Howard A. Schmidt Chief Security Officer Microsoft Corporation
Howard A. Schmidt
Chief Security Officer
Microsoft Corporation
Security@Microsoft
May 2001
Topics
  Microsoft Information Assurance Program (MIAP)
  Information Security Teams and Roles
  IA Technology and Trends
  Community Leadership
  Q&A
Microsoft Information Assurance Program
Securing the Digital Nervous System
  (Diagram labels: Network, Data Center, PCs, Information & Communications)
  400+ worldwide IT locations
  4 M+ e-mail messages per day
  9 million voice calls per month
  145 video conference sites
  12,000+ servers
  Over 150,000 PCs
  Over 600 line of business applications
Pillars of IA Program
  (Diagram labels)
  Disaster Recovery
  Backup Strategy
  Telecomm Security
  Physical Security
  Application Security
  Information Security
  Class and Retention
  Information Assurance Program
IAP Objectives
  Right information, to the right person at the right time, ANYWHERE, ANYTIME, ANY DEVICE
  Authorized un-compromised access
  Reliable/Available
  What you sent is what they get (WYSIWTG)
  Consist of programs, processes & procedures
  Corporate wide program
  IA program should be an "umbrella" for all Information Assurance activities
Telecommunications Security
  PBX Security
    Audits
    "Phreaking tools"
  RAS Security
    Concerns of non-encrypted RAS use in some locations
    Analog Lines
    Desktop Modems
  Mobile Phones
    More secure
      GSM
      CDMA/TDMA
IAP Application Security
  As InfoSec professionals, work with developer and product security groups
  Part of the design review from outset of product life cycle
  Review potential vulnerabilities in 3rd party apps
  Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better
IAP Physical Security
  Relationship to information assurance program
  Not just gates & guards
  Controlled access system
  Securing network taps in public areas
  Securing phone/wiring closets
  BP, JV & new acquisition reviews
Threats to Information Security
  (Diagram: network elements) Internet, CDCs, RDCs, Tail Sites, Data Centers, CorpNet, PSS EVN, 3rd Party Connections, Labs, E-mail gateways, Proxies, Home LANs, PPTP/RAS Servers, Direct Taps, Remote Users
  (Diagram: threats) Unauthorized Access, Intrusions, Denial of Service, SPAM, Intellectual Property Theft, Virus, Phreaking, Malicious Code, Criminal/CI Use of Online Services
Building Blocks of Robust Security
  Engineer it securely
  Secure it before you deploy it
  Administer it securely
  Test its defenses
  Respond to its weakness/exploits
  Investigate the threats
  Education and awareness
Security Structure
  World-Wide Security Operations (Phys)
    Campus Security Guards
    Facilities Security Design & Access Controls
    Executive/Employee Security Services
  World-Wide IT Security
    Vulnerability assessment team (Red Team)
    Crypto Mgt./PKI
    Security Consulting
    Network Incident Response Team
    Project Management office
    Security Communications & Tools Development
    Business Support Office
    Investigations and Financial Recovery
Enterprise Directory Management
  Professional system administrators (First line of defense)
  Account/machine permissions
  Add, remove, change, create shares
  Troubleshooting
  Create local/global groups on shares and domains
  Domain and trust approvals, creation, removal and support
  1st Tier Account Auditing
  Site support for the Intranet environment
Vulnerability Assessment Team (Red Team)
  Audit Corporate nets to find vulnerabilities before hackers do
  Develop comprehensive catalog of attack techniques
  Reverse engineer hacker tools (BO/BO2K)
  Assess & verify compliance to CERT advisories, worldwide
  Monitor hacker activities on the internet (irc, newsgroups etc.)
  Improve security by iterative penetration testing
Emergency Response Function (MS-CERT)
  Responds to Security Incidents
  Provides real time intrusion detection Monitoring
  Interfaces with engineering teams
  Database & Disseminate Security Advisories
    Security Bulletins (internal)
    Virus
  Provide "hot fixes" for Red Team
  De-conflicts Red Team actions
  Co-ordinates with other CERTs
  Handles SPAM issues
  Anti-Virus
    Desktop
    Internet Mail connectors
    Proxies
    Exchange AV
Product Security Response Center (MSRC) (Part of Product Group)
  Interface to Microsoft customers
    Suspected/reported vulnerabilities
    Dissemination of patches and bulletins
    Proactive security information and best practices
  Interface to MS-CERT and Red Team
    Internally detected vulnerabilities and attacks
    Warning of externally reported vulnerabilities
  Coordinate product team response
Product Teams (SE and Dev)
  Sustaining engineering (SE teams)
    Evaluate reported vulnerabilities
    Search for related problems on valid report
    Produce, test, package patch
  Product teams (program management, development, test)
    Back up SE teams
    Incorporate lessons learned in new products
    Improve processes and products
      New security features and standards
      Reduced vulnerabilities
Investigations Team
  Internal HR related
  Attacks against networks/systems
    Hacks
    Denial Of Service attacks
    "Criminal" SPAM
    Impersonation of Employees/Executives
  Criminal Investigations
    Obtain evidence for Law Enforcement/Defense
    Computer Forensic assistance
Technology and Trends
  IA Strategic Technology and Consulting team focuses on new technologies
    Evaluation
    Pilots
    Early applications
  Microsoft products and betas
    "Dogfooding" security
  Third party tools and technologies
Key Technology Trends
  Secure management
    Active directory
    Security configuration toolset
    Group policy
  Authentication
    Kerberos (strong distributed authentication)
    Smart cards
    Biometrics
    PKI
  Network Security
    Integrated remote access and VPN
    IPsec VPN
    Cable and DSL
Key Technology Trends (continued)
  Firewalls
    Integrated management (ISA Server)
    HTTP as universal transport
    Firewall appliances
    Personal firewalls
  Intrusion detection
    Still an evolving technology
    Volume of reports
    False positives, missed events
  Vulnerability scanning
    Many products
    Useful but labor intensive
Community Leadership
  Infrastructure protection
  Cyber crime and law enforcement
  Computer Security and Privacy Advisory Board
  Chief Information Security Officers' Forum
  Security Summit
  Public/Private Partnerships
    Critical Infrastructure Assurance Office (CIAO)
    President's Committee of Advisors on Science and Technology (PCAST)
    Institute for Information Infrastructure Protection (I3P)
    NATO/Lathe Gambit
    Information Sharing and Analysis Centers (ISACs)
    National White Collar Crime Center (NWCCC)
    National/Regional CyberCrime Summits (DoJ)
    National CyberCrime Training Partnership (NCTP)
    NIST/NIJ Computer Crime Pamphlets
    G8 Cyber-Crime Sub Committee
    National Security Telecommunications Advisory Council (NSTAC)
Questions?
Howard A. Schmidt
425-936-3890