
“CFIT Telediscussion”

“CFIT Telediscussion”. January 20th, 2000. Howard A. Schmidt, Director, Information Security (CISO), Microsoft Corporation. Topics: Information Assurance Program Core Competencies; Information Security Responsibilities/Structure; Q & A.



Presentation Transcript


  1. “CFIT Telediscussion”
     January 20th, 2000
     Howard A. Schmidt
     Director, Information Security (CISO)
     Microsoft Corporation

  2. Topics
     • Information Assurance Program Core Competencies
     • Information Security Responsibilities/Structure
     • Q & A
     IAP – Howard A. Schmidt

  3. Information Assurance Program

  4. Information Assurance Program: Pillars of IA Core Competencies
     • Backup Strategy
     • Information Security
     • Data Class/Retention
     • Telecomm Security
     • Application Security
     • Physical Security
     • Disaster Recovery

  5. IAP Objectives
     • Right information, to the right person at the right time
     • Authorized un-compromised access
     • Reliable/Available
     • What you sent is what they get (WYSIWTG)
     • Consist of programs, processes & procedures
     • Corporate wide program
     • IAP project should be an “umbrella” for all Information Assurance activities

  6. Business Continuity Plan
     • Disasters
       • Virus
       • Fire
       • Natural
       • Sabotage
       • Y2K
       • Hacks
     • 24-48 Hrs ramp up to minimum configuration
     • How many Critical Apps exist (including Infrastructure)?
     • Enterprise Wide Data Centers
     • Does NOT create redundant data centers
     • Expensive
     • Technology

  7. Data Retention/Classification
     • ALL data is not the same.
       • Legal
       • Financial
       • Historical
       • Personal
     • E-Mail & attachments comprised of information from routine to highly confidential.
     • Various retention periods (by law)
     • Consolidation of group servers/shares (1st Step)
     • Capability needs to be built into future products

  8. Backup Procedure & Process
     • Linked to Data Class/Retention Projects
     • Reduce storage of non-critical data
     • Efficient recovery of needed data
     • Reduction of offsite storage costs
     • Expedite Disaster Recovery

  9. Telecommunications Security
     • PBX Security
       • Audits
       • “Phreaking tools”
     • RAS Security
       • Concerns of non-encrypted RAS use in some locations
     • Analog Lines
       • Desktop Modems
     • Mobile Phones
       • More secure
       • GSM
       • CDMA/TDMA

  10. IAP Application Security
     • As InfoSec professionals, work with developer and product security groups
     • Part of the design review from outset of product life cycle
     • Review potential vulnerabilities in 3rd party apps
     • Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

  11. IAP Physical Security
     • Relationship to Information Security
     • Not just Guns, gates & guards
     • Controlled access system
     • Securing network taps in public areas
     • Securing phone/wiring closets
     • BP, JV & New Acquisition reviews
     • Physical Security Investigations

  12. Threats to Information Security
     (Diagram: a map of CorpNet and its connection points, annotated with threats. Labels recovered from the slide follow.)
     Connection points / exposure areas:
     • Internet
     • Home LANs
     • E-mail gateways
     • PPTP/RAS Servers
     • Remote Users
     • Proxies
     • Direct Taps
     • Labs
     • Internet Data Centers
     • CDCs, RDCs, Tail Sites
     • CorpNet
     • 3rd Party Connections
     • PSS
     • EVN
     Threats:
     • Intellectual Property Theft
     • Unauthorized Access
     • Intrusions
     • Criminal / CI Use of Online Services
     • SPAM
     • Virus
     • Denial of Service
     • Phreaking
     • Malicious Code

  13. Strategic Technology & Security Consulting
     • Test implementation of new Technologies
       • IPsec, IPv6, Kerberos, Certificates, Smartcards, Encryption, Biometrics
     • Test new Connectivity Technology
       • xDSL, Cable Modem, Wireless
     • Evaluate Security Technology
       • Firewalls, Monitors, Scanners
     • Apply Technology to Security
       • Home LAN, Business Partners, Joint Ventures, Security Consulting

  14. Red Team Mission
     • Attack Corporate nets to find vulnerabilities before hackers do
     • Develop comprehensive catalog of attack techniques
     • Reverse engineer hacker tools (BO/BO2K)
     • Assess & verify compliance to CERT advisories, worldwide
     • Monitor hacker activities on the internet (irc, newsgroups etc.)
     • Improve security by iterative penetration testing

  15. CERT Function (Computer Emergency Response Team)
     • Responds to Security Incidents
     • Provides real time Intrusion Detection Monitoring
     • Interfaces with engineering teams.
     • Database & Disseminate Security Advisories
       • Security Bulletins
       • Virus
     • Provide “hot fixes” for RED Team
     • De-Conflicts RED Team actions.
     • Co-ordinates with other CERTS
     • Handles SPAM issues
     • Anti-Virus
       • Desktop
       • Internet Mail connectors
       • Proxies

  16. Investigations Team
     • Internal HR investigations
     • Attacks against networks/systems
       • Hacks
       • Denial Of Service attacks
       • Criminal SPAM
       • Impersonation of Employees/Executives
     • Criminal Investigations
     • Obtain evidence for Law Enforcement/Defense
     • Computer Forensic assistance

  17. User Education & Awareness

  18. Info.Safe
     • A global program
     • Protect the most precious assets: Your ideas, plans, specifications, and code
     • Not about what is bad; focus on risk awareness, and the propagation and reinforcement of good practices
     “Information Security Awareness for Everyone”

  19. Info.Safe Communication & Learning
     Objectives:
     • Drive information and raise awareness
     • Risks and opportunities
     • Enable behavior change
     • Reinforce and recognize good practices
     Audiences: EVERYONE!
     • Management (All levels)
     • Technical staff
     • Administrative

  20. Info.Safe Communication & Learning
     Channels:
     • Electronic: Intranet
     • Live venues: Classroom, brownbag lunches, staff mtgs.
     • Print: Newsletters, brochures, posters
     Initiatives:
     • Website updates, security channel, publicity
     • Multipurpose slide deck, presenters kit
     • Briefing series
     • Info assurance recognition

  21. Questions?
     Howard A. Schmidt
     425-936-3890
     howards@microsoft.com
