1 / 29

Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies

Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies. Presented By: Tina LaCroix & Jason Witty. Presentation Overview. Introduction and Benefits of InfoSec Trends and Statistics Hacking Tools Discussion / Demonstration

humphrey-askew
Télécharger la présentation

Trends in Information Security: Threats, Vulnerabilities and Mitigation Strategies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trends in Information Security:Threats, Vulnerabilities and Mitigation Strategies Presented By: Tina LaCroix & Jason Witty

  2. Presentation Overview • Introduction and Benefits of InfoSec • Trends and Statistics • Hacking Tools Discussion / Demonstration • Proactive Threat and Vulnerability Management • Security Lifecycle • Recommendations • Wrap-up / Questions

  3. Q: In Today’s Down Market, What Can: • Give your company a competitive advantage? • Improve your reputation in the eyes of your customer? • Demonstrate compliance to international and federal privacy laws? • Improve system uptime and employee productivity? • Ensure viable eCommerce? • Answer: Information Security.

  4. What’s the Problem? • Your security people have to protect against • thousands of security problems. • Hackers only need one thing to be missed. • But with appropriate attention given to • security, companies can be • reasonably well protected.

  5. Some InfoSec Statistics • General Internet attack trends are showing a 64% annual rate of growth – Riptech • The average [security conscious] company experienced 32 attacks per week over the past 6 months – Riptech • The average cost of a serious security incident in Q1/Q2 2002 was approximately $50,000 - UK Dept of Trade & Industry • Several companies experienced single incident losses in excess of $825,000 - UK Dept of Trade & Industry

  6. Computer Incident Statistics • In 1988 there were only 6 computer incidents reported to CERT/CC. • There were 52,658 reported and handled last year.

  7. General Trends in Attack Sophistication

  8. Information Security Threats: Attackers • Bored IT guys…… • “Hacktivists” • Competitors • Ex-employees • Terrorists • Disgruntled employees • Real system crackers (Hackers) • The infamous “script kiddie”

  9. Hacker Tools: Web Hacking

  10. More Web Hacking Tools

  11. Password Cracking Tools

  12. Password Cracking: Windows

  13. Need More Tools? http://www.packetstormsecurity.org has tens of thousands of free hacker tools available for download

  14. Full Disclosure: What’s That? • When a vulnerability is discovered, all details of that vulnerability are reported to the vendor • Vendor then works on a patch for a “reasonable” amount of time • Discoverer of the vulnerability then releases full details of the problem found, and typically, a tool to prove it can be exploited • Hopefully the vendor has a patch available

  15. Hacker Techniques: The Scary Reality • Growing trend by some hackers NOT to report vulnerabilities to vendors – KEEP EXPLOITS UNPUBLISHED AND KNOWN ONLY TO THE HACKER COMMUNITY • Exploit services that HAVE to be allowed for business purposes (HTTP, E-Mail, etc.) • Initiate attacks from *inside* the network • It’s much easier to destroy than protect!

  16. So How Do We Protect Against All of This?

  17. Start by Acknowledging the Problem… (No More of This)

  18. Security Risk Management Principles • Information Security is a business problem, not just an IT problem • Information Security risks need to be properly managed just like any other business risk • Lifecycle management is essential – there are always new threats and new vulnerabilities to manage (and new systems, technologies, etc., etc.)

  19. Proactive Threat and Vulnerability Management • Internal Security Risk Management Program • User Education • Selective Outsourcing / Partnerships

  20. Security Risk Management: IT Control Evolution

  21. InfoSec Risk Examples

  22. Security Risk Management Program • Should include (not an exhaustive list): • Governance and sponsorship by senior management • Staff and leadership education • Implementation of appropriate technical controls • Written enterprise security policies & standards • Formal risk assessment processes • Incident response capabilities • Reporting and measuring processes • Compliance processes • Ties to legal, HR, audit, and privacy teams

  23. Security Risk Management: Education • One of the largest security risks in your enterprise is untrained employees – this especially includes upper management • Who cares what technology you have if an employee will give their password over the phone to someone claiming to be from the help desk? • Are users aware of their roles and responsibilities as they relate to information security? • Are users aware of security policies and procedures? • Do users know who to call when there are security problems?

  24. Security Risk Management: IT Controls • The average enterprise needs Firewalls, Intrusion Detection, Authentication Systems, Proxies, URL Screening, Anti-Virus, and a slew of other things. • A major reason we need all of this technology is because systems continue to be shipped / built insecurely!!! • Every one of us needs to push vendors to ship secure software, and to include security testing in their QA processes

  25. Security Risk Management: Selective Outsourcing • Things you might consider outsourcing: • The cyber risk itself (Insurance, Re-insurance) • Email filtering and sanitization • 24 x 7 security monitoring • 1st level incident response (viruses, etc.) • Password resets • Others?

  26. Wrap Up: What Can You Do Going Forward? • Urge (contractually obligate if possible) vendors to build, QA test, and ship secure products!!!!!!! • Remember that security is not a “thing” or a one time event, it is a continual process…….. • Manage security risks like other business risks • Conduct periodic security risk assessments that recommend appropriate security controls • Ensure security is inserted early in project lifecycles • Support your internal InfoSec team – they have a tough job managing threats and vulnerabilities

  27. Credits • CERT/CC – http://www.cert.org/present/cert-overview-trends/ • Internet Security Alliance – http://www.isalliance.org • Riptech – http://www.riptech.com • UK Department of Trade and Industry – • https://www.security-survey.gov.uk/View2002SurveyResults.htm

  28. Questions?

More Related