Study Group 4 The State of Security - PowerPoint PPT Presentation
About This Presentation
Title:

Study Group 4 The State of Security

Description:

Past, present, and future trends. Threat Analysis. Response Analysis ... Trend Analysis. Management Response 2006 Estimates. The Sarbanes-Oxley Effect ... – PowerPoint PPT presentation

Slides: 19
Provided by: ericm99
Transcript and Presenter's Notes

Title: Study Group 4 The State of Security


1
Study Group 4: The State of Security
  • Suraj Lalchandani
  • Andrew Lieffring
  • Thomas Litchfield
  • Gordana Lozo
  • Eric Medin
  • Mark Nichols

2
Topics
  • Past, present, and future trends
  • Threat Analysis
  • Response Analysis
  • Corporate evaluations of returns on investments
    in information security
  • The disparate perceptions of security between IT
    professionals and high-level executives
  • Phishing Attacks
  • The state of security as we see it

3
(No Transcript)
4
Trend Analysis: Types of Attacks, 2006 Estimates
  • Notable Changes
    • Laptop/mobile theft increased
      • Laptops are becoming more and more prevalent
      • Business is becoming global (more travelers)
      • Wireless hot spots put more laptops out in the
        open
    • Financial fraud increased
      • Due to recent examples of intrusions:
        • Bank of America
        • Wachovia
        • Credit card companies
    • Wireless network attacks increased
      • WAN presence is becoming broader every year
      • Home/SOHO users are not using adequate security
      • WEP protocol cracking

5
(No Transcript)
6
Trend Analysis: Management Response, 2006 Estimates
(The Sarbanes-Oxley Effect)
  • 2006 expenditure/investment per employee
    estimates were made based on "The Impact of
    Sarbanes-Oxley on Information Security by
    Industry Sector"
  • It is assumed that industries which have an
    increased awareness of and interest in information
    security because of Sarbanes-Oxley will spend
    more money per employee in the future
  • Industries with the most growth:
    • Utility
    • High-Tech
    • Manufacturing
    • Medical
    • Telecom
    • Educational
    • Financial
  • Industries with the least growth:
    • Federal Government
    • Local Government
    • Legal
    • Retail
    • State Government
    • Transportation

7
Evaluating ROI for Security
  • Analyzing potential economic consequences
  • E-business intensity
  • Cost of Security
  • Generic ROI for security

8
Steps to evaluate ROI for security
  • Analyzing potential economic consequences
    • How much do intrusions affect the company
      economically?
    • Immediate damages: the cost of repairing or
      replacing systems damaged by the intrusion.
    • Short-term damage: system downtime, negative
      impact on reputation, and loss of contractual
      obligations.
    • Long-term damage: decline in company stock
      price and market valuation.

9
Steps to evaluate ROI for security
  • E-business intensity
    • How much the company depends on web-based
      services for revenue generation.
    • If a company depends to a high extent on the
      web for revenue generation, it would invest more
      in security, as intrusions would greatly affect
      revenue generation.
    • If the company does little web- or
      internet-related business that affects its
      revenue, it might not want to invest a lot in
      high-tech security.

10
Steps to evaluate ROI for security
  • Cost of Security
    • In situations where system availability, data
      integrity, and confidentiality are extremely
      important, organizations spend as much as five
      percent of their IT budget on security.
    • Other than that, recent studies show that most
      organizations spend less than 2% of their IT
      budget on security.

11
Steps to evaluate ROI for security
  • Generic ROI for security
    • To calculate a generic ROI for security, the
      existing expenditures on security as well as the
      extra expenditure after re-evaluating threat
      levels have to be taken into consideration.
    • A consistent pattern of security breaches should
      be established and evaluated.
    • Certain types of organizations that deal with
      sensitive data are required by law to have a
      certain level of protection. Such organizations
      may have to spend even beyond the break-even
      point in order to achieve legal, regulatory, or
      contractual compliance.
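As an added worked example (not part of the slides), the four ROI steps above as a small Python model. The slides give no formulas, so the loss model, the ROI formula, the 2%/5% budget bands and all sample figures are assumptions of this example:

```python
from dataclasses import dataclass

# Hypothetical ROI model for the slides' four steps; formulas are assumptions.
@dataclass
class IntrusionDamage:
    immediate: float   # repairing / replacing systems damaged by the intrusion
    short_term: float  # downtime, reputation hit, lost contractual obligations
    long_term: float   # decline in stock price and market valuation

    def total(self) -> float:
        return self.immediate + self.short_term + self.long_term


def expected_annual_loss(damage: IntrusionDamage, breaches_per_year: float,
                         ebusiness_intensity: float) -> float:
    """Steps 1-2 (assumed model): loss per breach times the established breach
    rate, scaled by the share of revenue that depends on web services (0..1)."""
    if not 0.0 <= ebusiness_intensity <= 1.0:
        raise ValueError("ebusiness_intensity must be between 0 and 1")
    return damage.total() * breaches_per_year * ebusiness_intensity


def budget_band(total_spend: float, it_budget: float) -> str:
    """Step 3: place the spend against the 2% / 5% of IT budget figures."""
    share = total_spend / it_budget
    if share < 0.02:
        return "typical (<2% of IT budget)"
    if share < 0.05:
        return "above typical (2-5% of IT budget)"
    return "availability/integrity-critical (>=5% of IT budget)"


def security_roi(loss_before: float, loss_after: float, existing_spend: float,
                 extra_spend: float, compliance_minimum: float = 0.0):
    """Step 4 (assumed formula): ROI = (loss avoided - total spend) / total spend.
    Existing and extra expenditure both count; a legal or contractual minimum
    can push spend past the break-even point, in which case ROI goes negative."""
    total_spend = max(existing_spend + extra_spend, compliance_minimum)
    avoided = loss_before - loss_after
    return total_spend, (avoided - total_spend) / total_spend


if __name__ == "__main__":
    # Constructed figures for one hypothetical company (not from the slides).
    damage = IntrusionDamage(immediate=50_000, short_term=120_000, long_term=300_000)
    before = expected_annual_loss(damage, breaches_per_year=2.0, ebusiness_intensity=0.8)
    after = expected_annual_loss(damage, breaches_per_year=0.5, ebusiness_intensity=0.8)
    spend, roi = security_roi(before, after, existing_spend=150_000, extra_spend=100_000)
    print(f"loss avoided {before - after:,.0f}, spend {spend:,.0f}, ROI {roi:.2f}")
    print("budget band:", budget_band(spend, it_budget=10_000_000))
    # A regulated organisation forced to a 300k floor spends past break-even
    print("with compliance floor:", security_roi(before, after, 150_000, 100_000, 300_000))
```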

12
Perceptions of Information Security
  • Ninety-four percent (94%) of IT executives were
    very or somewhat confident in their
    organization's security, compared to 87% of
    business executives.
  • 77% of IT executives were very or somewhat
    concerned about a list of possible security
    breaches. Likewise, 80% of business executives
    were very or somewhat concerned about the same
    list of issues.
  • IT executives select more "hack-proof" passwords:
    75% of IT executives use a combination of letters
    and numbers in their personal PC passwords,
    compared to 62% of business executives.
  • IT executives are more cautious about opening
    email file attachments. 55% of IT executives open
    only files that they are expecting from someone,
    compared to 40% of business executives. 13% of
    business executives open all files that are of
    interest to them, compared to 8% of IT executives.
  • Business executives seem to be more frightened
    about what could happen to their systems than IT
    executives. IT executives may be more informed
    on how to prevent breaches of security. This
    would explain why business executives seem to be
    more careless with security, yet more concerned
    about it.

13
Phishing Attacks Get More Sophisticated
  • In March, the total number reported was 13,353,
    a two-percent increase from February.
  • The volume of phishing e-mails increased
    dramatically last year. Since February and March
    2005, the number has tapered off noticeably and
    could have peaked for the time being.
  • There appears to be an increase in the breadth
    and sophistication of the attacks being undertaken.
    During March, the number of unique phishing sites
    increased 6.9 percent to 2,870, while the number
    of brands being hijacked went up to 78 from 64
    percent in the previous month.
  • Most of the scamming was directed at customers of
    a few select brands, with eight percent of brands
    making up 80 percent of all activity.

14
Phishing Attacks Get More Sophisticated
  • Analysts see a rise in Trojan-based key-loggers
    launched via e-mail and instant messaging.
  • Attacks invite recipients to click on a link that
    leads to a Trojan-infected site.
  • During November and December 2004, the number of
    new key-loggers appearing on the Internet was
    around one to two new variants per week, hosted
    on between 10 and 15 new Web sites per week.
  • By February and March 2005, this had risen to 8
    to 10 key-loggers per week from around 100 Web
    sites.

15
Phishing Attacks Get More Sophisticated
  • Vulnerabilities in Internet Explorer: phishers
    can run code on a remote PC without permission.
  • Microsoft recently released a pair of add-ins to
    its MSN Search Toolbar with Windows Desktop
    Search, including one that detects Web sites that
    cyber criminals may be using to carry out
    phishing scams.
  • The add-in determines whether a site is
    suspicious by analyzing site characteristics to
    see if they match those commonly found on
    phishing sites.

16
In conclusion
  • Analysis of trends
    • Threat Analysis
      • Emerging technologies are the most vulnerable
        to attack
      • Existing technologies have evolved to deal
        with the threats, but are not impervious to
        attack
    • Response analysis
      • Spending on security will continue to increase
        as threats increase.
      • Governments will still be the biggest spenders
    • Economic Metrics
      • Reduced use of economic metrics to justify
        security expenses
      • Return on Investment analysis is the most
        popular as well as the most limited.
    • Perception Differences
      • Higher-ups generally underestimate risks
      • IT executives are more aware of problems than
        others.
    • Phishing
      • Security breaches are not just a technological
        problem, but also a social problem.

17
In conclusion
  • Overall, significant advances have been made in
    security, but as always they are countered by
    advances on the attackers' side. One of the most
    important such advances is the realization that
    the best weapon against security failures is
    knowledge: the strongest encryption in the world
    is worthless if bad human practices allow the
    password to be given out.

18
References
  • http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2005.pdf
  • http://www.infoworld.com/reports/30SRsecurityrr.html
  • http://www2.cio.com/research/cyberthreat_es.cfm
  • http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_audience_business_benefit09186a008010e490.html
  • Juan Carlos Perez, IDG News Service: "Microsoft
    Adds Antiphishing to IE Toolbar: Add-ins to MSN
    Search Toolbar with Windows Desktop Search are
    available now."
  • John E. Dunn, Techworld.com: "Phishing Attacks Get
    More Sophisticated: Analysts see rise in
    Trojan-based key-loggers launched via e-mail and
    instant messaging."