Information Security Trends

Dec 4, 2013

The Information Security Process

Information Security Trends

Emiliano Kargieman

ek@corest.com

Agenda

- The briefest introduction to IS you’ve ever seen
- Cybercrime indicators, threats and trends
- Where is this going?
- What do we do about it?

Information Security

The Context: the Information Age

The Fundamentals
- Privacy
- Authenticity and Integrity
- Availability
- Non-Repudiation

The Purpose
- Dissuasion
- Prevention
- Auditing

[Diagram: organizational units of a company (IT, Transport/Logistics, Production, Sales, Admin.)]

Current Scenario: “if it ain’t broken, don’t fix it”

- As the complexity and flexibility of information systems increase, security decreases.
- Legacy systems are not maintained or audited
- Low level of awareness in decision makers
- Lack of security focus from software/HW vendors and integrators
- Lack of a global framework to analyze and understand security
- Lack of security “best practices”

And then…

- Unforeseen vulnerabilities
- High risk, high level of exposure
- High administrative effort
- Risk is managed reactively; it’s all damage control.

“Cybercrime”: Indicators and Trends

Indicators

- Indicators of cybercrime are historically hard to find.
- Incidents are not usually reported.

[Chart: most common reasons for not reporting a security incident, according to the CSI/FBI survey, by year from 1996 to 2001 on a 0 to 100 scale; the two reasons shown are “Negative publicity” and “It could be useful for competitors” (values shown: 90 and 75)]

Indicators

- To be reported, attacks need to be detected first!
- A 1996 survey by the Defense Information Systems Agency showed the following results for a systematic attack against government targets:

Attacks: 38,000
  Successful: 24,700 (65%)
    Detected: 988 (4%)
      Reported: 267 (0.7%)
    Not detected: 23,712 (96%)

This is still true: most attacks go undetected!

Sources of information

- 2001/2002 CSI/FBI Computer Crime and Security Survey: www.gocsi.com
- Information Security Magazine 2001 Industry Survey: www.infosecuritymag.com
- GAO/AIMD-96-84 (DISA): www.gao.gov, www.disa.mil
- Honeynet project: www.project.honeynet.org
- Bugtraq mailing list: www.securityfocus.com
- ARIS: www.securityfocus.com
- CERT: www.cert.org
- SANS Incidents: www.incidents.org
- Dshield project: www.dshield.org

CSI/FBI Survey 2002

- 2002 CSI/FBI Computer Crime and Security Survey
- Performed by
  - Computer Security Institute
  - San Francisco FBI’s Computer Intrusion Squad
- Results for the years 1996 to 2002 are analyzed


CSI/FBI Survey 2002 (cont.)

- 538 surveyed
  - USA
  - Public and private sectors
  - 24% with 10,000+ employees
  - 37% with $1,000,000,000+ revenues

[Pie chart: respondents by sector: Others 32%, Financial 19%, Hi Tech 19%, Government 19%, Manufacturing 11%]

CSI/FBI Survey 2002 (cont.)

Quantifiable loss in the last 12 months (in millions):

1997: 100
1998: 137
1999: 124
2000: 266
2001: 369
2002: 455

- 2001: 78% admitted loss, but only 37% could quantify it
- 2002: 80% admitted loss, 44% could quantify it


The Honeynet project

- “Know your enemy...”
- Decoy network of 8 computers running
  - Linux
  - Solaris
  - Windows
- No efforts to attract attackers
- Monitored from April 2000 to February 2001

The Honeynet project: some results

- The estimated lifetime for a Linux RedHat default install is less than 72 hours.
- Some systems were compromised less than 15 minutes after being plugged into the network.
- The estimated lifetime for a default install of Windows 98 is less than 24 hours.
- During February 2001, 206 complete port-scans were registered.

Top Ten Attacks Q1 2002

1. Code Red: MS Indexing Server/Indexing Services ISAPI Buffer Overflow Attack
2. Nimda: Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Attack
3. Matt Wright Formmail attack
4. WU-FTPD File Globbing Heap Corruption Attack
5. SSH CRC32 Compensation Detection Attack
6. Generic CDE dtspcd Buffer Overflow Attack
7. Generic System V Derived Login Buffer Overflow Attack
8. Generic SNMP PROTOS Test Suite Attacks
9. Shaft DDoS Client To Handler Attack
10. PHP Post File Upload Buffer Overflow Attack

Example worm spread (Code Red / Nimda)

Attack technology evolution

- Attack frameworks
  - Easy to use malicious code
  - Reduces knowledge needed to attack
  - Allows for coordinated multiparty attacks
- Attack automation
  - Distributed DoS / very complex worms / directed virus
  - Faster target acquisition
  - Large scale attacks with low resources
  - Brute-force attack paths

The “War Games” Scenario

- Fully automated attack tools
- Fully automated responsive tools
- A zero-sum game?

Where do we go from here?

The perception of risk

- There is no real security.
- Security is only the perception of risk.
- Security management is risk management.
- To increase security, risk needs to be:
  - Modeled
  - Quantified
  - Minimized over time

Information Flow

- Model the flow of information in an organization, where players communicate, process and store information.

Entry points

- Each of these actions and interactions possesses its own risk.

[Diagram: the information flow with each entry point labelled with its own risk R_i]

Risk quantification

  Risk (R_i) = (Threats × Vulnerabilities × Impact) / Countermeasures

- Threats: attacker profile, resources available
- Vulnerabilities: software flaws, biased policies, bad protocols, etc.
- Impact: loss, attractiveness
- Countermeasures: practices and technologies

A risky game

  Risk = Σ R_i over the information flow (I.F.)

  T << mT
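As an added worked example, not part of the presentation, the formula from the two preceding slides applied to a constructed information flow with three entry points, summed into the organization's total risk and used to pick the countermeasure upgrade that lowers that total most; the entry point names and the 1 to 10 scores are assumptions made up for the example.

```python
"""Risk quantification over an information flow (added example, not from the
slides).  Each entry point i gets R_i = (Threats * Vulnerabilities * Impact) /
Countermeasures, and the organization's risk is the sum of the R_i over the
information flow.  Scores use a constructed 1..10 scale; all values are assumed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class EntryPoint:
    name: str
    threats: float          # attacker profile, resources available
    vulnerabilities: float  # software flaws, biased policies, bad protocols
    impact: float           # loss, attractiveness
    countermeasures: float  # practices and technologies in place (> 0)

    def risk(self) -> float:
        if self.countermeasures <= 0:
            raise ValueError("countermeasures must be positive")
        return self.threats * self.vulnerabilities * self.impact / self.countermeasures


# Constructed information flow: three entry points where players exchange data.
INFORMATION_FLOW = [
    EntryPoint("web server (sales)", 8, 6, 7, 4),
    EntryPoint("VPN (admin)", 5, 3, 9, 6),
    EntryPoint("file share (production)", 3, 7, 5, 2),
]


def total_risk(flow):
    """Risk = sum of R_i over the information flow."""
    return sum(ep.risk() for ep in flow)


def best_single_upgrade(flow, delta=1.0):
    """The one countermeasure improvement (+delta) that cuts total risk most.
    Returns (entry point name, new total risk).  This is not always the entry
    point with the highest R_i: the gain also depends on how few
    countermeasures are already in place there."""
    baseline = total_risk(flow)
    best = None
    for ep in flow:
        hardened = replace(ep, countermeasures=ep.countermeasures + delta)
        new_total = baseline - ep.risk() + hardened.risk()
        if best is None or new_total < best[1]:
            best = (ep.name, new_total)
    return best
```

With these numbers the web server carries the largest R_i (84 of a total 159), yet hardening the poorly protected file share is the single upgrade that reduces total risk most.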

There are no recipes

- The information infrastructure and the information flow are unique to each organization.
- Threats, vulnerabilities, impact: they all depend on the process we are trying to protect.
- All these variables and factors evolve over time, and so does risk.
- Security emerges from the unique qualities of an information system.
- There are no silver bullets.

Security is a process

[Diagram: Security Policy, Risk Modeling, Security Architecture, Visibility and Control; caption: “The role of the policy”]

Inside the Corporations

Industry Context

- Several years of technological legacy
- Increasing dependency on IT for business
- Need to accelerate the adoption of new technology in order to compete
- Heterogeneous IT infrastructure
- Difficulty in understanding the secondary effects of new technologies
- Risk is managed reactively
- Lack of a global framework to analyze and solve security problems
- Unforeseen vulnerabilities, more risk and more administrative effort

The way for Industry

- Understanding
  - Risk modeling and managing
  - Cultural paradigm shift
  - Security in terms of business processes
  - Strategic vision
- Interaction
  - To cope with the “holistic” security view and address the emerging vulnerabilities.
- Enforceability and Manageability
  - Not only tools: frameworks

A product mapping

[Diagram: product map covering firewalls, PKI, file system restrictions, application security, risk modeling, network discovery and pen testing]

Product Implementations

Integration

- Point products solve isolated problems.
- To address the emerging security problems, we need the modules managing different security areas to communicate.
- Integration will reduce the administrative effort and the implementation effort.
- Integration is not just a cosmetic resemblance.
- The security modules should be able to change the behavior of the whole security system.

DAC, MAC, RBAC

- RBAC: Role-Based access control
- MAC: Mandatory access control
- DAC: Discretionary access control

[Chart: the three models positioned on two axes, Manageability (- to +) and Flexibility (- to +)]

Roles

- A player attains a function in the organization by participating in a series of processes.
- In each of these processes, the player has a specific, well defined role.
- To perform a role in a process, a player needs access to a well-defined set of resources in the organization.

Managing the security policy graph

- The relationship between players, functions, roles and resources can be represented as a directed graph.

[Diagram: directed graph Player → Function → Role → Resource, with a function branching into several roles and a role into several resources]

Granularity

- The detail we obtain in the definition and control of the resources needed for performing a specific role gives us a measure of the granularity of the security policy.
- Granularity allows us to address emerging vulnerabilities.
- Granularity allows us to close the gap between security and flexibility.

[Diagram: one role linked to several resources]

Resources:
- Servers/services
- Applications
- Communications
- Files
- Devices
- Transactions
- Registry/configuration
- etc.

Accuracy

- The resources needed to perform each role are distinct.
- The same player should or shouldn’t be allowed access to a given resource depending on the process she is participating in.
- Failing to accomplish this will render our security policy inaccurate.

[Diagram: Role A and Role B, each linked to its own set of resources]
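The security policy graph from the Roles, Granularity and Accuracy slides as an added example that is not the presentation's own code: a Player → Function → Role → Resource graph where roles are active only inside a process, so the same player gets a different answer for the same resource depending on the process, plus a check of what a process-blind policy would grant in excess. The player, processes, roles and resource names are constructed assumptions.

```python
"""Security policy graph Player -> Function -> Role -> Resource (added example,
not from the presentation).  Roles are scoped to the process the player is
participating in, so the same player may be allowed or denied the same resource
depending on the process.  All players, roles and resources are constructed."""

# Player -> functions attained by taking part in processes (constructed).
PLAYER_FUNCTIONS = {"alice": {"accounting", "operations"}}
# (function, process) -> roles the function plays in that process.
FUNCTION_ROLES = {
    ("accounting", "month-end close"): {"ledger-writer", "report-reader"},
    ("accounting", "audit"): {"report-reader"},
    ("operations", "deployment"): {"deployer"},
}
# Role -> the well-defined set of resources it needs; the resource types are
# the granularity of the policy (files, transactions, services, configuration).
ROLE_RESOURCES = {
    "ledger-writer": {"file:/finance/ledger.db", "transaction:journal.post"},
    "report-reader": {"file:/finance/reports/"},
    "deployer": {"service:prod-web-01/ssh", "config:prod-web-01/app.conf"},
}


def active_roles(player, process):
    """Walk Player -> Function -> Role, keeping only roles active in this process."""
    roles = set()
    for function in PLAYER_FUNCTIONS.get(player, ()):
        roles |= FUNCTION_ROLES.get((function, process), set())
    return roles


def reachable_resources(player, process):
    """Walk on to Role -> Resource: everything the player may touch in this process."""
    resources = set()
    for role in active_roles(player, process):
        resources |= ROLE_RESOURCES.get(role, set())
    return resources


def is_allowed(player, process, resource):
    """Access decision.  Same player and resource, different process: different answer."""
    return resource in reachable_resources(player, process)


def excess_if_flattened(player, process):
    """What a process-blind policy (player gets the union of all her roles) would
    grant beyond what this process needs: the inaccuracy the Accuracy slide warns about."""
    union = set()
    for (function, proc) in FUNCTION_ROLES:
        if function in PLAYER_FUNCTIONS.get(player, ()):
            union |= reachable_resources(player, proc)
    return union - reachable_resources(player, process)
```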

Outside Corporations

Government Context

- As an information system, the government shares the same problems as the industry.
- It sets and negotiates a local framework
  - Standards
  - Regulations
  - Commercial/penal legislation
  - Export/import restrictions
  - Subsidies
- It creates and manages local security infrastructure
  - Like PKI, ERT, legal advice, law enforcement
- It negotiates international agreements

Some developments in the US

- Two historic failures
  - Export crypto regulations
  - Clipper Chip
- Two alarming examples
  - Digital Millennium Copyright Act
  - Anti-Terrorism Act
- Two interesting developments to follow
  - Pentest regulations for federal agencies
  - GovNet

IT/IS professionals and scientists

- IS is in a very early phase of development, mainly an information gathering / experiment definition stage.
- We need to start asking certain fundamental questions.
  - What does the world look like?
  - What are the fundamental entities that make up this world?
  - What questions can be asked about them?
  - Modeling, formalizing, experimenting, generalizing, theorizing…
- The industry had, has and will have a very influential position
  - How are the technologies that are being implemented reducing risk?
  - To what extent does this technology protect our critical resources and processes?
  - Does this reduction of risk justify the money spent? The effort to implement and manage it?

Brasil
Rua do Rócio 288 | 7º andar | Conj. 73 e 74
Vila Olímpia, São Paulo/SP, CEP 04552-000
Tel: (55 11) 3054-2534 / 35
info.brasil@corest.com

Argentina
Florida 141 | 2º cuerpo | 7º piso
(C1005AAC) Buenos Aires
Tel/Fax: (54 11) 4878-CORE (2673)
info.argentina@corest.com

USA
44 Wall Street
New York, NY 10005 | USA
Tel: (212) 461-2345
Fax: (212) 461-2346
info.usa@corest.com

Thank you!

(If you ask a question you get a copy of the presentation!)

Threats

- Quantified by attacker profile, knowledge, financial resources, human resources, reach, interests:
  - Amateur
  - Hacker
  - Hacker group
  - Unsatisfied employee
  - Competition
  - Organized crime
  - Intelligence agency
  - Terrorist organizations

Threats evolve

[Chart: example of projected evolution of threat share by attacker profile, 1985 to 2010, 0% to 100%, with series for terrorist groups, intelligence agencies, organized crime, competing companies, groups of individuals, and individuals]

Vulnerabilities

- Design flaws
  - Critical information systems
  - Networks
  - Security architecture
- Implementation flaws
  - Operating system vulnerabilities
  - Application vulnerabilities
  - Hardware vulnerabilities
- Misuse or misconfiguration
- Policy weaknesses
- Unclear responsibilities

Impact

- Attack consequences, quantified by financial loss, negative publicity, etc.
  - Loss of proprietary information
  - Corruption of critical information
  - Financial fraud
  - Interruption of critical processes
  - Sabotage
  - Telecommunication fraud

Countermeasures

- Security tools, software and mechanisms
  - Network devices
  - Crypto
  - Access control
  - Etc.
- Procedures
  - Emergency response
  - Auditing capabilities
  - Visibility
  - Training
- (We’ll go into more detail)

Risk Modeling

- Define scope
- Identify critical processes
- Identify critical resources
- Points of failure
- Set milestones
- Test the policy

[Diagram: Security Policy, Risk Modeling, Security Architecture, Visibility and Control; caption: “The role of the policy”]

Security Architecture

- Define policies based on your CURRENT capabilities
- Manage
- Enforce

[Diagram: Security Policy, Risk Modeling, Security Architecture, Visibility and Control; caption: “The role of the policy”]

Visibility and Control

- Define policies you CAN control
- See your policy at work
- Provide feedback for tuning
- Identify next steps

[Diagram: Security Policy, Risk Modeling, Security Architecture, Visibility and Control; caption: “The role of the policy”]