Larry Clinton Barry Foer - Internet Security · PDF file · 2016-10-13Larry Clinton President [email protected] ... ISA Board of Directors Ty Sagalow, Esq., Chairman President

Larry Clinton President

[email protected] 703-907-7028 202-236-0001

Barry Foer Director of Policy & Membership

[email protected] 703-907-7799

ISA Board of Directors Ty Sagalow, Esq., Chairman President Product Development, AIG Dr. Sagar Vidyasagar, 2nd Vice Chair Exec VP, Tata Consulting Services

J. Michael Hickey, 1st Vice Chair VP Government Affairs, Verizon Marc-Anthony Signorino, Treasurer Director Technology Policy, National Association of Manufacturers

• Tim McKnight, CSO, Northrop Grumman • Jeff Brown, CISO/Director IT Infrastructure, Raytheon • Eric Guerrino, SVP/CIO, Bank of New York • Ken Silva, Chief Technology Officer, VeriSign • Lawrence Dobranski, Chief Strategic Security, Nortel • Charles Croom, Vice President, Cyber Security Strategy, Lockheed Martin • Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences • Joe Buonomo, CEO DCR Software Inc.

Our Partners

The Web is Inherently Insecure---and getting more so

The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue….TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.”

Source: Hancock, Cutter Technology Journal 06

The Changing Threat Faces of Attackers… Then

Chen-Ing Hau CIH Virus

Joseph McElroy

Hacked US Dept of Energy

Jeffrey Lee Parson

Blaster-B Copycat

Faces of Attackers… Now

Andrew Schwarmkoff Russian Mob Phisher

Jay Echouafni

Competitive DDoS

Jeremy Jaynes

$24M SPAM KING

The Changing Threat

•  Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail

•  Vulnerabilities are on client-side applications word, spreadsheets, printers, etc.

•  The problem is much more severe than the release of personal data, modern attackers are stealing source code, corporate intellectual property, entire business operations systems are being vacuumed and transplanted

•  Our physical security is reliant on our cyber security

Newer Threats

Designer malware: Malware designed for a specific target or small set of targets

Spear Phishing: Combines Phishing and social engineering Ransomware: Malcode packs important files into encrypted archive &

deletes original then ransom is demanded RootKits: shielding technology to make malcode invisible to the op

system

Characteristics of the New Attackers

Shift to profit motive Zero day exploits Increased investment and innovation in malcode Increased use of stealth techniques

Digital Growth?

“Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.”

---Stanford University Study, July 2006

Sure

Not so much…

•  Only 56% of respondents employ a security executive at the C-level---down 4% from the previous survey

•  Only 43% audit or monitor compliance with security policies (if they have them)

•  Just over half of companies (55%) use encryption

•  1/3 of respondents don’t even use firewalls

•  Only 22% of companies keep an inventory of all outside parties use of their data

Digital Defense?

Not so much… 23% of CTOs did not know if cyber losses were covered by

insurance. 34% of CTOs thought cyber losses would be covered by

insurance----and were wrong. “The biggest network vulnerability in American corporations

are extra connections added for senior executives without proper security.”

---Source: DHS Chief Economist Scott Borg

Digital Defense?

CSO Magazine Study 10/08 7,000 companies world wide

•  Only 59% of respondents attest to even having an overall security policy

•  Nearly half of all respondents said can’t identify the source of information security incidents they have suffered in the past year

•  Employees and former employees are the biggest source of security incidents accounting for half of the ones we can trace

* Only half of respondents provide employees with security awareness training

The Good News: We know (mostly) what to do

•  2005 CIO/Priceaterhouse study of 7,000 organizations world-wide found 20% best practices group (although attacked more) suffered less downtime, less financial loss—none at times.

•  2008 Verizon study 500 forensic cases and thousands of data points found following best practices could stop 90% of breaches

•  CIA due diligence can stop 90% of attacks, implementation is the key.

How do we really protect ourselves?

1.  Adopt an enterprise wide, risk management approach

2.  Since this is an enterprise wide problem, you have to get all the critical “silos” at the table

3.  Determine who really is involved (other than IT) 4.  Determine what you are going to answer 5.  THEN decide what to do (software? training?

contracts w/affiliates? Insurance? outreach?)

Legal/Regulatory Issues

•  Have cyber liabilities been analyzed? •  What regulations apply to lines of business? •  Exposed to class action/shareholder suits? •  Is org protected from business interruptions? •  Org protected from fed/state govt. investigations? •  What jurisdictions does date move through? •  What is in our contracts? •  What does our privacy policy say?

Compliance/Regulatory

•  Have an inventory of what regs apply to us? •  Know what reg data is and where its located? •  Valid reasons for keeping this data? •  What have we done to protect the data? •  Incident response program/notification program? •  What is impact of possible data loss? •  Procedures in place for tracking compliance? •  How are we tracking vendors procedures?

External Rel & Comm.

•  Analyzed impact of events on reputation/stakeholders/customers etc?

•  Plan for communicating with stakeholders? •  Identified resources/budget needed for plan? •  Clear roles and responsibilities for comm? •  Thought through segmenting messages for different

stakeholders? •  Legal requirements for notification? Tested it?

Risk transfer

•  What is exposure (brand/confidence/physical loss?—how do we measure?

•  Are you already covered? D&O? •  Do we need to bring in expertise? Who? •  Is insurance available? •  What is the ROI for insurance and other risk

transfer approaches?

09 Securing the VOIP Platform

•  VOIP is the paradigm case for corporate economics overcoming security concerns

•  Platform itself not a profitable as products sold to use it •  ISA/NIST program to use SCAP (Security Content

Automation Protocol) and National Vulnerability Database to create a free customizable framework.

•  Companies can build products on the more secure platform (ones that participate get to know the standards first)

•  Better security and better markets

09 Securing the Global IT Supply Chain

•  IT supply chain is inherently global •  This immutable reality brings new risks •  If not addressed Congress will do it for us,

probably through protectionism •  07-08 ISA/CMU/industry 3-phase program to

create a framework that takes into account market, business and policy reality

•  New phase to begin first quarter 09

What to Tell President Obama?

1.  We need to increase our emphasis and investment on cyber security

2.  Cyber Security must be recognized as critical infrastructure maintenance

3.  Cyber Security is not a “IT” problem. 4.  Cyber security is a enterprise wide risk

management problem 5.  Government and Industry need new relationship

Obama: Inconvenient truths

1. All security is reliant on cyber systems 2. Cyber systems are inherently in the private sectors

hands 3. US cannot tackle the cyber security issues

unilaterally

Cyber Social Contract

•  Similar to the agreement that led to public utility infrastructure dissemination in 20th century

•  Infrastructure development through market incentives

•  Consumer protection through regulation •  Gov role to motivate is more creative—harder •  Industry role is to develop practices and standards

and implement them

Member Communications Loop

Content Sources

•  Critical Infrastructure Partnership Advisory Council (CIPAC) •  Cross-Sector Cyber Security Working Group (CSCSWG) •  Daily Open Source Infrastructure Report •  Homeland Security Information Network (HSIN) •  United States Computer Emergency Readiness Team (US-

CERT) •  National Infrastructure Partnership Plan (NIPP) •  Partnership for Critical Infrastructure Security (PCIS) •  Protective Programs and Research and Development

(PPRD)

Content Sources

•  Software Assurance Working Group •  DHS Business Opportunities Newsletter •  Cyber Security Monitor •  Joint Homeland Security Notes (HSN) •  Critical Infrastructure Information Notice (CIIN) •  National Telecommunications and Information Administration (NTIA)

Economic Security Work Group (ESWG) •  InfraGard •  Information Technology Sector Coordinating Council (IT-SCC) •  Critical Functions and Information Sharing (CFIS) Group •  Plans Working Group •  Communications Sector Coordinating Council •  Carnegie Mellon University CyLab (CMU) •  ISAlliance

Content Examples

DHS Business Opportunities Newsletter

Content Examples Critical Infrastructure Information Notice

Homeland Security Note

Content Examples IT-SCC Calendar

Content Examples DHS Daily Open Source Infrastructure Report

Content Channels

• World Wide Web • GovDelivery Digital Subscription Management • Excel Electronic Mail Merge • Outlook Distribution Lists & Outlook Calendar Invitations • US-CERT Portal Secure Communication • Direct Mail • Outlook Email • Telephone

ISAlliance Web Site

ISAlliance Web Site

Member/Prospect Examples • Calendar of Events • ISAlliance News • Project Information & Updates • Public GovDelivery Subscription • Common Sense Guides • ISAlliance Services

Member Only Examples • Calendar of Events • “Missed It” Archives • Complete GovDelivery Subscription • Self Assessment Tools • Papers & Reports • Detailed Project Information & Updates • Enterprise Integration Perspectives • CMU Webinar Archive

Used primarily to generate prospective member interest in ISAlliance and provide members with information and archives that generate interaction, integration and reinforce the value of membership.

GovDelivery Digital Subscription Management

• Total Subscription Items hosted by GovDelivery: 47

• Average item subscriptions per subscriber: 9

• Total Subscribers: 4021

• New Subscribers 2008: 714 (+ 17%)

• Total bulletins sent 2008: 364,977

• Total hits to RSS feeds 2008: 23,783

Examples • Notice for the Private Sector Preparedness Accreditation and Certification Program

• Biometric Identification

• Small Business Issues

• US-CERT Alerts

• Meeting Notices & Reminders

• ISAlliance Calendar of Events

• ISAlliance Daily Brief

• Access Control

• Technical, Operations, Public Policy and/or Legal Perspective - All of Above

Used for delivery of targeted messages to broad groups with interest in specific subject matter.

GovDelivery Digital Subscription Management

Outlook Distribution Lists & Calendar Invitations

Used to organize work groups involved in specific projects.

Examples • White House Cyber Security Initiative • IT Sector Risk Assessment • Securing the IT Supply Chain in the Age of Globalization • Developing Automated VoIP and Converged Network Security • The Financial Impact of Cyber Risk

Outlook Distribution Lists & Calendar Invitations

US-CERT Portal Secure Communications

US-CERT Portal Secure Communications

Used by members and allies for secure messaging, often between groups, subgroups and various sector coordinating councils, ISAC’s & organizations.

Examples • Software Assurance • Cross Sector Cyber Security Work Group • Defense Security Information Exchange • White House Cyber Security Initiative • AeroSpace Industries Association

Closing the Loop

Gathering, processing and distributing information content to the right people at the right time is an important part of what ISAlliance does.

It is often equally important that ISAlliance gather,

process and aggregate private sector perspectives for delivery BACK to appropriate public agencies.

Closing the Loop

Example: 1.  White House Cyber Security Initiative Announced 2.  ISAlliance Notifies Membership and calls for input using

GovDelivery System 3.  ISAlliance forms a work group 4.  ISAlliance serves as an intermediary communicating

information in both directions using Outlook & the CERT Portal

5.  The public sector, members and ISAlliance all benefit

Larry Clinton President

[email protected] 703-907-7028 202-236-0001

Barry Foer Director of Policy & Membership

[email protected] 703-907-7799