1st Russian CSO Summit Trends 2008
  • Security predictions and trends

    1. Security Trends and Predictions 2008. Dr Anton Chuvakin, Chief Logging Evangelist, LogLogic, Inc. Mitigating Risk. Automating Compliance. CSO Summit Moscow, March 24-25, 2008
    2. Who is Anton?
       • Chief “Evangelist” @ LogLogic (San Jose, CA)
       • Formerly Chief Security Strategist @ netForensics
       • Book author: “Security Warrior”, “Hacker’s Challenge 3”, “PCI Compliance”, “Know Your Enemy 2”, “ISM”
       • Presentations: SANS, CSI, FBI, USMA, CESG (UK)
       • Involved with security standards: CEE, CVSS, OVAL
       • Security blogger – www.securitywarrior.org
    3. Today’s Outline
       • Where is security now?
       • How did security get to where it is now?
       • What will happen next?
       • How will we deal with it?
    4. Key theme: Compliance and Security. Why do you wear seat belts for fear of a $50 fine, but do not wear them out of fear for your life?
    5. Trends: 1990s
       • Explosive global malware: Blaster, Slammer, ILoveYou
       • Server exploits: IIS is a kind of Swiss cheese
       • Hacking for fun and fame…mostly: system penetrations, DDoS “for fun”
       • Buffer overflows everywhere
       • Purchasing: Incident-driven (or F.U.D.-based)
    6. Trends: Early 2000s
       • Small circulation commercial malware, spyware (but lots of it!)
       • Bots: “industrial revolution” in hacking
       • Web and “Web 2.0” attacks
       • Rapid rise of client-side attacks
       • Hacking for money: Phishing, Spam, DDoS for ransom, etc
       • Purchasing: Incident-driven + regulatory purchasing + some “best practices”
    7. Trends: Late 2000s – Near Future
       • Mobile malware? Cell/mobile phones, PDAs
       • New Technologies: VOIP, “Web 2.0”, etc
       • More application and web application hacking
       • Attackers focus more on data, less on infrastructure
       • Purchasing: Mostly regulatory + “best practices” + some incident-driven
    8. Meet the Defenses of Today
       • Anti-virus / anti-spyware
       • Firewalls and “firewalling” network gear
       • Network intrusion detection (IDS)
       • Network intrusion prevention and UTM
       • Host (mostly server) intrusion prevention
       • Vulnerability scanners
       • Encryption
       • Multi-factor authentication
       • Security awareness
       • System hardening and patch management
    9. A Question!
       • But Do These Really Work?
    10. Attacks vs Defenses?
       • “Security Is Just As Bad as It Can Be, but No Worse!” (Marcus Ranum)
       • Q: So, Do Our Defenses Match the Attacks?
       • A: We Don’t Know!
       • Corollary: neither buyers nor sellers know …
    11. Meet the Defenses of Tomorrow
       • Best prediction: more of the same!
       • More encryption (including bad!) everywhere
       • Secure coding? Code analysis tools?
       • XML firewalls? VOIP defenses?
       • HIPS NG with full behavior blocking
       • Auditing Everything? Logs, Logs, Logs!
       • Mobile anti-malware?
    12. Meet the “Security Laws” of Today (US)
       • Sarbanes–Oxley, GLBA, etc
       • HIPAA, FISMA
       • PCI DSS
       • ISO2700x, ITIL, COBIT, etc
       • Standards: CVSS, CEE, OVAL, etc
       • Trend: control assurance, audit, proof of “due diligence”, documentation, processes, breach disclosure, privacy
    13. Meet the Security Laws of Tomorrow
       • ?
       • Trend: the rise and subsequent fall of the “checkbox security,” more data governance laws
    14. Predictions 2008: Platform security
       • Windows 2008 makes us secure = no
       • Increase in Mac hacking = yes
       • Web application hacking still grows = yes
       • 0-day use becomes ‘normal’ = yes
    15. Predictions 2008
    16. Predictions 2008: Hacking
       • Loss of trust towards Internet sites = yes
       • A massive data theft to dwarf TJX = yes
       • Major utility/SCADA hack = no (not yet)
       • Cyber-terrorism = no (again, not yet!)
    17. Predictions 2008: Malware
       • The year of mobile malware = no
       • More fun bots = yes (bots are “evil IT automation”)
       • Fewer worms and viruses = yes (why write one if you can make money off bots?)
       • Facebook malware/malicious app = yes
    18. Predictions 2008: Compliance and RM
       • PCI DSS continues its march = yes
       • ISO17799, ITIL, COBIT frameworks = maybe
       • Will we know what risk management actually is in IT security = no
    19. Predictions 2008: Security Defenses
       • Full disk encryption becomes popular = no
       • More whitelisting for host and network security = yes (but combined with blacklisting)
       • Secure coding becomes mainstream = no
       • NAC adoption = some
       • Academic security research stays ridiculous = yes
    20. Final Thoughts
       • Security is here not because of “TCP/IP” or Mr Bill G. It is here because of humans :)
       • New technologies -> new attacks -> new defenses: endless cycle
       • Following “checkbox security” of the near future -> protected as much as the next guy -> get 0wned as much as him :)
       • Now go review your incident response plans!
    21. Thank You For Attending!!!
       • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
       • http://www.chuvakin.org
       • Chief Logging Evangelist
       • LogLogic, Inc
       • Author of “Security Warrior” book (O’Reilly 2004) and “PCI Compliance” (2008) – www.securitywarrior.org
       • See www.info-secure.org for my papers, books, reviews and other security resources related to security and logs
    22. Thank You. Q & A. THANK YOU FOR YOUR ATTENTION