TRANSCRIPT
“CFIT Telediscussion”
Howard A. Schmidt, Director, Information Security (CISO), Microsoft Corporation
January 20th, 2000
IAP – Howard A. Schmidt
Topics
• Information Assurance Program Core Competencies
• Information Security Responsibilities/Structure
• Q & A

Information Assurance Program
Pillars of IA Core Competencies (figure: pillars shown in the diagram)
• Disaster Recovery
• Backup Strategy
• Telecomm Security
• Physical Security
• Application Security
• Data Class/Retention
• Information Security

Information Assurance Program
IAP Objectives
• Right information, to the right person at the right time
• Authorized un-compromised access
– Reliable/Available
– What you sent is what they get (WYSIWTG)
• Consist of programs, processes & procedures
• Corporate wide program
– IAP project should be an “umbrella” for all Information Assurance activities
Business Continuity Plan
• Disasters
– Virus
– Fire
– Natural
– Sabotage
– Y2K
– Hacks
• 24-48 Hrs ramp up to minimum configuration
• How many Critical Apps exist (Including Infrastructure)?
• Enterprise Wide Data Centers
• Does NOT create redundant data centers
• Expensive
• Technology
Data Retention/Classification
• ALL data is not the same.
– Legal
– Financial
– Historical
– Personal
• E-Mail & attachments comprised of information from routine to highly confidential.
• Various retention periods (by law)
• Consolidation of group servers/shares (1st Step)
• Capability needs to be built into future products
Backup Procedure & Process
• Linked to Data Class/Retention Projects
• Reduce storage of non-critical data
• Efficient recovery of needed data
• Reduction of offsite storage costs
• Expedite Disaster Recovery
Telecommunications Security
• PBX Security
– Audits
– “Phreaking tools”
• RAS Security
– Concerns of non-encrypted RAS use in some locations
• Analog Lines
– Desktop Modems
• Mobile Phones
– More secure
– GSM
– CDMA/TDMA
IAP Application Security
• As InfoSec professionals, work with developer and product security groups
– Part of the design review from outset of product life cycle
– Review potential vulnerabilities in 3rd party apps
– Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better
IAP Physical Security
• Relationship to Information Security
• Not just Guns, gates & guards
– Controlled access system
– Securing network taps in public areas
– Securing phone/wiring closets
– BP, JV & New Acquisition reviews
– Physical Security Investigations
Threats to Information Security (diagram)
• Network entry points shown: Internet, CDCs, RDCs, Tail Sites, Data Centers, CorpNet, PSS, EVN, 3rd Party Connections, Labs, E-mail gateways, Proxies, Home LANs, PPTP/RAS Servers, Direct Taps, Remote Users
• Threats shown: Unauthorized Access, Intrusions, Denial of Service, SPAM, Intellectual Property Theft, Virus, Phreaking, Malicious Code, Criminal / CI Use of Online Services
Strategic Technology & Security Consulting
• Test implementation of new Technologies
– IPsec, IPv6, Kerberos, Certificates, Smartcards, Encryption, Biometrics
• Test new Connectivity Technology
– xDSL, Cable Modem, Wireless
• Evaluate Security Technology
– Firewalls, Monitors, Scanners
• Apply Technology to Security
– Home LAN, Business Partners, Joint Ventures, Security Consulting
Red Team Mission
• Attack Corporate nets to find vulnerabilities before hackers do
• Develop comprehensive catalog of attack techniques
– Reverse engineer hacker tools (BO/BO2K)
• Assess & verify compliance to CERT advisories, worldwide
• Monitor hacker activities on the internet (irc, newsgroups etc.)
• Improve security by iterative penetration testing
Computer Emergency Response Team
CERT Function
• Responds to Security Incidents
• Provides real time Intrusion Detection Monitoring
• Interfaces with engineering teams.
• Database & Disseminate Security Advisories
– Security Bulletins
– Virus
• Provide “hot fixes” for RED Team
• De-Conflicts RED Team actions.
• Co-ordinates with other CERTs
• Handles SPAM issues
• Anti-Virus
– Desktop
– Internet Mail connectors
– Proxies
Investigations Team
• Internal HR investigations
• Attacks against networks/systems
– Hacks
– Denial Of Service attacks
– Criminal SPAM
• Impersonation of Employees/Executives
• Criminal Investigations
– Obtain evidence for Law Enforcement/Defense
– Computer Forensic assistance
User Education & Awareness
Info.Safe
• A global program
• Protect the most precious assets: Your ideas, plans, specifications, and code
• Not about what is bad - focus on risk awareness, and the propagation and reinforcement of good practices
“Information Security Awareness for Everyone”
Info.Safe
Communication & Learning
• Objectives:
– Drive information and raise awareness
• Risks and opportunities
– Enable behavior change
• Reinforce and recognize good practices
• Audiences: EVERYONE!
– Management (All levels)
– Technical staff
– Administrative
Info.Safe
Communication & Learning
• Channels:
– Electronic: Intranet
– Live venues: Classroom, brownbag lunches, staff mtgs.
– Print: Newsletters, brochures, posters
• Initiatives:
– Website updates, security channel, publicity
– Multipurpose slide deck, presenters kit
– Briefing series
– Info assurance recognition