Information Security - PowerPoint PPT Presentation
Author: Thomas Waszak. Last modified by: Ping Look. Created: 8/2/2000 11:12:47 AM. Document presentation format: On-screen Show (PowerPoint PPT presentation).
Slides: 27
Transcript and Presenter's Notes

1
Information Security
Thomas Waszak, CISSP Black Hat Briefing Asia 2002
October 3, 2002
2
  • Introduction and Background
  • U.S. Army SIGINT, HUMINT, SOCOM
  • Corporate experience: messaging specialist,
    private investigator, network admin, principal
    consultant, director of professional services.
  • Currently with Washington Mutual Bank's
    Information Security Technology Solutions Group:
    Information Security Special Projects
    Leader/CSIRT Investigator
  • Participated in or led many different types of
    InfoSec projects for many corporations in
    different industries.

3
  • Disclaimer
  • I am not representing Washington Mutual Bank.
  • All views and opinions I share with you today
    are my own and do not necessarily represent the
    policies of my employer.

4
Changes Since September 11th
  • Re-evaluation and improvement of travel
    security
  • Acceptance of travel inconvenience
  • U.S. Homeland Security concerned about the
    national infrastructure
  • President Bush issues executive order to
    improve critical infrastructure
  • Disaster recovery and business continuity big
    winners of corporate acceptance
  • Physical security also a big winner of corporate
    acceptance


5
Waning Interest and Corporate Lip Service
  • Initial fear of follow-on cyber attacks
  • No published or publicized terrorist cyber
    attacks: back to sleep
  • Corporate attitudes towards Information Security
    have not improved since September 11.
  • Any additional corporate emphasis on
    Information Security is related to mandated
    government requirements of GLBA and HIPAA.


6
Status Quo for Corporate Security: Should We
Care?
  • YES!!!! Things are getting worse each day.
  • The Computer Security Institute recently (2001)
    surveyed 503 corporations
  • 90% detected computer security breaches in the
    previous 12 months (BTW 10% are liars) (Up from
    70% in 1999)
  • 80% suffered financial losses due to computer
    security breaches (Up from 74% in 1999)
  • 40% detected system penetration from the outside
    (Up from 25% in 1999)


7
Bad Things Happen But No Real Change
  • Companies lose money and go out of business
  • Billions and billions of dollars lost every year
  • Cloud Nine, a British ISP, DoSed out of business
  • Barings: Nick Leeson
  • Exodus: almost ordered to remove client servers
    from the Internet because of a competitor
    complaint.
  • Microsoft Passport privacy violations. Court
    required implementation of a security program.
  • All resulting security changes were isolated and
    not widespread.


8
No Change Unless...
  • One of, or a combination of, three things must
    happen before corporate attitudes about security
    will improve:
  • Change must provide economic benefit.
  • Public outrage must demand it.
  • Governments must mandate it.


9
An Unwanted And Painful Nudge
  • Change will be a long time coming unless a cyber
    related catastrophic attack occurs
  • Titanic syndrome: all three conditions met
  • Digital 9/11
  • Barings could have been a Titanic event if
    computer security issues had been more prevalent.
    (Complete, total, sudden, and immediate
    failure. Billions of dollars lost, millions of
    people affected)


10
It's hopeless, so let's sit on our hands and wait
for the digital Pearl Harbor and be prepared to...
Say "I told you so."

11
Or let's do the best we can to make things
happen without the unwanted and painful nudge
  • Information Security Professionals have a
    fiduciary responsibility
  • It's easy to get discouraged, but most of us are
    up for the challenge


12
But first... we must understand who's to blame for
this sorry state of affairs, and why?
  • IT Vendors for producing products with
    shameful security deficiencies and for denying
    security problems
  • Security vendors for confusing the issues, for
    rushing to release immature products in order to
    be the first to release the next better
    mousetrap.


13
The Blame Game
  • Business management for not taking pre-incident
    intangible risks seriously enough.
  • Information Technology Professionals for
    consistently putting uptime and network speed at
    a much higher priority than security. And for
    always pretending that they know as much about
    security as we do.


14
The Blame Game
  • Information Security Professionals: the sorry
    state of information security is as much our
    fault as anyone's because we...
  • Often fail to effectively partner with and
    communicate with our corporate management,
    business, and/or technology people.
  • Often forget that the purpose of information
    security is to protect existing money and to
    safeguard revenue streams. Its purpose is not
    to lock down every single desktop computer.


15
The Blame Game
  • Information Security Professionals, because
    we...
  • Sometimes get wrapped up in minutiae when we
    should be looking at and seeing the bigger
    picture.
  • Sometimes alienate our user communities by
    acting like the secret police instead of the fire
    department.


16
The Blame Game
  • Information Security Professionals, because
    we...
  • Fail to understand the business our corporation
    is in.
  • Sometimes fall in love with technology and force
    the problem to fit the technology instead of
    forcing technology to solve the problem.


17
The Blame Game
  • Information Security Professionals, because
    we...
  • Sometimes allow our technology bigotry to cloud
    our judgment and impair our objectivity.
    (Novell/Microsoft/Unix bigot)
  • Sometimes waste our energy fighting small, tiny
    security problems instead of focusing on the big
    issues that matter the most.


18
The Blame Game
  • Information Security Professionals, because
    we...
  • Sometimes undermine our credibility by making
    the mistake of using too much or exaggerated FUD.
  • Usually spend too much time preaching to the
    choir rather than trying to convert the masses.


19
The Blame Game
  • Information Security Professionals, because
    we...
  • Try to show business and IT people that we are
    cool and understand business by rushing to make
    poor business and security decisions. "We
    already own 30K of junk that doesn't work.
    Let's not lose our initial investment of junk
    that doesn't work, and so let's buy 300K more of
    it. That way we'll have enough junk to spread
    around everywhere."


20
The Blame Game
  • Information Security Professionals, because
    we...
  • Try to force a square peg into a round hole by
    trying to quantify the unquantifiable with
    quantitative analysis. Show me a strong advocate
    of the liberal use of quantitative analysis for
    information security business cases.


21
Blame Game Reality
  • Relax, it's not really ALL your fault.
  • But, you can do an awful lot more than you would
    think
  • An Information Security Professional must rise
    above the fray and understand everything and
    everyone.

22
We Need an Attitude Adjustment: Learn To Enjoy
And Appreciate Stupid People
  • Remember that your company is in the business of
    making widgets and not in the security business.
  • Your mission is to analyze, notify, and advise.
    It is a rare situation where you are obligated to
    care more than your CEO does.

23
Tips, Summary, and Final Words
  • It will always be easier for you to understand
    management, IT, and business.
  • Don't let security vendors confuse your people.
  • Document, Document, Document, and protect yourself:
    live by the paper trail.

24
Tips, Summary, and Final Words
  • Manage perception. Protect your credibility.
  • It's not worth losing sleep.
  • It's painful being stupid, but sometimes it isn't
    painful enough or as painful as it should be.

25
Tips, Summary, and Final Words
Thank You
26
Tips, Summary, and Final Words
All Your Base Are Belong To Us