Security best practices in the larger management picture
Common Public Sector Security Requirements:
Customer/Citizen trust: Safeguard privacy, sensitive data
Continuity of operations: Smooth recovery during crises
Demonstrate preparedness: Ability to spot new dangers
Security management: Is security actually “happening?”
Create/maintain safe IT environment: Resolve vulnerabilities
Comply with applicable regulatory measures: HIPAA, FISMA
Obtain some tangible measure of security benefit to the organization
As applied to end users and their devices:
Perimeters are disappearing: Tablet PCs, laptops, handhelds, etc. must be able to securely operate outside the office defenses
Hardening devices with disparate firewall, antivirus, intrusion prevention, etc. is complex and/or degrades device performance
With mobile assets accompanying individuals in new, joint environments, trust depends on consistent standards
The “undesired” ranks are expanding: Need solutions that encompass relatively recent threats via P2P sharing, adware, spyware, etc. without undue burden
Blurring lines between “securing” IT assets across the board and assuming “management” of these items.
What do we own? Asset management is a significant security impediment in large organizations.
Beyond users’ credentials, how safe is their machine and data?
[Figure: World-Wide Attack Trends, 1996-2003. Left axis: Malicious Code Infection Attempts* (100M-900M); right axis: Network Intrusion Attempts** (25,000-150,000). Milestones marked on the curve: Polymorphic Viruses (Tequila), Mass Mailer Viruses (Love Letter/Melissa), Zombies, Denial of Service (Yahoo!, eBay), Blended Threats (CodeRed, Nimda, Slammer). *Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated. **Source: CERT]
Attack Trend Highlights:
Security Focus: Almost one third of all attacking systems targeted the vulnerability exploited by Blaster and its successors. Other worms that surfaced in previous periods continue to survive and target Firewall and IDS systems globally. A sufficient number of unpatched systems remain to sustain them.
Top ten attacked ports, by percentage of attackers:
Rank  Port        Percentage of Attackers  Description
 1    TCP/135     32.9%   Microsoft / DCE-Remote Procedure Call (Blaster)
 2    TCP/80      19.7%   HTTP / Web
 3    TCP/4662     9.8%   E-donkey / Peer-to-peer file sharing
 4    TCP/6346     8.9%   Gnutella / Peer-to-peer file sharing
 5    TCP/445      6.9%   Microsoft CIFS Filesharing
 6    UDP/53       5.9%   DNS
 7    UDP/137      4.7%   Microsoft CIFS Filesharing
 8    UDP/41170    3.2%   Blubster / Peer-to-peer Filesharing
 9    TCP/7122     2.5%   Unknown
10    UDP/1434     2.4%   Microsoft SQL Server (Slammer)
[Figure: Software Vulnerabilities: average number of new vulnerabilities discovered every week. Source: Bugtraq]
Vulnerability Trend Highlights
Security Focus reports that 70% of the vulnerabilities found in 2003 could be easily exploited, because an exploit was either not required or was readily available. This is a 10% increase over 2002, when only 60% were easily exploitable.
[Figure: Percentage of Easily Exploitable New Vulnerabilities, by month (y-axis: percentage of vulnerabilities)]
Current Vulnerability Management expenditure
[Figure: vulnerability activity over time, with markers T0, T1, T2, T3. Events along the timeline: Vulnerability Discovered; Vulnerability Signature Issued/Safeguard posted; Major Vulnerability Exposure/Outbreak; Vulnerability Safeguard Applied. Regions labelled BEST ROI and TOO LATE; annotations “Spending occurs here” and “Best $$”.]
Vulnerability Management Best ROI t0-t2
[Figure: the same vulnerability-activity timeline (T0-T3; Vulnerability Discovered; Vulnerability Signature Issued/Safeguard posted; Major Vulnerability Exposure/Outbreak; Vulnerability Safeguard Applied; BEST ROI and TOO LATE regions; “Maltrend” curve). Annotation: spending needs to occur pre T2.]
Malicious Code Trend Highlights
Two and a half times as many Win32 viruses and worms were released in 2003 as over the same period in 2002. Over the second half of 2003, more than 1702 new Win32 viruses and worms were documented, a 250% increase over the 687 documented in the second half of 2002.
[Figure: New Win32 Viruses and Worms, number per half-year period: Jan 1, 2001 - Jun 30, 2001; Jul 1, 2001 - Dec 31, 2001; Jan 1, 2002 - Jun 30, 2002; Jul 1, 2002 - Dec 31, 2002; Jan 1, 2003 - Jun 30, 2003; Jul 1, 2003 - Dec 31, 2003]
Malicious Code Trend Highlights
Blended threats make up 54% of the top ten submissions over the past six months.
Blended threats have begun targeting core operating system component vulnerabilities
More widespread than the server software targeted by previous network-based worms
Much higher density of vulnerable systems.
These worms also benefit from two other factors:
The decrease in time between vulnerability disclosure and release of exploit code
The overall increase in exploit code development.
Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61% over first half of 2003.
What do these statistics mean?
Users’ devices are increasingly targeted for attack:
More vulnerabilities in:
Core operating system components
Common desktop applications (e.g. browsers)
Threats growing around instant messaging apps, P2P, etc.
E-mail remains a troubling attack avenue. Example: one out of every 12 messages carried MyDoom in Jan. 2004
With computing power and applications pushed to new locations (border checkpoints, vehicles, etc.), protections need to be in place to prevent widespread compromise
One Mid-Atlantic county’s experience:
New crisis command center forced client system access across fire, police and rescue agencies, plus transportation, FEMA, and others
No consistent security tools/configurations in place, even among same-jurisdiction agencies.
Significant fears of infection, cleanup, re-infection…
Rapid proliferation of computers in multiple locations and vehicles
“Workstations” in police cruisers, command vans, etc.
Many with no OEM security
Need to only permit trusted devices to connect, as security is pushed to all machines
IT staffs under CIO’s office and those supporting first responders had different perspectives on priorities, including security
The need to share data rapidly helped define security challenges
County Deploys Client Firewall with Antivirus:
Client antivirus, firewall and intrusion protection
resource efficient footprint
Easy transparent updates
Blocks numerous attacks by default
Stops outbound activity that is suspect or malicious, containing damage
VPN compliance check permits VPN access only when policies are met (e.g. IDS enabled, AV definitions current, etc.)
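The VPN compliance check above is a posture decision: the client reports the state of its firewall, intrusion protection and antivirus, and the gateway admits it only if every policy item is satisfied. The following is an added illustration of that decision logic, not the county's deployment or any vendor's product code; the field names, the 7-day definition-age limit and the device records are constructed assumptions. It also flags a definition date in the future, which usually means clock skew on the client rather than a genuinely current signature set.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed policy threshold (not from the original presentation).
MAX_DEFINITION_AGE_DAYS = 7


@dataclass
class DevicePosture:
    """State a client reports at VPN connect time (constructed field set)."""
    hostname: str
    firewall_enabled: bool
    ids_enabled: bool
    av_running: bool
    av_definitions_date: date  # date of the installed signature set


def evaluate_posture(p: DevicePosture, today: date) -> list[str]:
    """Return every policy violation found; an empty list means compliant."""
    violations: list[str] = []
    if not p.firewall_enabled:
        violations.append("client firewall disabled")
    if not p.ids_enabled:
        violations.append("intrusion protection disabled")
    if not p.av_running:
        violations.append("antivirus not running")

    age = (today - p.av_definitions_date).days
    if age < 0:
        # A signature set dated in the future cannot be trusted as current.
        violations.append("antivirus definition date is in the future (clock skew?)")
    elif age > MAX_DEFINITION_AGE_DAYS:
        violations.append(
            f"antivirus definitions {age} days old (max {MAX_DEFINITION_AGE_DAYS})"
        )
    return violations


def vpn_admission(p: DevicePosture, today: date) -> tuple[bool, str]:
    """Admit the device only when no violation remains; the reason is logged either way."""
    violations = evaluate_posture(p, today)
    if violations:
        return False, f"{p.hostname}: VPN denied: " + "; ".join(violations)
    return True, f"{p.hostname}: VPN permitted"


# Constructed sample devices and evaluation date.
TODAY = date(2004, 1, 15)
COMPLIANT = DevicePosture("cruiser-12", True, True, True, date(2004, 1, 12))
STALE_DEFS = DevicePosture("cmdvan-3", True, True, True, date(2003, 12, 20))
NO_IDS = DevicePosture("desk-07", True, False, True, date(2004, 1, 14))
SKEWED = DevicePosture("laptop-2", True, True, True, date(2004, 2, 1))

if __name__ == "__main__":
    for device in (COMPLIANT, STALE_DEFS, NO_IDS, SKEWED):
        admitted, reason = vpn_admission(device, TODAY)
        print(reason)
```

Every violation is collected rather than stopping at the first one, so the help desk sees the whole list in a single denial message instead of the user returning once per fix.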
Place Users & Devices Within Core Security Functions
[Diagram: the four core security functions Alert, Protect, Manage, Respond, with Proactive Control spanning them]
Early awareness of threats
Prevent unwanted attacks
Detect physical breaches
Security of information assets
Policies and Vulnerabilities
Events and incidents
Alert: Spotting the ‘Blaster’ worm early
[Figure: IP addresses infected with the Blaster worm over time, with the notification dates marked]
Notifications:
7/16 - initial alerts on the RPC DCOM attack
7/23 - warnings of suspected exploit code in the wild. Advises to expedite patching.
7/25 - exploit code confirmed in the wild. Clear text IDS signatures released.
8/5 - warnings of impending worm.
8/7 - activity is being seen in the wild.
8/11 - Blaster worm breaks out.
Protect – multi-tier, multi-layer, integrated
[Diagram: Client, Gateway and Server tiers, each receiving its own “… and Content Update”]
Combine technology with proactive and reactive intelligence….
Anticipate new threats
Develop and practice emergency response teams
Respond to security outbreaks with intelligence and fix tools from your security partner, and minimize damage:
Repair costs to bring systems back online
Damage to reputation/brand
Collect and log security events from all sources of input
Correlate (real-time and statistical), analyze, identify and report incidents
Execute a continuous vulnerability assessment
Ensure policy compliance
Recommend action and track workflow
Present a real-time dashboard
Link to other management systems
Apply automated remediation
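The Manage function described in the list above collects events from every source, correlates them in real time and statistically, and turns the result into reported incidents. The following is an added example of that pipeline on a small scale, written for this page rather than taken from the presentation or from any product: the log format, host names, addresses, signature text, 5-minute window and scan threshold are all constructed assumptions. The real-time rule it implements is the one the Blaster period made familiar: an inbound exploit alert on a host followed by a burst of outbound connection attempts to the same port is treated as a probable infection, while an antivirus quarantine is reported as an incident on its own.

```python
from __future__ import annotations

import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three client-side sources on three hosts:
# src=fw (client firewall), src=ids (intrusion protection), src=av (antivirus).
SAMPLE_LOG = """\
2004-01-15T10:01:50 host=cruiser-12 src=ids action=alert sig="MS RPC DCOM overflow attempt" from=10.1.4.9
2004-01-15T10:02:11 host=cruiser-12 src=fw action=block dir=out proto=tcp dport=135 dst=10.1.4.22
2004-01-15T10:02:12 host=cruiser-12 src=fw action=block dir=out proto=tcp dport=135 dst=10.1.4.23
2004-01-15T10:02:13 host=cruiser-12 src=fw action=block dir=out proto=tcp dport=135 dst=10.1.4.24
2004-01-15T10:03:00 host=cmdvan-3 src=av action=quarantine threat=W32.Blaster.Worm
2004-01-15T10:05:40 host=desk-07 src=fw action=block dir=out proto=tcp dport=135 dst=10.1.9.5
2004-01-15T11:30:00 host=desk-07 src=ids action=alert sig="MS RPC DCOM overflow attempt" from=10.1.9.2
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window
SCAN_THRESHOLD = 3             # assumed: outbound blocks to one port that count as scanning


def parse_line(line: str) -> dict:
    """Normalize one 'timestamp key=value ...' line; shlex keeps quoted values whole."""
    ts, *fields = shlex.split(line)
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def collect(text: str) -> list[dict]:
    """Collect events from all sources and order them by time."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def summarize(events: list[dict]) -> dict[str, int]:
    """Statistical view: number of events seen per host."""
    return dict(Counter(e["host"] for e in events))


def correlate(events: list[dict]) -> list[dict]:
    """Rule-based correlation that turns raw events into incident records."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    incidents: list[dict] = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            # Rule 1: an antivirus quarantine is an incident by itself.
            if e.get("src") == "av" and e.get("action") == "quarantine":
                incidents.append({"ts": e["ts"], "host": host, "severity": "medium",
                                  "summary": f"malware quarantined: {e.get('threat', 'unknown')}"})
            # Rule 2: IDS alert followed within WINDOW by repeated outbound blocks
            # to one port: the host is probably infected and scanning for peers.
            if e.get("src") == "ids" and e.get("action") == "alert":
                later = [b for b in evs[i + 1:]
                         if b.get("src") == "fw" and b.get("dir") == "out"
                         and b["ts"] - e["ts"] <= WINDOW]
                for port, n in Counter(b.get("dport") for b in later).items():
                    if n >= SCAN_THRESHOLD:
                        incidents.append({"ts": e["ts"], "host": host, "severity": "high",
                                          "summary": f"IDS alert '{e.get('sig')}' followed by {n} "
                                                     f"blocked outbound connections to port {port}"})
    return sorted(incidents, key=lambda inc: inc["ts"])


def report(incidents: list[dict]) -> list[str]:
    """One dashboard line per incident."""
    return [f"{inc['ts'].isoformat()} {inc['severity'].upper():6} {inc['host']}: {inc['summary']}"
            for inc in incidents]


if __name__ == "__main__":
    evs = collect(SAMPLE_LOG)
    print("events per host:", summarize(evs))
    for line in report(correlate(evs)):
        print(line)
```

Note that desk-07 produces no incident: its single outbound block happens before its IDS alert, so the order of events, not just their presence, decides the outcome. That ordering is exactly what the "collect from all sources, then correlate" step supplies and what a per-product console cannot.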
The Reality of Converging Management Requirements: Central
Assure security policy compliance
Receive early awareness of threats
Prevent & detect attacks & breaches
Protect privacy of information
Rapidly & easily recover from loss of critical systems & information
Ensure via policies that adequate storage is available for applications & backup
Create secure archives for preserving information assets
Discover & track HW/SW assets
Provision, update & configure systems via automated policies
Instantly push security patches & signatures to all managed devices