7/31/2019 2004 12 03 Larry Clinton Philadelphia Presentation About ISA and Coherent Program of Cyber Security Through Incentives
Larry Clinton, Operations Officer
Internet Security Alliance
[email protected]
202-236-0001
Presentation Outline
The Growing Problem of Cyber Security
Traditional Solutions and Why They Won't Work
A New Paradigm (tools and incentives)
Bringing it all Together
The Past
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Present
The Threats / The Risks
Human Agents: Hackers; Disgruntled employees; White collar criminals; Organized crime; Terrorists
Methods of Attack: Brute force; Denial of Service; Viruses & worms; Back door taps & misappropriation; Information Warfare (IW) techniques
Exposures: Information theft, loss & corruption; Monetary theft & embezzlement; Critical infrastructure failure; Hacker adventures, e-graffiti/defacement; Business disruption
Representative Incidents: Code Red, Nimda, Sircam; CD Universe extortion; e-Toys Hactivist campaign; Love Bug, Melissa viruses
The Threats / The Risks
Terrorists may view cyber-attacks standing alone or with a coordinated physical attack as a way to cause economic harm. Considering that critical infrastructures, upon which the American economy depend, are increasingly electronic and interconnected, attacks in or through cyberspace arguably support the terrorist modus operandi.
The Threats / The Risks
[Scenario map of cascading failures: Pipeline Disruption; Submarine Cable Lost; Bomb Threats at Government Buildings; Threat to Water Supply; Bridge Down; Oil Refinery Explosion; Telephone Service Interrupted / Phones Jammed; 911 Unavailable; ISPs Out of Service Near Wall Street; Air Traffic Control Tower & Radar Down; Train Derailment in Tunnel; Electricity Outage]
Growth in Incidents Reported to the CERT/CC
[Bar chart, 1988 through 2002; incidents per year as labelled on the chart]
1988: 6
1989: 132
1990: 252
1991: 406
1992: 773
1993: 1,334
1994: 2,340
1995: 2,412
1996: 2,573
1997: 2,134
1998: 3,734
1999: 9,859
2000: 21,756
2001: 55,100
2002: 110,000
The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC
[Bar chart, 1995 through 2002; vulnerabilities per year as labelled on the chart]
1995: 171
1996: 345
1997: 311
1998: 262
1999: 417
2000: 1,090
2001: 2,437
2002: 4,129
Attack Sophistication v. Intruder Technical Knowledge
[Chart, 1980 through 2000, vertical axis Low to High; curves labelled Tools, Attackers, Intruder Knowledge and Attack Sophistication. Technique labels in the order they appear on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; stealth / advanced scanning techniques; burglaries; network mgmt. diagnostics; DDOS attacks]
Computer Virus Costs (in billions)
[Bar chart, '96 through '03 ('03 through Oct 7); vertical axis $ billion, 0 to 150; the '03 value is shown as a range]
Traditional Solutions & Why They Won't Work
Technology Solutions (it's like Y2K)
Government Regulation (just mandate security)
Great Wall of China (secure our borders)
Cyber Security is not an IT Problem
Y2K WAS:
Finite
Passive
Not an attack
Cyber Security requires people, processes, procedures and management of the risk.
A Risk Management Approach is Needed
Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date. There is no special technology that can make an enterprise completely secure.
National Plan to Secure Cyberspace, 2/14/03
You Can't Mandate Cyber Security
Policy must address the Internet as a new technology
No one owns the Internet
It is constantly evolving
International operation makes regulation difficult
Mandates will truncate innovation and the economy
Beware the "Roadmap for mischief"
Putnam Legislation
Risk Assessment
Risk Mitigation
Incident Response Program
Tested Continuity plan
Updated Patch management program
Putnam has said it won't work.
Build a Great Wall around your Organization
The Internet has no walls, no borders -- No one actually owns it.
You are only as secure as the organizations you interconnect with -- and that's pretty much everyone.
The Internet is interdependent, and security, therefore, is interdependent.
Attacks are Inevitable
According to the US Intelligence community, American networks will be increasingly targeted by malicious actors both for the data and the power they possess.
National Strategy to Secure Cyberspace, 2/14/02
A New Paradigm: Tools and Incentives
TOOLS
Information Sharing
Best Practice Development
Standards/Certification/Qualification
Training
Policy Development
A Total Systems Approach
INCENTIVES NOT MANDATES
Benefits of Information Sharing
Organizations may lessen the likelihood of attack: "Organizations that share information about computer break-ins are less attractive targets for malicious attackers." NYT 2003
Participants in information sharing have the ability to better prepare for attacks and respond to them.
Old and New Info Sharing
2002: ISAlliance informed its membership about the SNMP event 6 months ahead of time --- No ISAlliance members affected
2003: ISAlliance informed membership about the Slammer vulnerability 9 months ahead of time --- No ISA members affected
2004 --- Events move too fast. Now we focus on forecasting, not analysis.
Adopt and Implement Best Practices
Cited in U.S. National Draft Strategy to Protect Cyber Space
Endorsed by TechNet for CEO Security Initiative
Small Bus. Best Pract. Endorsed: DHS; ABA; NAM; EIA; NCSA etc.
Common Sense Guide
Top Ten Practice Topics
Practice #1: General Management
Practice #2: Policy
Practice #3: Risk Management
Practice #4: Security Architecture & Design
Practice #5: User Issues
Practice #6: System & Network Management
Practice #7: Authentication & Authorization
Practice #8: Monitor & Audit
Practice #9: Physical Security
Practice #10: Continuity Planning & Disaster Recovery
Cooperative work on assessment/certification
TechNet CEO Self-Assessment Program
Bring cyber security to the C-level based on ISA Best Practices
Create a baseline of security even CEOs can understand
American Security Consortium 3-Party Assessment program
Risk Preparedness Index for assessment and certification
Develop quantitative independent ROI for cyber security
ISAlliance/CERT Training
Concepts and Trends in Information Security
Information Security for Technical Staff
OCTAVE Method Training Workshop
Overview of Managing Computer Security Incident Response Teams
Fundamentals of Incident Handling
Advanced Incident Handling for Technical Staff
Information Survivability: an Executive Perspective
ISAlliance Incentive Model
Model Programs for market Incentives --- AIG, Nortel, Visa, Verizon
SemaTech Program
Tax Incentives
Liability Carrots
Procurement Model
Research and Development
Congress Appoints CISWG
INCENTIVES & LIABILITY GROUP FOUND INCENTIVES FOR PUB & PRIVATE SECTOR
--Insurance Incentives
--Liability Incentives
--Tax Incentives
--Expedited Permitting
--FEMA credits
--Awards Programs
Chief Technology Officers' Knowledge of their Cyber Insurance
34% Incorrectly thought they were covered
36% Did not have insurance
23% Did not know if they had insurance
7% Knew that they were insured by a specific policy
ISAlliance Cyber-Insurance Program
Coverage for members
Free assessment through AIG
Market incentive for increased security practices
10% discount off best prices from AIG
Additional 5% discount for implementing ISAlliance Best Practices (July 2002)
ISAlliance Qualification Program
No Standardized Certification Program exists or will exist soon
ISAlliance, in cooperation with the Big 4 and the insurance industry, creates a quantitative measurement for qualification for ISA discounts as a proxy for certification
ISA works with CMU CyLab on Certification
A Coherent 10 Step Program of Cyber Security
1. Members and CERT create best practices
2. Members and CERT share information
3. Cooperate with industry and government to develop new models and products consistent with best practices
A Coherent Program of Cyber Security
4. Provide Education and Training programs based on coherent theory and measured compliance
5. Coordinate across sectors
6. Coordinate across borders
A Coherent Program
7. Develop the business case (ROI) for improved cyber security
8. Develop market incentives and tools for consistent maintenance of cyber security
9. Integrate sound theory and practice and evaluation into public policy
10. Constantly expand the perimeter of cyber security by adding new members
Sponsors
Larry Clinton, Operations Officer
Internet Security Alliance
202-236-0001