Founders
Angie Carfrae, VP Risk Management, Ceridian Corporation
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Paul Smocer, SVP/CIO, Mellon Financial
Matt Broda, Chief Strategic Security, Nortel
Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Matt Flanagen, President, Electronic Industries Alliance
Our Partners
Figure: maps from the Bell Labs map gallery, 1995 and 2002. Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Chart: annual counts for 1988 through 2002 (y-axis 0 to 100,000). Values legible on the slide, read in year order from 1988:
1988: 6; 1989: 132; 1990: 252; 1991: 406; 1992: 773; 1993: 1,334; 1994: 2,340; 1995: 2,412; 1996: 2,573; 1997: 2,134; 1998: 3,734; 1999: 9,859; 2000: 21,756; 2001: 55,100. The 2002 value is not legible on the slide.
2002-2004: almost 100 medium-to-high-risk attacks (Slammer, SoBig). 2005: only 6. 2006 and 2007: zero.
Joseph McElroy: hacked the US Department of Energy
Chen-Ing Hau: CIH virus
Jeffrey Lee Parson: Blaster-B copycat
Early Attacks
Who: Kids, researchers, hackers, isolated criminals
Why: Seeking fame and glory; widespread attacks are used for maximum publicity
Risk Exposure: Downtime, business disruption, information loss, defacement
Defense: Reactive AV signatures
Recovery: Scan and remove
Type: Virus, worm, spyware
Newer Threats
Designer malware: malware built for a specific target or a small set of targets
Spear phishing: combines phishing with social engineering
Ransomware: malcode packs important files into an encrypted archive and deletes the originals; a ransom is then demanded
Rootkits: shielding technology that makes malcode invisible to the operating system
Chart (values not recoverable from the slide): 2004 (financial), 2005 (operational), 2006. Source: 2006 eCrime Survey, conducted by the U.S. Secret Service, CSO Magazine and CERT/CC (CMU)
Most common insider incidents in the 2006 survey: rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%). In 2006, insiders committed more theft of IP and proprietary information, and more sabotage, than outsiders.
Management is WRONG
Security ROI
A Stanford Global Supply Chain Management Forum study clearly demonstrated that investments in security can provide business value and significant ROI through:
Improved product safety (38%)
Improved inventory management (14%)
Increase in timeliness of shipping information (30%)
Increase in supply chain information access (50%)
Improved product handling (43%)
Reduction in cargo delays (48% reduction in inspections)
Reduction in transit time (29%)
Reduction in problem identification time (30%)
Higher customer satisfaction (26%)
How do we do that?
Business must take the lead.
We have a changing technology environment.
We have a changing business model.
We have a constantly changing legal and regulatory environment.
ISA/CMU: Elements of Effective Security Governance
Security is an enterprise-wide issue: horizontally, vertically and cross-functionally throughout the organization.
Leaders are accountable to the organization, its stakeholders and the community (security is a shared resource and a shared responsibility).
Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don't decide how much security they want.
Assess security based on risk (tolerance for exposure, compliance, liability, operational disruptions, financial needs, reputation).
Define security roles and responsibilities: draw clear lines of delineation as to who does what and who reports to whom.
Address and enforce security in policy, including rewards and recognition.
Commit adequate security resources, including the authority and time to build and maintain core competencies.
Expected staff awareness and training is reflected in job descriptions and expressed as a cultural norm.
Implement a life-cycle system for software development, acquisition, operations and retirement.
Plan, define and manage clear security objectives; measure results and integrate lessons learned into future plans.
A risk committee conducts regular reviews and integrates digitalization into the business plan, both positive and negative; the Board reviews and audits.
Diagram: a problem or issue feeds three tracks, legal/regulatory, business/operational and policy (ISAlliance).
ISAlliance program areas:
Integrated Business Security Program
Outsourcing Risk Management
Security Breach Notification
Privacy
Insider Threats
Auditing
Contractual Relationships (suppliers, partners, sub-contractors, customers)
Conclusions
1. Band-Aids (or patches) don't cure; systemic treatments do.
2. You need to stay ahead of the problem just to keep up with the field.
3. You are not in this alone: join the ISA team.