
Security 2.0: The Next Generation of Security for the Public Sector


Presentation Transcript


  1. Security 2.0: The Next Generation of Security for the Public Sector. John McCumber, Strategic Programs Manager

  2. Agenda
     1 Security Perceptions
     2 Critical Connections Survey Results
     3 Security 1.0
     4 Security 2.0
     5 Bridging the Gap – Preparing for a 2.0 World
     Symantec Vision 2007

  3. Critical Connections: About the Study
     Symantec recently announced the results of the 2008 Critical Connections Study, which polled 600 IT executives across Federal, state and local government, as well as private sector organizations, to identify information security connections, disconnects, and opportunities for improvement.
     • Report Includes:
       • Connections: Common nightmares, barriers, and areas of progress
       • Disconnects: Public/private collaboration and preparedness
       • Critical Connections: Perspectives on the National Cyber Security Initiative
     Download Full Study: www.symantec.com/symposium

  4. Critical Connections: Agreement on Need For Collaboration
     Is there a requirement for increased public/private collaboration in securing cyber space? Yes: Federal 68%, State and Local 59%, Private Sector 48%.
     Take Away: It Takes Two to Tango – Increased Coordination Required
     Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

  5. Disconnects: Diverse Preparedness Behaviors; Steps Needed to Improve Security
     [chart: "My organization has participated in cyber security preparedness exercises" and "My organization has automated cyber threat/vulnerability reporting", by sector; values shown: 64%, 63%, 44%, 39%, 38%, 32%]
     Take Away: Talk the Talk and Walk the Walk – Action Must Match Priority
     Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

  6. Federal Opportunity: Federal Government Can Offer Best Practices Based on its Progress
     78% of private sector respondents want more information from the government on cyber threats.
     Take Away: Open Door for Feds to Improve National Cyber Security
     Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

  7. National Cyber Security Initiative: Support Underscores Need for Cyber Security Leadership
     Believe the National Cyber Security Initiative will have a positive impact [chart labels in slide order: State and Local, Private Sector, Feds; values: 86%, 70%, 76%].
     When asked to name the most significant benefit of the National Cyber Security Initiative, few respondents picked "Common cyber security operating picture", the principal program objective [values: 12%, 11%, 11%].
     Take Away: Strong Enthusiasm, but Education Needed
     Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

  8. Security versus Risk Management
     • Security: something you feel
     • Risk: something you manage

  9. Risk in IT Systems
     "Find out the cause of this effect,
     Or rather say, the cause of this defect,
     For this effect defective comes by cause."
     - William Shakespeare, Hamlet

  10. The Complete Threat Model
     • Destruction: Availability; Reliability
     • Disclosure: Data analysis; Traffic analysis
     • Delay: Denial of service; System degradation
     • Distortion: Data integrity; Accuracy
     Threat sources: Outsider Malicious Threats • Insider Malicious Threats • Non-malicious Threats • Environmental

  11. Threat Classifications (tree as drawn on the slide)
     Threat: Environmental | Man-Made
     Man-Made: Internal | External
     Internal and External: Hostile | Non-Hostile
     Hostile: Structured | Unstructured

  12. Evolution from 1.0 to 2.0
     • 1980s: GATES, GUNS & GUARDS: Physical vulnerabilities; Data confidentiality; Outsider threats
     • 1990s: FIND & FIX: Electronic vulnerabilities; Data confidentiality, integrity & availability; Outsider & insider threats
     • 2000s: ASSESS & MANAGE: Risk & vulnerability analysis; Active network monitoring; Network security accreditation; Incident response & recovery
     Reactive: vulnerability discovered, fix it and close the hole. Proactive: mitigate the risk with technology or processes, or transfer it.

  13. Find-and-Fix Security
     • Technical issues only
     • Vulnerability-centric
     • Probes exterior boundaries
     • Little "analysis"
     • Recommends point solutions
       • tied to specific vulnerabilities
       • based on consultant's experience

  14. Penetration-and-Patch Security
     [chart: Technology vs. Time; the curve for IT systems evolution runs above the curve for defensive capabilities, the distance between them bracketed as the "vulnerability gap"]

  15. Compliance-based Security Audit
     • Static
     • Subjective
     • Intuitive
     • Inconsistent results
     • Compliance-based

  16. Security Objective
     [chart: Technology vs. Time; curves for IT systems evolution and for risk management/security 2.0]

  17. IT Risk Management
     The process of designing, developing, sustaining, and modifying operational processes and systems in consideration of applicable risks* to asset confidentiality, integrity, and availability.
     *Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

  18. IT Risk Management
     • Incorporates an analytical, systems approach into the entire operational and support cycle
     • Provides systems and operational leaders a reliable decision support process
     • Encourages protection of only that which requires protection
     • Manages cost while achieving significant performance benefits

  19. IT Risk Management Principles
     • Anti-hacking does not = security
     • Data does not = information
     • Systems security certification does not = risk management
     • Meeting the demands of risk management requires more than assessing and mandating security features.

  20. Managing Risk
     "When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind: it may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the stage of science."
     - William Thomson, 1824–1907

  21. Assessing Risk: Empirical, Objective
     [chart: axes Cost, Performance and Risk, showing the effect of Applying Safeguards]

  22. Essential Elements of Risk
     • Threats
     • Assets
     • Vulnerabilities
     • Safeguards
       • Products
       • Procedures
       • People

  23. Mathematical Relationship
     1: T × V × A = R_b (baseline risk)
     2: (T × V × A) / S = R_r (residual risk, S = safeguards applied)

  24. Risk = Volume of a Cube
     [figure: two cubes with axes Threat, Vulnerability and Asset; one labelled Baseline Risk, the other Residual Risk after Safeguards Applied]
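As an added example that is not part of the presentation, the relationship from slides 23 and 24 applied to a small constructed asset register: each asset carries Threat, Vulnerability and Asset-value scores, safeguards are grouped as products, procedures and people (slide 22), and the register is ranked by residual risk so protection is targeted only where the measure says it is needed (slide 18). The 1-10 scoring scale, the per-safeguard divisor and its multiplicative combination into S are assumptions of this example, not the speaker's method.

```python
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    kind: str      # "product", "procedure" or "people" (slide 22)
    factor: float  # assumed: divisor >= 1.0; 1.0 means no risk reduction


@dataclass
class Asset:
    name: str
    threat: float         # T, on an assumed 1-10 scale
    vulnerability: float  # V, on an assumed 1-10 scale
    value: float          # A, asset criticality on an assumed 1-10 scale
    safeguards: list = field(default_factory=list)


def baseline_risk(a: Asset) -> float:
    """R_b = T x V x A: volume of the risk cube before safeguards."""
    return a.threat * a.vulnerability * a.value


def safeguard_strength(a: Asset) -> float:
    """S: combined safeguard divisor (multiplicative combination is an assumption)."""
    s = 1.0
    for sg in a.safeguards:
        if sg.factor < 1.0:
            raise ValueError(f"{sg.name}: a safeguard cannot increase risk")
        s *= sg.factor
    return s


def residual_risk(a: Asset) -> float:
    """R_r = (T x V x A) / S: the cube after safeguards are applied."""
    return baseline_risk(a) / safeguard_strength(a)


def rank_register(assets, acceptable: float):
    """Rank assets by residual risk, descending; flag those still above the acceptable level."""
    rows = [(a.name, baseline_risk(a), residual_risk(a)) for a in assets]
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(name, rb, rr, rr > acceptable) for name, rb, rr in rows]


# Constructed register for illustration; not data from the talk.
REGISTER = [
    Asset("public web portal", 8, 6, 7, [Safeguard("WAF", "product", 2.0),
                                         Safeguard("monthly patch cycle", "procedure", 1.5)]),
    Asset("payroll database", 5, 4, 10, [Safeguard("DB encryption", "product", 2.0),
                                         Safeguard("DBA training", "people", 1.25),
                                         Safeguard("access review", "procedure", 2.0)]),
    Asset("kiosk PC", 6, 9, 2, []),  # low value, but no safeguards at all
]

if __name__ == "__main__":
    for name, rb, rr, above in rank_register(REGISTER, acceptable=60):
        print(f"{name:18s} baseline={rb:6.1f} residual={rr:6.1f} {'ACT' if above else 'ok'}")
```

The kiosk PC has a smaller baseline cube than the payroll database yet ends up with the higher residual risk, which is the ranking that decides where the next safeguard dollar goes.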

  25. Knowledge Gathered from the Symantec Global Intelligence Network
     Vulnerability Database
     • 55,000+ technologies from over 8000 vendors
     • Capturing previously unseen threats and attack methods
     Honeypot Network
     • 30+ Million Probe Messages a day
     • Generates statistics on 1+ Billion email messages a day
     • Geo-location capabilities on servers and zombies
     Fraud: Spam & Phishing
     • Managed devices in 70+ countries
     • 120 Million Threat/Virus Submission Systems
     • Over 100,000 security alerts generated annually
     • 200,000 daily code submissions
     • 2 Billion+ events logged daily
     • 40,000+ Sensors in 200+ Countries

  26. Intelligence Behind the Global Intelligence Network
     • 4 MSS Security Operations Centers
     • 29 Global Support Centers
     • 11 Security Research Centers
     Locations: Gothenburg, Sweden; Aschheim, Germany; Wiesbaden, Germany; Calgary, Alberta, CA; Ratingen, Germany; Dublin, Ireland; Warsaw, Poland; Roseville, MN; Shannon, Ireland; Seattle, WA; Bloomfield Hills, MI; Toronto, CA; Zaltbommel, NLD; Reading, Green Park, GBR; Milan, Italy; Springfield, OR; Brussels, Belgium; Englewood, CO; Newton/Waltham, MA; Seoul, South Korea; San Francisco, CA; Herndon, VA; Beijing, China; Madrid, Spain; Oak Brook, IL; Mountain View, CA; Tokyo, Japan; Orem, UT; Durham, NC; Cupertino, CA; Chengdu, China; Atlanta, Georgia; Shanghai, China; Dallas, TX; Santa Monica, CA; Dubai, UAE; Riyadh, Saudi Arabia; Heathrow, FL; Houston, TX; Alexandria, VA; San Luis Obispo, CA; Austin, Texas; Miami, FL; Taipei, Taiwan; Culver City, CA; Mumbai, India; Hong Kong, China; Mexico City, Mexico; Pune, India; Singapore; Chennai, India; Brisbane, Aus; São Paulo, Brazil; Sandton, South Africa; Buenos Aires, Argentina; Melbourne, Aus; Sydney, Aus

  27. Threat Evolution Timeline
     [chart, 1988 to 2008: motives move from curiosity and individuals toward crime and nation-states; items as listed on the slide, most recent first: Phishing Explodes; Phishing; Crimeware; Zero Day Exploits & Threats; Rootkits On the Rise; Spyware & Adware Explode; Adware; Spyware; Paid Vulnerability Research; Bots & Botnets; DDoS Attacks; Bots Explode; Tracking Cookies; Spam Explodes; Spam; Vulnerabilities Openly Discussed; Mass Mailing Worms; Network Worms; Destructive Virus; Virus; Macro Virus]

  28. Threat Landscape – Overarching Themes
     • The Web is quickly becoming the distribution point for malicious code and attacks
     • Malicious activity that targets end-users rather than computers
     • Consolidation and maturation in the Underground Economy
       • Specialized production and provisioning
       • Outsourcing
       • Multivariate pricing
       • Flexible business models
     • Rapid adaptability of attackers and attack activity

  29. The Web as the Focal Point
     • Vulnerabilities in websites are more popular because they allow for more sophisticated and multi-staged attacks.
     • Site-specific vulnerabilities outnumber traditional vulnerabilities nearly 5 to 1 with much lower patch rates: only 473 of the site-specific vulnerabilities had been patched at the time of reporting.
     [chart: Site-specific vulnerabilities vs. Traditional vulnerabilities]

  30. End-Users are the Primary Target
     • Social networking Web sites are easy for criminals to spoof and, because social networking pages are generally trusted by users, phishing attacks mimicking them may have a better chance of success.
     • Symantec measured the adoption rate of applications and found that, of 54,609 unique applications deployed on Microsoft Windows PCs, 65 percent were malicious.
     [charts: Top Phishing Countries and Targets; Phishing Web Site Hosts]

  31. Underground Economy: Specialization
     • The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.

  32. Underground Economy: Outsourcing, Pricing Flexibility
     • Romania was home to the third most phishing Web sites during this period and the most phishing Web sites in EMEA.
     • In order to take advantage of economic efficiencies and entice buyers, sellers will offer reduced prices on larger volumes of goods for sale.
     • A mature, consolidated economy is characterized by the development and implementation of specific business models that are suitable to the prevailing influences within the economy.

  33. Rapid Adaptation – New Markets
     • Adaptability in the form of geographic mobility and new markets as attackers seek digital "safe-havens".
     • Relocation to regions or countries in which security practices, legislation and/or infrastructure are not particularly well developed.

  34. Vulnerability Trends – Additional Metrics
     • Symantec documented 2,134 vulnerabilities in the current reporting period, 13% fewer than the previous reporting period.
     • Severity classification: High severity 3%, Medium severity 61% and Low severity 36%.
     • Web applications constituted 58% of all documented vulnerabilities.
     • 73% of vulnerabilities documented this period were easily exploitable, compared to 72% in the previous period.
     • The W.O.E. (window of exposure) for enterprise vendors was 46 days, a decrease from the 55-day average in the first half of 2007.
     • Mozilla had the most vulnerabilities of any browser at 88, but Microsoft had the highest browser W.O.E. at 11 days.
     • From July 1st to December 31st 2007, Symantec documented 9 zero-day vulnerabilities, an increase over the previous reporting period. All affected third-party applications for the Windows platform.
     • 92 vulnerabilities were documented in security products this period, down from 113 in the previous period.

  35. Filling the Policy Gap
     • Policy: what you can define/mandate
     • "policy gap"
     • Technology tools: what you can enforce

  36. Predicting the Future

  37. Future Watch
     • Increasing use of whitelisting technologies
     • Portable media and shrink-wrapped devices
     • The decline of IRC controlled bot networks
     • Increase in threats attempting to influence US election results

  38. Managing Security 2.0
     • If you can measure, you can:
       • justify
       • target
       • control
       • predict
     • If you can measure, you can actively MANAGE, and help security evolve from art to science.

  39. Questions & Answers
     John McCumber, john_mccumber@symantec.com