2004 12 03 Larry Clinton Philadelphia Presentation About ISA and Coherent Program of Cyber Security...

Upload: isalliance

Posted on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2004 12 03 Larry Clinton Philadelphia Presentation About ISA and Coherent Program of Cyber Security Through Incentives

    1/35

Larry Clinton, Operations Officer

    Internet Security Alliance

    [email protected]

    202-236-0001

  • 2/35

    Presentation Outline

    The Growing Problem of Cyber Security
    Traditional Solutions and Why They Won't Work
    A New Paradigm (Tools and Incentives)
    Bringing It All Together

  • 3/35

    The Past

  • 4/35

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Present

  • 5/35

    The Threats / The Risks

    Human Agents: hackers; disgruntled employees; white-collar criminals; organized crime; terrorists

    Methods of Attack: brute force; denial of service; viruses & worms; back door taps & misappropriation; Information Warfare (IW) techniques

    Exposures: information theft, loss & corruption; monetary theft & embezzlement; critical infrastructure failure; hacker adventures, e-graffiti/defacement; business disruption

    Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys hacktivist campaign; Love Bug, Melissa viruses

  • 6/35

    The Threats / The Risks

    "Terrorists may view cyber-attacks standing alone or with a coordinated physical attack as a way to cause economic harm. Considering that critical infrastructures, upon which the American economy depends, are increasingly electronic and interconnected, attacks in or through cyberspace arguably support the terrorist modus operandi."

  • 7/35

    The Threats / The Risks

    Scenario map of coordinated infrastructure failures:
    Pipeline Disruption
    Submarine Cable Lost
    Bomb Threats at Government Buildings
    Threat to Water Supply
    Bridge Down
    Oil Refinery Explosion
    Telephone Service Interrupted, Phones Jammed
    911 Unavailable
    ISPs Out of Service Near Wall Street
    Air Traffic Control Tower & Radar Down
    Train Derailment in Tunnel
    Electricity Outage

  • 8/35

    Growth in Incidents Reported to the CERT/CC

    Year  Incidents
    1988  6
    1989  132
    1990  252
    1991  406
    1992  773
    1993  1,334
    1994  2,340
    1995  2,412
    1996  2,573
    1997  2,134
    1998  3,734
    1999  9,859
    2000  21,756
    2001  55,100
    2002  110,000

  • 9/35

    The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

    Year  Vulnerabilities
    1995  171
    1996  345
    1997  311
    1998  262
    1999  417
    2000  1,090
    2001  2,437
    2002  4,129

  • 10/35

    Attack Sophistication v. Intruder Technical Knowledge

    Chart, 1980 to 2000: vertical axis Low to High; two plotted lines, Attack Sophistication (Tools) rising and Intruder Knowledge (Attackers) falling. Tools and techniques labelled along the timeline: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; stealth / advanced scanning techniques; burglaries; network mgmt. diagnostics; DDOS attacks.

  • 11/35

    Computer Virus Costs (in $ billions)

    Chart: range of estimated annual costs, '96 through '03 ('03 through Oct 7); vertical axis 0 to 150 ($ billion).

  • 12/35

    Traditional Solutions & Why They Won't Work

    Technology Solutions ("it's like Y2K")
    Government Regulation ("just mandate security")
    Great Wall of China ("secure our borders")

  • 13/35

    Cyber Security Is Not an IT Problem

    Y2K was: finite; passive; not an attack.

    Cyber security requires people, processes, procedures and management of the risk.

  • 14/35

    A Risk Management Approach Is Needed

    "Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure."

    National Plan to Secure Cyberspace, 2/14/03

  • 15/35

    You Can't Mandate Cyber Security

    Policy must address the Internet as a new technology:
    No one owns the Internet
    It is constantly evolving
    International operation makes regulation difficult
    Mandates will truncate innovation and the economy
    Beware the "roadmap for mischief"

  • 16/35

    Putnam Legislation

    Risk assessment
    Risk mitigation
    Incident response program
    Tested continuity plan
    Updated patch management program

    Putnam has said it won't work.

  • 17/35

    Build a Great Wall Around Your Organization

    The Internet has no walls, no borders; no one actually owns it.

    You are only as secure as the organizations you interconnect with, and that's pretty much everyone.

    The Internet is interdependent, and security, therefore, is interdependent.

  • 18/35

    Attacks Are Inevitable

    "According to the US Intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess."

    National Strategy to Secure Cyberspace, 2/14/02

  • 19/35

    A New Paradigm: Tools and Incentives

    TOOLS

    INCENTIVES NOT MANDATES

    Information Sharing
    Best Practice Development
    Standards/Certification/Qualification
    Training
    Policy Development
    A Total Systems Approach

  • 20/35

    Benefits of Information Sharing

    Organizations may lessen the likelihood of attack: "Organizations that share information about computer break-ins are less attractive targets for malicious attackers." (NYT 2003)

    Participants in information sharing have the ability to better prepare for attacks and respond to them.

  • 21/35

    Old and New Info Sharing

    2002: ISAlliance informed its membership about the SNMP event 6 months ahead of time; no ISAlliance members affected.

    2003: ISAlliance informed membership about the Slammer vulnerability 9 months ahead of time; no ISA members affected.

    2004: Events move too fast. Now we focus on forecasting, not analysis.

  • 22/35

    Adopt and Implement Best Practices

    Cited in U.S. National Draft Strategy to Protect Cyber Space
    Endorsed by TechNet for CEO Security Initiative
    Small Business Best Practices endorsed by DHS, ABA, NAM, EIA, NCSA, etc.

  • 23/35

    Common Sense Guide: Top Ten Practice Topics

    Practice #1: General Management
    Practice #2: Policy
    Practice #3: Risk Management
    Practice #4: Security Architecture & Design
    Practice #5: User Issues
    Practice #6: System & Network Management
    Practice #7: Authentication & Authorization
    Practice #8: Monitor & Audit
    Practice #9: Physical Security
    Practice #10: Continuity Planning & Disaster Recovery

  • 24/35

    Cooperative Work on Assessment/Certification

    TechNet CEO Self-Assessment Program:
    Bring cyber security to the C-level based on ISA Best Practices
    Create a baseline of security even CEOs can understand

    American Security Consortium 3-Party Assessment Program:
    Risk Preparedness Index for assessment and certification
    Develop quantitative independent ROI for cyber security

  • 25/35

    ISAlliance/CERT Training

    Concepts and Trends in Information Security
    Information Security for Technical Staff
    OCTAVE Method Training Workshop
    Overview of Managing Computer Security Incident Response Teams
    Fundamentals of Incident Handling
    Advanced Incident Handling for Technical Staff
    Information Survivability: an Executive Perspective

  • 26/35

    ISAlliance Incentive Model

    Model programs for market incentives: AIG, Nortel, Visa, Verizon
    SemaTech Program
    Tax Incentives
    Liability Carrots
    Procurement Model
    Research and Development

  • 27/35

    Congress Appoints CISWG

    INCENTIVES & LIABILITY GROUP FOUND INCENTIVES FOR PUBLIC & PRIVATE SECTOR

    --Insurance Incentives
    --Liability Incentives
    --Tax Incentives
    --Expedited Permitting
    --FEMA Credits
    --Awards Programs

  • 28/35

    Chief Technology Officers' Knowledge of Their Cyber Insurance

    34% incorrectly thought they were covered
    36% did not have insurance
    23% did not know if they had insurance
    7% knew that they were insured by a specific policy

  • 29/35

    ISAlliance Cyber-Insurance Program

    Coverage for members
    Free assessment through AIG
    Market incentive for increased security practices
    10% discount off best prices from AIG
    Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

  • 30/35

    ISAlliance Qualification Program

    No standardized certification program exists or will exist soon.

    ISAlliance, in cooperation with the Big 4 and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification.

    ISA works with CMU CyLab on certification.

  • 31/35

    A Coherent 10 Step Program of Cyber Security

    1. Members and CERT create best practices
    2. Members and CERT share information
    3. Cooperate with industry and government to develop new models and products consistent with best practices

  • 32/35

    A Coherent Program of Cyber Security

    4. Provide education and training programs based on coherent theory and measured compliance
    5. Coordinate across sectors
    6. Coordinate across borders

  • 33/35

    A Coherent Program

    7. Develop the business case (ROI) for improved cyber security
    8. Develop market incentives and tools for consistent maintenance of cyber security
    9. Integrate sound theory and practice and evaluation into public policy
    10. Constantly expand the perimeter of cyber security by adding new members

  • 34/35

    Sponsors

  • 35/35

    Larry Clinton, Operations Officer

    Internet Security Alliance

    [email protected]

    202-236-0001