2003 11 13 Larry Clinton India Security Anchor Proposal

  • 7/31/2019 2003 11 13 Larry Clinton India Security Anchor Proposal

    1/17

    Larry Clinton, Operations Officer

    Internet Security [email protected]

    Growth in Incidents Reported to the CERT/CC

    [Chart: incidents reported per year, 1988 to 2002; vertical axis 0 to 120,000]

    The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

    [Chart: vulnerabilities reported per year, 1995 to 2002; vertical axis 0 to 4,500]

    Attack Sophistication v. Intruder Technical Knowledge

    [Chart: horizontal axis 1980 to 2000; vertical axis Low to High; curves labelled "Intruder Knowledge" and "Attack Sophistication"; other labels: Tools, Attackers]

    Labels on the chart: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; stealth / advanced scanning techniques; burglaries; network mgmt. diagnostics; DDOS attacks

    Computer Virus Costs (in billions)

    [Chart: costs in $ billion per year, '96 to '03 (through Oct 7); vertical axis 0 to 150; legend: Range]

    Implications for Indian Companies

    Corporate Financial Implications

    Legal Liability Could Affect Partnerships

    Cyber Security Could be Written into Trade Agreements

    Corporate Finances

    Attacks are inevitable

    You can mitigate risk, but not eliminate it.

    Many Companies are not insured

    Chief Technology Officers' Knowledge of their Cyber Insurance

    34% Incorrectly thought they were covered

    36% Did not have Insurance

    23% Did not know if they had insurance

    7% Knew that they were insured by a specific policy

    ISAlliance Cyber-Insurance Program

    Coverage for members

    Free Assessment through AIG

    Market incentive for increased security practices

    10% discount off best prices from AIG

    Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

    Legal Liability

    US State law already specifies liability

    Jones-Day review suggests companies must show they are above the mean in cyber security

    Partners will have to show security for its own sake and to fend off liability

    Regulatory/Trade Implications

    Intensive Interest in US Congress on Cyber Security

    Regulatory Proposals are being circulated demanding audits for cyber security

    Congressional Internet Committee 11/6/03

    Should we write cyber security requirements into our future trade agreements?

    Sponsors

    What ISAlliance Does

    Successful Information Sharing

    Develops Widely Approved Best Practices and standards

    Develops Tools for Assessment

    Creates/advocates market incentives to improve cyber security

    Education and Training Outreach e.g. Security Anchor Program+

    Cooperative work on assessment/certification

    TechNet CEO Self-Assessment Program

    Bring cyber security to the C-level based on ISA Best Practices

    Create a baseline of security even CEOs can understand

    American Security Consortium 3-Party Assessment program

    Risk Preparedness Index for assessment and certification

    Develop quantitative independent ROI for cyber security

    ISAlliance/CERT Training

    Concepts and Trends In Information Security

    Information Security for Technical Staff

    OCTAVE Method Training Workshop

    Overview of Managing Computer Security Incident Response Teams

    Fundamentals of Incident Handling

    Advanced Incident Handling for Technical Staff

    Information Survivability an Executive Perspective

    India Security Anchor Proposal

    Security Anchors are organizations who:

    ---Provide secure channel for receiving reports about vulnerabilities and incidents

    ---Provide assistance to members of its constituency in handling incidents

    ---Disseminate incident related information

    ---License and provide CERT training

    ---Expand the culture of security

    Larry Clinton, Operations Officer

    Internet Security [email protected]