The Difficult Road To Cybersecurity

1
The Difficult Road To Cybersecurity

• Steve Katz, CISSP
• Security Risk Solutions
• 631-692-5175
• stevekatz_at_securityrisksolutions.org

2
Mission

• To prevent, detect and respond to acts that could
  impact the ability of a company to provide
  essential services.
• To maintain public/customer confidence in a
  companys ability to ensure the confidentiality,
  integrity and availability of information and
  services.
• To enable a company to pursue business
  opportunities while meeting security and privacy
  commitments.
• To create a culture where security is an integral
  part of the business governance process.

3
Key Drivers

• The Need to Deliver Trust to Customers, Partners
  and Staff
• Legal/Regulatory
• ISO17799/ISF/BITS/COSO/COBIT Security Standards
• Company Policy, Standards and Practices
• Internal Audit Practices and Procedures

4
Operating Assumptions

• All companies are targets
• All technology is vulnerable to intrusion
• Web commerce systems are the windows to the
  company
• Internet based Malware is a prevalent reality
• What is secure today, wont be tomorrow
• Ongoing assessment is mandatory
• Security is a Journey NOT a Destination
• Metrics If You Cant Measure It, You Cant
  Manage It!

5
Some Top Concerns

• Not Having An Effective Vulnerability/Patch
  Management Process.
• Not Using Vulnerability Assessment and IDS/IPS
  Tools.
• Not Analyzing Source Code.
• Not Having Effective End Point Security.
• Not Having Effective Application Level Security.
• Having Improperly Secured Remote Access.
• Unprotected Laptop Computers Being Stolen.
• Ineffective Security For Web Services.

6
Some Top Concerns

• Having Improperly Configured Firewalls Servers.
• Not Having Effective Security Over Stored and
  Transmitted Data.
• Using Non-secured E-Mail for Restricted/Private
  Information.
• Not Pen-Testing Internet Based Applications.
• Not Analyzing Security Event Logs
• Not Changing/Deleting Entitlements after Changes
  in Job or Employment Status.
• Not Effectively Communicating with Business
  Management and the Board.

7
Classification of ThreatFirst Generation

• Spread via email, or sharing files, disks, etc.
• Examples would be the common viruses of the
  80s/90s.
• Remedy Human action and anti-virus programs

8
Classification of ThreatSecond Generation

• Threat usually self propagating worms.
• Leverage known vulnerabilities.
• Mostly non-destructive.
• Remedy Identify the vulnerability and fix ASAP.

9
Classification of ThreatThird Generation

• Leverage known and unknown vulnerabilities where
  patches may not be available.
• May be targeted attacks.
• May hide behind encryption.
• Attacks aimed at obtaining information, including
  phishing/pharming.
• Remedy Automated vulnerability management tools
  and processes.

10
2005 Symantec ReportBased on 24,000 Sensors in
180 Companies

• Increasing use of sophisticated, Worms, Trojans,
  and Bots sold to the highest bidder.
• Information Theft is on the rise 74 of code
  submitted could steal information.
• Almost 11,000 new Malware programs identified in
  first half of 2005 up 48 over 2004.
• Increase in number of Phishing attacks.
• Average time from disclosing an exploit to a
  working attack 6 days.
• Average time between exploit and patch release
  54 Days
• Biggest Threat worms, trojans, viruses and bots.
• Number of attacks is decreasing - severity of
  attacks is increasing.

11
Vulnerability-to-Exploit Window
12
2005 CSI/FBI Security Survey

• 700 Respondents vs. 494 in 2004
• Causes of Financial Loss
• Viruses 42.8M
• Unauthorized Access 31.2M
• Theft of Information 30.9M
• DOS 7.3M

13
2005 CSI/FBI Security Survey

• Security Technology Used
• Firewalls 97
• Antivirus 96
• IDS 72
• Server Based ACLs 70
• Encrypting Data in Transit 68
• Encrypted Files 46
• Password Tokens 42
• Biometrics 15

14
Need To Look At Additional Tools

• Risk, Vulnerability Remediation Management
• Vulnerability Assessments Threat Alerts
• Impact Assessment
• Patch Validation Distribution
• Anti-phishing/anti-pharming tools
• Identity Access Management
• End Point Security Products
• Event Log Analyzers
• Network Security Intelligence
• Source Code Analysis
• Web Services/XML Security Tools

15
Security Risk Framework
People-Who Process-What Technology-How
Prevention Awareness Programs Security Training Policy Standards Trust Permit Risk Acceptance Anti-Virus ID Access Management App. Code Review
Detection Security Report Violation Logs Event Logs IDS Report Analysis Violation Analysis Tools IDS Event Log Analysis Tools
Investigation Forensics Cyber Security Investigators SIRT Data Mirroring/Forensics Tools
Recovery Reconstitution
Verification Validation Metrics Pen Testing War Games Assessment Tools Remediation Verification App. Code Analysis
16
Thank You