Threats to Information Security: An Update

Michael E. Whitman, Ph.D.
Computer Science and Information Systems Dept
Kennesaw State University
2002 CSI/FBI

- 90% detected computer security breaches within the last twelve months.
- 80% acknowledged financial losses due to computer breaches.
- 44% reported $455,848,000 in financial losses (up from $377,828,700 in 2001).
- Most serious financial losses occurred through theft of proprietary information ($170,827,000) and financial fraud ($115,753,000).
- 74% cited their Internet connection as a frequent point of attack vs. 33% internal systems.
- 34% of respondents reported the intrusions to law enforcement.



Threats to Information Security – Michael E. Whitman, Ph.D. Kennesaw State University
2002 CSI/FBI

Respondents detected a wide range of attacks and abuses:
- 40% detected system penetration from the outside.
- 40% detected denial of service attacks.
- 78% detected employee abuse of Internet access privileges.
- 85% detected computer viruses.

2002 CSI/FBI

Exposure:
- 98% of respondents have WWW sites.
- 52% conduct electronic commerce on their sites.
- 38% suffered unauthorized access or misuse within the last twelve months.
- 21% said that they didn't know if there had been unauthorized access or misuse.
- 70% of those attacked reported vandalism.
- 55% reported denial of service.
- 12% reported theft of transaction information.
- 6% reported financial fraud.

Sun Tzu

“Know the enemy and know yourself; in a hundred battles you will never be in peril.
When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal.
If ignorant both of your enemy and yourself, you are certain in every battle to be in peril.”

Know Your Enemy

One of the fundamental problems is that many administrators attempting to protect an organization’s information resources are unaware of the breadth and depth of the threats facing their systems.

Purpose

This study sought to identify and rank current threats to information security, and to present current perceptions of the level of severity these threats present.

It also sought to provide information on the frequency of the attacks from these threats and the prioritization for expenditures organizations place on these threats.

Computer Ethics

Several studies have examined national and international perspectives on computer ethics.

Most found that ethics were not as clearly defined as previously believed.

The international studies reinforced the preconception that individuals from differing origins had fundamentally different perspectives with regard to computer use ethics.

Computer Abuse

Some studies have documented actual and potential system losses.

Institutional sponsors of high-profile studies include: the U.S. Government, Ernst & Young, PricewaterhouseCoopers and the Annual Computer Security Institute/Federal Bureau of Investigation’s Computer Crime and Security Study.

Baskerville also notes studies of computer abuse, computer viruses, and illegitimate computer hacking or cracking.

Study Methodology

1. Review existing studies and articles on information security.
2. Identify potential threats to information security.
3. Categorize threats.
4. Develop online survey.
5. Select and invite candidate participants.
6. Collect and analyze results.

Identify & Categorize Threats

Based on a comprehensive literature review we were able to identify over 214 individual threats to information security.

Through an iterative categorization process, these were distilled into 12 categories of threats.

Threats to Information Security

- Act of Human Error or Failure (accidents, employee mistakes)
- Compromises to Intellectual Property (piracy, copyright infringement)
- Deliberate Acts of Espionage or Trespass (unauthorized access and/or data collection)
- Deliberate Acts of Information Extortion (blackmail of information disclosure)
- Deliberate Acts of Sabotage or Vandalism (destruction of systems or information)
- Deliberate Acts of Theft (illegal confiscation of equipment or information)
- Deliberate Software Attacks (viruses, worms, macros, denial of service)
- Forces of Nature (fire, flood, earthquake, lightning)
- Quality of Service Deviations from Service Providers (power & WAN Quality of Service issues)
- Technical Hardware Failures or Errors (equipment failure)
- Technical Software Failures or Errors (bugs, code problems)
- Technological Obsolescence (antiquated or outdated technology)

Online Instrument

The online survey was developed asking respondents to rank each of the categories of threats on a scale of “extremely serious” to “not a threat”.

They were then asked:
(1) to identify the top 5 threats to their information.
(2) to identify the number of attacks they have identified.
(3) to rank the top 5 expenditures based on the threats.

Additional information collected included basic demographics, protection mechanisms, and use of the Web.

Target Respondents

250 Top Computing Executives were identified in the greater metropolitan Atlanta area for the pilot test.

Over 2950 IS managers were randomly selected from the Directory of Top Computing Executives for the full survey.

Each was mailed a letter with the URL of the survey inviting them to participate.

Approximately one month later, a postcard was mailed with the alternate URL as a reminder.

Responses

The study produced 192 total usable responses, representing a response rate of 7%.

Of these, 15% were generated by the pilot test, 43% by the initial invitations, and 33% by the follow-ups.

Lesson learned: Always follow up.

Respondents by Position

(Pie chart. Categories: IS/IT directors, managers or supervisors; Executive IS managers (CIOs, CTO, or Exec VP); Technology VPs (Corporate Mgmt); IS/IT Staff. Slice values shown: 60%, 23%, 8%, 6%.)

Respondents’ Organizational Size

(Pie chart. Categories: >5000; 2501-5000; 1001-2500; 501-1000; 101-500; <100. Slice values shown: 28%, 21%, 20%, 17%, 8%, 6%.)

Respondents by Industry

Education                              28%
Manufacturing - not computer           18%
Government/Military                    13%
Business/Professional Services          7%
Finance/Banking/Insurance/Real          4%
Health Care/Hospital/Medical            4%
Media/Marketing/Advertisement           4%
Processing: Mining/Oil/Construction     4%
Transportation/Aerospace                3%
Legal                                   2%
Retail/Wholesale                        2%
Service/Communications Provider         1%
Utility                                 1%

Uses of the Internet and World Wide Web

To provide information                 95%
To collect information                 81%
To advertise                           60%
To provide customer service            55%
To support internal operations         46%
To order goods and services            45%
To provide technical support           38%
To connect remote sites                37%
To conduct online commerce             32%
To extend internal networks            32%
To integrate value chain partners      27%
To collect orders                      18%
Does not use Internet                   1%

Threat Protection Mechanisms Employed

Use of Passwords                       100%
Media backup                            98%
Virus protection software               98%
Employee education                      90%
Audit procedures                        66%
Consistent security policy              63%
Firewall                                62%
Encourage violations reporting          51%
Auto account logoff                     50%
Monitor computer usage                  46%
Publish formal standards                44%
Control of workstations                 41%
Network intrusion detection             33%
Host intrusion detection                31%
Ethics training                         30%
No outside dialup connections           10%
Use shrink-wrap software only            9%
No internal Internet connections         6%
Use internally developed software only   4%
No outside network connections           4%
No outside web connections               2%

Threats Rankings

Threat                                          Weighted Rank
1.  Deliberate Software Attacks                          2178
2.  Technical Software Failures or Errors                1130
3.  Act of Human Error or Failure                        1101
4.  Deliberate Acts of Espionage or Trespass             1044
5.  Deliberate Acts of Sabotage or Vandalism              963
6.  Technical Hardware Failures or Errors                 942
7.  Deliberate Acts of Theft                              695
8.  Forces of Nature                                      611
9.  Compromises to Intellectual Property                  495
10. Quality of Service Deviations …                       434
11. Technological Obsolescence                            428
12. Deliberate Acts of Information Extortion              225

CSI/FBI Survey Results for Types of Attack or Misuse

Types of attack or misuse          2002   2001   2000   1999   1998   1997
1  Virus                            85%    94%    85%    90%    83%    82%
2  Insider abuse of net access      79%    91%    79%    97%    77%    68%
3  Laptop                           55%    64%    60%    69%    64%    58%
4  Unauthorized access by insiders  38%    49%    71%    55%    44%    40%
5  System penetration               40%    40%    25%    30%    23%    20%
6  Denial of Service                40%    36%    27%    31%    24%    ---
7  Theft of proprietary info        20%    26%    20%    25%    18%    20%
8  Sabotage                          9%    18%    17%    13%    14%    14%
9  Financial fraud                  12%    12%    11%    14%    14%    12%
10 Telecom fraud                     9%    10%    11%    17%    16%    27%
11 Telecom eavesdropping             6%    10%     7%    14%     9%    11%
12 Active wiretap                    1%     2%     1%     2%     1%     3%

Numbers of Attacks Per Month (no 2002 info)

Number of attacks per month                None   < 10   10-50   51-100   >100
1  Act of Human Error or Failure            24%    42%    15%     2%       5%
2  Compromises to Intellectual Property     62%    25%     3%     2%       1%
3  Del. Acts of Espionage or Trespass       69%    21%     3%     3%       4%
4  Del. Acts of Information Extortion       91%     8%     1%     ---      ---
5  Del. Acts of Sabotage or Vandalism       65%    31%     3%     ---      1%
6  Del. Acts of Theft                       54%    39%     7%     ---      ---
7  Deliberate Software Attacks              17%    48%    15%     9%       12%
8  Forces of Nature                         63%    34%     2%     ---      1%
9  Quality of Service Deviations …          47%    44%     8%     1%       ---
10 Tech. Hardware Failures or Errors        34%    51%    12%     3%       ---
11 Technical Software Failures or Errors    30%    46%    19%     5%       ---
12 Technological Obsolescence               60%    22%    16%     1%       ---
Average Responses:                          51%    35%     8%     2%       2%

CSI/FBI Report of Incidents (2002 data sliced differently)

Number          2002   2001   2000   1999   1998   1997   1996
1 to 5           52%    33%    33%    34%    61%    48%    46%
6 to 10           ?     24%    23%    22%    31%    23%    21%
11 to 30          ?      5%     5%     7%     6%     3%    12%
31 to 60          ?      1%     2%     2%     1%    n/a    n/a
Over 60           ?      5%     6%     5%     2%    n/a    n/a
Don't Know              31%    31%    29%    n/a    27%    21%
# Respondents           348    392    327    234    271    179

Top Threat-Driven Expenses

Threat Expense                                            Weighted Rank
1.  Deliberate Software Attacks                                     560
2.  Act of Human Error or Failure                                   334
3.  Technical Software Failures or Errors                           306
4.  Technical Hardware Failures or Errors                           264
5.  Quality of Service Deviations from Service Providers            216
6.  Deliberate Acts of Espionage or Trespass                        208
7.  Deliberate Acts of Theft                                        182
8.  Deliberate Acts of Sabotage or Vandalism                        176
9.  Technological Obsolescence                                      144
10. Forces of Nature                                                134
11. Compromises to Intellectual Property                             96
12. Deliberate Acts of Information Extortion                         44

How Can We Use This Information?

Development of “control spreadsheets”:
(1) Prioritize threats.
(2) Prioritize assets/vulnerabilities.
(3) Develop controls to address threats to assets/vulnerabilities.

Control Spreadsheet

            Asset 1              Asset 2              Asset 3              …
Threat 1    Controls for (1,1)   Controls for (1,2)   Controls for (1,3)
Threat 2    Controls for (2,1)
Threat 3    Controls for (3,1)
…

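The three steps above and the control spreadsheet can be carried out mechanically once threats carry weighted ranks. The following Python is an added example, not code from the slides or the study: it takes the weighted ranks from the Threats Rankings slide, assumes a 1 to 5 asset value scale and three constructed assets with some controls already recorded, scores each (threat, asset) cell as scaled threat weight times asset value, and reports the highest-priority cells that still lack a control.

```python
"""Threat/asset control spreadsheet driven by the study's weighted threat ranks.

Added example, not code from the slides or the study. The asset list, the 1..5
asset value scale and the control text are constructed assumptions.
"""
from dataclasses import dataclass, field

# Weighted ranks copied from the "Threats Rankings" slide (step 1: prioritize threats).
THREAT_WEIGHTED_RANK = {
    "Deliberate Software Attacks": 2178,
    "Technical Software Failures or Errors": 1130,
    "Act of Human Error or Failure": 1101,
    "Deliberate Acts of Espionage or Trespass": 1044,
    "Deliberate Acts of Sabotage or Vandalism": 963,
    "Technical Hardware Failures or Errors": 942,
    "Deliberate Acts of Theft": 695,
    "Forces of Nature": 611,
    "Compromises to Intellectual Property": 495,
    "Quality of Service Deviations from Service Providers": 434,
    "Technological Obsolescence": 428,
    "Deliberate Acts of Information Extortion": 225,
}


@dataclass
class Asset:
    name: str
    value: int  # assumed relative importance, 1 (low) to 5 (critical)
    controls: dict = field(default_factory=dict)  # threat -> control already in place


# Constructed sample assets (step 2: prioritize assets); not from the study.
ASSETS = [
    Asset("Customer database", 5, {
        "Deliberate Software Attacks": "AV + patching",
        "Act of Human Error or Failure": "backups + training",
    }),
    Asset("Public web server", 4, {"Deliberate Software Attacks": "firewall + patching"}),
    Asset("Staff workstations", 2),
]


def threat_priority(threat: str) -> float:
    """Weighted rank scaled to 0..1 against the top-ranked threat."""
    return THREAT_WEIGHTED_RANK[threat] / max(THREAT_WEIGHTED_RANK.values())


def prioritize_cells(assets):
    """Score every (threat, asset) cell as scaled threat weight x asset value,
    highest first; ties are broken by name so the order is deterministic."""
    cells = [(threat_priority(t) * a.value, t, a.name)
             for t in THREAT_WEIGHTED_RANK for a in assets]
    return sorted(cells, key=lambda c: (-c[0], c[1], c[2]))


def missing_controls(assets, top_n):
    """Step 3: among the top_n cells, those with no control recorded yet."""
    by_name = {a.name: a for a in assets}
    return [(t, name, round(score, 2))
            for score, t, name in prioritize_cells(assets)[:top_n]
            if t not in by_name[name].controls]


def render_spreadsheet(assets, top_threats=4, width=22):
    """Plain-text control spreadsheet: rows are the highest-weighted threats,
    columns are assets, cells hold the recorded control or TODO."""
    threats = sorted(THREAT_WEIGHTED_RANK, key=THREAT_WEIGHTED_RANK.get, reverse=True)
    header = "Threat".ljust(44) + "".join(a.name[:width - 1].ljust(width) for a in assets)
    rows = [header]
    for t in threats[:top_threats]:
        rows.append(t.ljust(44) + "".join(
            a.controls.get(t, "TODO")[:width - 1].ljust(width) for a in assets))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_spreadsheet(ASSETS))
    for threat, asset, score in missing_controls(ASSETS, top_n=5):
        print(f"gap: {threat} x {asset} (priority {score})")
```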
Conclusions

As the evidence supports, the threats to information security are real.

The results of this study, as supported by the CSI/FBI Survey, clearly illustrate the need for increased levels of awareness, education and policy in information security.

These findings also support the findings of Loch et al.: “respondents seemed well aware of the threats… but viewed their neighbors to be at more risk than they.”

Need for Policy

Security advocates emphasize that any security profile begins with a valid security policy.

“If you ask a computer security professional what the single most important thing you can do to protect your network is, they will unhesitatingly say that it is to write a good security policy.”

Need for Awareness

Once the policy is developed, it must be disseminated, understood, and agreed to.

There is an obvious need for increased awareness of the threats to information security not only among security and systems administrators, but also among the users of information in organizations.

Need for Education

Education is needed to prepare future employees to work in a secure and ethical computing environment, and to prepare technologists to recognize threats and vulnerabilities.

People

2001 CSI/FBI

“The survey results over the years offer compelling evidence that neither technologies nor policies alone really offer an effective defense for your organization.

Organizations that want to survive in the coming years need to develop a comprehensive approach to information security, embracing both the human and technical dimensions.

They also need to properly fund, train, staff and empower those tasked with enterprise-wide information security.”

http://www.gocsi.com/prelea/000321.html

Conclusions

“Management needs to
(1) become more informed of the potential for security breaches …
(2) increase their awareness in key areas, … and
(3) recognize that their overall level of concern for security may underestimate the potential risk inherent in the highly connected environment in which they operate.”
