The Changing Role of IT Security in an Internet World
A Business Perspective (and a request for help)
Hannes Lubich, Bank Julius Baer, Zurich
Outline
IT Security Properties and Threats
IT Security Building Blocks, Shortcomings and Further Research Requirements
The Changing Role of IT Security as a Management Discipline
Sources of IT Security Threats
Operation and reputation of the firm as a whole
Business partners (customers, outsourcers, competitors, suppliers, etc.)
Hackers, pranksters, investigative reporters etc.
Government and private intelligence community
"Internal" threats (dishonest employees, software failures etc.)
1998 Computer Crime and Security Survey
Background: joint study by the US Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI); 520 companies surveyed
Major findings:
64% of companies have reported a security breach
Cumulated financial loss is over 136 million USD
Unauthorised insider access is the major threat
Theft of proprietary information is in second position
Current IT Threats
Human Errors 55%
Dishonest Employees 10%
Disgruntled Employees 9%
Physical Security Problems 20%
Viruses 4%
Outsider Attacks 2%
Source: Icove/Seger/Von Storch, Computer Crime, O'Reilly, 1995, p. 22
Business Risks
Delayed order processing
Processing of falsified orders
Disclosure of customer data or intentions
Financial consequences due to damage of customer data or systems
Damage to the reputation of the firm
Legal/Regulatory Risks
Disclosure of customer relationship
Damage claims
Taxation/Customs aspects
National/international restrictions of inter- and intra-business financial transactions
Rules imposed by regulators
Basic IT-Security Assets and Solution Technologies
Confidentiality: Encryption
Integrity: Authentication
Availability: Redundancy
Obligation: Digital signatures
Encryption: Status
Basic research has created sufficiently good encryption algorithms.
Vendors have integrated encryption into some of their products
As part of the Internet growth, encryption issues are gaining public attention
On Breaking Cryptography
Source: Blaze, Rivest, Diffie, Schneier, Shimomura, Thompson, Wiener; "Minimal Key Lengths for Symmetric Ciphers, A Report By An Ad-Hoc Group of Cryptographers And Computer Scientists"

Time to break a key of the given length, by type of attacker and hardware budget:

Type of Attacker           Budget for Computer   40-bit Key       56-bit Key    64-bit Key    128-bit Key
Hacker Using Spare Cycles  $0                    1 week           infeasible    infeasible    infeasible
Pedestrian Engine          $400                  5 hours          38 years      304 years     infeasible
Small Business             $10,000               12 minutes       556 days      12 years      infeasible
Corporate Department       $300,000              24 seconds       19 days       3 years       infeasible
Big Company or Internet    $10,000,000           7 seconds        13 hours      104 hours     infeasible
Intelligence Agency        $300,000,000          0.0002 seconds   12 seconds    96 seconds    infeasible
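The table rests on one piece of arithmetic: every additional key bit doubles the exhaustive-search effort, so a single measured cell fixes an attacker's key-search rate and the rest of the row follows. The script below is an added example, not part of the talk or the cited report. It takes the slide's attacker classes, budgets and 40-bit times as input, infers a rate for each, extrapolates to 56, 64 and 128 bits, and answers the management question the slide implies: how many bits keep a given adversary out for a given number of years. The "infeasible" threshold (age of the universe) and all function names are assumptions of this example. The pure doubling model reproduces the slide's 56-bit column to within rounding; its 64-bit figures differ from the slide's, which come from the source report rather than from this simple model.

```python
"""Brute-force search cost versus symmetric key length.

Added example, not from the talk. Attacker names, budgets and 40-bit
times are copied from the slide's table; everything else is derived
from the fact that each extra key bit doubles the search effort.
"""
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed cutoff for calling an attack "infeasible": longer than the age of
# the universe (about 1.4e10 years). Any threshold of that order of magnitude
# gives the same verdict for 128-bit keys.
INFEASIBLE_YEARS = 1.4e10


@dataclass(frozen=True)
class Attacker:
    name: str
    budget_usd: int
    seconds_for_40_bit: float  # time to exhaust the 40-bit keyspace (from the slide)


# Rows constructed from the slide's table.
ATTACKERS = [
    Attacker("Hacker Using Spare Cycles", 0, 7 * 24 * 3600),   # 1 week
    Attacker("Pedestrian Engine", 400, 5 * 3600),              # 5 hours
    Attacker("Small Business", 10_000, 12 * 60),               # 12 minutes
    Attacker("Corporate Department", 300_000, 24),             # 24 seconds
    Attacker("Big Company or Internet", 10_000_000, 7),        # 7 seconds
    Attacker("Intelligence Agency", 300_000_000, 0.0002),      # 0.0002 seconds
]


def keys_per_second(bits: int, seconds: float) -> float:
    """Search rate implied by exhausting a `bits`-bit keyspace in `seconds`."""
    return 2 ** bits / seconds


def exhaustive_seconds(bits: int, rate: float) -> float:
    """Worst-case time to try every `bits`-bit key at `rate` keys per second.
    The expected time to hit the right key is half of this."""
    return 2 ** bits / rate


def describe(seconds: float) -> str:
    """Human-readable duration; 'infeasible' beyond the assumed threshold."""
    if seconds / SECONDS_PER_YEAR > INFEASIBLE_YEARS:
        return "infeasible"
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def extrapolate(attacker: Attacker, lengths=(40, 56, 64, 128)) -> dict:
    """Map key length -> worst-case exhaustive-search time for this attacker."""
    rate = keys_per_second(40, attacker.seconds_for_40_bit)
    return {bits: exhaustive_seconds(bits, rate) for bits in lengths}


def margin_bits(attacker: Attacker, years: float) -> int:
    """Smallest key length whose exhaustive search takes longer than `years`
    against this attacker, i.e. the minimum for that protection period."""
    rate = keys_per_second(40, attacker.seconds_for_40_bit)
    bits = 40
    while exhaustive_seconds(bits, rate) < years * SECONDS_PER_YEAR:
        bits += 1
    return bits


if __name__ == "__main__":
    header = "".join(f"{b}-bit".rjust(16) for b in (40, 56, 64, 128))
    print(f"{'Attacker':<26}{'Budget':>14}  {header}")
    for a in ATTACKERS:
        row = "".join(describe(t).rjust(16) for t in extrapolate(a).values())
        print(f"{a.name:<26}{'$' + format(a.budget_usd, ','):>14}  {row}")
    print("\nMinimum key length for 20 years of protection:")
    for a in ATTACKERS:
        print(f"  {a.name:<26} {margin_bits(a, 20)} bits")
```

Two caveats a practitioner should keep next to this table: the figures are worst-case exhaustive search, and an attacker finds the key after half the keyspace on average; and the model covers brute force only, so a 128-bit key says nothing about weaknesses in the algorithm or its implementation, which is exactly the "trust" issue raised on the next slide.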
Cryptography: Open Issues
Compatibility & Interworking
Integration with other security mechanisms (e.g. VPN’s and firewalls)
Exportability (“How many strings attached?”)
Trust (proprietary versus “open source”)
Authentication: Status
Algorithms of sufficient quality exist for different purposes
Many applications have become "authentication-aware"
Legal frameworks for the formal relevance of authentication exist in some countries
Authentication: Open Issues
Weak embedding into “real life” application environments, interworking problems and lack of user friendliness
“Missing link” between authentication and (personal) identification
Applicability on advanced business issues such as digital watermarks still missing
Redundancy / QoS: Status
Models for measurement and interpretation of key elements (delay, jitter etc.) exist
Research in the area of dynamically expressing QoS requirements by applications
Standard proposals for resource reservation and load balancing protocols exist
Redundancy/QoS: Open Issues
No unique standard yet - currently solved on a vendor-by-vendor basis
Internet QoS (i.e. RSVP) standards are complex and too resource/investment-intensive
Integration in existing infrastructure and management frameworks (CA Unicenter, Tivoli etc.) completely unresolved
Obligation: Status
Models for the creation, administration and use of digital certificates exist
X.509 v3 has been widely accepted as the leading certificate format
Software to operate a Public Key Infrastructure (including CAs, RAs etc.) exists
Obligation: Open Issues
PKI availability and interworking (especially inter-company or trans-border) insufficient, but would be prerequisite for wider use
Integration with existing B-2-B structures (especially EDI, S.W.I.F.T. etc) missing
Government regulation and legislation are slow and inconsistent
Other Open Issues
We are lacking the models and modelling tools to cope with complex security issues
University and continuing education on "applied security" is still in its infancy
There are too few operational “Networks of Excellence” including academia and business partners
IT Security as a Management Discipline
IT Security has moved from technical decision making to contributing to business decisions, as part of operational risk management
IT Security cost perception has moved from an insurance premium to a business asset
IT Security has a wider scope of responsibility