1st Russian CSO Summit Trends 2008
Published in: Technology

  • Security predictions and trends
  • Transcript

    • 1. Security Trends and Predictions 2008 Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc Mitigating Risk. Automating Compliance. CSO Summit Moscow, March 24-25, 2008
    • 2. Who is Anton?
      • Chief “Evangelist” @ LogLogic (San Jose, CA)
      • Formerly Chief Security Strategist @ netForensics
      • Book author : “Security Warrior”, “Hacker’s Challenge 3”, “PCI Compliance”, “Know Your Enemy 2”, “ISM”
      • Presentations: SANS, CSI, FBI, USMA, CESG (UK)
      • Involved with security standards: CEE, CVSS, OVAL
      • Security blogger – www.securitywarrior.org
    • 3. Today’s Outline
      • Where is security now?
      • How security got to where it is now?
      • What will happen next?
      • How will we deal with it?
    • 4. Key theme: Compliance and Security Why do you wear seat belts for fear of $50 fine, but do not wear them out of fear for your life?
    • 5. Trends: 1990s
      • Explosive global malware : Blaster, Slammer, ILoveYou
      • Server exploits : IIS is a kind of Swiss cheese
      • Hacking for fun and fame…mostly : system penetrations, DDoS “for fun”
      • Buffer overflows everywhere
      • Purchasing : Incident-driven (or F.U.D.-based)
    • 6. Trends: Early 2000s
      • Small circulation commercial malware, spyware (but lots of it!)
      • Bots: “industrial revolution” in hacking
      • Web and “Web 2.0” attacks
      • Rapid rise of client-side attacks
      • Hacking for money : Phishing, Spam, DDoS for ransom, etc
      • Purchasing : Incident-driven + regulatory purchasing + some “best practices”
    • 7. Trends: Late 2000s – Near Future
      • Mobile malware? Cell/mobile phones, PDAs
      • New Technologies: VOIP, “Web 2.0”, etc
      • More application and web application hacking
      • Attackers focus more on data, less on infrastructure
      • Purchasing: Mostly regulatory + “best practices” + some incident-driven
    • 8. Meet the Defenses of Today
      • Anti-virus / anti-spyware
      • Firewalls and “firewalling” network gear
      • Network intrusion detection (IDS)
      • Network intrusion prevention and UTM
      • Host (mostly server) intrusion prevention
      • Vulnerability scanners
      • Encryption
      • Multi-factor authentication
      • Security awareness
      • System hardening and patch management
    • 9. A Question!
      • But Do These Really Work?
    • 10. Attacks vs Defenses?
      • “Security Is Just As Bad as It Can Be, but No Worse!” (Marcus Ranum)
      • Q: So, Do Our Defenses Match the Attacks?
      • A: We Don’t Know!
      • Corollary: neither buyers nor sellers know …
    • 11. Meet the Defenses of Tomorrow
      • Best prediction: more of the same!
      • More encryption (including bad!) everywhere
      • Secure coding? Code analysis tools?
      • XML firewalls? VOIP defenses?
      • HIPS NG with full behavior blocking
      • Auditing Everything? Logs, Logs, Logs!
      • Mobile anti-malware?
    • 12. Meet the “Security Laws” of Today (US)
      • Sarbanes – Oxley, GLBA, etc
      • HIPAA, FISMA
      • PCI DSS
      • ISO2700x, ITIL, COBIT, etc
      • Standards: CVSS, CEE, OVAL, etc
      • Trend: control assurance, audit, proof of “due diligence”, documentation, processes, breach disclosure, privacy
    • 13. Meet the Security Laws of Tomorrow
      • ?
      • Trend: the rise and subsequent fall of the “checkbox security,” more data governance laws
    • 14. Predictions 2008: Platform security
      • Windows 2008 makes us secure = no.
      • Increase in Mac hacking = yes.
      • Web application hacking still grows = yes
      • 0days use becomes ‘normal’ = yes
    • 15.
      • Predictions 2008
    • 16. Predictions 2008: Hacking
      • Loss of trust towards Internet sites = yes
      • A massive data theft to dwarf TJX = yes
      • Major utility/SCADA hack = no (not yet)
      • Cyber-terrorism = no (again, not yet!)
    • 17. Predictions 2008: Malware
      • The year of mobile malware = no
      • More fun bots = yes (bots are “evil IT automation”)
      • Fewer worms and viruses = yes (why write one if you can make money off bots?)
      • Facebook malware/malicious app = yes.
    • 18. Predictions 2008: Compliance and RM
      • PCI DSS continues its march = yes.
      • ISO17799, ITIL, COBIT frameworks = maybe
      • Will we know what risk management actually is in IT security = no.
    • 19. Predictions 2008: Security Defenses
      • Full disk encryption becomes popular = no.
      • More whitelisting for host and network security = yes (but combined with blacklisting)
      • Secure coding becomes mainstream = no
      • NAC adoption = some
      • Academic security research stays ridiculous = yes
    • 20. Final Thoughts
      • Security is here not because of “TCP/IP” or Mr Bill G. It is here because of humans 
      • New technologies -> new attacks -> new defenses: endless cycle
      • Following “checkbox security” of the near future -> protected as much as the next guy -> get 0wned as much as him
      • Now go review your incident response plans!
    • 21. Thank You For Attending!!!
      • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
      • http://www.chuvakin.org
      • Chief Logging Evangelist
      • LogLogic, Inc
      • Author of “Security Warrior” book (O’Reilly 2004) and “PCI Compliance” (2008) – www.securitywarrior.org
      • See www.info-secure.org for my papers, books, reviews and other security resources related to security and logs
    • 22. Thank You Q & A THANK YOU FOR YOUR ATTENTION