The Future of Security
Slide 1 (4/27/2011)
David Smith
CEO, HBMG Inc.
dsmith@HBMGINC.com
linkedin.com/in/davidsmithaustin
Why is Security Hard?
No system can be 100% secure
– Reality is risk mitigation, not risk avoidance
Difficult to prove good security
– Bad security gets proven for us!
Good security and no security can look the same
– How does one know how secure they are?
Many things to secure
– People, equipment, OS, network, application servers, applications, phones, and databases
Slide 2
Balancing the Business
(Diagram: Usability, Security, and Performance as the three competing corners of a balancing triangle)
Slide 7
Convergence reduces costs and risks
(Diagram: Security Information & Events, Systems, and Identity & Access Privileges converging into Comprehensive Security & Compliance)
Slide 8
Change, Uncertainty, and Complexity
(Word cloud of drivers: Economic & Financial; Virtual Worlds; Technology Acceleration; Cyber Warfare; Russia - China; Intangible Capital; K-12 Science & Math Crisis; Pandemic; Terrorism; Global Talent Explosion; Offshore Competition; English as 2nd; 3 Billion New Capitalists; Demographics; Economic Unions; Flat Wages; Regional Economic Dislocation; End of Moore’s Law; New Economic Superpowers in 2050?)
Slide 11
Fixed Mobile Convergence
The latest buzzword in the
collaborative industry is fixed
mobile convergence (FMC) the
bil (FMC), th
integration of wire line and wireless
technologies to provide users with
a seamless communication
environment.
11
Slide 13
Top Ten Attacks
• Trusted Website attacks
• Effectiveness in Botnets
• Data Loss – Phishing
• Mobile phone threats (iPhones)
• Insider attacks
• Identity Theft
• Malicious Spyware
• Web Application Security Exploits
• VoIP event Phishing
• Supply Chain Attacks
Pillars of Information Protection
(Diagram: Secure Systems, Network Security, Physical Security, and Information Management)
Slide 14
Threats and Vulnerabilities
– What’s at Stake
• Critical Infrastructures
• Key Resources
• New Resources
– The Case for Action
• Cyber Threats
• Insider Threats
• External Threats
• Cyber Terrorism
• Physical Attacks
(Chart: Security Incident Trend, 1995–2003, CERT/CC)
What kind of threats are there?
External threats
– Malware
– Rootkits
– Adware
– Spam
– Phishing
– “Ransomware”
Internal threats
– User response to unsolicited email or instant messages
– May have a network that is difficult to maintain
– “The Enemy Within” – The code for malware isn’t particularly difficult to find and launch.
Slide 15
Threat numbers - Malware
5500 new malicious software threats per month
Attack Trends: Data Breaches
Information on data breaches that could lead to identity theft.
The Education sector accounted for the majority of data breaches with 30%, followed by Government (26%) and Healthcare (15%). Almost half of breaches (46%) were due to theft or loss, with hacking only accounting for 16%.
Hacking resulted in 73% of identities being exposed.
Slide 16
IT Trends
(Timeline, 1960–2020: Punch Card; Mainframe/Midrange; Client Server; Network; WEB; Grid; Internet Appliances; Virtualization; Cloud; Ubiquitous. HBMG Inc. Copyright 2009)
Top 10 Programming Languages
Slide 20
Security is a System
SECURITY: Product, Configuration, Implementation, Policy and Process
(Diagram: SOA Reference Architecture, with Security, Operations, & Governance and Policy, Process, Monitoring, Reporting, Usage Tracking as cross-cutting concerns)
– Users / Channel: Browsers, Voice User Interface; PC, PDA, Cell Phone, iPhone, IVR
– Access Points: Portals / Websites; Web Applications (ASP, JSP, HTML, CSS, Voice/XML); User Interactions
– Orchestrated Web Services: Business Process; Service Discovery; Service Management; Service Transformations; Messaging
– “Enterprise Service Bus”: Mediation, Routing, Logging, Auditing
– “Service Registry”; Identity Management: Policy Enforcement, Authentication, Single Sign-On
– Services: Web, Atomic, Composite, Federated, Business, Data Access, Logic/Rules
– Platform (System Administration): Mainframe, UNIX, Windows, .NET, Java, J2EE, COBOL, CICS
– Network (Network Administration): Firewalls, Routers, XML Accelerators, Proxy Servers, TCP/IP
Slide 22
A Riskier World?
Risk Management – A changing framework
(Diagram: 1970’s, Traditional Asset Protection, value of tangible assets; 2000+, knowledge based economy, value of intangible assets: Knowledge, Reputation Management, Image)
12 Components of an Effective Information Security Program
– Risk Management
– Policy Management
– Organizing Information Security
– Asset Protection
– Human Resource Security
– Physical and Environmental Security
– Communication and Operations Management
– Access Control
– Information Systems Acquisition, Development and Maintenance
– Incident Management
– Disaster Recovery Management
– Compliance
Slide 26
Disruptors can be:
Technology
Regulatory
Economic
Civil
Natural Disasters
…
Risk
“Risk is inherent in life. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete security is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated risk. The results of such an analysis could include pragmatic decisions as to whether achieving risk avoidance at such cost was reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is risk management.”
Julie H. Ryan
Booz‐Allen & Hamilton
Slide 27
Risk Model
Example ‘PEST’ model
(Diagram: four quadrants labelled Technical, Economic, People, and Social. Example risks on the slide: IT/Systems Breakdown; Industrial Accidents; Contamination; Government Crisis; Industrial Accident; Utilities failure; On‐site product tampering; Sabotage; Malicious acts; Terrorism; Organisational failure; Labour strikes; Off‐site product tampering)
Slide 28
Elements of the Web of Trust
All solutions to Identity Management must provide a solution for each of these seven elements.
Risk Management And Needed Security
(Diagram: Impact to business on the vertical axis and Probability of exploit on the horizontal axis, each from Low to High; Unacceptable Risk lies toward high impact and high probability, Acceptable Risk toward low. Business defines impact; security engineering defines probability; risk management drives risk to an acceptable level.)
Slide 29
Risk Formula
Threat Modeling & Risk Forecasting
Threat agent: Any person or thing that can do harm
Threat: Anything that could harm an asset
Vulnerability: A deficiency that leaves an asset open to harm
Asset: Anything with value—what we want to protect
Exposure: Harm caused when a threat becomes real
Countermeasure: Any protective measure we take to safeguard an asset. This is measured by reducing the probability of successful exploitation.
Risk is a statement of probability. It is the probability that a given threat will exploit a given vulnerability and cause harm.
(Diagram: Threat Sources – External: Customers, Competitors, Non-related Businesses, Business Partners, Global Governments, etc.; Internal Operations (i.e. Insider Threats); B2B: Business Partners, Suppliers; Internal Operations (i.e. Financial). Arrows labelled Gives Rise To, Affects, and Mitigated By connect the sources to Exploits: Internal Technology; External Technology-driven (threats); Internal Processes; External Physical (BC-type threats).)
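The quadrant on the previous slide (business defines impact, security engineering defines probability, risk management drives risk to an acceptable level) and the definitions above fit together as a small risk register. The Python below is an added example and is not from the deck or from HBMG; the 1–5 impact scale, the 0–1 probability scale, the multiplicative countermeasure model, the acceptable-risk ceiling of 1.0, and every sample row and countermeasure name are constructed assumptions.

```python
"""Risk register walk-through for the slide's risk vocabulary and the
impact/probability quadrant. Added example, not from the original deck;
the 1-5 impact scale, 0-1 probability scale, multiplicative countermeasure
model, ceiling of 1.0 and all sample entries are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

ACCEPTABLE_SCORE = 1.0  # assumed business-set ceiling for "Acceptable Risk"


@dataclass
class Countermeasure:
    # A protective measure, measured (as the slide puts it) by how much it
    # reduces the probability of successful exploitation: 0.0 none, 0.8 = 80%.
    name: str
    probability_reduction: float


@dataclass
class Risk:
    # One register row: a threat agent exercising a threat against a
    # vulnerability in an asset, with the exposure if it succeeds.
    asset: str
    threat_agent: str
    threat: str
    vulnerability: str
    impact: float        # 1..5, defined by the business (exposure if realised)
    probability: float   # 0..1, defined by security engineering (inherent)
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def residual_probability(self) -> float:
        # Each countermeasure removes its share of whatever probability remains.
        p = self.probability
        for cm in self.countermeasures:
            p *= 1.0 - cm.probability_reduction
        return p

    def score(self) -> float:
        # Risk as probability weighted by impact (assumed scoring model).
        return round(self.impact * self.residual_probability(), 3)


def classify(risk: Risk, acceptable_score: float = ACCEPTABLE_SCORE) -> str:
    # Quadrant decision: above the business-set ceiling is Unacceptable Risk.
    return "Unacceptable" if risk.score() > acceptable_score else "Acceptable"


def drive_to_acceptable(risk: Risk, candidates: List[Countermeasure],
                        acceptable_score: float = ACCEPTABLE_SCORE) -> List[str]:
    # Apply the strongest remaining candidate until the risk is acceptable or
    # the candidates run out; returns the names that were applied.
    applied: List[str] = []
    remaining = sorted(candidates, key=lambda cm: cm.probability_reduction, reverse=True)
    while classify(risk, acceptable_score) == "Unacceptable" and remaining:
        best = remaining.pop(0)
        risk.countermeasures.append(best)
        applied.append(best.name)
    return applied


def build_register() -> List[Risk]:
    # Constructed sample rows; the values are illustrative, not measured.
    return [
        Risk("customer database", "external attacker", "web application exploit",
             "unpatched SQL injection flaw", impact=5, probability=0.6),
        Risk("staff mailboxes", "phishing campaign", "credential theft",
             "users respond to unsolicited email", impact=3, probability=0.5),
        Risk("branch file server", "insider", "data loss",
             "shared administrator account", impact=2, probability=0.2),
    ]


# Constructed candidate countermeasures per asset (hypothetical effectiveness).
CANDIDATES: Dict[str, List[Countermeasure]] = {
    "customer database": [Countermeasure("patch and input validation", 0.8),
                          Countermeasure("web application firewall", 0.5)],
    "staff mailboxes": [Countermeasure("security awareness training", 0.4),
                        Countermeasure("multi-factor authentication", 0.7)],
    "branch file server": [Countermeasure("individual admin accounts", 0.6)],
}


def run_register() -> List[dict]:
    # Score every row before and after risk management acts on it.
    results = []
    for risk in build_register():
        before, before_class = risk.score(), classify(risk)
        applied = drive_to_acceptable(risk, CANDIDATES.get(risk.asset, []))
        results.append({"asset": risk.asset, "before": before, "before_class": before_class,
                        "applied": applied, "after": risk.score(), "after_class": classify(risk)})
    return results


if __name__ == "__main__":
    for row in run_register():
        print(f"{row['asset']:<22} {row['before']:>5} {row['before_class']:<12} "
              f"-> {row['after']:>5} {row['after_class']:<12} via {row['applied'] or 'nothing'}")
```

Running the script prints each row's score before and after countermeasures are applied. The shared-admin-account row already sits in the Acceptable region and receives no countermeasure, which mirrors the slide's point that the goal is an acceptable level of risk, not zero risk; the threshold is a business decision and is the one knob the example deliberately leaves as a parameter.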
Slide 30
In Parting: Be Paranoid
“Sooner or later, something fundamental in your business world will change.”
– Andrew S. Grove, Founder, Intel, “Only the Paranoid Survive”
Copyright ©2008 HBMG Inc.