Internet Security and You
The Problem
"With the Internet, You are Connected to the Whole World."
(and the whole world is connected to you).

Double-Edged Sword
+ Great Communication/Research Tool
- Tremendous Cost to Protect Against Potential Threats

Security Issues
   Issue                                             Impact
1. Viruses/Worms                                    $; Time
2. Unauthorized Access to Private Data (Trojans)    Customer Trust; Liability
3. Regulatory Compliance                            Poor Ratings; Liability
4. Productive Use                                   $; Time; Liability

Security Trends
Did you know…
• Viruses cost US business in excess of $13 billion in 2001 (source: CSI/FBI)
• Number of reported security issues is increasing rapidly (source: CERT)
  - Reported incidents grew from 9,859 in 1999 to 52,568 in 2001
  - Reported vulnerabilities grew from 417 in 1999 to 2437 in 2001
• 90% of companies surveyed detected computer security attacks (source: CSI/FBI)
• 70% of attacks are external (source: CERT)
  - Up from 50% in 1999
  - Internal attacks are increasing
  - External attacks are increasing faster

Nimda
Introduced September 2001
First successful virus that can be propagated through both email and browsing.
Current desktop anti-virus not designed to prevent browsing viruses.

GLB (Gramm-Leach-Bliley) - Requirements
1. Establish a security program to manage and control risk.
2. System to detect and respond to intrusions into customer data.
3. Trained staff to implement security programs.
4. Regular independent assessments.

Board of Directors
• Board of Directors is Responsible for:
- Board must designate security committee
- Committee must be competent to address the issues
- Committee must provide clear reporting to board
- Board must adequately oversee committee
What is Adequate Security?
1. Technology (Multi-Layer; Redundancy; Upgrades)
2. Secure Data Center
3. Trained Staff (24x7 ... the Internet does not sleep)
4. Documented Policies & Procedures
5. 3rd Party Validation

Multi Layer Math
1 out of 10 vs. 1 out of 10,000
Probability Matrix (probability that at least one layer stops an attack)

                 Effectiveness of Each Layer
Layers      50%       60%       70%       80%       90%
1        50.00%    60.00%    70.00%    80.00%    90.00%
2            --        --        --        --        --
3            --        --        --        --        --
4            --        --        --        --        --
5            --        --        --        --        --
6        98.44%    99.59%    99.93%    99.99%    99.99%

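The arithmetic behind the matrix, as an added Python example (not code from the presentation): each of n layers is assumed to stop a given attack independently with probability p, so the chance that every layer misses is (1 - p)^n and the chance that at least one stops it is 1 - (1 - p)^n. The independence assumption, and the "common gap" model in the last function, are assumptions introduced here rather than claims made by the deck.

```python
"""Defence-in-depth arithmetic behind the slide's probability matrix.
Added example, not from the presentation. Assumption: layers stop a given
attack independently of one another with the same per-layer effectiveness."""

EFFECTIVENESS = (0.50, 0.60, 0.70, 0.80, 0.90)  # the slide's column headings


def miss_probability(p: float, layers: int) -> float:
    """Probability an attack slips past every one of `layers` independent
    layers when each stops it with probability p: (1 - p) ** layers."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("effectiveness must be a probability between 0 and 1")
    if layers < 1:
        raise ValueError("need at least one layer")
    return (1.0 - p) ** layers


def stop_probability(p: float, layers: int) -> float:
    """Probability that at least one layer stops the attack."""
    return 1.0 - miss_probability(p, layers)


def probability_matrix(max_layers: int = 6, effectiveness=EFFECTIVENESS):
    """Rows = number of layers, columns = per-layer effectiveness."""
    return {n: [stop_probability(p, n) for p in effectiveness]
            for n in range(1, max_layers + 1)}


def format_matrix(max_layers: int = 6, effectiveness=EFFECTIVENESS) -> str:
    """Render the matrix in the slide's layout, percentages to two decimals."""
    lines = ["Layers " + " ".join(f"{p:>7.0%}" for p in effectiveness)]
    for n, values in probability_matrix(max_layers, effectiveness).items():
        lines.append(f"{n:<6d} " + " ".join(f"{v:>7.2%}" for v in values))
    return "\n".join(lines)


def layers_needed(p: float, target: float) -> int:
    """Smallest number of independent layers at effectiveness p whose combined
    stop probability reaches `target` (useful when sizing a budget)."""
    n = 1
    while stop_probability(p, n) < target:
        n += 1
    return n


def stop_probability_with_common_gap(p: float, layers: int, gap: float) -> float:
    """Assumption introduced here, not from the deck: a fraction `gap` of
    attacks is invisible to every layer (a technique none of them recognises).
    Those are never stopped however many layers are stacked, so the combined
    stop probability is capped at 1 - gap; the rest behave independently."""
    if not 0.0 <= gap <= 1.0:
        raise ValueError("gap must be a probability between 0 and 1")
    return (1.0 - gap) * stop_probability(p, layers)


if __name__ == "__main__":
    print(format_matrix())
    # "1 out of 10 vs. 1 out of 10,000": one 90% layer versus four of them
    print(miss_probability(0.9, 1), miss_probability(0.9, 4))
    print(layers_needed(0.5, 0.999))
    print(stop_probability_with_common_gap(0.9, 6, 0.05))
```

Running the block reproduces the slide's filled-in rows and fills in rows 2 to 5; the 90%, six-layer cell evaluates to 99.9999%, which the code renders as 100.00% where the slide shows 99.99%. The one-layer versus four-layer comparison at 90% gives the 1-in-10 versus 1-in-10,000 headline. The common-gap function is the caveat a practitioner wants next to the matrix: the percentages are an upper bound that only holds when the layers fail independently, and controls that share a blind spot (the same signature feed, the same unpatched component) cannot be stacked past that ceiling.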
Multi Layer Approach
Accepted Practice In Physical Security
• Door Locks
• Alarms
• Cameras
• Vaults
• Guards
Basic Multi-Layer Security
   Network Control           Physical Equivalent
1. Firewall                  Door Lock
2. Intrusion Detection       Motion Sensor & Alarm
3. URL Reporting             Camera
4. Content Filtering         Access Control
5. Anti-Virus                Fire Suppression Equipment
6. CISSPs                    Trained Guards

Minimum Cost to Play

Initial Investment
  1 Firewall                        $10K
  1 Virus Scanning                  $ 5K
  1 Intrusion Detection             $ 5K
  1 URL Filtering                   $ 0K
  1 Reporting                       $ 5K
  1 Integration                     $20K
  ---------------------------------------
  Total Investment                  $45K
  Annual Cost (3 Year Life)         $15K
  Maintenance Contracts (20%)       $ 5K
  Yearly Technology Investment      $20K

Recurring Annual Costs
  1 Penetration Test                $10K
  1 T1                              $12K
  2nd T1                            $ 0K
  1 Data Center                     $ 0K
  Training                          $10K
  Personnel (25% network admin.)    $15K
  ---------------------------------------
  Total Recurring Cost              $47K
  Annual Technology Cost            $20K
  ---------------------------------------
  Total Annual Cost                 $67K

TOTAL IN-HOUSE MONTHLY COST         $5.5K+*

*Assumes the following:
• Lower-end technology with no redundant systems
• No dedicated staff 24x7
• No third-party certifications
• No redundant Internet bandwidth
• No data center for secure hosting
• No redundant data center for disaster recovery
• No continuous upgrades.