"Security lacking in networks controlling critical infrastructure: Hackers, terrorists could find way into controls of nuclear power stations, electrical grids, water lines." By Bob Keefe, West Coast Bureau, Monday, October 02, 2006
The Past
The Present
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Human Agents
- Hackers
- Disgruntled employees
- White collar criminals
- Organized crime
- Terrorists
Exposures
- Information theft, loss & corruption
- Monetary theft & embezzlement
- Critical infrastructure failure
- Hacker adventures, e-graffiti/defacement
- Business disruption
Methods of Attack
- Brute force
- Denial of Service
- Viruses & worms
- Back door taps & misappropriation
- Information Warfare (IW) techniques
Representative Incidents
- Code Red, Nimda, Sircam
- CD Universe extortion, e-Toys Hactivist campaign
- Love Bug, Melissa viruses
- SOBIG, SLAMMER
[Chart: incidents reported to CERT/CC by year, 1988-2002 (source: CERT/cc); y-axis 0 to 100,000 incidents. Plotted values in order: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100.]
"...have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth." (The Manufacturing Institute, July 2006)
2002-2004: almost 100 medium-to-high risk attacks. 2005: only 6. This year: 0.
- Attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems.
- Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, wireless devices) that require interaction, instead of on servers.
- ...nets are the engine driving growth.
- Increase in modular malicious code (initially limited functionality, but updates itself with new, more damaging capabilities).
- Insider threats.
- ...of our wealth, $3 trillion, is transmitted over the Internet daily.
- FBI: cyber crime cost business $26 billion (probably a LOW estimate).
- Financial institutions are generally considered the safest; their losses were up 450% in the last year.
- There are more electronic financial transactions than paper checks now; 1% of cyber crooks are caught.
- ...of every three small businesses in America were affected by the MyDoom virus, 2x the proportion of large companies affected by that virus.
- Small businesses get attacked more often, have fewer defenses, and have smaller margins to protect against loss.
- Small businesses have needs and require a special program.
House Judiciary Committee: passed legislation on Thursday, June 1st, 2006.
House Energy and Commerce Committee: passed legislation on Wednesday, May 31st, 2006.
Senate Judiciary Committee: S.1789 Personal Data and Privacy Act - Pending
- Sponsor: Sen. Arlen Specter (PA)
- Cosponsors: Sen. Patrick Leahy (VT), Sen. Russell D. Feingold (WI), Sen. Dianne Feinstein (CA)
- Confusion for business
- Inaction in the Congress
- Growing problems and costs
"August 2006 was the worst month for data security breaches on record." (SANS Institute, Sept 2006)
...conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types. Apx. 25% of the companies surveyed were found to have followed recognized best practices for cyber security.
- ...attacks
- Reduces the amount of down-time suffered from attacks
- Reduces the amount of money lost from attacks
- Reduces the motivation to comply with extortion threats
- Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
- Endorsed by TechNet for CEO Security Initiative (April 2003)
- Endorsed by US India Business Council (April 2003)
- Practice #1: General Management
- Practice #2: Policy
- Practice #3: Risk Management
- Practice #4: Security Architecture & Design
- Practice #5: User Issues
- Practice #6: System & Network Management
- Practice #7: Authentication & Authorization
- Practice #8: Monitor & Audit
- Practice #9: Physical Security
- Practice #10: Continuity Planning & Disaster Recovery
"...organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized." (Manufacturers Institute, 2006)
- Improved product safety (38%)
- Improved inventory management (14%)
- Increase in timeliness of shipping info (30%)
- ...in supply chain information access (50%)
- Improved product handling (43%)
- Reduction in cargo delays (48% reduction in inspections)
- Reduction in transit time (29%)
- Reduction in problem identification time (30%)
- Higher customer satisfaction (26%)
"...is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan." (PricewaterhouseCoopers, Sept 2006)
- We have a changing technology environment
- We have a changing business model
- We have a constantly changing legal and regulatory environment

- The Legal Perspective
- The Business Perspective
- The Technology Perspective
- The Policy Perspective
- ...Management
- Security Breach Notification
- Privacy
- Insider Threats
- Auditing
- Contractual Relationships (suppliers, partners, sub-contractors, customers)
...by:
- DHS
- Chamber of Commerce
- NAM
- NFIB
- ABA
- Wholesale memberships through trade associations
Sponsors
Larry Clinton, Operations Officer, Internet Security Alliance
lclinton@eia.org
703-907-7028 / 202-236-0001