Major global information security trends - a summary
Presentation by Luc de Graeve at internetix in 2004.

This presentation is a summary of global information security trends in the business environment. The presentation begins with an introduction to major global trends. Legal issues, threats, technologies and solutions are then discussed.

Published in: Technology, News & Politics


Transcript

  • 1. “Major Global Information Security Trends – a Summary” Luc de Graeve, SensePost and RedPay
  • 2. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
    • Major Global Trends:
      • The Business Environment
      • Regulatory and Legal Issues
      • Threats
      • Technologies and Solutions
    • A final thought
    • References, Contact details and Questions
  • 3. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
  • 4. SETTING THE SCENE - INTRODUCTION
    • A summary – an oxymoron
      • Huge environment
      • Complex environment
      • Fast-moving environment
      • Interactions with multiple areas
    • Each area – subject matter of its own
      • A whirlwind 45-minute tour
      • Subset….no time for exhaustive areas
    Non Technical…….as much as possible.
  • 5. SETTING THE SCENE - INTRODUCTION
    • Source Background
      • Sell no products
      • Clients all over the world
      • Spend huge amounts of time researching the space
      • Consult to International Private, Public and Government
      • Involvement in Information gathering – CSI to DefCon
      • Provide some references later
  • 6. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
  • 7. SETTING THE SCENE – A PROBLEM CHRONOLOGY
    • Obscurity Phase
      • Predominantly cryptographic culture
      • Time of Line, data, voice, PIN crypto
    • Access Phase
      • The company network and database effect
      • Time of Access control
      • Start of sharing of information across companies
    • Interconnected Phase
      • The Internet effect
      • Time of Firewalls, AVS, IDS/IPS and many others
    • Fear and control Phase
      • The Terrorist and Fraudster effect
      • Time of Legal and Regulatory controls
      • … ..possibly the beginning of end-to-end security?
    • Wood for the trees
      • Different companies in different phases
  • 8. SETTING THE SCENE – A PROBLEM DEFINITION
    • Information Security – present definition
      • Often hype driven
      • Regularly perception driven
      • Threat event driven
      • Supplier driven
      • Interconnected companies
      • Diffuse responsibilities………….
    • ……… Many things to many people
    • Today’s summary – cover a number of aspects
    • Keep the definition broad-based
  • 9. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
  • 10. SETTING THE SCENE – STATISTICS
    • Terri Curran – respected security consultant in USA…Analysis of following sources Nov 2003 – June 2004:
      • Multiple Information Security mail-lists
      • Computer Security Institute poll
      • CISSP forum analysis
      • META Group Research on Trends 2003
      • Yankee Group 2003 Enterprise Security Spending Survey
      • Kenneth Knapp survey – Auburn University (CISSP)
      • Peter Gregory, Computer World December 2003
      • Independent Security Practitioner’s Poll
    • 2004 CSI/FBI Computer Crime and Security Survey
    • March 2004 Symantec Internet Security Threat Report
    • … ..Too many sources to mention
  • 11. SETTING THE SCENE – STATISTICS
    • CISSP Forum analysis – a summary*
      • ROI & Information Security Metrics
      • SPAM
      • Malware
      • Legislation, Regulation (SOX)
      • Cyberterrorism
      • Perimeter security
      • Product Selection issues
      • Firewall deployment
      • Security Certification
      • Best Practices
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 12. SETTING THE SCENE – STATISTICS
    • META Group Research on Trends – a summary*
      • Security strategy
      • Confidentiality
      • Organization/Governance/Budget
      • Identity
      • Threat and Vulnerability
      • Physical Security
      • Content Security
      • Application Security
      • Isolation
      • Strategic Processes
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 13. SETTING THE SCENE – STATISTICS
    • The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
      • Top 4 product areas budgeted for 2004
        • Antivirus
        • IDS and IPS
        • Firewalls
        • Web Application Security
      • Other items on top 10 product list:
        • VPN
        • Access Control
        • Storage Security
        • Antispam
        • Authentication
        • Wireless Security
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 14. SETTING THE SCENE – STATISTICS
    • The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
      • Top service area budgeted for 2004:
        • Firewalls
      • Four important service areas budgeted for 2004:
        • IDS
        • Vulnerability Management
        • User Identity Administration
        • Security Assessments
      • Other service areas budgeted for 2004:
        • Strategic Consulting
        • Regulatory Compliance
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 15. SETTING THE SCENE – STATISTICS
    • The Yankee Group 2003 Enterprise Security Spending Survey – a summary*
      • Security incidents experienced in 2003:
        • Virus/Worms (83%)
        • Denial of Service attacks (40%)
        • Unauthorised data access (34%)
        • Misconfiguration (32%)
        • Web Site penetration (29%)
        • Theft of customer data (13%)
        • Disclosure of customer data (8%)
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 16. SETTING THE SCENE – STATISTICS
    • Kenneth Knapp CISSP survey – a summary*
      • Greatest Security Concerns;
        • Top Management support
        • Patch Management
        • Malware
        • Legal and regulatory issues
        • Internal threats
        • Access control and identity management
        • SDLC support for Information Security
        • Privacy
        • Business Continuity and Disaster Recovery
        • SPAM
        • Firewall and IDS Configurations
        • External Connectivity to other organisations
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 17. SETTING THE SCENE – STATISTICS
    • Peter Gregory, Computerworld survey – a summary*
      • Greatest Security Concerns/Hype for 2004;
        • SPAM
        • Internet access filtering
        • Desktop management
        • Personal Firewalls
        • Leaky Metadata
        • Wi-Fi break in
        • Bluetooth
        • Mobile phone hacking
        • Instant Messaging incident
        • Organised Crime
        • Shorter time to exploitation
      • * Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June)
  • 18. SETTING THE SCENE – STATISTICS
    • CSI/FBI June 2004 survey – highlights
      • Decline in reported unauthorised use
      • Decrease in reported dollar loss from security breaches
      • Denial of Service most expensive computer crime
      • Percentage companies reporting incidents declining
      • Economic evaluation of security expenditures:
        • ROI – 55% of companies
        • IRR – 28% of companies
        • NPV – 25% of companies
      • Most companies conduct security audits (>80%)
      • Outsourcing – most companies do not (63%)
        • When done – selective areas (25% …less than 20% of function)
      • Not enough security awareness focus in organisations
      • Sarbanes-Oxley Act beginning to have an impact
  • 19. SETTING THE SCENE – STATISTICS
    • CSI/FBI June 2004 survey – highlights
      • Action taken after experiencing computer intrusion:
        • Patched holes (91%)
        • Did not report (48%)
        • Reported to law enforcement (20%)
        • Reported to legal counsel (16%)
      • Prime reasons cited for not going to authorities:
        • Negative publicity – hurt stock/image (51%)
        • Competitors could use to their advantage (35%)
  • 20. SETTING THE SCENE – STATISTICS?
    • The problem with these statistics:
      • Each survey has different respondent profile
      • Each survey questions posed differently
      • Survey questions have to change from year to year
      • Surveys not quoted entirely in context
        • Purveyors of news
        • Purveyors of information
        • Vendors
        • Recipients of information
      • Access to surveys is often restricted
        • Closed/special user communities
        • Some surveys are only for paid up members
      • Analysing only one (or parts of one) survey can be fatal
  • 21. SETTING THE SCENE – STATISTICS?
    • How does one obtain value?
      • Have to be actively involved in the industry
        • Globally
        • Multiple clients
        • Multiple industries
      • Constantly evaluate new technologies
      • Do trending from industry knowledge sharing lists
      • Analysis of multiple sources is absolutely essential
      • Correlation study of threats, solutions and environment
      • Share knowledge
        • share knowledge
          • share knowledge...
  • 22. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
    • Major Global Trends:
      • The Business Environment
  • 23. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT
    • Increased online availability of information
      • More sophisticated information systems
      • Increased need for communication with others
      • Increased need for sharing information with others
      • Improved transport mechanisms for information
      • Multiple client channels to service providers
      • Multiple partner channels between organisations
      • ERP systems – company information repositories.
      • Increased use of standard computing delivery platforms
      • Ubiquitous Internet and Web
    GT - Complexity is the number one enemy of Information Security
  • 24. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT
    • Increased business model sophistication
      • Larger, more complex organisations
      • Mix of centralisation and de-centralisation
      • Diffuse and ill defined responsibilities, accountabilities and authorities in organisations
      • Complex, interlinked internal processes
      • Complex relationships with other entities
      • Multitude of legacy, current and futuristic computing platforms in organisations
      • Incomplete understanding of asset and risk classification
    GT - Complexity is the number one enemy of Information Security
  • 25. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
    • Major Global Trends:
      • The Business Environment
      • Regulatory and Legal Issues
        • … or in layman’s terms “When can I sue?”
  • 26. MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES
    • A large number of “new” Laws, Regulations and Standards
      • NERC Cyber Security Standard 1200 (USA)
      • BS7799, ISO17799, FISMA (USA), ISG (USA)
      • ISF, COBIT
      • King II Report
      • Health Insurance Portability and Accountability Act (HIPAA)
      • Sarbanes-Oxley (SOX)
      • Gramm, Leach, Bliley Act (GLBA)
      • ECT Act, Commsec Act
      • …… and many, many more!.....to be tested in the courts!!
    GT: New legal landscape will force enhanced security!
  • 27. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
    • Major Global Trends:
      • The Business Environment
      • Regulatory and Legal Issues
      • Threats
    *Note* Do not be scared – be aware!
  • 28. MAJOR GLOBAL TRENDS - THREATS
    • HACKERS …..and other (bigger?) beasts.
      • Website defacements:
        • 21 May 2001 – approximately 100 website defacements per day (Attrition.org)
        • 9 January 2003, 15h30 - 177 defacements
        • 2 March 2004, 18h30 - 403 defacements
        • 18 July 2004, 14h30 – 1096 defacements
    GT: A continued increase in website defacements!
  • 29–36. MAJOR GLOBAL TRENDS - THREATS
    • HACKERS …..and other (bigger?) beasts.
      • Website defacements: (image slides, one defaced page per slide; no transcript text)
    Text from the defaced page shown on slide 35: Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...
  • 37. MAJOR GLOBAL TRENDS - THREATS
    • MALWARE – Viruses, Worms and Horses
    Usual Suspects - Code Red
      • Initiation: 19-07-2001 @ 00:00
      • Completion: 19-07-2001 @ 19:50
  • 38. MAJOR GLOBAL TRENDS - THREATS
    • MALWARE – Viruses, Worms and Horses
    Usual Suspects – Sapphire/SQL
      • Initiation: 25-01-2003 @ 05:29
      • Completion: 25-01-2003 @ 06:00
    GT: A continued increase in speed of infections!
  • 39. MAJOR GLOBAL TRENDS - THREATS
    • Characteristics of attack profile trends
      • Speed of attack generation increasing
      • Sophistication levels of attacks increasing
      • Time from Vulnerability to Exploit decreasing
      • Coordination levels of attacks increasing
        • From DOS to DDOS to GDOS
      • Attacks utilise ever larger number of combined techniques
      • Definite increase in Application Level Attacks
        • … in addition to simpler Network Level Attacks
    GT: A continued increase in Attack Sophistication!
  • 40. MAJOR GLOBAL TRENDS - THREATS
    • IDENTITY THEFT - Definition:
      • When an entity pretends to be another entity, without any authorisation, with the aim of gain.
    • “It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw
    • “Why steal from someone if you can just become that person?” Bruce Schneier
    • Considered the fastest growing crime globally
      • Figures ranging between 46% and 58% ACGR
    • Consists of personal and corporate ID theft.
    GT: ID theft – the fastest growing crime globally!
  • 41. MAJOR GLOBAL TRENDS - THREATS
    • IDENTITY THEFT and PHISHING
      • Mechanisms and components in online world
        • SPAM – using spoofed e-mails
        • Social Engineering
        • Corporate Website Spoofing
      • SPAM – in excess of 50% of Internet traffic
      • PHISHING
        • Obtaining personal financial information online.
        • Hijacking of trusted brands
        • 419 Scams
        • List making for further SPAM
        • Malware Distribution
  • 42. MAJOR GLOBAL TRENDS - THREATS
    • IDENTITY THEFT and PHISHING
    It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…
  • 43. MAJOR GLOBAL TRENDS - THREATS
    • IDENTITY THEFT and PHISHING
    GT: Phishing attack trend points to a huge ID theft attack increase on the Web!
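The "show me all the domains that look and sound like my company" problem from slide 42 is what brand-monitoring tooling automates. As an added example that is not part of the presentation, the following Python generates the common lookalike variants of a brand's domain label (character omission, adjacent transposition, repetition, homoglyph substitution, hyphenation and alternative TLDs) and keeps only those not in the set the company already owns; the homoglyph table, TLD list and the `mybrand.com` owned set are constructed assumptions.

```python
# Added example: lookalike-domain candidate generation for brand monitoring.
# The homoglyph table, TLD list and sample domains below are constructed.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
TLDS = ["com", "net", "org", "co", "biz", "info"]


def split_domain(domain):
    """'mybrand.com' -> ('mybrand', 'com'); only the first label is varied."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalike_labels(label):
    """Return the set of single-edit variants of a domain label."""
    variants = set()
    # Omission: one character dropped (mybrand -> mybrnd).
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Transposition: two adjacent characters swapped (mybrand -> mybarnd).
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Repetition: one character doubled (mybrand -> mybrrand).
    for i in range(len(label)):
        variants.add(label[:i] + label[i] + label[i:])
    # Homoglyph substitution: visually similar replacement (mybrand -> rnybrand).
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            variants.add(label[:i] + sub + label[i + 1:])
    # Hyphenation: a hyphen inserted between two characters (my-brand).
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    variants.discard("")
    return variants


def lookalike_domains(domain):
    """All label variants (plus the original label) across the watched TLDs."""
    label, _ = split_domain(domain)
    candidates = set()
    for variant in lookalike_labels(label) | {label}:
        for tld in TLDS:
            candidates.add(f"{variant}.{tld}")
    candidates.discard(domain.lower())
    return candidates


def unowned_lookalikes(domain, owned):
    """Candidates the company does not control: the list to monitor or register."""
    owned_set = {d.lower() for d in owned}
    return sorted(d for d in lookalike_domains(domain) if d not in owned_set)


OWNED = {"mybrand.com", "mybrand.net", "mybrand.co"}  # constructed owned set

if __name__ == "__main__":
    for candidate in unowned_lookalikes("mybrand.com", OWNED):
        print(candidate)
```

Each candidate would then be checked against WHOIS or DNS to see whether it is registered and by whom, which this offline example deliberately leaves out.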
  • 44. MAJOR GLOBAL TRENDS - THREATS
    • In Summary:
      • All information points to increase in attack vectors on the Internet.
      • Sophistication and speed of attacks increase
      • The Internet environment is increasingly used by criminal elements.
    However – this by no means implies that one does not use the environment……which brings us to trends in the Technologies and Solutions space…
  • 45. TOPICS TO COVER
    • Setting the Scene:
      • Introduction – Major Global trends
      • Information Security – a problem definition
      • Statistics, suitable statistics and perceptions
    • Major Global Trends:
      • The Business Environment
      • Regulatory and Legal Issues
      • Threats
      • Technologies and Solutions
  • 46. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
    • What are most companies spending their security efforts on?
      • Anti Virus Systems
      • Firewalls
      • IDS/IPS solutions
      • Patch Management
    • These assist in reducing effects of intrusion attacks and malware attacks
      • Reduces potential financial and reputational loss
      • Improves Quality of Service….but….
      • Insufficient to combat fraud and reduce criminal element
    GT: Most companies still focused on Perimeter Security
  • 47. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
    • Additionally - what are leading companies spending their security efforts on?
      • Substantial User Awareness Programs
      • Improvement of processes that have security implication
      • Classification of user base and risk profiling
      • Classification of Information
      • Gearing up legal and forensics department
      • Ongoing Security Assessments
      • Multi-layering of security environments
      • Implementing and monitoring Security Baselining standards
    GT: Leading Companies are starting to look at Information Security using business principles!
  • 48. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS
    • Additionally - what are leading companies spending their security efforts on?
      • Multi-factor authentication for selected applications
      • Securing selected Web Applications
      • Incorporating security in the I.T. System development Life Cycle (SDLC)
      • Identity Management for complex environments
      • Analysing end-to-end security for selected applications
      • Clearer understanding of Acceptable Residual Risk
    GT: Leading Companies are looking after the basics!
    GT: Leading Companies are viewing Information Security as an important part of doing business!
    GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!
  • 49. MAJOR GLOBAL TRENDS – A FINAL THOUGHT
    • “Information security will continue to be a catch-up game….
      • the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints.
      • One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.”
    • “THE TREND IS YOUR FRIEND!”
  • 50. SELECTED REFERENCES
    • Curran, Terri. “Security trends from a practitioner’s perspective.” CSI NetSec04 paper.
    • Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.”
    • Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey
    • Symantec Internet Security Threat Report, Volume V, Published March 2004
    • Peltier and Associates. “Mapping Policies to the Enterprise.”
    • David Lynas. “Return on Investment from Information Security.”
    • www.antiphishing.org
    • www.attrition.org
    • www.cio.com
    • www.csoonline.com
    • www.dshield.org
    • www.ftc.gov
    • www.gocsi.com
    • www.metagroup.com
    • www.redpay.com
    • www.searchsecurity.com
    • www.schneier.com
    • www.sensepost.com
    • www.siia.net
    • www.zone-h.org
  • 51. Contact Details and Questions
    • Luc de Graeve
      • [email_address]
      • [email_address]
      • +27 (012) 667 4737
    • QUESTIONS?
    • THANK YOU!