Information Security is more than a Systems issue!

Proprietary

The term "proprietary economic information" means all forms and types of financial, business, scientific, technical, economic, or engineering information, including, but not limited to, data, plans, tools, mechanisms, compounds, formulas, designs, prototypes, processes, procedures, programs, codes, or commercial strategies, whether tangible or intangible, and however stored, compiled, or memorialized, IF--

• the owner has taken reasonable measures to keep such information confidential; and
  

the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable, acquired, or developed by legal means by the public

Imperatives

EDI Concerns

• Content Integrity
• Sequence Integrity
• Confidentiality
• Sender Authentication
• Recipient Authentication
• Timely Delivery
• Maintenance of Trustworthy Records
• General Systems Protection

EDI Issues

Standard of Care

In a negligence action, a service provider will be liable only if it breached the standard of care society expects of it. If it did not, it bears no liability - even though injury may have occurred.

• The defendant's standard of care increases as her skills increase
• A security professional is deemed to possess certain skills, even if he does not

What's Different

• The way information is used, its value, its importance
• The dependency placed on information and information systems (Imperatives)
• The expectations of:
  • your management
  • your clients, customers, agents, intermediaries
  • your business partners
  • your stockholders

What does this mean to you ?

• More interfaces and interconnections
• More opportunities for remote access
• Greater chance of finding unpatched holes and unknown vulnerabilities
• Cheaper access to faster, better, and easier intrusion tools
• Ability to inflict more damage through disruption
• Relatively low likelihood of being detected
• Even lower risk of being prosecuted

Assume it will Happen

Economics:

cost of impacts and opportunities for intrusions greatly outweigh costs of access and risk of detection or prosecution

• Complexity:
  
  number of connections and extent of interdependencies far outstretch the means for administration and analysis
  
• Attacker / Intruder demographics:
  
  increase in size and composition of population with sophisticated tools, skills, and motivation

What is being Targeted ?

• Financial systems
• Payroll systems
• Personnel Records
• Research and Development results
• Tax files

Some Examples ...

• NationsBank loses $320 million in loan fraud scheme
• Volkswagen AG loses $250 million
• Citibank loses $10 million to Russian hacker
• First National Bank of Chicago - wire transfer fraud in excess of $70 million
• Intruder stole 20,000 credit card numbers. Cost to the company : $50 million
• Union Bank of Switzerland fraud attempts of £27 million and SF 82 million

More Examples ...

• Intruders compromised Voice mail systems used to verify credit card information
• Intruders tripped alarms during an attempt to steal $70 million, then intercepted a telephone request for manual authorization
• Intruder stole $10.2 million using an phone, a code number and an assumed name
• Intruder obtained $5 million electronic transfer after breaking into an EFT network.
• Citibank ACH computer error caused duplicate transfers loses could have approach $2 billion

Even More Examples ...

• National Westminster Bank- £1 million transferred by 17 year old cashier
• Four students used computers to obtain credit card numbers then ran up $100, 000 in charges
• "Pentium" and 486 chip designs stolen from Intel estimated at $200 million

Imperatives

Develop Countermeasures

• Develop means to reduce the risk to critical information and systems
• Countermeasures specified in terms of cost/benefit
• Prioritize countermeasures on basis of maximum protection against the highest risks for the lowest resource expenditures

Security Management

• Develop and champion information protection philosophy
• Develop information protection policies
• Develop the enterprise security architecture
• Develop the protection technology integration plan
• Develop the information protection resource requirements and budgets
• Develop the control and reporting systems
• Design an incident response capability
• Develop "success" metrics

Fundamental Issues

• Absolute dependence on computers but they are viewed as tactical investments, not strategic
• Computers now in the hands of the lowest paid staff members (Empowered Workforce)
• Less human interaction - Oversight, Ownership, Responsibility
• Financial pressures reduce security's priority
• "Downsized" I/T organizations - reduced worker loyalty and
  disgruntled ex-employees
• Metrics to measure security cost/benefit
  analyses are not fully developed

Legal Issues

• No consistent definition of computer crime
• Law enforcement system bounded by jurisdictions
• No geographic boundaries for networks