"Enterprise Security from a C-Level Perspective" — Information Systems Security Association (ISSA), Space Coast Florida Chapter. William H. Miller, Jr., Industry IT Executive & Independent Consultant. Hosted at Florida Institute of Technology. December, 2010 / Feb 11, 2011
We are in the Right Profession Today! An engineer dies and reports to the pearly gates. St. Peter checks his dossier and says, "Ah, you're an engineer -- you're in the wrong place." So, the engineer reports to the gates of hell and is let in. Pretty soon, the engineer gets dissatisfied with the level of comfort in hell, and starts designing and building improvements. After a while, they've got air conditioning and flush toilets and escalators, and the engineer is a pretty popular guy. One day, God calls Satan up on the telephone and says with a sneer, "So, how's it going down there in hell?" Satan replies, "Hey, things are going great. We've got air conditioning and flush toilets and escalators, and there's no telling what this engineer is going to come up with next." God replies, "What??? You've got an engineer? That's a mistake -- he should never have gotten down there; send him up here." Satan says, "No way. I like having an engineer on the staff, and I'm keeping him." God says, "Send him back up here or I'll sue." Satan laughs uproariously and answers, "Yeah, right. And just where are YOU going to get a lawyer?"
Former Intelligence Chief Says A Cyber Attack Is Inevitable
By Brian Wingfield, Business in the Beltway, November 23, 2010
"Admiral J. Michael McConnell, the former Director of National Intelligence now at Booz Allen Hamilton, was interviewed recently by Forbes. He indicated that a cyber attack is inevitable. When he was asked, 'Are we at a greater disadvantage than any of our adversaries?' he answered, 'Yes, and there's a very simple reason: We're more vulnerable because we're more dependent [on technology].' Mr. McConnell said change will only come about through dialogue; otherwise it will happen after a catastrophe. Mr. McConnell noted that intellectual capital is also at risk, not just information and money."
New Cybersecurity Center planned for Univ. of MD
From Baltimore Examiner on line, October 20, 2010
"The University of Maryland is launching a new cybersecurity initiative that aims to stimulate public-private partnerships and address national vulnerabilities, including those facing industry. The idea is to help 'connect the dots' in the region's fast-growing federal and private cyber sector. The focal point of the initiative, the new Maryland Cybersecurity Center (MC-squared, or MC2), will adopt a holistic approach to cybersecurity education, research and technology development, stressing comprehensive, interdisciplinary solutions."
First pan-European cyber security simulation
From European Commission - Joint Research Centre, April 11, 2010
"Europe's cyber security experts are putting their skills to the test today in the first ever pan-European exercise. In 'Cyber Europe 2010', experts will try to counter simulated attempts by hackers to paralyse critical online services in several EU Member States. The event is organised by EU Member States with support from the European Network Security Agency (ENISA) and the JRC's Institute for the Protection and Security of the Citizen (IPSC)."
Cyberspace has a completely different physics than any other domain. It is impossible to "take and hold" cyberspace. Cyberspace is a dynamical system that runs at super human speed.
A good offense is NOT a good defense. Instead, a good defense is the ONLY defense. Throwing a better, more accurate rock in a glass house is still throwing a rock. Our systems are so permeated with problems that even an untrained child can exploit them.
Divide and conquer will not work. Civilian, government, and military systems are so deeply entangled that they cannot be separated and protected distinctly. The nature of the entanglement is the people who interact with the systems.
Cyber crime and cyber espionage are more important than cyber war. The (very) bad news is that shiny new cyber weaponry will be repurposed for crime and spycraft — reason enough to take pause before charging ahead with offense. The good news is that fixing the broken stuff will help simultaneously combat crime, war, and espionage.
Public/private partnerships pander politically but they do no real good. As it turns out, security is not a game of ops centers, information sharing, and reacting when the broken stuff is exploited. Instead, it is about building our systems to be secure, resilient, survivable.
No security is perfect and problems will happen. Even if a large portion of taxpayer money and collective know-how is dedicated to the task of building better, more secure systems, mistakes will still be made and systems will still be attacked and compromised. Cyber security policy must be built on the assumption that risk cannot be completely avoided, meaning that systems must continue to function even in sub-optimal conditions.
If it sounds like BS or magic, it's probably not true.
Article by Gary McGraw and Ivan Arce, Nov 24, 2010: "Software [In]security: Cyber Warmongering and Influence Peddling"
Some Thoughts on Cyber “Good Guys and Bad Guys”
Don’t confuse National Interest with Corporate Objectives
Suppliers to the U.S. DoD are global today and have very complex entity structures and ownership models
Our adversaries may have drastically different “value systems” and are not necessarily bad guys by the traditional definition
Cyber theft is less of an issue of ethics, and more a matter of law and governmental preservation
Offensive and Defensive Cyber Capabilities often grow in the same garden...
What are Some of Our Key Security Framework Components?
Comprehensive Security Architecture
Security Staffing Plan
Incident Response Plans & Ready Teams
Self Assessment Models
Secure NOC & 7/24 ‘Eyes on Target’
Appropriate Budgeting Models
Industry Partnering Agreements
Meaningful Metrics and KPIs
Management Communications Plan
"Best Practices" Communiqués to Employees
Prioritized Strategy for Incremental Tool Investments
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications is far greater than the number of vulnerabilities discovered in operating systems. As a result, more exploitation attempts are recorded on application programs. The most "popular" applications for exploitation tend to change over time since the rationale for targeting a particular application often depends on factors like prevalence or the inability to effectively patch. Due to the current trend of converting trusted web sites into malicious servers, browsers and client-side applications that can be invoked by browsers seem to be consistently targeted. (2009 Data)
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Figure: Security Investment Evolution (timeline chart; only the chart labels survive). Maturity phases: Reactive, Compliance, Proactive, Optimized. Control milestones: Undefined policies, procedures; Informal policies, procedures; SOX – Initial control structure; Enterprise control framework; Measurement processes emerge; Continuous process improvements; Security Advisory Group. Threat progression: Virus, Script Kiddies, Insider Threat, APTs, Nation State Attacks, True Cyber Warfare. Timeline years: 2000, 2004, 2009, 2010, 2012, 2014, 2015. Security Investment axis: $XM, $YM, $ZM. Annotation: "New threats may require additional investments?"
Security Tools are Expensive and Burdensome...