
The Changing Role of IT Security in an Internet World


Presentation Transcript


  1. The Changing Role of IT Security in an Internet World A Business Perspective (and a request for help) Hannes Lubich Bank Julius Baer, Zurich

  2. Outline
     • IT Security Properties and Threats
     • IT Security Building Blocks, Shortcomings and Further Research Requirements
     • The Changing Role of IT Security as a Management Discipline

  3. Sources of IT Security Threats (target: operation and reputation of the firm as a whole)
     • Government and private intelligence community
     • "Internal" threats (dishonest employees, software failures etc.)
     • Business partners (customers, outsourcers, competitors, suppliers, etc.)
     • Hackers, pranksters, investigative reporters etc.

  4. 1998 Computer Crime and Security Survey
     Background
     • Joint study by the US Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI)
     • 520 companies surveyed
     Major Findings
     • 64% of companies have reported a security breach
     • Cumulated financial loss is over 136 million USD
     • Unauthorised insider access is the major threat
     • Theft of proprietary information is in 2nd position

  5. Financial Losses by Type of Threat Source: Cylink Document "The Need for Information Security"

  6. Current IT Threats Source: Icove/Seger/Von Storch, Computer Crime, O'Reilly, 1995, p. 22

  7. Technical Risks
     • Disruption
     • Eavesdropping
     • Modification
     • Fabrication

  8. Business Risks
     • Delayed order processing
     • Processing of falsified orders
     • Disclosure of customer data or intentions
     • Financial consequences due to damage of customer data or systems
     • Damage to the reputation of the firm

  9. Legal/Regulatory Risks
     • Disclosure of customer relationship
     • Damage claims
     • Taxation/customs aspects
     • National/international restrictions of inter- and intra-business financial transactions
     • Rules imposed by regulators

  10. Basic IT-Security Assets and Solution Technologies
     Asset             Solution technology
     Confidentiality   Encryption
     Obligation        Digital signatures
     Integrity         Authentication
     Availability      Redundancy

  11. Encryption: Status
     • Basic research has created sufficiently good encryption algorithms
     • Vendors have integrated encryption into some of their products
     • As part of the Internet growth, encryption issues are gaining public attention

  12. On Breaking Cryptography
     Type of Attacker           Budget for Computer   Time to Break 40-bit Key   Time to Break 56-bit Key   Time to Break 64-bit Key   Time to Break 128-bit Key
     Hacker Using Spare Cycles  $0                    1 week                     infeasible                 infeasible                 infeasible
     Pedestrian Engine          $400                  5 hours                    38 years                   304 years                  infeasible
     Small Business             $10'000               12 minutes                 556 days                   12 years                   infeasible
     Corporate Department       $300'000              24 seconds                 19 days                    3 years                    infeasible
     Big Company or Internet    $10'000'000           7 seconds                  13 hours                   104 hours                  infeasible
     Intelligence Agency        $300'000'000          0.0002 seconds             12 seconds                 96 seconds                 infeasible
     Source: Blaze, Rivest, Diffie, Schneier, Shimomura, Thompson, Wiener; "Minimal Key Lengths for Symmetric Ciphers, A Report By An Ad-Hoc Group of Cryptographers And Computer Scientists"

  13. Cryptography: Open Issues
     • Compatibility & interworking
     • Integration with other security mechanisms (e.g. VPNs and firewalls)
     • Exportability ("How many strings attached?")
     • Trust (proprietary versus "open source")

  14. Authentication: Status
     • Algorithms of sufficient quality exist for different purposes
     • Many applications have become "authentication-aware"
     • A legal framework for the formal relevance of authentication exists in some countries

  15. Authentication: Open Issues
     • Weak embedding into "real life" application environments, interworking problems and lack of user friendliness
     • "Missing link" between authentication and (personal) identification
     • Applicability to advanced business issues such as digital watermarks still missing

  16. Redundancy / QoS: Status
     • Models for measurement and interpretation of key elements (delay, jitter etc.) exist
     • Research in the area of dynamically expressing QoS requirements by applications
     • Standard proposals for resource reservation and load balancing protocols exist

  17. Redundancy / QoS: Open Issues
     • No unique standard yet - currently solved on a vendor-by-vendor basis
     • Internet QoS (i.e. RSVP) standards are complex and too resource/investment-intensive
     • Integration in existing infrastructure and management frameworks (CA Unicenter, Tivoli etc.) completely unresolved

  18. Obligation: Status
     • Models for the creation, administration and use of digital certificates exist
     • X.509 v3 has been widely accepted as the leading certificate format
     • Software to operate a Public Key Infrastructure (including CAs, RAs etc.) exists

  19. Obligation: Open Issues
     • PKI availability and interworking (especially inter-company or trans-border) insufficient, but would be a prerequisite for wider use
     • Integration with existing B-2-B structures (especially EDI, S.W.I.F.T. etc.) missing
     • Government regulation and legislation is slow and inconsistent

  20. Other Open Issues
     • We are lacking the models and modelling tools to cope with complex security issues
     • University and continued education on "applied security" is still in its infancy
     • There are too few operational "Networks of Excellence" including academia and business partners

  21. IT Security as a Management Discipline
     • IT Security has moved from technical decision making to contributing to business decisions, as part of operational risk management
     • IT Security cost perception has moved from an insurance premium to a business asset
     • IT Security has a wider scope of responsibility

  22. Conclusions
     • More than ever, IT Security needs strong support from basic and applied research
     • Shortcomings in adapting research results to business/industry must be overcome
     • The demand for skilled, interdisciplinary IT Security experts is growing quickly
