the evolution of threats and their impact upon technology
DESCRIPTION
Security-related threats have changed substantially over the years. Only one decade ago network sniffing attacks, IP spoofing, viruses, worms, and externally initiated break-ins that exploited buffer overflow conditions were the most common types of attacks. Keystroke capturing Trojan horses and exploits that target Web browsers are among the most frequent types of current attacks. Additionally, information security practices face new risks for failure meeting compliance requirements (SoX, HIPAA, GLBA, and so on). Fortunately new security technology has emerged to deal with the changing threat. Much of it is more user-friendly that ever before, something that often results in proficient use and a reduced need for extensive training. Understand today's security technology and changes that can improve your ability to address threats and risks.TRANSCRIPT
The Evolution of Threats and The Evolution of Threats and The Evolution of Threats and The Evolution of Threats and
their Impact upon Technologytheir Impact upon Technologytheir Impact upon Technologytheir Impact upon TechnologyInterop 2008
Las Vegas, Nevada
E. Eugene Schultz, PhD., CISSP,
CISMChief Technology Officer & Chief
Information Security Officer
High Tower Software
Copyright 2008 High Tower – All
Rights Reserved
titletitletitletitle
Copyright 2008 High Tower – All Rights Reserved
About information securityAbout information securityAbout information securityAbout information security----related related related related threatsthreatsthreatsthreats
• Formal definition of threat—” An expression of an intention to inflict pain, injury, evil, or punishment. An indication of impending danger or harm.”
• In information security—threats are sources of potential or actual security-related compromise, damage, disruption or loss– Must be thoroughly evaluated and understood if a risk analysis is to be valid and meaningful
– Usually evaluated in terms of type, nature and extent
– Subject to sudden and drastic change
Copyright 2008 High Tower – All Rights Reserved
About information securityAbout information securityAbout information securityAbout information security----related related related related
technologytechnologytechnologytechnology
• A wide range of technology, all of which is purported to
be able to very effectively mitigate security-related risk,
exists
• How does one even start in evaluating all of this
technology?
• Major issues to be addressed in this presentation
include
– Has security technology provided sufficient control over threats that
have surfaced over the years?
– Which security technologies have in general worked worst/best and why?
Copyright 2008 High Tower – All Rights Reserved
A threat timelineA threat timelineA threat timelineA threat timeline
1950s 1960s 1970s 1980s 1990s 2000s Present
First computer crime
First salami slicing ploy
Crude attacks to obtain computer access
Remote password attacks (often using modem access)
First social engineering attacks
First interna-tionalespionage
First worm in the wild
Morris Worm
Exploitation of vulnerabilities
Sniffer attacks
Automated scans
DNS cache poisoning attacks
First virus in the wild
First DDoSattack
Attacks on root DNS servers
First PC virus
First IP spoofing
First buffer overflow attack
SQL injection
Attacks on browsers
Web defacements
Wireless attacks
Copyright 2008 High Tower – All Rights Reserved
A security technology A security technology A security technology A security technology timelinetimelinetimelinetimeline
1950s 1960s 1970s 1980s 1990s 2000s Present
RACF, ACF2 and similar tools
First anti-virus software
First IDS
First password cracking tool
First commercial vulnerability scanner
First firewall
Lucifer encryption
DES encryption
First password filter
First tripwire technology
Early strong authentication
VPNs
PKI
First IPS
IDMS
SIEM
Patch mgmt
NAC
Data Leakage
Copyright 2008 High Tower – All Rights Reserved
Has security technology provided sufficient control Has security technology provided sufficient control Has security technology provided sufficient control Has security technology provided sufficient control over threats?over threats?over threats?over threats?
• No amount of technology, no matter how good, can
solve the whole problem– There will always be residual risk
• New technology invariably lags behind new threats
• BUT—security risks have proliferated and have
become so technical in nature that they are now not
manageable without suitable security technology– Insufficient human resources available
– Speed of response needed not possible with humans
– Potentially prohibitive costs
– Lack of necessary skills and knowledge
Copyright 2008 High Tower – All Rights Reserved
A comparison of certain security A comparison of certain security A comparison of certain security A comparison of certain security
technologiestechnologiestechnologiestechnologies
LESS ADEQUATE
• Password filters
• PKI
• Network Access
Control (NAC)
• Some types of intrusion
prevention
MUCH MORE ADEQUATE
• Tripwire tools
• Identity management
tools
• Patch management tools
• Security
Information/Event
Management (SIEM) tools
Copyright 2008 High Tower – All Rights Reserved
Some technologies have proven useful, but are Some technologies have proven useful, but are Some technologies have proven useful, but are Some technologies have proven useful, but are starting to starting to starting to starting to show their ageshow their ageshow their ageshow their age
• Firewalls
• Intrusion detection systems
• Anti-virus software
Copyright 2008 High Tower – All Rights Reserved
Why some technologies work better than Why some technologies work better than Why some technologies work better than Why some technologies work better than othersothersothersothers
• Some are more conducive to mitigating particular
types of risk resulting from threats than others
• Cost versus benefit ratios are higher for some
types of technology
• Some technologies have proven more flexible
and adaptive than others
• Some are more strategic and long lasting than
others
• Some solve both security and non-security needs
(the “two-in-one” benefit)
Copyright 2008 High Tower – All Rights Reserved
• Security threat has evolved to the point that security
technology is now more of a necessary component of
every security practice than ever before
• Information security staff need to recognize where
each given technology fits into a basic prevention-
detection-response framework
• Obtaining information about the probable longevity of
any security technology is essential while the
technology is being evaluated
ConclusionConclusionConclusionConclusion
Copyright 2008 High Tower – All Rights Reserved
ConclusioConclusioConclusioConclusio
nnnn
• Understanding the amount of residual risk and
the implications after technology is deployed is
also necessary
• No matter how automated any technology is,
there is still a critical need for humans in the loop
• Ultimately, any security technology is successful
only to the degree that it produces a favorable
cost-benefit ratio– Metrics must be developed and used to determine whether
technology controls are meeting their objectives
Continued
Copyright 2008 High Tower – All Rights Reserved
Questions?Questions?Questions?Questions?
h i g h t o w e r s o f t w a r e
Questions?