
The Evolving Cyber Threat

and what businesses can do about it

Larry Clinton, President


Direct 703/907-7028
lclinton@isalliance.org

Founders

ISA Board of Directors


Ken Silva, Chairman
CSO, Verisign

J. Michael Hickey, 2nd Vice Chair


VP Government Affairs, Verizon

Ty Sagalow, Esq. 1st Vice Chair


President Product Development, AIG

Dr. M. Sagar Vidyasagar, Treasurer


Exec VP, Tata Consulting Services

Angie Carfrae, VP Risk Management, Ceridian Corporation
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Paul Smocer, SVP/CIO, Mellon Financial
Matt Broda, Chief Strategic Security, Nortel
Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Matt Flanagen, President, Electronic Industries Alliance

Our Partners

Industry Affairs/Government Relations

The Old Web

The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

The Web is Inherently Insecure--and getting more so


The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06

The Earlier Threat:


Growth in vulnerabilities (CERT/cc), reported per year, 1995-2002:
1995: 171
1996: 345
1997: 311
1998: 262
1999: 417
2000: 1,090
2001: 2,437
2002: 4,129

The Earlier Threat:


Cyber incidents reported per year, 1988-2002 (chart values):
1988: 6
1989: 132
1990: 252
1991: 406
1992: 773
1993: 1,334
1994: 2,340
1995: 2,412
1996: 2,573
1997: 2,134
1998: 3,734
1999: 9,859
2000: 21,756
2001: 55,100
2002: 110,000

The Changing Threat


A fast-moving virus or worm pandemic is not the threat it was...
2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig)
2005: only 6
2006 and 2007: zero

Faces of Attackers Then

Joseph McElroy: hacked US Dept of Energy
Chen-Ing Hau: CIH virus
Jeffrey Lee Parson: Blaster-B copycat

Faces of Attackers Now

Jay Echouafni Competitive DDoS

Jeremy Jaynes $24M SPAM KING

Andrew Schwarmkoff Russian Mob Phisher

The Changing Threat


Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail.
Vulnerabilities are on client-side applications: word processors, spreadsheets, printers, etc.
"The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video sharing, and other Web-based innovations." (McAfee 2007)

The Threat Landscape is Changing

Early Attacks
Who: Kids, researchers, hackers, isolated criminals
Why: Seeking fame & glory; use widespread attacks for maximum publicity
Risk Exposure: Downtime, business disruption, information loss, defacement

New Era Attacks
Who: Organized criminals, corporate spies, disgruntled employees, terrorists
Why: Seeking profits, revenge; use targeted stealth attacks to avoid detection
Risk Exposure: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure

The Threat Landscape is Changing

Early Attacks
Defense: Reactive AV signatures
Recovery: Scan & remove
Type: Virus, worm, spyware

New Era Attacks
Defense: Multilayer pre-emptive and behavioral systems
Recovery: System wide, sometimes impossible without re-image of system
Type: Targeted malware, rootkits, spear phishing, ransomware, denial of service, back door taps, trojans, IW

Newer Threats
Designer malware: malware designed for a specific target or small set of targets
Spear phishing: combines phishing and social engineering
Ransomware: malcode packs important files into an encrypted archive and deletes the originals; a ransom is then demanded
Rootkits: shielding technology that makes malcode invisible to the operating system

Characteristics of the New Attackers


Shift to profit motive
Zero day exploits
Increased investment and innovation in malcode
Increased use of stealth techniques

Digital Growth? Sure


Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.
---Stanford University Study, July 2006

Digital Defense? Maybe Not


29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
50% of Senior Executives said they did not know how much money was lost due to attacks

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

Digital Defense Not So Much


23% of CTOs did not know if cyber losses were covered by insurance.
34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg

Incidents & Losses


Average Number of Security Incidents Per Participant:
2004: 34
2005: 86
2006: 136

Percentage That Experienced Losses as a Result (financial / operational):
2004: 25% financial, 56% operational
2005: 28% financial, 55% operational
2006: 40% financial, 63% operational

---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

Percentage of Participants Who Experienced an Insider Incident:
2004: 41%
2005: 39%
2006: 55%

Insider Incidents - 2006


                              Total (%)   Insider (%)   Outsider (%)
Theft of IP                      30           63            45
Theft of Proprietary Info.       36           56            49
Sabotage                         33           49            41

Most common insider incidents in 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%)
In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!

Economic Effects of Attacks


25% of our wealth---$3 trillion---is transmitted over the Internet daily
FBI: Cyber crime cost business $26 billion (probably a LOW estimate)
Financial institutions are generally considered the safest---their losses were up 450% in the last year
There are more electronic financial transfers than paper checks now
Only 1% of cyber crooks are caught

Cyber Attacks Affect Stock Price


Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.
Source: US Congressional Research Service 2004

Indirect Economic Effects


While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economic and societal confidence.
Source: Carnegie Mellon CyLab 2007

Can it be stopped ? Yes!


PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types
Approximately 25% of these companies follow recognized best practices for cyber security

Benefits of Best Practices


Reduces the number of successful attacks
Reduces the amount of down-time suffered from attacks
Reduces the amount of money lost from attacks
Reduces the motivation to comply with extortion threats
Source: PricewaterhouseCoopers 2006

Senior Managers Best Practices


Cited in US National Draft Strategy to Protect Cyber Space
Endorsed by TechNet for CEO Security Initiative
Endorsed by US India Business Council
Currently being updated

Available Best Practice Resources


#1: General Management
#2: Policy
#3: Risk Management
#4: Security Architecture & Design
#5: User Issues
#6: System & Network Management
#7: Authentication & Authorization
#8: Monitor & Audit
#9: Physical Security
#10: Continuity Planning & Disaster Recovery

Best Practices for Insider Threat Prevention & Mitigation


#1: Institute periodic enterprise-wide risk assessments.
#2: Institute periodic security awareness training for all employees.
#3: Enforce separation of duties and least privilege.
#4: Implement strict password and account management policies and practices.
#5: Log, monitor, and audit employee online actions.
#6: Use extra caution with system administrators and privileged users.
#7: Actively defend against malicious code.
#8: Use layered defense against remote attacks.

Best Practices for Insider Threat Prevention & Mitigation


#9: Monitor and respond to suspicious or disruptive behavior.
#10: Deactivate computer access following termination.
#11: Collect and save data for use in investigations.
#12: Implement secure backup and recovery processes.
#13: Clearly document threat controls.

Best Practices Model Contracts


Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.
Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)

Why Doesn't Everyone Comply with Established Best Practices?


Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized
---Stanford University 06

Management is WRONG
A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:
Improved product safety (38%)
Improved inventory management (14%)
Increase in timeliness of shipping info (30%)

Security ROI
Increase in supply chain information access (50%)
Improved product handling (43%)
Reduction in cargo delays (48% reduction in inspections)
Reduction in transit time (29%)
Reduction in problem identification time (30%)
Higher customer satisfaction (26%)

Security, like Digital Technology, must be Integrated in the Business Plan


Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.
PricewaterhouseCoopers, September 2006

How do we do that?
Business must take the lead.
We have a changing technology environment
We have a changing business model
We have a constantly changing legal and regulatory environment

ISA/CMU:
Elements of Effective Security Governance
Security is an enterprise wide issue: horizontally, vertically and cross functionally throughout the organization
Leaders are accountable to the organization, stakeholders and the community (it's a shared resource/responsibility)
Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don't decide how much security they want

ISA/CMU:
Elements of Effective Security Governance
Assess security based on risk - not tolerance to exposure, compliance, liability, operational disruptions, financial needs or reputation
Define security roles and responsibilities: draw clear lines of delineation as to who does what and reports to whom
Address and enforce security in policy, including rewards and recognition

ISA/CMU
Elements of Effective Security Governance
Commit adequate security resources, including authority and time to build and maintain core competencies
Expected staff awareness and training is reflected in job descriptions and expressed as a cultural norm
Implement a life cycle system for software development, acquisitions, operations and retirement

ISA/CMU
Elements of Effective Security Governance
Plan, define and manage clear security objectives; measure results and integrate lessons learned into future plans
Risk committee conducts regular reviews and integrates digitalization into the business plan---both positive and negative; Board reviews and audits

Cyber Security is NOT an IT Problem

Issues must simultaneously address all organization perspectives including:
Business
Policy
Legal
Technology

[Diagram: a central PROBLEM / ISSUE surrounded by TECH/R&D, LEGAL/REG, BUS/OPERATIONAL and POLICY]

ISAlliance
Integrated Business Security Program
Outsourcing Risk Management
Security Breach Notification
Privacy
Insider Threats
Auditing
Contractual Relationships (suppliers, partners, sub-contractors, customers)

Weekly Webinar Series

Sample of Recent Webinars


On Privacy and Compliance with Application to Healthcare - Anupam Datta, CyLab Research Scientist, CMU
Psychological Profiling Software to Aid in Forensic Investigation, Insider Detection and Relationship Management - Eric Shaw, Clinical Psychologist & Visiting Scientist, SEI, CERT
Outsourcing Risk Management: Legal Considerations - Jody Westby, CEO, Global Cyber Risk
Privacy and Security, it isn't Either/Or, it's Both/And - Jon Callas, PGP Corporation
Software Assurance in the Software Supply Chain - Bill Scherlis, Professor, School of Computer Science, Director, ISRI and director of CMU's PhD Program in Software Engineering

Conclusions
1. Band-Aids (or patches) don't cure; systemic treatments do
2. You need to stay ahead of the problem just to keep up with the field
3. You are not in this alone; join the ISA team

Larry Clinton President

Internet Security Alliance


lclinton@isalliance.org 703-907-7028 (O) 202-236-0001 (C)
