
The Changing Role of IT Security in an Internet World

A Business Perspective

(and a request for help)

Hannes Lubich

Bank Julius Baer, Zurich

Outline
  • IT Security Properties and Threats
  • IT Security Building Blocks, Shortcomings and Further Research Requirements
  • The Changing Role of IT Security as a Management Discipline
Sources of IT Security Threats

Operation and reputation of the firm as a whole

Government and private intelligence community

“Internal” threats (dishonest employees, software failures etc.)

Business partners (customers, outsourcers, competitors, suppliers, etc.)

Hackers, pranksters, investigative reporters etc.

1998 Computer Crime and Security Survey


  • Joint Study by US Federal Bureau of Investigation (FBI) and Computer Security Institute (CSI)
  • 520 Companies surveyed

Major Findings

  • 64% of companies have reported a security breach
  • Cumulative financial loss is over 136 million USD
  • Unauthorised insider access is the major threat
  • Theft of proprietary information is in second position
Financial Losses by Type of Threat

Source: Cylink Document "The Need for Information Security"

Current IT Threats

Source: Icove/Seger/Von Storch, Computer Crime, O'Reilly, 1995, p. 22

Technical Risks





Business Risks
  • Delayed order processing
  • Processing of falsified orders
  • Disclosure of customer data or intentions
  • Financial consequences due to damage of customer data or systems
  • Damage to the reputation of the firm
Legal/Regulatory Risks
  • Disclosure of customer relationship
  • Damage claims
  • Taxation/Customs aspects
  • National/international restrictions of inter- and intra-business financial transactions
  • Rules imposed by regulators
Basic IT-Security Assets and Solution Technologies

Confidentiality: Encryption

Digital signatures

Integrity: Authentication

Availability: Redundancy

Encryption: Status
  • Basic research has created sufficiently good encryption algorithms.
  • Vendors have integrated encryption into some of their products
  • As part of the Internet growth, encryption issues are gaining public attention
On Breaking Cryptography

Table columns: Type of Attacker; Budget for Computer; Time to Break 40-bit Key; Time to Break 56-bit Key; Time to Break 64-bit Key; Time to Break 128-bit Key

Table rows (Type of Attacker): Hacker Using Spare Cycles; Pedestrian Engine; Small Business; Corporate Department; Big Company or Internet; Intelligence Agency

Source: Blaze, Rivest, Diffie, Schneier, Shimomura, Thompson, Wiener; “Minimal Key Lengths for Symmetric Cyphers, A Report By An Ad-Hoc Group of Cryptographers And Computer Scientists”

Cryptography: Open Issues
  • Compatibility & Interworking
  • Integration with other security mechanisms (e.g. VPNs and firewalls)
  • Exportability (“How many strings attached?”)
  • Trust (proprietary versus “open source”)
Authentication: Status
  • Algorithms of sufficient quality exist for different purposes
  • Many applications have become “authentication-aware”
  • Legal frameworks for the formal relevance of authentication exist in some countries
Authentication: Open Issues
  • Weak embedding into “real life” application environments, interworking problems and lack of user friendliness
  • “Missing link” between authentication and (personal) identification
  • Applicability to advanced business issues such as digital watermarks still missing
Redundancy / QoS: Status
  • Models for measurement and interpretation of key elements (delay, jitter etc.) exist
  • Research in the area of dynamically expressing QoS requirements by applications
  • Standard proposals for resource reservation and load balancing protocols exist
Redundancy/QoS: Open Issues
  • No unique standard yet - currently solved on a vendor-by-vendor basis
  • Internet QoS (i.e. RSVP) standards are complex and too resource/investment-intensive
  • Integration in existing infrastructure and management frameworks (CA Unicenter, Tivoli etc.) completely unresolved
Obligation: Status
  • Models for the creation, administration and use of digital certificates exist
  • X.509 v3 has been widely accepted as the leading certificate format
  • Software to operate a Public Key Infrastructure (including CAs, RAs etc.) exists
Obligation: Open Issues
  • PKI availability and interworking (especially inter-company or trans-border) insufficient, but would be a prerequisite for wider use
  • Integration with existing B-2-B structures (especially EDI, S.W.I.F.T. etc) missing
  • Government regulation and legislation is slow and inconsistent
Other Open Issues
  • We are lacking the models and modelling tools to cope with complex security issues
  • University and continued education on “applied security” is still in its infancy
  • There are too few operational “Networks of Excellence” including academia and business partners
IT Security as a Management Discipline
  • IT Security has moved from technical decision making to business decision contributing, as part of operational risk management
  • IT Security cost perception has moved from an insurance premium to a business asset
  • IT Security has a wider scope of responsibility
  • More than ever, IT Security needs strong support from basic and applied research
  • Shortcomings in adapting research results to business/industry must be overcome
  • The demand for skilled, interdisciplinary IT Security experts is growing quickly