Security 2.0: The Next Generation of Security for the Public Sector
Presentation Transcript

Security 2.0:The Next Generation of Security for the Public Sector

John McCumber, Strategic Programs Manager

Agenda

1. Security Perceptions
2. Critical Connections Survey Results
3. Security 1.0
4. Security 2.0
5. Bridging the Gap – Preparing for a 2.0 World

Symantec Vision 2007

Critical Connections

About the Study

  • Report Includes:
  • Connections: Common nightmares, barriers, and areas of progress
  • Disconnects: Public/private collaboration and preparedness
  • Critical Connections: Perspectives on the National Cyber Security Initiative

Symantec recently announced the results of the 2008 Critical Connections Study, which polled 600 IT executives across Federal, state and local government, as well as private sector organizations to identify information security connections, disconnects, and opportunities for improvement.


Download Full Study:

www.symantec.com/symposium

Critical Connections

Agreement on Need For Collaboration

Is there a requirement for increased public/private collaboration in securing cyber space? Yes:

  • Federal: 68%
  • State and Local: 59%
  • Private Sector: 48%

Take Away: It Takes Two to Tango – Increased Coordination Required

Based on an April 2008 study of 600 Federal, state and local government, and private sector executives. Download the full study at: www.symantec.com/symposium

Disconnects

Diverse Preparedness Behaviors; Steps Needed to Improve Security

Survey statements charted by sector:

  • My organization has participated in cyber security preparedness exercises
  • My organization has automated cyber threat/vulnerability reporting

Chart values: 64%, 63%, 44%, 39%, 38%, 32%

Take Away: Talk the Talk and Walk the Walk – Action Must Match Priority


Federal Opportunity

Federal Government Can Offer Best Practices Based on its Progress

78% of private sector respondents want more information from the government on cyber threats

Take Away: Open Door for Feds to Improve National Cyber Security


National Cyber Security Initiative

Support Underscores Need for Cyber Security Leadership

Believe the National Cyber Security Initiative will have a positive impact:

  • State and Local: 86%
  • Private Sector: 70%
  • Feds: 76%

When asked to name the most significant benefit of the National Cyber Security Initiative, few respondents picked “Common cyber security operating picture,” the principal program objective:

  • State and Local: 12%
  • Private Sector: 11%
  • Feds: 11%

Take Away: Strong Enthusiasm, but Education Needed


Security versus Risk Management
  • Security: something you feel
  • Risk: something you manage
Risk in IT Systems

Find out the cause of this effect,

Or rather say, the cause of this defect,

For this effect defective comes by cause.

- William Shakespeare, Hamlet

The Complete Threat Model

Destruction
  • Availability
  • Reliability

Disclosure
  • Data analysis
  • Traffic analysis

Delay
  • Denial of service
  • System degradation

Distortion
  • Data integrity
  • Accuracy

  • Outsider Malicious Threats
  • Insider Malicious Threats
  • Non-malicious Threats
  • Environmental
Threat Classifications

  • Threat
    • Environmental
    • Man-Made
      • Internal
        • Hostile
          • Structured
          • Unstructured
        • Non-Hostile
      • External
        • Hostile
          • Structured
          • Unstructured
        • Non-Hostile

Evolution from 1.0 to 2.0

1980s: GATES, GUNS & GUARDS
  • Physical vulnerabilities
  • Data confidentiality
  • Outsider threats

1990s: FIND & FIX
  • Electronic vulnerabilities
  • Data confidentiality, integrity & availability
  • Outsider & insider threats

2000s: ASSESS & MANAGE
  • Risk & vulnerability analysis
  • Active network monitoring
  • Network security accreditation
  • Incident response & recovery

Reactive: vulnerability discovered, fix it and close the hole

Proactive: mitigate the risk with technology, processes, or transfer it

Find-and-Fix Security
  • Technical issues only
  • Vulnerability-centric
  • Probes exterior boundaries
  • Little “analysis”
  • Recommends point solutions
    • tied to specific vulnerabilities
    • based on consultant’s experience
Penetration-and-Patch Security

Chart (Technology vs. Time): defensive capabilities lag IT systems evolution, and the distance between the two curves is the vulnerability gap.

Compliance-based Security Audit
  • Static
  • Subjective
  • Intuitive
  • Inconsistent results
  • Compliance-based
Security Objective

Chart (Technology vs. Time): risk management/security 2.0 tracks IT systems evolution instead of lagging it.

IT Risk Management

The process of designing, developing, sustaining, and modifying operational processes and systems in consideration of applicable risks* to asset confidentiality, integrity, and availability.

*Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

IT Risk Management
  • Incorporates an analytical, systems approach into the entire operational and support cycle
  • Provides systems and operational leaders a reliable decision support process
  • Encourages protection of only that which requires protection
  • Manages cost while achieving significant performance benefits
IT Risk Management Principles
  • Anti-hacking does not = security
  • Data does not = information
  • Systems security certification does not = risk management
  • Meeting the demands of risk management requires more than assessing and mandating security features.


Managing Risk

"When you can measure what you are speaking about, and express it in numbers, you know something about it;

But when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind:

It may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the stage of science."

- William Thomson, 1824 - 1907

Assessing Risk: Empirical Objective

Chart: applying safeguards is a trade-off among cost, performance and risk.

Essential Elements of Risk
  • Threats
  • Assets
  • Vulnerabilities
  • Safeguards
    • Products
    • Procedures
    • People
Mathematical Relationship

T x V x A = R

1: T x V x A = R_b (baseline risk)

2: R_r (residual risk, after safeguards S are applied)

Risk = Volume of a Cube

Chart: a cube whose edges are Threat, Vulnerability and Asset; its volume is RISK. Two cubes are shown: Baseline Risk, and the smaller Residual Risk after Safeguards Applied.
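The cube model carried through as an added example (not McCumber's or Symantec's code): baseline risk R_b is the T x V x A volume, and because the slides give no formula for step 2, residual risk R_r here assumes each safeguard scales one cube edge by a multiplier; the records system, safeguard names, multipliers and costs are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    threat: float         # likelihood and capability of the threat, rated 1-10
    vulnerability: float  # ease of exploiting the weakness, rated 1-10
    asset: float          # value of the asset at stake, rated 1-10

@dataclass(frozen=True)
class Safeguard:
    name: str
    kind: str          # "products", "procedures" or "people" (the slide's taxonomy)
    factor: str        # which cube edge it shortens: threat, vulnerability or asset
    multiplier: float  # assumed model: residual edge = edge * multiplier, 0 < m <= 1
    cost: float        # constructed, unitless annual cost

def baseline_risk(s: Scenario) -> float:
    """Step 1 from the slide: R_b = T x V x A, the volume of the cube."""
    return s.threat * s.vulnerability * s.asset

def apply_safeguards(s: Scenario, safeguards) -> Scenario:
    """Step 2 (assumed model): each safeguard shrinks the one edge it targets."""
    edges = {"threat": s.threat, "vulnerability": s.vulnerability, "asset": s.asset}
    for sg in safeguards:
        if not 0 < sg.multiplier <= 1:
            raise ValueError(f"{sg.name}: multiplier must be in (0, 1]")
        edges[sg.factor] *= sg.multiplier
    return Scenario(**edges)

def residual_risk(s: Scenario, safeguards) -> float:
    """R_r: the smaller cube left after the safeguards S are applied."""
    return baseline_risk(apply_safeguards(s, safeguards))

def rank_by_value(s: Scenario, safeguards):
    """Risk removed per unit cost: the number behind 'justify' and 'target'."""
    base = baseline_risk(s)
    scored = [(sg.name, (base - residual_risk(s, [sg])) / sg.cost) for sg in safeguards]
    return sorted(scored, key=lambda t: t[1], reverse=True)

# Constructed sample: an internet-facing records system and three candidate safeguards.
RECORDS = Scenario(threat=8, vulnerability=6, asset=9)
OPTIONS = [
    Safeguard("patch SLA", "procedures", "vulnerability", 0.5, 20_000),
    Safeguard("web application firewall", "products", "threat", 0.7, 50_000),
    Safeguard("administrator security training", "people", "vulnerability", 0.8, 5_000),
]

if __name__ == "__main__":
    print("baseline R_b =", baseline_risk(RECORDS))  # 432
    print("residual R_r =", round(residual_risk(RECORDS, OPTIONS), 2))  # 120.96
    for name, value in rank_by_value(RECORDS, OPTIONS):
        print(f"{name:32s} risk removed per unit cost: {value:.5f}")
```

The ranking shows why the slide insists on measuring: the cheapest option removes the most risk per unit cost, which is not visible from the safeguard list alone.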

Knowledge Gathered from the Symantec Global Intelligence Network

Vulnerability Database

  • 55,000+ technologies from over 8000 vendors
  • Capturing previously unseen threats and attack methods

Honeypot Network

  • 30+ Million Probe Messages a day
  • Generates statistics on 1+ Billion email messages a day
  • Geo-location capabilities on servers and zombies

Fraud: Spam & Phishing

  • Managed devices in 70+ countries
  • 120 Million Threat/ Virus Submission Systems
  • Over 100,000 security alerts generated annually
  • 200,000 daily code submissions
  • 2 Billion+ events logged daily
  • 40,000+ Sensors in 200+ Countries
Intelligence Behind the Global Intelligence Network
  • 4 MSS Security Operations Centers
  • 29 Global Support Centers
  • 11 Security Research Centers
  • Gotheburg, Sweden
  • Aschheim, Germany
  • Wiesbaden, Germany
  • Calgary, Alberta, CA
  • Ratingen, Germany
  • Dublin, Ireland
  • Warsaw, Poland
  • Roseville, MN
  • Shannon, Ireland
  • Seattle, WA
  • Bloomfield Hills, MI
  • Toronto, CA
  • Zaltbommel, NLD
  • Reading, Green Park, GBR
  • Milan, Italy
  • Springfield, OR
  • Brussels, Belgium
  • Englewood, CO
  • Newton/Waltham, MA
  • Seoul, South Korea
  • San Francisco, CA
  • Herndon, VA
  • Beijing, China
  • Madrid, Spain
  • Oak Brook, IL
  • Mountain View, CA
  • Tokyo, Japan
  • Orem, UT
  • Durham, NC
  • Cupertino, CA
  • Chengdu, China
  • Atlanta, Georgia
  • Shanghai, China
  • Dallas, TX
  • Santa Monica, CA
  • Dubai, UAE
  • Riyadh, Saudi Arabia
  • Heathrow, FL
  • Houston, TX
  • Alexandria, VA
  • San Luis Obispo, CA
  • Austin Texas
  • Miami, FL
  • Taipei, Taiwan
  • Culver City, CA
  • Mumbai, India
  • Hong Kong, China
  • Mexico City, Mexico
  • Pune, India
  • Singapore
  • Chennai, India
  • Brisbane, Aus
  • Sao Paola, Brazil
  • Sandton, South Africa
  • Buenos Aires, Argentina
  • Melbourne, Aus
  • Sydney, Aus

Threat Evolution

Threat Evolution Timeline, 1988 to 2008. Attacker motivations shown on the chart: crime, nation-states, individuals, curiosity. Milestones as charted:

  • Phishing Explodes
  • Phishing
  • Crimeware
  • Zero Day Exploits & Threats
  • Rootkits On the Rise
  • Spyware & Adware Explode
  • Adware
  • Spyware
  • Paid Vulnerability Research
  • Bots & Botnets
  • DDoS Attacks
  • Bots Explode
  • Tracking Cookies
  • Spam
  • Spam Explodes
  • Vulnerabilities Openly Discussed
  • Mass Mailing Worms
  • Network Worms
  • Virus
  • Destructive Virus
  • Macro Virus


Threat Landscape – Overarching Themes

  • The Web is quickly becoming the distribution point for malicious code and attacks
  • Malicious activity that targets end-users rather than computers
  • Consolidation and maturation in the Underground Economy
    • Specialized production and provisioning
    • Outsourcing
    • Multivariate pricing
    • Flexible business models
  • Rapid adaptability of attackers and attack activity


The Web as the Focal Point

  • Vulnerabilities in websites are more popular because they allow for more sophisticated and multi-staged attacks.
  • Site-specific vulnerabilities outnumber traditional vulnerabilities nearly 5 to 1 with much lower patch rates – only 473 of the site-specific vulnerabilities had been patched at the time of reporting.

Chart: site-specific vulnerabilities vs. traditional vulnerabilities.

End-Users are the Primary Target

  • Social networking Web sites are easy for criminals to spoof and, because social networking pages are generally trusted by users, phishing attacks mimicking them may have a better chance of success.
  • Symantec measured the adoption rate of applications and found that, out of 54,609 unique applications deployed on Microsoft Windows PCs, 65 percent were malicious.

Charts: Top Phishing Countries and Targets; Phishing Web Site Hosts.

Underground Economy Specialization

  • The significant increase in new threats over the past year is indicative of the work of specialized malicious code authors and the existence of organizations that employ programmers dedicated to the production of these threats.

Underground Economy - Outsourcing, Pricing Flexibility

  • Romania was home to the third most phishing Web sites during this period and the most phishing Web sites in EMEA.
  • In order to take advantage of economic efficiencies and entice buyers, sellers will offer reduced prices on larger volumes of goods for sale.
  • A mature, consolidated economy is characterized by the development and implementation of specific business models that are suitable to the prevailing influences within the economy.


Rapid Adaptation – New Markets

  • Adaptability in the form of geographic mobility and new markets as attackers seek digital “safe-havens”.
  • Relocation to regions or countries in which security practices, legislation and/or infrastructure are not particularly well developed.


Vulnerability Trends - Additional Metrics

  • Symantec documented 2,134 vulnerabilities in the current reporting period, 13% fewer than the previous reporting period.
  • Severity classification: High severity 3%, Medium severity 61% and Low severity 36%.
  • Web applications constituted 58% of all documented vulnerabilities.
  • 73% of vulnerabilities documented this period were easily exploitable compared to 72% in the previous period.
  • The W.O.E. for enterprise vendors was 46 days, a decrease from the 55 day average in the first half of 2007.
  • Mozilla had the most vulnerabilities of any browser at 88 but Microsoft had the highest browser W.O.E. at 11 days.
  • From July 1st - December 31st 2007, Symantec documented 9 zero-day vulnerabilities, an increase over the previous reporting period. All affected 3rd party applications for the Windows platform.
  • 92 vulnerabilities were documented in security products this period, down from 113 in the previous period.

Filling the Policy Gap

Policy – what you can define/mandate

“policy gap”

Technology tools – what you can enforce


Future Watch

  • Increasing use of whitelisting technologies
  • Portable media and shrink-wrapped devices
  • The decline of IRC controlled bot networks
  • Increase in threats attempting to influence US election results

Managing Security 2.0
  • If you can measure, you can:
    • justify
    • target
    • control
    • predict
  • If you can measure, you can actively MANAGE, and help security evolve from art to science.
Questions & Answers

John McCumber

john_mccumber@symantec.com
