Vulnerabilities Trend

CAPSTONE – IT 4444
Threats to Information
A Study of SANS and Educause
Brady Martin, Thomas Graham, Kezron Caines
4/13/2011
This paper discusses the trends and lifecycles of “threats” to information and systems over the past 10
years, with an eye towards analyzing “where we came from”, “where we are”, and “where we are
going”. Using data recorded by SANS and Educause, correlated with statistics, the analysis will compare
what threats were and are, when and why they became important, and when and why they were
downgraded. This paper will pay primary attention to the factors that pushed each of these threats to the
top of the lists, making them noteworthy.
Contents
Introduction ......................................................................................................................... 3
Where we came from .......................................................................................................... 7
Where we are ...................................................................................................................... 9
Where we are Going ......................................................................................................... 12
Conclusion ........................................................................................................................ 16
References ......................................................................................................................... 19
Table of Figures
Figure 1 Web Excerpt ......................................................................................................... 5
Figure 2 - Web Excerpt ....................................................................................................... 6
Figure 3 - Major Computer Developments ......................................................................... 8
Figure 4 - Population Growth Trend ................................................................................... 9
Figure 5 -Users in the United States ................................................................................... 9
Figure 6 -World vs. United States Complete Comparison -2010 ....................................... 9
Figure 7 - Incident Tracking -2000-2007.......................................................................... 11
Figure 8 - Dell Inc. Financials .......................................................................................... 13
Figure 9 - Educause It Security Challenges – 2001 .......................................................... 14
Figure 10 - Educause It Security Challenges – 2010 ........................................................ 15
Figure 12 - Attacks on Critical Microsoft Vulnerabilities (last 6 months) ....................... 18
Figure 11 - Number of Vulnerabilities in Network, OS, and Applications ...................... 18
Introduction
This paper discusses the trends and lifecycles of “threats” to information and systems
over the past 10 years. Using data recorded by SANS, Educause, and Internet World Stats, our
analysis will show past threats, current threats, their importance to the security community, and
why they fade in and out of sight. Where trends are moving with respect to the future, and
advances in Information Technology, will also be discussed. This paper will pay primary
attention to these factors with an eye towards analyzing “where we came from”, “where we are”,
and “where we are going”, and attempting to answer what pushes these factors to the forefront,
making them noteworthy.
Over the past 10 years, threats to information and systems have been evolving. As
the number of systems and users increases, so too does the number of targets available for
exploitation. Something interesting to note is that although the types of targets and attacks
change, the categories remain the same: exploiting human weaknesses, hardware resources, and
software weaknesses.
Ten years ago, the threats were as different as the attackers. Attacks on information
systems were driven by ideology and curiosity; now, as the world becomes more connected, the
motive of profitability is added. In the past, the attacks were not sophisticated or stealthy.
Today, in alignment with emerging technology, the attacks are both sophisticated and stealthy.
The “social” network phenomenon has given attackers completely new avenues of attack
through improved “social engineering.”
The charts below illustrate that the categories of reported attacks in 2001 are very general
in nature. As data collection progresses through 2007, the numbers increase and become more
specific.
Table 2 - SANS 2001 Platform Comparison
(Phil Benchoff, 2001)
Table 1 - SANS 2007 Platform Comparison
(Rohit Dhamankar, 2007)
Some of the old attacks have fallen by the wayside as technology and education systems
improve. Exploitable targets have become numerous and profitable as the world continues to
move towards being more interconnected. As new devices are developed that connect us further,
we are also left more vulnerable. As technology continues evolving, the problems created are
overwhelming the IT community’s ability to solve them.
Even with all the changes, many of the previous and current problems remain the same.
Attackers exploit the bad habits of users: leaving servers and workstations unsecured, operating
systems and software unpatched, and routers, firewalls, and switches left in autonomous states,
largely unmonitored. Until these and other hurdles are overcome, the attacks will continue
unabated. We began this project with the purpose of identifying the top threats to information
and quickly discovered that there were no “all-inclusive” sources that clearly identified what
those threats were. We also found widespread disagreement between what educators,
governmental agencies, and corporate leaders considered their top threats. These realizations
forced our team to reshape our premise to make use of the data collected. The sheer volume of
data available referencing threats to data and information systems is overwhelming until you
look at the underlying metrics with a much simpler premise.
To illustrate the disagreement:
Figure 1 Web Excerpt
(Infosec Island, LLC.)
Figure 2 - Web Excerpt
(Dennis Publishing Limited, 2010)
The two excerpts above come from the business side of threat analysis and clearly show
different priorities and focus surrounding the same problem of Information Security.
Where we came from
Threats to information began with a need to communicate and collaborate for the purpose
of speeding and simplifying research. On October 29, 1969 the first message was sent over the
Arpanet. The intended message was “login” to SRI from UCLA; however, after the first two
letters were transmitted, the system crashed (Leonard Kleinrock, 2009). Up until this time, the
cost of computers was so high that only the government and major corporations could afford
them. Those that needed them for research were often geographically dispersed. Arpanet was
developed to overcome this problem. As with any problem, when one is solved, potentially
another is created, as is the case here. The phenomenon now called the “Internet,” very
unexpectedly, began here.
Up until this stage, the computer resources were few and controlled by a select group of
researchers. To access these devices, one had to go to where the resource was located and be
granted access for a specific purpose. Once interconnectivity of these resources was established,
it wasn’t long before remote access was possible. It was at this point that centralized physical
control shifted toward decentralized control ceded to many. This was the first window of
opportunity provided for any “outsider” to manipulate system resources without the need to be
sitting physically at a co-located terminal.
It wasn’t long after the creation of Arpanet that businesses realized a real profit potential
in the development of smaller, more powerful computer systems and innovative ways to
interconnect them. The period between 1969 and 1985 was marked with several major
developments that contributed substantially toward this goal as illustrated on the following page:
Figure 3 - Major Computer Developments
(Bellis, 1997)
All of this activity was primarily profit driven but benefitted educators, researchers,
government, business, and consumers. These developments had finally brought the per-unit
price within reach of the common man’s budget and served as the second push towards
decentralized control. There were now computer resources in the hands of general consumers,
and they were demanding utility and connectivity to services. Businesses were only too happy to
oblige, and services such as CompuServe® and AOL® filled that need. CompuServe® was the
de facto leader from 1977 through the mid 1980’s (The Gale Group, 2011). CompuServe® had
all but disappeared with the introduction of AOL® in 1989 (Admin, 2010).
Where we are
Fast forwarding past other major developments and the introduction of cellular
technology for the masses, we come to the beginning of the 21st Century. By this time the
majority of American households contained at least one computing device and a mobile phone of
some kind. The charts below were generated with data obtained from Internet World Stats:
[Chart: Market Penetration, y-axis Users (Millions), scale 0 to 300]
Figure 5 -Users in the United States
(Miniwatts Marketing Group, 2004 - 2011)
Figure 4 - Population Growth Trend
(Miniwatts Marketing Group, 2004 - 2011)
Data collected from Internet World Stats indicate that technology has proliferated into
most countries regardless of economic status, as a direct result of the previous 15 years spent
globalizing the “Internet” and creating vast communications networks.
Figure 6 -World vs. United States Complete Comparison -2010
(Miniwatts Marketing Group, 2004 - 2011)
During this period, many avenues of electronic intrusion were encountered. Both
hardware and software had provided ample targets. Hackers, motivated by curiosity, ideology,
malevolence, or simple greed, enjoyed relative anonymity. The explosion of computing devices
connected to the “Internet” here and abroad, and the relative lack of laws available to prosecute
electronic intrusions, work stoppage, theft, or destruction, made the “Internet” the “Wild, Wild
West” of the Information Age. The Internet is considered the major threat to organizations
because access to valuable information in criminals’ hands can be disastrous. Many “weaknesses
in operating systems (OS), network operating systems (NOS), default configuration of network
devices and firewalls, encryption, and poorly written applications are the cause.” “As security
threats continue to evolve and become more complex, organizations must take steps to prevent
losses caused by these threats. Removing threat and eliminating vulnerability is nearly
impossible as long as organizations are connected to the internet and hackers are breathing.”
(Alshboul, 2010)
The North America population data we collected, when compared to market saturation for
the same region, establishes a Pearson’s linear correlation coefficient of 0.972. We attempted,
and were unable, to calculate a correlation coefficient between user penetration and growth of
incidents due to the unavailability of data to provide scale. Based on the data we collected and
extensive reading on the subject, we believe a correlation does exist between the trends. As more
users become connected, the simple fact that more doors are being opened and exploited supports
this assertion. When the data is compared with incident reports collected from Educause and
SANS, they don’t follow the same trend lines, as seen graphed on the following page:
Figure 7 - Incident Tracking -2000-2007
(Phil Benchoff, 2001) (Rohit Dhamankar, 2007)
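As an added illustration of the statistic used in the section above (this is example code written for this edit, not the authors’ calculation, and the yearly series in it are constructed for illustration rather than the Internet World Stats or SANS figures the paper cites), the following Python computes Pearson’s linear correlation coefficient from scratch and also shows the practical obstacle the authors describe: two series recorded over different year ranges have to be paired on their common years before any correlation can be computed, and the result for a flat incident series is near zero even when population is climbing steadily.

```python
"""Pearson's r for two yearly series, with year alignment.

Added example for this edit; not the authors' code or data. The series
below are constructed for illustration and are not the Internet World
Stats or SANS figures cited in the paper.
"""
from math import sqrt
from typing import Dict, List, Sequence, Tuple


def pearson_r(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson's linear correlation coefficient of two equal-length series."""
    if len(xs) != len(ys):
        raise ValueError("series must have the same length")
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two paired observations")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    dx = [x - mean_x for x in xs]
    dy = [y - mean_y for y in ys]
    cov = sum(a * b for a, b in zip(dx, dy))   # sum of co-deviations
    ss_x = sum(a * a for a in dx)              # sum of squared deviations
    ss_y = sum(b * b for b in dy)
    if ss_x == 0 or ss_y == 0:
        raise ValueError("a constant series has no defined correlation")
    return cov / sqrt(ss_x * ss_y)


def align_by_year(a: Dict[int, float], b: Dict[int, float]) -> Tuple[List[float], List[float]]:
    """Keep only the years present in both series, in chronological order.

    Two series recorded over different year ranges (the situation the paper
    describes for user penetration versus incident counts) must be paired on
    common years before a correlation is meaningful.
    """
    common = sorted(set(a) & set(b))
    return [a[y] for y in common], [b[y] for y in common]


def correlate_by_year(a: Dict[int, float], b: Dict[int, float]) -> float:
    """Correlate two year-keyed series over the years they share."""
    xs, ys = align_by_year(a, b)
    return pearson_r(xs, ys)


# Constructed sample data in millions, 2000..2010; NOT the paper's figures.
POPULATION = {2000 + i: 313.0 + 3.0 * i for i in range(11)}   # steady growth
USERS = {2000: 108.0, 2001: 120.0, 2002: 135.0, 2003: 150.0, 2004: 165.0,
         2005: 180.0, 2006: 200.0, 2007: 215.0, 2008: 230.0, 2009: 245.0,
         2010: 260.0}                                         # near-linear growth
# Constructed incident counts available only for 2000..2007 (a shorter span),
# fluctuating around a flat level rather than tracking population.
INCIDENTS = {2000: 22.0, 2001: 18.0, 2002: 25.0, 2003: 19.0,
             2004: 23.0, 2005: 17.0, 2006: 24.0, 2007: 20.0}

if __name__ == "__main__":
    print("population vs users:    r = %.3f" % correlate_by_year(POPULATION, USERS))
    print("population vs incidents: r = %.3f (over %d shared years)"
          % (correlate_by_year(POPULATION, INCIDENTS),
             len(align_by_year(POPULATION, INCIDENTS)[0])))
```

The first result is close to 1, mirroring the strongly positive coefficient the authors report for population against market penetration; the second is close to 0, which is what a flat incident series against a rising population looks like and why a coefficient computed on mismatched or unscaled data says little on its own.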
Where we are Going
It is a well-accepted fact that our world is becoming more and more globalized. As our
economies and cultures merge, there is an ever increasing need to connect to one another.
Competition for finite resources has become intense. Competition between corporations for
market share and profitability is also fierce. New markets are opening in areas once considered
to be Third World. This explosive market expansion is accompanied by new consumers, hungry
to enter the world stage.
In simplest terms, globalization can be defined as the blending of economies, cultures,
and traditions across the globe. It is evidenced by increased communication and the
intermingling and exchange of ideas between various countries across the world. It is a
continuous socio economic process; a major step towards the development of a country. The
primary aspect of globalization is the mutually beneficial establishment of business and trade
links between countries that has given rise to the globalization of markets. (MapsOfIndia.com,
2004)
The business of providing consumer electronics in these emerging markets has become
big business. Companies producing devices capable of Internet connectivity are tapping into
these emerging markets. Of note is Dell Inc. with numbers listed on the next page:
Figure 8 - Dell Inc. Financials
(Dell: Information from Answers.com, 2011)
As populations around the world continue to grow, businesses like Dell Inc. will continue
to compete in these new markets for customers. This trend shows no signs of abating, as noted in
the Market Penetration graph previously cited in this document. The difficulty comes as these
companies rush product to market to meet customer demand. With each wave of supply, new
users are created, often undereducated and unsophisticated. Each new user becomes a
potential threat or an unwitting accomplice by providing another attack pathway that can be
exploited. As mentioned earlier, as long as there is a hacker breathing, organizations will have to
secure their networks. Simply stated, there aren’t enough IT professionals to keep up with all the
potential threats created by the pace at which the business cycle operates. It generally takes four
years of higher education to train an IT professional and a lifetime of continuous learning to be
effective in the field. With a two to three year life cycle for mobile devices and three to four
years for desktops, replacing old technology with new happens faster than the education system
can produce newly trained professionals to manage and secure them.
“According to Rich Cheston, an executive director and distinguished engineer at Lenovo,
the most accurate method for choosing an effective life cycle involves dividing the company into
a set of user groups. For example, the fact that other enterprises choose company-wide desktop
life cycles of four years doesn’t make the same strategy right for other companies, such as
financial services companies, where seconds of performance difference between PCs could
represent millions of dollars of lost profits to bonds traders. For those companies, the desktop
life cycle might be every six months, as long as processing power continues to ramp upward.
“The net result is [that] many factors drive life cycle rates, and each corporation is unique, but
on average, the life cycle of a mobile device is two to three years—driven heavily by the
introduction of new technologies over time—whereas desktops are three to four years because
they are used inherently differently than notebooks,” Cheston says. (Perry, 2006)
A look at Educause data collected supports the assertion that education is not
Figure 9 - Educause It Security Challenges – 2001
Implemented numbers used to illustrate proper ratings. Raw data was not available.
(Roberta L. Lembke, 2001)
Figure 10 - Educause It Security Challenges – 2010
Implemented numbers used to illustrate proper ratings. Raw data was not available.
(Bret L. Ingerman, 2010)
There hasn’t been much change in the focus of educators over the past 10 years. The
majority of their assessment centers on funding strategy, personnel, and the management of both.
Therefore, it is a fair assumption that this trend will not abate and that the insufficient numbers of
IT professionals will not be able to keep up with the globalization process. We believe that this
will continue into the foreseeable future because the education system simply cannot keep pace
with the business cycle producing devices and software.
Barring any changes to the current climate or some new breakthrough in computer
security, managing threats to information will continue to be a tenuous process of maintaining a
balance of priorities and assumption of risk. With limited resources, IT professionals will continue
to be called upon to provide management with the capability to make informed decisions about
which assets require heightened vigilance.
Conclusion
In this paper we looked at SANS, Educause, and Internet World Stats data to chart and
find trends prevailing in the Information Technology industry. For research purposes, we
maintained the simple premise that the desires of consumers far outpace the abilities of IT
professionals to deliver and secure the internet and associated products. We paid special attention
to “where we were”, “where we are”, and “where we are going”. Looking at the type of
attacks starting in 2000 (Table 1) to 2007 (Table 2) and evaluating the most current data
available in similar, useable formats, we noticed the breakdown and classifications of the
problem had grown increasingly complex. This is what we face as IT professionals in today’s
market. Continuing on, we took a snapshot of two different websites claiming top 10 issues in
information technology (Figure 1 Web Excerpt and Figure 2 - Web Excerpt) to illustrate the lack
of standardization. We wrap up our introduction by showing that even organizations of a similar
purpose cannot agree on a list of top threats to information and systems.
The “where we came from” section is based on a mini timeline of significant
developments to illustrate what we believe helped shape a lot of the issues today (Figure 3 -
Major Computer Developments). Without the creation of connectivity and affordable equipment,
there would be no discussion about information security.
The “where we are” section looks at past trends showing how population data (Figure 4 -
Population Growth Trend) and market penetration (Figure 5) for North America compare. We
demonstrated that these trends have a Pearson’s correlation coefficient of 0.972, which indicates a
strongly positive correlation; the two are therefore directly related to each other. This explosive,
continued growth of users has outpaced the IT community’s ability to fix the issues. In Figure 6,
we assert that the disproportionate population of users in the United States as opposed to the rest
of the world has created an environment where the U.S. has become a target of both access and
opportunity. In simplest terms we are outnumbered. In Figure 7 we attempt to chart the actual
number of Common Vulnerabilities and Exposures (CVE) and Candidates for CVE (CAN) from
2000 to 2007. We do not actually address the number of specific attacks, instead choosing to
represent them as the number of issues found in each heading.
In the “where we are going” section, globalization is addressed. Globalization, coupled with
the vast profits companies are posting (Figure 8), provides opportunity and motivation to threaten
information, and the trend is ever increasing.
Figure 9 and Figure 10 address the education side of the house to balance out the
government and business interests previously shown, and what we see is that very little has
changed in the way of thinking about how best to attack the problem of securing information
assets with respect to how the education community views things. All in all, the data collected
for this project reflect problems that have been with us for a very long time. Overall, the issues
addressed within have enjoyed little in the way of progress towards solution. The individual
communities (Government, Educators, and Business) seem stuck in the defining stage of problem
solving with little progress towards real solutions. We conclude that there is no real interface
between all the parties, and the problems will remain until real communication between them is
realized.
As a final illustration we offer Figure 11 and Figure 12, gathered from the 2009 SANS
report, to reinforce the point that both vulnerabilities and frequency of attacks are on the rise.
Figure 12 - Number of Vulnerabilities in Network, OS, and Applications
(SANS Institute, 2009)
Figure 11 - Attacks on Critical Microsoft Vulnerabilities (last 6 months)
(SANS Institute, 2009)
References
Timeline of Microcomputers(1977-1980). (2002, 03 05). Retrieved 04 13, 2011, from Timeline of
Microcomputers(1977-1980): http://pcmuseum.tripod.com/comphis3.html
Dell: Information from Answers.com. (2011). Retrieved April 3, 2011, from Answers.com:
http://www.answers.com/topic/dell-technology
Admin. (2010, 09 26). America Online (AOL) ENGLISH ARTICLES. Retrieved 04 13, 2011, from America
Online (AOL) ENGLISH ARTICLES: http://www.englisharticles.info/2010/09/26/america-onlineaol/
Alshboul, A. (2010). Information Systems Security Measures and Countermeasures: Protecting
Organizational Assets from Malicious Attacks. IBIMA Publishing, 2010(Article ID 486878), 9.
Bellis, M. (1997). The History of Computers - Computer History Timeline. Retrieved March 15, 2011, from
About.com, Inventors: http://inventors.about.com/library/blcoindex.htm
Bret L. Ingerman, C. Y. (2010, June). Top 10 IT Issues - 2010. Retrieved February 15, 2011, from Educause
Review: http://net.educause.edu/ir/library/pdf/ERM1032.pdf
Dennis Publishing Limited. (2010). Top 10 Threats for IT Security - 2011. Retrieved April 13, 2011, from IT
PRO - Fit for Business: http://www.itpro.co.uk/613333/top-10-threats-for-it-security-in-2011
Infosec Island, LLC. (n.d.). Imperva Releases Top 10 Security Threats for 2011. Retrieved April 13, 2011,
from Infosec Island: https://www.infosecisland.com/blogview/9613-Imperva-Releases-Top-10Security-Threats-for-2011.html
Leonard Kleinrock. (2009). Leonard Kleinrock's Home Page - History. Retrieved Apr 1, 2011, from
University of California Los Angeles: http://www.lk.cs.ucla.edu/internet_first_words.html
MapsOfIndia.com. (2004). Globalization of Markets. Retrieved April 3, 2011, from MapsOfIndia.com:
http://business.mapsofindia.com/globalization/market.html
Matteo. (2009, 10 14). Brief History of AOL and its Instant Messenger Program. Retrieved 04 13, 2011,
from Brief History of AOL and its Instant Messenger Program:
http://www.brighthub.com/office/collaboration/articles/4107.aspx
Miniwatts Marketing Group. (2004 - 2011). North America Internet Usage, Population and
Telecommunication Report. Retrieved March 27, 2011, from Internet World Stats:
http://www.internetworldstats.com/stats14.htm
Nelson B. Heller & Associates. (2001, August). bNet - The CBS interactive business network. Retrieved
February 15, 2011, from EDUCAUSE identifies campus IT challenges:
http://findarticles.com/p/articles/mi_m0BTY/is_2_7/ai_77378640/
Perry, C. (2006, October 13). Processor Editorial Article - Hardware Life Cycles Enter a New Era. Retrieved
March 13, 2011, from Processor - Products, News & Information Data Centers Can Trust:
http://www.processor.com/editorial/article.asp?article=articles/P2841/23p41/23p41.asp
Phil Benchoff, e. a. (2001, October 1). The Top 20 Most Critical Internet Security Vulnerabilities - 2001-2002 Archive. Retrieved February 10, 2011, from SANS: http://www.sans.org/top20/2001
Roberta L. Lembke, J. A. (2001). Top Campus IT Challenges for 2001. Retrieved February 15, 2011, from
Educause: http://net.educause.edu/ir/library/pdf/eqm01211.pdf
Rohit Dhamankar, e. a. (2007, November 28). Top 20 Internet Security Problems, Threats and Risks.
Retrieved February 10, 2011, from SANS: http://www.sans.org/top20/2007/
SANS Institute. (2009, September). SANS: Top Cyber Security Risks - Vulnerability Exploitation Trends.
Retrieved April 10, 2011, from SANS: The most trusted site for computer security training,
certification and research: http://www.sans.org/top-cyber-security-risks/trends.php
The Gale Group, I. (2011, 04 13). H & R Block, Incorporated -- Company History. Retrieved 04 13, 2011,
from H & R Block, Incorporated -- Company History:
http://www.fundinguniverse.com/company-histories/H-amp;-R-Block-Incorporated-CompanyHistory.html