The Future of Security

Presented by David Smith for InnoTech Oregon 2011

Published in: Technology, News & Politics
  1. 4/27/2011 The Future of Security
     David Smith, CEO, HBMG Inc. – dsmith@HBMGINC.com – linkedin.com/in/davidsmithaustin

     Why is Security Hard?
     • No system can be 100% secure – reality is risk mitigation, not risk avoidance
     • Difficult to prove good security – bad security gets proven for us!
     • Good security and no security can look the same – how does one know how secure they are?
     • Many things to secure – people, equipment, OS, network, application servers, applications, phones, and databases
  2. Balancing the Business: Usability, Security, Performance
  3. Challenges in the 21st Century
     • Information Explosion
     • Safety & Security
     • Knowledge Economy
     • Accelerating Change
     • Globalization
     • International Partnerships
     • Complex Technologies
     • Finite Resources
     • Diverse Workforce
     • Sustainable Development
     • Life-Long Learning
     • Citizen Engagement
     Copyright, 2008 © HBMG, Inc.
  4. The Growth of Complexity
     [Chart: systems plotted by technical complexity (lower to higher) against management complexity (lower to higher). Systems placed on the chart: business spreadsheet, small scientific simulation, commercial compiler, embedded automotive application, telecom switch, large-scale simulation, enterprise information systems, DOD management information system, DOD weapon system, National Air Traffic Control System. HBMG Inc. Copyright 2009]

     Mega Trends to Consider…
     • Digitization of all content (listening = getting!)
     • Distribution is the default (just having a network won't be enough)
     • Virtualization (location matters less and less)
     • Niche-ization of content & lifestyles
     • Mass-personalization of media will become standard
     • Democratization of creation & peer production
     • Amateurization of the entire value chain (but NOT to the detriment of experts)
     • "Godzilla-zation" of users/consumers
     Copyright, 2008 © HBMG, Inc.
  5. Major Trends for Software Process
     • System of systems is becoming more complex
     • Increasing software criticality and need for dependability
     • Increasing emphasis on end users – both inside and outside the enterprise
     • Decreasing value of IT
     • Geography doesn't matter
     • The fabric of software and computing is evolving
     • Continuous integration – continuous delivery – group mind
     • Increasing software autonomy
     • Combination of biology and computing
     Copyright, 2009 © HBMG, Inc.

     The Limits of Technology (fundamental and human)
     • The laws of physics
     • The laws of software
     • The challenge of algorithms
     • The difficulty of distribution
     • The problems of design
     • The importance of organization
     • The impact of economics
     • The influence of politics
     • The limits of human imagination
     HBMG Inc. Copyright 2009
  6. Vertical Convergence with an Industry
     [Chart: five industry columns and their players. Technology: computers & peripherals, semiconductors, internet apps, software, internet devices. Telecom: communication equipment; service providers (telephone / voice & data, mobile wireless / voice & data). Network: networking / IP networking; service providers (internet service providers, broadband). Content: media & new media, advertising, printing, publishing and newspapers. Entertainment: broadcasting, film, music, gaming, sports. Delivery paths shown along the bottom: satellite, broadcast, cable. Copyright, 2008 © HBMG, Inc.]

     Horizontally Across Different Industry Sectors
     [Chart: the same five columns (Technology, Telecom, Network, Content, Entertainment) cut across by horizontal layers: Design, Content, Manufacturing, Infrastructure, Services, Software, Devices, Distribution. Copyright, 2008 © HBMG, Inc.]
  7. Convergence Reduces Costs and Risks
     • Security Information & Events
     • Comprehensive Security & Compliance
     • Identity & Access Privileges
  8. Change, Uncertainty, and Complexity
     • Economic & Financial
     • Virtual Worlds
     • Technology Acceleration
     • Cyber Warfare
     • Russia – China
     • Intangible Capital
     • K-12 Science & Math Crisis
     • Pandemic
     • Terrorism
     • Global Talent Explosion
     • Offshore Competition
     • English as 2nd
     • 3 Billion New Capitalists
     • Demographics
     • Economic Unions
     • Flat Wages
     • Regional Economic Dislocation
     • End of Moore's Law
     • New Economic Superpowers in 2050?
  9. Innovation is Accelerating – The "Fat Pipe"
  10. Growth of Broadband Users
     [Chart: millions of users (0–4,000) by year, 1990–2020; series: Cellular Subscribers, World Broadband Users, Internet Users. Historical data source: ITU. Source: Technology Futures, Inc. Copyright, 2008 © HBMG, Inc.]

     Regional Forecasts – Broadband
     [Two charts, 1995–2025, for the regions Korea, AP, Europe, NA, SA and MA, with World Broadband 2005 and World Broadband 2006 reference lines: the first shows millions of broadband subscribers (0–500), the second shows broadband penetration as a percentage of households (0–100%). Historical data source: ITU. Source: Technology Futures, Inc.]
  11. Fixed Mobile Convergence
     The latest buzzword in the collaborative industry is fixed mobile convergence (FMC), the integration of wireline and wireless technologies to provide users with a seamless communication environment.
  12. Wireless Broadband Changes Everything…
     Habits and behaviors sometimes change quickly: once you have had a great (and affordable) experience with a new technology, you usually don't want to miss it anymore. See: Blackberry, iPod, Skype, in-flight Wi-Fi, HD radio…
     • Wireless enables two-way, personalized media (as opposed to mass media)
     • Mobile content access will dwarf desktop-based access 10:1
     • In wireless broadband, interaction takes on a whole new meaning:
       – "Sharing" will become a default standard
       – Multimedia communications will abound (messages, video, photo, sound)
       – Games become all-pervasive (posing other problems)
       – Shared content creation is now "on the fly" (contributing, remixing, mashing, etc.)
       – Location-based CONTENT services will explode
     • Receivers become senders too
     Copyright, 2008 © HBMG, Inc.

     "Mobile phones are more than a billion smart computers we can't ignore that may create a software spiral like that of PC over the next 10 years." —Paul Otellini, CEO, Intel
     "We really believe we are on the cusp of a whole new era of mobile computing." —Steve Ballmer, CEO, Microsoft
     Copyright, 2008 © HBMG, Inc.
  13. Top Ten Attacks
     • Trusted website attacks
     • Effectiveness in botnets
     • Data loss – phishing
     • Mobile phone threats (iPhones)
     • Insider attacks
     • Identity theft
     • Malicious spyware
     • Web application security exploits
     • VoIP event phishing
     • Supply chain attacks

     Pillars of Information Protection
     • Secure Systems
     • Network Security
     • Physical Security
     • Information Management
  14. Threats and Vulnerabilities
     – What's at Stake
       • Critical Infrastructures
       • Key Resources
       • New Resources
     – The Case for Action
       • Cyber Threats
       • Insider Threats
       • External Threats
       • Cyber Terrorism
       • Physical Attacks
     [Chart: Security Incident Trend, 1995–2003 (CERT/CC)]

     What kind of threats are there?
     External threats:
     – Malware
     – Rootkits
     – Adware
     – Spam
     – Phishing
     – "Ransomware"
     Internal threats:
     – User response to unsolicited email or instant messages
     – May have a network that is difficult to maintain
     – "The Enemy Within"
     – The code for malware isn't particularly difficult to find and launch.
  15. Threat Numbers – Malware
     5500 new malicious software threats per month

     Attack Trends – Data Breaches
     Information on data breaches that could lead to identity theft. The Education sector accounted for the majority of data breaches with 30%, followed by Government (26%) and Healthcare (15%). Almost half of breaches (46%) were due to theft or loss, with hacking accounting for only 16%. Hacking, however, resulted in 73% of identities being exposed.
  16. IT Trends
     [Chart: computing eras by decade, 1960–2020: Punch Card, Mainframe/Midrange, Client Server, Network, WEB, Internet Appliances, Grid, Virtualization, Cloud, Ubiquitous. HBMG Inc. Copyright 2009]

     Top 10 Programming Languages
  17. Programming Trends
     [Chart: Programming Community Index for August 2010. Source: Tiobe Software, Aug. 2010]
  18. Entry Points – Email – Social Engineering
     • Security patch
     • Famous person photo
     • Anti-virus program
     • MP3, video
     • Computer game
     • "Cracked" software
     • Serial numbers file
     • Electronic postcard
     [Diagram of networked consumer devices: Satellite Radio Receivers, Wireless TV Monitors, Wireless Cameras, PDAs, Digital Cameras, Digital Video Adapters, Digital Music Adapters, Smart Phones, Game Consoles, Desktop PCs, Smart Displays, Networked Storage Centers, Laptop PCs, Networked DVD Players, Wireless Gaming Adapters, Mobile Gaming Devices, "Fourth Generation" Receivers, Movies-on-Demand Set-top Boxes, 802.11 Speakers, Digital Media Receivers, Personal Video Recorders, MP3 Players. Copyright, 2008 © HBMG, Inc.]
  19. Ubiquitous Computing
     [Chart: complexity of computing generations over time, 1960–2025: Punch Card Computing, Mainframe/Midrange Computing, Client/Server Computing, Internet/Network Computing, Peer-to-Peer, Mobile, Ubiquitous Computing; organizational stages along the bottom: Department, Process Centered, Intra-Enterprises, Extra-Enterprises, Personal, Anytime-Anywhere. Copyright, 2008 © HBMG, Inc.]

     INFOSEC Research Council's "Hard Problems" List
     1. Global-Scale Identity – Identification required to produce an infrastructure capable of and reliable for commercial and national security purposes
     2. Insider Threat – All security technologies and approaches rely practically on modeled behavior of external bad actors. This runs contrary to a majority of the security data, which shows damage caused by insiders to be orders of magnitude more frequent and costly
     3. Availability of Time-Critical Systems – Implementing effective security for systems where timeliness, performance and availability are higher-priority services than security (i.e. control systems)
     4. Scalable Secure Systems – The development of large-scale secure systems where individual components or dependencies may be flawed or compromised
     5. Situational Understanding and Attack Attribution – Determining the current state of security for large-scale and complex systems and being able to conduct assessments and provide attribution for security incidents
     6. Information Provenance – Developing systems and methods to determine and manage the integrity of information and information systems
     7. Security with Privacy – Designing methods and processes to improve security while preserving or enhancing privacy through granularity of activities and systems improvements
     8. Enterprise-Level Security Metrics – Scalable methods to determine or represent security or risk are needed in order to optimize resource allocation and decision making.
  20. Security is a System: Product, Configuration, Implementation, Policy and Process

     SOA Reference Architecture
     [Diagram, layered top to bottom. Users / Channels: Browsers, Voice User Interface, PC, PDA, Cell Phone, iPhone, IVR. User Access Points: Portals / Websites; Web Applications (ASP, JSP, HTML, CSS, Voice/XML). Interactions: Orchestrated Web Services, Business Process. Service Management: Service Discovery, Service Transformations, Messaging. "Enterprise Service Bus": Mediation, Routing, Logging, Auditing. "Service Registry": Identity, Policy Enforcement, Authentication, Single Sign-On. Web Services: Atomic, Composite, Federated, Business Logic/Rules, Data Access. Platform: Mainframe, UNIX, Windows, .NET, Java J2EE, COBOL CICS, System Administration. Network: Firewalls, Routers, XML Accelerators, Proxy Servers, TCP/IP, Network Administration. Cross-cutting columns: Policy, Process, Monitoring, Reporting, Usage Tracking; Security, Operations, & Governance.]
  21. Growth at the Edge of the Network
     [Chart: global petabytes/day (0–4,000) by year, 2003–2012, split into Traditional Computation, Converged Content, and edge sources: Mobile, Device to Device, Sensors, Entertainment, Smart Home, Distributed Industrial, Autos/Trucks, Smart Toys. Copyright, 2008 © HBMG, Inc.]

     Cloud Computing – a Disruptive New Paradigm
     "Clouds will transform the information technology (IT) industry… profoundly change the way people work and companies operate."
     A "cloud" is an IT service delivered to users that provides:
     • Simple user interface that automatically provisions IT resources
     • Capacity on demand with massive scalability
     • New application service delivery models
     • Platform for next generation data centers
     • Development in the cloud, for the cloud
     [Timeline, 1990 to 2015: Grid Computing, Utility Computing, Software as a Service, Cloud Computing]
  22. A Riskier World?
     Risk Management – A Changing Framework
     [Chart: from the 1970s (traditional asset protection; value of tangible assets) to 2000+ (knowledge-based economy; value of intangible assets: Knowledge, Reputation, Image Management).]

     12 Components of an Effective Information Security Program
     – Risk Management
     – Policy Management
     – Organizing Information Security
     – Asset Protection
     – Human Resource Security
     – Physical and Environmental Security
     – Communication and Operations Management
     – Access Control
     – Information Systems Acquisition, Development and Maintenance
     – Incident Management
     – Disaster Recovery Management
     – Compliance
  23. Hierarchy of Needs
     [Figure. Copyright, 2008 © HBMG, Inc.]
  24. Social Media
     [Figure. Copyright, 2008 © HBMG, Inc.]
     Collaboration Technologies
     [Figure. Copyright, 2008 © HBMG, Inc.]
  25. Evolving – Self Forming
     [Chart: technologies arranged by speed of connectivity, informational against social. Terms on the chart: A.I., Deep Search, Intelligent Agents, Intelligent Marketplaces, Virtual Worlds, Group Minds, Weak Signals, Inference Engines, Knowledge Networks, Enterprise XML, Semantic Web, Self Formation, Knowledge Metaweb, Massive Multiplayer Games, Digital World, Ontologies, Knowledge Management, Knowledge Bases, Life Logs, Life Casting, Market Places, Emergent Groups, Taxonomics, Enterprise Portals, Wikis, Search Engines, Mobile Technologies, WeBlogs, Content Portals, Websites, SOCIAL MEDIA, Social Web, Groupware, Auctions, People Networks, Information Networks, Email, PIMs, Databases, Computer Conferencing, Community Portals, Conference Calls, P2P File Sharing, Phone Calls, File Servers, IM, Reed's. Copyright, 2008 © HBMG, Inc.]

     Along for the Ride – Security Element Is in the Infrastructure
     The current and future working environment is one without perimeters or boundaries, so collaboration tools are a necessity. In the future collaborative environment, users will no longer have the "living in the inbox" mentality, and will rely less on standard tools like e-mail and more on other collaborative tools and technology as a part of daily operations. The security element for such tools will be managed at the infrastructure level, using existing and new enterprise and network tools. The demand for security – managing identities, data protection, secure networks, and transactions and resiliency – will be handled by the infrastructure itself.
     [Diagram: layers – Data, Application, Host, Internal Network, Perimeter, Physical Security, Policies, Procedures, & Awareness.]
  26. Disruptors can be:
     • Technology
     • Regulatory
     • Economic
     • Civil
     • Natural Disasters
     • …

     Risk
     "Risk is inherent in life. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete security is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated risk. The results of such an analysis could include pragmatic decisions as to whether achieving risk avoidance at such cost was reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is risk management." – Julie H. Ryan, Booz-Allen & Hamilton
  27. Risk Model Example – 'PEST' Model
     [Chart: risks arranged on Technical / Economic / People / Social axes: IT/Systems Breakdown, Industrial Accidents, Contamination, Government Crisis, Utilities Failure, On-site Product Tampering, Sabotage, Malicious Acts, Terrorism, Organisational Failure, Labour Strikes, Off-site Product Tampering.]
  28. Elements of the Web of Trust
     All solutions to identity management must provide a solution for each of these seven elements.
     [Figure: the seven elements.]

     Risk Management and Needed Security
     [Chart: impact to business (low to high, vertical axis) against probability of exploit (low to high, horizontal axis). The upper region is Unacceptable Risk, the lower region Acceptable Risk. Business defines impact; security engineering defines probability; risk management drives risk to an acceptable level.]
  29. Risk Formula – Threat Modeling & Risk Forecasting
     • Threat agent: any person or thing that can do harm
     • Threat: anything that could harm an asset
     • Vulnerability: a deficiency that leaves an asset open to harm
     • Asset: anything with value – what we want to protect
     • Exposure: harm caused when a threat becomes real
     • Countermeasure: any protective measure we take to safeguard an asset. This is measured by reducing the probability of successful exploitation.
     Risk is a statement of probability. It is the probability that a given threat will exploit a given vulnerability and cause harm.
     [Diagram: threat sources. External: Customers, Competitors, Non-related Businesses, Business Partners (B2B), Suppliers, Governments, etc. Internal: Internal Operations (i.e. Insider Threats), Internal Operations (i.e. Financial). Global Threat Sources give rise to Exploits (Technology-driven threats; Physical, BC-type threats), which affect the business and are mitigated by Offsets (internal and external technology, internal and external processes).]
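The risk definitions on this slide and the acceptable/unacceptable chart on the previous one describe one calculation: the probability that a threat exploits a vulnerability, weighted by the business-defined impact, with countermeasures lowering that probability. As an added worked example (not code from the presentation or from HBMG), the Python below runs a small constructed risk register through that calculation. The threats, probabilities, the 1–5 impact scale and the reduction factors are assumed sample values, and the 0.5 threshold stands in for the business-defined acceptable level.

```python
"""Worked example of the slide's risk formula: risk = probability that a threat
exploits a vulnerability x impact to the business, with countermeasures modelled
as reductions in the probability of successful exploitation.

Added illustration, not code from the presentation; every threat, probability
and reduction factor below is a constructed sample value."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One row of a risk register, using the slide's vocabulary."""
    name: str            # threat scenario (a threat agent acting on an asset)
    asset: str           # what we want to protect
    vulnerability: str   # deficiency that leaves the asset open to harm
    probability: float   # P(threat exploits vulnerability), set by security engineering
    impact: int          # impact to business, 1 (low) .. 5 (high), set by the business
    # countermeasures as (label, fraction of exploitation probability removed); assumed model
    countermeasures: list = field(default_factory=list)


def inherent_risk(t: Threat) -> float:
    """Risk before countermeasures: probability x impact."""
    return t.probability * t.impact


def residual_probability(t: Threat) -> float:
    """Apply each countermeasure as an independent reduction of exploitation probability."""
    p = t.probability
    for _label, reduction in t.countermeasures:
        if not 0.0 <= reduction <= 1.0:
            raise ValueError(f"reduction must be in [0, 1]: {reduction}")
        p *= 1.0 - reduction
    return p


def residual_risk(t: Threat) -> float:
    """Risk after countermeasures, on the same scale as inherent_risk."""
    return residual_probability(t) * t.impact


def classify(t: Threat, threshold: float) -> str:
    """Acceptable/unacceptable split from the risk management chart; threshold is business-defined."""
    return "acceptable" if residual_risk(t) <= threshold else "unacceptable"


# Constructed sample register (illustrative values only, not measured data).
SAMPLE_REGISTER = [
    Threat("phishing leads to credential theft", "staff accounts", "password-only login",
           probability=0.6, impact=4,
           countermeasures=[("multi-factor authentication", 0.5), ("awareness training", 0.3)]),
    Threat("insider copies customer database", "customer data", "broad read access",
           probability=0.2, impact=5, countermeasures=[]),
    Threat("laptop lost in transit", "laptop contents", "unencrypted disk",
           probability=0.3, impact=3, countermeasures=[("full-disk encryption", 0.9)]),
]


def assess(register, threshold=0.5):
    """Return (name, inherent, residual, classification) rows sorted by residual risk, highest first."""
    rows = [(t.name, round(inherent_risk(t), 3), round(residual_risk(t), 3), classify(t, threshold))
            for t in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, inherent, residual, verdict in assess(SAMPLE_REGISTER):
        print(f"{name:40s} inherent={inherent:.2f} residual={residual:.2f} {verdict}")
```

Running it puts the uncontrolled insider scenario at the top even though its probability is the lowest of the three: the impact weight does the work, which is the slide's point that business defines impact while security engineering defines probability. The phished-credential scenario stays above the threshold after two countermeasures, so the register shows where the next control should go rather than just a ranking.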
  30. In Parting: Be Paranoid
     "Sooner or later, something fundamental in your business world will change." – Andrew S. Grove, Founder, Intel, "Only the Paranoid Survive"
     Copyright @2008 HBMG Inc.
