
Larry Clinton, Deputy Executive Director, Internet Security Alliance
lclinton@isalliance.org, 703-907-7028

The Past

The Present

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Growth in Incidents Reported to the CERT/CC
(Chart: incidents per year, 1988 through 2002; y-axis 0 to 120,000. Data labels in chart order: 6; 132; 252; 406; 773; 1,334; 2,340; 2,412; 2,573; 2,134; 3,734; 9,859; 21,756; 55,100; 110,000.)

The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC
(Chart: vulnerabilities per year, 1995 through 2002; y-axis 0 to 4,500. Data labels: 171 (1995); 345; 311; 262; 417; 1,090; 2,437; 4,129 (2002).)

Machines Infected per Hour at Peak
(Chart comparing Code Red, Nimda, Goner and Slammer; y-axis 0 to 100,000 machines per hour.)

Computer Virus Costs (in billions)
(Chart: y-axis $0 to $150 billion; x-axis '96 through '03, the '03 figure through Oct 7; series: Range, Damage.)

The Threats / The Risks

Human Agents: Hackers; Disgruntled employees; White collar criminals; Organized crime; Terrorists

Exposures: Information theft, loss & corruption; Monetary theft & embezzlement; Critical infrastructure failure; Hacker adventures, e-graffiti/defacement; Business disruption

Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys hacktivist campaign; Love Bug, Melissa viruses

Methods of Attack: Brute force; Denial of Service; Viruses & worms; Back door taps & misappropriation; Information Warfare (IW) techniques

Attack Sophistication v. Intruder Technical Knowledge
(Chart, 1980 through 2000: the Intruder Knowledge axis runs from High to Low while Attack Sophistication rises over the same period; series labelled Tools and Attackers. Techniques plotted: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; burglaries; hijacking sessions; sweepers; sniffers; packet spoofing; network mgmt. diagnostics; GUI; automated probes/scans; denial of service; www attacks; DDOS attacks; stealth / advanced scanning techniques.)

Putnam Legislation
Risk assessment
Risk mitigation
Incident response program
Tested continuity plan
Updated patch management program

Putnam has said it won't work.

Public Policy
Policy must address the Internet as a new technology:
No one owns the Internet
It is constantly evolving
International operation makes regulation difficult
Mandates will truncate innovation and the economy

Corporate Information Security Working Group

INCENTIVE PRINCIPLES
Positive incentives will be more effective:
- leverage industry innovation
- apply globally
- respond to tech change
- get executive buy-in
- deal with industry across sectors

Corporate Information Security Working Group

REGULATION IN CYBER SPACE MAY BE INEFFECTIVE & COUNTERPRODUCTIVE
International regulation difficult
Constant technology change
Politics lead to compromise, not to the maximum
Notice and comment insecure
Regulation could blunt technology

Corporate Information Security Working Group

INCENTIVE RECOMMENDATIONS
Common measurement tools / seals of approval / vendor certification
Use insurance discounts
Market entry incentives
Safe harbor / tort reform to incent best practices
Tax incentives

A Risk Management Approach is Needed

"Installing a network security device is not a substitute for a constant focus on keeping our defenses up to date. There is no special technology that can make an enterprise completely secure."
National Plan to Secure Cyberspace, 2/14/03

ISAlliance Program
Information sharing and ANALYSIS
Best practices development
Education, training and assessment
Market incentives (QUALIFIED MEMBERS)

Sponsors

Larry Clinton, Deputy Executive Director, Internet Security Alliance
lclinton@isalliance.org, 703-907-7028
