Risk Management on the Internet

Internet: A critical tool for businesses today.

Internet Communication: Clients Suppliers Partners Personal

Communication:

Clients

Suppliers

Partners

Personal

Factors that increase the threat Broadband Technology ADSL, DSL, ISDN, Cable-Modem, etc. Economy Globalization A new era of interaction between nations, economies and people. Increase in technology complexity. The complexity is directly proportional to the bugs in the systems.

Broadband Technology

ADSL, DSL, ISDN, Cable-Modem, etc.

Economy Globalization

A new era of interaction between nations, economies and people.

Increase in technology complexity.

The complexity is directly proportional to the bugs in the systems.

What are the risks on the Internet? Key Cases & Events

Consequences of poor security Financial Loss Theft Intellectual Property Credit Card/Personal Information Virus Loss of Trust E-Graffiti Denial of Service

Financial Loss

Theft

Intellectual Property

Credit Card/Personal Information

Virus

Loss of Trust

E-Graffiti

Denial of Service

Consequences of poor security Virus I Love You – Caused financial loss in excess of $10 billion, estimates Computer Economics. It is estimated that the attacks on Yahoo!, Buy.com, eBay, CNN, & Amazon.com caused $1.2 billions of lost revenue. ( Source: The Yankee Group). Theft of credit card information have included CD Universe (300,000), VISA USA (485,000) and more recently a hacker accessed 5.6 million credit cards from a company that processes transactions on behalf of merchants. FINANCIAL LOSS

Virus I Love You – Caused financial loss in excess of $10 billion, estimates Computer Economics.

It is estimated that the attacks on Yahoo!, Buy.com, eBay, CNN, & Amazon.com caused $1.2 billions of lost revenue. ( Source: The Yankee Group).

Theft of credit card information have included CD Universe (300,000), VISA USA (485,000) and more recently a hacker accessed 5.6 million credit cards from a company that processes transactions on behalf of merchants.

Abuse & Losses in Industry, Goverment and Education... 90% detected intruders in their systems. 70% reported serious flaws in security: Theft of intellectual and digital property. Financial fraud. Faulty service and sabotage. 223 Respondents Source: SF CSI 0 10 20 30 40 50 60 70 80 90 Intrusions Flaws

90% detected intruders in their systems.

70% reported serious flaws in security:

Theft of intellectual and digital property.

Financial fraud.

Faulty service and sabotage.

Abuse & Losses in Industry, Goverment and Education... 80% acknowledged financial losses due to computer breaches . 44% were willing and/or able to quantify their financial losses . Losses Totaled $ 455,848,000 20 30 40 50 60 70 80 Losses Quantify 223 Respondents Source: SF CSI

80% acknowledged financial losses due to computer breaches .

44% were willing and/or able to quantify their financial losses .

Losses Totaled $ 455,848,000

Hackers, Crackers, Script Kiddies and Thieves

http://www.infochannel.com.mx/

http://www.sanpedro.gob.mx/

http://www. cordiplan.gov.ve /

How money was lost 2002 CSI/FBI Computer Crime and Security Survey Nota : Average Losses per ocurrence . Financial Fraud Theft of proprietary information System penetration by an outsider Unauthorized insider access Sabotage of data networks $6.5 M + $4.6 M + $541,000 $300,000 $226,000

How security has been handled until now

The traditional security model Prevention Increased revenues Confidentiality “Trust” “ Implementing a robust security will increase earnings, establish confidentiality between your clients, suppliers and partners”

Prevention

Increased revenues

Confidentiality “Trust”

Avoiding the threat is not sufficient Every security product has failed occasionally. 98% of all respondents acknowledged having anti-virus software, nevertheless 90% reported cases of contamination by virus. 91% of all respondents have firewalls in place, nevertheless 40% report ed system penetration , which has increased for the fourth consecutive year . -- Computer Security Institute / FBI, 2002

Every security product has failed occasionally.

98% of all respondents acknowledged having anti-virus software, nevertheless 90% reported cases of contamination by virus.

91% of all respondents have firewalls in place, nevertheless 40% report ed system penetration , which has increased for the fourth consecutive year .

-- Computer Security Institute / FBI, 2002

Lack of Security Consequences of… Loss of confidence in the market Reduction in the shareholding price Hiring additional personnel Difficulty when raising capital

Consequences of…

Loss of confidence in the market

Reduction in the shareholding price

Hiring additional personnel

Difficulty when raising capital

Too Much Security Consequences of… Loss of revenue Creates obstacles for the clients Loss of image in the market

Consequences of…

Loss of revenue

Creates obstacles for the clients

Loss of image in the market

The perfect Balance Providing the right balance between good security measures, which allow the right person to access the right data at the right time.

Providing the right balance between good security measures, which allow the right person to access the right data at the right time.

A new security perspective

Manage the Risk Quantify the risk Evaluate probabilities Consequences of a disastrous event

Quantify the risk

Evaluate probabilities

Consequences of a disastrous event

Manage the Risk… Take corrective measures Reduce the risk Diminish probabilities, consequences or both. Transfer the risk Acquire insurance policies to indemnify your organization and third-party.

Take corrective measures

Reduce the risk

Diminish probabilities, consequences or both.

Transfer the risk

Acquire insurance policies to indemnify your organization and third-party.

Manage the Risk… Effective use of security products to reduce the risk. Why effective? These tools should be implemented when the savings due to the reduction of the risk, justifies the investment in the product.

Effective use of security products to reduce the risk.

Why effective?

These tools should be implemented when the savings due to the reduction of the risk, justifies the investment in the product.

Manage the Risk… Safe $500,000 Safe $ 25,000 / Insurance Policy $ 16,000 Safe $5,000 & Insurance Policy $5,000 (requires a safe). Safe Diamond $ 50,000

Safe $500,000

Safe $ 25,000 / Insurance Policy $ 16,000

Safe $5,000 & Insurance Policy $5,000 (requires a safe).

Issues to consider when establishing a global security strategy Accept part of the risk. Reduce part of the risk using security products and procedures. Transfer part of the risk. Recruit adequate personnel based on responsability. Integration.

Accept part of the risk.

Reduce part of the risk using security products and procedures.

Transfer part of the risk.

Recruit adequate personnel based on responsability.

Integration.

Conclusion Information security should NOT be considered merely a technical problem. Information security should be a dynamic process that requires constant supervision, not only by technical personnel, but from personnel in general.

Information security should NOT be considered merely a technical problem.

Information security should be a dynamic process that requires constant supervision, not only by technical personnel, but from personnel in general.

Questions ?

http://www.sekiur.com Risk Management on the Internet For additional information: Jos é Vicente Ortega [email_address] 817-727-4530

Risk Management

on the Internet

For additional information:

Jos é Vicente Ortega

[email_address]

817-727-4530