“CFIT Telediscussion”
Howard A. Schmidt, Director, Information Security (CISO), Microsoft Corporation
January 20th, 2000

IAP – Howard A. Schmidt

Topics
• Information Assurance Program Core Competencies
• Information Security Responsibilities/Structure
• Q & A

Information Assurance Program

Pillars of IA Core Competencies
[Diagram: the Information Assurance Program resting on pillars labelled Disaster Recovery, Backup Strategy, Telecomm Security, Physical Security, Application Security, Data Class/Retention and Information Security]

IAP Objectives
• Right information, to the right person at the right time
• Authorized un-compromised access
  – Reliable/Available
  – What you sent is what they get (WYSIWTG)
• Consist of programs, processes & procedures
• Corporate wide program
  – IAP project should be an “umbrella” for all Information Assurance activities

Business Continuity Plan
• Disasters
  – Virus
  – Fire
  – Natural
  – Sabotage
  – Y2K
  – Hacks
• 24-48 Hrs ramp up to minimum configuration
• How many Critical Apps exist (Including Infrastructure)?
• Enterprise Wide Data Centers
  – Does NOT create redundant data centers
  – Expensive
  – Technology

Data Retention/Classification
• ALL data is not the same.
  – Legal
  – Financial
  – Historical
  – Personal
• E-Mail & attachments comprised of information from routine to highly confidential.
• Various retention periods (by law)
• Consolidation of group servers/shares (1st Step)
• Capability needs to be built into future products

Backup Procedure & Process
• Linked to Data Class/Retention Projects
• Reduce storage of non-critical data
• Efficient recovery of needed data
• Reduction of offsite storage costs
• Expedite Disaster Recovery

Telecommunications Security
• PBX Security
  – Audits
  – “Phreaking tools”
• RAS Security
  – Concerns of non-encrypted RAS use in some locations
• Analog Lines
  – Desktop Modems
• Mobile Phones
  – More secure
  – GSM
  – CDMA/TDMA

IAP Application Security
• As InfoSec professionals, work with developer and product security groups
  – Part of the design review from outset of product life cycle
  – Review potential vulnerabilities in 3rd party apps
  – Coordinate with external peer IS shops to evangelize our successes and get feedback on how we can do better

IAP Physical Security
• Relationship to Information Security
• Not just Guns, gates & guards
  – Controlled access system
  – Securing network taps in public areas
  – Securing phone/wiring closets
  – BP, JV & New Acquisition reviews
  – Physical Security Investigations

Threats to Information Security
[Diagram: network components and connection points (Internet, CDCs, RDCs, Tail Sites, Data Centers, CorpNet, PSS, EVN, 3rd Party Connections, Labs, E-mail gateways, Proxies, Home LANs, PPTP/RAS Servers, Direct Taps, Remote Users) and the threats shown against them (Unauthorized Access, Intrusions, Denial of Service, SPAM, Intellectual Property Theft, Virus, Phreaking, Malicious Code, Criminal/CI Use of Online Services)]

Strategic Technology & Security Consulting
• Test implementation of new Technologies
  – IPsec, IPv6, Kerberos, Certificates, Smartcards, Encryption, Biometrics
• Test new Connectivity Technology
  – xDSL, Cable Modem, Wireless
• Evaluate Security Technology
  – Firewalls, Monitors, Scanners
• Apply Technology to Security
  – Home LAN, Business Partners, Joint Ventures, Security Consulting

Red Team Mission
• Attack Corporate nets to find vulnerabilities before hackers do
• Develop comprehensive catalog of attack techniques
  – Reverse engineer hacker tools (BO/BO2K)
• Assess & verify compliance to CERT advisories, worldwide
• Monitor hacker activities on the internet (irc, newsgroups etc.)
• Improve security by iterative penetration testing

CERT Function (Computer Emergency Response Team)
• Responds to Security Incidents
• Provides real time Intrusion Detection Monitoring
• Interfaces with engineering teams.
• Database & Disseminate Security Advisories
  – Security Bulletins
  – Virus
• Provide “hot fixes” for RED Team
• De-Conflicts RED Team actions.
• Co-ordinates with other CERTS
• Handles SPAM issues
• Anti-Virus
  – Desktop
  – Internet Mail connectors
  – Proxies

Investigations Team
• Internal HR investigations
• Attacks against networks/systems
  – Hacks
  – Denial Of Service attacks
  – Criminal SPAM
• Impersonation of Employees/Executives
• Criminal Investigations
  – Obtain evidence for Law Enforcement/Defense
  – Computer Forensic assistance

User Education & Awareness

Info.Safe – “Information Security Awareness for Everyone”
• A global program
• Protect the most precious assets: your ideas, plans, specifications, and code
• Not about what is bad - focus on risk awareness, and the propagation and reinforcement of good practices

Info.Safe – Communication & Learning
• Objectives:
  – Drive information and raise awareness
    • Risks and opportunities
  – Enable behavior change
    • Reinforce and recognize good practices
• Audiences: EVERYONE!
  – Management (All levels)
  – Technical staff
  – Administrative

Info.Safe – Communication & Learning (continued)
• Channels:
  – Electronic
    • Intranet
  – Live venues
    • Classroom, brownbag lunches, staff mtgs.
  – Print
    • Newsletters, brochures, posters
• Initiatives:
  – Website updates, security channel, publicity
  – Multipurpose slide deck, presenters kit
  – Briefing series
  – Info assurance recognition