Security 2.0: The Next Generation of Security for the Public Sector
John McCumber, Strategic Programs Manager
Symantec Vision 2007
Agenda
1. Security Perceptions
2. Critical Connections Survey Results
3. Security 1.0
4. Security 2.0
5. Bridging the Gap – Preparing for a 2.0 World
Critical Connections
Symantec recently announced the results of the 2008 Critical Connections Study, which polled 600 IT executives across Federal, state and local government, as well as private sector organizations, to identify information security connections, disconnects, and opportunities for improvement. Download the full study: www.symantec.com/symposium
About the Study
Report includes:
• Connections: common nightmares, barriers, and areas of progress
• Disconnects: public/private collaboration and preparedness
• Critical Connections: perspectives on the National Cyber Security Initiative
Critical Connections
Agreement on Need for Collaboration
Is there a requirement for increased public/private collaboration in securing cyber space? Respondents answering "Yes":
  Federal          68%
  State and Local  48%
  Private Sector   59%
Take Away: It Takes Two to Tango – Increased Coordination Required
Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium
Disconnects
Diverse Preparedness Behaviors; Steps Needed to Improve Security
                                                           Feds   State and Local   Private Sector
My organization has participated in cyber security
preparedness exercises                                     63%    32%               39%
My organization has automated cyber threat/vulnerability
reporting                                                  64%    38%               44%
Take Away: Talk the Talk and Walk the Walk – Action Must Match Priority
Federal Opportunity
Federal Government Can Offer Best Practices Based on its Progress
78% of private sector respondents want more information from the government on cyber threats.
Take Away: Open Door for Feds to Improve National Cyber Security
National Cyber Security Initiative
Support Underscores Need for Cyber Security Leadership
When asked to name the most significant benefit of the National Cyber Security Initiative, few respondents picked "Common cyber security operating picture," the principal program objective.
Believe the National Cyber Security Initiative will have a positive impact:
                   Feds   State and Local   Private Sector
  Positive impact  86%    70%               76%
  Unlabeled row    12%    11%               11%
Take Away: Strong Enthusiasm, but Education Needed
Security versus Risk Management
• Security: something you feel
• Risk: something you manage
9 – 2002 Symantec Corporation, All Rights Reserved
Risk in IT Systems
Find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause.
- William Shakespeare, Hamlet
The Complete Threat Model
Effects on the asset:
• Destruction – availability, reliability
• Disclosure – data analysis, traffic analysis
• Delay – denial of service, system degradation
• Distortion – data integrity, accuracy
Threat sources:
• Outsider malicious threats
• Insider malicious threats
• Non-malicious threats
• Environmental
Threat Classifications
Threat
  Environmental
  Man-Made
    Internal
      Hostile: structured / unstructured
      Non-Hostile: structured / unstructured
    External
      Hostile: structured / unstructured
      Non-Hostile: structured / unstructured
Evolution from 1.0 to 2.0
1980s: GATES, GUNS & GUARDS
• Physical vulnerabilities
• Data confidentiality
• Outsider threats
1990s: FIND & FIX
• Electronic vulnerabilities
• Data confidentiality, integrity & availability
• Outsider & insider threats
2000s: ASSESS & MANAGE
• Risk & vulnerability analysis
• Active network monitoring
• Network security accreditation
• Incident response & recovery
Reactive: vulnerability discovered, fix it and close the hole.
Proactive: mitigate the risk with technology or processes, or transfer it.
Find-and-Fix Security
• Technical issues only
• Vulnerability-centric
• Probes exterior boundaries
• Little "analysis"
• Recommends point solutions
  – tied to specific vulnerabilities
  – based on consultant's experience
Penetration-and-Patch Security
[Chart: technology (vertical axis) against time (horizontal axis). Two curves, "IT systems evolution" and "defensive capabilities"; the difference between them is labelled the vulnerability gap.]
Compliance-based Security Audit
• Static
• Subjective
• Intuitive
• Inconsistent results
• Compliance-based
Security Objective
[Chart: technology against time. The curve labelled "risk management/security 2.0" is drawn alongside "IT systems evolution".]
IT Risk Management
The process of designing, developing, sustaining, and modifying operational processes and systems in consideration of applicable risks* to asset confidentiality, integrity, and availability.
*Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.
IT Risk Management
• Incorporates an analytical, systems approach into the entire operational and support cycle
• Provides systems and operational leaders a reliable decision support process
• Encourages protection of only that which requires protection
• Manages cost while achieving significant performance benefits
IT Risk Management Principles
• Anti-hacking does not equal security
• Data does not equal information
• Systems security certification does not equal risk management
• Meeting the demands of risk management requires more than assessing and mandating security features
Managing Risk
"When you can measure what you are
speaking about, and express it in
numbers, you know something about it;
But when you cannot measure it, when
you cannot express it in numbers, your
knowledge is of a meager and
unsatisfactory kind:
It may be the beginning of knowledge, but
you have scarcely in your thoughts
advanced to the stage of science."
William Thomson
1824 - 1907
Assessing Risk: Empirical Objective
Applying Safeguards: a trade-off between Cost, Risk and Performance
Essential Elements of Risk
• Threats
• Assets
• Vulnerabilities
• Safeguards
  – Products
  – Procedures
  – People
Mathematical Relationship
1: T x V x A = R_b          (baseline risk)
2: (T x V x A) / S = R_r    (residual risk after safeguards applied)
where T = threat, V = vulnerability, A = asset, S = safeguards
Risk = volume of a cube whose edges are Asset, Threat and Vulnerability; safeguards reduce the cube from baseline risk to residual risk.
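The cube model above, worked through in code. This is an added example, not code from the presentation: the slide gives only the two relationships T x V x A = R_b and (T x V x A) / S = R_r. The 1..5 ordinal scales, the assumption that several safeguards combine multiplicatively into S, the greedy cost/risk selection and all asset and safeguard values are constructed for illustration.

```python
"""Risk as the volume of a cube: R_b = T x V x A, and R_r = (T x V x A) / S.

Added example, not code from the presentation. The 1..5 ordinal scales, the
multiplicative combination of safeguards and the sample assets and safeguards
are constructed for illustration; the slide gives only the two relationships.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE = range(1, 6)  # ordinal scores 1 (lowest) .. 5 (highest); an assumption of this example


@dataclass(frozen=True)
class Safeguard:
    name: str
    kind: str      # one of the slide's three classes: "product", "procedure", "people"
    factor: float  # divisor applied to baseline risk; 1.0 means no effect
    cost: float    # constructed annual cost units

    def __post_init__(self) -> None:
        if self.factor < 1.0:
            raise ValueError(f"{self.name}: a safeguard cannot make risk larger")
        if self.cost <= 0.0:
            raise ValueError(f"{self.name}: cost must be positive")


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # A: what the asset is worth to the organisation
    threat: int         # T: likelihood and capability of threats against it
    vulnerability: int  # V: how exposed it is to those threats

    def __post_init__(self) -> None:
        for score in (self.value, self.threat, self.vulnerability):
            if score not in SCALE:
                raise ValueError(f"{self.name}: scores must be in 1..5, got {score}")


def baseline_risk(asset: Asset) -> float:
    """R_b = T x V x A, the volume of the cube before any safeguard is applied."""
    return float(asset.threat * asset.vulnerability * asset.value)


def safeguard_divisor(safeguards: List[Safeguard]) -> float:
    """S: combined divisor of the applied safeguards (assumed multiplicative)."""
    divisor = 1.0
    for sg in safeguards:
        divisor *= sg.factor
    return divisor


def residual_risk(asset: Asset, safeguards: List[Safeguard]) -> float:
    """R_r = (T x V x A) / S, the cube that is left after safeguards shrink it."""
    return baseline_risk(asset) / safeguard_divisor(safeguards)


def rank_assets(assets: List[Asset],
                applied: Dict[str, List[Safeguard]]) -> List[Tuple[str, float, float]]:
    """(name, baseline, residual) for every asset, highest residual risk first."""
    rows = [(a.name, baseline_risk(a), residual_risk(a, applied.get(a.name, [])))
            for a in assets]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def choose_safeguards(asset: Asset, candidates: List[Safeguard],
                      budget: float) -> Tuple[List[Safeguard], float, float]:
    """Cost/risk trade-off: greedily add the affordable safeguard with the largest
    risk reduction per unit cost until no affordable candidate still reduces risk."""
    chosen: List[Safeguard] = []
    remaining = list(candidates)
    spent = 0.0
    while True:
        current = residual_risk(asset, chosen)
        best: Optional[Safeguard] = None
        best_ratio = 0.0
        for sg in remaining:
            if spent + sg.cost > budget:
                continue
            ratio = (current - residual_risk(asset, chosen + [sg])) / sg.cost
            if ratio > best_ratio:
                best, best_ratio = sg, ratio
        if best is None:
            return chosen, residual_risk(asset, chosen), spent
        chosen.append(best)
        remaining.remove(best)
        spent += best.cost


# Constructed sample data (not from the presentation).
PATCHING = Safeguard("patch management", "procedure", factor=2.0, cost=20.0)
WAF = Safeguard("web application firewall", "product", factor=1.5, cost=40.0)
AWARENESS = Safeguard("awareness training", "people", factor=1.25, cost=10.0)
SAFEGUARDS = [PATCHING, WAF, AWARENESS]

CITIZEN_DB = Asset("citizen records database", value=5, threat=4, vulnerability=3)
ASSETS = [
    CITIZEN_DB,
    Asset("public web site", value=3, threat=5, vulnerability=4),
    Asset("intranet wiki", value=2, threat=2, vulnerability=3),
]

if __name__ == "__main__":
    for name, rb, rr in rank_assets(ASSETS, {CITIZEN_DB.name: [PATCHING]}):
        print(f"{name:28s} baseline {rb:6.1f} residual {rr:6.1f}")
    chosen, rr, spent = choose_safeguards(CITIZEN_DB, SAFEGUARDS, budget=30.0)
    print([sg.name for sg in chosen], rr, spent)
```

With the sample values the citizen records database has a baseline risk of 60; patch management alone halves it to 30, and a budget of 30 cost units buys patch management plus awareness training for a residual risk of 24, while the more expensive firewall is left out. The point the cube makes, and the code preserves, is that the three edges multiply: a safeguard that shortens any one edge shrinks the whole volume, and a score of zero on any edge (no asset value, no threat, or no vulnerability) would mean no risk at all, which is why the scale starts at 1.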
Knowledge Gathered from the Symantec Global Intelligence Network
• Managed devices in 70+ countries
• 120 million threat/virus submission systems
• 40,000+ sensors in 200+ countries
• 2 billion+ events logged daily
• Over 100,000 security alerts generated annually
• 200,000 daily code submissions
Vulnerability database: 55,000+ technologies from over 8,000 vendors
Fraud (spam & phishing): 30+ million probe messages a day; generates statistics on 1+ billion email messages a day; geo-location capabilities on servers and zombies
Honeypot network: capturing previously unseen threats and attack methods
Intelligence Behind the Global Intelligence Network
• 11 Security Research Centers
• 29 Global Support Centers
• 4 MSS Security Operations Centers
Locations: Sydney, Aus; Alexandria, VA; Reading, Green Park, GBR; Chennai, India; Dublin, Ireland; Austin, TX; Mountain View, CA; San Francisco, CA; Pune, India; Taipei, Taiwan; Tokyo, Japan; Culver City, CA; Calgary, Alberta, Canada; Chengdu, China; Brisbane, Aus; Buenos Aires, Argentina; Durham, NC; Heathrow, FL; Herndon, VA; Miami, FL; Milan, Italy; Aschheim, Germany; Atlanta, GA; Beijing, China; Brussels, Belgium; Cupertino, CA; Dallas, TX; Dubai, UAE; Englewood, CO; Gothenburg, Sweden; Houston, TX; Hong Kong, China; Madrid, Spain; Melbourne, Aus; Mexico City, Mexico; Mumbai, India; Newton/Waltham, MA; Oak Brook, IL; Orem, UT; Roseville, MN; San Luis Obispo, CA; Sandton, South Africa; Santa Monica, CA; Sao Paulo, Brazil; Seattle, WA; Seoul, South Korea; Shannon, Ireland; Shanghai, China; Singapore; Springfield, OR; Ratingen, Germany; Riyadh, Saudi Arabia; Bloomfield Hills, MI; Wiesbaden, Germany; Zaltbommel, NLD; Toronto, Canada; Warsaw, Poland
Threat Evolution Timeline
[Chart: timeline from 1988 to 2008. Motivation shifts from curiosity to crime and actors from individuals to nation-states. Milestones, in order:]
• Virus
• Destructive Virus
• Macro Virus
• Vulnerabilities Openly Discussed
• Mass Mailing Worms
• Network Worms
• Spam
• Tracking Cookies
• Spam Explodes
• Bots & Botnets
• DDoS Attacks
• Bots Explode
• Paid Vulnerability Research
• Adware
• Spyware
• Rootkits On the Rise
• Spyware & Adware Explode
• Phishing
• Crimeware
• Phishing Explodes
• Zero Day Exploits & Threats
Threat Landscape – Overarching Themes
• The Web is quickly becoming the distribution point for malicious code and attacks
• Malicious activity targets end-users rather than computers
• Consolidation and maturation in the underground economy
  – Specialized production and provisioning
  – Outsourcing
  – Multivariate pricing
  – Flexible business models
• Rapid adaptability of attackers and attack activity
The Web as the Focal Point
• Vulnerabilities in websites are more popular because they allow for more sophisticated, multi-staged attacks.
• Site-specific vulnerabilities outnumber traditional vulnerabilities nearly 5 to 1, with much lower patch rates: only 473 of the site-specific vulnerabilities had been patched at the time of reporting.
[Chart: traditional vulnerabilities vs. site-specific vulnerabilities]
End-Users are the Primary Target
• Social networking Web sites are easy for criminals to spoof and, because social networking pages are generally trusted by users, phishing attacks mimicking them may have a better chance of success.
• Symantec measured the adoption rate of applications and found that of 54,609 unique applications deployed on Microsoft Windows PCs, 65 percent were malicious.
[Charts: phishing Web site hosts; top phishing countries and targets]
Underground Economy Specialization
• The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.
Underground Economy – Outsourcing, Pricing Flexibility
• Romania was home to the third most phishing Web sites during this period and the most phishing Web sites in EMEA.
• To take advantage of economic efficiencies and entice buyers, sellers offer reduced prices on larger volumes of goods for sale.
• A mature, consolidated economy is characterized by the development and implementation of specific business models that are suitable to the prevailing influences within the economy.
Rapid Adaptation – New Markets
• Adaptability in the form of geographic mobility and new markets as attackers seek digital "safe havens".
• Relocation to regions or countries in which security practices, legislation and/or infrastructure are not particularly well developed.
Vulnerability Trends – Additional Metrics
• Symantec documented 2,134 vulnerabilities in the current reporting period, 13% fewer than the previous reporting period.
• Severity classification: high severity 3%, medium severity 61% and low severity 36%.
• Web applications constituted 58% of all documented vulnerabilities.
• 73% of vulnerabilities documented this period were easily exploitable, compared to 72% in the previous period.
• The window of exposure (W.O.E.) for enterprise vendors was 46 days, a decrease from the 55-day average in the first half of 2007.
• Mozilla had the most vulnerabilities of any browser at 88, but Microsoft had the highest browser W.O.E. at 11 days.
• From July 1st to December 31st 2007, Symantec documented 9 zero-day vulnerabilities, an increase over the previous reporting period. All affected third-party applications for the Windows platform.
• 92 vulnerabilities were documented in security products this period, down from 113 in the previous period.
Filling the Policy Gap
[Diagram: policy is what you can define and mandate; technology tools are what you can enforce; the difference between the two is the "policy gap".]
Predicting the Future
Future Watch
• Increasing use of whitelisting technologies
• Portable media and shrink-wrapped devices
• The decline of IRC-controlled bot networks
• Increase in threats attempting to influence US election results
Managing Security 2.0
If you can measure, you can:
• justify
• target
• control
• predict
If you can measure, you can actively MANAGE, and help security evolve from art to science.