About EICTA - Baltic IT&T Review
How the ICT Industry Addresses the Security Challenges

Olivier Paridaens
Head of Security Consulting and Business Development Northern Europe
Alcatel
Chair of EICTA Network and Information Security Cluster

Who is EICTA?

EICTA is...
• 35 national digital technology associations from 26 European countries
• over 50 direct company members; more than 10,000 enterprises in Europe; two million employees and revenues of over €1000 billion
• The voice of the European digital technology industry…

Austria: FEEI; Belgium: AGORIA; Bulgaria: BAIT; Czech Republic: SPIS; Denmark: ITEK, ITB; Estonia: ITL; Finland: SET, FFII; France: ALLIANCE TICS, SIMAVELEC; Germany: BITKOM, ZVEI; Greece: SEPE; Hungary: IVSZ; Italy: ANIE, ASSINFORM; Ireland: ICT Ireland; Latvia: LITTA; Lithuania: INFOBALT; Malta: ITTS; Netherlands: ICT-Office; Norway: ABELIA, IKT Norge; Poland: KIGEIT, PIIT; Slovakia: ITAS; Slovenia: GZS; Spain: AETIC; Sweden: IT Företagen; Switzerland: SWICO, SWISSMEM; United Kingdom: INTELLECT; Turkey: ECID, TESID.

Accenture, Adobe, Agilent, Alcatel, Apple, Bang & Olufsen, BenQ, Blaupunkt, Brother, Bull, Canon, Cisco, Corning, Dell, EADS, Epson, Ericsson, Fujitsu, Hitachi, HP, IBM, Infineon, Intel, JVC, Kenwood, Kodak, Konica Minolta, Lexmark, LG Electronics, Loewe Opta, Lucent, Marconi, Microsoft, Motorola, NEC, Nokia, Nortel, Océ, Panasonic, Philips, Pioneer, Qualcomm, Samsung, Sanyo, SAP, Sharp, Siemens, Sony, Sun Microsystems, Symantec, Texas Instruments, Thales, Thomson, Toshiba, Xerox.

Baltic IT&T Security Seminar

Agenda

• What has changed
• Security challenges
• What the industry is doing about it
• Are we doing enough?
• Conclusion

What has changed

The Advent of the e-Society

• Within 15 years:
► Early ’90s: narrowband dialup Internet access (e-mail, simple Web surfing)
► Today: broadband always-on Internet access with multiple applications
• More and more of our day-to-day life relies on networking infrastructures to deliver services
► B2C, B2B, G2C
► Networking infra, not necessarily the Internet

What has changed … for enterprises

Technological changes: from closed to open environments

Closed:
• closed technologies
• proprietary or “confidential” standard protocols
• home-made software
• closed/isolated networks

Open:
• open technologies
• IP everywhere
• generic software modules
• open/shared/multi-applications networks
• E.g. voice and data over same IP network

Organisational / Business changes
• Highly-mobile workforce with always-on connectivity
• Deeper interactions with partners, customers, suppliers
• Employees misbehaving still highest risk
• Enterprise border protection no longer sufficient

Regulation & legislation
• EU Directive on privacy protection; Sarbanes-Oxley Act; California Security Breach Information Act (SB-1386); Basel II
• Company’s top management getting liable for security of business assets

What has changed … for consumers

• Richness of multi-media services accessible from any device
• Mobile TV
• 3-Play
► Internet access, Voice/multimedia, TV over broadband connection
• Convergence of access via mobile and fixed networks
► My services from anywhere, anytime, any device

Where are the security challenges?

Cybercrime spreading everywhere and in all forms
• Expansion of botnets
► Networks of 10/100 thousands of systems that can be remotely controlled by a “hacker”
► Typically used in (distributed) denial of service attacks
► E.g.: sustained dataflow @ 5 Gbps during days
► E.g.: peak dataflow @ 20 Gbps during 1.5 hour
• Identity fraud
• Phishing
• Spyware, adware, SPAM, …
• (Child) pornography
• First viruses with mobile devices

Cybercrime getting professionalized
• Organised crime using hackers’ services to commit identity fraud, rackets, extortion, …
• Botnets for hire!

Where are the security challenges?

Vulnerability exploitation is getting faster
• More and more vulnerabilities get (publicly) disclosed
• Average time period between vulnerability discovery and release of exploit has decreased to 7 days
• Average time period between vulnerability discovery and release of patch has been 49 days

When reality of cybercrime hits …

• NHTCU (National High tech Crime Unit) survey in UK. Total estimated losses in ‘04: 2,4B UKP for UK large (>1000) companies

• A federal grand jury has indicted a 20-year-old California man on charges that, in Jan’05, his botnet hijacked thousands of computers and crippled a hospital network, leaving intensive care systems paralysed and doctors' pagers useless, Associated Press reports. (Feb’06)

• The entire source code for a much-anticipated computer game, Half-Life 2, has been leaked to the Internet,… source code was stolen by hackers who systematically compromised the company's computer systems.

• Security vulnerabilities at CardSystems (credit card payment processing company for Visa, MC, AMEX) left unencrypted credit card data - including customers names, card numbers and cvv (security) codes but not customer addresses - open to attack. Records "known to have been stolen" covered roughly 200,000 of the 40m potentially compromised credit card accounts. Visa cut relationship with CardSystems. (Jul’05)

• Intruders gained access to VISA computer network in the U.K. and later demanded ransom for data obtained in the virtual break-in; company received a ransom demand of £10 million. (Apr’01)

• A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.

What the industry is doing about it

• ICT vendors developing more intelligent security solutions to protect networks and end-users
• Increasing efforts by ICT vendors to deliver products & solutions that are “inherently” more secure
• Basic security integrated into standard architectures
• E.g. GSM and 3G standard networks and services: architecture and services subject to threat analysis
► Standard solution integrates security mechanisms protecting against identified threats
► Still does not cover all possible threats
• Security as a key part in requirements for solutions by operators, service providers and corporates
• ICT vendors responding to those security requirements

Are we doing enough?

Well, given all that is already done, where is the problem then? Pick up your favorite answer…
• “will never happen to me”
• “Security Is a Process Not a Product… Is Anyone Paying Attention?” (Bruce Schneier)
• Security has a Cost … but think of the costs once your weaknesses have been exploited!
• Look for the weakest link in the chain… You, me, all of us

Conclusion

• The Advent of e-Society brings numerous challenges
• Security is one such fundamental challenge for the success of the e-Society
• Meeting the challenge requires:
► Technologies
► Deployed Solutions
► And … Users’ participation
• Awareness is key!