Larry Clinton President lclinton@isalliance.

org 703-907-7028 202-236-0001

Barry Foer
Director of Policy & Membership

bfoer@isalliance.org 703-907-7799

ISA Board of Directors

Ty Sagalow, Esq., Chairman
President Product Development, AIG

J. Michael Hickey, 1st Vice Chair

VP Government Affairs, Verizon

Dr. Sagar Vidyasagar, 2nd Vice Chair Marc-Anthony Signorino, Treasurer Director Technology Policy, National Exec VP, Tata Consulting Services
Association of Manufacturers

Tim McKnight, CSO, Northrop Grumman Jeff Brown, CISO/Director IT Infrastructure, Raytheon Eric Guerrino, SVP/CIO, Bank of New York Ken Silva, Chief Technology Officer, VeriSign Lawrence Dobranski, Chief Strategic Security, Nortel Charles Croom, Vice President, Cyber Security Strategy, Lockheed Martin Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences Joe Buonomo, CEO DCR Software Inc.

Our Partners

The Web is Inherently Insecure---and getting more so

The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue.TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06

The Changing Threat Faces of Attackers Then

Joseph McElroy Hacked US Dept of Energy Chen-Ing Hau CIH Virus Jeffrey Lee Parson Blaster-B Copycat

Faces of Attackers Now

Jay Echouafni Competitive DDoS

Jeremy Jaynes $24M SPAM KING

Andrew Schwarmkoff Russian Mob Phisher

The Changing Threat

Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail Vulnerabilities are on client-side applications word, spreadsheets, printers, etc. The problem is much more severe than the release of personal data, modern attackers are stealing source code, corporate intellectual property, entire business operations systems are being vacuumed and transplanted Our physical security is reliant on our cyber security

Newer Threats
Designer malware: Malware designed for a specific target or small set of targets Spear Phishing: Combines Phishing and social engineering Ransomware: Malcode packs important files into encrypted archive & deletes original then ransom is demanded RootKits: shielding technology to make malcode invisible to the op system

Characteristics of the New Attackers

Shift to profit motive Zero day exploits Increased investment and innovation in malcode Increased use of stealth techniques

Digital Growth?

Sure

Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and online commerce. The continued expansion of the digital lifestyle is already built into almost every companys assumptions for growth.
---Stanford University Study, July 2006

Digital Defense? Not so much

Only 56% of respondents employ a security executive at the C-level---down 4% from the previous survey Only 43% audit or monitor compliance with security policies (if they have them) Just over half of companies (55%) use encryption 1/3 of respondents dont even use firewalls Only 22% of companies keep an inventory of all outside parties use of their data

Digital Defense? Not so much

23% of CTOs did not know if cyber losses were covered by insurance. 34% of CTOs thought cyber losses would be covered by insurance----and were wrong. The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg

CSO Magazine Study 10/08 7,000 companies world wide

Only 59% of respondents attest to even having an overall security policy Nearly half of all respondents said cant identify the source of information security incidents they have suffered in the past year Employees and former employees are the biggest source of security incidents accounting for half of the ones we can trace * Only half of respondents provide employees with security awareness training

The Good News: We know (mostly) what to do

2005 CIO/Priceaterhouse study of 7,000 organizations world-wide found 20% best practices group (although attacked more) suffered less downtime, less financial lossnone at times. 2008 Verizon study 500 forensic cases and thousands of data points found following best practices could stop 90% of breaches CIA due diligence can stop 90% of attacks, implementation is the key.

How do we really protect ourselves?

1. Adopt an enterprise wide, risk management approach 2. Since this is an enterprise wide problem, you have to get all the critical silos at the table 3. Determine who really is involved (other than IT) 4. Determine what you are going to answer 5. THEN decide what to do (software? training? contracts w/affiliates? Insurance? outreach?)

Legal/Regulatory Issues
Have cyber liabilities been analyzed? What regulations apply to lines of business? Exposed to class action/shareholder suits? Is org protected from business interruptions? Org protected from fed/state govt. investigations? What jurisdictions does date move through? What is in our contracts? What does our privacy policy say?

Compliance/Regulatory
Have an inventory of what regs apply to us? Know what reg data is and where its located? Valid reasons for keeping this data? What have we done to protect the data? Incident response program/notification program? What is impact of possible data loss? Procedures in place for tracking compliance? How are we tracking vendors procedures?

External Rel & Comm.

Analyzed impact of events on reputation/ stakeholders/customers etc? Plan for communicating with stakeholders? Identified resources/budget needed for plan? Clear roles and responsibilities for comm? Thought through segmenting messages for different stakeholders? Legal requirements for notification? Tested it?

Risk transfer
What is exposure (brand/confidence/physical loss?how do we measure? Are you already covered? D&O? Do we need to bring in expertise? Who? Is insurance available? What is the ROI for insurance and other risk transfer approaches?

09 Securing the VOIP Platform

VOIP is the paradigm case for corporate economics overcoming security concerns Platform itself not a profitable as products sold to use it ISA/NIST program to use SCAP (Security Content Automation Protocol) and National Vulnerability Database to create a free customizable framework. Companies can build products on the more secure platform (ones that participate get to know the standards first) Better security and better markets

09 Securing the Global IT Supply Chain

IT supply chain is inherently global This immutable reality brings new risks If not addressed Congress will do it for us, probably through protectionism 07-08 ISA/CMU/industry 3-phase program to create a framework that takes into account market, business and policy reality New phase to begin first quarter 09

What to Tell President Obama?

1. We need to increase our emphasis and investment on cyber security 2. Cyber Security must be recognized as critical infrastructure maintenance 3. Cyber Security is not a IT problem. 4. Cyber security is a enterprise wide risk management problem 5. Government and Industry need new relationship

Obama: Inconvenient truths

1. All security is reliant on cyber systems 2. Cyber systems are inherently in the private sectors hands 3. US cannot tackle the cyber security issues unilaterally

Cyber Social Contract

Similar to the agreement that led to public utility infrastructure dissemination in 20th century Infrastructure development through market incentives Consumer protection through regulation Gov role to motivate is more creativeharder Industry role is to develop practices and standards and implement them

Member Communications Loop

Content Sources
Critical Infrastructure Partnership Advisory Council (CIPAC) Cross-Sector Cyber Security Working Group (CSCSWG) Daily Open Source Infrastructure Report Homeland Security Information Network (HSIN) United States Computer Emergency Readiness Team (USCERT) National Infrastructure Partnership Plan (NIPP) Partnership for Critical Infrastructure Security (PCIS) Protective Programs and Research and Development (PPRD)

Content Sources
Software Assurance Working Group DHS Business Opportunities Newsletter Cyber Security Monitor Joint Homeland Security Notes (HSN) Critical Infrastructure Information Notice (CIIN) National Telecommunications and Information Administration (NTIA) Economic Security Work Group (ESWG) InfraGard Information Technology Sector Coordinating Council (IT-SCC) Critical Functions and Information Sharing (CFIS) Group Plans Working Group Communications Sector Coordinating Council Carnegie Mellon University CyLab (CMU) ISAlliance

Content Examples
DHS Business Opportunities Newsletter

Content Examples
Homeland Security Note Critical Infrastructure Information Notice

Content Examples
IT-SCC Calendar

Content Examples
DHS Daily Open Source Infrastructure Report

Content Channels

World Wide Web GovDelivery Digital Subscription Management Excel Electronic Mail Merge Outlook Distribution Lists & Outlook Calendar Invitations US-CERT Portal Secure Communication Direct Mail Outlook Email Telephone

ISAlliance Web Site

ISAlliance Web Site

Used primarily to generate prospective member interest in ISAlliance and provide members with information and archives that generate interaction, integration and reinforce the value of membership.

Member/Prospect Examples
Calendar of Events ISAlliance News Project Information & Updates Public GovDelivery Subscription Common Sense Guides ISAlliance Services

Member Only Examples

Calendar of Events Missed It Archives Complete GovDelivery Subscription Self Assessment Tools Papers & Reports Detailed Project Information & Updates Enterprise Integration Perspectives CMU Webinar Archive

GovDelivery
Digital Subscription Management
Total Subscription Items hosted by GovDelivery: 47 Average item subscriptions per subscriber: 9 Total Subscribers: 4021 New Subscribers 2008: 714 (+ 17%) Total bulletins sent 2008: 364,977 Total hits to RSS feeds 2008: 23,783

GovDelivery
Digital Subscription Management
Used for delivery of targeted messages to broad groups with interest in specific subject matter.
Examples
Notice for the Private Sector Preparedness Accreditation and Certification Program Biometric Identification Small Business Issues US-CERT Alerts Meeting Notices & Reminders ISAlliance Calendar of Events ISAlliance Daily Brief Access Control Technical, Operations, Public Policy and/or Legal Perspective - All of Above

Outlook Distribution Lists & Calendar Invitations

Outlook Distribution Lists & Calendar Invitations

Used to organize work groups involved in specific projects.

Examples
White House Cyber Security Initiative IT Sector Risk Assessment Securing the IT Supply Chain in the Age of Globalization Developing Automated VoIP and Converged Network Security The Financial Impact of Cyber Risk

US-CERT Portal Secure Communications

US-CERT Portal Secure Communications

Used by members and allies for secure messaging, often between groups, subgroups and various sector coordinating councils, ISACs & organizations.
Examples
Software Assurance Cross Sector Cyber Security Work Group Defense Security Information Exchange White House Cyber Security Initiative AeroSpace Industries Association

Closing the Loop

Gathering, processing and distributing information content to the right people at the right time is an important part of what ISAlliance does. It is often equally important that ISAlliance gather, process and aggregate private sector perspectives for delivery BACK to appropriate public agencies.

Closing the Loop

Example: White House Cyber Security Initiative Announced ISAlliance Notifies Membership and calls for input using GovDelivery System ISAlliance forms a work group ISAlliance serves as an intermediary communicating information in both directions using Outlook & the CERT Portal The public sector, members and ISAlliance all benefit

1. 2. 3. 4.

5.

Larry Clinton President lclinton@isalliance.org 703-907-7028 202-236-0001

Barry Foer
Director of Policy & Membership

bfoer@isalliance.org 703-907-7799