Security Technology: A 360° perspective
Steven Adler, Security Strategist, Microsoft EMEA

Agenda
Current Situation
Implementing a Security Policy
Creating a Secure Connected Infrastructure
  Secure Network Connectivity
  Identity Management
  Security Management & Operations
  .NET Framework
Summary
Increasing number of attacks
CERT Incident summary 1988 - 2003
[Chart: incidents reported per year, 1988 to 2002; y-axis 0 to 160,000]
Source: Symantec, CERT Incident Summary
Cost of security incidents

Item                                     Overall             Large Business
Disruption to business                   £5,000 - £10,000    £50,000 - £150,000
                                         over 1-2 days       over 1-3 days
Time spent responding to incident        £500 - £1,000       £3,000 - £6,000
                                         2-4 man days        10-20 man days
Direct cash spent responding to incident £1,000 - £2,000     £5,000 - £10,000
Direct financial loss                    £200 - £500         £2,000 - £4,000
Damage to reputation                     £100 - £300         £5,000 - £20,000
Total cost of worst incident on average  £7,000 - £14,000    £65,000 - £190,000

Source: Information Security Breaches Survey 2004, UK Dept. of Trade and Industry
Implementation of security policies
[Chart: implementation of security policies by organisation size, scale 0-100: Small (1-49), Medium (50-249), Large (250+); ISBS 2004 vs ISBS 2002]
Source: Information Security Breaches Survey 2004, UK Dept. of Trade and Industry
Principles of IT Security - BS7799
Confidentiality: protection from unauthorized disclosure of sensitive information, both business and personal
Integrity: making sure that information is always accurate and up to date
Availability: making sure that vital information and services are always available to authorized users whenever necessary
Authenticity: making sure the source of the information is really what it claims to be
Accountability: making sure you get the information where you want it, when you need it!
Security Policies BS7799
Security policy
Organizational security
Asset classification & control
Personnel security
Physical & environmental security
Communications & operations management
Access control
Systems development & maintenance
Business continuity management
Compliance
Adopting in-depth defence
Aim of strategy is to:
  Increase an attacker’s risk of detection
  Reduce an attacker’s chance of success

Layer                              Controls
Policies, Procedures, & Awareness  User education
Physical Security                  Guards, locks, tracking devices
Perimeter                          Firewalls, VPN quarantine
Internal Network                   Network segments, IPSec, NIDS
Host                               OS hardening, patch management, authentication, HIDS
Application                        Application hardening, antivirus
Data                               ACL, encryption
Access Control
“To control access according to Business and Security requirements” – BS 7799
Business requirements
User access management
User responsibilities
Network access control
Operating System access control
Application access control
Monitoring System access control
Mobile Computing and Teleworking
Some examples of BS7799
9.7.2 Monitoring System Use: “Access is to be logged and monitored to identify potential misuse of systems or information”
5.2.1 Information Classification: “The organisation must record, maintain and update a database of its information assets”
8.1.3 Security Incident Handling: “Information relating to security incidents may only be released by authorised persons”
Applying BS7799 in Windows
Access Controls
  NTFS and Access Control Lists (ACL)
Monitoring System Use
  Windows Audit logs
  IIS, ISA logs
  Windows Management Instrumentation (WMI)
  Microsoft Operations Manager
Password Policy
  Enforce password complexity & lifecycle using Group Policy
  Higher security requirements may be enforced via physical tokens (smartcard)
Password Policies
Minimum Password Length
Password Complexity (e.g. 0-9, A-z, #-@)
Password Ageing
Password History
Reduce the number of accounts/passwords (e.g. Single Sign-on, Password synchronization)
Enforce smartcard usage
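As an added example (not from the deck), the policy knobs above written out as a checker in C: minimum length, the Windows-style three-of-four character-class complexity rule, the account name not appearing in the password (a simplification of the Windows check), and a bounded password history. The thresholds are assumed values, not Microsoft defaults.

```c
#include <ctype.h>
#include <string.h>

/* Policy knobs from the slide; these particular values are assumptions. */
#define MIN_PASSWORD_LEN  8
#define MIN_CLASSES       3    /* Windows complexity rule: 3 of the 4 classes */
#define PASSWORD_HISTORY  24   /* previous passwords a user may not reuse */

enum policy_result { PW_OK = 0, PW_TOO_SHORT, PW_TOO_FEW_CLASSES,
                     PW_CONTAINS_USERNAME, PW_IN_HISTORY };

/* Count the character classes present: digits, upper, lower, other (#-@ ...). */
static int char_classes(const char *pw)
{
    int digit = 0, upper = 0, lower = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isdigit(c)) digit = 1; else if (isupper(c)) upper = 1;
        else if (islower(c)) lower = 1; else other = 1;
    }
    return digit + upper + lower + other;
}

/* Case-insensitive substring test: the account name must not appear in the password. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (; strlen(hay) >= n; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* history: the user's previous passwords, newest first (a real store would
   hold hashes, never plaintext). Returns the first rule the candidate breaks. */
enum policy_result check_password(const char *pw, const char *username,
                                  const char *const *history, size_t count)
{
    if (strlen(pw) < MIN_PASSWORD_LEN) return PW_TOO_SHORT;
    if (char_classes(pw) < MIN_CLASSES) return PW_TOO_FEW_CLASSES;
    if (contains_ci(pw, username)) return PW_CONTAINS_USERNAME;
    if (count > PASSWORD_HISTORY) count = PASSWORD_HISTORY; /* only remembered ones */
    for (size_t i = 0; i < count; i++)
        if (strcmp(pw, history[i]) == 0) return PW_IN_HISTORY;
    return PW_OK;
}
```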
Secure Network Connectivity
ISA Server
Windows 2000, Windows .NET Server
Virtual Private Networking (VPN)
Wireless (802.11b, 802.1x)
IPSec
X.509 v3 PKI
Secure Wireless LAN
[Diagram: Laptop (Domain User Certificate) -> 802.11/802.1X Access Point (Controlled Port, Uncontrolled Port) -> RADIUS (IAS), Domain Controller, Certificate Authority; behind the access point: DHCP, Exchange, File, Peers]
EAP/TLS Connection
Domain Controller used to log onto domain after obtaining an IP address from DHCP
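An added illustration of the 802.1X controlled/uncontrolled port split in the diagram, not code from the presentation: a toy authenticator state machine in C in which only EAPOL frames pass before IAS returns its verdict, ordinary traffic such as DHCP and domain logon is forwarded only once the controlled port is authorized, and an EAPOL-Logoff closes it again. The event names and the three certificate checks are assumptions made for the model.

```c
/* What the access point sees on the laptop's port, in order. */
enum event_kind {
    EV_EAPOL,           /* EAPOL / EAP-TLS handshake frames (uncontrolled port) */
    EV_RADIUS_VERDICT,  /* IAS answered with Access-Accept or Access-Reject  */
    EV_DATA,            /* DHCP, domain logon, file traffic (controlled port) */
    EV_EAPOL_LOGOFF     /* supplicant logged off: the port must close again  */
};

struct event {
    enum event_kind kind;
    /* for EV_RADIUS_VERDICT: what IAS checked against the CA and the DC */
    int cert_chains_to_ca, cert_not_revoked, account_enabled;
};

struct port {
    int authorized;   /* state of the controlled port */
    int forwarded;    /* data frames that reached the network */
    int dropped;      /* data frames blocked while unauthorized */
};

/* Uncontrolled port: EAPOL always passes so the handshake can run at all.
   Controlled port: everything else waits for an Access-Accept. */
int port_forwards(const struct port *p, enum event_kind k)
{
    if (k == EV_EAPOL || k == EV_EAPOL_LOGOFF) return 1;
    return p->authorized;
}

/* Authenticator state machine for one session; returns the final port state. */
struct port run_session(const struct event *ev, int n)
{
    struct port p = { 0, 0, 0 };
    for (int i = 0; i < n; i++) {
        switch (ev[i].kind) {
        case EV_RADIUS_VERDICT:   /* all three checks must pass to authorize */
            p.authorized = ev[i].cert_chains_to_ca && ev[i].cert_not_revoked
                        && ev[i].account_enabled;
            break;
        case EV_EAPOL_LOGOFF:
            p.authorized = 0;
            break;
        case EV_DATA:
            if (port_forwards(&p, EV_DATA)) p.forwarded++; else p.dropped++;
            break;
        case EV_EAPOL:
            break;                /* handshake traffic, always let through */
        }
    }
    return p;
}
```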
Security Management & Operations
Microsoft Baseline Security Analyser
HotFixNetCheck
IISLockdown
Software Update Service
Systems Management Server 2003
Microsoft Operations Manager
Software Update Services (SUS)
[Diagram: Windows Update (windowsupdate.microsoft.com), SUS Parent Server, Test Environment, SUS Child Server(s), AutoUpdate Clients, Group Policy]
Identity Management
Active Directory
  Authentication data
  Policy based administration
  Integrated with PKI
Active Directory Application Mode
  Lightweight, stand-alone LDAP directory
  Extensible schema, replicated partitions
Microsoft Identity Integration Server
  Synchronization of identities
  Provisioning
MS Identity Integration Server
Ensure consistency & utility of digital identity data

Active Directory & ADAM
Single store for users, computers, services, groups, etc.
Distributed, replicated for availability
Automated security policy management
LDAP v3 compliant
ADAM for app-specific data

Microsoft Identity Integration Server
Directory synchronization
  LDAP (ADAM, iPlanet, etc)
  Relational databases
  Application specific
Account Provisioning
  Automate account creation
  Automate account de-provisioning
Password Management
  Self-service password reset
[Diagram: Account Directory synchronized with LDAP, SQL, Enterprise App, Exchange, Web Service, File Share, Applications and Active Directory]
.NET Framework
Code Access Security
Compiler Enhancements (/GS flags)
Supports multiple Authentication mechanisms
ASP.NET – authorization model
Cryptographic Namespace
Instrumentation via WMI
Visual Studio – Compiler Enhancements

```c
#include <string.h>

#define MAX 64

/* Deliberately unsafe: p1 is copied into the fixed-size stack buffer p2 with no
   length check, so input longer than MAX overruns the stack. This is the
   overrun pattern the /GS compiler flag is designed to detect at run time. */
void BadFunction(char *p1)
{
    char p2[MAX];
    strcpy(p2, p1);
    /* ... */
    return;
}
```
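Added counterpart to BadFunction, not from the slides: /GS places a cookie between the locals and the return address and checks it on function exit, so an overrun of p2 aborts the process rather than hijacking control. The better fix is not to overrun at all; this bounded version rejects input that does not fit and reads no further than the buffer could hold.

```c
#include <string.h>

#define MAX 64

/* Hardened counterpart of BadFunction: the copy is bounded by the size of the
   stack buffer, and input that would not fit is rejected outright.
   Returns the number of bytes copied, or -1 when the input is too long. */
int GoodFunction(const char *p1)
{
    char p2[MAX];
    size_t n = 0;

    /* Scan at most MAX bytes: do not rely on strlen() of attacker-supplied
       data being small, and never read further than the buffer could hold. */
    while (n < MAX && p1[n] != '\0')
        n++;
    if (n == MAX)           /* no room left for the terminating NUL */
        return -1;

    memcpy(p2, p1, n + 1);  /* n + 1 <= MAX, so this cannot overrun p2 */
    /* ... work with p2 ... */
    return (int)n;
}
```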
Education & Guidance
Publications / Prescriptive Guidance
  Patterns and Practices
  How-to configure for security
  How Microsoft Secures Microsoft
Online Community
  Security Zone for IT Professionals
Web Education
  MBSA, HFNetchk
  Security Guides
  Monthly security webcasts
Summary: Action Plan
Implement a security program
  Create organizational responsibilities
  Define security policy
  Execute security program to implement policy
  Audit for compliance to policy
  Remediation
  Ongoing review (new threats, technologies)
Be proactive
  Don’t wait till the next attack!
Resources
General: http://www.microsoft.com/security
IT Professionals: http://www.microsoft.com/technet/security
Patch Management: http://www.microsoft.com/technet/security/topics/patch
Best Practices for Defense in Depth: http://www.microsoft.com/security/guidance
How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx
Security Policies: NIST http://www.nist.gov; ISO 17799 http://www.iso17799software.com

Resources
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160
Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
Microsoft Security Solutions: http://www.microsoft.com/business/solutions/default.mspx
Systems Management Server: www.microsoft.com/smserver/
Software Update Services: www.microsoft.com/sus
Microsoft Operations Manager: www.microsoft.com/mom
ISA Server: www.microsoft.com/isa