Major global information security trends - a summary

1,357 views

Published on

Presentation by Luc de Graeve at internetix in 2004.

This presentation is a summery of global information security trends in the business environment .The presentation begins with an introduction to major global trends. Legal Issues, threats, technologies and solutions are discussed

Published in: Technology, News & Politics
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,357
On SlideShare
0
From Embeds
0
Number of Embeds
19
Actions
Shares
0
Downloads
13
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Major global information security trends - a summary

  1. 1. “ Major Global Information Security Trends – a Summary” Luc de Graeve SensePost and RedPay
  2. 2. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul><ul><li>Major Global Trends: </li></ul><ul><ul><li>The Business Environment </li></ul></ul><ul><ul><li>Regulatory and Legal Issues </li></ul></ul><ul><ul><li>Threats </li></ul></ul><ul><ul><li>Technologies and Solutions </li></ul></ul><ul><li>A final thought </li></ul><ul><li>References, Contact details and Questions </li></ul>
  3. 3. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul>
  4. 4. SETTING THE SCENE - INTRODUCTION <ul><li>A summary – an oxymoron </li></ul><ul><ul><li>Huge environment </li></ul></ul><ul><ul><li>Complex environment </li></ul></ul><ul><ul><li>Fast-moving environment </li></ul></ul><ul><ul><li>Interactions with multiple areas </li></ul></ul><ul><li>Each area – subject matter of its own </li></ul><ul><ul><li>A whirlwind 45-minute tour </li></ul></ul><ul><ul><li>Subset….no time for exhaustive areas </li></ul></ul>Non Technical…….as much as possible.
  5. 5. SETTING THE SCENE - INTRODUCTION <ul><li>Source Background </li></ul><ul><ul><li>Sell no products </li></ul></ul><ul><ul><li>Clients all over the world </li></ul></ul><ul><ul><li>Spend huge amounts of time researching the space </li></ul></ul><ul><ul><li>Consult to International Private, Public and Government </li></ul></ul><ul><ul><li>Involvement in Information gathering – CSI to DefCon </li></ul></ul><ul><ul><li>Provide some references later </li></ul></ul>
  6. 6. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul>
  7. 7. SETTING THE SCENE – A PROBLEM CHRONOLOGY <ul><li>Obscurity Phase </li></ul><ul><ul><li>Predominantly cryptographic culture </li></ul></ul><ul><ul><li>Time of Line, data, voice, PIN crypto </li></ul></ul><ul><li>Access Phase </li></ul><ul><ul><li>The company network and database effect </li></ul></ul><ul><ul><li>Time of Access control </li></ul></ul><ul><ul><li>Start of sharing of information across companies </li></ul></ul><ul><li>Interconnected Phase </li></ul><ul><ul><li>The Internet effect </li></ul></ul><ul><ul><li>Time of Firewalls, AVS, IDS/IPS and many others </li></ul></ul><ul><li>Fear and control Phase </li></ul><ul><ul><li>The Terrorist and Fraudster effect </li></ul></ul><ul><ul><li>Time of Legal and Regulatory controls </li></ul></ul><ul><ul><li>… ..possibly the beginning of end-to-end security? </li></ul></ul><ul><li>Wood for the trees </li></ul><ul><ul><li>Different companies in different phases </li></ul></ul>
  8. 8. SETTING THE SCENE – A PROBLEM DEFINITION <ul><li>Information Security – present definition </li></ul><ul><ul><li>Often hype driven </li></ul></ul><ul><ul><li>Regularly perception driven </li></ul></ul><ul><ul><li>Threat event driven </li></ul></ul><ul><ul><li>Supplier driven </li></ul></ul><ul><ul><li>Interconnected companies </li></ul></ul><ul><ul><li>Diffuse responsibilities…………. </li></ul></ul><ul><li>……… Many things to many people </li></ul><ul><li>Today’s summary – cover a number of aspects </li></ul><ul><li>Keep the definition broad-based </li></ul>
  9. 9. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul>
  10. 10. SETTING THE SCENE – STATISTICS <ul><li>Terri Curran – respected security consultant in USA…Analysis of following sources Nov 2003 – June 2004: </li></ul><ul><ul><li>Multiple Information Security mail-lists </li></ul></ul><ul><ul><li>Computer Security Institute poll </li></ul></ul><ul><ul><li>CISSP forum analysis </li></ul></ul><ul><ul><li>META Group Research on Trends 2003 </li></ul></ul><ul><ul><li>Yankee Group 2003 Enterprise Security Spending Survey </li></ul></ul><ul><ul><li>Kenneth Knapp survey – Auburn University (CISSP) </li></ul></ul><ul><ul><li>Peter Gregory, Computer World December 2003 </li></ul></ul><ul><ul><li>Independent Security Practitioner’s Poll </li></ul></ul><ul><li>2004 CSI/FBI Computer Crime and Security Survey </li></ul><ul><li>March 2004 Symantec Internet Security Threat Report </li></ul><ul><li>… ..Too many sources to mention </li></ul>
  11. 11. SETTING THE SCENE – STATISTICS <ul><li>CISSP Forum analysis – a summary* </li></ul><ul><ul><li>ROI & Information Security Metrics </li></ul></ul><ul><ul><li>SPAM </li></ul></ul><ul><ul><li>Malware </li></ul></ul><ul><ul><li>Legislation, Regulation (SOX) </li></ul></ul><ul><ul><li>Cyberterrorism </li></ul></ul><ul><ul><li>Perimeter security </li></ul></ul><ul><ul><li>Product Selection issues </li></ul></ul><ul><ul><li>Firewall deployment </li></ul></ul><ul><ul><li>Security Certification </li></ul></ul><ul><ul><li>Best Practices </li></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  12. 12. SETTING THE SCENE – STATISTICS <ul><li>META Group Research on Trends – a summary* </li></ul><ul><ul><li>Security strategy </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Organization/Governance/Budget </li></ul></ul><ul><ul><li>Identity </li></ul></ul><ul><ul><li>Threat and Vulnerability </li></ul></ul><ul><ul><li>Physical Security </li></ul></ul><ul><ul><li>Content Security </li></ul></ul><ul><ul><li>Application Security </li></ul></ul><ul><ul><li>Isolation </li></ul></ul><ul><ul><li>Strategic Processes </li></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  13. 13. SETTING THE SCENE – STATISTICS <ul><li>The Yankee Group 2003 Enterprise Security Spending Survey – a summary* </li></ul><ul><ul><li>Top 4 product areas budgeted for 2004 </li></ul></ul><ul><ul><ul><li>Antivirus </li></ul></ul></ul><ul><ul><ul><li>IDS and IPS </li></ul></ul></ul><ul><ul><ul><li>Firewalls </li></ul></ul></ul><ul><ul><ul><li>Web Application Security </li></ul></ul></ul><ul><ul><li>Other items on top 10 product list: </li></ul></ul><ul><ul><ul><li>VPN </li></ul></ul></ul><ul><ul><ul><li>Access Control </li></ul></ul></ul><ul><ul><ul><li>Storage Security </li></ul></ul></ul><ul><ul><ul><li>Antispam </li></ul></ul></ul><ul><ul><ul><li>Authentication </li></ul></ul></ul><ul><ul><ul><li>Wireless Security </li></ul></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  14. 14. SETTING THE SCENE – STATISTICS <ul><li>The Yankee Group 2003 Enterprise Security Spending Survey – a summary* </li></ul><ul><ul><li>Top service area budgeted for 2004: </li></ul></ul><ul><ul><ul><li>Firewalls </li></ul></ul></ul><ul><ul><li>Four important service areas budgeted for 2004: </li></ul></ul><ul><ul><ul><li>IDS </li></ul></ul></ul><ul><ul><ul><li>Vulnerability Management </li></ul></ul></ul><ul><ul><ul><li>User Identity Administration </li></ul></ul></ul><ul><ul><ul><li>Security Assessments </li></ul></ul></ul><ul><ul><li>Other service areas budgeted for 2004: </li></ul></ul><ul><ul><ul><li>Strategic Consulting </li></ul></ul></ul><ul><ul><ul><li>Regulatory Compliance </li></ul></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  15. 15. SETTING THE SCENE – STATISTICS <ul><li>The Yankee Group 2003 Enterprise Security Spending Survey – a summary* </li></ul><ul><ul><li>Security incidents experienced in 2003: </li></ul></ul><ul><ul><ul><li>Virus/Worms (83%) </li></ul></ul></ul><ul><ul><ul><li>Denial of Service attacks (40%) </li></ul></ul></ul><ul><ul><ul><li>Unauthorised data access (34%) </li></ul></ul></ul><ul><ul><ul><li>Misconfiguration (32%) </li></ul></ul></ul><ul><ul><ul><li>Web Site penetration (29%) </li></ul></ul></ul><ul><ul><ul><li>Theft of customer data (13%) </li></ul></ul></ul><ul><ul><ul><li>Disclosure of customer data (8%) </li></ul></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  16. 16. SETTING THE SCENE – STATISTICS <ul><li>Kenneth Knapp CISSP survey – a summary* </li></ul><ul><ul><li>Greatest Security Concerns; </li></ul></ul><ul><ul><ul><li>Top Management support </li></ul></ul></ul><ul><ul><ul><li>Patch Management </li></ul></ul></ul><ul><ul><ul><li>Malware </li></ul></ul></ul><ul><ul><ul><li>Legal and regulatory issues </li></ul></ul></ul><ul><ul><ul><li>Internal threats </li></ul></ul></ul><ul><ul><ul><li>Access control and identity management </li></ul></ul></ul><ul><ul><ul><li>SDLC support for Information Security </li></ul></ul></ul><ul><ul><ul><li>Privacy </li></ul></ul></ul><ul><ul><ul><li>Business Continuity and Disaster Recovery </li></ul></ul></ul><ul><ul><ul><li>SPAM </li></ul></ul></ul><ul><ul><ul><li>Firewall and IDS Configurations </li></ul></ul></ul><ul><ul><ul><li>External Connectivity to other organisations </li></ul></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  17. 17. SETTING THE SCENE – STATISTICS <ul><li>Peter Gregory, Computerworld survey – a summary* </li></ul><ul><ul><li>Greatest Security Concerns/Hype for 2004; </li></ul></ul><ul><ul><ul><li>SPAM </li></ul></ul></ul><ul><ul><ul><li>Internet access filtering </li></ul></ul></ul><ul><ul><ul><li>Desktop management </li></ul></ul></ul><ul><ul><ul><li>Personal Firewalls </li></ul></ul></ul><ul><ul><ul><li>Leaky Metadata </li></ul></ul></ul><ul><ul><ul><li>Wi-Fi break in </li></ul></ul></ul><ul><ul><ul><li>Bluetooth </li></ul></ul></ul><ul><ul><ul><li>Mobile phone hacking </li></ul></ul></ul><ul><ul><ul><li>Instant Messaging incident </li></ul></ul></ul><ul><ul><ul><li>Organised Crime </li></ul></ul></ul><ul><ul><ul><li>Shorter time to exploitation </li></ul></ul></ul><ul><ul><li>* Collated from Terri Curran CISSP, CISM, CPP, MICAF research – Copyright 2004 (June) </li></ul></ul>
  18. 18. SETTING THE SCENE – STATISTICS <ul><li>CSI/FBI June 2004 survey – highlights </li></ul><ul><ul><li>Decline in reported unauthorised use </li></ul></ul><ul><ul><li>Decrease in reported dollar loss from security breaches </li></ul></ul><ul><ul><li>Denial of Service most expensive computer crime </li></ul></ul><ul><ul><li>Percentage companies reporting incidents declining </li></ul></ul><ul><ul><li>Economic evaluation of security expenditures: </li></ul></ul><ul><ul><ul><li>ROI – 55% of companies </li></ul></ul></ul><ul><ul><ul><li>IRR – 28% of companies </li></ul></ul></ul><ul><ul><ul><li>NPV – 25% of companies </li></ul></ul></ul><ul><ul><li>Most companies conduct security audits (>80%) </li></ul></ul><ul><ul><li>Outsourcing – most companies do not (63%) </li></ul></ul><ul><ul><ul><li>When done – selective areas (25% …less than 20% of function) </li></ul></ul></ul><ul><ul><li>Not enough security awareness focus in organisations </li></ul></ul><ul><ul><li>Sarbanes-Oxley Act beginning to have an impact </li></ul></ul>
  19. 19. SETTING THE SCENE – STATISTICS <ul><li>CSI/FBI June 2004 survey – highlights </li></ul><ul><ul><li>Action taken after experiencing computer intrusion: </li></ul></ul><ul><ul><ul><li>Patched holes (91%) </li></ul></ul></ul><ul><ul><ul><li>Did not report (48%) </li></ul></ul></ul><ul><ul><ul><li>Reported to law enforcement (20%) </li></ul></ul></ul><ul><ul><ul><li>Reported to legal council (16%) </li></ul></ul></ul><ul><ul><li>Prime reasons cited for not going to authorities: </li></ul></ul><ul><ul><ul><li>Negative publicity – hurt stock/image (51%) </li></ul></ul></ul><ul><ul><ul><li>Competitors could use to their advantage (35%) </li></ul></ul></ul>
  20. 20. SETTING THE SCENE – STATISTICS? <ul><li>The problem with these statistics: </li></ul><ul><ul><li>Each survey has different respondent profile </li></ul></ul><ul><ul><li>Each survey questions posed differently </li></ul></ul><ul><ul><li>Survey questions have to change from year to year </li></ul></ul><ul><ul><li>Surveys not quoted entirely in context </li></ul></ul><ul><ul><ul><li>Purveyors of news </li></ul></ul></ul><ul><ul><ul><li>Purveyors of information </li></ul></ul></ul><ul><ul><ul><li>Vendors </li></ul></ul></ul><ul><ul><ul><li>Recipients of information </li></ul></ul></ul><ul><ul><li>Access to surveys is often restricted </li></ul></ul><ul><ul><ul><li>Closed/special user communities </li></ul></ul></ul><ul><ul><ul><li>Some surveys are only for paid up members </li></ul></ul></ul><ul><ul><li>Analysing only one (or parts of one) survey can be fatal </li></ul></ul>
  21. 21. SETTING THE SCENE – STATISTICS? <ul><li>How does one obtain value? </li></ul><ul><ul><li>Have to be actively involved in the industry </li></ul></ul><ul><ul><ul><li>Globally </li></ul></ul></ul><ul><ul><ul><li>Multiple clients </li></ul></ul></ul><ul><ul><ul><li>Multiple industries </li></ul></ul></ul><ul><ul><li>Constantly evaluate new technologies </li></ul></ul><ul><ul><li>Do trending from industry knowledge sharing lists </li></ul></ul><ul><ul><li>Analysis of multiple sources is absolutely essential </li></ul></ul><ul><ul><li>Correlation study of threats, solutions and environment </li></ul></ul><ul><ul><li>Share knowledge </li></ul></ul><ul><ul><ul><li>share knowledge </li></ul></ul></ul><ul><ul><ul><ul><li>share knowledge... </li></ul></ul></ul></ul>
  22. 22. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul><ul><li>Major Global Trends: </li></ul><ul><ul><li>The Business Environment </li></ul></ul>
  23. 23. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT <ul><li>Increased online availability of information </li></ul><ul><ul><li>More sophisticated information systems </li></ul></ul><ul><ul><li>Increased need for communication with others </li></ul></ul><ul><ul><li>Increased need for sharing information with others </li></ul></ul><ul><ul><li>Improved transport mechanisms for information </li></ul></ul><ul><ul><li>Multiple client channels to service providers </li></ul></ul><ul><ul><li>Multiple partner channels between organisations </li></ul></ul><ul><ul><li>ERP systems – company information repositories. </li></ul></ul><ul><ul><li>Increased use of standard computing delivery platforms </li></ul></ul><ul><ul><li>Ubiquitous Internet and Web </li></ul></ul>GT - Complexity is the number one enemy of Information Security
  24. 24. MAJOR GLOBAL TRENDS – THE BUSINESS ENVIRONMENT <ul><li>Increased business model sophistication </li></ul><ul><ul><li>Larger, more complex organisations </li></ul></ul><ul><ul><li>Mix of centralisation and de-centralisation </li></ul></ul><ul><ul><li>Diffuse and ill defined responsibilities, accountabilities and authorities in organisations </li></ul></ul><ul><ul><li>Complex, interlinked internal processes </li></ul></ul><ul><ul><li>Complex relationships with other entities </li></ul></ul><ul><ul><li>Multitude of legacy, current and futuristic computing platforms in organisations </li></ul></ul><ul><ul><li>Incomplete understanding of asset and risk classification </li></ul></ul>GT - Complexity is the number one enemy of Information Security
  25. 25. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul><ul><li>Major Global Trends: </li></ul><ul><ul><li>The Business Environment </li></ul></ul><ul><ul><li>Regulatory and Legal Issues </li></ul></ul><ul><ul><ul><li>… or in layman’s terms “When can I sue?” </li></ul></ul></ul>
  26. 26. MAJOR GLOBAL TRENDS – REGULATORY AND LEGAL ISSUES <ul><li>A large number of “new” Laws, Regulations and Standards </li></ul><ul><ul><li>NERC Cyber Security Standard 1200 (USA) </li></ul></ul><ul><ul><li>BS7799, ISO17799, FISMA (USA), ISG (USA) </li></ul></ul><ul><ul><li>ISF, COBIT </li></ul></ul><ul><ul><li>King II Report </li></ul></ul><ul><ul><li>Health Insurance Portability and Accountability Act (HIPAA) </li></ul></ul><ul><ul><li>Sarbanes-Oxley (SOX) </li></ul></ul><ul><ul><li>Gramm, Leach, Bliley Act (GLBA) </li></ul></ul><ul><ul><li>ECT Act, Commsec Act </li></ul></ul><ul><ul><li>…… and many, many more!.....to be tested in the courts!! </li></ul></ul>GT: New legal landscape will force enhanced security!
  27. 27. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul><ul><li>Major Global Trends: </li></ul><ul><ul><li>The Business Environment </li></ul></ul><ul><ul><li>Regulatory and Legal Issues </li></ul></ul><ul><ul><li>Threats </li></ul></ul>*Note* Do not be scared – be aware!
  28. 28. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul><ul><ul><ul><li>21 May 2001 – approximately 100 website defacements per day (Attrition.org) </li></ul></ul></ul><ul><ul><ul><li>9 January 2003, 15h30 - 177 defacements </li></ul></ul></ul><ul><ul><ul><li>2 March 2004, 18h30 - 403 defacements </li></ul></ul></ul><ul><ul><ul><li>18 July 2004, 14h30 – 1096 defacements </li></ul></ul></ul>GT: A continued increase in website defacements!
  29. 29. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  30. 30. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  31. 31. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  32. 32. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  33. 33. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  34. 34. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  35. 35. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>Just in case you missed out on the whole ordeal last week, we were hacked 4 times by an elite group called r 139. So we thought we would help the hackers out by hacking our own page to save them some time...
  36. 36. MAJOR GLOBAL TRENDS - THREATS <ul><li>HACKERS …..and other (bigger?) beasts. </li></ul><ul><ul><li>Website defacements: </li></ul></ul>
  37. 37. MAJOR GLOBAL TRENDS - THREATS <ul><li>MALWARE – Viruses, Worms and Horses </li></ul>Usual Suspects - Code Red Initiation: 19-07-2001 @ 00.00 Completion: 19-07-2001 @ 19.50
  38. 38. MAJOR GLOBAL TRENDS - THREATS <ul><li>MALWARE – Viruses, Worms and Horses </li></ul>Usual Suspects – Saphire/SQL Initiation: 25-01-2003 @ 05:29 Completion: 25-01-2003 @ 06:00 GT: A continued increase in speed of infections!
  39. 39. MAJOR GLOBAL TRENDS - THREATS <ul><li>Characteristics of attack profile trends </li></ul><ul><ul><li>Speed of attack generation increasing </li></ul></ul><ul><ul><li>Sophistication levels of attacks increasing </li></ul></ul><ul><ul><li>Time from Vulnerability to Exploit decreasing </li></ul></ul><ul><ul><li>Coordination levels of attacks increasing </li></ul></ul><ul><ul><ul><li>From DOS to DDOS to GDOS </li></ul></ul></ul><ul><ul><li>Attacks utilise ever larger number of combined techniques </li></ul></ul><ul><ul><li>Definite increase in Application Level Attacks </li></ul></ul><ul><ul><ul><li>… in addition to simpler Network Level Attacks </li></ul></ul></ul>GT: A continued increase in Attack Sophistication!
  40. 40. MAJOR GLOBAL TRENDS - THREATS <ul><li>IDENTITY THEFT - Definition: </li></ul><ul><ul><li>When an entity pretends to be another entity, without any authorisation, with the aim of gain. </li></ul></ul><ul><li>“ It is not only the most difficult thing to know oneself, but the most inconvenient, too.” H.W. Shaw </li></ul><ul><li>“ Why steal from someone if you can just become that person?” Bruce Schneier </li></ul><ul><li>Considered the fastest growing crime globally </li></ul><ul><ul><li>Figures ranging between 46% and 58% ACGR </li></ul></ul><ul><li>Consists of personal and corporate ID theft. </li></ul>GT: ID theft – the fastest growing crime globally!
  41. 41. MAJOR GLOBAL TRENDS - THREATS <ul><li>IDENTITY THEFT and PHISHING </li></ul><ul><ul><li>Mechanisms and components in online world </li></ul></ul><ul><ul><ul><li>SPAM – using spoofed e-mails </li></ul></ul></ul><ul><ul><ul><li>Social Engineering </li></ul></ul></ul><ul><ul><ul><li>Corporate Website Spoofing </li></ul></ul></ul><ul><ul><li>SPAM – in excess of 50% of Internet traffic </li></ul></ul><ul><ul><li>PHISHING </li></ul></ul><ul><ul><ul><li>Obtaining personal financial information online. </li></ul></ul></ul><ul><ul><ul><li>Hijacking of trusted brands </li></ul></ul></ul><ul><ul><ul><li>419 Scams </li></ul></ul></ul><ul><ul><ul><li>List making for further SPAM </li></ul></ul></ul><ul><ul><ul><li>Malware Distribution </li></ul></ul></ul>
  42. 42. MAJOR GLOBAL TRENDS - THREATS <ul><li>IDENTITY THEFT and PHISHING </li></ul>It is a complex problem: Show me all the domains on the Internet that look and sound like my company, but that do not belong to me…
  43. 43. MAJOR GLOBAL TRENDS - THREATS <ul><li>IDENTITY THEFT and PHISHING </li></ul>GT: Phishing attack trend points to huge IDtheft attack increase on the Web!
  44. 44. MAJOR GLOBAL TRENDS - THREATS <ul><li>In Summary: </li></ul><ul><ul><li>All information points to increase in attack vectors on the Internet. </li></ul></ul><ul><ul><li>Sophistication and speed of attacks increase </li></ul></ul><ul><ul><li>The Internet environment is increasingly used by criminal elements. </li></ul></ul>However – this by no means implies that one does not use the environment……which brings us to trends in the Technologies and Solutions space…
  45. 45. TOPICS TO COVER <ul><li>Setting the Scene: </li></ul><ul><ul><li>Introduction – Major Global trends </li></ul></ul><ul><ul><li>Information Security – a problem definition </li></ul></ul><ul><ul><li>Statistics, suitable statistics and perceptions </li></ul></ul><ul><li>Major Global Trends: </li></ul><ul><ul><li>The Business Environment </li></ul></ul><ul><ul><li>Regulatory and Legal Issues </li></ul></ul><ul><ul><li>Threats </li></ul></ul><ul><ul><li>Technologies and Solutions </li></ul></ul>
  46. 46. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS <ul><li>What are most companies spending their security efforts on? </li></ul><ul><ul><li>Anti Virus Systems </li></ul></ul><ul><ul><li>Firewalls </li></ul></ul><ul><ul><li>IDS/IPS solutions </li></ul></ul><ul><ul><li>Patch Management </li></ul></ul><ul><li>These assist in reducing effects of intrusion attacks and malware attacks </li></ul><ul><ul><li>Reduces potential financial and reputational loss </li></ul></ul><ul><ul><li>Improves Quality of Service….but…. </li></ul></ul><ul><ul><li>Insufficient to combat fraud and reduce criminal element </li></ul></ul>GT: Most companies still focused on Perimeter Security
  47. 47. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS <ul><li>Additionally - what are leading companies spending their security efforts on? </li></ul><ul><ul><li>Substantial User Awareness Programs </li></ul></ul><ul><ul><li>Improvement of processes that have security implication </li></ul></ul><ul><ul><li>Classification of user base and risk profiling </li></ul></ul><ul><ul><li>Classification of Information </li></ul></ul><ul><ul><li>Gearing up legal and forensics department </li></ul></ul><ul><ul><li>Ongoing Security Assessments </li></ul></ul><ul><ul><li>Multi-layering of security environments </li></ul></ul><ul><ul><li>Implementing and monitoring Security Baselining standards </li></ul></ul>GT: Leading Companies are starting to look at Information Security using business principles!
  48. 48. MAJOR GLOBAL TRENDS – TECHNOLOGIES AND SOLUTIONS <ul><li>Additionally - what are leading companies spending their security efforts on? </li></ul><ul><ul><li>Multi-factor authentication for selected applications </li></ul></ul><ul><ul><li>Securing selected Web Applications </li></ul></ul><ul><ul><li>Incorporating security in the I.T. System development Life Cycle (SDLC) </li></ul></ul><ul><ul><li>Identity Management for complex environments </li></ul></ul><ul><ul><li>Analysing end-to-end security for selected applications </li></ul></ul><ul><ul><li>Clearer understanding of Acceptable Residual Risk </li></ul></ul>GT: Leading Companies are looking after the basics! GT: Leading Companies are viewing Information Security as an important part of doing business! GT: Some Leading Companies are viewing Information Security as a Competitive differentiator!
  49. 49. MAJOR GLOBAL TRENDS – A FINAL THOUGHT <ul><li>“ Information security will continue to be a catch-up game…. </li></ul><ul><ul><li>the complex environment and the criminal nature of the lunatic fringe will force organisations to do the best they can within their given constraints. </li></ul></ul><ul><ul><li>One hundred percent security is not the aim. Trade as safely as your risk profile will allow and keep a look out for the trends.” </li></ul></ul><ul><li>“ THE TREND IS YOUR FRIEND!” </li></ul>
  50. 50. SELECTED REFERENCES <ul><li>Curran, Terri. “ Security trends from a practitioner’s perspective.” CSI NetSec04 paper. </li></ul><ul><li>Marc R. Menninger, Fiora Stevens. “Deriving Privacy Due Care practices from HIPAA and GLBA.” </li></ul><ul><li>Ninth Annual (2004) CSI/FBI Computer Crime and Security Survey </li></ul><ul><li>Symantec Internet Security Threat Report, Volume V, Published March 2004 </li></ul><ul><li>Peltier and Associates. “Mapping Policies to the Enterprise.” </li></ul><ul><li>David Lynas. “Return on Investment from Information Security.” </li></ul><ul><li>www.antiphishing.org </li></ul><ul><li>www.attrition.org </li></ul><ul><li>www.cio.com </li></ul><ul><li>www.csoonline.com </li></ul><ul><li>www.dshield.org </li></ul><ul><li>www.ftc.gov </li></ul><ul><li>www.gocsi.com </li></ul><ul><li>www.metagroup.com </li></ul><ul><li>www.redpay.com </li></ul><ul><li>www.searchsecurity.com </li></ul><ul><li>www.schneier.com </li></ul><ul><li>www.sensepost.com </li></ul><ul><li>www.siia.net </li></ul><ul><li>www.zone-h.org </li></ul>
  51. 51. Contact Details and Questions <ul><li>Luc de Graeve </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>+27 (012) 667 4737 </li></ul></ul><ul><li> QUESTIONS? </li></ul><ul><li>THANK YOU! </li></ul>

×