The Changing Role of IT Security in an Internet World

A Business Perspective

(and a request for help)

Hannes Lubich

Bank Julius Baer, Zurich

Outline
  • IT Security Properties and Threats

  • IT Security Building Blocks, Shortcomings and Further Research Requirements

  • The Changing Role of IT Security as a Management Discipline

Sources of IT Security Threats

(Diagram: the operation and reputation of the firm as a whole sit at the centre, surrounded by the following sources of threats.)

  • Government and private intelligence community

  • "Internal" threats (dishonest employees, software failures etc.)

  • Business partners (customers, outsourcers, competitors, suppliers, etc.)

  • Hackers, pranksters, investigative reporters etc.

1998 Computer Crime and Security Survey


  • Joint Study by US Federal Bureau of Investigation (FBI) and Computer Security Institute (CSI)

  • 520 Companies surveyed

Major Findings

  • 64% of companies have reported a security breach

  • Cumulative financial loss is over 136 million USD

  • Unauthorised insider access is the major threat

  • Theft of proprietary information is in 2nd position

Financial Losses by Type of Threat

Source: Cylink Document "The Need for Information Security"

Current IT Threats

Source: Icove/Seger/Von Storch, Computer Crime, O‘Reilly, 1995, p. 22

Technical Risks





Business Risks

  • Delayed order processing

  • Processing of falsified orders

  • Disclosure of customer data or intentions

  • Financial consequences due to damage of customer data or systems

  • Damage to the reputation of the firm

Legal/Regulatory Risks

  • Disclosure of customer relationship

  • Damage claims

  • Taxation/Customs aspects

  • National/international restrictions of inter- and intra-business financial transactions

  • Rules imposed by regulators

Basic IT-Security Assets and Solution Technologies

  • Confidentiality: Encryption

  • Integrity: Digital signatures, Authentication

  • Availability: Redundancy
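As an added example that is not part of the deck, the following Python script shows the "Integrity / Authentication" pairing from the slide above with nothing but the standard library: a keyed message authentication code (HMAC-SHA256) lets the receiver of a business message detect both a modified message and a message whose tag was not produced by a holder of the shared key. The order message is a constructed sample; confidentiality (encryption) is deliberately left out, since the point here is integrity and origin authentication.

```python
"""Integrity and authentication of a business message with a keyed MAC.

Added example, not code from the slides. An HMAC-SHA256 tag appended to a
message lets the receiver reject tampered messages and messages tagged with
the wrong key. Confidentiality (encryption) is out of scope here.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_shared_key() -> bytes:
    """A fresh 256-bit key; in practice distributed out of band to both parties."""
    return secrets.token_bytes(32)


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the whole message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes):
    """Return the message if the tag is valid, otherwise None.

    hmac.compare_digest runs in constant time, so the comparison itself does
    not reveal how many tag bytes matched.
    """
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def demo() -> dict:
    """Constructed order message: genuine, tampered, and wrong-key cases."""
    key = new_shared_key()
    order = b"ORDER 4711: buy 100 shares XYZ at limit 42.00"  # constructed sample
    blob = protect(key, order)

    tampered = bytearray(blob)
    tampered[17] ^= 0x01                       # flip one bit inside the quantity "100"
    forged = protect(new_shared_key(), order)  # tag made with a different key

    return {
        "genuine_accepted": verify(key, blob) == order,
        "tampered_rejected": verify(key, bytes(tampered)) is None,
        "forged_rejected": verify(key, forged) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'ok' if ok else 'FAIL'}")
```

The tag covers the entire message, so any change to the order (quantity, price, or counterparty) invalidates it; a tag made with a different key is rejected the same way, which is what ties integrity to authentication of the sender.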

Encryption: Status

  • Basic research has created sufficiently good encryption algorithms.

  • Vendors have integrated encryption into some of their products

  • As part of the Internet growth, encryption issues are gaining public attention

On Breaking Cryptography

Table columns: Type of Attacker; Budget for Computer; Time to Break 40-bit Key; Time to Break 56-bit Key; Time to Break 64-bit Key; Time to Break 128-bit Key

Table rows (the budget and time figures did not survive the transcript):

  • Hacker Using Spare Cycles

  • Pedestrian Engine

  • Small Business

  • Corporate Department

  • Big Company or Internet

  • Intelligence Agency
Source: Blaze, Rivest, Diffie, Schneier, Shimomura, Thompson, Wiener; "Minimal Key Lengths for Symmetric Ciphers, A Report By An Ad-Hoc Group of Cryptographers And Computer Scientists"
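The table above compares attacker budgets with the time needed to search the keyspace of 40-, 56-, 64- and 128-bit symmetric keys. As an added example that is neither the slide's figures nor code from the cited report, the following Python script reproduces the shape of that comparison from first principles: an exhaustive search tries on average half the keyspace, each extra key bit doubles the work, and an attacker whose trial rate keeps doubling closes the gap on short keys in a predictable number of years. The attacker trial rates (`ATTACKER_RATES`) and the 1.5-year doubling period are constructed assumptions for illustration only.

```python
"""Expected exhaustive-search effort versus symmetric key length.

Added example, not code from the slides or from the cited Blaze et al. report.
The attacker throughput figures (keys tested per second) and the doubling
period are constructed assumptions used only to illustrate the table's shape.
"""
import math

# Constructed attacker profiles: keys tested per second (assumed values).
ATTACKER_RATES = {
    "hacker using spare cycles": 1e6,
    "small business": 1e9,
    "corporate department": 1e11,
    "intelligence agency": 1e14,
}

KEY_LENGTHS = (40, 56, 64, 128)


def keyspace(bits: int) -> int:
    """Number of possible keys for a cipher with a bits-bit key."""
    return 2 ** bits


def expected_keys_tried(bits: int) -> int:
    """An exhaustive search succeeds, on average, after half the keyspace."""
    return keyspace(bits) // 2


def expected_seconds(bits: int, keys_per_second: float) -> float:
    """Mean wall-clock time to recover one key at the given trial rate."""
    return expected_keys_tried(bits) / keys_per_second


def relative_effort(bits_a: int, bits_b: int) -> int:
    """How many times more work a bits_b-bit key costs than a bits_a-bit key."""
    return 2 ** (bits_b - bits_a)


def years_until_feasible(bits: int, keys_per_second: float,
                         budget_seconds: float, doubling_years: float = 1.5) -> float:
    """Years until the search fits the time budget, assuming the attacker's
    trial rate doubles every doubling_years (a Moore's-law style assumption)."""
    ratio = expected_keys_tried(bits) / (keys_per_second * budget_seconds)
    if ratio <= 1:
        return 0.0
    return math.ceil(math.log2(ratio)) * doubling_years


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    header = " ".join(f"{b:>18}-bit" for b in KEY_LENGTHS)
    print(f"{'attacker (assumed rate)':28} {header}")
    for name, rate in ATTACKER_RATES.items():
        cells = [human_duration(expected_seconds(b, rate)) for b in KEY_LENGTHS]
        print(f"{name:28} " + " ".join(f"{c:>22}" for c in cells))
    print("56-bit vs 40-bit effort factor:", relative_effort(40, 56))
    print("years until a 40-bit key falls within one hour at 1e6 keys/s:",
          years_until_feasible(40, 1e6, 3600))
```

Two things the table alone does not make explicit: the jump from 40 to 56 bits is a factor of 65536 in work, not a factor of 1.4, and the 128-bit column stays out of reach even under generous doubling assumptions, which is why a key-length recommendation must be stated together with the planning horizon it is meant to cover.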

Cryptography: Open Issues

  • Compatibility & Interworking

  • Integration with other security mechanisms (e.g. VPNs and firewalls)

  • Exportability (“How many strings attached?”)

  • Trust (proprietary versus “open source”)

Authentication: Status

  • Algorithms of sufficient quality exist for different purposes

  • Many applications have become “authentication-aware”

  • A legal framework for the formal relevance of authentication exists in some countries

Authentication: Open Issues

  • Weak embedding into “real life” application environments, interworking problems and lack of user friendliness

  • “Missing link” between authentication and (personal) identification

  • Applicability on advanced business issues such as digital watermarks still missing

Redundancy / QoS: Status

  • Models for measurement and interpretation of key elements (delay, jitter etc.) exist

  • Research in the area of dynamically expressing QoS requirements by applications

  • Standard proposals for resource reservation and load balancing protocols exist

Redundancy/QoS: Open Issues

  • No unique standard yet - currently solved on a vendor-by-vendor basis

  • Internet QoS standards (e.g. RSVP) are complex and too resource/investment-intensive

  • Integration in existing infrastructure and management frameworks (CA Unicenter, Tivoli etc.) completely unresolved

Obligation: Status

  • Models for the creation, administration and use of digital certificates exist

  • X.509 v3 has been widely accepted as the leading certificate format

  • Software to operate a Public Key Infrastructure (including CAs, RAs etc.) exists

Obligation: Open Issues

  • PKI availability and interworking (especially inter-company or trans-border) insufficient, but would be prerequisite for wider use

  • Integration with existing B-2-B structures (especially EDI, S.W.I.F.T. etc) missing

  • Government regulation and legislation is slow and inconsistent

Other Open Issues

  • We are lacking the models and modelling tools to cope with complex security issues

  • University and continuing education on “applied security” is still in its infancy

  • There are too few operational “Networks of Excellence” including academia and business partners

IT Security as a Management Discipline

  • IT Security has moved from technical decision making to contributing to business decisions, as part of operational risk management

  • IT Security cost perception has moved from an insurance premium to a business asset

  • IT Security has a wider scope of responsibility



  • More than ever, IT Security needs strong support from basic and applied research

  • Shortcomings in adapting research results to business/industry must be overcome

  • The demand for skilled, interdisciplinary IT Security experts is growing quickly
