2008 12 08 larry clinton dcr presentation

Upload: isalliance

Post on 05-Apr-2018


TRANSCRIPT

  • 7/31/2019 2008 12 08 Larry Clinton DCR Presentation

    1/37

    Larry Clinton

    President

    Internet Security [email protected]

    703-907-7028 (O) 202-236-0001 (C)

  • 2/37

    Founders

  • 3/37

    ISA Board of Directors

    Ty Sagalow, Esq., Chair; President, Product Development, AIG
    Marc-Anthony Signorino, National Association of Manufacturers
    Ken Silva, CSO, VeriSign
    Tim McKnight, CSO, Northrop Grumman
    Jeff Brown, CISO/Director IT Infrastructure, Raytheon
    Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
    Lawrence Dobranski, Chief Strategic Security, Nortel
    Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
    Joe Buonomo, President, DCR
    Lt. Gen. Charles Croom (Ret.), VP Cyber Security Strategy, Lockheed Martin
    J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon
    Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services

  • 4/37

    Our Partners

  • 5/37

    The Old Web

  • 6/37

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Web Today

  • 7/37

    The Web is Inherently Insecure --- and getting more so

    "The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network."

    Source: Hancock, Cutter Technology Journal 06

  • 8/37

    The Earlier Threat: Growth in vulnerabilities (CERT/CC)

    [Bar chart, vulnerabilities reported per year, 1995 to 2002: 171; 345; 311; 262; 417; 1,090; 2,437; 4,129]

  • 9/37

    The Earlier Threat: Cyber incidents

    [Bar chart, incidents reported per year, 1988 to 2002: 6; 132; 252; 406; 773; 1,334; 2,340; 2,412; 2,573; 2,134; 3,734; 9,859; 21,756; 55,100; 110,000]

  • 10/37

    The Changing Threat

    A fast-moving virus or worm pandemic is not the threat it was...

    2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).

    2005: there were only 6. 2006 and 2007: zero.

  • 11/37

    Faces of Attackers Then

    Chen-Ing Hau

    CIH Virus

    Joseph McElroy

    Hacked US Dept of Energy

    Jeffrey Lee Parson

    Blaster-B Copycat

  • 12/37

    Faces of Attackers Now

    Andrew Schwarmkoff

    Russian Mob Phisher

    Jay Echouafni

    Competitive DDoS

    Jeremy Jaynes

    $24M SPAM KING

  • 13/37

    The Threat Landscape is Changing

    Early Attacks
      Who: Kids, researchers, hackers, isolated criminals
      Why: Seeking fame & glory; use widespread attacks for maximum publicity
      Risk Exposure: Downtime, business disruption, information loss, defacement

    New Era Attacks
      Who: Organized criminals, corporate spies, disgruntled employees, terrorists
      Why: Seeking profits, revenge; use targeted stealth attacks to avoid detection
      Risk Exposure: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure

  • 14/37

    Characteristics of the New Attackers

    Shift to profit motive
    Zero day exploits
    Increased investment and innovation in malcode
    Increased use of stealth techniques

  • 15/37

    Digital Growth?

    "Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth."

    ---Stanford University Study, July 2006

    Sure

  • 16/37

    Digital Defense?

    29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year

    50% of Senior Executives said they did not know how much money was lost due to attacks

    Maybe Not

    Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

  • 17/37

    Digital Defense

    23% of CTOs did not know if cyber losses were covered by insurance.

    34% of CTOs thought cyber losses would be covered by insurance ---- and were wrong.

    "The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security."

    ---Source: DHS Chief Economist Scott Borg

    Not So Much

  • 18/37

    Economic Effects of Attacks

    25% of our wealth --- $3 trillion --- is transmitted over the Internet daily

    FBI: Cyber crime cost business $26 billion (probably LOW estimate)

    Financial Institutions are generally considered the safest --- their losses were up 450% in the last year

    There are more electronic financial transfers than paper checks now. Only 1% of cyber crooks are caught.

  • 19/37

    Why Doesn't Everyone Invest in Cyber Security?

    "Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized."

    ---Stanford University 06

  • 20/37

    Management is WRONG

    A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:

    Improved Product Safety (38%)
    Improved Inventory management (14%)
    Increase in timeliness of product development (30%)

  • 21/37

    Security, like Digital Technology, must be Integrated in the Business Plan

    "Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan."

    PricewaterhouseCoopers, September 2006

  • 22/37

  • 23/37

    C-SPAN Interview, ISA Chairman, 2007

  • 24/37

    CERT Knowledgebase Examples

  • 25/37

    Senior Managers Best Practices

    Cited in US National Draft Strategy to Protect Cyber Space

    Endorsed by TechNet for CEO Security Initiative

    Endorsed by US India Business Council

    Currently Being Updated

  • 26/37

    Best Practices: Model Contracts

    Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.

    Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)

  • 27/37

    Securing The IT Supply Chain In The Age of Globalization

    November, 2007

  • 28/37

    Financial Impact of Cyber Risk

    October, 2008

  • 29/37

    Developing SCAP Automated Security & Assurance for VoIP & Converged Networks

    September, 2008

  • 30/37

    Industry Affairs/Government Relations

  • 31/37

    Releasing the Cyber Security Social Contract

    November, 2008

  • 32/37

    CNN Interview

    July, 2008

  • 33/37

    Congressional Testimony

    October, 2007

  • 34/37

    What to Tell President Obama?

    1. We need to increase our emphasis and investment on cyber security

    2. Cyber Security must be recognized as critical infrastructure maintenance

    3. Cyber Security is not an IT problem.

    4. Cyber security is an enterprise-wide risk management problem

    5. Government and Industry need a new relationship

  • 35/37

    Obama: Inconvenient truths

    1. All security is reliant on cyber systems

    2. Cyber systems are inherently in the private sector's hands

    3. US cannot tackle the cyber security issues unilaterally

  • 36/37

    Cyber Social Contract

    Similar to the agreement that led to public utility infrastructure dissemination in the 20th century

    Infrastructure development through market incentives

    Consumer protection through regulation

    Government role is to motivate: more creative, harder

    Industry role is to develop practices and standards and implement them

  • 37/37

    Larry Clinton

    President

    Internet Security [email protected]

    703-907-7028 (O) 202-236-0001 (C)