
The Future of Security


DESCRIPTION

Presented by David Smith for InnoTech Oregon 2011


Page 1: The Future of Security

4/27/2011

1

The Future of Security

David Smith, CEO, HBMG Inc. | [email protected] | linkedin.com/in/davidsmithaustin

Why is Security Hard?

• No system can be 100% secure
– Reality is risk mitigation, not risk avoidance

• Difficult to prove good security
– Bad security gets proven for us!

• Good security and no security can look the same
– How does one know how secure they are?

• Many things to secure
– People, equipment, OS, network, Application Servers, applications, phones, and databases

Page 2: The Future of Security

Balancing the Business

[Diagram: a triangle balancing Usability, Performance and Security]

Page 3: The Future of Security

Challenges in the 21st century

[Diagram of the challenges listed below]

• Knowledge Economy
• Information Explosion
• Safety & Security
• Finite Resources
• International Partnerships
• Globalization
• Accelerating Change
• Complex Technologies
• Diverse Workforce
• Sustainable Development
• Life-Long Learning
• Citizen Engagement

Copyright, 2008 © HBMG, Inc.

Page 4: The Future of Security

The Growth Of Complexity

[Chart: systems plotted by Technical Complexity (lower to higher) against Management Complexity (lower to higher): Business spreadsheet, Commercial compiler, Small scientific simulation, Embedded automotive application, Enterprise application, Enterprise information systems, Large-scale simulation, Telecom switch, DOD management information system, National Air Traffic Control System, DOD weapon system]

HBMG Inc. Copyright 2009

Mega Trends to Consider…

• Digitization of all content (listening = getting!)
• Distribution is the default (just having a network won't be enough)
• Virtualization (location matters less and less)
• Niche-ization of content & lifestyles
• Mass-Personalization of media will become standard
• Democratization of creation, & peer production
• Amateurization of the entire value chain (but NOT to the detriment of experts)
• "Godzilla-zation" of users/consumers

Copyright, 2008 © HBMG, Inc.

Page 5: The Future of Security

Major Trends for Software Process

• System of systems is becoming more complex
• Increasing software criticality and need for dependability
• Increasing emphasis on end users – both inside and outside the enterprise
• Decreasing value of IT
• Geography doesn't matter
• The fabric of software and computing is evolving
• Continuous integration - continuous delivery – group mind
• Increasing software autonomy
• Combination of biology and computing

Copyright, 2009 © HBMG, Inc.

The Limits of Technology

Fundamental:
• The laws of physics
• The laws of software
• The challenge of algorithms
• The difficulty of distribution
• The problems of design

H:
• The importance of organization
• The impact of economics
• The influence of politics
• The limits of human imagination

HBMG Inc. Copyright 2009

Page 6: The Future of Security

Vertical Convergence within an Industry

[Diagram: five vertical industry stacks]

• Technology: Computers & Peripherals; Semiconductors; Internet apps; Software; Internet devices
• Telecom: Communication Equipment; Service Providers: Telephone / Voice & Data, Mobile Wireless / Voice & Data
• Network: Networking / IP Networking; Service Providers: Internet Service Providers, Broadband, Satellite, Broadcast Cable
• Content: Media & New Media; Advertising; Printing, Publishing and Newspapers
• Entertainment: Broadcasting; Film; Music; Gaming; Sports

Copyright, 2008 © HBMG, Inc.

Horizontally Across Different Industry Sectors: Manufacturing, Infrastructure, Services, Content

[Diagram: the same five stacks (Technology, Telecom, Network, Content, Entertainment) laid across the sectors Manufacturing, Infrastructure, Services and Content; further labels on the diagram: Design, Devices, Software, Distribution]

Copyright, 2008 © HBMG, Inc.

Page 7: The Future of Security

Convergence reduces costs and risks

[Diagram: Security Information & Events Systems, Identity & Access Privileges, and Comprehensive Security & Compliance converging]

Page 8: The Future of Security

Change, Uncertainty, and Complexity

[Diagram of the drivers listed below]

• Technology Acceleration
• Intangible Capital
• Virtual Worlds
• Economic & Financial
• Russia - China
• Cyber Warfare
• K-12 Science & Math Crisis
• Offshore Competition
• Global Talent Explosion
• English as 2nd
• Terrorism
• Pandemic
• 3 Billion New Capitalists
• Demographics
• Regional Economic Dislocation
• Economic Unions
• Flat Wages
• End of Moore's Law
• New Economic Superpowers in 2050?

Page 9: The Future of Security

Innovation is Accelerating

The "Fat Pipe"

Page 10: The Future of Security

Growth of Broadband Users

[Chart: Millions of Users, 1990–2020, with curves for Cellular Subscribers, Internet Users and Broadband Users. Source: Technology Futures, Inc., World Broadband 2005; historical data source: ITU]

Copyright, 2008 © HBMG, Inc.

Regional Forecasts—Broadband

[Chart: Millions of Broadband Subscribers by region (AP, Europe, NA, SA, MA, Korea), 1995–2025. Source: Technology Futures, Inc., World Broadband 2006; historical data source: ITU]

[Chart: Percentage of Households with Broadband by region (AP, Europe, NA, SA, MA, Korea), 1995–2025. Source: Technology Futures, Inc., World Broadband 2005; historical data source: ITU]

The first chart shows millions of broadband subscribers by region, and the second shows penetration as a percentage of households.

Page 11: The Future of Security

Fixed Mobile Convergence

The latest buzzword in the collaborative industry is fixed mobile convergence (FMC), the integration of wire line and wireless technologies to provide users with a seamless communication environment.

Page 12: The Future of Security

Wireless Broadband Changes Everything….

Habits and behaviors sometimes change quickly: once you have had a great (and affordable) experience with new technology, you usually don't want to miss it anymore. See: Blackberry, iPod, Skype, in-flight Wi-Fi, HD radio…

• Wireless enables two-way, personalized media (as opposed to mass media)
• Mobile content access will dwarf desktop-based access 10:1
• In wireless broadband, interaction takes on a whole new meaning:
– "Sharing" will become a default standard
– Multimedia communications will abound (messages, video, photo, sound)
– Games become all-pervasive (posing other problems)
– Shared content creation is now "on the fly" (contributing, remixing, mashing, etc.)
– Location-based CONTENT services will explode
• Receivers become senders too

Copyright, 2008 © HBMG, Inc.

"Mobile phones are more than a billion smart computers we can't ignore that may create a software spiral like that of PC over the next 10 years."

—Paul Otellini, CEO, Intel

"We really believe we are on the cusp of a whole new era of mobile computing."

—Steve Ballmer, CEO, Microsoft

Copyright, 2008 © HBMG, Inc.

Page 13: The Future of Security

Top Ten Attacks

• Trusted Website attacks
• Effectiveness in Botnets
• Data Loss – Phishing
• Mobile phone threats (iPhones)
• Insider attacks
• Identity Theft
• Malicious Spyware
• Web Application Security Exploits
• VoIP event Phishing
• Supply Chain Attacks

Pillars of Information Protection

[Diagram: four pillars: Secure Systems, Information Management, Network Security, Physical Security]

Page 14: The Future of Security

Threats and Vulnerabilities

– What's at Stake
• Critical Infrastructures
• Key Resources
• New Resources

– The Case for Action
• Cyber Threats
• Insider Threats
• External Threats
• Cyber Terrorism
• Physical Attacks

[Chart: Security Incident Trend, 1995–2003 (CERT/CC)]

What kind of threats are there?

External threats
– Malware
– Rootkits
– Adware
– Spam
– Phishing
– "Ransomware"

Internal threats
– User response to unsolicited email or instant messages
– May have a network that is difficult to maintain
– "The Enemy Within" – The code for malware isn't particularly difficult to find and launch.

Page 15: The Future of Security

Threat numbers - Malware

5500 new malicious software threats per month

Attack Trends – Data Breaches

Information on data breaches that could lead to identity theft. The Education sector accounted for the majority of data breaches with 30%, followed by Government (26%) and Healthcare (15%). Almost half of breaches (46%) were due to theft or loss, with hacking accounting for only 16%. Hacking nevertheless resulted in 73% of identities being exposed.

Page 16: The Future of Security

IT Trends

[Chart: computing eras along a 1960–2020 timeline: Punch Card, Mainframe/Midrange, Client Server, Network, Internet/WEB, Grid, Virtualization, Appliances, Cloud, Ubiquitous]

HBMG Inc. Copyright 2009

Top 10 Programming Languages

Page 17: The Future of Security

Programming Trends

[Chart: Programming Community Index for August 2010. Source: Tiobe Software, Aug. 2010]

Page 18: The Future of Security

Entry points - email - social engineering

• Security patch
• Famous person photo
• Anti-virus program
• Mp3, video
• Computer game
• "Cracked" software
• Serial numbers file
• Electronic postcard

[Diagram: networked consumer devices as entry points: Digital Video Adapters, Satellite Radio Receivers, Digital Cameras, PDAs, Wireless Cameras, Wireless TV Monitors, Digital Music Adapters, Networked Storage Centers, Game Consoles, Smart Displays, Smart Phones, Laptop PCs, Desktop PCs, Wireless Gaming Adapters, Movies-on-Demand Receivers, "Fourth Generation" Set-top Boxes, MP3 Players, Digital Media Receivers, Personal Video Recorders, Networked DVD Player, Mobile Gaming Devices, 802.11 Speakers]

Copyright, 2008 © HBMG, Inc.

Page 19: The Future of Security

Ubiquitous Computing

[Chart: Complexity against a 1960–2025 timeline: Punch Card, Mainframe/Midrange Computing, Client/Server Computing, Internet/Network Computing, Peer-to-Peer/Mobile, Ubiquitous Computing; the eras are labelled Process Centered, Department, Intra-Enterprises, Extra-Enterprises, Personal, Anytime-Anywhere]

Copyright, 2008 © HBMG, Inc.

INFOSEC Research Council's "Hard Problems" list

1. Global-Scale Identity – Identification required to produce an infrastructure capable of and reliable for commercial and national security purposes
2. Insider Threat – All security technologies and approaches rely practically on modeled behavior of external bad actors. This runs contrary to a majority of the security data, which shows damage caused by insiders to be orders of magnitude more frequent and costly
3. Availability of Time-Critical Systems – Implementing effective security for systems where timeliness, performance and availability are higher priority services than security (i.e. control systems)
4. Scalable Secure Systems – The development of large-scale secure systems where individual components or dependencies may be flawed or compromised
5. Situational Understanding and Attack Attribution – Determining the current state of security for large scale and complex systems and being able to conduct assessments and provide attribution for security incidents
6. Information Provenance – Developing systems and methods to determine and manage the integrity of information and information systems
7. Security with Privacy – Designing methods and processes to improve security while preserving or enhancing privacy through granularity of activities and systems improvements
8. Enterprise-Level Security Metrics – Scalable methods to determine or represent security or risk are needed in order to optimize resource allocation and decision making.

Page 20: The Future of Security

Security is a System

SECURITY: Product, Configuration, Implementation, Policy and Process

SOA Reference Architecture

[Diagram: layered SOA reference architecture, with two cross-cutting bars: "Security, Operations, & Governance" and "Policy, Process, Monitoring, Reporting, Usage Tracking"]

• Users: Browsers, Voice
• Channel: PC, PDA, Cell Phone, iPhone, IVR
• User Interface / Access Points: Portals / Websites; Web Applications (ASP, JSP, HTML, CSS); User Interactions (Voice/XML)
• Web Services: Atomic, Composite, Business, Federated
• Service Management ("Enterprise Service Bus", "Service Registry"): Orchestrated Web Services; Service Discovery; Service Transformations; Service Mediation, Routing, Logging, Auditing; Identity Policy Enforcement; Messaging; Management; Authentication, Single Sign-On; Business Process
• Web Services: Atomic, Composite, Data Access, Business Logic/Rules, Federated
• Platform: Mainframe, UNIX, Windows, .NET, Java J2EE, COBOL, CICS; System Administration
• Network: Firewalls, Routers, XML Accelerators, Proxy Servers, TCP/IP; Network Administration

Page 21: The Future of Security

Growth at the Edge of the Network

[Chart: Petabytes/Day Global, 2003–2012, split into Traditional Computation and Converged Content (Mobile, Device to Device, Sensors, Entertainment, Smart Home, Distributed Industrial, Autos/Trucks, Smart Toys)]

Copyright, 2008 © HBMG, Inc.

Cloud Computing - a Disruptive New Paradigm

A "cloud" is an IT service delivered to users that provides:
• Simple user interface that automatically provisions IT resources
• Capacity on demand with massive scalability
• New application service delivery models
• Platform for next generation data centers
• Development in the cloud, for the cloud

"Clouds will transform the information technology (IT) industry… profoundly change the way people work and companies operate."

[Timeline, 1990–2015: Grid Computing, Utility Computing, Software as a Service, Cloud Computing]

Page 22: The Future of Security

A Riskier World?

Risk Management – A changing framework

[Diagram: 1970's, Value of Tangible assets, Traditional Asset Protection; 2000+, Value of Intangible assets (Knowledge, Reputation, Management, Image), Knowledge based economy]

12 Components of an Effective Information Security Program

– Risk Management
– Policy Management
– Organizing Information Security
– Asset Protection
– Human Resource Security
– Physical and Environmental Security
– Communication and Operations Management
– Access Control
– Information Systems Acquisition, Development and Maintenance
– Incident Management
– Disaster Recovery Management
– Compliance

Page 23: The Future of Security

Hierarchy of Needs

Copyright, 2008 © HBMG, Inc.

Page 24: The Future of Security

Social Media

Copyright, 2008 © HBMG, Inc.

Collaboration Technologies

Copyright, 2008 © HBMG, Inc.

Page 25: The Future of Security

[Diagram: collaboration technologies plotted by Speed of Connectivity — Social against Speed of Connectivity — Informational. Labels include: A.I., Deep Search, Intelligent Agents, Weak Signals, Inference Engines, XML, Knowledge Networks, Intelligent Marketplaces, Group Intelligence, Enterprise Minds, Semantic Web, Knowledge, Reed's -Self Formation, Metaweb, Digital World, Virtual Worlds, Massive Multiplayer Games, Evolving—Self Forming, Ontologies, Taxonomics, Knowledge Bases, Knowledge Management, Life Casting, Life Logs, Group Minds, Emergent Groups, Market Places, Search Engines, Content Portals, Websites, Enterprise Portals, Mobile Technologies, Wikis, Social Media, Social Web, People Web, Information Web, WeBlogs, Databases, File Servers, Groupware, PIMs, P2P File Sharing, Auctions, IM, Social Networks, Email, Phone Calls, Conference Calls, Computer Conferencing, Community Portals]

Copyright, 2008 © HBMG, Inc.

Along for the Ride: Security Element Is in the Infrastructure

The current and future working environment is one without perimeters or boundaries, so collaboration tools are a necessity. In the future collaborative environment, users will no longer have the "living in the inbox" mentality, and will rely less on standard tools like e-mail and more on other collaborative tools and technology as a part of daily operations. The security element for such tools will be managed at the infrastructure level, using existing and new enterprise and network tools. The demand for security (managing identities, data protection, secure networks, and transactions and resiliency) will be handled by the infrastructure itself.

[Diagram: defense-in-depth layers: Data, Application, Host, Internal Network, Perimeter, Physical Security, Policies, Procedures, & Awareness]

Page 26: The Future of Security

Disruptors can be:

• Technology
• Regulatory
• Economic
• Civil
• Natural Disasters
• …

Risk

"Risk is inherent in life. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete security is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated risk. The results of such an analysis could include pragmatic decisions as to whether achieving risk avoidance at such cost was reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is risk management."

—Julie H. Ryan, Booz-Allen & Hamilton

Page 27: The Future of Security

Risk Model Example: 'PEST' model

[Diagram: four quadrants labelled Technical, Economic, People and Social, containing: IT/Systems Breakdown, Contamination, Industrial Accidents, Government Crisis, Utilities failure, On-site product tampering, Off-site product tampering, Malicious acts, Organisational failure, Sabotage, Terrorism, Labour strikes]

Page 28: The Future of Security

Elements of the Web of Trust

All solutions to Identity Management must provide a solution for each of these seven elements.

Risk Management And Needed Security

[Chart: Impact to business (Low to High) against Probability of exploit (Low to High), divided into Acceptable Risk and Unacceptable Risk regions]

• Business defines impact
• Security engineering defines probability
• Risk management drives risk to an acceptable level

Page 29: The Future of Security

Risk Formula

Risk is a statement of probability. It is the probability that a given threat will exploit a given vulnerability and cause harm.

• Threat agent: Any person or thing that can do harm
• Threat: Anything that could harm an asset
• Vulnerability: A deficiency that leaves an asset open to harm
• Asset: Anything with value—what we want to protect
• Exposure: Harm caused when a threat becomes real
• Countermeasure: Any protective measure we take to safeguard an asset. This is measured by reducing the probability of successful exploitation

Threat Modeling & Risk Forecasting

[Diagram: Threat Sources (Internal Operations, i.e. Insider Threats; Internal Operations, i.e. Financial; External Customers; External Competitors; External Non-related Businesses; Business Partners B2B; Business Partners Suppliers; Global Governments, etc.) and threat categories (Internal Technology; Internal Processes; External Physical, BC-type threats; External Technology-driven threats), connected by arrows labelled Gives Rise To, Exploits, Affects, Mitigated By and Offsets]
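The risk formula above and the "Risk Management And Needed Security" chart on the previous slide, worked through as a small quantitative model (an added example, not code from the original deck): the business sets the impact it can tolerate, security engineering estimates exploit probability, a countermeasure is credited only with the probability it removes, and risk management spends a limited budget until each residual risk is at an acceptable level. The register, the controls and every probability and cost are constructed, and the greedy selection is an illustration rather than a method the deck prescribes.

```python
"""Added example, not from the original slides: the deck's risk formula worked
quantitatively. Risk = probability that a threat exploits a vulnerability, times
the harm to the asset. Business defines impact, security engineering estimates
probability, a countermeasure counts only for the probability it removes, and
risk management spends a budget until residual risk is acceptable. All data is
constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int         # constructed budget units
    reduction: float  # fraction of exploit probability removed (0..1)

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: float  # security engineering's estimate (0..1)
    impact: float       # business-defined harm, 0..10
    applied: list = field(default_factory=list)

    def score(self) -> float:
        """Residual risk: impact x probability left after applied controls."""
        p = self.probability
        for cm in self.applied:
            p *= 1.0 - cm.reduction
        return p * self.impact

def plan_mitigations(risks, options, budget, acceptable):
    """Greedy: keep buying the control with the best risk reduction per cost
    for any risk still above `acceptable`, until budget or options run out."""
    chosen, remaining = [], budget
    while True:
        best = None
        for r in risks:
            if r.score() <= acceptable:
                continue  # already driven to an acceptable level
            for cm in options.get(r.vulnerability, ()):
                if cm in r.applied or cm.cost > remaining:
                    continue
                gain = r.score() * cm.reduction / cm.cost
                if best is None or gain > best[0]:
                    best = (gain, r, cm)
        if best is None:
            return chosen, remaining
        _, r, cm = best
        r.applied.append(cm)
        chosen.append((r.asset, cm.name))
        remaining -= cm.cost

def build_register():
    """Constructed risk register and the controls available per vulnerability."""
    risks = [Risk("customer database", "external attacker", "unpatched web app", 0.6, 9),
             Risk("payroll system", "insider", "shared admin credentials", 0.3, 7),
             Risk("marketing site", "defacement", "weak CMS password", 0.5, 2)]
    options = {"unpatched web app": [Countermeasure("patch management", 3, 0.7),
                                     Countermeasure("web application firewall", 4, 0.5)],
               "shared admin credentials": [Countermeasure("individual accounts + MFA", 2, 0.8)],
               "weak CMS password": [Countermeasure("password policy", 1, 0.6)]}
    return risks, options

def run_example(budget=8, acceptable=1.5):
    """Returns (controls bought, budget left, assets still above acceptable risk)."""
    risks, options = build_register()
    chosen, left = plan_mitigations(risks, options, budget, acceptable)
    return chosen, left, [r.asset for r in risks if r.score() > acceptable]
```

With the default budget of 8 the customer database stays above the acceptable line because the remaining budget cannot buy the second control; raising the budget to 9 drives every residual risk below it, which is the "how much security we can afford" trade-off the Ryan quote describes.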

Page 30: The Future of Security

In Parting: Be Paranoid

"Sooner or later, something fundamental in your business world will change."

—Andrew S. Grove, Founder, Intel, "Only the Paranoid Survive"

Copyright @2008 HBMG Inc.