Potential Risks
11 Risk Categories
Exceedingly Rare
Postulated, Theoretical
w/o Significant Impact
Elucidation of Possible Controls
33
Dynamic Security Assurance Life Cycle (2 of 2)
Public Vetting
Controls
Practical, Attainable Now-Oriented Security
Practices
34
Security Needs a Web Approach
35
Requirements For Security That Works
36
(No Transcript)
37
Internet Security That Works
38
The TruSecure Security Solution

A fully integrated suite of products services
providing real-time security assurance.
A proven solution based on years of research from
the trusted authority on security.

39
TruSecure Continuous Real-time Internet Security
Security roadmap for IP-enabled companies
Comprehensive verification, measurement and
support
continuous
continuous
Updates, alerts and recommendations
Cost-effective process to protect against
important vulnerabilities

24x7 Vigilance
Biweekly e-mail monitor
Information on emerging threats
Ad hoc alerts released as needed
Security analysts available to help with sudden
emergencies

40
TruSecure Most Cost-Effective Solution
Cost Effectiveness
Scope

Maximizes effectiveness of existing security
products
No new products required
Provides evaluation and configuration
recommendations for installed products
Off-loads security research from internal IS
department, freeing them to shift focus to other
tasks

41
TruSecure Deliverables

SecureGuide
TruSecure Monitor
Security Analyst Support
Perimeter Check
Intranet Assessment
Onsite Visit
Performance Reports
Certification
Emergency Alerts
Repeated Assessments
Open Communication

Human / Policy
Application / Service
OS / Platform
Network / Logical
Environment / Physical
42
TruSecure Unmatched Support For Multi-Vendor
Environments