TRANSCRIPT
Security Alert: Latest Trends in Global Attacks, Sources and Impact
Vince Steckler, Vice President, Asia Pacific
2 © 2003 Symantec Corporation.
New Technologies and Targets
• Broadband: 120M subscribers worldwide by 2005
• SCADA: used by oil and natural gas; controls electric power and water supplies
• Instant Messaging/P2P: over 500M users by 2005
• Wireless: 484M users worldwide by 2005
• Grid Computing: $4.1B market by 2005
• Web Services Security: $4.4B market by 2006
Less Knowledge Required to Attack
[Chart, 1980 to 2005: Intruder Knowledge (High to Low) plotted against Automated Tools & Attack Sophistication]
General Threat Evolution
[Chart: scope of impact (Individual PCs, Individual Orgs., Sector, Regional, Global Impact) versus time]
• 1990s: 1st gen. viruses, individual DoS, web defacement
• 2000: email worms, DDoS, credit hacking
• 2003: blended threats, limited Warhol threats, worm-driven DDoS, national credit hacking, infrastructure hacking
• Next: Flash threats? Massive worm-driven DDoS? Critical infrastructure attacks?
Threat Evolution: Malicious Code
[Chart: contagion timeframe (weeks or months, days, hours, minutes, seconds) versus time (early 1990s, mid 1990s, late 1990s, 2000, 2003) for File Viruses, Macro Viruses, e-mail Worms, Blended Threats, "Warhol" Threats and "Flash" Threats]
• Class I: human response possible
• Class II: human response difficult/impossible; automated response possible
• Class III: human response impossible; automated response unlikely; proactive blocking possible
Vulnerabilities on the Rise
New vulnerabilities per week (Source: Bugtraq):
• '99: 10
• '00: 25
• '01: 30
• '02: 50
• '03 (proj.): 70
Threat Evolution: Day-zero Threats
[Chart: the vulnerability-threat window, the time between "vulnerability identified" and "threat released"]
A day-zero threat exploits a previously unknown, and therefore unprotected, vulnerability.
Threat Evolution: Day-zero Threats
[Chart: vulnerability-threat window; with a day-zero exploit the threat is released before the vulnerability is identified, rather than after it]
Time Until Exploitation
[Chart: time until exploitation (months, days, hours, "Day 0") by attacker type: Novice Programmer, Sophisticated Programmer, Organized Crime/Terrorist Organization, Nation/State Threat]
As attacker demographics shift, we expect a reduction in the vulnerability-threat window.
Threat Impact on Emerging Targets
[Matrix: threats (Flash and Day-Zero Threats, Warhol and Day-Zero Threats, Blended Threats, DDoS, Targeted Hacking) versus targets (Internet Backbone/Broadband, Wireless Infrastructure, Web Services)]
Impacts shown:
• Global Internet disruption
• Short-term/localized Internet disruption
• Major disruption of B2B services, sector-level impact
• Major disruption to multiple networks
• Short-term disruption of individual networks
• Account theft/corruption, DoS
• Data theft/corruption, DoS
Threat Impact on Emerging Targets
[Matrix: threats (Flash and Day-Zero Threats, Warhol and Day-Zero Threats, Blended Threats, DDoS, Targeted Hacking) versus targets (Instant Messaging & Peer to Peer, Grid Computing, Physical Infrastructure/SCADA)]
Impacts shown:
• Instant Messaging & Peer to Peer: potential disruption of millions of IM/P2P agents; possible major compromise of hosts; content eavesdropping, password theft
• Grid Computing: potential disruption of all participating grid nodes; possible major compromise of hosts; short-term disruption to grid computations; data theft and corruption to grid and host
• Physical Infrastructure/SCADA: impact to power, comm, hydro, chemical and other infrastructure; disruption of inter-networked SCADA; disruption of targeted infrastructures
• Short-term service disruption
Malicious Code Protection Strategies
Threat classes:
• Class III threats (Flash threats, Day-Zero)
• Class II threats (Blended threats, Warhol, Day-Zero)
• Class I threats (Blended threats, worms, viruses)
Sensing strategies: Distributed Sensor Networks; Protocol Anomaly Detection; Rule and Statistical Correlation
Reactive protection strategies: Manual Fingerprints; Auto Fingerprint Generation; Auto Fingerprint Generation (for slower Class II threats); only useful after initial wave
Proactive protection strategies: Generic Exploit Blocking; Network Intrusion Prevention; Host Intrusion Prevention; Adaptive Security
IT Governance
Part of overall enterprise governance, to ensure that
• IT is aligned to enable business objectives and deliver value
• IT resources are responsibly used
• IT risks are mitigated and managed appropriately
[Diagram: IT Governance as part of Governance]
Information Security Governance
[Diagram: Information Security Governance within IT Governance, within Governance]
Information Security Governance
• Specific value drivers for
– Integrity of information
– Continuity of service
– Protection of information assets
• Outcomes:
– Strategic Alignment
– Value Delivery
– Risk Management
– Performance Measurement
Source: IT Governance Institute
Security Performance Metrics Examples
• Summary and Trends
• Incidents
• Awareness
• Risk and Compliance
• Financial
Metrics Are a Challenge with Typical Information Security Solutions
• Fragmented functionality
• Little to no integration
• Lack of a cohesive security management capability
• Doesn’t provide an overall view of security posture
[Diagram labels: Authentication, Antivirus, Firewall, Intrusion Detection, Vuln Assess, VPN; Content Updates & Security Response; 24x7 Global Customer Support; Attack Recovery Services; Threat Management & Early Warning; Honey Pot & Decoy Technology; Vuln Mgmt; Policy Mgmt; Event & Incident Mgmt; Access Control & Auth; Identity Mgmt; Config. Mgmt; Common Console; Security Services]
Conclusion – Critical Success Factors
• Information security reports to senior management / CIOs
• Information security audit is integral part of audit program
• Clearly defined roles, responsibilities and accountability
• Security policy in place and compliance monitored
• Scorecards to ensure common alignment with overall objectives and to provide transparency
IT Audit, Control, Security and Assurance professionals play a pivotal role in successful governance.