The Changing Landscape: CyberSecurity in 2011


(1)

Jim Hietala, VP, Security, [email protected], 44 Montgomery Street Suite 960, San Francisco, CA 94104 USA. Tel +1 303 495 3123, Cell +1 303 995 5387, www.opengroup.org

The Changing Landscape: CyberSecurity in 2011

(2)

Agenda

- Review of Cybersecurity current state: changing threats, vulnerabilities, attack types
- Changing business requirements, technological shifts
- Work to be done

(3)

IT Security Challenges…

- Insider threat: Symantec survey, 79% take data upon leaving
- External attacks: mass indiscriminate attacks; targeted attacks

(4)

Recent Cybersecurity Incidents

- Successful compromise of Google and 30 other companies
- Compromises of numerous oil companies, London Stock Exchange, NASDAQ
- Stuxnet attack: leveraged four “0 day” vulnerabilities
- Ongoing Trojan attacks on online banking customers

(5)

Threats & Attackers, Then and Now

1980’s:

Now:

- Profit motivated criminals
- Global, leverage freely available tools
- Sophisticated attackers and attacks

(6)

Wikileaks Highlights Numerous Fundamental Security Problems…

- Insider privilege abuse
- Poor access control
- Ready availability of DDoS toolkits, and attacks against Amazon, PayPal by sympathizers
- Targeted hack attack against the security firm that conducted the Wikileaks investigation, HBGary, by the “Anonymous” group

(7)
(8)
(9)

Website Attacks

Retail example: Heartland, TJX, 7-Eleven, Hannaford, Dave & Buster’s

Impact: 130M+ credit card records stolen, extensive credit card fraud, massive costs to banks to reissue cards

Attack Methodology:

- They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.
- They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.
- They obtain valid Windows credentials by using fgdump or a similar tool.
- They install network "sniffers" to identify card data and the systems involved.
- They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks.
- They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.
- They use WinRAR to compress the information they pilfer from the compromised networks.
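The first two steps of that chain only work if the injected query can reach xp_cmdshell. The following T-SQL is an added example, not from the slides, that audits whether xp_cmdshell is enabled, disables it, and checks that the web application's database login is not a sysadmin; the login name webapp_login is a hypothetical placeholder.

```sql
-- Added example (not from the slides): audit and harden the xp_cmdshell path
-- used in the attack chain above. Run as a sysadmin on SQL Server 2005 or later.
-- 'webapp_login' is a hypothetical placeholder for the web application's login.

-- 1. Audit: value_in_use = 1 means xp_cmdshell can be called right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Harden: disable it. xp_cmdshell is an "advanced option", so it must be
--    exposed before sp_configure accepts it, then hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Least privilege: by default only sysadmin members can execute xp_cmdshell,
--    and re-enabling it needs ALTER SETTINGS (held by sysadmin and serveradmin).
--    An injected query therefore only reaches the OS when the application's
--    login is over-privileged. List the sysadmin members to review them.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')   -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Remediate: if the application login is a sysadmin, remove it from the role
--    and grant only the database-level permissions the application needs.
IF IS_SRVROLEMEMBER('sysadmin', 'webapp_login') = 1
    EXEC sp_dropsrvrolemember 'webapp_login', 'sysadmin';
```

Disabling xp_cmdshell does not fix the injection itself; parameterised queries in the web application remain the primary control, and this script removes the step that turns a database compromise into OS-level access.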

(10)

Infected Websites Doubled in 2010

Drive-by downloads on legitimate Web sites have become the most popular method for delivering malicious programs, overtaking the use of spam and e-mail.

(11)

Hacking for Profit

- Black market price per stolen credit card has dropped from $10-16/card in 2007 to less than $0.50/card today, due to over supply
- Can also buy site logins to hacked sites

(12)

Monetizing Cybercrime, Malware

- Trojan malware (delivered via spam, viruses, websites) used to capture login credentials to bank accounts
- Funds transferred to money mules in-country, who transfer $ to perpetrators in the originating country

(13)
(14)

Predicted ROI on Cybercrime Techniques

(15)

How Real is the Threat?

CIA Director Leon Panetta: "The potential for the next Pearl Harbor could very well be a cyber-attack”

Director of National Intelligence James Clapper: "This threat is increasing in scope and scale, and its impact is difficult to overstate."

(16)

Discussion

What is the experience of Indian IT organizations?

(17)

Threat Takeaways

- Consumers, businesses doing online banking are targets
- Anyone with high value information (IP, sensitive, confidential, research, credit cards) is a target
- Need to be on top of our security management game…
- Regular patching is mandatory
- Reducing attack surfaces through vulnerabilities
- Relying on perimeter security (alone) is unwise
- Checklist-based infosec management isn’t enough: many ISO27001 certified companies have shown up in headlines lately for breaches

(18)

Agenda

- Review of Cybersecurity current state: changing threats, vulnerabilities, attack types
- Changing business requirements, technological shifts
- Work to be done

(19)

New Technologies Causing Security Concerns

- Web 2.0
- Consumerization of IT, growth in mobile devices
- Virtualization

(20)

Business Requirements Affecting Security

Greater access for non-employees

E-commerce

Collaboration

Downsizing

(21)

Status quo is location-centric security

- Protection placed at the edge or perimeter of the network
- New threats and threat vectors = new security point solutions
- Consequence is that there are now over 1,000 vendors of security point solutions…

(22)

Perimeter Security Failures

Maginot Line and the Fall of France, 1940

US High Tech Border Fence w/ Mexico Abandoned as too costly, ineffective in

(23)

[Figure: Jericho Forum de-perimeterisation timeline, plotting connectivity against time, ending at the effective breakdown of the perimeter today. Stages, earliest to latest: Stand-alone Computing [Mainframe, Mini, PC’s]; Islands by technology; Local Area Networks, interoperating protocols; Connected LANs, Internet e-Mail; Internet Connectivity: Web, e-Mail, Telnet, FTP; External Working, VPN based; External collaboration [Private connections]; Limited Internet-based Collaboration; Consumerisation [Cheap IP based devices]; Full Internet-based Collaboration; Full de-perimeterised working. Drivers noted along the curve: cost, flexibility, faster working; B2B & B2C integration, flexibility, M&A; outsourcing and off-shoring; low cost and feature rich devices.]

(24)
(25)

Agenda

- Review of Cybersecurity current state: changing threats, vulnerabilities, attack types
- Changing business requirements, technological shifts
- Work to be done

(26)

IT Industry Issues

- Incentives don’t favor secure software products: “take your best shot with a prototype, immediately get it to market, iterate quickly”, Guy Kawasaki, The Art of the Start
- One-sided software license agreements with little buyer recourse: “By clicking the ‘I agree’ button…you are agreeing to act as crash test dummies without any chance of holding the software manufacturer to account for injuries, harm, damage, or loss”

(27)

General Security Issues

- Lack of independent information about controls effectiveness
- 100+ security technology niches: which provide the best ROSI, and provide the best protection?
- Debate over how to best manage information security: risk-based vs. best practices approach
- Best practices/checklist methods (ISO27001) are important, but insufficient

(28)

Specific Areas for Improvement

Secure Architecture:

- Build security into architectures vs. adding later
- Training software developers in secure coding, SDL
- Better guidance on developing secure architectures, how to use TOGAF and SABSA to do so, and how to develop secure web apps

Information Security Management:

- Prioritizing, selecting appropriate security controls
- Making information security management more scientific, with maturity models & metrics; tie security to business objectives
- Easing the burden of risk, compliance, and audit

Identity issues vis-à-vis cloud, enterprise identity stores

Better industry support for assuring that commercial

(29)

Agenda

- Review of Cybersecurity current state: changing threats, vulnerabilities, attack types
- Changing business requirements, technological shifts
- Work to be done

(30)

Security Forum Vision & Mission

- The Open Group: Boundaryless Information Flow, achieved through global interoperability in a secure, reliable and timely manner
- The Open Group Security Forum: To facilitate the rapid development of secure architectures supporting boundaryless information flow through:
  - Development of industry standards, either independently or through co-operation (adopt, adapt, publish)
  - Developing guides, business rationales & scenarios, use cases
  - Developing reference and common system architectures, and support services

(31)

Secure Architecture

- Integrating security into enterprise architectures, TOGAF
- Revised Enterprise Security Architecture
- SABSA/TOGAF integration project
- Collaboration Oriented Architecture
- Secure Mobile Architecture
- Cloud Security Reference Architecture

(32)

Information Security Management

ISM3: Information Security Management Maturity Model

- New technical standard using metrics and a maturity model approach to managing information security
- Enhances ISO27001/2, adds business value context

Audit, compliance, risk

- Audit & Logging: Update to XDAS standard, aligning with MITRE CEE
- ACEML compliance standard, to automate compliance configuration and reporting
- Risk Management: Risk Taxonomy Standard, Risk Assessment Methodologies – Technical Guide, ISO Cookbook

(33)

Jericho Forum

Thought leadership around de-perimeterization, guidance as to what to do about it

Publications:

- Commandments, position papers, Collaboration Oriented Architecture Framework, Cloud Cube Model

New Mission/Vision:

- Secure Collaboration in Cloud Computing

New projects:

- COA (Security) Reference Architecture for TOGAF, COA Framework standard, Cloud Use Cases: business scenarios
- “Commandments” Self Assessment Scheme
- Security requirements in Cloud Computing
- Identity & Access Management in de-perimeterized environments

New Liaison – Cloud Security Alliance

(34)

Some Members of Jericho

(35)

Real Time and Embedded Systems Forum

Secure Operating Systems: Multiple Independent Levels of Security (MILS)

Significant MILS work ongoing in the Real Time Forum to remove barriers to adoption, and accelerate progress

(36)

Open Trusted Technology Forum (OTTF) Overview v1.5

Build with Integrity

Buy with Confidence

(37)
(38)

Need to Work Together to Develop Expectations for a Trusted Commercial off the Shelf (COTS) IT Product

Good Commercial Product – Helpful information that builds understanding of the product:

- What’s in it (source code and origin/pedigree)
- How was it built (development and manufacturing)
- How will it be sustained from an OEM perspective
- What management, process and quality controls were applied
- What are the meaningful supply chain considerations
- What variability and volatility of sub-processes and supply should be expected (opportunistic component sourcing and contract fabrication)
- What other “measures of goodness” can be used or leveraged
- Not a substitute for CC, NIST, or ITU; interoperability or protocol level compliance or certification

What are the Realistic, Consumable, Affordable Industry Best Practices?

(39)

The Technology Supply Chain Integrity Challenge

- Perceived increase in sophistication and severity of cybersecurity attacks worldwide
- Potential for vulnerabilities introduced by use of technology provided through the global supply chain
- Governments and organizations buy products from companies they trust, but those companies usually do not manufacture all the components of their products
- The forum is being formed in response to the need to establish industry best practices that will help understand and reduce risks posed by the globalization of the

(40)

What Problems Are We Solving?

Commercial technology comprises key components of our critical infrastructure

It’s become necessary to understand:

- The potential integrity risks that may be inherited from supply chains, both for software and hardware, and how the original equipment manufacturer (OEM) assesses and manages these risks;
- Practices that can mitigate potential risks of significant supply chain attacks;
- Risks to confidentiality, integrity, and availability of a customer’s environment or critical infrastructure as a result of procurement by customers of counterfeit components and products;
- Which software or technology development or engineering practices can help reduce product security and integrity risks;
- How product assurance and risk is managed through the adoption of industry best practices and recognized international and

(41)

The OTTF will respond to these industry challenges by…

- Reducing risks that may be introduced from global supply chain providers
- Identifying manufacturing practices and checkpoints throughout the lifecycle that mitigate risk from uncontrolled, unprotected development methods and engineering procedures
- Developing conformance and accreditation criteria for trusted technology providers that will instill trust and confidence in both providers and consumers
- Working with the global community to develop responsible and realistic procurement policies that mitigate the risks introduced from supply chain vulnerabilities for all governments and vertical industries

(42)

O-TTPF Best Practice Categories

Best Practice Category: Definition

Product Engineering / Development Method: Trusted technology providers utilize and internalize the application of a well-formed and documented development (or manufacturing) method or process.

Secure Engineering / Development Method: Secure development methods include techniques such as secure code design reviews or threat modeling, risk assessment and tooling for detecting, fixing, and mitigating vulnerabilities in both software and hardware. They might also include run-time protection measures; or monitoring and corrective actions for third-party component vulnerabilities or risks. Product design may also employ ways to ensure authenticity and protection from counterfeit components and use run-time execution protection measures; for example, the use of code signing.

Supply Chain Management Method: Trusted technology providers manage their supply chains through the application of defined, monitored, and validated supply chain processes. These practices seek to ensure the integrity of the supply chain throughout product design, sourcing, fabrication, delivery, support, and end-of-life.

Product Evaluation Methods: A Trusted Supplier submits Information Assurance (IA) and IA-enabled products to one or more mutually recognized standards-based evaluation processes to determine the fulfilment of particular security properties, to levels of assurance appropriate to the application of the product depending on the needs of the market. (Common Criteria is an example of one such process.)

(43)

Benefits of O-TTPF to Providers and Consumers

- The ability to work collaboratively with peer organizations, suppliers and customers to define, review and approve the best approaches to developing a more trustworthy global technology supply chain
- Industry members of the TTF can directly interact with government acquisition leaders through their participation in the forum, and government members can interact with their suppliers in an open, neutral forum
- Market differentiation through the future accreditation program, and status as an organization that contributes to the Forum
- Members can network with their peers in similar organizations around the globe and help harmonize global technology supply chain initiatives
- The TTF is intended to benefit technology buyers across all industries concerned with secure development practices and supply chain

(44)
(45)

Summary

- IT security undergoing a profound transformation in threats, business drivers, and in security architectures
- Move from perimeter towards information-centric security
- Customers, vendors need help in sorting out what this means
- The Open Group has numerous forums and working groups working on IT and Cybersecurity challenges
- Work products include standards, frameworks, guides that educate, inform, accelerate the market for secure IT
- From a supply-chain standpoint, the Trusted Technology Forum is a natural place for Indian companies to get involved in Open Group security activities

(46)

Questions?

Jim Hietala, VP, Security, The Open Group

Http://www.opengroup.org/security

e-mail: [email protected]

Twitter: jim_hietala
