Howard A. Schmidt Chief Security Officer Microsoft Corporation MAY 2001.


1 Title slide: Howard A. Schmidt, Chief Security Officer, Microsoft Corporation, May 2001

2 Topics
- Microsoft Information Assurance Program (MIAP)
- Information Security Teams and Roles
- IA Technology and Trends
- Community Leadership
- Q&A

3 Microsoft Information Assurance Program

4 Securing the Digital Nervous System
Diagram labels: Network, Data Center, PCs, Information & Communications
- 400+ worldwide IT locations
- 4M+ messages per day
- 9 million voice calls per month
- 145 video conference sites
- 12,000+ servers
- Over 150,000 PCs
- Over 600 line-of-business applications

5 Pillars of the IA Program
Information Assurance Program, built on:
- Disaster Recovery
- Backup Strategy
- Telecomm Security
- Physical Security
- Application Security
- Information Security
- Data Classification and Retention

6 IAP Objectives
- Right information, to the right person, at the right time: ANYWHERE, ANYTIME, ANY DEVICE
- Authorized, un-compromised access
  - Reliable/Available
  - What you sent is what they get (WYSIWTG)
- Consists of programs, processes & procedures
- Corporate-wide program
- The IA program should be an “umbrella” for all Information Assurance activities

7 Business Continuity Plan
- Disasters
  - Virus
  - Fire
  - Natural
  - Sabotage
  - Hacks
- Hours to ramp up to minimum configuration
- How many critical apps exist (including infrastructure)?
- Enterprise-wide data centers
  - Does NOT create redundant data centers
  - Expensive
  - Technology

8 Data Retention/Classification
- ALL data is not the same
  - Legal
  - Financial
  - Historical
  - Personal
- E-mail & attachments composed of information from routine to highly confidential
- Various retention periods (by law)
- Consolidation of group servers/shares

9 Backup Strategy
- Linked to data classification/retention projects
- Reduce storage of non-critical data
- Efficient recovery of needed data
- Reduction of offsite storage costs
- Expedite disaster recovery

10 Telecommunications Security
- PBX Security
  - Audits
  - “Phreaking tools”
- RAS Security
  - Concerns of non-encrypted RAS use in some locations
- Analog Lines
  - Desktop modems
- Mobile Phones
  - More secure: GSM, CDMA/TDMA

11 IAP Application Security
- As InfoSec professionals, work with developer and product security groups
- Part of the design review from the outset of the product life cycle
- Review potential vulnerabilities in 3rd-party apps
- Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

12 IAP Physical Security
- Relationship to the information assurance program
- Not just gates & guards
  - Controlled access system
  - Securing network taps in public areas
  - Securing phone/wiring closets
  - BP, JV & new acquisition reviews

13 Unauthorized Access Threats to Information Security
Entry points (diagram labels): Internet; CDCs, RDCs; Tail Sites; Internet Data Centers; CorpNet; PSSEVN; 3rd Party Connections; Labs gateways; Proxies; Home LANs; PPTP/RAS Servers; Direct Taps; Remote Users
Threats (diagram labels): Intrusions; Denial of Service; SPAM; Intellectual Property Theft; Virus; Phreaking; Malicious Code; Criminal/CI Use of Online Services

14 Building Blocks of Robust Security
- Engineer it securely
- Secure it before you deploy it
- Administer it securely
- Test its defenses
- Respond to its weaknesses/exploits
- Investigate the threats
- Education and awareness

15 Security Structure
- World-Wide Security Operations (Physical)
  - Campus Security Guards
  - Facilities Security Design & Access Controls
  - Executive/Employee Security Services
- World-Wide IT Security
  - Vulnerability Assessment Team (Red Team)
  - Crypto Mgt./PKI
  - Security Consulting
  - Network Incident Response Team
  - Project Management Office
  - Security Communications & Tools Development
  - Business Support Office
  - Investigations and Financial Recovery

16 Enterprise Directory Management
- Professional system administrators (first line of defense)
- Account/machine permissions
  - Add, remove, change, create shares
  - Troubleshooting
  - Create local/global groups on shares and domains
- Domain and trust
  - Approvals, creation, removal and support
- 1st-tier account auditing
- Site support for the intranet environment

17 Vulnerability Assessment Team (Red Team)
- Audit corporate nets to find vulnerabilities before hackers do
- Develop a comprehensive catalog of attack techniques
  - Reverse engineer hacker tools (BO/BO2K)
- Assess & verify compliance to CERT advisories, worldwide
- Monitor hacker activities on the internet (IRC, newsgroups etc.)
- Improve security by iterative penetration testing

18 Emergency Response Function (MS-CERT)
- Responds to security incidents
- Provides real-time intrusion detection monitoring
- Interfaces with engineering teams
- Database & disseminate security advisories
  - Security bulletins (internal)
  - Virus
- Provides “hot fixes” for Red Team
- De-conflicts Red Team actions
- Co-ordinates with other CERTs
- Handles SPAM issues
- Anti-Virus
  - Desktop
  - Internet mail connectors
  - Proxies
  - Exchange AV

19 Product Security Response Center (MSRC) (Part of Product Group)
- Interface to Microsoft customers
  - Suspected/reported vulnerabilities
  - Dissemination of patches and bulletins
  - Proactive security information and best practices
- Interface to MS-CERT and Red Team
  - Internally detected vulnerabilities and attacks
  - Warning of externally reported vulnerabilities
- Coordinate product team response

20 Product Teams (SE and Dev)
- Sustaining engineering (SE teams)
  - Evaluate reported vulnerabilities
  - Search for related problems on valid report
  - Produce, test, package patch
- Product teams (program management, development, test)
  - Back up SE teams
  - Incorporate lessons learned in new products
  - Improve processes and products
    - New security features and standards
    - Reduced vulnerabilities

21 Investigations Team
- Internal HR related
- Attacks against networks/systems
  - Hacks
  - Denial of Service attacks
  - “Criminal” SPAM
- Impersonation of employees/executives
- Criminal investigations
  - Obtain evidence for law enforcement/defense
  - Computer forensic assistance

22 Technology and Trends
- IA Strategic Technology and Consulting team focuses on new technologies
  - Evaluation
  - Pilots
  - Early applications
- Microsoft products and betas
  - “Dogfooding” security
- Third-party tools and technologies

23 Key Technology Trends
- Secure management
  - Active Directory
  - Security configuration toolset
  - Group policy
- Authentication
  - Kerberos (strong distributed authentication)
  - Smart cards
  - Biometrics
  - PKI
- Network security
  - Integrated remote access and VPN
  - IPsec VPN
  - Cable and DSL

24 Key Technology Trends (continued)
- Firewalls
  - Integrated management (ISA Server)
  - HTTP as universal transport
  - Firewall appliances
  - Personal firewalls
- Intrusion detection
  - Still an evolving technology
  - Volume of reports
  - False positives, missed events
- Vulnerability scanning
  - Many products
  - Useful but labor intensive

25 Community Leadership
- Infrastructure protection
- Cyber crime and law enforcement
- Computer Security and Privacy Advisory Board
- Chief Information Security Officers’ Forum
- Security Summit

26 Public/Private Partnerships
- Critical Infrastructure Assurance Office (CIAO)
- President’s Committee of Advisors on Science and Technology (PCAST)
- Institute for Information Infrastructure Protection (I3P)
- NATO/Lathe Gambit
- Information Sharing and Analysis Centers (ISACs)
- National White Collar Crime Center (NWCCC)
- National/Regional CyberCrime Summits (DoJ)
- National CyberCrime Training Partnership (NCTP)
- NIST/NIJ Computer Crime Pamphlets
- G8 Cyber-Crime Sub Committee
- National Security Telecommunications Advisory Council (NSTAC)

27 Next Steps
- Partnership for Critical Infrastructure Security (PCIS)
  - Over 250 private sector companies
  - Federal, State, County and City Governments
- Interdependencies
- Sharing and best practices
- Public policy and legislative activity
- R&D & workforce development
- Input to National Plan V 2.0

28 Questions? Howard A. Schmidt
