Security Alert: Latest Trends in Global Attacks, Sources and Impact Vince Steckler Vice President, Asia Pacific

2 © 2003 Symantec Corporation. New Technologies and Targets Broadband 120M subscribers worldwide by 2005 SCADA Used by oil and natural gas, controls electric power and water supplies Instant Messaging/P2P Over 500M users by 2005 Wireless 484M users worldwide by 2005 Grid Computing $4.1B market by 2005 Web Services Security $4.4B market by 2006

3 © 2003 Symantec Corporation. High Low Less Knowledge Required to Attack Intruder Knowledge Automated Tools & Attack Sophistication

4 © 2003 Symantec Corporation.  Flash threats?  Massive worm-driven DDoS?  Critical infrastructure attacks? Regional Scope Individual PCs Individual Orgs. Sector Global Impact  1 st gen. viruses  Individual DoS  Web defacement 1990s General Threat Evolution  worms  DDoS  Credit hacking  Blended threats  Limited Warhol threats  Worm-driven DDoS  National credit hacking  Infrastructure hacking Time

5 © 2003 Symantec Corporation. Hours Time Weeks or months Days Minutes Seconds Class II Human response: difficult/impossible Automated response: possible Early 1990sMid 1990sLate 1990s Class III Human response: impossible Automated response: unlikely Proactive blocking: possible Threat Evolution: Malicious Code Contagion Timeframe File Viruses Macro Viruses Worms Blended Threats “Warhol” Threats “Flash” Threats Class I Human response: possible

6 © 2003 Symantec Corporation. Vulnerabilities on the Rise New vulnerabilities per week Source: Bugtraq

7 © 2003 Symantec Corporation. Vulnerability-Threat Window Vulnerability Identified Threat Released Time Threat Evolution: Day-zero Threats A day-zero threat exploits a previously unknown, and therefore unprotected vulnerability.

8 © 2003 Symantec Corporation. Vulnerability identified Threat released Time Day-zero exploit Threat released Threat Evolution: Day-zero Threats A day-zero threat exploits a previously unknown, and therefore unprotected vulnerability. Months Days Hours “Day 0” Novice Programmer Sophisticated Programmer Organized Crime/ Terrorist Organization Nation/State Threat As attacker demographics shift, we expect a reduction in the vulnerability-threat window. Time Until Exploitation

9 © 2003 Symantec Corporation. Wireless InfrastructureWeb Services Internet Backbone/ Broadband Flash and Day-Zero Threats Warhol and Day-Zero Threats Blended Threats DDoS Targeted Hacking Threats Targets Major disruption of B2B services sector-level impact Major disruption to multiple networks Short-term disruption of individual networks Account theft/ corruption, DoS Global Internet Disruption Short-term/ localized Internet disruption Data theft/ corruption, DoS Threat Impact on Emerging Targets

10 © 2003 Symantec Corporation. Instant Messaging & Peer to Peer Grid Computing Physical Infrastructure/ SCADA Flash and Day-Zero Threats Warhol and Day-Zero Threats Blended Threats DDoS Targeted Hacking Threats Targets Potential disruption of all participating grid nodes. Possible major compromise of hosts. Potential disruption of millions of IM/P2P agents. Possible major compromise of hosts. Content eavesdropping, password theft Impact to:  Power  Comm  Hydro  Chemical  Other infra. Disruption of inter- networked SCADA Disruption of targeted infrastructures Data theft and corruption to grid and host Threat Impact on Emerging Targets Short-term disruption to grid computations. Short-term service disruption

11 © 2003 Symantec Corporation. Threat ClassSensing Strategies Reactive Protection Strategies Proactive Protection Strategies Class III threats (Flash threats, Day-Zero) Class II threats (Blended threats, Warhol, Day-Zero) Class I threats (Blended threats, worms, viruses) Distributed Sensor Networks Protocol Anomaly Detection Rule and Statistical Correlation Malicious Code Protection Strategies Generic Exploit Blocking Network Intrusion Prevention Host Intrusion Prevention Only useful after initial wave Manual Fingerprints Auto Fingerprint Generation Auto Fingerprint Generation (for slower Class II threats) Adaptive Security

Information Security Governance

13 © 2003 Symantec Corporation. IT Governance Part of overall enterprise governance, to ensure that IT is aligned to enable business objectives and deliver value IT resources are responsibly used IT risks are mitigated and managed appropriately Governance IT Governance

14 © 2003 Symantec Corporation. Information Security Governance Governance IT Governance Information Security Governance

15 © 2003 Symantec Corporation. Information Security Governance Specific value drivers for –Integrity of information –Continuity of service –Protection of information assets Outcomes: –Strategic Alignment –Value Delivery –Risk Management –Performance Measurement Source: IT Governance Institute

16 © 2003 Symantec Corporation. Security Performance Metrics Examples Summary and Trends Incidents Awareness Risk and Compliance Financial

17 © 2003 Symantec Corporation. Metrics Are a Challenge with Typical Information Security Solutions Fragmented functionality Little to no integration Lack of a cohesive security management capability Doesn’t provide an overall view of security posture Authen-tication Antivirus Firewall IntrusionDetection VulnAssess VPN Content Updates & SecurityResponse 24x7GlobalCustomerSupport AttackRecoveryServices ThreatManagement & Early Warning Honey Pot & Decoy Technology VulnMgmt PolicyMgmt Event & IncidentMgmt AccessControl & Auth IdentityMgmt Config.Mgmt CommonConsole SecurityServices

18 © 2003 Symantec Corporation. Conclusion – Critical Success Factors Information security reports to senior management / CIOs Information security audit is integral part of audit program Clearly defined roles, responsibilities and accountability Security policy in place and compliance monitored Scorecards to ensure common alignment with overall objectives and to provide transparency IT Audit, Control, Security and Assurance professionals play pivotal role in successful governance