Or, How to Spend Your Weekends… Fall 2007

Agenda General Overview of the CISO Arena Technical Security Information Security Strategic Security Kirk Bailey – CISO, UW Ernie Hayden – CISO, Port of Seattle Q & A

Technology Security Information Security Firewalls Intrusion Detection Network Security Viruses, Worms, Crimeware System Hardening Encryption Engineering Technology Problems Risk Management Business Continuity / Disaster Planning Intellectual Property Business / Financial Integrity Regulatory Compliance Industrial Espionage Privacy Forensics & Investigations Business Problems Chart Based on Forrester, April 2005 And Enhanced/Modified by Kirk Bailey and Ernie Hayden Critical Security Problems Strategic Security SECURITY PROFESSION EXPERTISE LEVELS R E S E A R C H Terrorism & CyberCrime Regional Interests (Including Cyber and Natural Disasters) Nation State Interests Intelligence Professional Alliances Politics Strategies and Tactics

WHY “STRATEGIC SECURITY” It is not pretty out there…

,000,000 of ‘em out there! “In the world of networked computers every sociopath is you neighbor.” Troubling Realities Dan Geer Chief Scientist Verdasys

High Low password guessing self-replicating code password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sweepers sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Technical Skills Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools Cross site scripting Staged attack Cyber Attack Sophistication Continues To Evolve bots Source: CERT 2004

RESISTANCE IS FUTILE. PREPARE TO BE ASSIMULATED? Species 8472

Cybercrime and Money… McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”

Symantec Internet Security Threat Report Threat landscape is more dynamic than ever Attackers rapidly adapting new techniques and strategies to circumvent new security measures Today’s Threat Landscape.. Increased professionalism and commercialization of malicious activities Threats tailored for specific regions Increasing numbers of multi-staged attacks Attackers targeting victims by first exploiting trusted entities Convergence of attack methods

Kirk Bailey, CISSP, CISM Objectives (Confidentiality, Availability, Integrity) Intelligence Trusted Alliances Innovative Thinking Risk Management (Liability Protection) Compliance Challenges Contractual Statutory & Regulatory Industry Standards

Ernie Hayden, CISSP Key Functions: Information & Computer Security Business Continuity/Continuity of Operations (COOP)/ Disaster Recovery Planning Privacy Critical Infrastructure Protection Policy Emergency Communications

A Sampling of Projects Administration Budgets Audits (e.g., Deloitte/State) Policies & Procedures Appropriate Use – Update/Revision Security Policy - General Cell Phone Disposal RCW Response Security Management Security Strategy Top 10 List Metrics, Dashboard Security Governance Security Domain Architecture Committees Architecture Management Board Corporate Security Council Change Management Board Technology Issues VOIP Security Web Application Security Employee Awareness Monthly Brownbags Secure Coding – Web Development Home PC Security Training BCP/DRP Incident Response Procedure IT Disaster Recovery Policy Drills, Tabletops NIMS & ICS Emergency Communications SendWordNow WebEOC - Emergency Operations Center Visualization Tool

Strategic Security Plan Elements Organization & Authority Controls Policy Risk Management Program Intelligence Program Audit & Compliance Program Privacy Program Incident Management Education & Awareness Program Operational Management Technical Security & Access Controls Monitoring, Measurement & Reporting Physical & Environmental Security Asset Identification & Classification Employee & Related Account Management Practices

What Do You Think? Prioritize this task/response list: Key Application Vendor Contract Review 100’s of Incoming Spam Complaints Forensic Report on New Rootkit Compromises (30 machines) Patch Management Process Concerns Service Interruptions New Credit Card Processing System for Husky Stadium Requires CISO Approval Electronic Harassment of an Employee

Thoughts… The CISO of the future is the one who can run the risk-management organization. The days of security being handled by the 'network person' who did security in their spare time are over and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space. Quotes by Paul Proctor

Technology Security Information Security Firewalls Intrusion Detection Network Security Viruses, Worms, Crimeware System Hardening Encryption Engineering Technology Problems Risk Management Business Continuity / Disaster Planning Intellectual Property Business / Financial Integrity Regulatory Compliance Industrial Espionage Privacy Forensics & Investigations Business Problems Chart Based on Forrester, April 2005 And Enhanced/Modified by Kirk Bailey and Ernie Hayden Critical Security Problems Strategic Security SECURITY PROFESSION EXPERTISE LEVELS R E S E A R C H Terrorism & CyberCrime Regional Interests (Including Cyber and Natural Disasters) Nation State Interests Intelligence Professional Alliances Politics Strategies and Tactics

THANKS!! Kirk Bailey, CISSP, CISM CISO, University of Washington Ernie Hayden, CISSP CISO / Manager Enterprise Information Security Port of Seattle 2711 Alaskan Way Seattle, WA