Cybercrime future perspectives
Presentation by Charl van der Walt, Jaco van Graan and Roelof Temmingh at ISEC in 2000.

The presentation begins with a discussion of commercial crime statistics and trends. Security fundamentals such as encryption and the four pillars of information security are discussed. The presentation ends with a series of discussions on the seven steps of the security process.

Presentation Transcript

  • CYBERCRIME Future Perspectives charl van der walt www.sensepost.com
  • Commercial Crime
    • Commercial crime up 3.5% from last year
      • R 3.4 billion in the first half of '99 alone
    • 84.3% of cases involved fraud
      • 25,000 incidents
      • R 2.9 billion
    • Gauteng occupies a first position with regard to Commercial Crime
    • www.saps.org.za
    SECURITY TRENDS & STATISTICS
  • Computer Crime
    • 61% of the organizations surveyed have experienced losses due to unauthorized computer use.
    • The average loss resulting from security breaches in all categories was approximately $ 1,000,000
    • FBI / CSI Survey, 1999
    SECURITY TRENDS & STATISTICS
  • Crime Costs Money
    • “Just ask Edgars, the clothing retail group, which lost more than R1m after a computer programmer brought down more than 600 stores for an entire day.” Financial Mail - April 2000
    SECURITY TRENDS & STATISTICS
  • Computers & Commercial Crime
    • KPMG:
    • ‘63% of top-level managers in South Africa rate their company's dependence on IT for the successful running of business as "Extremely High"’
    SECURITY TRENDS & STATISTICS
  • Did they have it coming?
    • access control 93%
    • biometrics 9%
    • encrypted files 61%
    • anti-virus software 98%
    • reusable passwords 61%
    • firewalls 91%
    • encrypted log-in/sessions 46%
    • physical security 91%
    • PCMCIA, smart cards, one-time tokens 39%
    • intrusion detection 42%
    • digital IDs, certificates 34%
    • FBI / CSI Survey, 1999
    SECURITY TRENDS & STATISTICS charl van der walt
  • Threat Distribution - USA
    • Theft of proprietary info 20%
    • Sabotage of data or networks 15%
    • Telecom eavesdropping 10%
    • System penetration by outsider 24%
    • Insider abuse of net access 76%
    • Financial fraud 11%
    • Denial of service 25%
    • Virus contamination 70%
    • Unauthorized access to info by insider 43%
    • Telecom fraud 13%
    • Active wiretapping 2%
    • Laptop theft 54%
    SECURITY TRENDS & STATISTICS charl van der walt
  • Threat Distribution - RSA
    • Some form of breach 89%
    • Virus incident 87%
    • Theft of equipment 80%
    • E-mail intrusion 27%
    • Loss of company documents 12%
    • Breach of confidentiality 8%
    • External systems attack 8%
    • Internal systems attack 6%
    SECURITY TRENDS & STATISTICS
  • The value of statistics
    • What we know:
      • There is a threat to our Information Resources
      • The threat has direct financial implications
      • The threat is growing
      • A large part of the threat is internal
      • There are a number of distinguishable trends
    • What we don’t know:
      • How accurate are the statistics?
      • Are international statistics relevant in SA?
      • Are international solutions relevant in SA?
      • What does this all mean to me?
  • Determining your own risk
    • You need to determine your own unique risk profile
    • What is Risk?
      • Valuable resources + exploitable technology
    • What is “Secure”?
      • When the financial losses incurred are at an acceptable level
    • Your “Risk-Profile”:
      • The value of your Information
      • The degree of technological vulnerability
      • A level of loss that is acceptable to you
        • Unique to your organisation. Today.
    SECURITY TRENDS & STATISTICS charl van der walt
  • Trends in IT security
    • There is a continual phase shift in security risks
    • And in security solutions
    • In the beginning
      • Physical Attacks
    • Yesterday
      • Network Attacks
    • Today
      • Application Attacks
    • The industry is typically technology driven, not problem driven.
    • Can we afford to follow the ‘solutions’ trend?
    SECURITY TRENDS & STATISTICS
  • Future Threats
    • Denial of Service
      • Distributed
      • Anonymous
      • Depends on 3rd parties to solve
      • Directly impacts the “e” world
    • Trojans & Worms
      • Stealthy
      • Remote Controlled
      • Fetch Model
    • Corporate Backdoors
      • How will we ever know?
    • Semantic Attacks
    SECURITY TRENDS & STATISTICS
  • Determining your own risk
    • The magnitude of the risk is a product of the value of the information and the degree to which the vulnerability can be exploited.
    SECURITY TRENDS & STATISTICS charl van der walt
  • Understanding the Internet
    • Host
    • Network
    • LAN
    • WAN
    • Internet
    • Protocol
    • IP
    • Packet
    • Server / Service
    • Port
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Four Pillars of Information Security
    • Access Control
      • Control who may and who may not access data
    • Confidentiality
      • Ensure data is viewed only by intended audience
    • Integrity
      • Ensure data is not changed by unauthorized parties
    • Authenticity
      • Ensure that data originated where you think
    • #5 - Availability
      • Ensure data is there when you need it
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Security Control Methods
    • Information Security Policy
    • Sound system design
    • Access Control
      • Physical
      • Network
      • Operating System
      • Application
    • Encryption
    • Audit and Review
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • More about Encryption
    • Encrypt
      • Convert information into unreadable format
        • Crypto-Text
    • Decrypt
      • Change data back to normal format
        • Clear-Text
    • Algorithm
      • Steps followed to encrypt or decrypt the information
    • Key
      • Secret shared between parties
    • Key Length
      • An indication of how hard the key is to guess
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Still more about Encryption
    • Public Key Cryptography
      • A special type of encryption using a key pair
    • Private Key
      • Kept strictly secret
    • Public Key
      • Published with a Certificate
    • Certificate
      • A way of linking your Key to your Identity
    • Certificate Authority (CA)
      • Responsible for verifying the Certificate
    • Public Key Infrastructure (PKI)
      • Structures needed to make the process work
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Security Technologies
    • Firewalls
      • Network Level
      • Application Level
      • Content Level
    • Authentication Systems
      • Something you know
      • Something you have
      • Something you are
    • Encryption Protocols
      • SSH
      • SSL
      • IPSec
    • Intrusion Detection Systems
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • Security Products
    • Firewalls
      • Check Point FW-1 (www.checkpoint.com)
      • NAI Gauntlet (www.nai.com)
      • Linux IPchains (www.linux.org)
    • Authentication Systems
      • RSA SecurID (www.rsa.com)
      • Aladdin eToken (www.aks.com)
    • Encryption
      • Windows EFS -
      • Trispen IPGranite (www.trispen.com)
    • Intrusion Detection Systems
      • AXENT Netprowler (www.axent.com)
      • SNORT (www.snort.org)
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • .
    • Content removed
    INFORMATION SECURITY FUNDAMENTALS charl van der walt
  • SECURITY DEMONSTRATED
    • 1. A server is connected to the Internet.
    • 2. Passwords are used to restrict access to the MS file service.
    SECURITY DEMO roelof temmingh
  • SECURITY DEMONSTRATED
    • 3. A firewall is used to restrict server access to the web service port - 80.
    SECURITY DEMO roelof temmingh
  • SECURITY DEMONSTRATED
    • 4. An IDS is used to detect and report on attempted attacks on the web server.
    SECURITY DEMO roelof temmingh
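Added example (not part of the original demo or of any SensePost tool) modelling steps 3 and 4 above: a packet filter that exposes only the web service port of the server, and a detector run over the filter's decisions that reports sources probing the closed ports. The server address, the source addresses and the traffic log are constructed for the example.

```python
"""Model of the demo's firewall (step 3) and IDS (step 4), as an added example.

The firewall accepts only TCP traffic to port 80 on the server and denies
everything else; the detector looks at what the firewall denied and reports
any source that touched several distinct closed ports."""
from collections import defaultdict

SERVER = "192.0.2.10"          # constructed server address (TEST-NET-1 range)
ALLOWED_PORTS = {80}           # step 3: only the web service is reachable


def filter_packet(dst_ip, dst_port, proto="tcp"):
    """Return 'ACCEPT' or 'DENY' for one inbound packet, as a port-80-only
    rule set with a default-deny policy would."""
    if dst_ip == SERVER and proto == "tcp" and dst_port in ALLOWED_PORTS:
        return "ACCEPT"
    return "DENY"


def detect_probes(packets, threshold=3):
    """Step 4: report sources whose denied packets touched at least
    `threshold` distinct closed ports on the server (a sign of probing).
    `packets` is an iterable of (src_ip, dst_ip, dst_port, proto) tuples;
    the result maps offending source -> sorted list of ports it tried."""
    denied_ports = defaultdict(set)
    for src, dst, port, proto in packets:
        if dst == SERVER and filter_packet(dst, port, proto) == "DENY":
            denied_ports[src].add(port)
    return {src: sorted(ports) for src, ports in denied_ports.items()
            if len(ports) >= threshold}


# Constructed traffic: one ordinary web visitor, one host walking through
# the file-service and other ports the firewall hides (steps 2 and 3), and
# one stray packet that stays below the reporting threshold.
TRAFFIC = [
    ("198.51.100.7", SERVER, 80, "tcp"),
    ("198.51.100.7", SERVER, 80, "tcp"),
    ("203.0.113.5", SERVER, 139, "tcp"),   # MS file service (NetBIOS session)
    ("203.0.113.5", SERVER, 445, "tcp"),   # MS file service (direct SMB)
    ("203.0.113.5", SERVER, 22, "tcp"),
    ("203.0.113.5", SERVER, 80, "tcp"),    # accepted, not counted as a probe
    ("203.0.113.9", SERVER, 139, "tcp"),
]

if __name__ == "__main__":
    for src, ports in detect_probes(TRAFFIC).items():
        print(f"ALERT: {src} probed closed ports {ports} on {SERVER}")
```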
  • Proactive or Reactive?
    • Proactive
      • Locate weaknesses
      • Controls in place
      • LT cost effective
    • Reactive
      • No or weak controls
      • Try to plug security holes
      • Least effective
      • Costly
    THE INFORMATION SECURITY PROCESS jaco van graan
  • The Process…
    • 1. Threat/Risk Analysis
    • 2. Security Policy Creation
    • 3. Planning
    • 4. Policy Enforcement/Implementation
    • 5. Monitor & Manage
    • 6. Intrusion Detection
    • 7. Security Audit
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Threat/risk Analysis
    • Value your assets (information/reputation).
    • Determine the acceptable level of loss.
    • Some losses will inevitably occur.
      • Eliminating ALL losses would be either too costly or impossible.
    • The level of acceptable losses needs to be set
      • It dictates how much you are willing to spend on security.
    • Set time period for the acceptable losses.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Security Policy
    • Practical, understandable.
    • Control document.
    • Communicated.
    • Endorsed by management.
    • Applies to all users of infrastructure.
    • Gives security administrator a mandate
    • A security policy helps to define what you consider to be valuable, and it specifies what steps should be taken to safeguard those assets.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Planning
    • Enforcement of controls - security policy
    • Select products to ensure compliance
    • Determine required implementation and maintenance skills
    • Evaluate impact on business
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Planning
    • Resources
      • People
      • Time
      • $$$
    • Evaluate possible security partner
      • Experience: references
      • Financial backing
      • Trust relationship
      • Support: training/skills transfer/SLAs
      • Product range
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Implementation
    • Remember your exposure!
    • Security partner?
    • Schedule change control - security policy
    • Inform all users / business partners
    • Ensure skill level of implementers
    • Roll back plan
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Manage & Monitor
    • Physical audit of infrastructure
    • Responsibility handover
      • Security alerts, advisories, bug fixes
      • Equipment load
      • Configuration changes
    • Catch ‘em! (If you can…)
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Internal & External Audit
    • Collect and evaluate evidence to determine whether a computer system:
      • safeguards assets.
      • maintains data integrity.
      • allows the goals of an organisation to be achieved efficiently and effectively.
    • Security policy as control document.
    • International standards: SAS 70; BS 7799.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Internal Audit
    • Compare to internal audit division.
    • Independence, thus not involved in implementation or operations.
    • Report to IT manager.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • External Audit - Evaluation
    • Organisation
      • Independence
      • References
      • Experience
      • Certification
      • Cost
      • Ethics
      • Services offered
      • Backing: subsidiary/insurance
    THE INFORMATION SECURITY PROCESS jaco van graan
  • External Audit - Evaluation
    • Methodology
      • Certification/benchmark
      • Audit plan
      • Execution according to plan
      • Report
      • Recommendations & resolution
    THE INFORMATION SECURITY PROCESS jaco van graan
  • External Audit - Evaluation
    • Resources
      • Business skills
      • Experience: qualification; Certifications; Bodies
      • Individual background
    • The brief… How; What; Where?
      • Type: logical; Physical or social
      • Restrictions / conditions
      • Internal /external
    THE INFORMATION SECURITY PROCESS jaco van graan
  • External Audit - Evaluation
    • Toolbox.
      • Tool combinations: wider vulnerability exposure.
      • Proprietary or off the shelf.
    • Confidentiality.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Intrusion Detection
    • If all else failed…
    • Regular updates.
    • Follow up of intrusion attempts.
    • Play it again, Sam.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Adjust Security Policy
    • Recommendations from internal & external audits.
    • New business requirements.
    THE INFORMATION SECURITY PROCESS jaco van graan
  • Definition
    • The evaluation of the security of a computer system by a recognised third party. If the system being tested meets all the criteria it receives certification (also called accreditation), which is an indication of the level of security of the system being tested.
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Objective
    • To enforce structure on your security program
    • A means of assessing your own security
    • A means of measuring against best-of-breed
    • A means of convincing others of your security
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Leading Standards
    • BS 7799
      • British Standards Institute
      • Outlines 10 controls that must be addressed
      • Uses the c:cure program for accreditation
      • www.bsi.org.uk / www.bsi.org.za
      • www.c:cure.org
    • TCSEC
      • Trusted Computer System Evaluation Criteria
      • “Orange Book”
      • Published by the US National Security Agency
      • Defines different ‘Levels’ of trust
        • Minimal -> Formally Proven
      • www.radium.ncsc.mil/tpep
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Leading Standards
    • ITSEC
      • Information Technology Security Evaluation Criteria
      • Recognised by most European countries
      • Concentrates on product evaluations
      • Defines different levels (E0 - E6)
      • www.itsec.gov.uk
    • CCITSE
      • Common Criteria for IT Security Evaluation
      • Joint American / European Evaluation Standard
      • Successor to TCSEC and ITSEC
      • Defines ‘levels’ similar to TCSEC, but more flexible
        • Protection Profiles
      • http://csrc.nist.gov/cc/
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Leading Standards
    • ISO / GMITS
      • Guidelines to the Management of IT Security
      • Published by the JTC
        • Joint Technical Committee of ISO and IEC
      • www.iso.ch
      • www.diffuse.org/secure.html
    • COBIT
      • Control Objectives for Information and Related Technologies
      • Information Systems Audit and Control Association
        • ISACA
      • ‘Business Oriented & Practical’
      • www.isaca.org
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Leading Standards
    • ICSA
      • International Computer Security Association
      • Commercial Venture represented world-wide
      • Product certification and security assurance services
        • TrueSecure
      • Internet focused
      • www.icsa.net
    • Ernst & Young SAS70
      • Statement of Auditing Standards # 70
      • American version of a similar international standard
      • Specifically for the outsourced environment
      • Business focused
      • www.ey.com
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Is Certification for you?
    • Yes, if:
      • You’re a large corporation
      • You’re publicly owned
      • You offer IT-based services to clients
      • You have legal obligations
      • You’re comfortable with formal processes
    • No, if:
      • You have a small, manageable infrastructure
      • Your only responsibility is to yourself
      • You have an informal culture and strong skills
      • You believe certification will make you secure
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • Choosing the right standard
    • Recognition
      • Respect in your target market
    • Focus
      • Support for your own security objectives
    • Local Presence
      • A program that can be certified in SA
    • Total cost
      • Good return on investment
    • Overhead
      • Reasonable implementation time and life-span
    • Impact
      • A tangible effect on your systems
    INFORMATION SECURITY CERTIFICATION charl van der walt
  • THE BOTTOM LINE
    • 1. Take security seriously
    • 2. Don’t panic!
    • 3. Value your information
    • 4. Evaluate your risk
    • 5. Be requirement driven, not technology driven
    • 6. Enable your business
    THE BOTTOM LINE jaco van graan
  • Likely source of attacks
    • Foreign gov. 21%
    • Foreign corp. 30%
    • Independent Hackers 74%
    • US competitor 53%
    • Disgruntled employee 86%
    • FBI / CSI Survey, 1999
    SECURITY TRENDS & STATISTICS charl van der walt