CFIT Telediscussion CFIT Telediscussion Howard A. Schmidt Director, Information Security (CISO) Microsoft Corporation January 20 th , 2000

Upload: fay-hill

Post on 11-Jan-2016


TRANSCRIPT

Page 1: “CFIT Telediscussion”

Howard A. Schmidt, Director, Information Security (CISO)

Microsoft Corporation

January 20th, 2000

Page 2:

IAP – Howard A. Schmidt

Topics

• Information Assurance Program Core Competencies

• Information Security Responsibilities/Structure

• Q & A

Page 3:

Information Assurance Program

Page 4:

Pillars of IA Core Competencies (wheel diagram; the segment labels recovered from the slide are listed below)

• Disaster Recovery

• Backup Strategy

• Telecomm Security

• Physical Security

• Application Security

• Data Class/Retention

• Information Security

Center of the wheel: Information Assurance Program

Page 5:

IAP Objectives

• Right information, to the right person at the right time

• Authorized un-compromised access
  – Reliable/Available
  – What you sent is what they get (WYSIWTG)

• Consist of programs, processes & procedures

• Corporate wide program
  – IAP project should be an “umbrella” for all Information Assurance activities

Page 6:

Business Continuity Plan

• Disasters
  – Virus
  – Fire
  – Natural
  – Sabotage
  – Y2K
  – Hacks

• 24-48 Hrs ramp up to minimum configuration

• How many Critical Apps exist (Including Infrastructure)?

• Enterprise Wide Data Centers
  – Does NOT create redundant data centers
  – Expensive
  – Technology

Page 7:

Data Retention/Classification

• ALL data is not the same.
  – Legal
  – Financial
  – Historical
  – Personal

• E-Mail & attachments comprised of information from routine to highly confidential.

• Various retention periods (by law)

• Consolidation of group servers/shares (1st Step)

• Capability needs to be built into future products

Page 8:

Backup Procedure & Process

• Linked to Data Class/Retention Projects

• Reduce storage of non-critical data

• Efficient recovery of needed data

• Reduction of offsite storage costs

• Expedite Disaster Recovery

Page 9:

Telecommunications Security

• PBX Security
  – Audits
  – “Phreaking tools”

• RAS Security
  – Concerns of non-encrypted RAS use in some locations

• Analog Lines
  – Desktop Modems

• Mobile Phones
  – More secure
  – GSM
  – CDMA/TDMA

Page 10:

IAP Application Security

• As InfoSec professionals, work with developer and product security groups
  – Part of the design review from outset of product life cycle
  – Review potential vulnerabilities in 3rd party apps
  – Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

Page 11:

IAP Physical Security

• Relationship to Information Security

• Not just Guns, gates & guards
  – Controlled access system
  – Securing network taps in public areas
  – Securing phone/wiring closets
  – BP, JV & New Acquisition reviews
  – Physical Security Investigations

Page 12:

Threats to Information Security (network diagram; the labels below are recovered from the slide)

Network elements and entry points shown: Internet, CDCs, RDCs, Tail Sites, Data Centers, CorpNet, PSS, EVN, 3rd Party Connections, Labs, E-mail gateways, Proxies, Home LANs, PPTP/RAS Servers, Direct Taps, Remote Users

Threats shown: Unauthorized Access, Intrusions, Denial of Service, SPAM, Intellectual Property Theft, Virus, Phreaking, Malicious Code, Criminal / CI Use of Online Services

Page 13:

Strategic Technology & Security Consulting

• Test implementation of new Technologies
  – IPsec, IPv6, Kerberos, Certificates, Smartcards, Encryption, Biometrics

• Test new Connectivity Technology
  – xDSL, Cable Modem, Wireless

• Evaluate Security Technology
  – Firewalls, Monitors, Scanners

• Apply Technology to Security
  – Home LAN, Business Partners, Joint Ventures, Security Consulting

Page 14:

Red Team Mission

• Attack Corporate nets to find vulnerabilities before hackers do

• Develop comprehensive catalog of attack techniques
  – Reverse engineer hacker tools (BO/BO2K)

• Assess & verify compliance to CERT advisories, worldwide

• Monitor hacker activities on the internet (irc, newsgroups etc.)

• Improve security by iterative penetration testing

Page 15:

CERT Function (Computer Emergency Response Team)

• Responds to Security Incidents

• Provides real time Intrusion Detection Monitoring

• Interfaces with engineering teams.

• Database & Disseminate Security Advisories
  – Security Bulletins
  – Virus

• Provide “hot fixes” for RED Team

• De-Conflicts RED Team actions.

• Co-ordinates with other CERTS

• Handles SPAM issues

• Anti-Virus
  – Desktop
  – Internet Mail connectors
  – Proxies

Page 16:

Investigations Team

• Internal HR investigations

• Attacks against networks/systems
  – Hacks
  – Denial Of Service attacks
  – Criminal SPAM

• Impersonation of Employees/Executives

• Criminal Investigations
  – Obtain evidence for Law Enforcement/Defense
  – Computer Forensic assistance

Page 17:

User Education & Awareness

Page 18:

Info.Safe

• A global program

• Protect the most precious assets: Your ideas, plans, specifications, and code

• Not about what is bad - focus on risk awareness, and the propagation and reinforcement of good practices

“Information Security Awareness for Everyone”

Page 19:

Info.Safe – Communication & Learning

• Objectives:
  – Drive information and raise awareness
    • Risks and opportunities
  – Enable behavior change
    • Reinforce and recognize good practices

• Audiences: EVERYONE!
  – Management (All levels)
  – Technical staff
  – Administrative

Page 20:

Info.Safe – Communication & Learning

• Channels:
  – Electronic: Intranet
  – Live venues: Classroom, brownbag lunches, staff mtgs.
  – Print: Newsletters, brochures, posters

• Initiatives:
  – Website updates, security channel, publicity
  – Multipurpose slide deck, presenters kit
  – Briefing series
  – Info assurance recognition

Page 21:

Questions?

Howard A. Schmidt

425-936-3890

[email protected]