Dave McCurdy, Executive Director, Internet Security Alliance; President, Electronic Industries Alliance

Electronic Industries Alliance

“The Whole is Greater Than the Sum of the Individual Parts”

• Telecommunications Industry Association (TIA)
• Consumer Electronics Association (CEA)
• Government Electronics & Information Technology Association (GEIA)
• Affiliates:
  – Electronic Components, Assemblies & Materials Association (ECA)
  – Electronic Representative Association (ERA)
  – Internet Security Alliance (ISAlliance)
  – National Association of Relay Manufacturers (NARM)
• Solid State and Semiconductor Technology (JEDEC)
• NSTEP National Science & Technology Education Partnership (Foundation)

Electronic Industries Alliance Mission

• EIA the Alliance
  – “Promote market development and competitiveness of the high-tech industry through domestic and international policy efforts.”
• EIA the Entity
  – Serves as a common voice for industry to educate policymakers and the public
  – Addresses sustained and critical issues important to the constituent industry
  – Mobilizes the industry on critical issues
  – Coordinates policies and strategies with all allied associations
  – Promotes standards that serve the industry

Electronic Industries Alliance

• Brings together top-level government officials and corporate leaders.
• Each of the past four U.S. presidents and other major policy makers meet with EIA.
• EIA provides a major US tech link to international organizations.

The Internet Security Alliance

The Internet Security Alliance is a collaborative effort between Carnegie Mellon University’s Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance (EIA), a federation of trade associations with over 2,500 members.

Sponsors

ISAlliance = Power-Synergy

• Draws on the political muscle of EIA and its 80-year history in technology policy, market development and standards creation.
• Draws on the internet security expertise of the CERT at Carnegie Mellon.
• Draws on an international membership to bring cohesion and focus to issues.

ISAlliance International: India Participation

• ISAlliance has active members on 4 continents.
• 20% of the ISAlliance Board are non-US based companies; the Board Chair is from CW of England.
• TCS is the ISAlliance Founding Sponsor from India.
• TCS has offered to become the first “ISAlliance Security Anchor”.

Outline of Today’s Presentation

• The substance and politics of outsourcing in the United States today
• The relationship between security issues and outsourcing, and its potential effect on public policy and international business cooperation
• A proposal for NASSCOM and its member companies to formally join/work together

Economics of Offshore Outsourcing for the US

• The U.S. is now facing a third consecutive year of job losses.
• Last summer the US lost a quarter million jobs, while US firms shipped 30,000 new service jobs to India.
• Estimates are that during the next 15 years the US will lose 3.3 million jobs to foreign companies, along with $136 billion in lost wages.

Positive Aspects of Outsourcing to India

• India provides significant assets for high-tech companies: a highly-educated workforce well-versed in math and science and possessing engineering degrees comparable to those from U.S. colleges and universities.
• India is becoming an increasingly important member of the international economic community. This strength could also bring better relations between the U.S. and India, and a vested interest in international security.

The US Politics of Outsourcing to India

• The U.S. faces a “job loss” economic recovery.
• Homeland security, including cyber security, continues to have strong political appeal.
• “The AFL-CIO (the largest union in the US) has mobilized support around the country for legislation that calls for an outright ban on overseas contracting” (Wash Post 1/31/04)

Results of Political Pressure in US

• In November the state of Indiana canceled a $15 million contract with an Indian company due to public outcry over outsourcing.
• Last year 8 states considered legislation to ban contracts using overseas workers; none passed, but more pressure is expected.
• On Jan 23 2004 President Bush signed into law a provision prohibiting certain government contracts to companies performing the work overseas.

New US law is tip of the Iceberg

THE LAW IS LIMITED
1. It pertains to only a narrow range of mostly transportation contracts.
2. It is already set to expire in September.
3. Very few contracts are likely to be affected.

THE LAW IS A WARNING
1. State bills defeated last year have a better chance now.
2. Congress and the Administration are now on record as willing to take aggressive action.

What Drives the Outsourcing Politics?

Speaking of the new US federal law in Saturday’s Washington Post, Stan Soloway (Pres. US Professional Service Council) is quoted as saying:

“he knows of no such competitions that have resulted in jobs going overseas. (It is) security restrictions that keep government contractors from using foreign workers.” (Wash. Post 1/31/04)

A Security Focus may be a good approach for India

• India is considered to have a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Poorer nations often don't have laws protecting foreign companies and rarely enforce whatever laws may exist.
• India’s membership in WTO and adherence to TRIPS will help reduce fear.

US also needs a focus on Internet Security

1. Concerns about offshore-related security are on the rise.
2. The shift to higher-level outsourcing will put security more in the spotlight. Database testing carries a higher level of risk than application development and maintenance.
3. US industry must develop cooperative policies, or high-tech companies will be penalized by those who are not as familiar with the issues or who wish to capitalize on the misfortunes of voters.

Growth in Incidents Reported to the CERT/CC

[Chart: incidents reported to the CERT/CC per year, 1988–2002, on a 0–120,000 scale; growth from 6 incidents in 1988 to 110,000 in 2002.]

The Dilemma: Growth in Number of Vulnerabilities Reported to CERT/CC

[Chart: vulnerabilities reported to CERT/CC per year, 1995–2002, on a 0–4,500 scale; growth from 171 in 1995 to 4,129 in 2002.]
The Threats – The Risks

Human Agents
• Hackers
• Disgruntled employees
• White collar criminals
• Organized crime
• Terrorists

Exposures
• Information theft, loss & corruption
• Monetary theft & embezzlement
• Critical infrastructure failure
• Hacker adventures, e-graffiti/defacement
• Business disruption

Methods of Attack
• Brute force
• Denial of Service
• Viruses & worms
• Back door taps & misappropriation
• Information Warfare (IW) techniques

Representative Incidents
• Code Red, Nimda, Sircam
• CD Universe extortion, e-Toys “Hactivist” campaign
• Love Bug, Melissa viruses

Attack Sophistication v. Intruder Technical Knowledge

[Chart: timeline 1980–2000 with two curves, Tools (attack sophistication, rising) and Attackers (intruder knowledge, falling from High to Low). Tools plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, DDOS attacks, network mgmt. diagnostics, burglaries.]
Discovered Virus Threats Per Day

[Chart: discovered virus threats per day by year, 1991–2003 (2003 estimated), on a 0–70 scale.]
The Speed of Attacks Accelerates

Slammer (January 2003)
• Blended threat exploits known vulnerability
• Global in 3 minutes
• Enterprises scramble to restore business availability

MYDOOM (January 2004): Even Faster

Machines Infected per Hour at Peak

[Chart: machines infected per hour at peak for Code Red, Nimda, Goner and Slammer, on a 0–100,000 scale.]
Computer Virus Costs (in billions)

[Chart: computer virus costs per year, '96 through '03, shown as a range on a $0–150 billion scale.]

ISA Security Anchor Proposal

Go beyond isolated conferences to:
• A full service trade association for cyber security providing on-going services in:
  – Information sharing on threats and incidents
  – Best practices/standards/assessment development
  – Locally-based education and training
  – Domestic & international policy development
  – Developing market incentives for cyber security

What Indian Partners Can Do:

• Become Security Anchors in India
  – TCS will be a Security Anchor in India; other companies or associations may also apply
• Join ISAlliance, be a conduit for ISAlliance services
• Work jointly on projects of mutual benefit
• Work jointly on increasing confidence in free market policies in the Internet age
• Work jointly on developing Return on Investment programs in cyber-security

ISAlliance/CERT Knowledgebase Examples

Benefits of Information Sharing Organizations

• May lessen the likelihood of attack
  – “Organizations that share information about computer break-ins are less attractive targets for malicious attackers.” – NYT 2003
• Participants in information sharing have the ability to better prepare for attacks

Benefits of Information Sharing Organizations

• SNMP vulnerability
  – CERT notified Alliance members Oct. 2001
  – Publicly disclosed Feb. 2002
• Slammer worm
  – CERT notified Alliance members May 2002
  – Worm exploited Jan. 2003

Why ISA Info Sharing Works

• Carnegie Mellon/CERT leadership and credibility
• History and regularity build up trust
• Enforcing the rules builds trust
• Cross-sector/international model lessens competitive concerns
• Success breeds greater success

A Risk Management Approach is Needed

“Installing a network security device is not a substitute for a constant focus and keeping our defenses up to date… There is no special technology that can make an enterprise completely secure.”

National Plan to Secure Cyberspace, 2/14/03

Chief Technology Officers’ Knowledge of their Cyber Insurance

• 34% incorrectly thought they were covered
• 36% did not have insurance
• 23% did not know if they had insurance
• 7% knew that they were insured by a specific policy

ISAlliance Cyber-Insurance Program

• Coverage for members
• Free assessment through AIG
• Market incentive for increased security practices
  – 10% discount off best prices from AIG
  – Additional 5% discount for implementing ISAlliance Best Practices (July 2002)

Adopt and Implement Best Practices

• Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
• Endorsed by TechNet for CEO Security Initiative (April 2003)
• Endorsed by US India Business Council (April 2003)
Common Sense Guide Top Ten Practice Topics

• Practice #1: General Management
• Practice #2: Policy
• Practice #3: Risk Management
• Practice #4: Security Architecture & Design
• Practice #5: User Issues
• Practice #6: System & Network Management
• Practice #7: Authentication & Authorization
• Practice #8: Monitor & Audit
• Practice #9: Physical Security
• Practice #10: Continuity Planning & Disaster Recovery

Other ISAlliance Best Practice Publications

• Common Sense Guide for Home Users and Traveling Executives (February 2003)
• Common Sense Guide to Cyber Security for Small Businesses (commissioned by National Cyber Security Summit Meeting 11/03)

Cooperative work on assessment/certification

• TechNet CEO Self-Assessment Program
  – Bring cyber security to the C-level based on ISA Best Practices
  – Create a baseline of security even CEOs can understand
• Global Security Consortium 3-Party Assessment program
  – Risk Preparedness Index for assessment as “Qualified Member”
  – Develop quantitative independent ROI for cyber security

ISAlliance Qualification Program

• No standardized certification program exists, or will exist soon.
• ISAlliance, in cooperation with the Big 4 accounting firms and the insurance industry, creates a quantitative measurement for “qualification” for ISA discounts as a proxy for certification.
• ISA works with CMU CyLab on certification.

ISAlliance/CERT Training

• Concepts and Trends In Information Security
• Information Security for Technical Staff
• OCTAVE Method Training Workshop
• Overview of Managing Computer Security Incident Response Teams
• Fundamentals of Incident Handling
• Advanced Incident Handling for Technical Staff
• Information Survivability: an Executive Perspective

Public Policy

• Policy must address the Internet as a new technology
• No one “owns” the Internet
• It is constantly evolving
• International operation makes regulation difficult
• Mandates will truncate innovation and the economy

Putnam Legislation

• Risk assessment
• Risk mitigation
• Incident response program
• Tested continuity plan
• Updated patch management program

Putnam has said “industry led Internet Security efforts won’t work.”

ISAlliance Incentive Model

• Model Programs for market Incentives
  – AIG
  – Visa
• SemaTech Program
• Tax Incentives
• Liability Carrots
• Procurement Model
• Research and Development
  – Nortel
  – Verizon

A Coherent 10 step Program of Cyber Security

1. Members and CERT create best practices
2. Members and CERT share information
3. Cooperate with industry and government to develop new models and products consistent with best practices
4. Provide Education and Training programs based on coherent theory and measured compliance
5. Coordinate across sectors
6. Coordinate across borders
7. Develop the business case (ROI) for improved cyber security
8. Develop market incentives and tools for consistent maintenance of cyber security
9. Integrate sound theory and practice and evaluation into public policy
10. Constantly expand the perimeter of cyber security by adding new members

Benefits

• Share critical information across industries and across national borders
• Provide a secure setting to work on common problems
• Provide economic incentive programs
• Develop model industry evaluation and training programs

For Additional Information

• Dave McCurdy 703-907-7508 Dmccurdy@eia.org
• Larry Clinton 703-907-7028 lclinton@isalliance.org