The Changing Role of IT Security in an Internet World: A Business Perspective (and a request for help)
Hannes Lubich, Bank Julius Baer, Zurich



Outline

IT Security Properties and Threats

IT Security Building Blocks, Shortcomings and Further Research Requirements

The Changing Role of IT Security as a Management Discipline

Sources of IT Security Threats

Target: operation and reputation of the firm as a whole

Threat sources:
Business partners (customers, outsourcers, competitors, suppliers, etc.)
Hackers, pranksters, investigative reporters, etc.
Government and private intelligence community
"Internal" threats (dishonest employees, software failures, etc.)

1998 Computer Crime and Security Survey

Background: joint study by the US Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI); 520 companies surveyed

Major findings:
64% of companies reported a security breach
Cumulative financial loss is over 136 million USD
Unauthorised insider access is the major threat
Theft of proprietary information is in second position

Financial Losses by Type of Threat

(Chart not reproduced in the transcript.) Source: Cylink document "The Need for Information Security"

Current IT Threats (share of incidents)

Human errors                 55%
Dishonest employees          10%
Disgruntled employees         9%
Physical security problems   20%
Viruses                       4%
Outsider attacks              2%

Source: Icove/Seger/Von Storch, Computer Crime, O'Reilly, 1995, p. 22

Technical Risks

Disruption
Eavesdropping
Modification
Fabrication

Business Risks

Delayed order processing

Processing of falsified orders

Disclosure of customer data or intentions

Financial consequences due to damage to customer data or systems

Damage to the reputation of the firm

Legal/Regulatory Risks

Disclosure of a customer relationship

Damage claims

Taxation/Customs aspects

National/international restrictions of inter- and intra-business financial transactions

Rules imposed by regulators

Basic IT-Security Assets and Solution Technologies

Asset            Solution technology
Confidentiality  Encryption
Integrity        Authentication
Availability     Redundancy
Obligation       Digital signatures
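The following Python code is an added example, not material from the talk, that pairs three of the assets in the table above with their mechanisms and shows the failure modes named on the Technical Risks slide (modification and fabrication). Encryption is a toy XOR stream cipher built from SHA-256 (constructed here for illustration; it is not a vetted cipher), integrity is HMAC-SHA256, and obligation is a textbook RSA signature with fixed, deliberately tiny primes (a roughly 64-bit modulus and no padding, again for illustration only). The order message, keys and primes are all constructed inline; the code needs Python 3.8 or later for pow(e, -1, m).

```python
import hashlib
import hmac
import secrets

# Confidentiality: a toy XOR stream cipher whose keystream is SHA-256(key || counter).
# Constructed for this example only; it is not a vetted cipher and must not be used as one.
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

decrypt = encrypt  # XOR is its own inverse

# Integrity: HMAC-SHA256 over the ciphertext (encrypt-then-MAC); the key is shared by both parties.
def mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def open_authenticated(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes):
    """Return the plaintext, or None if the ciphertext was modified or fabricated."""
    if not hmac.compare_digest(mac(mac_key, ciphertext), tag):
        return None
    return decrypt(enc_key, ciphertext)

# Modification without the key: any XOR-based cipher is malleable, so an attacker who knows
# (or guesses) the plaintext bytes at an offset can rewrite them in the ciphertext.
def rewrite_ciphertext(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    out = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[offset + i] ^= k ^ w
    return bytes(out)

# Obligation (non-repudiation): textbook RSA signature over a reduced SHA-256 digest.
# The primes are fixed and tiny (about 64-bit modulus), for illustration only; a real
# signature uses 2048-bit or larger keys and a padding scheme such as RSA-PSS.
P = 2147483647           # 2^31 - 1
Q = 4294967291           # largest prime below 2^32
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(digest_int(data), D, N)                 # needs the private exponent D

def verify(data: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest_int(data)    # anyone holding (N, E) can check

def demo():
    """Run the properties against a constructed order message; returns the observations."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    order = b"SELL 100 shares ABC"                     # constructed sample message
    ct = encrypt(enc_key, order)

    # Eavesdropping is defeated (ct reveals nothing useful), but modification is not:
    tampered = rewrite_ciphertext(ct, 5, b"100", b"900")
    decrypted_tampered = decrypt(enc_key, tampered)    # b"SELL 900 shares ABC"

    # With a MAC the same tampering is rejected before the plaintext is used:
    tag = mac(mac_key, ct)
    mac_rejects = open_authenticated(enc_key, mac_key, tampered, tag) is None

    # A MAC proves only that one of the two key holders sent the message; a signature binds
    # it to the single holder of D and can be checked by any third party.
    sig = sign(order)
    return decrypted_tampered, mac_rejects, verify(order, sig), verify(decrypted_tampered, sig)

if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the second line of the table: encryption alone leaves the order amount rewritable by someone who never sees the key, so integrity needs its own mechanism, and a MAC still cannot settle a dispute between the two key holders, which is why obligation needs a signature rather than a shared secret.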

Encryption: Status

Basic research has created sufficiently good encryption algorithms.

Vendors have integrated encryption into some of their products

As part of the Internet growth, encryption issues are gaining public attention

On Breaking Cryptography

Source: Blaze, Rivest, Diffie, Schneier, Shimomura, Thompson, Wiener; "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security", A Report by an Ad-Hoc Group of Cryptographers and Computer Scientists, 1996

Budget for the attack hardware and time to exhaustively search a key of the given length:

Type of Attacker           Budget for Computer   40-bit Key       56-bit Key   64-bit Key   128-bit Key
Hacker Using Spare Cycles  $0                    1 week           infeasible   infeasible   infeasible
Pedestrian Engine          $400                  5 hours          38 years     304 years    infeasible
Small Business             $10,000               12 minutes       556 days     12 years     infeasible
Corporate Department       $300,000              24 seconds       19 days      3 years      infeasible
Big Company or Internet    $10,000,000           7 seconds        13 hours     104 hours    infeasible
Intelligence Agency        $300,000,000          0.0002 seconds   12 seconds   96 seconds   infeasible
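As an added example, not from the talk or from the cited report, the Python code below carries the reasoning behind such a table through in code: it takes each attacker's 40-bit time from the slide, derives the implied search rate in keys per second, extrapolates to longer keys on the assumption of constant throughput (one extra bit doubles the time), and inverts the calculation to find the key length that would keep a given budget class out for a chosen number of years, which is the kind of estimate the cited report uses to recommend minimum key lengths. The constant-throughput assumption ignores hardware improvements over the protection period and does not try to reproduce the slide's own 64-bit column; the attacker list and the 20-year horizon are constructed inputs.

```python
import math

SECONDS = {
    "second": 1.0,
    "minute": 60.0,
    "hour": 3600.0,
    "day": 86400.0,
    "week": 604800.0,
    "year": 365.25 * 86400,
}

def keys_per_second(key_bits: int, seconds_to_break: float) -> float:
    """Throughput implied by exhausting a key_bits keyspace in seconds_to_break."""
    return 2.0 ** key_bits / seconds_to_break

def time_to_break(rate: float, key_bits: int) -> float:
    """Worst-case seconds to exhaust a key_bits keyspace at rate keys per second."""
    return 2.0 ** key_bits / rate

def minimum_key_bits(rate: float, protection_years: float) -> int:
    """Smallest key length whose exhaustive search outlasts protection_years at this rate."""
    return math.ceil(math.log2(rate * protection_years * SECONDS["year"]))

def humanize(seconds: float) -> str:
    for unit in ("year", "day", "hour", "minute"):
        if seconds >= SECONDS[unit]:
            return f"{seconds / SECONDS[unit]:.4g} {unit}s"
    return f"{seconds:.4g} seconds"

def extrapolate(known_bits: int, known_seconds: float, targets=(40, 56, 64, 80, 128)) -> dict:
    """Map each target key length to the time the same attacker needs at constant throughput."""
    rate = keys_per_second(known_bits, known_seconds)
    return {bits: time_to_break(rate, bits) for bits in targets}

# Attacker classes taken from the slide's 40-bit column: (label, budget in USD, seconds to break 40 bits).
ATTACKERS = [
    ("Hacker Using Spare Cycles", 0, SECONDS["week"]),
    ("Pedestrian Engine", 400, 5 * SECONDS["hour"]),
    ("Small Business", 10_000, 12 * SECONDS["minute"]),
    ("Corporate Department", 300_000, 24.0),
    ("Big Company or Internet", 10_000_000, 7.0),
    ("Intelligence Agency", 300_000_000, 0.0002),
]

def report(protection_years: float = 20) -> list:
    """One row per attacker: label, budget, human-readable times per key length, bits needed."""
    rows = []
    for label, budget, t40 in ATTACKERS:
        rate = keys_per_second(40, t40)
        times = extrapolate(40, t40)
        rows.append((label, budget, {b: humanize(t) for b, t in times.items()},
                     minimum_key_bits(rate, protection_years)))
    return rows

if __name__ == "__main__":
    for label, budget, times, need in report():
        print(f"{label:26s} ${budget:>13,}  "
              + "  ".join(f"{b}-bit: {t}" for b, t in times.items())
              + f"  -> {need} bits for 20 years")
```

Running it shows why the 128-bit column reads "infeasible" for every row: even the top budget, which exhausts 40 bits in 0.2 milliseconds, needs on the order of 10^22 seconds for 128 bits, and the same rate held for 20 years is outrun by an 82-bit key. It also shows that a 40-bit search taking a week at zero budget becomes about 1,260 years at 56 bits, which is what the slide's "infeasible" entry in that row stands for.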

Cryptography: Open Issues

Compatibility & Interworking

Integration with other security mechanisms (e.g. VPNs and firewalls)

Exportability (“How many strings attached?”)

Trust (proprietary versus “open source”)

Authentication: Status

Algorithms of sufficient quality exist for different purposes

Many applications have become "authentication-aware"

Legal frameworks for the formal relevance of authentication exist in some countries

Authentication: Open Issues

Weak embedding into “real life” application environments, interworking problems and lack of user friendliness

“Missing link” between authentication and (personal) identification

Applicability to advanced business issues such as digital watermarks is still missing

Redundancy / QoS: Status

Models for measurement and interpretation of key elements (delay, jitter etc.) exist

Research into dynamically expressing QoS requirements by applications is under way

Standard proposals for resource reservation and load balancing protocols exist

Redundancy/QoS: Open Issues

No single standard yet; currently solved on a vendor-by-vendor basis

Internet QoS standards (e.g. RSVP) are complex and too resource/investment-intensive

Integration into existing infrastructure and management frameworks (CA Unicenter, Tivoli, etc.) is completely unresolved

Obligation: Status

Models for the creation, administration and use of digital certificates exist

X.509 v3 has been widely accepted as the leading certificate format

Software to operate a Public Key Infrastructure (including CAs, RAs, etc.) exists

Obligation: Open Issues

PKI availability and interworking (especially inter-company or trans-border) are insufficient, but would be a prerequisite for wider use

Integration with existing B2B structures (especially EDI, S.W.I.F.T., etc.) is missing

Government regulation and legislation are slow and inconsistent

Other Open Issues

We lack the models and modelling tools to cope with complex security issues

University and continuing education on "applied security" is still in its infancy

There are too few operational “Networks of Excellence” including academia and business partners

IT Security as a Management Discipline

IT Security has moved from technical decision making to contributing to business decisions, as part of operational risk management

IT Security cost perception has moved from an insurance premium to a business asset

IT Security has a wider scope of responsibility

Conclusions

More than ever, IT Security needs strong support from basic and applied research

Shortcomings in adapting research results to business/industry must be overcome

The demand for skilled, interdisciplinary IT Security experts is growing quickly