“Major Global Information Security Trends – a Summary” Luc de Graeve, SensePost and RedPay
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats Technologies and Solutions A final thought References, Contact details and Questions
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends
SETTING THE SCENE - INTRODUCTION  A summary – an oxymoron Huge environment Complex environment Fast-moving environment Interactions with multiple areas Each area – subject matter of its own A whirlwind 45-minute tour Subset….no time for exhaustive areas Non Technical…….as much as possible.
SETTING THE SCENE - INTRODUCTION Source Background Sell no products Clients all over the world Spend huge amounts of time researching the space Consult to International Private, Public and Government Involvement in Information gathering – CSI to DefCon Provide some references later
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition
SETTING THE SCENE – A PROBLEM CHRONOLOGY Obscurity Phase: predominantly cryptographic culture; time of line, data, voice, PIN crypto. Access Phase: the company network and database effect; time of access control; start of sharing of information across companies. Interconnected Phase: the Internet effect; time of firewalls, AVS, IDS/IPS and many others. Fear and Control Phase: the terrorist and fraudster effect; time of legal and regulatory controls… possibly the beginning of end-to-end security? Wood for the trees: different companies in different phases.
SETTING THE SCENE – A PROBLEM DEFINITION Information Security – present definition  Often hype driven Regularly perception driven Threat event driven Supplier driven Interconnected companies Diffuse responsibilities…………. ……… Many things to many people Today’s summary – cover a number of aspects Keep the definition broad-based
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions
SETTING THE SCENE – STATISTICS Terri Curran – respected security consultant in USA… Analysis of following sources Nov 2003 – June 2004: Multiple Information Security mail-lists Computer Security Institute poll CISSP forum analysis META Group Research on Trends 2003 Yankee Group 2003 Enterprise Security Spending Survey Kenneth Knapp survey – Auburn University (CISSP) Peter Gregory, Computerworld December 2003 Independent Security Practitioner’s Poll 2004 CSI/FBI Computer Crime and Security Survey March 2004 Symantec Internet Security Threat Report… Too many sources to mention
SETTING THE SCENE – STATISTICS CISSP Forum analysis – a summary* ROI & Information Security Metrics SPAM Malware Legislation, Regulation (SOX) Cyberterrorism Perimeter security Product Selection issues Firewall deployment Security Certification Best Practices * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS META Group Research on Trends – a summary* Security strategy Confidentiality Organization/Governance/Budget Identity Threat and Vulnerability Physical Security Content Security Application Security Isolation Strategic Processes * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Top 4  product  areas budgeted for 2004  Antivirus IDS and IPS Firewalls Web Application Security Other items on top 10  product  list: VPN Access Control Storage Security Antispam Authentication Wireless Security * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Top  service  area budgeted for 2004:  Firewalls Four important  service  areas budgeted for 2004: IDS Vulnerability Management User Identity Administration Security Assessments Other  service  areas budgeted for 2004: Strategic Consulting Regulatory Compliance * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Security incidents experienced in 2003: Virus/Worms (83%) Denial of Service attacks (40%) Unauthorised data access (34%) Misconfiguration (32%) Web Site penetration (29%) Theft of customer data (13%) Disclosure of customer data (8%) * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS Kenneth Knapp CISSP survey – a summary* Greatest Security Concerns; Top Management support Patch Management Malware Legal and regulatory issues Internal threats Access control and identity management SDLC support for Information Security Privacy Business Continuity and Disaster Recovery SPAM Firewall and IDS Configurations External Connectivity to other organisations * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS Peter Gregory, Computerworld survey – a summary* Greatest Security Concerns/Hype for 2004; SPAM Internet access filtering Desktop management Personal Firewalls Leaky Metadata Wi-Fi break in Bluetooth Mobile phone hacking Instant Messaging incident Organised Crime Shorter time to exploitation * Collated from Terri Curran  CISSP, CISM, CPP, MICAF  research – Copyright 2004 (June)
SETTING THE SCENE – STATISTICS CSI/FBI June 2004 survey – highlights Decline in reported unauthorised use Decrease in reported dollar loss from security breaches Denial of Service most expensive computer crime Percentage companies reporting incidents declining Economic evaluation of security expenditures: ROI – 55% of companies IRR – 28% of companies NPV – 25% of companies Most companies conduct security audits (>80%) Outsourcing – most companies do not (63%) When done – selective areas (25% …less than 20% of function) Not enough security awareness focus in organisations Sarbanes-Oxley Act beginning to have an impact
SETTING THE SCENE – STATISTICS CSI/FBI June 2004 survey – highlights. Action taken after experiencing computer intrusion: Patched holes (91%); Did not report (48%); Reported to law enforcement (20%); Reported to legal counsel (16%). Prime reasons cited for not going to authorities: Negative publicity – hurt stock/image (51%); Competitors could use to their advantage (35%)
SETTING THE SCENE – STATISTICS? The problem with these statistics: Each survey has different respondent profile Each survey questions posed differently Survey questions have to change from year to year Surveys not quoted entirely in context Purveyors of news Purveyors of information Vendors Recipients of information Access to surveys is often restricted Closed/special user communities Some surveys are only for paid up members Analysing only one (or parts of one) survey can be fatal
SETTING THE SCENE – STATISTICS? How does one obtain value? Have to be actively involved in the industry Globally Multiple clients Multiple industries Constantly evaluate new technologies Do trending from industry knowledge sharing lists Analysis of multiple sources is absolutely essential Correlation study of threats, solutions and environment Share knowledge share knowledge share knowledge...
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment
MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT Increased online availability of information More sophisticated information systems Increased need for communication with others Increased need for sharing information with others Improved transport mechanisms for information Multiple client channels to service providers Multiple partner channels between organisations ERP systems – company information repositories. Increased use of standard computing delivery platforms Ubiquitous  Internet and Web GT - Complexity is the number one enemy of Information Security
MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT Increased business model sophistication Larger, more complex organisations Mix of centralisation and de-centralisation Diffuse and ill defined responsibilities, accountabilities and authorities in organisations Complex, interlinked internal processes Complex relationships with other entities Multitude of legacy, current and futuristic computing platforms in organisations Incomplete understanding of asset and risk classification GT - Complexity is the number one enemy of Information Security
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues … or in layman’s terms “When can I sue?”
MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES A large number of “new” Laws, Regulations and Standards: NERC Cyber Security Standard 1200 (USA); BS7799, ISO17799, FISMA (USA), ISG (USA); ISF, COBIT; King II Report; Health Insurance Portability and Accountability Act (HIPAA); Sarbanes-Oxley (SOX); Gramm-Leach-Bliley Act (GLBA); ECT Act, Commsec Act… and many, many more!... to be tested in the courts!! GT: New legal landscape will force enhanced security!
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats *Note*  Do not be scared – be aware!
MAJOR GLOBAL TRENDS - THREATS HACKERS …..and other (bigger?) beasts. Website defacements: 21 May 2001 – approximately  100  website defacements per day (Attrition.org) 9 January 2003, 15h30 -  177  defacements 2 March 2004, 18h30 -  403  defacements  18 July 2004, 14h30 –  1096  defacements GT: A continued increase in website defacements!
MAJOR GLOBAL TRENDS - THREATS HACKERS …..and other (bigger?) beasts. Website defacements: Just in case you missed out on the whole ordeal last  week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...
MAJOR GLOBAL TRENDS - THREATS MALWARE – Viruses, Worms and Horses Usual Suspects - Code Red Initiation: 19-07-2001 @ 00.00 Completion: 19-07-2001 @ 19.50
MAJOR GLOBAL TRENDS - THREATS MALWARE – Viruses, Worms and Horses Usual Suspects – Sapphire/SQL Initiation: 25-01-2003 @ 05:29 Completion: 25-01-2003 @ 06:00 GT: A continued increase in speed of infections!
MAJOR GLOBAL TRENDS - THREATS Characteristics of attack profile trends  Speed of attack generation increasing Sophistication levels of attacks increasing Time from Vulnerability to Exploit decreasing Coordination levels of attacks increasing From DOS to DDOS to GDOS Attacks utilise ever larger number of combined techniques Definite increase in Application Level Attacks … in addition to simpler Network Level Attacks GT: A continued increase in Attack Sophistication!
MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT - Definition: When an entity pretends to be another entity, without any authorisation, with the aim of gain. “It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw. “Why steal from someone if you can just become that person?” Bruce Schneier. Considered the fastest growing crime globally. Figures ranging between 46% and 58% ACGR. Consists of personal and corporate ID theft. GT: ID theft – the fastest growing crime globally!
MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING Mechanisms and components in online world SPAM – using spoofed e-mails Social Engineering Corporate Website Spoofing SPAM – in excess of 50% of Internet traffic PHISHING Obtaining personal financial information online. Hijacking of trusted brands 419 Scams List making for further SPAM Malware Distribution
MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…
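A defender's first approximation of the question on this slide, as an added example that is not part of the original presentation: it screens observed domain names (for instance from a newly-registered-domain feed or mail gateway logs) against a brand the organisation owns. The brand `examplebank`, the owned domain, the sample list and the substitution table are all constructed assumptions, and the code assumes single-label TLDs; production use would need the Public Suffix List and Unicode confusables handling.

```python
# Added example: flag observed domains that look like a brand but are not owned.
# BRAND, OWNED and OBSERVED are constructed sample values, not real data.

BRAND = "examplebank"
OWNED = {"examplebank.example"}

# Common look-alike substitutions; multi-character pairs are applied first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(label):
    """Fold look-alike characters and hyphens so visually similar labels compare equal."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND, owned=OWNED):
    """Return a reason string if the domain imitates the brand, else None."""
    domain = domain.lower().rstrip(".")
    # Owned domains and their subdomains are never flagged. The leading dot in
    # the suffix check stops "evilexamplebank.example" from passing as owned.
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return None
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    registrable = labels[-2]  # assumption: single-label TLD
    target = skeleton(brand)
    folded = skeleton(registrable)
    if registrable == brand:
        return "same name, different TLD"
    if folded == target:
        return "look-alike characters or separators"
    if edit_distance(folded, target) <= 1:
        return "one-character typo"
    if target in folded:
        return "brand embedded in name"
    if any(skeleton(label) == target for label in labels[:-2]):
        return "brand used as subdomain"
    return None


def scan(domains):
    """Return (domain, reason) pairs for every domain that should be reviewed."""
    hits = []
    for d in domains:
        reason = classify(d)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed sample input.
OBSERVED = [
    "www.examplebank.example",
    "examplebank.test",
    "examp1ebank.test",
    "examplbank.test",
    "examplebank-login.test",
    "examplebank.secure.test",
    "weather.test",
]

if __name__ == "__main__":
    for name, why in scan(OBSERVED):
        print(f"{name:28} {why}")
```

String similarity only covers the "look like" half of the question; names that merely sound like the brand, or that use other scripts, need separate checks.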
MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING GT: Phishing attack trend points to huge ID theft attack increase on the Web!
MAJOR GLOBAL TRENDS - THREATS In Summary: All information points to increase in attack vectors on the Internet. Sophistication and speed of attacks increase The Internet environment is increasingly used by criminal elements. However – this by no means implies that one does not use the environment……which brings us to trends in the Technologies and Solutions space…
TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats Technologies and Solutions
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS What are most companies spending their security efforts on? Anti Virus Systems Firewalls IDS/IPS solutions Patch Management These assist in reducing effects of intrusion attacks and malware attacks Reduces potential financial and reputational loss Improves Quality of Service….but…. Insufficient to combat fraud and reduce criminal element GT: Most companies still focused on Perimeter Security
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS Additionally - what are leading companies spending their security efforts on? Substantial User Awareness Programs Improvement of processes that have security implication Classification of user base and risk profiling Classification of Information Gearing up legal and forensics department Ongoing Security Assessments Multi-layering of security environments Implementing and monitoring Security Baselining standards GT: Leading Companies are starting to look at Information Security using business principles!
MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS Additionally - what are leading companies spending their security efforts on? Multi-factor authentication for selected applications Securing selected Web Applications Incorporating security in the I.T. System development Life Cycle (SDLC) Identity Management for complex environments Analysing end-to-end security for selected applications Clearer understanding of Acceptable Residual Risk GT: Leading Companies are looking after the basics!  GT: Leading Companies are viewing Information Security as an important part of doing business! GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!
MAJOR GLOBAL TRENDS – A FINAL THOUGHT “Information security will continue to be a catch-up game… the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints. One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.” “THE TREND IS YOUR FRIEND!”
SELECTED REFERENCES Curran, Terri. “ Security trends from a practitioner’s perspective.” CSI NetSec04 paper.  Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.” Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey Symantec Internet Security Threat Report, Volume V, Published March 2004 Peltier and Associates. “Mapping Policies to the Enterprise.” David Lynas. “Return on Investment from Information Security.” www.antiphishing.org www.attrition.org www.cio.com www.csoonline.com www.dshield.org www.ftc.gov www.gocsi.com www.metagroup.com  www.redpay.com www.searchsecurity.com www.schneier.com www.sensepost.com www.siia.net www.zone-h.org
Contact Details and Questions Luc de Graeve [email_address] [email_address] +27 (012) 667 4737   QUESTIONS? THANK YOU!
 

Major global information security trends - a summary

  • 1. “ Major Global Information Security Trends – a Summary” Luc de Graeve SensePost and RedPay
  • 2. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats Technologies and Solutions A final thought References, Contact details and Questions
  • 3. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends
  • 4. SETTING THE SCENE - INTRODUCTION A summary – an oxymoron Huge environment Complex environment Fast-moving environment Interactions with multiple areas Each area – subject matter of its own A whirlwind 45-minute tour Subset….no time for exhaustive areas Non Technical…….as much as possible.
  • 5. SETTING THE SCENE - INTRODUCTION Source Background Sell no products Clients all over the world Spend huge amounts of time researching the space Consult to International Private, Public and Government Involvement in Information gathering – CSI to DefCon Provide some references later
  • 6. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition
  • 7. SETTING THE SCENE – A PROBLEM CHRONOLOGY Obscurity Phase Predominantly cryptographic culture Time of Line, data, voice, PIN crypto Access Phase The company network and database effect Time of Access control Start of sharing of information across companies Interconnected Phase The Internet effect Time of Firewalls, AVS, IDS/IPS and many others Fear and control Phase The Terrorist and Fraudster effect Time of Legal and Regulatory controls … ..possibly the beginning of end-to-end security? Wood for the trees Different companies in different phases
  • 8. SETTING THE SCENE – A PROBLEM DEFINITION Information Security – present definition Often hype driven Regularly perception driven Threat event driven Supplier driven Interconnected companies Diffuse responsibilities…………. ……… Many things to many people Today’s summary – cover a number of aspects Keep the definition broad-based
  • 9. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions
  • 10. SETTING THE SCENE – STATISTICS Terri Curran – respected security consultant in USA…Analysis of following sources Nov 2003 – June 2004: Multiple Information Security mail-lists Computer Security Institute poll CISSP forum analysis META Group Research on Trends 2003 Yankee Group 2003 Enterprise Security Spending Survey Kenneth Knapp survey – Auburn University (CISSP) Peter Gregory, Computer World December 2003 Independent Security Practitioner’s Poll 2004 CSI/FBI Computer Crime and Security Survey March 2004 Symantec Internet Security Threat Report … ..Too many sources to mention
  • 11. SETTING THE SCENE – STATISTICS CISSP Forum analysis – a summary* ROI & Information Security Metrics SPAM Malware Legislation, Regulation (SOX) Cyberterrorism Perimeter security Product Selection issues Firewall deployment Security Certification Best Practices * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 12. SETTING THE SCENE – STATISTICS META Group Research on Trends – a summary* Security strategy Confidentiality Organization/Governance/Budget Identity Threat and Vulnerability Physical Security Content Security Application Security Isolation Strategic Processes * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 13. SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Top 4 product areas budgeted for 2004 Antivirus IDS and IPS Firewalls Web Application Security Other items on top 10 product list: VPN Access Control Storage Security Antispam Authentication Wireless Security * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 14. SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Top service area budgeted for 2004: Firewalls Four important service areas budgeted for 2004: IDS Vulnerability Management User Identity Administration Security Assessments Other service areas budgeted for 2004: Strategic Consulting Regulatory Compliance * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 15. SETTING THE SCENE – STATISTICS The Yankee Group 2003 Enterprise Security Spending Survey – a summary* Security incidents experienced in 2003: Virus/Worms (83%) Denial of Service attacks (40%) Unauthorised data access (34%) Misconfiguration (32%) Web Site penetration (29%) Theft of customer data (13%) Disclosure of customer data (8%) * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 16. SETTING THE SCENE – STATISTICS Kenneth Knapp CISSP survey – a summary* Greatest Security Concerns; Top Management support Patch Management Malware Legal and regulatory issues Internal threats Access control and identity management SDLC support for Information Security Privacy Business Continuity and Disaster Recovery SPAM Firewall and IDS Configurations External Connectivity to other organisations * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 17. SETTING THE SCENE – STATISTICS Peter Gregory, Computerworld survey – a summary* Greatest Security Concerns/Hype for 2004; SPAM Internet access filtering Desktop management Personal Firewalls Leaky Metadata Wi-Fi break in Bluetooth Mobile phone hacking Instant Messaging incident Organised Crime Shorter time to exploitation * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 18. SETTING THE SCENE – STATISTICS CSI/FBI June 2004 survey – highlights Decline in reported unauthorised use Decrease in reported dollar loss from security breaches Denial of Service most expensive computer crime Percentage companies reporting incidents declining Economic evaluation of security expenditures: ROI – 55% of companies IRR – 28% of companies NPV – 25% of companies Most companies conduct security audits (>80%) Outsourcing – most companies do not (63%) When done – selective areas (25% …less than 20% of function) Not enough security awareness focus in organisations Sarbanes-Oxley Act beginning to have an impact
  • 19. SETTING THE SCENE – STATISTICS CSI/FBI June 2004 survey – highlights Action taken after experiencing computer intrusion: Patched holes (91%) Did not report (48%) Reported to law enforcement (20%) Reported to legal counsel (16%) Prime reasons cited for not going to authorities: Negative publicity – hurt stock/image (51%) Competitors could use to their advantage (35%)
  • 20. SETTING THE SCENE – STATISTICS? The problem with these statistics: Each survey has different respondent profile Each survey questions posed differently Survey questions have to change from year to year Surveys not quoted entirely in context Purveyors of news Purveyors of information Vendors Recipients of information Access to surveys is often restricted Closed/special user communities Some surveys are only for paid up members Analysing only one (or parts of one) survey can be fatal
  • 21. SETTING THE SCENE – STATISTICS? How does one obtain value? Have to be actively involved in the industry Globally Multiple clients Multiple industries Constantly evaluate new technologies Do trending from industry knowledge sharing lists Analysis of multiple sources is absolutely essential Correlation study of threats, solutions and environment Share knowledge share knowledge share knowledge...
  • 22. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment
  • 23. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT Increased online availability of information More sophisticated information systems Increased need for communication with others Increased need for sharing information with others Improved transport mechanisms for information Multiple client channels to service providers Multiple partner channels between organisations ERP systems – company information repositories. Increased use of standard computing delivery platforms Ubiquitous Internet and Web GT - Complexity is the number one enemy of Information Security
  • 24. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT Increased business model sophistication Larger, more complex organisations Mix of centralisation and de-centralisation Diffuse and ill defined responsibilities, accountabilities and authorities in organisations Complex, interlinked internal processes Complex relationships with other entities Multitude of legacy, current and futuristic computing platforms in organisations Incomplete understanding of asset and risk classification GT - Complexity is the number one enemy of Information Security
  • 25. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues … or in layman’s terms “When can I sue?”
  • 26. MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES A large number of “new” Laws, Regulations and Standards NERC Cyber Security Standard 1200 (USA) BS7799, ISO17799, FISMA (USA), ISG (USA) ISF, COBIT King II Report Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Gramm-Leach-Bliley Act (GLBA) ECT Act, Commsec Act …… and many, many more!.....to be tested in the courts!! GT: New legal landscape will force enhanced security!
  • 27. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats *Note* Do not be scared – be aware!
  • 28. MAJOR GLOBAL TRENDS - THREATS HACKERS …..and other (bigger?) beasts. Website defacements: 21 May 2001 – approximately 100 website defacements per day (Attrition.org) 9 January 2003, 15h30 - 177 defacements 2 March 2004, 18h30 - 403 defacements 18 July 2004, 14h30 – 1096 defacements GT: A continued increase in website defacements!
  • 35. MAJOR GLOBAL TRENDS - THREATS HACKERS …..and other (bigger?) beasts. Website defacements: Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...
  • 37. MAJOR GLOBAL TRENDS - THREATS MALWARE – Viruses, Worms and Horses Usual Suspects - Code Red Initiation: 19-07-2001 @ 00.00 Completion: 19-07-2001 @ 19.50
  • 38. MAJOR GLOBAL TRENDS - THREATS MALWARE – Viruses, Worms and Horses Usual Suspects – Sapphire/SQL Initiation: 25-01-2003 @ 05:29 Completion: 25-01-2003 @ 06:00 GT: A continued increase in speed of infections!
  • 39. MAJOR GLOBAL TRENDS - THREATS Characteristics of attack profile trends Speed of attack generation increasing Sophistication levels of attacks increasing Time from Vulnerability to Exploit decreasing Coordination levels of attacks increasing From DOS to DDOS to GDOS Attacks utilise ever larger number of combined techniques Definite increase in Application Level Attacks … in addition to simpler Network Level Attacks GT: A continued increase in Attack Sophistication!
  • 40. MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT - Definition: When an entity pretends to be another entity, without any authorisation, with the aim of gain. “It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw “Why steal from someone if you can just become that person?” Bruce Schneier Considered the fastest growing crime globally Figures ranging between 46% and 58% ACGR Consists of personal and corporate ID theft. GT: ID theft – the fastest growing crime globally!
  • 41. MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING Mechanisms and components in online world SPAM – using spoofed e-mails Social Engineering Corporate Website Spoofing SPAM – in excess of 50% of Internet traffic PHISHING Obtaining personal financial information online. Hijacking of trusted brands 419 Scams List making for further SPAM Malware Distribution
  • 42. MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…
  • 43. MAJOR GLOBAL TRENDS - THREATS IDENTITY THEFT and PHISHING GT: Phishing attack trend points to huge ID theft attack increase on the Web!
  • 44. MAJOR GLOBAL TRENDS - THREATS In Summary: All information points to increase in attack vectors on the Internet. Sophistication and speed of attacks increase The Internet environment is increasingly used by criminal elements. However – this by no means implies that one does not use the environment……which brings us to trends in the Technologies and Solutions space…
  • 45. TOPICS TO COVER Setting the Scene: Introduction – Major Global trends Information Security – a problem definition Statistics, suitable statistics and perceptions Major Global Trends: The Business Environment Regulatory and Legal Issues Threats Technologies and Solutions
  • 46. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS What are most companies spending their security efforts on? Anti Virus Systems Firewalls IDS/IPS solutions Patch Management These assist in reducing effects of intrusion attacks and malware attacks Reduces potential financial and reputational loss Improves Quality of Service….but…. Insufficient to combat fraud and reduce criminal element GT: Most companies still focused on Perimeter Security
  • 47. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS Additionally - what are leading companies spending their security efforts on? Substantial User Awareness Programs Improvement of processes that have security implication Classification of user base and risk profiling Classification of Information Gearing up legal and forensics department Ongoing Security Assessments Multi-layering of security environments Implementing and monitoring Security Baselining standards GT: Leading Companies are starting to look at Information Security using business principles!
  • 48. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS Additionally - what are leading companies spending their security efforts on? Multi-factor authentication for selected applications Securing selected Web Applications Incorporating security in the I.T. System development Life Cycle (SDLC) Identity Management for complex environments Analysing end-to-end security for selected applications Clearer understanding of Acceptable Residual Risk GT: Leading Companies are looking after the basics! GT: Leading Companies are viewing Information Security as an important part of doing business! GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!
  • 49. MAJOR GLOBAL TRENDS – A FINAL THOUGHT “Information security will continue to be a catch-up game…. the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints. One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.” “THE TREND IS YOUR FRIEND!”
  • 50. SELECTED REFERENCES Curran, Terri. “Security trends from a practitioner’s perspective.” CSI NetSec04 paper. Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.” Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey. Symantec Internet Security Threat Report, Volume V, published March 2004. Peltier and Associates. “Mapping Policies to the Enterprise.” David Lynas. “Return on Investment from Information Security.” Websites: www.antiphishing.org, www.attrition.org, www.cio.com, www.csoonline.com, www.dshield.org, www.ftc.gov, www.gocsi.com, www.metagroup.com, www.redpay.com, www.searchsecurity.com, www.schneier.com, www.sensepost.com, www.siia.net, www.zone-h.org
  • 51. Contact Details and Questions Luc de Graeve [email_address] [email_address] +27 (012) 667 4737 QUESTIONS? THANK YOU!