Information Security: Addressing Surety for Various Communities

Georgia Tech Information Security Center

Fall 2004 Distinguished Lecture Series

November 4, 2004

Roger Callahan

Bank of America


Today*
  • Discuss the need for information security “surety”.
  • What does that mean?
  • Emerging indications.
  • “Surety” framework.

*Note: These views represent solely those of the author and not necessarily those of Bank of America.

Number of transistors on a microprocessor (chart)

Source: http://www.intel.com/research/silicon/mooreslaw.htm

Chart (source: “Exploiting Software: How to Break Code”, Gary McGraw and Greg Hoglund, Addison-Wesley 2004)

Today’s amazing information technology environment (composite chart, including the number of transistors on a microprocessor**)

*Source: Bureau of Economic Analysis Data published March 25, 2004

**Source: http://www.intel.com/research/silicon/mooreslaw.htm

***Source: Internet Software Consortium (www.isc.org)

****Source: “Exploiting Software: How to Break Code”, Gary McGraw and Greg Hoglund, Addison-Wesley 2004
A Perspective
  • Communications Security (COMSEC) BC
  • Computer Security (COMPUSEC) 1970
  • Information Security (INFOSEC) 1980
  • Information Assurance (IA) mid-1990s
    • Defensive Information Warfare
  • Critical Infrastructure Protection late-1990s
    • Critical Infrastructure Assurance
  • Homeland Security 2001-2003
For Discussion
  • This complex information technology environment, and the continuing rapid change in technology, challenge everyone.
  • All businesses, but especially small businesses and personal users, have significant computing and communication power at their disposal and are using it.
  • Knowledge and diligence are essential to achieving secure use of information systems.
  • Significant variance in the application of adequate information security practices exists.
  • Can a new “surety” approach improve the situation?
Value in Centralized Management Approaches: Perimeter Security Experience

Each Operational Organizational Unit Manages Their Firewalls

Value in Centralized Management Approaches: Perimeter Security Experience

An Information Security Organization Manages a Firewall Utility
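As an added illustration of what a centrally managed firewall utility buys, and not code from the presentation or from Bank of America: the script below checks each operational unit's firewall rules against a central baseline and reports the allow rules that the baseline would deny (first-match semantics, default deny). The rule format, the baseline and the per-unit rule sets are all constructed for this example.

```python
"""Added example (not from the original presentation): detect drift between
per-unit firewall rule sets and a centrally managed baseline.

Rule line format (constructed for this example):
    <allow|deny> <tcp|udp|any> <source CIDR> <destination port|any>
Rules are evaluated first-match; anything unmatched is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dport: str    # destination port as a string, or "any"


def parse_rules(text):
    """Parse the constructed rule format, ignoring blank lines and # comments."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dport = line.split()
        ip_network(src)  # raises ValueError on a malformed CIDR
        rules.append(Rule(action, proto, src, dport))
    return rules


def _covers(rule, proto, src, dport):
    # A rule covers a flow only when the flow's source range lies wholly
    # inside the rule's source range; partial overlaps do not count, so a
    # unit rule that is broader than the baseline allow is flagged (conservative).
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_network(src).subnet_of(ip_network(rule.src))
            and (rule.dport == "any" or rule.dport == dport))


def decision(rules, proto, src, dport):
    """First matching rule wins; no match means deny."""
    for rule in rules:
        if _covers(rule, proto, src, dport):
            return rule.action
    return "deny"


def report_drift(baseline_text, units):
    """Return, per unit, the allow rules the central baseline would deny."""
    baseline = parse_rules(baseline_text)
    drift = {}
    for name, text in units.items():
        drift[name] = [
            (r.proto, r.src, r.dport)
            for r in parse_rules(text)
            if r.action == "allow" and decision(baseline, r.proto, r.src, r.dport) == "deny"
        ]
    return drift


# Constructed central baseline: admin SSH from the corporate range only,
# public HTTPS, everything else denied.
BASELINE = """
allow tcp 10.0.0.0/8 22
allow tcp 0.0.0.0/0 443
deny  any 0.0.0.0/0 any
"""

# Constructed per-unit rule sets as they might look when each unit edits its own firewall.
UNITS = {
    "finance": """
allow tcp 10.0.0.0/8 22
allow tcp 0.0.0.0/0 443
deny  any 0.0.0.0/0 any
""",
    "marketing": """
allow tcp 0.0.0.0/0 22     # SSH opened to the world for a contractor
allow tcp 0.0.0.0/0 443
allow tcp 0.0.0.0/0 3389   # RDP to a legacy box
deny  any 0.0.0.0/0 any
""",
}

if __name__ == "__main__":
    for unit, rules in report_drift(BASELINE, UNITS).items():
        print(unit, "drift:", rules or "none")
```

Run against the constructed data, the finance unit matches the baseline and marketing shows two over-permissive allows (world-reachable SSH and RDP). A central utility removes this class of drift by construction; where units keep their own firewalls, a check like this is the minimum needed to see it.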

Comprehensive Protection Framework: Defense in Depth (diagram)

People, Technology and Process applied across Prevent, Detect and Respond/Recover

An Interesting Measure

Source: Internet Storm Center – SANS Organization (http://isc.sans.org/survivabilityhistory.php)

Proactive Protection Measures
  • Firewall
  • Anti-Viral Software
  • Configurations & Practices that Reduce Risks
  • Monitoring
  • Keep Knowledge Current
  • Apply Software Updates (patches)
Surety

Definition: 3) A pledge or formal promise made to secure against loss, damage, or default: a guarantee or security.1

Familiar legal arrangement:

Surety Bonds – three-party agreements in which the issuer of the bond (the surety) joins with a second party (the principal) in guaranteeing to a third party (the obligee) the fulfillment of an obligation on the part of the principal.

  • An obligee is the party (person, corporation or government agency) to whom a bond is given.
  • The obligee is also the party protected by the bond against loss.2

1The American Heritage Dictionary

2

Other Applications of the Word ‘Surety’

Sandia National Laboratories:

  • Weapons surety

Engineering design concepts related originally to nuclear weapons engineering.

  • Surety of an information system

Defined as ensuring the “correct” operation of an information system through the incorporation of appropriate levels of safety, functionality, confidentiality, availability and integrity1.

Achieved through an integrated risk assessment modeling methodology that identifies proper design decisions.

1 “Toward a Risk-Based Approach to the Assessment of the Surety of Information Systems” – U.S. DOE Contract DE-AC04-94AL8500

An Information Security Surety Framework
  • A ‘Managed Service’ that provides a guarantee (“surety”) of a particular level of security that includes recovery, if the guarantee is not met.
  • Requires:
    • Business case:
      • Applicability
      • Defined levels of security.
      • Use of risk management (e.g. insurance industry collaboration)
    • Appropriate public policy and legal construct.
      • A ‘safe harbor’ for qualified service providers.
      • Rapid mediation/dispute resolution mechanism
    • Required technological implementation mechanisms.
      • Proactive defense-in-depth approach.
      • Remote configuration and management, and configuration control.
      • Monitoring capability.
      • Ability to log and quantify the causes of a failure.
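An added example, not from the presentation: the technological side of the framework needs defined levels of security, monitoring, and a way to quantify the causes of a failure. The script below evaluates constructed monitoring records (firewall state, anti-virus signature age and patch lag, three of the proactive measures listed earlier) against hypothetical level definitions, reports which hosts miss the guaranteed level and why, and tallies the causes so the guarantee can be judged and a recovery obligation triggered. Level names, thresholds, field names and the host records are all assumptions made for this example.

```python
"""Added example (not from the original presentation): evaluate monitoring
evidence against a defined security level and quantify failure causes.

All level names, thresholds, field names and host records below are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    name: str
    max_patch_lag_days: int            # days a released patch may stay unapplied
    max_av_signature_age_days: int     # days since the last signature update
    firewall_required: bool
    min_compliant_fraction: float      # share of hosts that must pass for the guarantee to hold


# Hypothetical service levels a managed "surety" offering might define.
LEVELS = {
    "basic": Level("basic", 30, 7, True, 0.90),
    "enhanced": Level("enhanced", 7, 1, True, 0.99),
}

# Constructed monitoring records as a managed-service agent might report them.
HOSTS = [
    {"host": "acct-01", "firewall": True,  "av_sig_age": 0,  "patch_lag": 2},
    {"host": "acct-02", "firewall": True,  "av_sig_age": 3,  "patch_lag": 12},
    {"host": "pos-01",  "firewall": False, "av_sig_age": 1,  "patch_lag": 0},
    {"host": "pos-02",  "firewall": True,  "av_sig_age": 20, "patch_lag": 45},
]


def failure_causes(record, level):
    """Return the list of reasons one host fails the given level (empty = compliant)."""
    causes = []
    if level.firewall_required and not record["firewall"]:
        causes.append("firewall_disabled")
    if record["av_sig_age"] > level.max_av_signature_age_days:
        causes.append("av_signatures_stale")
    if record["patch_lag"] > level.max_patch_lag_days:
        causes.append("patch_overdue")
    return causes


def evaluate(records, level_name):
    """Judge the fleet against a level: compliance fraction, guarantee status,
    per-host failures and a count of each failure cause."""
    level = LEVELS[level_name]
    per_host = {r["host"]: failure_causes(r, level) for r in records}
    cause_counts = Counter(c for causes in per_host.values() for c in causes)
    compliant = sum(1 for causes in per_host.values() if not causes)
    fraction = compliant / len(records) if records else 0.0
    return {
        "level": level_name,
        "compliant_fraction": fraction,
        # An empty fleet cannot demonstrate the guarantee, so it is reported as not met.
        "guarantee_met": bool(records) and fraction >= level.min_compliant_fraction,
        "failures": {h: c for h, c in per_host.items() if c},
        "cause_counts": dict(cause_counts),
    }


if __name__ == "__main__":
    for name in LEVELS:
        result = evaluate(HOSTS, name)
        print(name, "met" if result["guarantee_met"] else "NOT met",
              f"({result['compliant_fraction']:.0%})", result["cause_counts"])
```

Against the constructed records, the "basic" level is missed at 50% compliance with one host per cause, and "enhanced" is missed at 25% with stale signatures and overdue patches dominating. The cause tally is what makes the guarantee actionable: it tells the provider which control to fix and gives both parties a logged basis for any recovery or dispute.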
Emerging Indications
  • Automated virus updates
  • ISP spam and content filtering
  • Protection from DDoS
  • QoS options
A Parallel (diagram): Enterprise, Small Business, Consumer

Surety For Various Communities (diagram)

Surety Opportunity across Consumers, Small Businesses and Large Enterprises


How could the concept be further developed?

An Integrated Effort:

  • Business Case
  • Risk Management Options
  • Public Policy Benefit
  • Legal Solution
  • Technological Construct
  • Dispute Resolution Mechanism
  • Pilot Implementation

Surety may be in your future…

Roger Callahan

Phone: 704-388-8455

Email: roger_callahan@bellsouth.net