Howard A. Schmidt Chief Security Officer Microsoft Corporation

Security@Microsoft MAY 2001


Transcript of Howard A. Schmidt Chief Security Officer Microsoft Corporation

Page 1: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Howard A. Schmidt
Chief Security Officer
Microsoft Corporation

Security@Microsoft
MAY 2001

Page 2: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Topics

• Microsoft Information Assurance Program (MIAP)
• Information Security Teams and Roles
• IA Technology and Trends
• Community Leadership
• Q&A

Page 3: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Microsoft Information Assurance Program

Page 4: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Securing the Digital Nervous System

[Diagram labels: Network; Data Center; PCs; Information & Communications]

• 400+ worldwide IT locations
• 4 M + e-mail messages per day
• 9 million voice calls per month
• 145 video conference sites
• 12,000 + servers
• Over 150,000 PCs
• Over 600 line of business applications

Page 5: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Pillars of IA Program

[Diagram: Information Assurance Program, with pillars labelled Disaster Recovery; Backup Strategy; Telecomm Security; Physical Security; Application Security; Information Security; Class and Retention]

Page 6: Howard A. Schmidt Chief Security Officer Microsoft Corporation

IAP Objectives

• Right information, to the right person at the right time, ANYWHERE, ANYTIME, ANY DEVICE
• Authorized un-compromised access
• Reliable/Available
• What you sent is what they get (WYSIWTG)
• Consist of programs, processes & procedures
• Corporate wide program
• IA program should be an “umbrella” for all Information Assurance activities

Page 7: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Telecommunications Security

• PBX Security
  • Audits
  • “Phreaking tools”
• RAS Security
  • Concerns of non-encrypted RAS use in some locations
• Analog Lines
  • Desktop Modems
• Mobile Phones
  • More secure
  • GSM
  • CDMA/TDMA

Page 8: Howard A. Schmidt Chief Security Officer Microsoft Corporation

IAP Application Security

• As InfoSec professionals, work with developer and product security groups
• Part of the design review from outset of product life cycle
• Review potential vulnerabilities in 3rd party apps
• Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

Page 9: Howard A. Schmidt Chief Security Officer Microsoft Corporation

IAP Physical Security

• Relationship to information assurance program
• Not just gates & guards
  • Controlled access system
  • Securing network taps in public areas
  • Securing phone/wiring closets
  • BP, JV & new acquisition reviews

Page 10: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Threats to Information Security

[Diagram labels: Unauthorized Access; Internet; CDCs, RDCs; Tail Sites; Internet Data Centers; CorpNet; PSS EVN; 3rd Party Connections; Labs; E-mail gateways; Proxies; Home LANs; PPTP/RAS Servers; Direct Taps; Remote Users; Intrusions; Denial of Service; SPAM; Intellectual Property Theft; Virus; Phreaking; Malicious Code; Criminal / CI Use of Online Services]

Page 11: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Building Blocks of Robust Security

• Engineer it securely
  • Secure it before you deploy it
• Administer it securely
• Test its defenses
• Respond to its weakness/exploits
• Investigate the threats
• Education and awareness

Page 12: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Security Structure

• World-Wide Security Operations (Phys)
  • Campus Security Guards
  • Facilities Security Design & Access Controls
  • Executive/Employee Security Services
• World-Wide IT Security
  • Vulnerability assessment team (Red Team)
  • Crypto Mgt./PKI
  • Security Consulting
  • Network Incident Response Team
  • Project Management office
  • Security Communications & Tools Development
  • Business Support Office
  • Investigations and Financial Recovery

Page 13: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Enterprise Directory Management

• Professional system administrators (First line of defense)
• Account/machine permissions
• Add, remove, change, create shares
• Troubleshooting
• Create local/global groups on shares and domains
• Domain and trust
• Approvals, creation, removal and support
• 1st Tier Account Auditing
• Site support for the Intranet environment

Page 14: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Vulnerability Assessment Team (Red Team)

• Audit Corporate nets to find vulnerabilities before hackers do
• Develop comprehensive catalog of attack techniques
• Reverse engineer hacker tools (BO/BO2K)
• Assess & verify compliance to CERT advisories, worldwide
• Monitor hacker activities on the internet (irc, newsgroups etc.)
• Improve security by iterative penetration testing

Page 15: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Emergency Response Function (MS-CERT)

• Responds to Security Incidents
• Provides real time intrusion detection Monitoring
• Interfaces with engineering teams.
• Database & Disseminate Security Advisories
  • Security Bulletins (internal)
  • Virus
• Provide “hot fixes” for Red Team
• De-conflicts Red Team actions.
• Co-ordinates with other CERTS
• Handles SPAM issues
• Anti-Virus
  • Desktop
  • Internet Mail connectors
  • Proxies
  • Exchange AV

Page 16: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Product Security Response Center (MSRC)
(Part of Product Group)

• Interface to Microsoft customers
  • Suspected/reported vulnerabilities
  • Dissemination of patches and bulletins
  • Proactive security information and best practices
• Interface to MS-CERT and Red Team
  • Internally detected vulnerabilities and attacks
  • Warning of externally reported vulnerabilities
• Coordinate product team response

Page 17: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Product Teams (SE and Dev)

• Sustaining engineering (SE teams)
  • Evaluate reported vulnerabilities
  • Search for related problems on valid report
  • Produce, test, package patch
• Product teams (program management, development, test)
  • Back up SE teams
  • Incorporate lessons learned in new products
  • Improve processes and products
  • New security features and standards
  • Reduced vulnerabilities

Page 18: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Investigations Team

• Internal HR related.
• Attacks against networks/systems
  • Hacks
  • Denial Of Service attacks
  • “Criminal” SPAM
• Impersonation of Employees/Executives
• Criminal Investigations
  • Obtain evidence for Law Enforcement/Defense
  • Computer Forensic assistance

Page 19: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Technology and Trends

• IA Strategic Technology and Consulting team focuses on new technologies
  • Evaluation
  • Pilots
  • Early applications
• Microsoft products and betas
  • “Dogfooding” security
• Third party tools and technologies

Page 20: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Key Technology Trends

• Secure management
  • Active directory
  • Security configuration toolset
  • Group policy
• Authentication
  • Kerberos (strong distributed authentication)
  • Smart cards
  • Biometrics
  • PKI
• Network Security
  • Integrated remote access and VPN
  • IPsec VPN
  • Cable and DSL

Page 21: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Key Technology Trends

• Firewalls
  • Integrated management (ISA Server)
  • HTTP as universal transport
  • Firewall appliances
  • Personal firewalls
• Intrusion detection
  • Still an evolving technology
  • Volume of reports
  • False positives, missed events
• Vulnerability scanning
  • Many products
  • Useful but labor intensive

Page 22: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Community Leadership

• Infrastructure protection
• Cyber crime and law enforcement
• Computer Security and Privacy Advisory Board
• Chief Information Security Officers’ Forum
• Security Summit

Page 23: Howard A. Schmidt Chief Security Officer Microsoft Corporation

Public/Private Partnerships

• Critical Infrastructure Assurance Office (CIAO)
• President’s Committee of Advisors on Science and Technology (PCAST)
• Institute for Information Infrastructure Protection (I3P)
• NATO/Lathe Gambit
• Information Sharing and Analysis Centers (ISACs)
• National White Collar Crime Center (NWCCC)
• National/Regional CyberCrime Summits (DoJ)
• National CyberCrime Training Partnership (NCTP)
• NIST/NIJ Computer Crime Pamphlets
• G8 Cyber-Crime Sub Committee
• National Security Telecommunications Advisory Council (NSTAC)