in the crossfire - presentation

Upload: judgepau

Post on 30-May-2018

TRANSCRIPT

  • 8/14/2019 In the crossfire - presentation

    1/25

    January 28, 2010

    In the Crossfire

    Critical Infrastructure in the Age of Cyber War

    Stewart Baker

    Center for Strategic and International Studies

    Steptoe & Johnson

    January 28, 2010 Confidential McAfee Internal Use Only

    Summary

    1. The threat is real

    2. Preparedness is spotty

    3. Adoption of security measures lags behind the threat

    4. The many roles of governments

    5. Outlier regions and sectors

    1. The threat is real

    60% reported theft-of-service cyberattacks

      Low: Germany, UK (42%)

      High: India (83%), Brazil (77%), France (76%)

    29% reported multiple large-scale denial of service attacks each month, and nearly two-thirds of those reported an impact on operations

      High: France (60%), India (50%)

    20% reported extortion via network attacks

      High: India (40%), Middle East (35%)

      Low: US, Germany (12%)

    89 percent report infection with viruses or other malware

    70-plus percent report a wide range of other attacks

      E.g., phishing and pharming. More sophisticated attacks like DNS poisoning or SQL injection are less common, but still widespread; more than half of respondents report these attacks

    Extortion is widespread

    Why? Because the reported cost of a 24-hour network outage is $6.3 million

    Most believe things are getting worse, not better

    Major incident: an outage of at least 24 hours, loss of life or failure of a company

    Nearly twice as many see vulnerability growing (37%) as shrinking (21%)

    Two-fifths expect a major incident within a year

    Four-fifths expect a major incident within 5 years

    2. Preparedness is spotty

    Low confidence in others' preparedness

    30% lacked confidence in their banks' and telecom providers' ability to withstand attack

      High confidence: China (10-22%), Germany (20%), US (25%)

      Low confidence: Japan (50-60%)

    Wide differences in national preparedness assessments

      In the Middle East, 95% said that their sector was not very prepared for Ghostnet-style attacks; in Japan, 50% said the same

      In Germany, US and Spain, only 13-17% said their sector was not very prepared for such attacks

    Resources are tight due to recession

    Security budget cuts are widespread

    but most believe they can cope with reduced resources

    3. Adoption of security measures lags behind the threat

    Basic, key security measures are not widely adopted

    Fewer than 60% patched and updated software on a regular schedule

    User name and password the most common form of login/authentication

    More than three-quarters of SCADA/ICS systems are connected to an IP network or the Internet

      Nearly half of those admitted that these connections create unresolved security issues

    Security measure adoption rates vary widely by country

      Chinese respondents report the highest rate

      Italy, Spain and India had the lowest rates

    Security measure adoption rate

    More than two dozen different security measures -- technologies, policies and procedures

    Security Information and Event Management tools

    Network access control measures

    Intrusion prevention systems

    Database security and access controls

    Data leak prevention tools

    Intrusion detection systems

    Firewalls to public network

    Firewalls between systems

    Application whitelisting

    Role and activity anomaly detection

    Standardized desktop

    Use threat monitoring service

    Encryption for

      Online transmission to network

      Laptop hard drives

      Individual emails

      Data in databases

      Data while in network storage

      Tapes, portable media

    Authentication by

      User name and password

      Token

      Biometrics

    Regular patches and updates

    Threat information sharing

    Restrict or ban USB sticks

    China leads in adopting security measures

    4. The many roles of governments

    Regulators

    Regulation seen as generally positive

    74% have implemented new measures as a result of regulation

    58% say regulation has sharpened policy and improved security

    28% say it has diverted resources from improving security to recording/reporting incidents or other forms of compliance

    Audit frequency varies widely

    Partners

    Co-operation levels vary widely

    72% of Chinese respondents participated in an industry information sharing association; only 33% of Italian respondents did

    Policemen

    Widespread skepticism about governments' ability to protect networks

    Attackers, infiltrators and adversaries

    Regulator: auditing to enforce compliance varies widely

    Policeman: Little faith in laws against cyber-attack

    Attacker: 60% believe governments are already attacking their infrastructure

    Attacker: Many report government-style attacks

    Half report stealthy infiltration by high-level adversary like in Ghostnet

    Half report DDOS attacks by high-level adversaries including governments:

    Attacker: United States and China are most feared

    5. Outlier regions and sectors

    China the outlier

    Chinese executives report --

    Uniquely close cooperation with officials

    High levels of regulation and auditing

    Very robust confidence in government

    Much higher adoption of security measures

    China is taking concerted steps to bolster its industries' defenses

    Are the steps effective?

    Chinese companies report low to average levels of attack and damage

    China does appear better protected than other large developing countries, such as India and Brazil

    Oil and gas sector at risk

    The oil and gas sector stands out as a target

    Reports more Ghostnet-style infiltration than any other sector (71% v. 54% overall)

    More large-scale DDOS attacks than other sectors (66% v. 54% overall)

    More extortion attacks than other sectors (31% v. 20% overall)

    More theft of service attacks than others (75% v. 60% overall)

    Attackers more likely to target SCADA systems of oil and gas sector (other sectors see financial information as main target)

    Highest cost from 24 hours of down time ($8.4 million v. $6.3 million overall)

    Second highest recession-driven cuts in security resources (73% v. 66% overall)

    Principal Authors

    Stewart Baker

      Former official at both Department of Homeland Security and National Security Agency

      Cybersecurity law practice at Steptoe & Johnson

      Distinguished Visiting Fellow, Center for Strategic and International Studies

    Shaun Waterman

      Journalist formerly with BBC and UPI

      Center for Strategic and International Studies

    Further questions for Stewart Baker:

    202-429-6402