2008 12 08 larry clinton dcr presentation
TRANSCRIPT
-
7/31/2019 2008 12 08 Larry Clinton DCR Presentation
1/37
Larry Clinton
President
Internet Security Alliance, [email protected]
703-907-7028 (O) 202-236-0001 (C)
-
Founders
-
ISA Board of Directors
Ty Sagalow, Esq., Chair; President, Product Development, AIG
Marc-Anthony Signorino, National Association of Manufacturers
Ken Silva, CSO, VeriSign
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Lt. Gen. Charles Croom (Ret.), VP Cyber Security Strategy, Lockheed Martin
J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon
Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services
-
Our Partners
-
The Old Web
-
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
The Web Today
-
The Web is Inherently Insecure---and getting more so
The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06
-
The Earlier Threat: Growth in vulnerabilities (CERT/CC)
[Bar chart, vulnerabilities reported per year, 1995 through 2002: 171, 345, 311, 262, 417, 1,090, 2,437, 4,129]
-
The Earlier Threat: Cyber incidents
[Bar chart, incidents per year, 1988 through 2002: 6, 132, 252, 406, 773, 1,334, 2,340, 2,412, 2,573, 2,134, 3,734, 9,859, 21,756, 55,100, 110,000]
-
The Changing Threat
A fast-moving virus or worm pandemic is not the threat it was...
2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
2005: there were only 6.
2006 and 2007: zero.
-
Faces of Attackers Then
Chen-Ing Hau
CIH Virus
Joseph McElroy
Hacked US Dept of Energy
Jeffrey Lee Parson
Blaster-B Copycat
-
Faces of Attackers Now
Andrew Schwarmkoff
Russian Mob Phisher
Jay Echouafni
Competitive DDoS
Jeremy Jaynes
$24M SPAM KING
-
The Threat Landscape is Changing

Early Attacks
Who: Kids, researchers, hackers, isolated criminals
Why: Seeking fame & glory; use widespread attacks for maximum publicity
Risk Exposure: Downtime, business disruption, information loss, defacement

New Era Attacks
Who: Organized criminals, corporate spies, disgruntled employees, terrorists
Why: Seeking profits, revenge; use targeted stealth attacks to avoid detection
Risk Exposure: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure
-
Characteristics of the New Attackers
Shift to profit motive
Zero day exploits
Increased investment and innovation in malcode
Increased use of stealth techniques
-
Digital Growth?
Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.
---Stanford University Study, July 2006
Sure
-
Digital Defense?
29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
50% of Senior Executives said they did not know how much money was lost due to attacks
Maybe Not
Source: PricewaterhouseCoopers survey of 7,000 companies 9/06
-
Digital Defense
23% of CTOs did not know if cyber losses were covered by insurance.
34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg
Not So Much
-
Economic Effects of Attacks
25% of our wealth---$3 trillion---is transmitted over the Internet daily
FBI: Cyber crime cost business $26 billion (probably a LOW estimate)
Financial Institutions are generally considered the safest---their losses were up 450% in the last year
There are more electronic financial transfers than paper checks now
Only 1% of cyber crooks are caught
-
Why Doesn't Everyone Invest in Cyber Security?
Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized.
---Stanford University 06
-
Management is WRONG
A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:
Improved Product Safety (38%)
Improved Inventory Management (14%)
Increase in timeliness of product development (30%)
-
Security, like Digital Technology, must be Integrated in the Business Plan
Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.
---PricewaterhouseCoopers, September 2006
-
C-SPAN Interview, ISA Chairman, 2007
-
CERT Knowledgebase Examples
-
Senior Managers' Best Practices
Cited in US National Draft Strategy to Protect Cyber Space
Endorsed by TechNet for CEO Security Initiative
Endorsed by US India Business Council
Currently Being Updated
-
Best Practices: Model Contracts
Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.
Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)
-
Securing The IT Supply Chain In The Age of Globalization, November 2007
-
Financial Impact of Cyber Risk, October 2008
-
Developing SCAP Automated Security & Assurance for VoIP & Converged Networks, September 2008
-
Industry Affairs/Government Relations
-
Releasing the Cyber Security Social Contract, November 2008
-
CNN Interview, July 2008
-
Congressional Testimony, October 2007
-
What to Tell President Obama?
1. We need to increase our emphasis and investment on cyber security
2. Cyber Security must be recognized as critical infrastructure maintenance
3. Cyber Security is not an IT problem
4. Cyber security is an enterprise-wide risk management problem
5. Government and Industry need a new relationship
-
Obama: Inconvenient truths
1. All security is reliant on cyber systems
2. Cyber systems are inherently in the private sector's hands
3. US cannot tackle the cyber security issues unilaterally
-
Cyber Social Contract
Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development through market incentives
Consumer protection through regulation
Government role to motivate is more creative, and harder
Industry role is to develop practices and standards and implement them