Security 2.0: The Next Generation of Security for the Public Sector
John McCumber, Strategic Programs Manager

Upload: henrik

Post on 25-Feb-2016

TRANSCRIPT

Page 1: Security 2.0: The Next Generation of Security for the Public Sector

Security 2.0: The Next Generation of Security for the Public Sector
John McCumber, Strategic Programs Manager

Page 2

Symantec Vision 2007

Agenda

1. Security Perceptions
2. Critical Connections Survey Results
3. Security 1.0
4. Security 2.0
5. Bridging the Gap – Preparing for a 2.0 World

Page 3

Critical Connections

About the Study

Symantec recently announced the results of the 2008 Critical Connections Study, which polled 600 IT executives across Federal, state and local government, as well as private sector organizations, to identify information security connections, disconnects, and opportunities for improvement. Download Full Study: www.symantec.com/symposium

Report Includes:

• Connections: Common nightmares, barriers, and areas of progress
• Disconnects: Public/private collaboration and preparedness
• Critical Connections: Perspectives on the National Cyber Security Initiative

Page 4

Critical Connections

Agreement on Need For Collaboration

Is there a requirement for increased public/private collaboration in securing cyber space? Yes:

• Federal: 68%
• State and Local: 48%
• Private Sector: 59%

Take Away: It Takes Two to Tango – Increased Coordination Required

Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

Page 5

Disconnects

Diverse Preparedness Behaviors; Steps Needed to Improve Security

                                                                   Feds   State and Local   Private Sector
My organization has participated in cyber security preparedness    63%    32%               39%
exercises
My organization has automated cyber threat/vulnerability           64%    38%               44%
reporting

Take Away: Talk the Talk and Walk the Walk – Action Must Match Priority

Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

Page 6

Federal Opportunity

Federal Government Can Offer Best Practices Based on its Progress

78% of private sector respondents want more information from the government on cyber threats

Take Away: Open Door for Feds to Improve National Cyber Security

Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

Page 7

National Cyber Security Initiative

Support Underscores Need for Cyber Security Leadership

When asked to name the most significant benefit of the National Cyber Security Initiative, few respondents picked “Common cyber security operating picture,” the principal program objective.

Believe the National Cyber Security Initiative will have a positive impact:

       Feds   State and Local   Private Sector
       86%    70%               76%
       12%    11%               11%

Take Away: Strong Enthusiasm, but Education Needed

Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

Page 8

Security versus Risk Management

• Security: something you feel

• Risk: something you manage

Page 9

2002 Symantec Corporation, All Rights Reserved

Risk in IT Systems

Find out the cause of this effect,

Or rather say, the cause of this defect,

For this effect defective comes by cause.

- William Shakespeare, Hamlet

Page 10

The Complete Threat Model

• Destruction
  – Availability
  – Reliability
• Disclosure
  – Data analysis
  – Traffic analysis
• Delay
  – Denial of service
  – System degradation
• Distortion
  – Data integrity
  – Accuracy

• Outsider Malicious Threats
• Insider Malicious Threats
• Non-malicious Threats
• Environmental

Page 11

Threat Classifications

Threat
  Environmental | Man-Made
    Internal | External
      Hostile | Non-Hostile
        Structured | Unstructured | Structured | Unstructured

Page 12

Evolution from 1.0 to 2.0

1980s: GATES, GUNS & GUARDS
• Physical vulnerabilities
• Data confidentiality
• Outsider threats

1990s: FIND & FIX
• Electronic vulnerabilities
• Data confidentiality, integrity & availability
• Outsider & insider threats

2000s: ASSESS & MANAGE
• Risk & vulnerability analysis
• Active network monitoring
• Network security accreditation
• Incident response & recovery

Proactive: mitigate the risk with technology, processes, or transfer it

Reactive: vulnerability discovered, fix it and close the hole

Page 13

Find-and-Fix Security

• Technical issues only
• Vulnerability-centric
• Probes exterior boundaries
• Little “analysis”
• Recommends point solutions
  – tied to specific vulnerabilities
  – based on consultant’s experience

Page 14

Penetration-and-Patch Security

[Chart: Technology (y-axis) vs. Time (x-axis) – IT systems evolution and defensive capabilities curves; the space between them is marked as the vulnerability gap]

Page 15

Compliance-based Security Audit

• Static
• Subjective
• Intuitive
• Inconsistent results
• Compliance-based

Page 16

Security Objective

[Chart: Technology (y-axis) vs. Time (x-axis) – IT systems evolution curve with the risk management/security 2.0 curve alongside it]

Page 17

IT Risk Management

The process of designing, developing, sustaining, and modifying operational processes and systems in consideration of applicable risks* to asset confidentiality, integrity, and availability.

*Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

Page 18

IT Risk Management

• Incorporates an analytical, systems approach into the entire operational and support cycle

• Provides systems and operational leaders a reliable decision support process

• Encourages protection of only that which requires protection

• Manages cost while achieving significant performance benefits

Page 19

IT Risk Management Principles

• Anti-hacking does not = security
• Data does not = information
• Systems security certification does not = risk management
• Meeting the demands of risk management requires more than assessing and mandating security features.

Page 20

Managing Risk

"When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind: it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the stage of science."

William Thomson, 1824 - 1907

Page 21

Assessing Risk: Empirical Objective

[Diagram: Applying Safeguards – Cost, Risk, Performance]

Page 22

Essential Elements of Risk

• Threats
• Assets
• Vulnerabilities
• Safeguards
  – Products
  – Procedures
  – People

Page 23

Mathematical Relationship

1: T × V × A = R_b (baseline risk)

2: T × V × A / S = R_r (residual risk after safeguards)

Page 24

Risk = Volume of a Cube

[Diagram: two cubes with edges Asset, Threat and Vulnerability – Baseline Risk, and Residual Risk after Safeguards Applied]
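The relationship on slides 21 to 24 (baseline risk as the product T × V × A, safeguards dividing it to leave residual risk, and the cost/risk/performance trade-off of choosing safeguards) is easier to reason about when it is run over a small register. The following is an added example and not code from the deck or from Symantec; the 1–5 rating scale, the rule that several safeguards covering one exposure multiply their factors, the "acceptable risk" threshold, and every asset, safeguard and number in it are constructed for the illustration.

```python
"""Added illustration of slides 21-24 (not Symantec's code): risk as the
product T x V x A, safeguards dividing it to leave residual risk, and a
cost/performance ranking of candidate safeguards. Scales, names and
numbers below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One asset/threat/vulnerability triple, each rated 1 (low) to 5 (high).
    The 1-5 scale is an assumption of this example."""
    name: str
    threat: int         # T: likelihood the threat is realised
    vulnerability: int  # V: how exposed the asset is to that threat
    asset: int          # A: value of the asset / impact if compromised

    def baseline_risk(self) -> float:
        # Slide 23, eq. 1: T x V x A = R_b, the volume of the cube on slide 24
        return float(self.threat * self.vulnerability * self.asset)


@dataclass(frozen=True)
class Safeguard:
    """A product, procedure or people control (slide 22) and what it costs."""
    name: str
    factor: float                # S: divisor applied to the risk it covers (S >= 1 assumed)
    cost: float                  # annual cost in arbitrary units (constructed)
    applies_to: Tuple[str, ...]  # exposure names this safeguard covers


def residual_risk(exposure: Exposure, safeguards: List[Safeguard]) -> float:
    """Slide 23, eq. 2: T x V x A / S = R_r. When several safeguards cover the
    same exposure their factors are multiplied; that combination rule is an
    assumption of this example, not something the slides state."""
    combined = 1.0
    for sg in safeguards:
        if exposure.name in sg.applies_to:
            combined *= sg.factor
    return exposure.baseline_risk() / combined


def applicable(exposures: List[Exposure], safeguards: List[Safeguard],
               acceptable: float) -> List[str]:
    """Names whose residual risk still exceeds the acceptable level: the
    'applicable risks' of slide 17, i.e. what still requires protection."""
    return [e.name for e in exposures if residual_risk(e, safeguards) > acceptable]


def rank_safeguards(exposures: List[Exposure],
                    safeguards: List[Safeguard]) -> List[Tuple[str, float, float]]:
    """(name, total risk reduction, reduction per unit cost) for each safeguard
    applied on its own, best value first: the cost/risk/performance trade-off
    of slide 21 expressed in numbers."""
    total_baseline = sum(e.baseline_risk() for e in exposures)
    ranked = []
    for sg in safeguards:
        total_residual = sum(residual_risk(e, [sg]) for e in exposures)
        reduction = total_baseline - total_residual
        ranked.append((sg.name, reduction, reduction / sg.cost))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample register for a small public-sector environment.
EXPOSURES = [
    Exposure("citizen-records-db", threat=4, vulnerability=3, asset=5),  # R_b = 60
    Exposure("public-web-portal", threat=5, vulnerability=4, asset=3),   # R_b = 60
    Exposure("internal-wiki", threat=2, vulnerability=3, asset=2),       # R_b = 12
    Exposure("email-gateway", threat=5, vulnerability=2, asset=4),       # R_b = 40
]
SAFEGUARDS = [
    Safeguard("patch-management", factor=2.0, cost=10.0,
              applies_to=("public-web-portal", "internal-wiki", "email-gateway")),
    Safeguard("db-encryption-at-rest", factor=4.0, cost=20.0,
              applies_to=("citizen-records-db",)),
    Safeguard("awareness-training", factor=1.5, cost=5.0,
              applies_to=("internal-wiki", "email-gateway")),
]

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.name:20s} baseline {e.baseline_risk():5.1f} "
              f"residual {residual_risk(e, SAFEGUARDS):5.1f}")
    for name, reduction, per_cost in rank_safeguards(EXPOSURES, SAFEGUARDS):
        print(f"{name:22s} reduces total risk by {reduction:5.1f} "
              f"({per_cost:.2f} per unit cost)")
    print("still above acceptable level 20:", applicable(EXPOSURES, SAFEGUARDS, 20.0))
```

With these constructed numbers the cheapest control (patch management) buys the most risk reduction per unit cost, while database encryption removes the most risk from the single highest-value asset but costs twice as much; after all three are applied only the public web portal remains above the chosen acceptable level, which is the "protect only what requires protection" decision of slide 18 made visible.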

Page 25

Knowledge Gathered from the Symantec Global Intelligence Network

• Managed devices in 70+ countries
• 120 Million Threat/Virus Submission Systems
• 40,000+ Sensors in 200+ Countries
• 2 Billion+ events logged daily
• Over 100,000 security alerts generated annually
• 200,000 daily code submissions

Vulnerability Database; Fraud: Spam & Phishing; Honeypot Network

• 55,000+ technologies from over 8000 vendors
• 30+ Million Probe Messages a day
• Generates statistics on 1+ Billion email messages a day
• Geo-location capabilities on servers and zombies
• Capturing previously unseen threats and attack methods

Page 26

Intelligence Behind the Global Intelligence Network

• 11 Security Research Centers
• 29 Global Support Centers
• 4 MSS Security Operations Centers

[Map of locations: Sydney, Aus; Alexandria, VA; Reading, Green Park, GBR; Chennai, India; Dublin, Ireland; Austin, Texas; Mountain View, CA; San Francisco, CA; Pune, India; Taipei, Taiwan; Tokyo, Japan; Culver City, CA; Calgary, Alberta, CA; Chengdu, China; Brisbane, Aus; Buenos Aires, Argentina; Durham, NC; Heathrow, FL; Herndon, VA; Miami, FL; Milan, Italy; Aschheim, Germany; Atlanta, Georgia; Beijing, China; Brussels, Belgium; Cupertino, CA; Dallas, TX; Dubai, UAE; Englewood, CO; Gothenburg, Sweden; Houston, TX; Hong Kong, China; Madrid, Spain; Melbourne, Aus; Mexico City, Mexico; Mumbai, India; Newton/Waltham, MA; Oak Brook, IL; Orem, UT; Roseville, MN; San Luis Obispo, CA; Sandton, South Africa; Santa Monica, CA; Sao Paulo, Brazil; Seattle, WA; Seoul, South Korea; Shannon, Ireland; Shanghai, China; Singapore; Springfield, OR; Ratingen, Germany; Riyadh, Saudi Arabia; Bloomfield Hills, MI; Wiesbaden, Germany; Zaltbommel, NLD; Toronto, CA; Warsaw, Poland]

Page 27

Symantec Vision 2007

Threat Evolution Timeline

[Timeline 1988 → 2008; labels: curiosity → crime; individuals → nation-states]

• Virus
• Destructive Virus
• Macro Virus
• Vulnerabilities Openly Discussed
• Mass Mailing Worms
• Network Worms
• Spam
• Tracking Cookies
• Spam Explodes
• Bots & Botnets
• DDoS Attacks
• Bots Explode
• Paid Vulnerability Research
• Adware
• Spyware
• Rootkits On the Rise
• Spyware & Adware Explode
• Phishing
• Crimeware
• Phishing Explodes
• Zero Day Exploits & Threats

Page 28

Threat Landscape – Overarching Themes

• The Web is quickly becoming the distribution point for malicious code and attacks
• Malicious activity that targets end-users rather than computers
• Consolidation and maturation in the Underground Economy
  – Specialized production and provisioning
  – Outsourcing
  – Multivariate pricing
  – Flexible business models
• Rapid adaptability of attackers and attack activity

Page 29

The Web as the Focal Point

• Vulnerabilities in websites are more popular because they allow for more sophisticated and multi-staged attacks.
• Site-specific vulnerabilities outnumber traditional vulnerabilities nearly 5 to 1 with much lower patch rates – only 473 of the site-specific vulnerabilities had been patched at the time of reporting.

[Chart: Vulnerabilities – Traditional vs. Site-specific vulnerabilities]

Page 30

End-Users are the Primary Target

• Social networking Web sites are easy for criminals to spoof and, because social networking pages are generally trusted by users, phishing attacks mimicking them may have a better chance of success.
• Symantec measured the adoption rate of applications and found that, of 54,609 unique applications deployed on Microsoft Windows PCs, 65 percent were malicious.

[Charts: Phishing Web Site Hosts; Top Phishing Countries and Targets]

Page 31

Underground Economy Specialization

• The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.

Page 32

Underground Economy – Outsourcing, Pricing Flexibility

• Romania was home to the third most phishing Web sites during this period and the most phishing Web sites in EMEA.
• In order to take advantage of economic efficiencies and entice buyers, sellers will offer reduced prices on larger volumes of goods for sale.
• A mature, consolidated economy is characterized by the development and implementation of specific business models that are suitable to the prevailing influences within the economy.

Page 33

Rapid Adaptation – New Markets

• Adaptability in the form of geographic mobility and new markets as attackers seek digital “safe-havens”.
• Relocation to regions or countries in which security practices, legislation and/or infrastructure are not particularly well developed.

Page 34

Vulnerability Trends – Additional Metrics

• Symantec documented 2,134 vulnerabilities in the current reporting period, 13% fewer than the previous reporting period.
• Severity classification: High severity 3%, Medium severity 61% and Low severity 36%.
• Web applications constituted 58% of all documented vulnerabilities.
• 73% of vulnerabilities documented this period were easily exploitable compared to 72% in the previous period.
• The W.O.E. for enterprise vendors was 46 days, a decrease from the 55 day average in the first half of 2007.
• Mozilla had the most vulnerabilities of any browser at 88 but Microsoft had the highest browser W.O.E. at 11 days.
• From July 1st - December 31st 2007, Symantec documented 9 zero-day vulnerabilities, an increase over the previous reporting period. All affected 3rd party applications for the Windows platform.
• 92 vulnerabilities were documented in security products this period, down from 113 in the previous period.
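The metrics on this slide (window of exposure per vendor, severity split, share that is easily exploitable, zero-day count) are the kind of numbers a security team can compute for its own estate, which is the "measure so you can manage" point the deck closes on. The following is an added example, not Symantec's code or data: the record layout, the reading of W.O.E. as days from public disclosure to vendor patch, and the rule that a zero-day is a vulnerability exploited in the wild before it was publicly disclosed are assumptions of this example, and every record in it is constructed with placeholder identifiers.

```python
"""Added example for slide 34 (not Symantec's code or data): window of
exposure, severity split, easily-exploitable share, zero-day count and
unpatched backlog over a constructed set of vulnerability records.
Assumptions: W.O.E. = days from public disclosure to vendor patch;
zero-day = exploitation observed before public disclosure."""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional

# Constructed records; identifiers are placeholders, not real advisories.
RECORDS = [
    {"id": "EX-1", "vendor": "VendorA", "severity": "high",
     "disclosed": date(2007, 7, 3), "patched": date(2007, 8, 14),
     "exploited": date(2007, 7, 10), "easy": True},   # exploited inside the window
    {"id": "EX-2", "vendor": "VendorA", "severity": "medium",
     "disclosed": date(2007, 9, 1), "patched": date(2007, 10, 21),
     "exploited": None, "easy": True},
    {"id": "EX-3", "vendor": "VendorB", "severity": "medium",
     "disclosed": date(2007, 8, 10), "patched": date(2007, 8, 21),
     "exploited": None, "easy": False},
    {"id": "EX-4", "vendor": "VendorB", "severity": "low",
     "disclosed": date(2007, 11, 5), "patched": None,     # still unpatched
     "exploited": None, "easy": True},
    {"id": "EX-5", "vendor": "VendorB", "severity": "medium",
     "disclosed": date(2007, 12, 1), "patched": date(2007, 12, 12),
     "exploited": date(2007, 11, 28), "easy": True},  # exploited before disclosure
    {"id": "EX-6", "vendor": "VendorA", "severity": "low",
     "disclosed": date(2007, 10, 15), "patched": date(2007, 11, 26),
     "exploited": None, "easy": False},
]


def window_of_exposure(rec: Dict) -> Optional[int]:
    """Days from public disclosure to vendor patch; None while no patch exists."""
    if rec["patched"] is None:
        return None
    return (rec["patched"] - rec["disclosed"]).days


def average_woe(records: List[Dict], vendor: Optional[str] = None) -> Optional[float]:
    """Mean W.O.E. over patched records, optionally for a single vendor.
    Unpatched records are excluded rather than counted as zero days, so an
    open backlog cannot flatter the average."""
    windows = [window_of_exposure(r) for r in records
               if vendor is None or r["vendor"] == vendor]
    windows = [w for w in windows if w is not None]
    return sum(windows) / len(windows) if windows else None


def severity_breakdown(records: List[Dict]) -> Dict[str, int]:
    """Percentage of records per severity class, rounded to whole percent."""
    counts = Counter(r["severity"] for r in records)
    return {sev: round(100 * n / len(records)) for sev, n in counts.items()}


def easily_exploitable_pct(records: List[Dict]) -> int:
    """Whole-percent share of records flagged as easily exploitable."""
    return round(100 * sum(1 for r in records if r["easy"]) / len(records))


def zero_days(records: List[Dict]) -> List[str]:
    """Records exploited in the wild before public disclosure (assumed rule)."""
    return [r["id"] for r in records
            if r["exploited"] is not None and r["exploited"] < r["disclosed"]]


def unpatched(records: List[Dict]) -> List[str]:
    """Records with no vendor patch: the backlog behind low patch rates."""
    return [r["id"] for r in records if r["patched"] is None]


if __name__ == "__main__":
    print("records:", len(RECORDS))
    print("severity %:", severity_breakdown(RECORDS))
    print("easily exploitable %:", easily_exploitable_pct(RECORDS))
    for v in ("VendorA", "VendorB"):
        print(f"{v} average W.O.E. (days): {average_woe(RECORDS, v):.1f}")
    print("zero-days:", zero_days(RECORDS))
    print("unpatched:", unpatched(RECORDS))
```

Two details matter when reproducing a vendor's W.O.E. figure: unpatched items must be excluded from the average rather than silently counted as zero (the sample has one), and the zero-day rule must be stated, because a record exploited after disclosure but before the patch (EX-1 here) is a live exposure but not a zero-day under the definition used above.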

Page 35

Symantec Vision 2007

Filling the Policy Gap

[Diagram: Policy – what you can define/mandate; Technology tools – what you can enforce; the “policy gap” lies between them]

Page 36

Predicting the Future

Page 37

Future Watch

• Increasing use of whitelisting technologies
• Portable media and shrink-wrapped devices
• The decline of IRC controlled bot networks
• Increase in threats attempting to influence US election results

Page 38

Managing Security 2.0

If you can measure, you can:

• justify
• target
• control
• predict

If you can measure, you can actively MANAGE, and help security evolve from art to science.

Page 39

Symantec Vision 2007

Questions & Answers

John McCumber
[email protected]