Transcript About EICTA - Baltic IT&T Review

How the ICT Industry Addresses the
Security Challenges
Olivier Paridaens
Head of Security Consulting and Business Development
Northern Europe
Alcatel
Chair of EICTA Network and Information Security Cluster
Who is EICTA?
EICTA is...
35 national digital technology associations from 26 European
countries
over 50 direct company members;
more than 10,000 enterprises in Europe;
two million employees and revenues of over €1000 billion;
The voice of the European digital technology industry…
Austria: FEEI; Belgium: AGORIA; Bulgaria : BAIT; Czech Republic: SPIS; Denmark: ITEK, ITB; Estonia: ITL; Finland: SET, FFII; France: ALLIANCE
TICS, SIMAVELEC; Germany: BITKOM, ZVEI; Greece: SEPE; Hungary: IVSZ; Italy: ANIE, ASSINFORM; Ireland: ICT Ireland; Latvia: LITTA; Lithuania:
INFOBALT; Malta: ITTS; Netherlands: ICT-Office; Norway: ABELIA, IKT Norge; Poland: KIGEIT, PIIT; Slovakia: ITAS; Slovenia: GZS; Spain: AETIC;
Sweden: IT Företagen; Switzerland: SWICO, SWISSMEM; United Kingdom: INTELLECT; Turkey: ECID, TESID.
Accenture, Adobe, Agilent, Alcatel, Apple, Bang & Olufsen, BenQ, Blaupunkt, Brother, Bull, Canon, Cisco, Corning, Dell, EADS, Epson, Ericsson, Fujitsu,
Hitachi, HP, IBM, Infineon, Intel, JVC, Kenwood, Kodak, Konica Minolta, Lexmark, LG Electronics, Loewe Opta, Lucent, Marconi, Microsoft, Motorola, NEC,
Nokia, Nortel, Océ, Panasonic, Philips, Pioneer, Qualcomm, Samsung, Sanyo, SAP, Sharp, Siemens, Sony, Sun Microsystems, Symantec, Texas
Instruments, Thales, Thomson, Toshiba, Xerox.
Baltic IT&T Security Seminar
Agenda
What has changed
Security challenges
What the industry is doing about it
Are we doing enough ?
Conclusion
Baltic IT&T Security Seminar
What has changed
The Advent of the e-Society
Within 15 years:
► Early ’90s: narrowband dialup Internet access (e-mail,
simple Web surfing)
► Today: broadband always-on Internet access with multiple
applications
More and more of our day-to-day life relies on networking
infrastructures to deliver services
► B2C, B2B, G2C
► Networking infra, not necessarily the Internet
Baltic IT&T Security Seminar
What has changed … for enterprises
Technological changes
From closed to open environments
•closed technologies
•proprietary or “confidential” standard
protocols
•home-made softwares
•closed/isolated networks
•open technologies
•IP everywhere
•generic software modules
•open/shared/multi-applications networks
•E.g. voice and data over same IP network
Organisational / Business changes
Highly-mobile workforce with always-on connectivity
Deeper interactions with partners, customers, suppliers
Employees misbehaving still highest risk
Enterprise border protection no longer sufficient
Regulation & legislation
EU Directive on privacy protection; Sarbanes-Oxley Act;
California Security Breach Information Act (SB-1386); Basel II
Company’s top management getting liable for security of
business assets
Baltic IT&T Security Seminar
What has changed … for consumers
Richness of multi-media services accessible from
any device
Mobile TV
3-Play
► Internet access, Voice/multimedia, TV over broadband
connection
Convergence of access via mobile and fixed networks
► My services from anywhere, anytime, anydevice
Baltic IT&T Security Seminar
Where are the security challenges ?
Cybercrime spreading everywhere and in all forms
Expansion of botnets
►
Networks of 10/100 thousands of systems that can be remotely
controlled by a “hacker”
► Typically used in (distributed) denial of service attacks
►
►
E.g.: sustained dataflow @ 5 Gbps during days
E.g.: peak dataflow @ 20 Gbps during 1.5 hour
Identity fraud
Phishing
Spyware, adware, SPAM, …
(Child) pornography
First viruses with mobile devices
Cybercrime getting professionalized
Organised crime using hackers’s services to commit identity
fraud, rackets, extortion, …
Botnets for hire !
Baltic IT&T Security Seminar
Where are the security challenges ?
Vulnerability exploitation is getting faster
More and more vulnerabilities get
(publicly) disclosed
Average time period between vulnerability
discovery and release of exploit has
decreased to 7 days
Average time period between vulnerability
discovery and release of patch has been 49
days
Baltic IT&T Security Seminar
When reality of cybercrime hits …
NHTCU (National High tech Crime Unit) survey in
UK.
Total estimated losses in ‘04: 2,4B UKP for UK large
(>1000) companies
A federal grand jury has indicted a 20-year-old California man on charges that, in Jan’05, his botnet hijacked thousands of
computers and crippled a hospital network, leaving intensive care systems paralysed and doctors' pagers useless,
Associated Press reports.(Feb’06)
The entire source code for a much-anticipated computer game, Half-Life 2, has been leaked to the Internet,… source code
was stolen by hackers who systematically compromised the company´s computer systems.
Security vulnerabilities at CardSystems (credit card payment processing company for Visa, MC, AMEX) left unencrypted
credit card data - including customers names, card numbers and cvv (security) codes but not customer addresses - open
to attack. Records "known to have been stolen" covered roughly 200,000 of the 40m potentially compromised credit card
accounts. Visa cut relationship with CardSystems. (Jul’05)
Intruders gained access to VISA computer network in the U.K. and later demanded ransom for data obtained in the virtual
break-in; company received a ransom demand of £10 million. (Apr’01)
A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network
he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on
a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the
system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously
planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The
company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.
Baltic IT&T Security Seminar
What the industry is doing about it
ICT vendors developing more intelligent security
solutions to protect networks and end-users
Increasing efforts by ICT vendors to deliver products
& solutions that are “inherently” more secure
Basic security integrated into standard architectures
E.g. GSM and 3G standard networks and services
Architecture and services subject to threat analysis
► Standard solution integrates security mechanisms
protecting against identified threats
► Still does not cover all possible threats
Security as a key part in requirements for solutions
by operators, service providers and corporates
ICT vendors responding to those security requirements
Baltic IT&T Security Seminar
Are we doing enough ?
Well, given all that is already done, where is the
problem then ?
Pick up your favorite answer…
“will never happen to me”
“Security Is a Process Not a Product… Is Anyone
Paying Attention?” (Bruce Schneier)
Security has a Cost … but think of the costs once your
weaknesses have been exploited !
Look for the weakest link in the chain…
You, me , all of us
Baltic IT&T Security Seminar
Conclusion
The Advent of e-Society brings numerous challenges
Security is one such fundamental challenge for the
success of the e-Society
Meeting the challenge requires :
► Technologies
► Deployed Solutions
► And … Users’ participation
Awareness is key !
Baltic IT&T Security Seminar