2003 10 00 Dave McCurdy Risk Management and Insurance Presentation to Manufacturers


  • 7/31/2019 2003 10 00 Dave McCurdy Risk Management and Insurance Presentation to Manufacturers

    1/35

    Dave McCurdy
    Executive Director, Internet Security Alliance
    President, Electronics Industry Alliance
    [email protected]
    703-907-7508

    2/35

    The Internet Security Alliance

    The Internet Security Alliance is a collaborative effort between Carnegie Mellon University's Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

    3/35

    Sponsors

    4/35

    The Past

    5/35

    The Present

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    6/35

    The Threats

    Human Agents
    • Hackers
    • Disgruntled employees
    • White collar criminals
    • Organized crime
    • Terrorists

    Methods of Attack
    • Brute force
    • Denial of Service
    • Viruses & worms
    • Back door taps & misappropriation
    • Information Warfare (IW) techniques

    The Risks

    Exposures
    • Information theft, loss & corruption
    • Monetary theft & embezzlement
    • Critical infrastructure failure
    • Hacker adventures, e-graffiti/defacement
    • Business disruption

    Representative Incidents
    • Code Red, Nimda, Sircam
    • CD Universe extortion, e-Toys hacktivist campaign
    • Love Bug, Melissa viruses

    7/35

    Growth in Incidents Reported to the CERT/CC

    [Bar chart: incidents reported to the CERT/CC per year, 1988 through 2002; y-axis 0 to 120,000. Data labels as read from the chart:]

    1988: 6
    1989: 132
    1990: 252
    1991: 406
    1992: 773
    1993: 1,334
    1994: 2,340
    1995: 2,412
    1996: 2,573
    1997: 2,134
    1998: 3,734
    1999: 9,859
    2000: 21,756
    2001: 55,100
    2002: 110,000

    8/35

    The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

    [Bar chart: vulnerabilities reported to CERT/CC per year, 1995 through 2002; y-axis 0 to 4,500. Data labels as read from the chart:]

    1995: 171
    1996: 345
    1997: 311
    1998: 262
    1999: 417
    2000: 1,090
    2001: 2,437
    2002: 4,129

    10/35

    Computer Virus Costs (in billions)

    [Bar chart: estimated computer virus costs per year, '96 through '03 (2003 through Oct 7), shown as a range; y-axis $0 to $150 billion]

    11/35

    Attacks are Inevitable

    "According to the US Intelligence community American networks will be increasingly targeted by malicious actors both for the data and the power they possess." National Strategy to Secure Cyberspace, 2/14/02

    "The significance of the NIMDA attack was not in the amount of damage it caused but it foreshadows what we could face in the future." CIPB

    "Things are getting worse not better." NYT 1/30/03

    12/35

    The Private Sector and National Cyber Security

    • US government is holding companies responsible for their security
    • Fiduciary and oversight responsibility is being enforced
    • Corporate governance, vision and goals reside at the executive level

    13/35

    ISAlliance/CERT Knowledgebase Examples

    14/35

    Benefits of Information Sharing: Organizations

    • May lessen the likelihood of attack: "Organizations that share information about computer break ins are less attractive targets for malicious attackers." NYT 2003
    • Participants in information sharing have the ability to better prepare for attacks

    15/35

    Benefits of Information Sharing: Organizations

    • SNMP vulnerability: CERT notified Alliance members Oct. 2001; publicly disclosed Feb. 2002
    • Slammer worm: CERT notified Alliance members May 2002; worm exploited Jan. 2003

    16/35

    Why ISA Info Sharing Works

    • Carnegie Mellon/CERT leadership and credibility
    • History and regularity build up trust
    • Enforcing the rules builds trust
    • Cross-sector/international model lessens competitive concerns
    • Success breeds greater success

    17/35

    A Risk Management Approach is Needed

    "Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure." National Plan to Secure Cyberspace, 2/14/03

    18/35

    Risk Management and IIA

    • Private Industry is encouraged to perform periodic, quantitative risk assessments of their information systems
    • The IIA definition of internal auditing emphasizes a systematic, disciplined approach to risk management in contributing to the value of an organization.

    ---Charles Le Grand, AVP IIA, in Information Security Governance and Assurance

    19/35

    Risk Mitigation/Cyber Insurance

    • ISAlliance establishes Cyber Insurance Incentive Program, 2001
    • ISAlliance establishes Risk Management Committee, November 2002
    • Risk Manager Survey begins, 2003

    20/35

    Chief Technology Officers' Knowledge of their Cyber Insurance

    • 34% incorrectly thought they were covered
    • 36% did not have insurance
    • 23% did not know if they had insurance
    • 7% knew that they were insured by a specific policy

    21/35

    ISAlliance Cyber-Insurance Program

    • Coverage for members
    • Free assessment through AIG
    • Market incentive for increased security practices:
      • 10% discount off best prices from AIG
      • Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

    22/35

    Step 4. Adopt and Implement Best Practices

    • Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
    • Endorsed by TechNet for CEO Security Initiative (April 2003)
    • Endorsed by US India Business Council (April 2003)

    23/35

    Common Sense Guide: Top Ten Practice Topics

    • Practice #1: General Management
    • Practice #2: Policy
    • Practice #3: Risk Management
    • Practice #4: Security Architecture & Design
    • Practice #5: User Issues
    • Practice #6: System & Network Management
    • Practice #7: Authentication & Authorization
    • Practice #8: Monitor & Audit
    • Practice #9: Physical Security
    • Practice #10: Continuity Planning & Disaster Recovery

    24/35

    Other ISAlliance Best Practice Publications

    • Common Sense Guide for Home Users and Traveling Executives (February 2003)
    • Common Sense Guide to Cyber Security for Small Businesses (commissioned by National Cyber Security Summit Meeting 11/03)

    25/35

    Cooperative work on assessment/certification

    • TechNet CEO Self-Assessment Program
      • Bring cyber security to the C-level based on ISA Best Practices
      • Create a baseline of security even CEOs can understand
    • American Security Consortium 3-Party Assessment program
      • Risk Preparedness Index for assessment and certification
      • Develop quantitative independent ROI for cyber security

    26/35

    ISAlliance Qualification Program

    • No standardized certification program exists or will exist soon
    • ISAlliance, in cooperation with the big 4 and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification
    • ISA works with CMU CyLab on certification

    27/35

    ISAlliance/CERT Training

    • Concepts and Trends in Information Security
    • Information Security for Technical Staff
    • OCTAVE Method Training Workshop
    • Overview of Managing Computer Security Incident Response Teams
    • Fundamentals of Incident Handling
    • Advanced Incident Handling for Technical Staff
    • Information Survivability: an Executive Perspective

    28/35

    Public Policy

    • Policy must address the Internet as a new technology
    • No one owns the Internet
    • It is constantly evolving
    • International operation makes regulation difficult
    • Mandates will truncate innovation and the economy

    29/35

    Putnam Legislation

    • Risk assessment
    • Risk mitigation
    • Incident response program
    • Tested continuity plan
    • Updated patch management program
    • Putnam has said it won't work.

    30/35

    ISAlliance Incentive Model

    • Model programs for market incentives: AIG, Nortel, Visa, Verizon
    • SemaTech program
    • Tax incentives
    • Liability carrots
    • Procurement model
    • Research and development

    31/35

    A Coherent 10 Step Program of Cyber Security

    1. Members and CERT create best practices
    2. Members and CERT share information
    3. Cooperate with industry and government to develop new models and products consistent with best practices

    32/35

    A Coherent Program of Cyber Security

    4. Provide education and training programs based on coherent theory and measured compliance
    5. Coordinate across sectors
    6. Coordinate across borders

    33/35

    A Coherent Program

    7. Develop the business case (ROI) for improved cyber security
    8. Develop market incentives and tools for consistent maintenance of cyber security
    9. Integrate sound theory and practice and evaluation into public policy
    10. Constantly expand the perimeter of cyber security by adding new members

    34/35

    Benefits

    • Share critical information across industries and across national borders
    • Provide a secure setting to work on common problems
    • Provide economic incentive programs
    • Develop model industry evaluation and training programs

    35/35

    For Additional Information

    Dave McCurdy: [email protected]
    Larry Clinton: [email protected]
    David Peyton: 202-637-3147, [email protected]