TRANSCRIPT
The Big Picture on Security
Frank O’Keeffe
Regional Information Security Manager
Microsoft Corporation
Agenda
• Introduction
• What is Information Security
• Evolving Threat Landscape
• Information Security at Microsoft
• Conclusions
• Questions
The ideal employee – or a “Potential Spy” (NSA)
• Volunteers for extra assignments
• Works late hours
• Takes work home
• Never takes a vacation
• Interested in what co-workers are doing
Why do we need security
Irish bank's stolen laptops contain 10,000 customer files
Agence France-Presse Posted date: April 22, 2008
DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday.
UK health agency loses 31,000 patients records
Monday, June 23, 2008
Unencrypted laptops containing 31,000 patient records have been lost by two NHS trusts.
A laptop containing 11,000 patient records was stolen from a GP’s home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.
Sixteen NI government laptops lost
BBC News
May 23, 2008
“A total of 16 laptop computers have disappeared from executive departments in the past year.
They were among a total of 38 electronic devices that were listed as lost or stolen since the start of May 2007.”
Opposition party press release:
October 1, 2008
“"I find it incredible to discover that 19 laptops, 3 desktops, at least 9 Blackberry mobile phones and 4 portable storage devices have been lost across the Departments in 2008. On average, a device that could contain sensitive information about people is lost nearly every week.”
What is Information Security
People – Processes – Technology
• Awareness and Training
• Employee exit
• Reference Checks
• Employee onboarding
• Access based on business need
• Vulnerability Management
• Network segmentation
• Intrusion detection
• Encryption
• Anti-malware
• Policies and Standards
• Incident Response
• Separation of Duties
• Systems Development Lifecycle
Evolving Threat Landscape
1986–1995: Local Area Networks
• First PC virus
• Boot sector viruses
• Create notoriety or cause havoc
• Slow propagation
• 16-bit DOS
1995–2000: Internet Era
• Macro viruses
• Script viruses
• Create notoriety or cause havoc
• Faster propagation
• 32-bit Windows
2000–2005: Broadband prevalent
• Spyware, Spam
• Phishing
• Botnets
• Rootkits
• Financial motivation
• Internet wide impact
• 32-bit Windows
2006+
• Hyper jacking
• Peer to Peer
• Social engineering
• Application attacks
• Financial motivation
• Targeted attacks
• 64-bit Windows
Evolving Threat Landscape
[Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against skill level (Amateur, Expert, Specialist). Attacker types shown: Script-Kiddy, Author, Vandal, Trespasser, Thief, Spy. Annotations: largest area by volume; largest area by $ lost; largest segment by $ spent on defense; fastest growing segment.]
Crime On The Rise
Layers under attack: Hardware, O/S, Drivers, Applications, GUI, User, Physical
Examples:
• Spyware
• Rootkits
• Application attacks
• Phishing/Social engineering
• Decreasing patch window
• Zero-day attacks
Attacks Getting More Sophisticated
Traditional defenses are inadequate
Increasingly Sophisticated Malware
Anti-malware alone is not sufficient
[Chart: number of variants from over 7,000 malware families (1H07), by category: Trojan Downloader/Dropper, Exploit, Worm, Keyloggers &c, Backdoor, Virus, Rootkit; y-axis from 0 to 160,000 variants.]
Source: Microsoft Security Intelligence Report (January – June 2007)
Exponential Growth of IDs
Identity and access management challenging
[Chart: number of digital IDs over time – Pre-1980s (mainframe), 1980s (client/server), 1990s (Internet), 2000s (mobility); growth driven by B2B, B2C and C2C relationships.]
Microsoft IT Environment (Redmond, Dublin, Singapore)
• 3,000,000+ internal e-mail messages per day
• 99.99% availability
• 106,000 end users
• 98 countries/regions
• 441 buildings
• 132 Internet Connected Offices
• 360,000+ PCs and devices
• 1.9-terabyte database single instance SAP
• 42,000,000+ remote connections/month
• 116,000+ e-mail accounts
Information Security Drivers
• Business: Global Business Model, Customer Requirements, Supplier Requirements
• Regulations: Security of Information Assets, Privacy Protection, Industry Mandates
• Technology: Mobile Devices, Collaboration Tools, Dogfooding
• Risk and Value
Microsoft Information Security Concerns
• Regulatory and statutory compliance
• Mobility of data
• Unauthorized access to data
• Malicious software
• Supporting an evolving client
Security Teams
Information Security Embedded in the Business
Microsoft IT Information Security
Trustworthy Computing
On Line Services Information Security
Stakeholders
Risk Management
Policy
Compliance
Product Security
Forensics and investigations
Network monitoring
Hotmail
MSN
Windows Live
Security Champions
Privacy Champions
Security Policy: A Layered Approach
Microsoft Information Security Program (MISP)
• Accountabilities that require Microsoft to operate a security program
• Establishes framework for a risk- & policy-based approach to protecting assets
Information Security Policy
• Contains principles for protecting and properly using corporate resources
• Supports specific BU security standards, operating procedures, and guidelines
Information Security Standards
• Provide requirements and prescriptive guidance that enables users to comply with the Information Security Policy
Information Security Challenges – Where’s the Data
Data
• In transit
• In databases
• In spreadsheets
• On a network share
• On my phone
• On my laptop
• Through web applications
• Outsourced to 3rd party
Case Study - BitLocker
Strategy and Preparation / Deployment
• Pilot to determine best deployment method
• Focus on high-risk mobile users
• Executive Support
• TPM + PIN preferred model (otherwise USB start-up key)
• Policy requires personal presence
• BitLocker image developed
• Multiple hardware types
• Install fairs to drive deployment
• Helpdesk and support technicians trained
• New laptops “BitLocker ready”
• Scripts to monitor compliance
• Recovery enabled through Active Directory
• Targeted user education
• Support materials for self-install
Technet – IT Showcase - Deployment Planning for BitLocker Drive Encryption for Windows Vista
Microsoft needed to reduce the likelihood of its intellectual property and personally identifiable information (PII) being stolen from employees' computers. Additionally, Microsoft wanted to demonstrate for its customers how to protect against these threats.
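As an added example (not from the deck and not Microsoft IT's own tooling), a PowerShell compliance check in the spirit of the "scripts to monitor compliance" item: it inspects the OS volume, reports whether the preferred TPM + PIN model (or the USB start-up key fallback) is in place, checks that a recovery password exists, and optionally escrows it to Active Directory. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), which the Vista-era deployment would not have had.

```powershell
# Added example, not Microsoft IT's own script. Assumes the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated session.
Import-Module BitLocker -ErrorAction Stop

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Operating-system volume to check; defaults to the system drive.
        [string]$MountPoint = $env:SystemDrive,
        # When set, push any recovery password protector into Active Directory
        # (the "recovery enabled through Active Directory" step of the case study).
        [switch]$EscrowToAD
    )

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpmPin   = $types -contains 'TpmPin'            # preferred model
    $hasUsbKey   = $types -contains 'ExternalKey'       # USB start-up key fallback
    $hasRecovery = $types -contains 'RecoveryPassword'  # needed for helpdesk recovery
    $encrypted   = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    if ($EscrowToAD -and $hasRecovery) {
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            }
    }

    # One object per machine; suitable for Export-Csv or a compliance database.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        UnlockMethod     = if ($hasTpmPin) { 'TPM+PIN' } elseif ($hasUsbKey) { 'USB start-up key' } else { 'none/other' }
        RecoveryPassword = $hasRecovery
        Compliant        = $encrypted -and ($hasTpmPin -or $hasUsbKey) -and $hasRecovery
    }
}

# Local check; run the same function through Invoke-Command against a list of
# laptops to build the fleet-wide report.
Test-BitLockerCompliance | Format-List
```

A machine with a plain TPM-only protector, or with no recovery password, is reported non-compliant even though the disk is encrypted, which matches the case study's stated preferred model.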
Conclusions
• Security must support business objectives
• Requires leadership visibility and support
• Controls based on risk
• Combines people, processes, technology
• Focus on vital assets and data
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.