Information Security
Trends and Issues
Neil Cooper, CISSP, CISA
December 2, 2003
Philadelphia, PA
Agenda
Introduction
Current State of Security
What Have We Seen?
Risks and Threats
Conclusion
2 PricewaterhouseCoopers
Current State of Security
The Risks are Real…
Survey Demographics
“Enablement” “Protection”
Challenges of Inclusion and Exclusion
Increased:
• Identities
• Control Requirements
• Complexity
Increased:
• Threats
• Vulnerabilities
• Complexity
New and Continuing Risks
• Financial –
– Return on Investments Unclear
– Insecure Transactions
• Technology –
– Immature / Unstable
– Lack of Standards
– Limited Skilled workers
Risk Categories
• Reputation
– Public Embarrassment
• Third Party –
– Legal & Regulatory
Top Management Errors…
The Threat is multifaceted…
Insiders
• Current employees
• Former employees
• Business partners
• Contractors / consultants
• Temporary employees
Outsiders
• “Freelance” or “Mercenary” crackers
• Professional Cybercriminals
• Thrill Seekers & Kids
• Competitors
Attack Trends
Reliability
Availability Scalability
Capacity
Abilities
• Security
– Ability to Prevent, Detect, & React to Unauthorized Access
– Ability to specifically identify users
– Ability to specifically authorize access to technology & data
Controls
Security Controls
• Protective - Authentication, Authorization, Firewalls, SSL, Locks, Guards, Security Testing
• Detective - Logging, Firewalls, Network IDS, Host IDS, Security testing
What Have We Seen?
Risks and Threats
Risks and Threats - Internal
Risks and Threats - Technology
Camera Phones
Flash Disks
Wireless Networks
Instant Messaging Tools
Modems and Cable Modems
Camera Phones
New Technology sweeping the country and world
Easy to use
No Controls
Attach and send picture in e-mail
Flash Disks
Small Devices
• Connect to USB Ports
• Large Capacity
• Easy to Use
• Circumvent all Controls on Computers
Wireless LANS
Benefits:
Mobility for internal users
Disadvantages:
Weak or no Encryption
Extends your network perimeter
Ease of eavesdropping
Denial of Service
Easy to setup and install
Not as easy to detect
Wireless LANS – Is this your network?
http://www.worldwidewardrive.org/wwwd1/baltimore.jpg
Instant Messaging
Modems and Cable Modems
Incident Response and Forensics
Emergency Response Considerations
Reducing Internal Risk within an Organization
Security Policies and Procedures
Virtual Private Networks
Incident Response Procedures
[Toolbox Map]
Questions?
Contact Information
Your worlds Our people