Achieving the Optimal Level of Network Security - PowerPoint PPT Presentation

1
  • Achieving the Optimal Level of Network Security
  • June 5, 2003

2
History, Theory, Trends
  • The Big Blue Era
  • PCs
  • Networks
  • Internet
  • Interconnected Networks

3
Evolving Risks
4
RISK CATEGORIES
  • Financial
  • Legal
  • Reputational
  • Career

5
RISK CATEGORIES
  • Financial
  • Contextual Type of Business
  • Direct is easy (Days Sales)
  • Indirect is more difficult
  • Insurance
  • Customer Assets
  • Intellectual Property
  • Preparation for Forensics

6
RISK CATEGORIES
  • Legal
  • Financial Services GLBA
  • Health Care HIPAA
  • Child Endangerment COPPA
  • Patriot Act
  • Et al. (there's more coming)
  • Negligence in general
  • Contract Terms

7
RISK CATEGORIES
  • Reputational
  • Trusted Advisor
  • Private Relationship
  • Vertical Network
  • Walking the Talk
  • No Insurance

8
Escalating Threats
(Chart: Skill Level of intruders)
9
Welcome to the Internet
  • Every computer criminal knows your address and
    lives next door
  • They rattle your doors and windows hundreds of
    times every day
  • Advanced tools are available to hackers for
    free to attack you
  • Why you?

10
Physical Security
  • Has institutionalized physical security knowledge
  • Layers its physical security based upon
    experience, regulation and common sense not an
    ROI gap analysis
  • Knows why someone would want to break in

11
Computer Security
  • Has limited institutionalized network security
    knowledge
  • Budgets for security based upon a growing
    awareness that escalates quickly with an event
  • Relies too heavily on Point in Time regulatory
    response initiatives
  • Still asks the question: Why would anyone want
    to hack us?

12
Parallels
  • Deterrence - Layers of security are designed to
    increase time and effort for attackers
  • Practicality - Impregnability is physically and
    budgetarily impossible
  • Ownership - For control purposes, security must be
    a specialization outside of functional
    disciplines

13
CERT Annual Statistics
(Chart) Reported incidents double each year and are
estimated to be only 10% of actual incidents.
2003: extrapolated from 1Q statistics
14
  • Questions?

15
Architecture and Design
  • Many people have knowledge of how to architect
    and design for security.
  • However, the hard parts are
  • Who do I listen to?
  • How do I effectively allocate available
    resources in my organization?

16
Everyone Wants to Help
  • Outside Accountants
  • Security Consultants
  • Security Monitoring Firms
  • Vulnerability Scanning Firms
  • Security Alert Services
  • Vendors
  • Managed Network Companies
  • Software Companies

17
Who's Right? Where to Start?
  • They are all right.
  • The challenge is
  • What is right for you?

18
(Chart: Business Risk vs. ROI Based Mitigated Risk;
security funded to an understood ROI risk level)
19
Legal / Reputational Factors
  • Every security decision is not directly ROI based
  • Legal requirements are a cost of doing business
  • Protecting the brand (reputation) is least tied
    to a direct ROI analysis
  • How do you integrate these factors?

20
Legal / Reputational Factors
  • The answer is you can't!
  • Unless someone else does, you own the liability.
  • As the discipline holder, you can approach the
    issue from a...
  • If I owned this company, I would...

21
Do You
  • Hire a translator/expert to help you...
  • Redesign your network?
  • Buy more and better firewalls?
  • Install a better VPN solution?
  • Install IDS and 24/7 monitoring?
  • Buy vulnerability and alert services?
  • Hire fresh eyes for assessments and attack and
    penetration tests?
  • Enforce new policy on users?

22
(Chart: the GAP between "the right thing to do" and
perceived risk)
23
Reality Check
  • The GAP exists when Reality and Perception of
    risk are not aligned
  • There are 2 methods of closing a GAP:
  • Senior Management receiving extensive awareness
    training on IT security as a business issue.
  • Proving to Senior Management that the GAP exists,
    typically by having something bad happen.

24
Your Reality
  • What happens if you have a severe computer
    security event?
  • 43% of our customers became customers within 30
    days of an event.
  • Approximately 50% of those customers had a
    personnel change in their IT area in that period.
    (They owned the Gap.)
  • There is no insurance for legal or reputational
    events
  • The Law may assist

25
(No Transcript)
26
Robert S. Mueller, III, Director, FBI, October
31, 2002
  • We are working closely and cooperatively with
    the Secret Service, but it is important for the
    FBI as an institution to recognize that five, ten
    years down the road, we must have the expertise
    to address cyber-attacks on our infrastructure
    and to address cyber-crime in all of its
    iterations. We must prepare and get that
    expertise now. That is why, when we sent out our
    list of priorities in the wake of September 11,
    cyber crime was one of our top three priorities.

27
Questions?
28
Application and Use: Top 10 Security Concerns
  • 1. Lack of an Appropriate Security Roadmap
  • 2. Unfunded Mandates (Walking the talk)
  • 3. Watching the Watchers
  • 4. User Behavior and Education
  • 5. Vulnerability Management
  • 6. (Lack of) Frequency
  • 7. Culture and Coordination of Disciplines
  • 8. Technology vs. security spending
  • 9. Partner / External Connectivity
  • 10. Event vs. Process Driven

29
Common Security Mistakes
  • 1. Firewall and annual audit panacea
  • 2. Not Watching the Watchers (Internal vs.
    External)
  • 3. Reliance on Point in Time Tactics
  • 4. R&D activities
  • 5. Reactive Design
  • 6. HR and IT coordination
  • 7. (Lack of) Change Management
  • 8. Remote location coordination
  • 9. Remote access to network devices
  • 10. Publicly Accessible Information

30
Where to Start?
  • Access Control
  • Network Design and Segmentation
  • Authentication
  • Policy and Procedure Alignment / Audit
  • Effective Coordination and Reporting
  • Documented and Tested Incident Response
  • Senior Management Involvement
  • Security as a Business Issue
  • Bridge the ROI Gap
  • Proactive Monitoring for Violations
  • Reality Check: Audit or Penetration Test

31
Take-A-Ways
  • 1. Bad things happen to good networks.
  • 2. Just because your IT staff is paranoid doesn't
    mean that people aren't really out to hack into
    your systems.
  • 3. IT security is much less expensive on a
    proactive basis vs. reactive remediation.
  • 4. You are probably doing many of the right
    things now; figure out how to do them more
    frequently and under a coordinated, cross-
    functional process.

32
Questions?