6. Spread of Worm in the Cloud
July 19, 2001, 20:15:00
Financial cost of the Code Red worm: $2.6 billion
7. SQL Slammer Worm: 30 minutes
- Infections doubled every 8.5 seconds
- Spread 100x faster than Code Red
- At peak, scanned 55 million hosts per second
- Cost: $1.2 billion
8. Cloud Challenges
- Dynamic threats
- Limited IT resources
- Pressure to demonstrate risk reduction and compliance
- Process complexity
- Reduce operating costs
- Must show value
- Proactive versus reactive
10. Cloud Reliability
Enterprises are setting their SLA uptime targets at 99.99% or
higher; cloud providers are not fully ready.
Amazon's cloud outages receive a lot of exposure …
- July 20, 2008: failure due to stranded zombies, lasting 5 hours
- Feb 15, 2008: authentication overload leads to a two-hour service outage
- October 2007: service failure lasting two days
- October 2006: security breach where users could see other users' data
… and their current SLAs don't match those of enterprises*
Amazon EC2: 99.95%    Amazon S3: 99.9%
* SLAs expressed as monthly uptime percentages. Source: McKinsey & Company
• Not clear that all applications require such high service levels
• IT shops do not always deliver on their SLAs, but their
failures are less public and customers can't switch easily
13. Network: past versus present (and the cloud adds more challenges)

                Past                                Present + Cloud
Policy          Inside and outside groups;          Hundreds of groups;
                default deny                        default allow
Applications    Tens of applications: web, mail,    Hundreds of applications: custom
                domain name server (DNS)            protocols, payroll, trading
Targets         Tens of targets;                    Thousands of targets;
                megabits of traffic                 gigabits of traffic
17. Business Impacts and Risks
Business risks:
- Employee and customer privacy
- Legislative violations
- Financial loss
- Intellectual capital
- Litigation
- Public image/trust
20. Complexity: Increased Risk
"The future of digital systems is complexity, and complexity is the
worst enemy of security."
Bruce Schneier, Crypto-Gram Newsletter, March 2000
21. More complexity, more security flaws
Cyclomatic complexity and reliability risk:
  1-10    simple procedure, little risk
  11-20   more complex, moderate risk
  21-50   complex, high risk
  >50     untestable, very high risk
Complexity and bad-fix probability (chart not reproduced here)
Essential complexity (unstructuredness) and maintainability (future reliability) risk:
  1-4     structured, little risk
  >4      unstructured, high risk
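The bands above are only useful if you can actually measure the number. The following is an added example, not code from the slides: it computes cyclomatic complexity (decision points + 1) for every function in a Python module with the standard library `ast` module and maps the result onto the slide's risk bands. The scoring rules (which node types count as a decision point) and the sample module are assumptions made for the example; the sample source is constructed, not taken from any real project.

```python
"""Cyclomatic complexity per function, mapped to the slide's risk bands.

Assumed scoring: complexity = number of decision points + 1, where
if/elif, for, while, except handlers, conditional expressions, assert,
each extra operand of a boolean operator, and each comprehension clause
count as one decision point.
"""
import ast

# Upper bounds of the risk bands listed on the slide.
RISK_BANDS = [
    (10, "simple procedure, little risk"),
    (20, "more complex, moderate risk"),
    (50, "complex, high risk"),
]


def risk_band(complexity):
    """Map a cyclomatic complexity value to the slide's risk rating."""
    for upper, label in RISK_BANDS:
        if complexity <= upper:
            return label
    return "untestable, very high risk"


DECISION_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.IfExp,
                  ast.ExceptHandler, ast.Assert)
NESTED_SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)


def cyclomatic_complexity(func):
    """Complexity of one function body; nested defs are measured separately."""
    decisions = 0
    stack = list(func.body)
    while stack:
        node = stack.pop()
        if isinstance(node, NESTED_SCOPES):
            continue
        if isinstance(node, DECISION_NODES):
            decisions += 1
        elif isinstance(node, ast.BoolOp):
            decisions += len(node.values) - 1   # a and b and c -> 2 extra branches
        elif isinstance(node, ast.comprehension):
            decisions += 1 + len(node.ifs)      # the loop plus each filter clause
        stack.extend(ast.iter_child_nodes(node))
    return decisions + 1


def report(source):
    """Return {function name: (complexity, risk band)} for a module's source."""
    result = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = cyclomatic_complexity(node)
            result[node.name] = (cc, risk_band(cc))
    return result


# Constructed sample module (not from the page): one trivial helper and one
# header parser whose branching is typical of code that hides input bugs.
SAMPLE_SOURCE = '''
def is_even(n):
    return n % 2 == 0

def parse_auth_header(header):
    if header is None or header == "":
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() == "bearer" and token:
        return ("bearer", token)
    elif scheme.lower() == "basic":
        try:
            return ("basic", token)
        except ValueError:
            return None
    for part in token.split(";"):
        if "=" in part:
            return ("kv", part)
    return None
'''

if __name__ == "__main__":
    for name, (cc, band) in sorted(report(SAMPLE_SOURCE).items()):
        print(f"{name:20s} complexity={cc:3d}  {band}")
```

Run it on a real code base (read each file, call `report`) and sort by complexity: the functions that land in the >50 band are the ones the slide calls untestable, and they are a good place to start a review, since a routine nobody can test exhaustively is also one nobody can confidently patch.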
22. Framework must address Risk
Figure: the risk-relationship model (as used in ISO/IEC 13335) linking Threats,
Vulnerabilities, Assets, Risks, Business Impact, Security Requirements and Controls:
- Threats exploit Vulnerabilities and increase Risks
- Vulnerabilities expose Assets and increase Risks
- Assets have Business Impact, which increases Risks
- Risks indicate Security Requirements
- Security Requirements are met by Controls
- Controls reduce Risks and protect against Threats
25. End User Phishing
http://www.antiphishing.org/
• Targets customers of banks and online payment services
• Obtains sensitive data from U.S. taxpayers via emails purporting to come from the IRS
• Identity theft on social network sites, e.g. myspace.com
• Recently more non-financial brands have been attacked, including social
networking, VoIP, and numerous large web-based email providers
Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m
26. End User is the biggest problem
"Farce of the Facebook spy: MI6 chief faces probe after wife exposes their life on Net"
"MI6 faced calls for an inquiry last night after an extraordinary lapse of
judgment led to the new head of MI6's personal details being plastered
over Facebook.
Millions of people could have gained access to compromising photographs
of Sir John Sawers and his family on the social networking website. ..."
http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-faces-probe-wife-exposes-life-Facebook.html
27. When all fails….are you ready?
Everybody’s got a plan until they get
hit! -- Mike Tyson
28. Business Continuity Management
BCM project (one-off):
- Business Continuity Planning initiation: policy, scope, resources, organization
- Business Impact Analysis
- Risk Analysis
- Recovery Strategy
- Risk Reduction
- Implement Standby Facilities
- Group Plans and Procedures
- Create Planning Organization
- Testing
BCM ongoing process:
- Change Management, Education, Testing, Review
33. Response and Risk approach
Risk Management and Business Controls, by escalation level:
- Events: assess the impact of events and implement appropriate controls
- Incidents: monitor and resolve at the appropriate level using the Incident Management Process
- Crises: monitor and resolve the "critical few" with the crisis management team (Crisis Management Process)
34. Standardisation bodies
ISO/IEC – wide scope of standardization: 27xxx and 13335
IETF – focuses on Internet-related technical security requirements
NIST CSRC (http://www.nist.gov/) – wide scope of coverage for both
government and enterprise needs
OASIS (http://www.oasis-open.org/) – Application Vulnerability
Description Language (AVDL)
OGSF (Open Group Security Forum,
http://www.opengroup.org/security/) – started the Intrusion Attack and
Response Workshop
Best practices and recommendations:
CERT/CC (http://www.cert.org/)
SANS (SysAdmin, Audit, Network, Security) Institute –
http://www.sans.org/
ISACA (http://www.isaca.org/) – most noted for the COBIT framework for IT
governance
ISSA (http://www.issa.org/) – GAISP (Generally Accepted Information
Security Principles)
35. Standards, Guidelines
ISMS family of standards (ISO/IEC 27xxx):
ISO/IEC 27001 – ISMS requirements (formerly BS 7799-2)
ISO/IEC 27002 – Code of practice for information security controls (formerly ISO/IEC 17799, BS 7799-1)
ISO/IEC 27003 – ISMS implementation guide
ISO/IEC 27004 – Infosec metrics and measurement
ISO/IEC 27005 – Infosec risk management
ISO/IEC 27006 – Guide to the ISMS certification process
ISO/IEC 27007 – Guideline for ISMS auditing
ISO/IEC 27011 – ISMS implementation guideline for the telecommunications industry
ISO/IEC 27034 – Guideline for application security
36. Standards provide controls
So how do you implement security controls?
Technical controls:
  The site implements a firewall to stop external attackers
  but allow academic collaboration.
Education:
  Explain to users why there is a firewall (to stop
  attackers) and how to ask for exceptions (to allow
  collaboration).
Administrative controls:
  The Security Policy states that Internet services must
  be used safely.
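The firewall above is a technical control, and slide 13 contrasted the two ways of writing its policy: default deny with explicit exceptions, or default allow. The following is an added example, not code from the slides or from any firewall product: a small first-match packet filter in Python that evaluates the same ruleset under both defaults, so the difference becomes visible on concrete packets. The ruleset, the partner network 192.0.2.0/24, the Internet hosts in 198.51.100.0/24 and the probed packets are all constructed for the example.

```python
"""First-match packet filter with an explicit default policy.

Constructed example: a site that publishes web and mail to everyone and
grants SSH only to a partner network, evaluated under the two default
policies contrasted on slide 13 (default deny versus default allow).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dport: Optional[int]   # destination port, None matches any port


def matches(rule, proto, src_ip, dport):
    """True if the packet (proto, src_ip, dport) is covered by the rule."""
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_address(src_ip) in ip_network(rule.src)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, default, proto, src_ip, dport):
    """First matching rule decides; otherwise the default policy applies.
    Returns (action, rule-or-None) so a log can say why a packet passed."""
    for rule in rules:
        if matches(rule, proto, src_ip, dport):
            return rule.action, rule
    return default, None


# Hypothetical ruleset for the slide's scenario. 192.0.2.0/24 stands in for
# the partner university; 198.51.100.0/24 for arbitrary Internet hosts.
SITE_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", 80),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "0.0.0.0/0", 25),
    Rule("allow", "tcp", "192.0.2.0/24", 22),   # the collaboration exception
]

# Constructed probes: partner SSH, stranger SSH, a database port nobody wrote
# a rule for, and ordinary HTTPS.
PROBES = [
    ("tcp", "192.0.2.10", 22),
    ("tcp", "198.51.100.7", 22),
    ("tcp", "198.51.100.7", 5432),
    ("tcp", "198.51.100.7", 443),
]


def exposure(rules, default, probes=PROBES):
    """Map each probe to the verdict it receives under the given default."""
    return {probe: evaluate(rules, default, *probe)[0] for probe in probes}


def exposed_by_default_allow(rules, probes=PROBES):
    """Probes that only get through because the default policy is 'allow'."""
    deny = exposure(rules, "deny", probes)
    allow = exposure(rules, "allow", probes)
    return [p for p in probes if deny[p] == "deny" and allow[p] == "allow"]


if __name__ == "__main__":
    for default in ("deny", "allow"):
        print(f"default {default}:")
        for probe, verdict in exposure(SITE_RULES, default).items():
            print(f"  {probe} -> {verdict}")
    print("exposed only by default allow:", exposed_by_default_allow(SITE_RULES))
```

The point the two runs make is the one behind the "default deny" column on slide 13: under default allow, the database port that nobody wrote a rule for is reachable from the whole Internet, and so is SSH from strangers, while under default deny the only way in is the exception that was deliberately written for the partner. Every exception then has an owner and a reason, which is exactly what the education control above asks users to request.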
37. ISO 27004 : Metrics & Measurement
ISO/IEC has a new project to develop an
ISMS Metrics and Measurements Standard
This development is aimed at addressing
how to measure the effectiveness of ISMS
implementations (processes and controls)
Performance targets
What to measure
How to measure
When to measure
39. Infrastructure-Centric Metrics
Infrastructure-centric metric – measure of efficiency,
speed, and/or capacity of technology
Throughput – amount of information that can pass
through a system in a given amount of time
Transaction speed – speed at which a system can
process a transaction
System availability – measured inversely as downtime,
or the average amount of time a system is down or
unavailable
Response time – average time to respond to a user-
generated event like a mouse click
Scalability – conceptual metric related to how well a
system can be adapted to increased demands
40. IT Metrics and SLAs
Service level agreement (SLA) – a formal, contractually obligated agreement
SLAs must include IT success metrics
SLAs are between you and the outsourcer
SLAs define how you will measure KPIs
Measures are stated in service level specifications (SLS)
or service level objectives (SLO)
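The availability metric of slide 39 (measured inversely as downtime) and the monthly uptime percentages of slide 10 come together when you check an outage log against an SLA. The following is an added example, not code from the slides or from any provider: it turns an uptime percentage into a downtime budget, computes monthly uptime from a list of outage intervals, and clips an outage that crosses a month boundary so each month is charged only its share. The outage log is constructed: the durations are the ones quoted on slide 10, the start times and the boundary-crossing outage are assumptions.

```python
"""Monthly uptime from an outage log, checked against SLA targets.

Targets are the monthly uptime percentages quoted on slide 10
(EC2 99.95%, S3 99.9%, enterprise 99.99%).
"""
from datetime import datetime, timedelta

SLA_TARGETS = {"enterprise": 99.99, "ec2": 99.95, "s3": 99.9}


def allowed_downtime_minutes(uptime_pct, days_in_month):
    """Downtime budget implied by a monthly uptime percentage."""
    return days_in_month * 24 * 60 * (100.0 - uptime_pct) / 100.0


def month_bounds(year, month):
    """[start, end) of a calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def monthly_downtime(outages, year, month):
    """Sum of outage time falling inside the month. An outage that crosses
    the month boundary is clipped, so each month is charged only its share."""
    start, end = month_bounds(year, month)
    total = timedelta()
    for began, ended in outages:
        overlap = min(ended, end) - max(began, start)
        if overlap > timedelta():
            total += overlap
    return total


def monthly_uptime_pct(outages, year, month):
    """System availability, measured inversely as downtime (slide 39)."""
    start, end = month_bounds(year, month)
    return 100.0 * (1 - monthly_downtime(outages, year, month) / (end - start))


def sla_met(outages, year, month, target_pct):
    """True if the month's uptime reaches the contracted percentage."""
    return monthly_uptime_pct(outages, year, month) >= target_pct


# Constructed outage log: durations from slide 10, start times assumed,
# plus one assumed outage that straddles the end of July.
OUTAGES = [
    (datetime(2008, 2, 15, 4, 30), datetime(2008, 2, 15, 6, 30)),   # 2 hours
    (datetime(2008, 7, 20, 8, 0), datetime(2008, 7, 20, 13, 0)),    # 5 hours
    (datetime(2008, 7, 31, 23, 0), datetime(2008, 8, 1, 1, 0)),     # crosses month end
]

if __name__ == "__main__":
    for name, target in SLA_TARGETS.items():
        budget = allowed_downtime_minutes(target, 30)
        print(f"{name}: {target}% allows {budget:.1f} min/month")
    for year, month in ((2008, 2), (2008, 7), (2008, 8)):
        pct = monthly_uptime_pct(OUTAGES, year, month)
        met = sla_met(OUTAGES, year, month, SLA_TARGETS["s3"])
        print(f"{year}-{month:02d}: {pct:.3f}% uptime, S3 SLA met: {met}")
```

Two things worth noticing when you run it: 99.99% over a 30-day month is a budget of only 4.32 minutes, so a single two-hour authentication outage blows it many times over; and a five-hour outage in a 31-day month already puts the month below the provider's own 99.9%, which is why a monthly percentage alone tells you little about the worst single incident you will have to survive.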
41. Incident Handling Life Cycle
Input channels: email, hotline/phone, IDS, other
Report types: incident report, vulnerability report, information request
Triage, then:
- Analyze
- Obtain contact information
- Provide technical assistance
- Coordinate information and response
42. Incident Response Components (from RFC 2350)
CSIRT: its organisational form depends on the type of organisation and
the required level of support to its community
Security Policy: defines what is required/allowed/acceptable
Incident Response Policy: what is provided, who receives it and who provides support
Incident Response Plan: which incidents will be responded to, and how
44. Action Plan 1
Build resilience / harden the infrastructure:
- Server and link redundancy
- Security of routing protocols / traffic exchange
- Security of the DNS service
Profiling attackers and understanding their objectives (know your enemies)
Response preparedness:
- National contingency plan for the Internet
- Cyber exercises at national/international level are crucial
- Strengthen multinational cooperation for rapid response (formal rather than informal)
- Importance of CERTs/CSIRTs and their role in national and international cooperation
Measurement – monitoring of traffic to understand what is going on
45. Action Plan 2
Technology will not be sufficient:
- Study the economics of security and cyber crime
- Set up a Public Private Partnership (PPP); example: www.antiphishing.org
- Develop cross-sector and cross-organisational cooperation at national, EU and international levels
- Agree on the allocation of responsibilities
- Sharing of information and best practices: the importance of trust
- Raise awareness and educate individuals, public bodies, corporate users and service providers