Plenary - Boundaryless Information Flow: Keeping IT Secure

Day 1: Monday 3rd February 2003
An International Perspective on Securing Information Flow

Introduction

Allen Brown, President of The Open Group

Allen began the conference by welcoming the delegates to Burlingame, and introduced the theme of the day. In the first session, key government security speakers from the United States, Japan and the European Community would be addressing the evolving policies and issues in information security. Allen introduced the first speaker, Andy Purdy.
Andy began his presentation by reflecting on the troubled times in which we live - acts of terrorism by organizations and individuals, and problems caused by individual criminal activities. The information technology revolution has changed the way business is transacted, government functions, and national defense is conducted. Protection of a country's information systems is essential to its critical infrastructures: telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services. Accordingly, cyber security is essential to US national security, the nation's economic well-being, law enforcement and public safety, and privacy. The overall strategic goal is to empower all Americans to secure their portions of cyberspace. It is the policy of the United States to protect against disruptions of the information systems supporting critical infrastructures, and to ensure that any disruptions that do occur are infrequent, of minimal duration, manageable, and cause the least possible damage. Andy moved on to consider the spectrum of sources of danger, ranging from teenage joyriders, through individuals engaged in ID theft, fraud, extortion, and industrial espionage, and nations engaged in espionage against U.S. companies and the U.S. government, to, most seriously, nations building information warfare units. The aim is not to focus on specific threats but on vulnerabilities: to have a strategy in which everyone is responsible for their portion of cyberspace. The Strategy provides a roadmap by removing barriers, empowering people and organizations to do their part, and fostering a national partnership between government, industry and individuals. The guiding principles of the Strategy are:
Sector strategies in support of this overall approach are being documented at www.pcis.org. The priorities in the strategy are:

Short Term (1-3 years):
Medium Term (3-5 years):
Long Term (5-10 years):
For home users and small businesses, the strategy is to empower the home user and small business person to protect their part of cyberspace and prevent it from being used to attack others. In large enterprises the aim is to encourage and empower the enterprise to establish secure systems, with several key themes: raising the level of responsibility, creating corporate security councils for cyber security where appropriate, implementing ACTIONS and best practices, and addressing the challenges of the borderless network. Several sectors are preparing strategies with lead organizations, including:
Overall the priorities of the Critical Infrastructure Protection Board are:
Questions

Q: Isn't there a fundamental problem, that enterprises are going to be able to do a certain amount to protect themselves, but there are threats that are beyond their power - such as a threat to elements of the infrastructure?
A: The strategy will allow for areas of government intervention in areas where corporate response is not adequate.
Q: Bob Blakely: Markets respond to financial incentives. How can a market-driven strategy work when it doesn't return value to the shareholders?
A: The alternative can stifle technology and innovation; it's our belief that we are getting the right kind of movement and direction, and the Government will be able to respond if the infrastructure owners are not able to respond appropriately.
Q: Eliot Solomon: How can public protection be achieved without intruding on the rights of individuals? Is there some movement to separate public and private spaces?
A: Many things that we have been accused of doing, like monitoring individual emails, we are not doing, and there is a great deal of sensitivity in the area of civil liberties.
Q: (questioner not known) The paradigm of the President has been in the direction of Open Source, publicly available code, which gives the potential for malicious code being inserted. How can this be made secure?
A: This problem is going to have to be addressed, and the experts in Government are aware of this.
Q: Bob Blakely: How expensive is this going to be for US business?
A: The business case is something that people in the private sector are trying to articulate, but companies are going to have to meet the best practices in the sector in which they operate.
Harada-san began his presentation by explaining that he intended to present Japanese Government policies on safety and security, and by distinguishing between the two: safety - free from danger, and security - protected. He also commented on the increase in awareness of the issues in Japan, due to the threats from viruses and cyber crime. IPA, the Japanese Information-technology Promotion Agency, is a cross-governmental organization under the Ministry of Economy, Trade and Industry (METI), established in October 1970. Its mission is the promotion of information processing technology, and it has a staff of about 170. It has four main missions: R&D and support for IT; credit guarantee; education and training; and IT security enhancement. He presented a graph of the number of computer viruses reported to IPA/ISEC, which showed that after a fairly steady rise to 3,645 in 1999, the number had leapt to 24,261 in 2001 before falling slightly in 2002 (to 20,352). These numbers are only those reported, and are only the tip of the iceberg, but they give an idea of the trend. Although this is a dramatic increase, the level of damage caused by the viruses is actually falling because systems are better protected: in 1998 80% of the viruses reported had done real damage, but in 2002 that figure had fallen to 8%, a lower figure than in comparable countries. A similar trend showed itself in the number of unauthorized accesses reported to JPCERT/CC, which had been fairly steady at between 500 and 1,000 before increasing to over 2,000 in 2000 and nearly 3,000 in 2001, then falling to just below 1,500 in 2002 (although in that year home systems were excluded from the statistics). The figures for the current status of cyber crime showed that whereas before 1998 crimes committed over the internet had been less than a third of the total, the percentage had increased dramatically since then.
In the category of crimes committed over the internet, the largest number, sadly, relate to child prostitution and child pornography. However, increasingly crimes relate to internet commerce - in particular internet auctions. The police in Japan have received over 17,000 complaints, over a quarter of which relate to internet auctions. Turning to preparations carried out by private companies, Harada-san reported that large companies increasingly have security policies, but small companies (with fewer than 300 employees) are much less well prepared. In a recent survey, 42.8% of large companies had established a security policy in the last year, and 20% had carried out a security audit in the same period. In small companies the comparable figures were 12.5% and 7.2%. Cryptographic techniques were similarly more in use in large companies than in small ones: 33.1% of large companies are using cryptography, while 37.7% are planning to do so; in small companies the figures were 14.3% and 28.6%. Finally Harada-san summarized the Japanese Government security policies. The Cabinet Secretariat is the center for this activity, and coordinates activity among organizations such as the National Police Agency, the Japan Defense Agency, the Ministry of Public Management, Home Affairs, Posts and Telecommunications, the Ministry of Economy, Trade and Industry, and so on. The Action Plan for Information Systems Protection against Cyber-threats, released in January 2000, aims to protect Government IT infrastructure. Arising from this plan, the Guidelines for IT Security Policies were published in July 2000, as was a Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (December 2000). The IT Strategy Headquarters established the 'e-Japan Priority Policy Program' in March 2001, to be completed by 2005, which covered five aspects:
Harada-san then went on to review the policies and activities of METI itself, including:
Conclusions and next steps

Japanese Government organizations are cooperating to establish the most advanced and secure information-technology-oriented society and e-Government. In order to achieve this the government is improving and enforcing laws relating to computer crimes. A Cyber-Police Force (National Police Agency) was established in 2001, and a National Incident Response Team set up in 2002. A Conformity Assessment Scheme for Information Security Management Systems was also established in 2002. There is still work to be done to secure the reliability of e-Government, including improving and enforcing laws, enhancing human and technological resources, and international collaboration.
Mr Servida said that he intended to explain how the European Commission is planning initiatives on network security in Europe, and explained his role in planning the Commission's sponsorship of R&D initiatives aimed at improving security levels in Europe. He also explained how the administrative role of the Commission differs from that of the Federal Government in the US: the Commission's aim is primarily to guide member states, encouraging them to unify their policies and approaches in the vital area of security, and it has no direct mandate to act.

European Union Activities on Information and Network Security

Since 1997 there has been the first agreement by member states on using electronic signatures, and the Commission has agreed a number of initiatives; for example, to ensure that an attack would be regarded as such everywhere in Europe, and that there would be a coordinated response. Other initiatives have focused on ensuring better collaboration between police and security services, and on providing a legal framework that would ensure that an attack on an information system would be regarded as a crime anywhere in Europe and would be dealt with under the criminal system. In addition there have been a range of research and development activities focused on enabling member states to deliver. In the previous Framework Programme there was a focus on dependability. There have also been initiatives looking at issues that have become more critical in recent years, for instance relating to secure visas, the use of biometrics and smart travel documents.
Andrea moved on to describe three angles for actions on security policy: prevention, involving network and information security; prosecution, involving policies on cyber crime and terrorism; and protection, including policies for privacy and data protection. He described the 6th Framework Programme as a whole, integrating European research over a range of issues from food safety and health risks to aeronautics and space. The entire budget of 16,270 M€ is broken down as follows:
In order to provide a focus for R&D activities the Commission is focusing on the vision of 'Ambient Intelligence' - how a society would be different with the range of future technologies that will become available, with products and equipment at the service of individuals. Immediate issues center around pervasiveness, interdependencies and intrusiveness, the influencing factors being the need for attention to compatibility between technology and human systems, for thinking in terms of a privacy-respecting society, and for a coordinated effort to address the dependability of information and communication infrastructures. Future objectives center around the need to develop a "respectful", productive, innovative and secure information society, by fostering a global dialogue on an information society respecting the personal sphere, safeguarding the resilience of systems and infrastructures, encouraging innovation and enabling productivity, promoting the understanding of interdependencies, sharing a vision on how to depend on technology, and carrying out innovative research and development. These are ethical as well as technological issues; we must not ignore human behavior as an essential component of an integrated society, and education and public debate are as important as technological development. These thought processes are resulting in a change in the paradigm for security, moving from 'security in obscurity' to 'security in openness', and there are three areas for consideration: securing the individual, securing communities, and securing critical infrastructures.

Towards a global dependability and security framework

The objective is to strengthen security and enhance dependability of information and communication systems and infrastructures and to ensure trust and confidence in the use of IST by addressing new security and dependability challenges. These result from higher complexity, ubiquity of computing and communications, mobility, and increased dynamicity of content.
Integrated and comprehensive approaches involving all relevant stakeholders of the value chain should address security and dependability at different levels and from different perspectives. The focus is on:
This work cannot be done in isolation; it should link to Member State research initiatives and policies. Related to dependability and critical infrastructure protection, targeted international collaboration with complementary research communities and programmes should be fostered. The 6th Framework Programme is the framework for EU/US partnership on R&D. A detailed joint R&D agenda was drafted at a workshop in Leesburg in September 2002, and covers information assurance and survivability, secure networked embedded systems, and modelling and simulation of critical interdependent systems. Contacts with funding agencies have been established, with coordination between the State Department and OSTP. He emphasized the importance of European and US cooperation, but stressed the need also to work with colleagues in Japan, Australia and other countries. Finally, Andrea referred the audience to several relevant web sites, of which the main one is www.cordis.lu. Allen Brown concluded the first part of the morning proceedings by thanking the three speakers for their presentations, and spoke of the work going on within The Open Group on Mobile Management, Active Loss Prevention and Security.

Industry Strategies for Securing Boundaryless Information

In the following sessions a group of key figures from IT and security industry consortia addressed the issue of securing the flow of information in the boundaryless enterprise. They outlined strategies for implementing policies, procedures and standards that will assist industry or government bodies in achieving a secure information environment.
Pat began by describing recent troublesome email attacks. She referred to an article in Information Security Magazine, November 2002, which had published the results of a survey of the damage caused by viruses, worms, and similar attacks. Code Red (2001) was the most 'popular', with 300,000 corporate servers affected in less than 9 hours. Others included Nimda (2001), of which there were an estimated 11,000,000 instances within one month, Melissa (1999) and finally LoveLetter (2000), which cost businesses $8.75 billion. In 2000 there were several Distributed Denial of Service (DDoS) attacks, and organizations such as eBay came together to try to resist them. The article had gone on to speak of the future - The Coming Deluge, with:
So how can we prepare for inbound email attacks? Pro-active measures that can be taken include:
As well as inbound email, outbound traffic needs to be secured. Requirements and controls are needed to ensure email confidentiality: customer privacy needs to be protected, as does company proprietary information, and message controls might include the use of obfuscation and strong encryption. Securing outbound email also requires message integrity controls to protect against data tampering and against falsified messages. These controls might include message authentication techniques such as digital signatures, and they need to be put in place because falsifying an email message is easy. Controls are also needed to ensure email availability by protecting network bandwidth and traffic flow against attacks. This can be done by employing high-availability systems and capacity management - reserving capacity against such emergencies. Organizations should establish and test business resilience plans, including the actions to be taken if email communications are disrupted. Physical security also needs to be checked - the danger of simultaneous physical and cyber attacks is considerable. Conclusion: sustaining the flow of your company's email makes the difference between business survival and failure.
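The message integrity control described above, as an added worked example that is not part of the original presentation: the code below attaches an authentication tag to an outbound message and shows that a relay adding a Received: header does not break verification, while altering the body or the From: header, stripping the tag, or verifying with the wrong key all fail. It uses an HMAC (a symmetric message authentication code from the Python standard library) in place of the public-key digital signature the talk mentions, so sender and verifier must share the key; the header name X-StarCorp-Auth, the addresses, the key and the message are constructed for the example.

```python
import hashlib
import hmac
import re

# Header fields the tag covers. Fields not listed here (Received:, X-Spam-*,
# and so on) may be added or rewritten by relays without invalidating the tag.
SIGNED_HEADERS = ("from", "to", "subject", "date")
TAG_HEADER = "x-starcorp-auth"   # hypothetical header name, constructed for the example


def _norm(value: str) -> str:
    """Collapse runs of whitespace and strip, so header folding does not matter."""
    return re.sub(r"\s+", " ", value).strip()


def canonicalize(headers: dict, body: str) -> bytes:
    """Return the exact byte string the tag is computed over.

    Header names are lower-cased, values normalised, and the body converted to
    CRLF with trailing blank lines removed, so that benign relay rewriting does
    not break verification while any change to the covered content does.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    covered = "".join(f"{name}:{_norm(lowered.get(name, ''))}\r\n" for name in SIGNED_HEADERS)
    lines = body.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    norm_body = "\r\n".join(lines).rstrip("\r\n") + "\r\n"
    return (covered + "\r\n" + norm_body).encode("utf-8")


def compute_tag(headers: dict, body: str, key: bytes) -> str:
    return hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()


def sign_message(headers: dict, body: str, key: bytes) -> dict:
    """Return a copy of the headers with the integrity tag added."""
    signed = dict(headers)
    signed["X-StarCorp-Auth"] = compute_tag(headers, body, key)
    return signed


def verify_message(headers: dict, body: str, key: bytes) -> bool:
    """True only if a tag is present and matches the covered headers and body."""
    presented = {name.lower(): value for name, value in headers.items()}.get(TAG_HEADER)
    if presented is None:
        return False
    # compare_digest is constant-time, so a forger learns nothing from timing.
    return hmac.compare_digest(presented.strip(), compute_tag(headers, body, key))


# Shared secret and message, both constructed for the example.
KEY = b"constructed-demo-key-do-not-reuse"
ORIGINAL_HEADERS = {
    "From": "orders@starcorp.example",
    "To": "billing@nebula.example",
    "Subject": "Order 4711",
    "Date": "Mon, 03 Feb 2003 09:35:00 -0800",
}
ORIGINAL_BODY = "Ship 200 units to warehouse B.\n"


def demo(key: bytes = KEY) -> dict:
    """Sign one message, then verify it and several modified copies."""
    signed = sign_message(ORIGINAL_HEADERS, ORIGINAL_BODY, key)
    relayed = {**signed, "Received": "from mx1.example by mx2.example"}
    spoofed = {**signed, "From": "ceo@starcorp.example"}
    return {
        "intact": verify_message(signed, ORIGINAL_BODY, key),
        "relay_added_header": verify_message(relayed, ORIGINAL_BODY, key),
        "body_tampered": verify_message(signed, "Ship 2000 units to warehouse B.\n", key),
        "from_spoofed": verify_message(spoofed, ORIGINAL_BODY, key),
        "tag_stripped": verify_message(ORIGINAL_HEADERS, ORIGINAL_BODY, key),
        "wrong_key": verify_message(signed, ORIGINAL_BODY, b"some-other-key"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} {'verified' if ok else 'REJECTED'}")
```

With a digital signature (S/MIME or PGP) the verifier needs only the sender's public key, which is what makes signatures suitable between organizations that do not share a secret; the canonicalization step is the part to get right in either case, since the tag must survive benign rewriting by mail relays but not an edit to the covered content.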
Charles reflected briefly on the changes in auditing and accounting brought about by recent business losses, and on the partnership that there must be among all those involved in achieving financial and information security. Integrity begins at the top of any organization, and is part of the duty of care at Director level. It permeates the organization, and exists in a complex environment in which responsibility can be very difficult to identify. At board level there is a responsibility to ask questions about topics such as information security, and to be able to understand the answers. Directors also carry a personal liability, and they may want to ensure that they are adequately insured against lawsuits brought, for example, by business partners whose business may be damaged by a failure in security. Many organizations have been damaged by various forms of attack, and have suffered not only direct and tangible losses but also the loss of shareholder confidence resulting from a forced admission that their systems were not secure. Why did they not take steps to answer questions such as 'What percentage of our assets have been physically verified?' What everyone is seeking is assurance, provided through dual reporting and independent sources, and derived from monitoring, analytics, and assessment, that an organization has an effective system of internal controls. The internal auditor has the responsibility for finding things that are not quite right, and shining a light on them. Often the manager responsible is naturally reluctant to encourage this, but the approach is essential. There should be a natural partnership between auditors and information security professionals, because both are trying to ensure that the right controls are in place. Risk management maintains risk within defined and acceptable boundaries, but how many organizations have a formal risk policy?
How many decisions are taken within a company that place the organization at risk, without that risk being recognized or understood at senior management level? The problem with assessing risk is that it spans organizational boundaries, and is subject to complex interactions between the various functions within an organization.
Bill introduced the Internet Security Alliance as a Trusted and Reliable Public-Private Partnership for Information Sharing and E-Security Issues. He described the Distributed Denial of Service attacks that occurred on 9th February 2000, and the need that emerged for an organization that would tackle the standards issues raised, leading to the formation of the ISAlliance. Its goals are to:
Efforts in progress include the following activities, some of which are already having a real impact in areas such as new security legislation and the US National Security Plan:
CERT/CC and ISAlliance provide a security information sharing service. This includes receiving reports from ISA members, sharing analysis reports with ISA members, and allowing ISA members to share information with one another. In addition, ISA members have access to the CERT/CC's database of information through secure distribution channels, thereby enabling the CERT/CC to provide more information to the private sector in a responsible way. Products from the ISA include a 'Common Sense Guide to Internet Security for Executives' and the 'Home PC User's Guide to Safe Computing'. The ISAlliance influences governments on information security issues by holding direct meetings with influential members of the U.S. Senate, U.S. Congress, and White House cybersecurity advisors, with other U.S. Government departments involved with security initiatives, and with other international government groups who affect security legislation. It also aims to influence industry-wide security improvement, by activities such as:
Laura began by introducing BITS, the sister organization to The Financial Services Roundtable. It was founded in 1996 to address areas in which there is a need for collaborative industry action, and focuses on emerging technologies, payments and e-commerce. Members of BITS are drawn from the membership of the Roundtable. The imperative for collaborative action exists in a number of areas, such as payments and delivery channels, legal and public policy, communications research and education, security and risk management, e-commerce market development, business standards and practices, and industry infrastructure. The key is that most efforts span more than one of these issues. The strength of the organization consists in its ability to bring together key industry players to get things done. The BITS CEOs meet twice a year to set the direction for the organization, and below them is the BITS Advisory Group Council, made up of member CIOs and CEOs, which meets monthly. The organization:
Examples of BITS Deliverables include:
Laura went on to describe some of the BITS activities that relate to the area of security.

Crisis Management

The BITS Crisis Management Working Group was formed to coordinate member crisis management activities to ensure that members are prepared if a disaster were to occur today. Activities are focused in the following areas:
The current focus in crisis management relates to telecommunications, which is key to the flow of money in US commerce. BITS is setting out to:
IT Service Providers

Many organizations have increasingly used outsourcing as an approach to their IT needs, creating the need to assess the risks associated with this decision. BITS has produced a Framework for Managing Technology Risk for ITSPs, which is intended for use as a guiding document and set of criteria against which IT service provider relationships can be effectively evaluated and managed. It is also intended to complement regulatory guidance and requirements, and to set voluntary industry guidelines for risk-based management of IT service provider relationships. It includes the following elements:
ITSP Framework Phase II will include:
Security & Risk Assessment

The Security & Risk Assessment Committee is a standing committee of over 65 members. It has four main project areas.

BITS Product Certification Program. This sets out to improve the baseline security of products used in the financial services industry, to provide an opportunity to leverage independent testing efforts including Common Criteria testing, and to provide an outward-facing seal that visibly identifies products meeting the criteria. Criteria have been developed for six product categories, and certification programs are in place to evaluate products from vendors.

Critical Infrastructure Assurance addresses the growing interdependencies between core sectors such as telecommunications, transportation, electric power and financial services in e-commerce, and requires a partnership between providers, customers and intermediaries to ensure a secure environment.

In the area of Operational Risk Management, the SRA Committee is looking at legislation that is expected later in 2003. It sets out to develop a common body of high-risk factors for the industry related to information security that influence operational risk models, to establish metrics and measurement methodologies, and to provide sound practices for reducing the likelihood of occurrence and/or diminishing the resulting damage of information security risk events.

Finally, the SRA looks at regulation and compliance. This involves the SRA in sharing experiences on how regulators are interpreting the new cybersecurity and other security requirements, as well as the institutional impact of implementing these regulations.
Candy began by referring to the impact that internet security is having on our society. She referred to a headline from the front page of the previous New Hampshire Sunday News: "SQ hell Virus attacks Net - Infection slows thousands of computer systems, hampers ATMs, other services". The reason for this publicity is that the virus touched the lives of ordinary people by, for instance, slowing ATMs and the response of home computers. In order to reduce this challenge, it is essential to "spread" the word and to persuade users to adopt techniques such as:
The new challenge in today's world is provided by the expanded on-line community. Like it or not, our community has grown to include non-technical people who do not fully understand the laws regarding electronic information and do not realize that they have an obligation to secure their environment - let alone how to do so. Security has to be made easy, by providing more secure applications and 'out of the box' security solutions. The ISSA is working to help provide security. In contributing to the support of securing boundaryless information for the traditional challenge, the following list includes some of the important ways that ISSA members work toward achieving these goals:
The ISSA is also working with committees to help identify resources in areas such as community outreach, international development, standards, professional ethics, privacy and security education. It is also working in partnership with other security consortia, such as ITAA (community outreach) and (ISC)² (certifications).
Deb began by pointing out that risks are unavoidable, and a coherent approach to managing risk is key. She made the distinction between risk and exposure, which she defined as 'risk minus controls'. The Board of Directors wants to reduce exposure, they want accountability in the organization and they want to leverage cost. Risk is driven by many factors, and organizations are concerned about issues such as:
Assessment and measurement of risk needs a framework, and CobiT (Control Objectives for Information and related Technology) can be highly successful, since it is understood at all levels from the Board to technologists. CobiT starts with business processes and breaks the IT environment into understandable units. It then matches the business requirements with technology that meets those requirements. The risk assessment process should not be a guessing game. It should mirror the organization's IT governance, and risks should be given a ranking that relates them to each other. Management input is key, and there need to be mutually agreed high-risk areas. Audit execution identifies high-risk areas; its findings are correlated with CobiT objectives and the risk ranking, and corrective actions then need to be tracked.
Allen Brown began the session by suggesting the potential for consortia such as those assembled today to adopt and promote each other's work. Candy Alexander expressed support for this idea and referred to cooperative relationships that the ISSA has formed with other organizations working in similar fields. Bill Hancock referred to a list of high-level practices that home users should follow; home users whose computer is involved in a terrorist attack can become liable for their part in it if they have failed to exercise due diligence. It is not trivial, however, to come back with a consensus view on adopting documents from other consortia. Charles Le Grand raised the issue of identifying the correct tools for any organization, when a standard might work for one but not for another. Laura Lundin expressed the view that her organization would support the cross-promotion of specifications and work from other consortia. Mike Jerbic asked: When the worm hit last week, systems administrators who should have patched their systems and hadn't were called into question. Could you address the responsibility that systems administrators should face in such situations? Bill described the steps his company had taken that had provided effective defenses against this worm - in particular a strategy based on denying all services except those that were specifically allowed. Pat Gilmore: there should be a business process for patch management, implemented from the CIO down.
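Bill's point about denying all services except those specifically allowed, as an added example that is not part of the panel's material: the Python below evaluates the same set of constructed flows against a default-deny allowlist and a default-allow blocklist, so the difference in outcome is visible flow by flow. The flow on UDP port 1434 is included on the assumption that the worm the panel refers to is SQL Slammer, which spread through that port; the page itself does not name the worm, and the addresses and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src_net: str             # source network, CIDR
    dst_net: str             # destination network, CIDR
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst_net))


def evaluate(rules, default: str, flow: Flow) -> str:
    """First matching rule wins; a flow that matches no rule gets the default."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


# Constructed addressing: 192.0.2.0/24 is the site, 192.0.2.16/28 its
# application tier, 192.0.2.10 the database server, 192.0.2.53 the resolver.
ANY = "0.0.0.0/0"

# Default-deny policy: only the services the business has decided to expose.
DEFAULT_DENY_RULES = [
    Rule("allow", "tcp", ANY, "192.0.2.0/24", 80),
    Rule("allow", "tcp", ANY, "192.0.2.0/24", 443),
    Rule("allow", "udp", ANY, "192.0.2.53/32", 53),
    Rule("allow", "tcp", "192.0.2.16/28", "192.0.2.10/32", 1433),
]

# Default-allow policy: blocks only the ports someone has already thought of.
DEFAULT_ALLOW_RULES = [
    Rule("deny", "tcp", ANY, ANY, 23),
    Rule("deny", "tcp", ANY, ANY, 135),
    Rule("deny", "tcp", ANY, ANY, 139),
]

# Constructed flows; 198.51.100.7 stands for an arbitrary Internet host.
SAMPLE_FLOWS = {
    "web_https":         Flow("198.51.100.7", "192.0.2.20", "tcp", 443),
    "dns_query":         Flow("198.51.100.7", "192.0.2.53", "udp", 53),
    "telnet_probe":      Flow("198.51.100.7", "192.0.2.20", "tcp", 23),
    "slammer_udp1434":   Flow("198.51.100.7", "192.0.2.10", "udp", 1434),
    "sql_from_internet": Flow("198.51.100.7", "192.0.2.10", "tcp", 1433),
    "sql_from_app_tier": Flow("192.0.2.18",   "192.0.2.10", "tcp", 1433),
}


def compare_policies(flows=SAMPLE_FLOWS):
    """Map each flow name to (verdict under default-deny, verdict under default-allow)."""
    return {name: (evaluate(DEFAULT_DENY_RULES, "deny", flow),
                   evaluate(DEFAULT_ALLOW_RULES, "allow", flow))
            for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (deny_first, allow_first) in compare_policies().items():
        print(f"{name:18} default-deny={deny_first:5} default-allow={allow_first}")
```

The blocklist policy passes the UDP/1434 traffic because nobody had listed that port before the worm appeared; the allowlist policy drops it without anyone having known about the worm in advance, which is the property Bill was relying on. It also confines database access to the application tier, so the patch-management question becomes less urgent for hosts that were never reachable.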
This workshop was staged in two Acts, with nine players providing the action and each member of the audience cast as a Board Director bearing ultimate responsibility for the attacked corporation. Act 1 played out a sequence of response scenarios following the discovery of an intrusion, illustrating the various priorities a business must reconcile in such situations and bringing out the need for well-prepared and regularly updated response procedures. Act 2, on Tuesday morning, used the outcomes from Act 1 to indicate what considerations well-prepared response procedures need to include. It reviewed the business and legal consequences of the intrusion, liability to third parties and defence against any enforcement proceedings (under data protection/privacy laws), the steps to be taken to minimize the company's own potential losses, and whether to bring the hacker to justice (or not). It also considered whether to provide details of the intrusion to clients, law enforcement, an ISAC or another organization, and the possible consequences of doing so or not doing so.

The cast
Synopsis

At 09.35, StarCorp's online order-processing application goes down. The initial word from IT operations was that it was a hacker attack. Getting the system back online was the company's highest priority. A SWAT team headed by IT Operations Manager Rocky Wardrop tried to identify and fix the problem. StarCorp CEO Brenda Star was determined that the offender would not go unpunished. Brenda was rather busy being interviewed by the press, and so Rocky was asked to put together a team to address the problem. The team consisted of:
Meeting 1

The team began by discussing the implications of the application being down. The company had contractual commitments which after 8 hours would result in financial penalties. Nothing like this had happened before. 'Johnny' was missing.

Meeting 2

Initial diagnostics showed a long series of mis-formatted orders, which suggested that some sort of attack had occurred. Kelly claimed that he had been warning for months that something like this would happen if nothing were done. He produced a very thick security plan and insisted that it should be followed to the letter. Rocky asked him to begin implementing the plan. Customers needed to be informed that StarCorp were on top of the problem and would be solving it within the 8-hour period. Anna Williamson instructed that only accurate information should be communicated. 'Johnny' was still missing.

Meeting 3

The source IP address of the mysterious packets was o.36.25.36, an internal system, which suggested that the problem was being caused by a member of staff. Traffic was going to e.112.57.5, a Nebula Networks address - StarCorp had a non-standard cooperative processing contract with Nebula Networks. The intrusion response plan required that a full backup be taken, which would take three hours. Lucinda Walls argued that the application should be restarted immediately. Anna Williamson pointed out that failing to follow the plan could make StarCorp liable. Kelly objected, but the restart went ahead anyway, before the backup was complete. It was confirmed that the source of the attack was Johnny's machine. It seemed that Johnny had penetrated Nebula's system before traveling to Rio de Janeiro. If Johnny's employment had not been managed properly, StarCorp could be liable for his behavior. Anna Williamson advised that there was no non-disclosure agreement with Nebula.
At this point Tim "the Terrier" Malone of the Independent Daily Tabloid entered, and then had a meeting with David Auric, who told him that there had been a brief system problem but that everything was now running well. He promised to phone Tim as soon as he knew the source of the problem. Lucinda drafted a letter to Nebula Networks summarizing what had happened and pointing out that StarCorp had met the terms of their contract.

Meeting 4

Tim Malone had written an article in the Daily Tabloid pointing out that StarCorp 'faced disaster' following an attack by a hacker. David Auric wanted to send out a press release responding to this, but was advised not to. At this point Johnny was discovered. The possibility of pressing charges was discussed, but no decision was taken. Anna agreed to summarize the company's liabilities. At this point the San Mateo deputy sheriff appeared with Brendan "Blowtorch" Boylan, retained counsel to Nebula Networks, who had an order entitling him to take away any computer that might contain information stolen from Nebula Networks.

Questions

The cast assembled on stage to answer questions from the audience.

Q: The last scene portrays the execution of a seizure order. Could that happen in the real world?
Q: When they come in for a bank seizure, they do come in and grab everything.
Q: In the production there was a lot of effort to preserve evidence. Would that happen in real life? If in the course of restoring service the team had lost evidence, would that be a problem?
Q: It's interesting that when it came to the issue the Security plan was ignored. Are there circumstances where having a plan and not following it is worse than not having one?
Q: You said in the script that using PKI would have avoided this problem. Do you think that is the case?
Q: There's an HR issue relating to the management of staff, so this shows that security is an architectural issue that runs through every aspect of the business. This could be written up as a case study.
Q: We saw some examples of SLAs, etc. What is the default that would happen if agreements were silent on these points?
Q (of the audience): How many of you have been aware of an exercise in your company to simulate an attack in your company?
Q: I wasn't convinced by the realism of the relationship with the reporter. What does StarCorp stand to lose by the poor press coverage?
Q: I'm surprised that you say it was a civil offence. Surely the hacker had committed a criminal offence.
Q: Would the fact that a criminal offence had been committed provide any defense on the civil side?
Q: I understand why you would backup a system before an attack, but why do so during it?
Q: Are states doing anything about problems like this?
Q: Since many networks cover multiple states, how is jurisdiction determined?
Q: Is there a burden on a company to take steps to preserve evidence that might be useful in a prosecution of someone like Johnny?
Q: What would have been the situation if Johnny had acted as he did but without a system outage? How would StarCorp react? Would they tell Nebula?
Q (of the audience): How many companies would involve legal counsel from the start?
Cybersecurity from the Front Line

DCS Len Hynds and Dr. Bill Hancock presented sessions from the cybersecurity front line. Dr. Hancock shared his experience of dealing with 200-400 attacks a month on half a million online systems, and DCS Len Hynds warned of the growing international threat posed by IT organized crime.
DCS Hynds pointed out that his presentation was not about cyber-security, but about cyber-crime. Cyber-crime is crime. It hurts as much as any other sort of crime, and it is what is allowed to happen when we get IT security wrong. Governments around the world have for some time been trying to make IT an integral part of business, so it is hardly surprising when it becomes an integral part of crime. For many years the legal system has been trying to solve the problems of young people and crime; the internet allows kids to hang out on 'street corners' that nobody can reach. Cyber crime happens instantaneously, and it can happen across jurisdictions. It is a global problem and demands a global solution. Any tool can be adapted for criminal use, but the appeal of a tool depends on its attractiveness in a criminal context. The criminal can attack multiple victims, and because of these factors cyber-crime is an aggravated version of its low-tech counterpart. The fundamental point is that hi-tech crime is just as serious as any other form of crime. Len referred to three studies, carried out by the CBI in the UK, the FBI-CSI, and the UK Threat Assessment Agency. Trends in cyber-crime are difficult to track because information gathering is difficult and inconsistent. But even without authoritative data, the prediction is that it will increase.
The assessment is clear. If organized crime applies the risk vs. reward model, there is only one way: up. The cyber-criminals are not in the typical mould of criminals. Vladimir Levin transferred $12m into his own accounts, but received a punishment of only 3 years in prison; Onel de Guzman, the originator of the 'I love you' virus, has never been charged because there is no relevant law in the Philippines. Organized crime has not yet fully realized the opportunity of internet crime, and we are not yet seeing the total figures for it because of incomplete reporting and detection. However, as crime syndicates begin to understand the opportunity, we can expect them to use all the techniques familiar in traditional crime. The decision was taken in the UK to create a multi-agency national hi-tech crime unit which would bring together a collaborative and nationally coordinated effort, with interagency collaboration and in partnership and cooperation with industry. The NHTCU was established in April 2001, with new funding of £25m, staffed by people from a range of disciplines. Its work is divided into four disciplines: investigations, intelligence, collaboration, and support (the interface with local law enforcement and industry). Operational success has come quickly because of the multi-agency nature of the unit. To police cyber-space it is necessary to establish a presence within it, to establish policing by consent, to have an e-presence, and to act at e-speed, while maintaining standards. Much legislation has been put in place in the area of traditional policing, and its principles need to be applied in this area as well. International collaboration is key. Interpol connects 179 countries through some well-established protocols. More importantly, the G8 24/7 agreement provides a commitment to emergency mutual support. Europol brings together 15 European states, and the heads of cyber crime policing meet regularly. The NHTCU has 22 partners on the ground in 22 countries.
Industry liaison is equally important, for both sides of the relationship, and confidentiality contracts can be agreed with industry in order to overcome the reluctance to report crime. The popular image of a detective ringing the crime scene with tape and seizing anything within it is pervasive, but it is founded on stereotypes that bear no relationship to reality. There is reliable intelligence showing that drug and arms traffickers are using the internet to support their activities and to store information on the servers of organizations that are unaware of what is going on.
Bill began his presentation by emphasizing the size of the internet, currently 655 million accounts. He described an event at his home, in which his 13-year-old son had provided internet access to his friends through the wireless network. The point is that there is an almost infinite potential for intrusion into an almost infinite network. By contrast, security is very complex; it is currently where networking was 15 years ago. There are many complex components, and a general lack of expertise in the industry (60% of vacancies cannot be filled with qualified personnel). There are no common GUIs and a lack of standards. And the number of attacks is growing. At the same time, software is too complex. Bill illustrated this by the number of lines of code in successive versions of the Windows operating system.
It is not surprising that there are security bugs in such a vast collection of code! A recent version of Windows shipped with 29,000 known bugs. He showed a graph illustrating the growth in the number of incidents reported to the CERT/CC, which had gone from fewer than 4,000 in 1998 to around 86,000 in 2002. During the same period the number of vulnerabilities reported to the CERT/CC had grown from 262 to 3,222. And the internet continues to increase in size, with around 160 million hosts. The issue for all organizations is: as all these figures increase, what is happening to your security budget, and to the numbers and skill levels of the staff who have security responsibilities? At the same time that systems are becoming more complex, attackers are becoming less sophisticated, building on the work of the very smart people who originated attack technology. Classic current IT security risks arise from the well-known sources: DNS attacks, DDoS, DoS, viruses, worms, spoofs and redirects, and so on. But there are serious upcoming security threats that arise from:
Prime resources to be protected include DNS, router tables, and DHCP. To stop a DNS attack, attack mitigation technology needs to be used, with the right firewalls, filters and switches, and you need to work closely with your ISP. Three concluding messages: