
Security for Privacy Professionals IAPP Privacy Futures Jeff Williams, MBA/TM CISSP IAM Privacy Officer, Microsoft Services.


1 Security for Privacy Professionals IAPP Privacy Futures Jeff Williams, MBA/TM CISSP IAM Privacy Officer, Microsoft Services

2 Axiom: You cannot ensure privacy if you don’t first have security

3 Security Operating Principles
Corporate Security Mission and Vision
Security Strategy
Risk-Based Decision Model
Tactical Prioritization

4 Mission
[Figure labels: Assess Risk, Define Policy, Monitor, Audit]
Prevent malicious or unauthorized use that results in the loss of intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

5 Vision
Five Trustworthy Assurances
–My identity is not compromised
–Resources are secure and available
–Data and communications are private
–Roles and accountability are clearly defined
–There is a timely response to risks and threats
An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client

6 Operating Principles
Management commitment
–Manage risk according to business objectives
–Define organizational roles and responsibilities
Users and data
–Manage to the practice of least privilege
–Strictly enforce privacy and privacy rules
Application and system development
–Build security into the development life cycle
–Create layered defense and reduce attack surface
Operations and maintenance
–Integrate security into the operations framework
–Align monitor, audit, and response functions to operational functions

7 Security Landscape

8 State of the Nation
Security problems are growing
Total financial losses double 2002 levels
Most organizations are not yet equipped to deal with security threats
Growth of the external threat
New and evolving threats
95% of security issues could have been avoided if systems were properly configured and patched
Source: CERT 2003: Computer Crime Survey

9 What you may not have known…
DDoS extortion can pay $50k+ per incident
–Costs very little, < $1000
The “Really Bad People” pay “ethically challenged” techies to do their dirty work
–Execute DDoS, write bots, code exploits, provide ‘zero-day’ exploit information, compromise specific systems
–Anonymous payments via Paypal etc.
–No questions asked
Spam pays too
–AOL gave away the Porsche Boxster confiscated from a convicted Spammer
–How much has been pocketed by how many? Who paid them?

10 Understanding the Landscape
[Figure: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against attacker skill (Script-Kiddie, Hobbyist Hacker, Expert, Specialist), with the attacker types Author, Vandal, Thief, Spy, and Trespasser placed on the grid]

11 An Evolving Threat
[Figure: the same motivation-versus-skill grid (Curiosity, Personal Fame, Personal Gain, National Interest; Script-Kiddie, Hobbyist Hacker, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser), annotated with the regions that are the largest area by volume, the largest area by $ lost, the largest segment by $ spent on defense, and the fastest growing segment]

12 Security is nothing more than Managing Risk

13 Enterprise Risk Model
[Figure: risk matrix with Probability of Exploit (Defined by Corporate Security) on one axis and Impact to Business (Defined by Business Owner) on the other, each running from Low to High, with regions labelled Acceptable Risk and Unacceptable Risk]
Risk assessment drives to acceptable risk

14 Risk Analysis by Asset Class
Host – Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
Application – Unauthenticated access to applications, unchecked memory allocations
Account – Compromise of integrity or privacy of accounts
Trust – Unmanaged trusts enable movement among environments
Network – Data sniffing on the wire, network fingerprinting

15 Components of Risk Assessment
Asset – What are you trying to assess?
Threat – What are you afraid of happening?
Impact – What is the impact to the business?
Vulnerability – How could the threat occur?
Mitigation – What is currently reducing the risk?
Probability – How likely is the threat given the controls?
Current Level of Risk – What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
[Figure: the components above are joined with + and = signs into the Impact, the Probability, and the Current Level of Risk]

16 Risk Management Process and Roles
[Figure: a five-step process, 1 Prioritize Risks, 2 Security Policy, 3 Security Solutions & Initiatives, 4 Sustained Operations, 5 Compliance, with the roles Corporate Security, Cross-IT Teams, and Tactical Prioritization]

17 Fundamental Tradeoff Secure Usable Cheap You get to pick any two!

18 Risk Assessment
Can’t eliminate risk
Three things we can do
–Accept
–Mitigate
–Transfer
Security policy helps determine which

19 Risk mitigation Preventing Detecting Responding Each builds on the previous…

20 Risk Computation
Useful formula: R = T × V × E
If any term is zero, risk is zero
Balance cost of attack vs. cost to secure
Remember your soft costs
Don’t forget liability
–Eve hacks Alice, uses Alice to hack Bob; Bob sues Alice for failure to maintain security. Civil only; whose laws apply?
Factor in cost to repair reputation
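Added example, not part of Jeff Williams' presentation: a small risk register that applies the slide's formula R = T × V × E and then picks one of the three risk-assessment choices (accept, mitigate, transfer). The slide does not expand the three letters, so this code assumes T is the likelihood of the threat acting, V the likelihood the attack succeeds against current controls, and E the exposure, i.e. the business loss (soft costs, liability and reputation repair included) if it does. The scenarios, costs and the acceptable-risk threshold are constructed for illustration.

```python
"""Added example (not from the presentation): risk register using R = T x V x E.
ASSUMED meaning of the terms: T = probability the threat acts (0..1),
V = probability the attack succeeds against today's controls (0..1),
E = exposure, the loss in dollars if it succeeds. Scenarios are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float                  # T: assumed probability the threat acts, per year
    vulnerability: float           # V: assumed probability the attack succeeds today
    exposure: float                # E: loss if it succeeds, soft costs and liability included
    cost_to_secure: float          # price of the proposed mitigation
    residual_vulnerability: float  # V after the mitigation is in place


def risk(threat: float, vulnerability: float, exposure: float) -> float:
    """R = T x V x E. Because it is a product, any zero term makes the risk zero."""
    for term in (threat, vulnerability, exposure):
        if term < 0:
            raise ValueError("risk terms cannot be negative")
    return threat * vulnerability * exposure


def treatment(s: Scenario, acceptable_risk: float) -> str:
    """Accept what falls under the policy threshold; otherwise mitigate when the
    control costs less than the risk it removes, and transfer (insurance,
    contract) when securing would cost more than the reduction it buys."""
    current = risk(s.threat, s.vulnerability, s.exposure)
    if current <= acceptable_risk:
        return "accept"
    reduction = current - risk(s.threat, s.residual_vulnerability, s.exposure)
    return "mitigate" if s.cost_to_secure <= reduction else "transfer"


def risk_register(scenarios, acceptable_risk):
    """Map each scenario name to (R rounded to cents, chosen treatment)."""
    return {s.name: (round(risk(s.threat, s.vulnerability, s.exposure), 2),
                     treatment(s, acceptable_risk)) for s in scenarios}


# Constructed sample register (illustrative values, not measurements)
SAMPLE_SCENARIOS = [
    Scenario("unpatched Internet-facing web server", 0.9, 0.5, 200_000, 20_000, 0.05),
    Scenario("intranet wiki traffic sniffed on the wire", 0.2, 0.3, 5_000, 15_000, 0.01),
    Scenario("isolated lab host with no network connection", 0.0, 0.8, 50_000, 1_000, 0.8),
    Scenario("breach at third-party payment processor", 0.3, 0.4, 1_000_000, 150_000, 0.3),
]
ACCEPTABLE_RISK = 10_000  # constructed policy threshold, dollars per year

if __name__ == "__main__":
    for name, (r, decision) in risk_register(SAMPLE_SCENARIOS, ACCEPTABLE_RISK).items():
        print(f"{name:48s} R=${r:>12,.2f}  -> {decision}")
```

The lab host shows the "any term is zero" rule: with T = 0 the product is zero regardless of how vulnerable the box is. The payment-processor case shows a transfer decision, where the control on offer costs more than the risk it would remove, so the residual risk is better handled contractually.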

21 How to Compromise a System
1. Port scan—what’s listening
2. Sniff traffic—URLs, clear text passwords
3. Launch scripts to probe for vulnerabilities
4. Run a privilege escalation attack
5. Infect; leave backdoors
6. Cover tracks in the logs
7. Get out

22 Trojans, Viruses, Bots and Worms
Multiple delivery mechanisms
Run in context of logged on user
Send personal data to attackers
Send malicious data to attack others
Open holes for access from Internet
Backups won’t help if not clean

23 Document the threats
Documenting threats to your systems is difficult
–What kinds of things can go wrong?
–How can an attacker take advantage of your network?
You must think like an attacker
–What are the juicy bits of data?
–What do they want to do with your environment?
Evaluate chains
–If item A occurs then item B can occur…

24 Fault Trees
Demonstrate logical paths through a system
Used to highlight faults in a system
Points out relationships between faults
Allow us to estimate the interactions between faults
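Added example, not part of the presentation: a minimal fault-tree evaluator for the slide above. A tree is built from AND/OR gates over leaf faults, each leaf carrying an estimated probability; the code computes the probability of the top event, lists the minimal cut sets (the logical paths through which the top event can occur), and asks which single fault is most worth removing. The tree, its fault names and its probabilities are constructed for illustration, and the arithmetic assumes the leaf faults are statistically independent.

```python
"""Added example (not from the presentation): fault-tree evaluation.
ASSUMPTION: leaf faults are independent, so AND gates multiply probabilities
and OR gates use 1 - product(1 - p). The sample tree is constructed."""
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Optional, Set


@dataclass
class Fault:
    name: str
    prob: float = 0.0                 # estimated probability; used for leaves only
    gate: Optional[str] = None        # "AND", "OR", or None for a leaf
    children: List["Fault"] = field(default_factory=list)


def probability(f: Fault, removed: Set[str] = frozenset()) -> float:
    """Probability of fault f. Names in `removed` are treated as fixed (probability 0),
    which models a mitigation that eliminates that fault outright."""
    if f.gate is None:
        return 0.0 if f.name in removed else f.prob
    ps = [probability(c, removed) for c in f.children]
    if f.gate == "AND":                      # all children must occur
        p = 1.0
        for x in ps:
            p *= x
        return p
    if f.gate == "OR":                       # at least one child occurs
        none_occur = 1.0
        for x in ps:
            none_occur *= 1.0 - x
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {f.gate!r}")


def cut_sets(f: Fault) -> List[FrozenSet[str]]:
    """Minimal cut sets: the smallest combinations of leaf faults that cause f."""
    if f.gate is None:
        return [frozenset([f.name])]
    if f.gate == "OR":                       # any child's cut set is a cut set
        candidates = [s for c in f.children for s in cut_sets(c)]
    else:                                    # AND: one cut set per child, merged
        candidates = [frozenset().union(*combo)
                      for combo in product(*(cut_sets(c) for c in f.children))]
    minimal = {s for s in candidates if not any(o < s for o in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def leaves(f: Fault) -> List[Fault]:
    return [f] if f.gate is None else [leaf for c in f.children for leaf in leaves(c)]


def best_single_fix(f: Fault) -> str:
    """Name of the leaf whose removal lowers the top-event probability the most."""
    return min(leaves(f), key=lambda leaf: probability(f, {leaf.name})).name


def sample_tree() -> Fault:
    """Constructed tree: ways customer data could be disclosed."""
    return Fault("customer data disclosed", gate="OR", children=[
        Fault("remote compromise of web host", gate="AND", children=[
            Fault("unpatched_host", 0.3),
            Fault("port_exposed", 0.5)]),
        Fault("stolen credential used", gate="AND", children=[
            Fault("weak_password", 0.2),
            Fault("remote_logon_reachable", 0.5)]),
        Fault("backup_tape_lost", 0.02)])


if __name__ == "__main__":
    tree = sample_tree()
    print(f"P(top) = {probability(tree):.4f}")
    for cs in cut_sets(tree):
        print("cut set:", sorted(cs))
    print("remove first:", best_single_fix(tree))
```

The cut sets are the "logical paths" the slide refers to: each one is a chain of faults that must all occur together for the top event to happen, and a single-leaf cut set (the lost backup tape here) is a path with no AND-gate protecting it. Re-running `probability` with one leaf removed is the cheap way to rank mitigations before spending on them.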

25 Defense in Depth
Using a layered approach:
–Increases an attacker’s risk of detection
–Reduces an attacker’s chance of success
Layers and the controls at each layer:
Data – ACL, encryption, Rights Management
Application – Application hardening, antivirus
Host – OS hardening, patch management, authentication, HIDS
Internal Network – Network segments, IPSec, NIDS
Perimeter – Firewalls, VPN quarantine
Physical Security – Guards, locks, tracking devices
Policies, Procedures, & Awareness – User education

26 Defenses
Defense in depth
–Networks
–Hosts
–Applications
–Users

27 Network Defenses
Border router
–Ingress and egress filtering
Firewalls
–Is high availability a business requirement?
Authentication
–Check credentials before allowing through
Encryption
–VPNs, IPSec ESP tunnel mode
Not just perimeter, though...
–Can do all this between logical and business security zones, too

28 Host Defenses
Updated anti-virus, hotfixes, service packs
Control security settings and software distribution/installation with group policy
Authenticated connections
–IPSec AH, 802.1x
Encrypted sessions
–IPSec ESP transport mode
Restricted connections, in and out
–IPSec filtering, ICF
File integrity monitoring

29 The art of patching without patching
Turn stuff off!
…or don’t install it in the first place

30 Application Defenses
Encrypted communications
–SSL/TLS, S/MIME
Signed communications
–S/MIME, code signing
Authorization
–Fine for public services
–Must do this if you need to know who
Strong security development practices

31 Defense Against Users
Principle of least privilege (POLP)
–Users aren’t local administrators
–Trust those who are admins, though
–Configure trust relationships only where there is a business need
–Appropriate access lists and rights, again following business needs
Don’t read e-mail with admin account

32 Technologies
Prevention
–Internet Connection Firewall
–IPSec (encryption, authentication, filtering)
–ISA Server (rules and filters)
–Distribution of current updates: Group policy, Corporate Windows Update, Systems Management Server

33 Technologies
Detection
–Security logging and auditing
–Port scanning
–NetMon from SMS
–Microsoft Operations Manager
–ISA Server (IDS and honeypot)

34 Non-technologies
Response
–People and processes
–You need a plan. Period.

35 10 Things Attackers Don’t Want You To Do
1. Ensure everything is fully patched
2. Use strong pass phrases
3. Open only necessary holes in firewalls
4. Harden servers
5. Use properly hardened applications
6. Use least privilege
7. Restrict outbound traffic
8. Restrict internal traffic
9. Micro-manage service accounts
10. Maintain a healthy level of paranoia

36 This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, MSN, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

37 Appendix

38 Security Category – Security Principle
Organizational: directed to management’s commitment to risk management and security awareness
–Manage risk according to business objectives
–Define organizational roles and responsibilities
–Invest in secure design
–Commit to secure operations
Users and data: includes authentication, user privacy, and data authorization
–Manage to the practice of least privilege
–Base decisions on data classification and fair use
–Enforce privacy and privacy rules
–Ensure data integrity
–Monitor identity assurance
–Build in availability
Application and system development: dedicated to the design and development of secure systems
–Build security into the life cycle
–Design defense in depth
–Reduce attack surface
–Keep it simple
Operations and maintenance: people, processes, and technology to build, maintain, and operate secure systems
–Plan for system maintenance
–Enforce security configuration and hardening
–Monitor and audit
–Practice incident response
–Verify disaster recovery

39 Most Common Risks
Poor password management
Weak account management processes
Unsecured and unmanaged remote computers
Poorly configured and unpatched systems
Weak auditing and monitoring processes
Inadequately restricted access to critical information

40 Network Security Hardening
Default OS configuration is acceptable for a trusted network
–Windows 2000 is very open by default
–Windows Server 2003 is much more secure
Still room for improvement
–Application hardening is critical
–Same rules apply as for platform
Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system

41 Threat Modeling
Understanding and communicating the threats to your environment
Commonly used in application design (Writing Secure Code, 2nd Ed.)
Can also be applied to networks

42 Best Practices
Document
–Model applications and services
–Environment dependent
Segregate
–Applications
–Security requirements
Restrict
–Disable services
–Close ports
–Use IPSec or RRAS filters
–Use different passwords

43 Document
Purpose is to communicate what the environment looks like
Use well understood modeling techniques
–Modified data flow diagrams
–Threat trees
–Verbose documentation

44 Model The Network

45 Superimpose a DFD

46 Segregate
Segregate systems by application and security requirements
Should you trust systems that are not part of your application?
–Which systems do they trust?
–What are their security requirements?
Less sensitive systems may depend on more sensitive systems
More sensitive systems MUST NEVER depend on less sensitive systems

47 Network Segmentation

48 Documenting Segments

49 Restrict
Policies allow nothing but…
–Disable unnecessary services
–Remove users
–Restrict privileges
–Turn on security tweaks
–Remove permissions
–Set very strong passwords
Restrict communications
–IPSec
–RRAS filters

50 Trust Boundaries
Systems and entities you trust are included within your trust boundary
Should your trust boundary include databases?
–It depends: who writes to them? Do you trust those systems?
–If you trust the systems that write to the database you may still not want to trust the database: is it secure?
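Added example, not part of the presentation: a checker for the rule on the "Segregate" slide (less sensitive systems may depend on more sensitive ones; more sensitive systems must never depend on less sensitive ones) that also works through the "Trust Boundaries" question about databases. Since a database is only as trustworthy as the systems that write to it, a write is modelled as the database depending on the writer, and the checker then follows dependency chains (the "evaluate chains" advice from the threat-documentation slide) to show how trust leaks from a public system into a confidential one. The sensitivity scale, the system names and the inventory are constructed for illustration.

```python
"""Added example (not from the presentation): segregation and trust-boundary
check over a constructed system inventory. Sensitivity scale is assumed."""
from typing import Dict, List, Set, Tuple

# Constructed classification scale: higher number = more sensitive
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def dependency_graph(depends_on: Dict[str, List[str]],
                     writes_to: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Merge read dependencies with reversed write edges: if X writes to DB,
    DB's integrity depends on X, so DB -> X is recorded as a dependency."""
    graph = {system: list(deps) for system, deps in depends_on.items()}
    for writer, targets in writes_to.items():
        for target in targets:
            graph.setdefault(target, []).append(writer)
    return graph


def check_segregation(sensitivity: Dict[str, str],
                      graph: Dict[str, List[str]]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (system, chain) for every direct or transitive dependency on a
    system of lower sensitivity; the chain shows the path so a reviewer can
    see exactly where the trust leaks."""
    violations = []
    for start in graph:
        stack = [[start]]
        while stack:                          # depth-first walk of dependency chains
            path = stack.pop()
            for nxt in graph.get(path[-1], []):
                if nxt in path:               # cycle guard (e.g. form <-> database)
                    continue
                chain = path + [nxt]
                if LEVELS[sensitivity[start]] > LEVELS[sensitivity[nxt]]:
                    violations.append((start, tuple(chain)))
                stack.append(chain)
    return violations


def trust_boundary(system: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Everything `system` ends up trusting, directly or through a chain."""
    seen, todo = set(), list(graph.get(system, []))
    while todo:
        dep = todo.pop()
        if dep not in seen:
            seen.add(dep)
            todo.extend(graph.get(dep, []))
    return seen


# Constructed inventory
SENSITIVITY = {
    "web_form": "public", "hr_app": "confidential", "shared_db": "confidential",
    "ad_dc": "restricted", "payroll": "restricted", "payroll_db": "restricted",
}
DEPENDS_ON = {
    "hr_app": ["shared_db", "ad_dc"],
    "payroll": ["payroll_db", "ad_dc"],
    "web_form": ["shared_db"],      # public system reading a confidential one: allowed direction
}
WRITES_TO = {"web_form": ["shared_db"]}   # ...but the public form also writes into it

if __name__ == "__main__":
    graph = dependency_graph(DEPENDS_ON, WRITES_TO)
    for system, chain in check_segregation(SENSITIVITY, graph):
        print(f"VIOLATION {system} ({SENSITIVITY[system]}): " + " -> ".join(chain))
    print("hr_app trusts:", sorted(trust_boundary("hr_app", graph)))
```

Run against the sample, the checker reports nothing for `payroll`, whose whole trust boundary is restricted systems, but flags `hr_app`: it reads a confidential database that a public web form writes into, so the confidential application transitively depends on a public one. Dropping the write edge makes the violations disappear, which is the slide's point that whether a database belongs inside your trust boundary depends on who writes to it.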

51 Trust Boundaries

52 Conclusion
Prevention is less costly than reacting to incidents
Enterprises should develop a system of security audits, system scans, and remediation steps, and educate users about protecting their systems
Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan

53 Best Practices
Upgrade from any unsupported OS
Prioritize according to risk assessment
Establish service management framework
Start with a pilot project in a small, controlled area
Anticipate evolutionary changes in technology
Actively manage employee education and communication
Consider network bandwidth constraints
Train end users to identify virus behavior and proper response
Stay secure and informed

54 Conclusion
Network security is difficult
Hardening networks requires understanding the environment
–Optimal hardening requires deep understanding
There is a fundamental tradeoff between security and usability
Three-phase approach to network hardening
–Document
–Segregate
–Restrict

55 Other Resources
Technical information
–Microsoft Security Best Practices: prac.asp
–MBSA: /Tools/mbsahome.asp
–Attend a free chat or web cast: efault.mspx asp
–List of newsgroups: s/newsgroups/en-us/default.aspx
Security Guidance And Training
–Windows 2000 Security Hardening Guide: odtech/Windows/Win2kHG/default.asp
–Windows Server 2003 Security Guide
–Windows XP Security Guide
–Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
–Microsoft Guide to Security Patch Management: ics/patch/default.asp
