Information Security – Review Of 2008 And 2009 97 2003

A presentation to Technology Association of Georgia Security Group on January 29, 2009. The presentation covered a review of 2008 and a look forward to 2009


    Slide 2
      • 2008 Year in Review
          • By the Numbers
          • Headliners and happenings
          • Security marketplace
      • 2009 and Beyond
          • Drivers and influencers
          • Threat landscape
          • Emerging trends
          • Focus areas
    Slide 3
      • A Google search for “security news 2008” returned over 4,000 entries; obviously this presentation will not discuss every event, news item, headline, prediction, trend, blog comment, tweet, etc.
    Slide 5
      • 6,058* catalogued vulnerabilities Q1–Q3 [2]
      • 145* vulnerability advisories published [2]
      • 165 million web sites on the Internet [1]
    Slide 6
      • 85% of malware delivered via the web [1]
      • 50% of companies do not block access to social networking sites [3]
      • Every 4.5 seconds a new infected web page is discovered [3]
      • 97% of business email is spam [3]
    Slide 7
      • 656 breaches reported by the Identity Theft Resource Center [4]
          • 8.5% of reported breaches had password protection
          • 2.4% of breaches had encryption or other strong protection methods in use
    Slide 9 (January / February)
      • Sophos predicted more Mac malware [5]
      • CNCI established to strengthen the federal government’s security of electronic networks and databases [6]
      • US teenager pleaded guilty to seizing control of over 400,000 computers [7]
    Slide 10 (March / April)
      • Facebook enhanced its privacy settings [8]
      • Hannaford Brothers breach disclosed 4.2m credit and debit card numbers [9]
      • US State Department warned business executives visiting Beijing to leave their laptops at home [10]
      • Jericho Forum unveiled a new architecture for Web 2.0 business collaboration [11]
    Slide 11 (May / June)
      • Government FISMA report card showed some progress [12]
      • Wave of SQL injection attacks [13]
      • Section 6.6 of PCI DSS came into force [14]
      • Gartner announced that the enterprise security industry is still booming [15]
    Slide 12 (July / August)
      • NASA hacker Gary McKinnon lost his extradition appeal [16]
      • Vulnerabilities in the DNS were exploited for the first time [17]
      • Facebook accidentally revealed personal information on 80 million users [18]
      • Microsoft's Patch Tuesday on 12 August was the largest in years, with 26 updates [19]
      • 11 people charged with the theft and sale of over 40 million credit and debit card numbers from at least nine U.S. retailers [20]
      • International Space Station virus [21]
    Slide 13 (September / October)
      • Sarah Palin's email hacked [22]
      • SecureWorks reported that computers in the US launched most cyberattacks in the first half of 2008 [23]
      • ISP Atrivo disconnected from the Internet [24]
      • European Union hinted that it could introduce data breach notification laws as soon as 2011 [25]
      • ISO 27799:2008 released [26]
      • US Army warned of twittering terrorists [27]
    Slide 14 (November / December)
      • PCI introduced a program to monitor QSAs [28]
      • Symantec announced the retirement of CEO John Thompson [29]
      • Express Scripts claimed extortion over a data breach [30]
      • Facebook awarded $873m in spam case [31]
      • Center for Strategic and International Studies report described a drastic need for cybersecurity improvements [32]
      • BitDefender identified a password-stealing application disguised as a Mozilla Firefox plugin; it targeted at least 100 banking sites [33]
    Slide 16
      • Declines: [34]
          • # of deals
          • Value of deals
          • Valuation multiples
    Slide 17
      • (Chart) [34]
    Slide 18
      • Updata’s predictions for 2009: [34]
          • Recovery may be steep
          • Non-traditional M&A on the rise
          • Underlying sector spending remains positive
          • Best-of-breed players regaining the upper hand
    Slide 21
      • Software as a Service
      • Virtualization
      • Enterprise Mobility
      • Energy-efficient data centers
      • Security, risks and compliance
      • Social networking
      • Web 2.0
      • Document management and ediscovery
      • Project management and portfolio management
      • Web and video collaboration
      [35]
    Slide 22
      • (Chart) [36]
    Slide 23
      • Increased regulation
      • Changing role of the CISO and reporting
      • Security outsourcing
      • Security certification
      • Private-public security coordination and critical infrastructure protection
    Slide 24
      • More integration of end-point security
      • Secure software development
      • Information-centric security
      • Encryption
      • Identity and Entitlement management
      • SaaS and Security-in-the-cloud
      [37, 38]
    Slide 25
      • Adjust for risks related to the economic downturn
      • Review security architecture for web-based attacks
      • Develop/enhance incident response processes
      • Continue/update security awareness training
      • Review approach for the extended enterprise
      • Address identity and access management
    Slide 27 (References)
      1. State of Internet Security: Protecting the Perimeter, Webroot (May 2008)
      2. CERT/CC Vulnerability remediation statistics (www.cert.org/stats/vulnerability_remediation.html)
      3. Security threat report: 2009, Sophos (December 2008)
      4. Identity Theft Resource Center (www.idtheftcenter.org)
      5. “Sophos Security Threat Report reveals cybercriminals moving beyond Microsoft”, Sophos (January 23, 2008)
      6. Senate Committee on Homeland Security and Government Affairs Press Release (May 2, 2008)
      7. “Teenage zombie king pleads guilty to hacking US military computers”, Sophos press release (February 12, 2008)
      8. Facebook press release
      9. “Top 5 cybersecurity news stories of 2008”, SearchSecurity.com (December 29, 2008)
      10. “Olympic visitors warned of digital monitoring”, The Washington Post (July 30, 2008); Jericho Forum website
      11. “Jericho Forum Unveils New Architecture As Key To Safe Business Collaboration In A Web 2.0 World”, SecurityManager.net (April 22, 2008)
      12. FISMA
      13. “SQL injection attack infects hundreds of thousands of websites”, Michael Mimoso, SearchSecurity.com (April 30, 2008)
      14. “2008 year in review: Security”, Phil Muncaster, vunet.com (December 22, 2008)
      15. See 14
      16. See 14
      17. See 9
      18. See 14
      19. See 14
      20. “11 Charged in Global Theft, Sale of 40 Million Credit Cards”, The Washington Post (August 6, 2008)
      21. See 5
      22. See 14
      23. SecureWorks.com
      24. See 5
      25. See 14
      26. “New ISO standard provides information security guidelines for the health sector”, SecurityManager.net (October 9, 2008)
      27. “U.S. Army warns of twittering terrorists”, CNET News (October 24, 2008)
      28. “PCI Quality Assurance Program Does Not Go Far Enough”, Gartner, Inc. (November 20, 2008)
      29. See 14
      30. Google News
      31. See 14
      32. “Securing Cyberspace for the 44th Presidency”, Center for Strategic and International Studies (December 2008)
      33. “New Bank-Targeted Trojan via Firefox Saps Consumer Confidence”, Gartner, Inc. (December 9, 2008)
      34. “2009 M&A Outlook”, Updata Advisors (January 2009)
      35. “Top 10 Trends in IT for 2009”, Samuel Greengard, Baseline Magazine (November 26, 2008)
      36. Gartner 2008 IT Security Threat Projection Timeline, Gartner, Inc. (August 26, 2008)
      37. “Looking ahead at security trends for 2009”, Jon Oltsik, CNET News (December 23, 2008)
      38. Utimaco 2009 IT Security Forecast Press Release (December 9, 2008)
    Slide 28 (Speaker)
      • Until recently, Graeme was a Principal in Ernst & Young's Technology & Security Risk Services practice. He has over 20 years of experience in assisting companies in addressing information technology risk issues. He has provided strategic leadership and advice to many companies on a broad range of IT issues. In recent projects he has led enterprise-wide reviews of information security and privacy; developed recommendations for senior management to effect significant improvements to the enterprise's security governance, architecture and processes; provided leadership for the enhancement of identity and access management processes; and advised senior management on business and technology risks and strategies. Graeme is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP) and Chartered Accountant (New Zealand). He received a Bachelor of Commerce from the University of Canterbury, New Zealand.
      Graeme Payne CA, CISSP, CISM, CISA, CIPP, [email_address], 770 619 4278