
Larry Clinton President

Internet Security Alliance


lclinton@isalliance.org 703-907-7028 (O) 202-236-0001 (C)

Founders

ISA Board of Directors

Ty Sagalow, Esq., Chair; President Product Development, AIG
Marc-Anthony Signorino, National Association of Manufacturers
Ken Silva, CSO, VeriSign
J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon
Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services
Tim McKnight, CSO, Northrop Grumman
Jeff Brown, CISO/Director IT Infrastructure, Raytheon
Eric Guerrino, SVP/CIO, Bank of New York/Mellon Financial
Lawrence Dobranski, Chief Strategic Security, Nortel
Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
Joe Buonomo, President, DCR
Lt. Gen. Charles Croom (Ret.), VP Cyber Security Strategy, Lockheed Martin

Our Partners

The Old Web

The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

The Web is Inherently Insecure--and getting more so


The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago, when security was not an issue. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless), but it lacks the basic security controls to properly protect the network.
Source: Hancock, Cutter Technology Journal 06

The Earlier Threat: Growth in vulnerabilities (CERT/CC)

Chart: vulnerabilities reported to CERT/CC per year, 1995-2002
1995: 171
1996: 345
1997: 311
1998: 262
1999: 417
2000: 1,090
2001: 2,437
2002: 4,129

The Earlier Threat: Cyber incidents

Chart: incidents reported per year, 1988-2002
1988: 6
1989: 132
1990: 252
1991: 406
1992: 773
1993: 1,334
1994: 2,340
1995: 2,412
1996: 2,573
1997: 2,134
1998: 3,734
1999: 9,859
2000: 21,756
2001: 55,100
2002: 110,000

The Changing Threat


A fast-moving virus or worm pandemic is not the threat it was...

2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig)
2005: only 6
2006 and 2007: zero

Faces of Attackers Then

Joseph McElroy: hacked US Dept of Energy
Chen Ing-Hau: CIH virus
Jeffrey Lee Parson: Blaster-B copycat

Faces of Attackers Now

Jay Echouafni Competitive DDoS

Jeremy Jaynes $24M SPAM KING

Andrew Schwarmkoff Russian Mob Phisher

The Threat Landscape is Changing

Early Attacks
Who: Kids, researchers, hackers, isolated criminals
Why: Seeking fame and glory; use widespread attacks for maximum publicity
Risk Exposure: Downtime, business disruption, information loss, defacement

New Era Attacks
Who: Organized criminals, corporate spies, disgruntled employees, terrorists
Why: Seeking profits, revenge; use targeted stealth attacks to avoid detection
Risk Exposure: Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure

Characteristics of the New Attackers


Shift to profit motive
Zero day exploits
Increased investment and innovation in malcode
Increased use of stealth techniques

Digital Growth? Sure


Companies have built into their business models the efficiencies of digital technologies such as real-time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.
---Stanford University Study, July 2006

Digital Defense? Maybe Not


29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
50% of Senior Executives said they did not know how much money was lost due to attacks

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

Digital Defense Not So Much


23% of CTOs did not know if cyber losses were covered by insurance.
34% of CTOs thought cyber losses would be covered by insurance, and were wrong.
The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.
---Source: DHS Chief Economist Scott Borg

Economic Effects of Attacks


25% of our wealth ($3 trillion) is transmitted over the Internet daily
FBI: Cyber crime cost business $26 billion (probably a LOW estimate)
Financial institutions are generally considered the safest; their losses were up 450% in the last year
There are more electronic financial transfers than paper checks now
Only 1% of cyber crooks are caught

Why Doesn't Everyone Invest in Cyber Security?


Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized
---Stanford University 06

Management is WRONG
A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:
Improved product safety (38%)
Improved inventory management (14%)
Increase in timeliness of product development (30%)

Security, like Digital Technology, must be Integrated in the Business Plan


Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results, there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses, as well as creating value as part of the business plan.
---PricewaterhouseCoopers, September 2006

C-SPAN Interview ISA Chairman


2007

CERT Knowledgebase Examples

Senior Managers Best Practices


Cited in US National Draft Strategy to Protect Cyber Space
Endorsed by TechNet for CEO Security Initiative
Endorsed by US-India Business Council
Currently being updated

Best Practices Model Contracts


Volume I
Volume II: published June 2007 with ANSI; gives greater emphasis to standards-based information security controls. (www.isalliance.org)

Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.

Securing The IT Supply Chain In The Age of Globalization


November, 2007

Financial Impact of Cyber Risk


October, 2008

Developing SCAP Automated Security & Assurance for VoIP & Converged Networks
September, 2008

Industry Affairs/Government Relations

Releasing the Cyber Security Social Contract


November, 2008

CNN Interview
July, 2008

Congressional Testimony
October, 2007

What to Tell President Obama?


1. We need to increase our emphasis and investment on cyber security
2. Cyber security must be recognized as critical infrastructure maintenance
3. Cyber security is not an IT problem
4. Cyber security is an enterprise-wide risk management problem
5. Government and industry need a new relationship

Obama: Inconvenient truths


1. All security is reliant on cyber systems
2. Cyber systems are inherently in the private sector's hands
3. The US cannot tackle the cyber security issues unilaterally

Cyber Social Contract


Similar to the agreement that led to public utility infrastructure dissemination in the 20th century
Infrastructure development through market incentives
Consumer protection through regulation
Government's role is to motivate; this is more creative and harder
Industry's role is to develop practices and standards and implement them

