Security@Microsoft MAY 2001 Howard A. Schmidt Chief Security Officer Microsoft Corporation
Topics • Microsoft Information Assurance Program (MIAP) • Information Security Teams and Roles • IA Technology and Trends • Community Leadership • Q&A
Securing the Digital Nervous System • Network: 400+ worldwide IT locations • Information & communications: 9 million voice calls per month; 4M+ e-mail messages per day; 145 video conference sites • Data center: over 600 line-of-business applications; 12,000+ servers • PCs: over 150,000 PCs
Information Assurance Program • Pillars of the IA program: • Classification and Retention • Information Security • Telecomm Security • Backup Strategy • Application Security • Physical Security • Disaster Recovery
IAP Objectives • Right information, to the right person, at the right time, ANYWHERE, ANYTIME, ANY DEVICE • Authorized, uncompromised access • Reliable/available • What you sent is what they get (WYSIWTG) • Consists of programs, processes and procedures • Corporate-wide program • The IA program should be an “umbrella” for all Information Assurance activities
Telecommunications Security • PBX security audits (“phreaking tools”) • RAS security: concerns about unencrypted RAS use in some locations • Analog lines • Desktop modems • Mobile phones: GSM and CDMA/TDMA are more secure
IAP Application Security • As InfoSec professionals, work with developer and product security groups • Part of the design review from outset of product life cycle • Review potential vulnerabilities in 3rd party apps • Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better
IAP Physical Security • Relationship to the information assurance program • Not just gates & guards • Controlled access system • Securing network taps in public areas • Securing phone/wiring closets • BP (business partner), JV (joint venture) and new-acquisition reviews
Threats to Information Security (diagram) • Threats shown: intellectual property theft, unauthorized access, intrusions, criminal/CI use of online services, SPAM, virus, denial of service, phreaking, malicious code • Entry points and assets shown: Internet, home LANs, e-mail gateways, PPTP/RAS servers, remote users, proxies, direct taps, labs, Internet data centers, CDCs, RDCs, tail sites, CorpNet, 3rd-party connections, PSS, EVN
Building Blocks of Robust Security • Engineer it securely • Secure it before you deploy it • Administer it securely • Test its defenses • Respond to its weaknesses/exploits • Investigate the threats • Education and awareness
Security Structure • World-Wide Security Operations (Physical) • Campus Security Guards • Facilities Security Design & Access Controls • Executive/Employee Security Services • World-Wide IT Security • Vulnerability Assessment Team (Red Team) • Crypto Mgt./PKI • Security Consulting • Network Incident Response Team • Project Management Office • Security Communications & Tools Development • Business Support Office • Investigations and Financial Recovery
Enterprise Directory Management • Professional system administrators (First line of defense) • Account/machine permissions • Add, remove, change, create shares • Troubleshooting • Create local/global groups on shares and domains • Domain and trust • Approvals, creation, removal and support • 1st Tier Account Auditing • Site support for the Intranet environment
Vulnerability Assessment Team (Red Team) • Audit corporate networks to find vulnerabilities before hackers do • Develop a comprehensive catalog of attack techniques • Reverse engineer hacker tools (Back Orifice: BO/BO2K) • Assess & verify compliance with CERT advisories, worldwide • Monitor hacker activities on the Internet (IRC, newsgroups, etc.) • Improve security by iterative penetration testing
Emergency Response Function (MS-CERT) • Responds to security incidents • Provides real-time intrusion detection monitoring • Interfaces with engineering teams • Maintains a database of, and disseminates, security advisories • Security bulletins (internal) • Virus • Provides “hot fixes” for the Red Team • De-conflicts Red Team actions • Coordinates with other CERTs • Handles SPAM issues • Anti-virus: desktop, Internet mail connectors, proxies, Exchange AV
Product Security Response Center (MSRC) (part of the product group) • Interface to Microsoft customers • Suspected/reported vulnerabilities • Dissemination of patches and bulletins • Proactive security information and best practices • Interface to MS-CERT and Red Team • Internally detected vulnerabilities and attacks • Warning of externally reported vulnerabilities • Coordinate product team response
Product Teams (SE and Dev) • Sustaining engineering (SE teams) • Evaluate reported vulnerabilities • Search for related problems on valid report • Produce, test, package patch • Product teams (program management, development, test) • Back up SE teams • Incorporate lessons learned in new products • Improve processes and products • New security features and standards • Reduced vulnerabilities
Investigations Team • Internal HR-related matters • Attacks against networks/systems • Hacks • Denial of Service attacks • “Criminal” SPAM • Impersonation of employees/executives • Criminal investigations • Obtain evidence for law enforcement/defense • Computer forensic assistance
Technology and Trends • IA Strategic Technology and Consulting team focuses on new technologies • Evaluation • Pilots • Early applications • Microsoft products and betas • “Dogfooding” security • Third party tools and technologies
Key Technology Trends • Secure management • Active directory • Security configuration toolset • Group policy • Authentication • Kerberos (strong distributed authentication) • Smart cards • Biometrics • PKI • Network Security • Integrated remote access and VPN • IPsec VPN • Cable and DSL
Key Technology Trends • Firewalls • Integrated management (ISA Server) • HTTP as universal transport • Firewall appliances • Personal firewalls • Intrusion detection • Still an evolving technology • Volume of reports • False positives, missed events • Vulnerability scanning • Many products • Useful but labor intensive
Community Leadership • Infrastructure protection • Cyber crime and law enforcement • Computer Security and Privacy Advisory Board • Chief Information Security Officers’ Forum • Security Summit
Public/Private Partnerships • Critical Infrastructure Assurance Office (CIAO) • President’s Committee of Advisors on Science and Technology (PCAST) • Institute for Information Infrastructure Protection (I3P) • NATO/Lathe Gambit • Information Sharing and Analysis Centers (ISACs) • National White Collar Crime Center (NWCCC) • National/Regional CyberCrime Summits (DoJ) • National CyberCrime Training Partnership (NCTP) • NIST/NIJ Computer Crime Pamphlets • G8 Cyber-Crime Sub Committee • National Security Telecommunications Advisory Council (NSTAC)
Questions? Howard A. Schmidt 425-936-3890 howards@microsoft.com howard.schmidt1@us.army.mil