Security Technology: A 360° perspective
Steven Adler, Security Strategist, Microsoft EMEA

Agenda
- Current Situation
- Implementing a Security Policy
- Creating a Secure Connected Infrastructure
  - Secure Network Connectivity
  - Identity Management
  - Security Management & Operations
  - .NET Framework
- Summary

Increasing number of attacks
Chart: CERT Incident Summary 1988 - 2003 (incidents per year; x-axis 1988 to 2002, y-axis 0 to 160,000).
Source: Symantec, CERT Incident Summary

Cost of security incidents
                                          Overall                    Large Business
Disruption to business                    £5,000 - £10,000           £50,000 - £150,000
                                          over 1-2 days              over 1-3 days
Time spent responding to incident         £500 - £1,000              £3,000 - £6,000
                                          2-4 man days               10-20 man days
Direct cash spent responding to incident  £1,000 - £2,000            £5,000 - £10,000
Direct financial loss                     £200 - £500                £2,000 - £4,000
Damage to reputation                      £100 - £300                £5,000 - £20,000
Total cost of worst incident on average   £7,000 - £14,000           £65,000 - £190,000
Source: Information Security Breaches Survey 2004, UK Dept. of Trade and Industry

Chart: share of organisations (scale 0 to 100) with physical security, education & awareness, and implementation of security policies, by organisation size: Small (1-49), Medium (50-249), Large (250+); ISBS 2004 compared with ISBS 2002.
Source: Information Security Breaches Survey 2004, UK Dept. of Trade and Industry

Principles of IT Security - BS7799
- Confidentiality: protection from unauthorised disclosure of sensitive information, both business and personal
- Integrity: making sure that information is always accurate and up to date
- Availability: making sure that vital information and services are always available to authorised users whenever necessary
- Authenticity: making sure the source of the information is really what it claims to be
- Accountability: making sure you will get the information where you want it, when you need it!

Security Policies BS7799
- Security policy
- Organizational security
- Asset classification & control
- Personnel security
- Physical & environmental security
- Communications & operations management
- Access control
- Systems development & maintenance
- Business continuity management
- Compliance

Adopting in-depth defence
Aim of the strategy is to:
- Increase an attacker's risk of detection
- Reduce an attacker's chance of success

Layers, with the controls applied at each layer:
- Policies, Procedures & Awareness: user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, VPN quarantine
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, patch management, authentication, HIDS
- Application: application hardening, antivirus
- Data: ACL, encryption

Access Control
"To control access according to Business and Security requirements" – BS 7799
- Business requirements
- User access management
- User responsibilities
- Network access control
- Operating system access control
- Application access control
- Monitoring system access control
- Mobile computing and teleworking

Some examples of BS7799
- 9.7.2 Monitoring System Use: "Access is to be logged and monitored to identify potential misuse of systems or information"
- 5.2.1 Information Classification: "The organisation must record, maintain and update a database of its information assets"
- 8.1.3 Security Incident Handling: "Information relating to security incidents may only be released by authorised persons"

Applying BS7799 in Windows
Access Controls: NTFS and Access Control Lists (ACL)
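As an added example (not from the deck), the NTFS side of this in PowerShell: replace a folder's inherited permissions with an explicit least-privilege ACL for one domain group, then list the result to confirm it. The folder path and group name are assumed.

```powershell
# Added example, not from the original deck. Applies a least-privilege NTFS ACL:
# break inheritance, drop broad built-in principals, grant one group Modify and
# Administrators Full Control, then report the explicit entries.
$Path  = 'D:\Shares\Finance'        # assumed folder
$Group = 'CONTOSO\Finance-Users'    # assumed domain group

$acl = Get-Acl -Path $Path

# Stop inheriting from the parent and discard the inherited entries, so the folder
# carries only the rules set here (access per business requirement, not by accident).
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries for the broad built-in principals that tend to creep in.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -in $broad) {
        [void]$acl.RemoveAccessRule($rule)
    }
}

# Modify = read, write, delete, but not Full Control, so members cannot change the
# ACL themselves. ContainerInherit/ObjectInherit pushes the rule down the tree.
$inherit   = 'ContainerInherit, ObjectInherit'
$userRule  = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', $inherit, 'None', 'Allow'
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'
$acl.AddAccessRule($userRule)
$acl.AddAccessRule($adminRule)

Set-Acl -Path $Path -AclObject $acl

# Check the outcome: every entry should now be explicit (IsInherited = False) and
# nothing beyond the two principals above should appear.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```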

Monitoring System Use:
- Windows audit logs
- IIS, ISA logs
- Windows Management Instrumentation (WMI)
- Microsoft Operations Manager
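As an added example (not from the deck) of using the Windows audit log for the BS7799 9.7.2 requirement, this PowerShell summarises failed logons so repeated failures against one account, or from one source, stand out. It assumes a Vista/2008-or-later host, where a failed logon is Security event 4625, and a threshold value chosen here.

```powershell
# Added example, not from the original deck. Summarises failed logons from the
# Windows Security log. Assumes a Vista/2008-or-later host (failed logon = event 4625)
# with logon failure auditing enabled:  auditpol /set /subcategory:"Logon" /failure:enable
$Since     = (Get-Date).AddHours(-24)
$Threshold = 10     # assumed: report account/source pairs with at least this many failures

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Read the event fields from the XML by name; positional Properties[] indexes shift
# between Windows versions, the field names do not.
$failures = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $field.TargetDomainName, $field.TargetUserName
        Source    = $field.IpAddress
        LogonType = $field.LogonType   # 2 = interactive, 3 = network, 10 = remote interactive
        SubStatus = $field.SubStatus   # 0xC0000064 = unknown user, 0xC000006A = bad password
    }
}

# Group by account and source and keep only the noisy pairs. Many failures from one
# source across many accounts, or against one account, is the pattern to investigate.
$failures |
    Group-Object Account, Source |
    Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First';     e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';      e = { ($_.Group | Sort-Object Time)[-1].Time } },
        @{ n = 'SubStatus'; e = { ($_.Group.SubStatus | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```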

Password Policy:
- Enforce password complexity & lifecycle using Group Policy
- Higher security requirements may be enforced via physical tokens (smartcard)

Password Policies
- Minimum password length
- Password complexity (e.g. 0-9, A-z, #-@)
- Password ageing
- Password history
- Reduce the number of accounts/passwords (e.g. single sign-on, password synchronization)
- Enforce smartcard usage

Example of Active Directory Group Policy
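As an added example (not from the deck), the same four password controls and the smartcard requirement set from PowerShell rather than the Group Policy editor, with a read-back check of the resulting domain policy. It assumes the ActiveDirectory module (RSAT), Domain Admin rights, and the domain and account names used here.

```powershell
# Added example, not from the original deck. Sets the domain default password policy
# for the four controls on the slide, verifies it, and requires a smartcard for a
# privileged account. Needs the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory
$Domain         = 'contoso.com'   # assumed domain
$PrivilegedUser = 'adm-jsmith'    # assumed sAMAccountName of a high-privilege account

$policy = @{
    Identity                    = $Domain
    MinPasswordLength           = 14                         # minimum password length
    ComplexityEnabled           = $true                      # mixed classes: 0-9, A-z, symbols
    MaxPasswordAge              = (New-TimeSpan -Days 90)    # ageing
    MinPasswordAge              = (New-TimeSpan -Days 1)     # blocks cycling straight back
    PasswordHistoryCount        = 24                         # history
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10                         # failed attempts before lockout
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
}
Set-ADDefaultDomainPasswordPolicy @policy

# Read the policy back and check it rather than trusting that the write took.
# A MaxPasswordAge of zero means "never expires", so that case is tested explicitly.
$p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$checks = @(
    [pscustomobject]@{ Check = 'MinPasswordLength >= 14';    Ok = $p.MinPasswordLength -ge 14 }
    [pscustomobject]@{ Check = 'ComplexityEnabled';          Ok = [bool]$p.ComplexityEnabled }
    [pscustomobject]@{ Check = 'MaxPasswordAge 1-90 days';   Ok = ($p.MaxPasswordAge.TotalDays -gt 0) -and ($p.MaxPasswordAge.TotalDays -le 90) }
    [pscustomobject]@{ Check = 'PasswordHistoryCount >= 24'; Ok = $p.PasswordHistoryCount -ge 24 }
    [pscustomobject]@{ Check = 'No reversible encryption';   Ok = -not $p.ReversibleEncryptionEnabled }
)
$checks | Format-Table -AutoSize

# Higher security requirements: interactive logon for the privileged account must
# present the certificate on the smartcard; the password alone no longer suffices.
Set-ADUser -Identity $PrivilegedUser -SmartcardLogonRequired $true
Get-ADUser -Identity $PrivilegedUser -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired
```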

Secure Network Connectivity
- ISA Server
- Windows 2000, Windows .NET Server
- Virtual Private Networking (VPN)
- Wireless (802.11b, 802.1x)
- IPSec
- X.509 v3 PKI

Secure Wireless LAN
Diagram components:
- 802.11 / 802.1X Access Point, with a controlled port (opened to the network only after authentication succeeds) and an uncontrolled port (carries only the authentication exchange)
- Laptop, holding a domain user certificate
- RADIUS server (IAS)
- Domain Controller, used to log onto the domain after obtaining an IP address from DHCP
- Certificate Authority
- DHCP, Exchange and file servers, and peers on the internal network
- EAP/TLS connection from the laptop through the access point to the RADIUS server

Security Management & Operations
- Microsoft Baseline Security Analyser
- HotFixNetCheck
- IISLockdown
- Software Update Services
- Systems Management Server 2003
- Microsoft Operations Manager

Software Update Services (SUS)
Deployment diagram:
- Windows Update (windowsupdate.microsoft.com) feeds the SUS Parent Server
- SUS Child Server(s) synchronize from the parent
- AutoUpdate Clients, directed to the SUS servers through Group Policy
- Test Environment for validating updates

Identity Management
- Active Directory: authentication data; policy-based administration; integrated with PKI
- Active Directory Application Mode (ADAM): lightweight, stand-alone LDAP directory; extensible schema, replicated partitions
- Microsoft Identity Integration Server (MIIS): synchronization of identities; provisioning

MS Identity Integration Server
Ensure consistency & utility of digital identity data

Active Directory & ADAM
- Single store for users, computers, services, groups, etc.
- Distributed, replicated for availability
- Automated security policy management
- LDAP v3 compliant
- ADAM for app-specific data

Microsoft Identity Integration Server
- Directory synchronization: LDAP (ADAM, iPlanet, etc.), relational databases, application-specific stores
- Account provisioning: automate account creation; automate account de-provisioning
- Password management: self-service password reset

Diagram: MIIS synchronizing identities across an account directory, LDAP and SQL stores, an enterprise application, Exchange, a web service, a file share, other applications and Active Directory.

.NET Framework
- Code Access Security
- Compiler enhancements (/GS flag)
- Supports multiple authentication mechanisms
- ASP.NET – authorization model
- Cryptographic namespace
- Instrumentation via WMI

Visual Studio – Compiler Enhancements
The kind of stack buffer overrun the /GS flag is designed to catch: a fixed-size local buffer filled by an unchecked strcpy from a caller-supplied string. The code is deliberately vulnerable.

    #include <string.h>
    #define MAX 64      /* buffer size; the slide names only MAX */

    void BadFunction(char *p1)
    {
        char p2[MAX];
        strcpy(p2, p1); /* no length check: a p1 longer than MAX overruns p2 on the stack */
        /* ... */
        return;         /* with /GS the compiler checks a cookie placed after p2 here */
    }

Education & Guidance
- Publications: prescriptive guidance; Patterns and Practices; how to configure for security; How Microsoft Secures Microsoft
- Online community: Security Zone for IT Professionals
- Web education: MBSA, HFNetchk; security guides; monthly security webcasts

Summary: Action Plan
- Implement a security program
  - Create organizational responsibilities
  - Define security policy
  - Execute the security program to implement the policy
  - Audit for compliance to policy
  - Remediation
  - Ongoing review (new threats, technologies)
- Be proactive: don't wait till the next attack!

Resources
- General: http://www.microsoft.com/security
- IT Professionals: http://www.microsoft.com/technet/security
- Patch Management: http://www.microsoft.com/technet/security/topics/patch
- Best Practices for Defense in Depth: http://www.microsoft.com/security/guidance
- How Microsoft Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit/security/mssecbp.asp
- MSDN Security Development Tools: http://msdn.microsoft.com/security/downloads/tools/default.aspx
- Security Policies: NIST http://www.nist.gov; ISO17799 http://www.iso17799software.com
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15160
- Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
- Microsoft Security Solutions: http://www.microsoft.com/business/solutions/default.mspx
- Systems Management Server: www.microsoft.com/smserver/
- Software Update Services: www.microsoft.com/sus
- Microsoft Operations Manager: www.microsoft.com/mom
- ISA Server: www.microsoft.com/isa

© 2002 Microsoft Corporation. All rights reserved.