2008 Year in Review By the Numbers Headliners and happenings Security marketplace 2009 and Beyond Drivers and influencers Threat landscape Emerging trends Focus areas

2008 Year in Review

By the Numbers

Headliners and happenings

Security marketplace

2009 and Beyond

Drivers and influencers

Threat landscape

Emerging trends

Focus areas

Google search for “security news 2008” provided over 4,000 entries…obviously this presentation will not discuss every event, news items, headline, prediction, trend, blog comment, tweet, etc etc etc

Google search for “security news 2008” provided over 4,000 entries…obviously this presentation will not discuss every event, news items, headline, prediction, trend, blog comment, tweet, etc etc etc

6,058* catalogued vulnerabilities Q1-Q3 [2] 145* vulnerability advisories published [2] 165 million web sites on the Internet [1]

6,058* catalogued vulnerabilities Q1-Q3 [2]

145* vulnerability advisories published [2]

165 million web sites on the Internet [1]

85% of malware via web [1] 50% of companies do not block access to social networking sites [3] Every 4.5 seconds a new infected web page is discovered [3] 97% of business email is spam [3]

85% of malware via web [1]

50% of companies do not block access to social networking sites [3]

Every 4.5 seconds a new infected web page is discovered [3]

97% of business email is spam [3]

656 breaches reported by Identity Theft Resource Center [4] 8.5% of reported breaches had password protection 2.4% of breaches had encryption or other strong protection methods in use

656 breaches reported by Identity Theft Resource Center [4]

8.5% of reported breaches had password protection

2.4% of breaches had encryption or other strong protection methods in use

Sophos predicted more Mac malware [5] CNCI established to strengthen federal government’s security of electronic networks and databases [6] January February US teenager pleaded guilty to seizing control of over 400,000 computers [7]

Sophos predicted more Mac malware [5]

CNCI established to strengthen federal government’s security of electronic networks and databases [6]

US teenager pleaded guilty to seizing control of over 400,000 computers [7]

Facebook enhanced its privacy settings [8] Hanaford Brothers breach disclosed 4.2m credit and debit card numbers [9] US State Department warned business executives visiting Beijing to leave their laptops at home [10] Jericho Forum unveils new architecture for Web 2.0 business collaboration [11] March April

Facebook enhanced its privacy settings [8]

Hanaford Brothers breach disclosed 4.2m credit and debit card numbers [9]

US State Department warned business executives visiting Beijing to leave their laptops at home [10]

Jericho Forum unveils new architecture for Web 2.0 business collaboration [11]

Government FISMA report card shows some progress [12] Wave of SQL injection attacks [13] Section 6.6 of PCI DSS came into force [14] Gartner announced that enterprise security industry is still booming [15] May June

Government FISMA report card shows some progress [12]

Wave of SQL injection attacks [13]

Section 6.6 of PCI DSS came into force [14]

Gartner announced that enterprise security industry is still booming [15]

Nasa hacker Gary McKinnon lost his extradition appeal [16] Vulnerabilities in the DNS were exploited for the first time [17] Facebook accidentally revealed personal information on 80 million users [18] Microsoft's Patch Tuesday on 12 August was the largest in years with 26 updates [19] 11 people with theft and sale of over 40 million credit and debit card numbers from at least nine U.S. retailers [20] International Space Station virus [21] July August

Nasa hacker Gary McKinnon lost his extradition appeal [16]

Vulnerabilities in the DNS were exploited for the first time [17]

Facebook accidentally revealed personal information on 80 million users [18]

Microsoft's Patch Tuesday on 12 August was the largest in years with 26 updates [19]

11 people with theft and sale of over 40 million credit and debit card numbers from at least nine U.S. retailers [20]

International Space Station virus [21]

Sarah Palin's email hacked [22] SecureWorks reported that computers in US launched most cyberattacks in first half 2008 [23] ISP Atrivo disconnected from Internet [24] European Union hinting that it could introduce data breach notification laws as soon as 2011 [25] ISO 27799:2008 released [26] US Army warns of twittering terrorists [27] September October

Sarah Palin's email hacked [22]

SecureWorks reported that computers in US launched most cyberattacks in first half 2008 [23]

ISP Atrivo disconnected from Internet [24]

European Union hinting that it could introduce data breach notification laws as soon as 2011 [25]

ISO 27799:2008 released [26]

US Army warns of twittering terrorists [27]

PCI introduced program to monitor QSAs [28] Symantec announced retirement of CEO John Thompson [29] Express Scripts claims extortion over data breach [30] Facebook awarded $873m in spam case [31] Center for Strategic and International Studies report describes drastic need for cybersecurity improvements [32] BitDefender identified a password stealing application disguised as a Mozilla Forefox Plugin. Targeted at least 100 banking sites [33] November December

PCI introduced program to monitor QSAs [28]

Symantec announced retirement of CEO John Thompson [29]

Express Scripts claims extortion over data breach [30]

Facebook awarded $873m in spam case [31]

Center for Strategic and International Studies report describes drastic need for cybersecurity improvements [32]

BitDefender identified a password stealing application disguised as a Mozilla Forefox Plugin. Targeted at least 100 banking sites [33]

Declines: # of deals Value of deals Valuation multiples [34]

Declines:

# of deals

Value of deals

Valuation multiples

[34]

Updata’s predictions for 2009: Recovery may be steep Non-traditional M&A on rise Underlying sector spending remains positive Best of breed players regaining upper hand [34]

Updata’s predictions for 2009:

Recovery may be steep

Non-traditional M&A on rise

Underlying sector spending remains positive

Best of breed players regaining upper hand

Software as a Service Virtualization Enterprise Mobility Energy-efficient data centers Security, risks and compliance Social networking Web 2.0 Document management and ediscovery Project management and portfolio management Web and video collaboration [35]

Software as a Service

Virtualization

Enterprise Mobility

Energy-efficient data centers

Security, risks and compliance

Social networking

Web 2.0

Document management and ediscovery

Project management and portfolio management

Web and video collaboration

[36]

Increased regulation Changing role of CISO and reporting Security outsourcing Security certification Private-public security coordination and critical infrastructure protection

Increased regulation

Changing role of CISO and reporting

Security outsourcing

Security certification

Private-public security coordination and critical infrastructure protection

More integration of end-point security Secure software development Information-centric security Encryption Identity and Entitlement management SaaS and Security-in-the-cloud [37, 38]

More integration of end-point security

Secure software development

Information-centric security

Encryption

Identity and Entitlement management

SaaS and Security-in-the-cloud

Adjust for risks related to economic downturn Review security architecture for web-based attacks Develop/enhance incident response processes Continue/update security awareness training Review approach for extended enterprise Address identity and access management

Adjust for risks related to economic downturn

Review security architecture for web-based attacks

Develop/enhance incident response processes

Continue/update security awareness training

Review approach for extended enterprise

Address identity and access management

1. State of Internet Security: Protecting the Perimeter, Webroot May 2008 2. CERT/CC Vulnerability remediation statistics (www.cert.org/stats/vulnerability_remediation.html) 3. Security threat report: 2009, Sophos (December 2008) 4. Identity Theft Resource Center (www. idtheftcenter.org) 5. “Sophos Security Threat Report reveals cybercriminals moving beyond Microsoft “, Sophos (January 23, 2008) 6. Senate Committee on Homeland Security and Government Affairs Press Release (May 2, 2008) 7. “Teenage zombie king pleads guilty to hacking US military computers”, Sophos press release (February 12, 2008) 8. Facebook press release 9. “Top 5 cybersecurity news stories of 2008”, SearchSecurity.com (December 29, 2008) 10. “Olympic visitors warned of digital monitoring”, The Washington Post (July 30, 2008) Jericho Forum website 11. “Jericho Forum Unveils New Architecture As Key To Safe Business Collaboration In A Web 2.0 World”, SecurityManager.net (April, 22 2008) 12. FISMA 13. “SQL injection attack infects hundreds of thousands of websites”, Michael Mimoso, SearchSecurity.com (April 30, 2008) 14. “2008 year in review: Security”, Phil Muncaster, vunet.com (December 22, 2008) 15. See 14 16. See 14 17. See 9 18. See 14 19. See 14 20. “11 Charged in Global Theft, Sale of 40 Million Credit Cards”, The Washington Post (August 6, 2008) 21. See 5 22. See 14 23. SecureWorks.com 24. See 5 25. See 14 26. “New ISO standard provides information security guidelines for the health sector”, SecurityManager.net (October 9, 2008) 27. “U.S. Army warns of twittering terrorists”, CNETNews, (October 24, 2008) 28. “PCI Quality Assurance Program Does Not Go Far Enough”, Gartner, Inc. (November 20, 2008) 29. See 14 30. Google News 31. See 14 32. “Securing Cyberspace for the 44 th Presidency”, Center for Strategic and International Studies (December 2008) 33. “New Bank-Targeted Trojan via Firefox Saps Consumer Confidence”, Gartner, Inc. (December 9, 2008) 34. “2009 M&A Outlook”, Updata Advisors (January 2009) 35. “Top 10 Trends in IT for 2009”, Samuel Greengard, Baseline Magazine (November 26, 2008) 36. Gartner 2008 IT Security Threat Projection Timeline, Gartner, Inc. (August 26, 2008) 37. “Looking ahead at security trends for 2009”, Jon Olstik, CNET News (December 23, 2008) 38. Utimaco 2009 IT Security Forecast Press Release (December 9, 2008)

1. State of Internet Security: Protecting the Perimeter, Webroot May 2008

2. CERT/CC Vulnerability remediation statistics (www.cert.org/stats/vulnerability_remediation.html)

3. Security threat report: 2009, Sophos (December 2008)

4. Identity Theft Resource Center (www. idtheftcenter.org)

5. “Sophos Security Threat Report reveals cybercriminals moving beyond Microsoft “, Sophos (January 23, 2008)

6. Senate Committee on Homeland Security and Government Affairs Press Release (May 2, 2008)

7. “Teenage zombie king pleads guilty to hacking US military computers”, Sophos press release (February 12, 2008)

8. Facebook press release

9. “Top 5 cybersecurity news stories of 2008”, SearchSecurity.com (December 29, 2008)

10. “Olympic visitors warned of digital monitoring”, The Washington Post (July 30, 2008) Jericho Forum website

11. “Jericho Forum Unveils New Architecture As Key To Safe Business Collaboration In A Web 2.0 World”, SecurityManager.net (April, 22 2008)

12. FISMA

13. “SQL injection attack infects hundreds of thousands of websites”, Michael Mimoso, SearchSecurity.com (April 30, 2008)

14. “2008 year in review: Security”, Phil Muncaster, vunet.com (December 22, 2008)

15. See 14

16. See 14

17. See 9

18. See 14

19. See 14

20. “11 Charged in Global Theft, Sale of 40 Million Credit Cards”, The Washington Post (August 6, 2008)

21. See 5

22. See 14

23. SecureWorks.com

24. See 5

25. See 14

26. “New ISO standard provides information security guidelines for the health sector”, SecurityManager.net (October 9, 2008)

27. “U.S. Army warns of twittering terrorists”, CNETNews, (October 24, 2008)

28. “PCI Quality Assurance Program Does Not Go Far Enough”, Gartner, Inc. (November 20, 2008)

29. See 14

30. Google News

31. See 14

32. “Securing Cyberspace for the 44 th Presidency”, Center for Strategic and International Studies (December 2008)

33. “New Bank-Targeted Trojan via Firefox Saps Consumer Confidence”, Gartner, Inc. (December 9, 2008)

34. “2009 M&A Outlook”, Updata Advisors (January 2009)

35. “Top 10 Trends in IT for 2009”, Samuel Greengard, Baseline Magazine (November 26, 2008)

36. Gartner 2008 IT Security Threat Projection Timeline, Gartner, Inc. (August 26, 2008)

37. “Looking ahead at security trends for 2009”, Jon Olstik, CNET News (December 23, 2008)

38. Utimaco 2009 IT Security Forecast Press Release (December 9, 2008)

Until recently, Graeme was a Principal in Ernst & Young's Technology & Security Risk Services practice. He has over 20 years experience in assisting companies in addressing information technology risk issues. He has provided strategic leadership and advice to many companies on a broad range of IT issues. In recent projects he has led enterprise-wide reviews of information security and privacy, developed recommendations for senior management to effect significant improvements to the enterprise's security governance, architecture and processes; provided leadership for the enhancement of identity and access management processes; and, advised senior management on business and technology risks and strategies. Graeme is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP) and Chartered Accountant (New Zealand). He received a Bachelor of Commerce from the University of Canterbury, New Zealand. Graeme Payne CA, CISSP, CISM, CISA, CIPP [email_address] 770 619 4278

Until recently, Graeme was a Principal in Ernst & Young's Technology & Security Risk Services practice. He has over 20 years experience in assisting companies in addressing information technology risk issues. He has provided strategic leadership and advice to many companies on a broad range of IT issues. In recent projects he has led enterprise-wide reviews of information security and privacy, developed recommendations for senior management to effect significant improvements to the enterprise's security governance, architecture and processes; provided leadership for the enhancement of identity and access management processes; and, advised senior management on business and technology risks and strategies. Graeme is a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP) and Chartered Accountant (New Zealand). He received a Bachelor of Commerce from the University of Canterbury, New Zealand.