Combating Cyber Threats Secure Engineering - PowerPoint PPT Presentation

About This Presentation
Title:

Combating Cyber Threats Secure Engineering

Description:

Cybercrime proceeds in 2004 were $105 billion, greater than those of illegal ... Dealing with viruses, spyware, PC theft and other computer-related crimes costs ...

Slides: 12
Provided by: ibp147

Transcript and Presenter's Notes


1
Combating Cyber Threats Secure Engineering
  • Maya Srihari, IBM

2
Hacking has become a billion dollar industry
  • "Cybercrime proceeds in 2004 were $105 billion,
    greater than those of illegal drug sales,"
    Valerie McNiven, Advisor to US Department of
    Treasury
  • Identity fraud reached $52.6 billion in 2004,
    according to Javelin Strategy Research
  • Dealing with viruses, spyware, PC theft and other
    computer-related crimes costs U.S. businesses a
    staggering $67.2 billion a year, according to the
    FBI.
  • Over 130 major intrusions exposed more than 55
    million Americans to the growing variety of fraud
    as personal data like Social Security and credit
    card numbers were left unprotected, according to
    USA Today.

3
The trends are going the wrong way
More and More Vulnerabilities
Less and Less Time to Patch
4
Depending on Secrecy
  • Three may keep a secret, if two of them are
    dead.
  • Benjamin Franklin
  • Benjamin was a hopeless optimist.
  • Even individuals seem delighted to give away
    their secrets.
  • Phishing/pharming
  • One may keep a secret, if he doesn't know what
    it is.

5
Client System Risk is Dramatically Rising
  • Gartner Report on Phishing, June 2005
  • 400% increase in phishing email in last 6 months
  • 15% click through
  • 2.5% gave away sensitive data
  • $924M losses directly from phishing in 12 months
  • The number of attacks in the wild, and their
    lifetimes and impact are growing fast
  • 80% of clients have spyware infestations
    (Symantec 2005)
  • 30% of clients already have back doors (FSTC,
    Nov. 2004)
  • Attacks are becoming much more sophisticated
  • C2 level security no longer sufficient
  • Passwords are no longer sufficient

6
A good, secure system is all-important in today's
scenario
  • Our customers expect us to deliver products that
    are secured.
  • Security vulnerabilities impact the business by
    jeopardizing product sales, exposing the company
    to liability and damaging the company's
    reputation in the market place.
  • Certain customers like the US Federal Government
    are now mandating application security
    requirements.
  • Even if it's not contractually required, security
    is becoming a key differentiator in product
    selection.
  • Even the best and most security-conscious
    programmers' software has bugs.
  • Several studies conclude that for every thousand
    lines of code there is a security bug--a real
    vulnerability a hacker could exploit.

7
Poor Security can mean Big
  • Costs
  • Cost to consumers and the companies from which
    secure information has been stolen.
  • Cost to the company when a security bug is found
    and exploited
  • But does it have to happen?

8
Secure Engineering: Design it, Build it, Test it,
Document it and Ship it with security in mind.
  • People think of security in terms of products,
    such as firewalls, intrusion detection systems,
    and auditors
  • Security is often thought of in terms of patches
    for security gaps
  • But it's really part of the product development
    cycle.
  • SE seeks to ensure that security is properly
    architected, designed, and implemented in
    components, products, and service offerings in
    such a way that runtime execution is safe,
    secure, and satisfies threat/protection
    objectives.
  • Security engineering is about making the product
    more robust.
  • SE is not a separate development effort, but an
    aspect and quality of a development process (any
    development process, including waterfall/traditional,
    agile, iterative, and other methods).

10
The total customer experience
  • Consumability is a customer-centric term that
    describes our clients' end to end experience

[Figure: the total customer experience. Diagram labels: Opportunity, Evaluate, Buy, Obtain, Install, Set-Up, Use, Upgrade, Loyalty; Client goals, Offering(s) identified, Purchase completed, Offering delivered, Offering installed, Offering ready for use, Able to complete tasks, Offering upgraded]
11
Thank You