Internet Threats, U.S. Strategy to Secure Cyberspace, & Education: How do they all fit together?

Tiffany Jones
Director, North and Latin American Government Relations

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



Attack Trend Highlights from Symantec’s Internet Security Threat Report (March 2004)

• Financial services, healthcare and power & energy were among the hardest hit by severe events. Critical infrastructure and businesses with significant financial resources tend to experience a relatively high severe attack rate. Universities are still largely being used as the launching pad for attacks.

[Figure: bar chart, "Severe Events Experienced by Industries Per 10,000 Events". X axis: Industries (Financial Services, Business Services, Healthcare, Power & Energy, Media/Ent., Nonprofit, E-Commerce, Mfg, High Tech, Teleco). Y axis: Severe events (0 to 9). Bar values shown: 7.8, 6.2, 6.1, 5.4, 5.1, 3.0, 2.7, 2.5, 2.4, 1.9.]


Vulnerability Trend Highlights

• Symantec documented 2,636 new vulnerabilities in 2003.

• This is an average of seven per day.

• This is a less than 2% increase over 2002, indicating that a plateau may have been reached.

• Perhaps more worrisome is the fact that the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking.

• Client-side vulnerabilities in Microsoft® Internet Explorer are on the rise. These may allow attackers to compromise the systems of client users who unwittingly visit malicious Web sites. In the past six months, researchers discovered 34 vulnerabilities in Internet Explorer.


Trend Highlights

• Backdoors: Attackers and blended threats increasingly targeted backdoors left by other attackers and worms. By leveraging existing backdoors to gain control of a target system, attackers can install their own backdoor, or use the compromised system to participate in a distributed denial of service attack (DDoS).

• Peer-to-Peer: A large number of attackers targeted common peer-to-peer file sharing ports, which occupy three out of ten positions in the ranking. This reflects the increased popularity of peer-to-peer file sharing and the tendency for organizations to filter this traffic.

• Newly discovered vulnerabilities are increasingly severe. Accordingly, the number of low severity vulnerabilities is decreasing. High-severity vulnerabilities give increased privileges and access to more prominent targets.

• From 2002 to 2003, the volume of confidential data threats in the top 50 submissions increased 148%. Previously, 22% of Symantec’s top ten malicious code submissions were a threat to privacy and confidentiality of data. In the past six months, the volume of such submissions has risen to 78%.


Future Trends

• The decreasing time between vulnerability disclosure and widespread exploitation is discussed in this and previous reports. The likelihood of blended threats that exploit unpublished vulnerabilities (otherwise known as “zero-day” blended threats) is increasing. Symantec believes that “zero-day” threats are imminent. A “zero-day” blended threat could target such a vulnerability before that vulnerability is announced and a patch made available. If such an outbreak occurs, widespread damage could occur before users are able to effectively patch their systems.

• Do companies/entities that practice "good" cybersecurity in fact receive fewer attacks and less damage than others who don't?


New technologies fuel the fire

Projected by 2005:

• Broadband: 1/3 of all G7 households

• Set-top Boxes: 400M in use worldwide

• Instant Messaging: 1B users in the world

• Wireless: 2B Internet-enabled devices worldwide


White House Cover Letter Key Points

• “Securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society – the federal government, state and local governments, the private sector and the American people.”

• “The cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership.”


National Strategy to Secure Cyberspace Objectives

1. Prevent cyber attacks against America’s critical infrastructures;

2. Reduce national vulnerability to cyber attacks; and

3. Minimize damage and recovery time from the cyber attacks that do occur.


National Strategy to Secure Cyberspace Priorities

• Priority I: A National Cyberspace Security Response System

• Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program

• Priority III: A National Cyberspace Security Awareness and Training Program

• Priority IV: Securing Governments’ Cyberspace

• Priority V: National Security and International Cyberspace Security Cooperation


Priority III: Awareness, Education & Training with four major actions/initiatives

• Promote a national awareness program to empower all levels of the American population to secure their own parts of cyberspace (home users, small businesses, enterprises, sectors, etc.)

• Foster adequate training and education programs

• Increase the efficiency of existing federal cybersecurity training programs

• Promote private-sector support for well-coordinated, widely recognized professional cybersecurity certifications


Individual’s Actions Directly Impact Risks

Behavior → Risk

• Opening unsolicited email → Becoming infected with virus or worm – causing widespread infections, etc.

• Not installing personal firewall → PC data is unsecured, including personal information, potentially financial information. PC may become accessible to unauthorized individuals

• Trusting all websites on the Internet → Potential of unknowingly downloading malicious code, identity/credit theft, cyber-stalking


Why Awareness and Education: Rising Costs to Businesses

[Figure: bar chart of costs in millions of dollars (axis $0 to $180) for 2000, 2001 and 2002, by category: Theft of proprietary information, Financial Fraud, Virus Attacks, Denial of Service Attacks, Laptop Theft. Values labeled on the chart: $171 M, $116 M, $50 M, $18 M, $12 M.]

Source: 2002 CSI/FBI Computer Crime and Security Survey


Forces


Large Organizations - Employees Directly Impact Information Security Risks

Inappropriate Behavior → Operational Impact

– Poor password protection → More open to network attack

– Fail to maintain positive control of laptops and PDAs → Loss of proprietary information; costs to replace equipment

– Lax telephone security → High costs from telephone fraud

– Unable to appropriately respond to social engineers or fraudulent actors → Organization vulnerable to exploitation and attack

– Fail to update virus protection software and scan files → High rate of virus infection; lost productivity due to down time

– Launch email attachments → High rate of virus re-infection

– Surf web and download files from Internet → Reduced network bandwidth; loss of worker productivity


Security Awareness, Training and Education

• Awareness:

– Information given to people to be mindful or conscious of; change a behavior

– Designed for large numbers of people

• Training:

– To make or become proficient with specialized instruction and practice

– Designed for specific individuals

• Education

– Knowledge or skills obtained through training and practice

– Designed for specific individuals


Principles of a Security Awareness Program

• Designed for specific audience based on demographics; much like a marketing campaign

• Perceived as useful to audience

• Motivational – people must feel compelled or motivated to participate

– Fun, interesting, benefits, mandated, etc.

• Information “floods” the consciousness of audience

– Information is “pushed” to audience

– Initially little to no action is required of the audience to obtain information


Essentials of a Good Security Awareness or Training Program

A successful security awareness program:

– Arouses interest and conveys the importance of information protection – the “Why”

– Informs people on information security essentials – the “How”

– Informs people of acceptable behaviors – the “What and Where”

– Evaluates message retention

– Ensures lasting change in people's behavior

– A training program has the same essentials as an awareness program, with the addition of more detailed and in-depth information; it provides all or most information on a subject necessary for predefined competency (for example: password awareness vs. access management training)


Programs Available

• Public Programs

– Mainly designed for Children, Consumer and Small Business

– Excellent information – some provide “one stop shopping”

– Primarily “Awareness” focused

– Free

• Private Programs

– Awareness, Training and Education programs available through companies like Symantec

– Excellent: customized courses

– Nominal cost


National Cyber Security Alliance (NCSA) Objectives/Goals

– Unique partnership among the Federal government, leading private sector companies, trade associations, educational organizations (Educause) and others. Through the NCSA’s Web site, www.staysafeoneline.info, the NCSA aims to educate individuals and small businesses on the need for computer security and encourage all computer users to protect their home and small business systems.

– Foster a “culture of security” where every individual and organization recognizes their responsibilities related to personal information and makes its protection part of their day-to-day routine;

– Conduct national awareness campaign (PSA, tool-kits, surveys, etc.)

– National Cybersecurity Awareness Day/Month

– Support the Department of Homeland Security and FTC campaign to implement a national cyberspace security awareness and training program;


Stay Safe Online: Top Ten Cybersecurity Tips

• 1. Use "anti-virus software" and keep it up to date.

• 2. Don't open email or attachments from unknown sources. Be suspicious of any unexpected email attachments even if they appear to be from someone you know.

• 3. Protect your computer from Internet intruders -- use "firewalls".

• 4. Regularly download security updates and “patches” for operating systems and other software.

• 5. Use hard-to-guess passwords. Mix upper case, lower case, numbers, or other characters not easy to find in a dictionary, and make sure they are at least eight characters long.

• 6. Back up your computer data on disks or CDs.

• 7. Don't share access to your computers with strangers. Learn about file sharing risks.

• 8. Disconnect from the Internet when not in use.

• 9. Check your security on a regular basis. When you change your clocks for daylight-savings time, reevaluate your computer security.

• 10. Make sure your family members and/or your employees know what to do if your computer becomes infected.