Howard A. Schmidt Chief Security Officer Microsoft Corporation

Presentation Transcript

  1. Security@Microsoft MAY 2001 Howard A. Schmidt Chief Security Officer Microsoft Corporation

  2. Topics • Microsoft Information Assurance Program (MIAP) • Information Security Teams and Roles • IA Technology and Trends • Community Leadership • Q&A

  3. Microsoft Information Assurance Program

  4. Securing the Digital Nervous System • 400+ worldwide IT locations Network Information & Communications • 9 million voice calls per month • 4M+ e-mail messages per day • 145 video conference sites • Over 600 line-of-business applications Data Center • Over 150,000 PCs • 12,000+ servers PCs

  5. Information Assurance Program • Pillars of IA Program • Class and Retention • Information Security • Telecomm Security • Backup Strategy • Application Security • Physical Security • Disaster Recovery

  6. IAP Objectives • Right information, to the right person at the right time, ANYWHERE, ANYTIME, ANY DEVICE • Authorized un-compromised access • Reliable/Available • What you sent is what they get (WYSIWTG) • Consist of programs, processes & procedures • Corporate-wide program • IA program should be an “umbrella” for all Information Assurance activities

  7. Telecommunications Security • PBX Security Audits “Phreaking tools” • RAS Security • Concerns of non-encrypted RAS use in some locations • Analog Lines • Desktop Modems • Mobile Phones More secure • GSM • CDMA/TDMA

  8. IAP Application Security • As InfoSec professionals, work with developer and product security groups • Part of the design review from outset of product life cycle • Review potential vulnerabilities in 3rd party apps • Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

  9. IAP Physical Security • Relationship to information assurance program • Not just gates & guards • Controlled access system • Securing network taps in public areas • Securing phone/wiring closets • BP, JV & new acquisition reviews

  10. Threats to Information Security • Intellectual Property Theft • Unauthorized Access • Intrusions • Internet • Home LANs • Criminal/CI Use of Online Services • E-mail gateways • PPTP/RAS Servers • Remote Users • Proxies • Direct Taps • Labs • Internet Data Centers • CDCs, RDCs • Tail Sites • CorpNet • SPAM • 3rd Party Connections • PSS • EVN • Virus • Denial of Service • Phreaking • Malicious Code

  11. Building Blocks of Robust Security • Engineer it securely • Secure it before you deploy it • Administer it securely • Test its defenses • Respond to its weaknesses/exploits • Investigate the threats • Education and awareness

  12. Security Structure • World-Wide Security Operations (Phys) • Campus Security Guards • Facilities Security Design & Access Controls • Executive/Employee Security Services • World-Wide IT Security • Vulnerability assessment team (Red Team) • Crypto Mgt./PKI • Security Consulting • Network Incident Response Team • Project Management office • Security Communications & Tools Development • Business Support Office • Investigations and Financial Recovery

  13. Enterprise Directory Management • Professional system administrators (First line of defense) • Account/machine permissions • Add, remove, change, create shares • Troubleshooting • Create local/global groups on shares and domains • Domain and trust • Approvals, creation, removal and support • 1st Tier Account Auditing • Site support for the Intranet environment

  14. Vulnerability Assessment Team (Red Team) • Audit corporate nets to find vulnerabilities before hackers do • Develop comprehensive catalog of attack techniques • Reverse engineer hacker tools (BO/BO2K) • Assess & verify compliance to CERT advisories, worldwide • Monitor hacker activities on the Internet (IRC, newsgroups, etc.) • Improve security by iterative penetration testing

  15. Emergency Response Function (MS-CERT) • Responds to Security Incidents • Provides real-time intrusion detection monitoring • Interfaces with engineering teams • Database & Disseminate Security Advisories • Security Bulletins (internal) • Virus • Provide “hot fixes” for Red Team • De-conflicts Red Team actions • Coordinates with other CERTs • Handles SPAM issues • Anti-Virus • Desktop • Internet Mail connectors • Proxies • Exchange AV

  16. Product Security Response Center (MSRC) (Part of Product Group) • Interface to Microsoft customers • Suspected/reported vulnerabilities • Dissemination of patches and bulletins • Proactive security information and best practices • Interface to MS-CERT and Red Team • Internally detected vulnerabilities and attacks • Warning of externally reported vulnerabilities • Coordinate product team response

  17. Product Teams (SE and Dev) • Sustaining engineering (SE teams) • Evaluate reported vulnerabilities • Search for related problems on valid report • Produce, test, package patch • Product teams (program management, development, test) • Back up SE teams • Incorporate lessons learned in new products • Improve processes and products • New security features and standards • Reduced vulnerabilities

  18. Investigations Team • Internal HR related • Attacks against networks/systems • Hacks • Denial of Service attacks • “Criminal” SPAM • Impersonation of Employees/Executives • Criminal Investigations • Obtain evidence for Law Enforcement/Defense • Computer Forensic assistance

  19. Technology and Trends • IA Strategic Technology and Consulting team focuses on new technologies • Evaluation • Pilots • Early applications • Microsoft products and betas • “Dogfooding” security • Third party tools and technologies

  20. Key Technology Trends • Secure management • Active Directory • Security configuration toolset • Group Policy • Authentication • Kerberos (strong distributed authentication) • Smart cards • Biometrics • PKI • Network Security • Integrated remote access and VPN • IPsec VPN • Cable and DSL

  21. Key Technology Trends • Firewalls • Integrated management (ISA Server) • HTTP as universal transport • Firewall appliances • Personal firewalls • Intrusion detection • Still an evolving technology • Volume of reports • False positives, missed events • Vulnerability scanning • Many products • Useful but labor intensive

  22. Community Leadership • Infrastructure protection • Cyber crime and law enforcement • Computer Security and Privacy Advisory Board • Chief Information Security Officers’ Forum • Security Summit

  23. Public/Private Partnerships • Critical Infrastructure Assurance Office (CIAO) • President’s Committee of Advisors on Science and Technology (PCAST) • Institute for Information Infrastructure Protection (I3P) • NATO/Lathe Gambit • Information Sharing and Analysis Centers (ISACs) • National White Collar Crime Center (NWCCC) • National/Regional CyberCrime Summits (DoJ) • National CyberCrime Training Partnership (NCTP) • NIST/NIJ Computer Crime Pamphlets • G8 Cyber-Crime Sub Committee • National Security Telecommunications Advisory Council (NSTAC)

  24. Questions? Howard A. Schmidt 425-936-3890 howards@microsoft.com howard.schmidt1@us.army.mil