
Society for Information Management
Information Security Trends and Issues
Neil Cooper, CISSP, CISA
December 2, 2003
Philadelphia, PA
Agenda

Introduction
Current State of Security
What Have We Seen?
Risks and Threats
Conclusion

2 PricewaterhouseCoopers
Current State of
Security
Current State of Security

CSI/FBI 2002 Computer Crime and Security Survey

• 60% of respondents knew of unauthorized use of their computer systems
• Only 44% of the respondents could quantify the loss due to unauthorized access
• Total cost of theft of proprietary information in 2002: $170M
  – Highest reported quantified amount was $50M, with the average being more than $6M
• Total cost of financial fraud in 2002: $115M
• Reputation loss is difficult to quantify

Current State of Security

• 74% of respondents who were aware of an attack or security incident cited the Internet as the attack point
• Likely source of an attack: independent hackers
• Only 34% of those respondents who experienced a computer intrusion reported it to law enforcement

The Risks are Real…

• 78% detected inappropriate use of computer systems within the last 12 months
• 74% reported attacks from the Internet
• 33% reported attacks from the inside
• 40% detected a denial of service attack
• 85% detected a virus attack
• 90% detected computer security breaches
• 78% detected insider abuse of network access

Current State of Security

The State of Information Security 2003, from CIO Magazine & PricewaterhouseCoopers

• 7,500 respondents to the survey
• Survey results show that companies around the world (42% of total respondents) are beginning to look at security from a strategic perspective
• 54% place raising awareness about security at the top of their list for 2004

Current State of Security

• Threat and vulnerability management initiatives all rank high on the list of priorities for next year:
  – blocking unauthorized access (53%)
  – detecting viruses (49%)
  – security audits (44%)
  – security monitoring (49%)

Survey Demographics

Across all industries in 54 countries, including financial services, manufacturing, healthcare, telecommunications and government.
Company sizes ranged from small to multinational:
• 51% = up to $500M
• 22% = $500M to $25B
• 3% = more than $25B
• Remainder either did not know revenue size or were government/non-profits
Job titles largely IT and security related:
• VPs of IT, CSOs, Security Directors, Network or System Administrators
Key Findings: Security Still a Reactive Culture
Security initiatives are still driven in large part by external
factors (regulations and industry practices) and not from a
risk assessment perspective
Security policies are “blocking and tackling” and covering user
behavior, employee awareness and network and system
administration issues
One-third or less included monitoring standards, enforcing
standards, incident response or classifying value of data in
their security policy
Few companies are including partners and suppliers in their
policy planning
Top Security Initiatives for 2004
Leading security initiatives:
• Block unauthorized access (58%)
• Enhance network security (55%)
• Detect malicious programs (viruses/hostile code) (54%)
• Conduct security audits (51%)
• Conduct security risk assessment (48%)
• Monitor user compliance with policy (45%)
An Increased Demand on Security

The Security of Inclusion (“Enablement”) versus the Security of Exclusion (“Protection”)
Challenges of Inclusion and Exclusion

Inclusion increases:
• Identities
• Control requirements
• Complexity

Exclusion increases:
• Threats
• Vulnerabilities
• Complexity
New and Continuing Risks

• Intranet and extranet content
• Malicious e-mail attachments
• Sensitive or misleading Internet postings
• Pirate / counterfeit / diverted products
• Cybercrime, both internal and external
• Demands to produce relevant electronic information
• Loss of control of key digital assets
Security Risk Categories

• Financial
  – Return on investment unclear
  – Insecure transactions
• Technology
  – Immature / unstable
  – Lack of standards
  – Limited skilled workers
Risk Categories

• Reputation
  – Public embarrassment
• Third Party
  – Legal & regulatory
Top Management Errors…

• Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
• Fail to understand the relationship of information security to the business problem: they understand physical security but do not see the consequences of poor information security.
• Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
Top Management Errors…

• Rely primarily on a firewall.
• Too much trust of employees.
• Fail to realize how much money their information and organizational reputations are worth.
• Not identifying root-cause issues: authorize reactive, short-term fixes, so problems re-emerge rapidly.
• “It won’t happen to us” attitude.
The Threat is multifaceted…

Insiders:
• Current employees
• Former employees
• Business partners
• Contractors / consultants
• Temporary employees

Outsiders:
• “Freelance” or “mercenary” crackers
• Professional cybercriminals
• Thrill seekers & kids
• Competitors
Attack Trends

• The nonprofit and financial services sectors experienced higher rates of overall attack volume and of severe event incidence, respectively.
• 21% of companies in the sample set suffered at least one severe event over the past six months.
• Attacks from countries included on the Cyber Terrorist Watch List accounted for less than 1% of all activity.
• Cases of internal misuse and abuse accounted for more than 50% of incident response engagements.

Source: Symantec Internet Threat Report, February 2003
What Areas Require Focus?

[Diagram of focus areas: Reliability, Availability, Scalability, Confidentiality, Integrity and Capacity, with Confidentiality and Integrity marked as the key area for internal security]
Abilities

• Security
– Ability to Prevent, Detect, & React to Unauthorized
Access
– Ability to specifically identify users
– Ability to specifically authorize access to
technology & data

Controls

Security Controls
• Protective - Authentication, Authorization, Firewalls,
SSL, Locks, Guards, Security Testing
• Detective - Logging, Firewalls, Network IDS, Host
IDS, Security testing

Controls

Reactive controls require detective controls first!

With detective controls in place, you MUST have well-planned and tested reactive control processes to adequately address:
• Security events
• Capacity problems
• Component or site outages
• Performance problems
What Have We
Seen?
What Have We Seen?

• Perimeter secured from the Internet, but...
• Perimeter not secured from the Internet.
• Internal network insecure.
• Access to systems that contain sensitive information not controlled.
• Proliferation of wireless networks.
• Unsecured laptop computers.
• Uncontrolled use of e-mail and instant messaging.
What are Companies Doing?

• Reading e-mail selectively
• Filtering out Internet access
• Filtering outbound and inbound e-mail
• Restricting employee access
• Imposing penalties on violations of security policy, up to and including termination
Risks and
Threats
Risks and Threats - Internal

Source of attacks and security incidents:
• Current employees, authorized access: 26%
• Current employees, unauthorized access: 25%
• Former employees, unauthorized access: 16%

The risk is very high. Most companies grant too much access to their information:
• Give Joe the same access as Sally had
• Trusted IT professionals
• Educated users
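The three patterns above (cloned access profiles, rights beyond what a role needs, and former employees whose accounts are still live) are all things an access review can find mechanically. The following is an added example, not material from the presentation: the role baseline, entitlement names and the four user records are constructed for illustration.

```python
"""Access review: flag cloned entitlements, excess rights and lingering
accounts. Added example with constructed role and account data; the
role names, entitlement strings and users are assumptions."""
from dataclasses import dataclass, field
from itertools import combinations

# Constructed baseline: the entitlements each job role is supposed to carry.
ROLE_BASELINE = {
    "ap_clerk": {"erp.ap.read", "erp.ap.post"},
    "payroll_admin": {"erp.payroll.read", "erp.payroll.write", "hr.read"},
    "sysadmin": {"os.root", "erp.admin", "hr.read"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool            # login still enabled in the directory
    employed: bool          # still on HR's roster
    entitlements: set = field(default_factory=set)


def excess_entitlements(acct):
    """Rights beyond what the account's role justifies (least privilege)."""
    return sorted(acct.entitlements - ROLE_BASELINE.get(acct.role, set()))


def cloned_profiles(accounts):
    """Pairs of users in different roles with identical rights: the
    'give Joe the same access as Sally had' pattern."""
    pairs = []
    for a, b in combinations(accounts, 2):
        if a.role != b.role and a.entitlements and a.entitlements == b.entitlements:
            pairs.append((a.user, b.user))
    return pairs


def review(accounts):
    """Return (user, finding, detail) tuples for an access review."""
    findings = []
    for acct in accounts:
        if acct.active and not acct.employed:
            findings.append((acct.user, "former-employee-still-active",
                             sorted(acct.entitlements)))
        excess = excess_entitlements(acct)
        if excess:
            findings.append((acct.user, "excess-entitlement", excess))
    for a, b in cloned_profiles(accounts):
        findings.append((a, "cloned-profile", [b]))
    return findings


# Constructed sample: Sally is the payroll admin; Joe joined AP and was
# simply given a copy of Sally's access; Bob left the company last month.
SAMPLE = [
    Account("sally", "payroll_admin", True, True,
            {"erp.payroll.read", "erp.payroll.write", "hr.read"}),
    Account("joe", "ap_clerk", True, True,
            {"erp.payroll.read", "erp.payroll.write", "hr.read"}),
    Account("bob", "sysadmin", True, False, {"os.root", "erp.admin", "hr.read"}),
    Account("ann", "ap_clerk", True, True, {"erp.ap.read", "erp.ap.post"}),
]

if __name__ == "__main__":
    for user, finding, detail in review(SAMPLE):
        print(f"{user:6} {finding:30} {detail}")
```

The check that matters in practice is the HR-versus-directory join in `review`: a former employee with an enabled account is the 16% line above, and it is only visible when the review pulls from both sources rather than from the directory alone.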
Risks and Threats - Regulations

Many industries are regulated and must protect their customers’ information from unauthorized access:
• HIPAA
• GLBA and others in financial services
• CA SB 1386 (California breach notification law)
• US Notification of Risk to Personal Information Act (SB 1350)
Risks and Threats - Technology

Camera Phones
Flash Disks
Wireless Networks
Instant Messaging Tools
Modems and Cable Modems

Camera Phones

• New technology sweeping the country and the world
• Easy to use
• No controls
• Attach and send a picture in e-mail
Flash Disks

Small devices:
• Connect to USB ports
• Large capacity
• Easy to use
• Circumvent all controls on computers
Wireless LANS

Benefits:
Mobility for internal users

Wireless LANS

Disadvantages:
Weak or no Encryption
Extends your network perimeter
Ease of eavesdropping
Denial of Service
Easy to setup and install
Not as easy to detect
Wireless LANS

Risk mitigation techniques:
• Utilize strong encryption
• Isolate wireless LANs
• Implement security policies and procedures
• Don’t use
• Scan for existence
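“Scan for existence” is only useful if the scan is compared against what the network team actually installed. The following added example (not from the presentation) does that comparison: it reads a constructed, simplified airodump-ng-style CSV of seen access points and classifies each as authorised, weak or changed encryption, an unknown radio spoofing the corporate SSID, or an outright rogue. The inventory, the BSSIDs and the choice of WPA as “strong” and WEP/open as “weak” are assumptions for the example.

```python
"""Audit wireless scan results against an inventory of authorised access
points. Added example: the scan lines and the inventory are constructed
(simplified airodump-ng-style CSV), not output from the deck's wardrive map."""
import csv
import io

# Constructed inventory of the access points the network team installed:
# BSSID -> (expected SSID, expected encryption). Assumed values.
AUTHORISED = {
    "00:0c:41:aa:bb:01": ("corp-wlan", "WPA"),
    "00:0c:41:aa:bb:02": ("corp-wlan", "WPA"),
}
STRONG = {"WPA", "WPA2"}   # WEP ("WEP") and open ("OPN") are treated as weak

# Constructed scan output, one AP per line; the column names follow the
# airodump-ng CSV loosely but every row is invented for this example.
SCAN = """\
BSSID,channel,Privacy,Power,ESSID
00:0c:41:aa:bb:01,6,WPA,-42,corp-wlan
00:0c:41:aa:bb:02,11,WEP,-55,corp-wlan
00:40:96:12:34:56,1,OPN,-61,linksys
00:0f:66:de:ad:01,6,WEP,-70,corp-wlan
"""


def parse_scan(text):
    """Yield one dict per AP row, stripping the padding scan tools add."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        yield {k.strip(): v.strip() for k, v in row.items()}


def audit(scan_text, authorised=AUTHORISED):
    """Classify each seen AP as ok, weak-or-changed-crypto, ssid-spoof or rogue."""
    our_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for ap in parse_scan(scan_text):
        bssid = ap["BSSID"].lower()
        if bssid in authorised:
            _, want_priv = authorised[bssid]
            # An authorised radio that has been reconfigured to WEP/open,
            # or away from the inventory setting, is a finding.
            if ap["Privacy"] not in STRONG or ap["Privacy"] != want_priv:
                findings.append((bssid, "weak-or-changed-crypto", ap["Privacy"]))
            else:
                findings.append((bssid, "ok", ap["ESSID"]))
        elif ap["ESSID"] in our_ssids:
            # Unknown radio advertising our SSID: evil twin or an AP someone
            # plugged in and named after the corporate network.
            findings.append((bssid, "ssid-spoof", ap["ESSID"]))
        else:
            findings.append((bssid, "rogue", ap["ESSID"]))
    return findings


if __name__ == "__main__":
    for bssid, verdict, detail in audit(SCAN):
        print(f"{bssid}  {verdict:24} {detail}")
```

Keying on BSSID rather than SSID is the point: the SSID is whatever the owner typed in, so an SSID match proves nothing, while an unknown BSSID on the corporate SSID is exactly the “extends your network perimeter” case from the previous slide.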

Wireless LANS – Is this your network?

[Wardriving map image: http://www.worldwidewardrive.org/wwwd1/baltimore.jpg]
Instant Messaging

According to Gartner Research, by the fourth quarter of 2002 approximately 70% of enterprises used unmanaged consumer instant messaging on their networks to conduct business.

As both legitimate and unauthorized usage rises, the threat of malicious code that uses instant messaging clients for propagation is becoming more significant.
Instant Messaging

Gartner survey: 58% of those surveyed said the careless use of personal communications by their employees, especially e-mail and instant messaging (IM), poses the most dangerous security risk to their networks.

In a study by INT Media Research, 70% of businesses surveyed said they don't offer their employees guidelines on acceptable use of IM technology.
Instant Messaging

March 2001: “ICQ logs spark corporate nightmare”
• Hundreds of pages of ICQ logs posted to the web
• Allegedly unedited logs available in their entirety at http://www.echostation.com/efront/
• Stolen from the PC of CEO Sam Jain of eFront
• Several senior management team members resigned
Instant Messaging

• File transfer enables transfer of worms or other malicious code
• Bypass of desktop and perimeter firewall implementations makes it harder to detect than other threats
• Easier to find victims: select from current lists of users rather than scanning blocks of addresses
• All major IM networks support person-to-person (P2P) file sharing, which leads to the spread of infected files
Instant Messaging

• Clients can specify ports to defeat firewalls
• New versions include file transfer features, raising concerns about:
  – Proprietary data
  – Inappropriate content
  – Productivity
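The first bullet is why a firewall rule that drops the IM networks’ default ports is not a control: the client simply reconnects on 80 or 443. The added example below (not from the presentation) runs constructed firewall log lines through both a port blocklist and a default-deny egress policy in which only the web proxy, mail relay and resolver may reach the Internet, and lists the sessions that the blocklist lets through. The default ports are the publicly documented ones for the consumer IM clients of the period; the hosts, addresses and policy are assumptions.

```python
"""Why port-based IM blocking fails and default-deny egress does not.
Added example with constructed firewall log lines; the IM default ports
are the documented client defaults, the hosts and policy are assumptions."""
from collections import namedtuple

Conn = namedtuple("Conn", "src dst dport")

# Default ports of the consumer IM networks of the period (assumed here;
# verify against your own client inventory).
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo Messenger"}

# Constructed default-deny egress policy: which internal sources may open
# connections to the Internet, and on which destination ports.
EGRESS_ALLOW = {
    "10.1.0.5": {80, 443},      # the web proxy
    "10.1.0.10": {25},          # the mail relay
    "10.1.0.11": {53},          # the resolver
}

# Constructed log lines: "src dst dport", all destined for the Internet.
# Workstation 10.1.5.23 tries AIM on 5190, is blocked, and retries on 80;
# workstation 10.1.5.44 does the same with MSN and falls back to 443.
LOG = """\
10.1.5.23 203.0.113.5 5190
10.1.5.23 203.0.113.5 80
10.1.0.5 198.51.100.7 443
10.1.5.44 198.51.100.9 1863
10.1.5.44 198.51.100.9 443
"""


def parse_log(text):
    return [Conn(*line.split()) for line in text.splitlines() if line.strip()]


def port_blocklist(conn):
    """Legacy rule: deny only the well-known IM ports, allow everything else."""
    return "deny" if int(conn.dport) in IM_PORTS else "allow"


def default_deny(conn):
    """Allow only listed sources on listed ports; everything else is denied."""
    return "allow" if int(conn.dport) in EGRESS_ALLOW.get(conn.src, set()) else "deny"


def compare(text):
    """Return rows (conn, blocklist verdict, default-deny verdict)."""
    return [(c, port_blocklist(c), default_deny(c)) for c in parse_log(text)]


def slipped_through(text):
    """Connections a port blocklist permits that default deny would stop."""
    return [c for c, bl, dd in compare(text) if bl == "allow" and dd == "deny"]


if __name__ == "__main__":
    for c, bl, dd in compare(LOG):
        print(f"{c.src:10} -> {c.dst:14}:{c.dport:5}  blocklist={bl:5} default-deny={dd}")
    print("slipped through the blocklist:", [(c.src, c.dport) for c in slipped_through(LOG)])
```

Default-deny egress does not identify the IM traffic; it removes the workstation’s ability to talk to the Internet directly at all, which is what the port-hopping client depends on. Whatever still needs to leave goes through the proxy, where it can be inspected or denied by protocol.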

Modems and Cable Modems

• May be connected to sensitive systems
• Attempted penetration through war-dialing
• Internal access to the network should be restricted
• Home use and telecommuters
Incident Response and Forensics

• Incident response minimizes the impact of security failures. The goal is to detect, isolate, and correct security lapses and intrusions.
• Forensics increases the ability of a company to investigate, remediate, and recover (in litigation or otherwise) the damages caused by a security incident.
Emergency Response Considerations

• How will you define and identify an incident?
• Do you have the skill sets to respond?
• How will you respond?
  – Ignore, use to misinform, or prosecute?
• Cost vs. response time
Reducing Internal Risk within an Organization

• Security policies and procedures
• Virtual private networks
• Incident response procedures

[Toolbox Map]
Questions?
Contact Information

Neil Cooper, CISSP, CISA
• Director, Security and Privacy Practice
• Philadelphia, PA
• 267-330-2518
• neil.f.cooper@us.pwc.com