MID/jpl 5/15/ © 1999 by James P. Litchko
Total BS Security: Business-based Systems Security
Jim Litchko (703) ext. 310
Presentation
An Approach
–Business and Holistic
Attitudes
–Ours and Theirs
Solutions
–Case Studies
Opinions
–Mine
Questions
–Anytime
Typical Evolving Network
(diagram labels: Internet or other; Clients; Partners; Corporate System)
“Secure Brick” Theory
(diagram labels: Operations; Security Manager; Profit / Loss; Demand / Supply)
Approach... talk about their business
What is your business?
–Services and products
How do you operate?
–Processes for selling and providing
Who does what?
–Responsibilities and information flow
How do you measure success?
–Customer satisfaction, profit, market share, etc.
What is your system’s architecture?
–Components, connections, capabilities, and cultures
Security Requirements
(diagram labels: Internet or other; Promotional Web Server; Transaction System; Service System; Clients; Partners; Browser; Business/? Productivity; requirement labels: Integrity, Availability, Confidentiality, Integrity, Authentication, Confidentiality, Visibility, Availability, Impatient)
82% required no additional security products
Attitudes and Perceptions: Sailor-on-liberty Philosophy
–I want it fast, free and friendly
Security only costs money
–True, but....
The most secure solution has
–best GUI
–largest market share
–relationship and trust
Transparent to the user
–Accept when...
Attitudes and Perceptions: Sailor-Proof
–If it is too hard they will find a way around it
KISS Principle
–Education is the best bang for the buck
–Increases ownership for solving security problems
SNMP is the standard
–Not a smoking gun.... a bleeding wound is needed.
What is the aspirin for security:
–firewalls, VPN, PKI, IDS,......?
–Technology will solve all of our problems!
–monitoring problem solution was policy.
Which Authentication is best?
Password?
Time-based?
Challenge and Response?
Event-based?
Biometrics?
Public Key?
VPN?
IDS?
Problem
Subscription Information Service Provider
Web site distribution
Computer illiterate users
Sharing passwords
$40,000 loss per month
What is the solution?
Security and Business Math
                Profit:    Loss:     Net:
Before          $ 50B      $ 4.5B    $ 46.5B
After           $ 50B      $ 1.0B    $ 49.0B
Better Idea?    $
(diagram labels: Internet or WAN; Promotional Web Server, Read Only; Firewall; Firms; Clients; Firewall; Support Operations; Transaction System)
(diagram labels: Internet or WAN; Promotional Web Server, Read Only; Firewall; Firms; Clients; IP Encryption; Support Operations; Transaction System)
(diagram labels: Internet or WAN; Promotional Web Server, Read Only; Firewall; Firms; Clients; IP Encryption; SSL Encryption; Support Operations; Transaction System)
(diagram labels: Internet or WAN; Promotional Web Server, Read Only; Firewall; Clients; IP Encryption; SSL Encryption; Intrusion Detection Systems and Assurance Testing)
“In God we trust. Everyone else we monitor.”
(diagram labels: Internet or WAN; Promotional Web Server, Read Only; Firewall; Firms; Clients; IP Encryption; SSL Encryption; Backups; Surf Web Filter; Support Operations; Transaction System)
What business is this?
Summary
Base security on business first
Practical solutions, not just technical
Security is a business risk