Security for Privacy Professionals
IAPP Privacy Futures
Jeff Williams, MBA/TM CISSP IAM
Privacy Officer, Microsoft Services
You cannot ensure privacy if you don’t first have security
Axiom
Security Operating Principles
Corporate Security Mission and Vision
Security Strategy
Risk-Based Decision Model
Tactical Prioritization
Mission
Assess Risk
Define Policy
Monitor
Audit
Prevent malicious or unauthorized use that results in the loss of intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets
Vision
• Five Trustworthy Assurances
– My identity is not compromised
– Resources are secure and available
– Data and communications are private
– Roles and accountability are clearly defined
– There is a timely response to risks and threats
An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client
Operating Principles
• Management commitment
– Manage risk according to business objectives
– Define organizational roles and responsibilities
• Users and data
– Manage to practice of least privilege
– Strictly enforce privacy and privacy rules
• Application and system development
– Build security into development life cycle
– Create layered defense and reduce attack surface
• Operations and maintenance
– Integrate security into operations framework
– Align monitor, audit, and response functions to operational functions
Security Landscape
State of the Nation
• Security problems are growing
• Total financial losses double 2002 levels
• Most organizations are not yet equipped to deal with security threats
• Growth of the external threat
• New and evolving threats
• 95% of security issues could have been avoided if systems were properly configured and patched
CERT 2003: Computer Crime Survey
What you may not have known…
• DDoS extortion can pay $50k+ per incident
– Costs very little < $1000
• The “Really Bad People” pay “ethically challenged” techies to do their dirty work
– Execute DDoS, write bots, code exploits, provide ‘zero-day’ exploit information, compromise specific systems
– Anonymous payments via Paypal etc.
– No questions asked
• Spam pays too
– AOL gave away the Porsche Boxster confiscated from a convicted Spammer
– How much has been pocketed by how many?
• Who paid them?
Understanding the Landscape
[Figure: attacker motivations (National Interest, Personal Gain, Personal Fame, Curiosity) plotted against attacker skill (Script-Kiddie, Hobbyist Hacker, Expert, Specialist), with the roles Author, Vandal, Thief, Spy and Trespasser.]
An Evolving Threat
[Figure: the same chart of motivations (National Interest, Personal Gain, Personal Fame, Curiosity) against skill (Script-Kiddie, Hobbyist Hacker, Expert, Specialist) with the roles Author, Vandal, Thief, Spy and Trespasser, annotated with: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment.]
Security is nothing more than Managing Risk
Enterprise Risk Model
[Figure: risk matrix. Vertical axis: Impact to Business (Defined by Business Owner), Low to High. Horizontal axis: Probability of Exploit (Defined by Corporate Security), Low to High. Regions: Acceptable Risk and Unacceptable Risk. Caption: Risk assessment drives to acceptable risk.]
Risk Analysis by Asset Class
Assets, by class:
• Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
• Application: Unauthenticated access to applications, unchecked memory allocations
• Account: Compromise of integrity or privacy of accounts
• Trust: Unmanaged trusts enable movement among environments
• Network: Data sniffing on the wire, network fingerprinting
Components of Risk Assessment
• Asset: What are you trying to assess?
• Threat: What are you afraid of happening?
• Impact: What is the impact to the business?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Probability: How likely is the threat given the controls?
[Diagram: the components are combined (+) to give (=) the Current Level of Risk.]
Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
Risk Management Process and Roles
[Diagram: a process of five numbered steps (1 to 5) shared between Corporate Security and Cross-IT Teams. Labels: Tactical Prioritization, Prioritize Risks, Security Policy, Security Solutions & Initiatives, Sustained Operations, Compliance.]
Risk Assessment
• Can’t eliminate risk
• Three things we can do
– Accept
– Mitigate
– Transfer
• Security policy helps determine which
Risk mitigation
Preventing
Detecting
Responding
Each builds on the previous…
Risk Computation
• Useful formula
R = T × V × E
• If any term is zero, risk is zero
• Balance cost of attack vs. cost to secure
• Remember your soft costs
• Don’t forget liability
– Eve hacks Alice, uses Alice to hack Bob; Bob sues Alice for failure to maintain security. Civil only; whose laws apply?
• Factor in cost to repair reputation
How to Compromise a System
1. Port scan—what’s listening
2. Sniff traffic—URLs, clear text passwords
3. Launch scripts to probe for vulnerabilities
4. Run a privilege escalation attack
5. Infect; leave backdoors
6. Cover tracks in the logs
7. Get out
Trojans, Viruses, Bots and Worms
• Multiple delivery mechanisms
• Run in context of logged on user
• Send personal data to attackers
• Send malicious data to attack others
• Open holes for access from Internet
• Backups won’t help if not clean
Document the threats
• Documenting threats to your systems is difficult
– What kinds of things can go wrong?
– How can an attacker take advantage of your network?
• You must think like an attacker
– What are the juicy bits of data?
– What do they want to do with your environment?
• Evaluate chains
– If item A occurs then item B can occur…
Fault Trees
• Demonstrate logical paths through a system
• Used to highlight faults in a system
• Points out relationships between faults
• Allow us to estimate the interactions between faults
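An added example, not part of the original slides: a small fault tree evaluated two ways, listing the minimal combinations of faults that reach the top event and estimating its probability. The tree, the fault names and the probabilities are constructed for illustration, and the faults are assumed independent.

```python
from itertools import product

# Constructed fault tree: a leaf is a fault name, a gate is (kind, [children]).
# The top event fires if either chain of faults completes.
TREE = ("OR", [
    ("AND", ["unpatched_host", "port_exposed"]),
    ("AND", ["weak_password", ("OR", ["remote_access_open", "port_exposed"])]),
])

def cut_sets(node):
    """Every combination of basic faults that is enough to cause `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    parts = [cut_sets(child) for child in children]
    if kind == "OR":                      # any one child is enough
        return set().union(*parts)
    if kind == "AND":                     # one cut set from every child
        return {frozenset().union(*combo) for combo in product(*parts)}
    raise ValueError(f"unknown gate {kind!r}")

def minimal_cut_sets(node):
    """Drop combinations that contain a smaller sufficient combination."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}

def occurs(node, state):
    if isinstance(node, str):
        return state[node]
    kind, children = node
    results = [occurs(child, state) for child in children]
    return all(results) if kind == "AND" else any(results)

def top_probability(node, p):
    """Exact probability of the top event for independent basic faults.
    Enumerating fault states stays correct when a fault feeds several gates."""
    names = sorted(p)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, state):
            weight = 1.0
            for name in names:
                weight *= p[name] if state[name] else 1.0 - p[name]
            total += weight
    return total

P = {"unpatched_host": 0.5, "port_exposed": 0.5,       # constructed values
     "weak_password": 0.5, "remote_access_open": 0.5}
```

A fault that appears in several minimal cut sets (here `port_exposed`) is where one mitigation removes the most paths: setting its probability to zero halves the top-event estimate in this constructed tree.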
Defense in Depth
• Using a layered approach:
– Increases an attacker’s risk of detection
– Reduces an attacker’s chance of success
• Layers and example controls:
– Data: ACL, encryption, Rights Management
– Application: Application hardening, antivirus
– Host: OS hardening, patch management, authentication, HIDS
– Internal Network: Network segments, IPSec, NIDS
– Perimeter: Firewalls, VPN quarantine
– Physical Security: Guards, locks, tracking devices
– Policies, Procedures, & Awareness: User education
Defenses
• Defense in depth
– Networks
– Hosts
– Applications
– Users
Network Defenses
• Border router
– Ingress and egress filtering
• Firewalls
– Is high availability a business requirement?
• Authentication
– Check credentials before allowing through
• Encryption
– VPNs, IPSec ESP tunnel mode
• Not just perimeter, though...
– Can do all this between logical and business security zones, too
Host Defenses
• Updated anti-virus, hotfixes, service packs
• Control security settings and software distribution/installation with group policy
• Authenticated connections
– IPSec AH, 802.1x
• Encrypted sessions
– IPSec ESP transport mode
• Restricted connections, in and out
– IPSec filtering, ICF
• File Integrity monitoring
The art of patching without patching
Turn stuff off!…or don’t install it in the first place
Application Defenses
• Encrypted communications
– SSL/TLS, S/MIME
• Signed communications
– S/MIME, code signing
• Authorization
– Fine for public services
– Must do this if you need to know who
• Strong security development practices
Defense Against Users
• Principle of least privilege (POLP)
– Users aren’t local administrators
– Trust those who are admins, though
– Configure trust relationships only where there is a business need
– Appropriate access lists and rights, again following business needs
• Don’t read e-mail with admin account
Technologies
• Prevention
– Internet Connection Firewall
– IPSec (encryption, authentication, filtering)
– ISA Server (rules and filters)
– Distribution of current updates
  • Group policy
  • Corporate Windows Update
  • Systems Management Server
Technologies
• Detection
– Security logging and auditing
– Port scanning
– NetMon from SMS
– Microsoft Operations Manager
– ISA Server (IDS and honeypot)
Non-technologies
• Response
– People and processes
– You need a plan. Period
10 Things Attackers Don’t Want You To Do
1. Ensure everything is fully patched
2. Use strong pass phrases
3. Open only necessary holes in firewalls
4. Harden servers
5. Use properly hardened applications
6. Use least privilege
7. Restrict outbound traffic
8. Restrict internal traffic
9. Micro-manage service accounts
10. Maintain a healthy level of paranoia
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, MSN, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Appendix
Security Category / Security Principle
Organizational: directed to management’s commitment to risk management and security awareness
• Manage risk according to business objectives
• Define organizational roles and responsibilities
• Invest in secure design
• Commit to secure operations
Users and data: includes authentication, user privacy, and data authorization
• Manage to practice of least privilege
• Base decision on data classification and fair use
• Enforce privacy and privacy rules
• Ensure data integrity
• Monitor identity assurance
• Build in availability
Application and system development: dedicated to the design and development of secure systems
• Build security into the life cycle
• Design defense in depth
• Reduce attack surface
• Keep it simple
Operations and maintenance: people, processes, and technology to build, maintain, and operate secure systems
• Plan for system maintenance
• Enforce security configuration and hardening
• Monitor and audit
• Practice incident response
• Verify disaster recovery
Most Common Risks
• Poor password management
• Weak account management processes
• Unsecured and unmanaged remote computers
• Poorly configured and unpatched systems
• Weak auditing and monitoring processes
• Inadequately restricted access to critical information
Network Security Hardening
• Default OS configuration is acceptable for a trusted network
– Windows 2000 is very open by default
– Windows Server 2003 is much more secure
  • Still room for improvement
– Application hardening is critical
  • Same rules apply as for platform
Lemma: You cannot design an optimal security configuration without a thorough understanding of the usage pattern of a system
Threat Modeling
• Understanding and communicating the threats to your environment
• Commonly used in application design
• Writing Secure Code 2nd Ed.
• Can also be applied to networks
Best Practices
• Document
– Model applications and services
– Environment dependent
• Segregate
– Applications
– Security requirements
• Restrict
– Disable services
– Close ports
  • Use IPSec or RRAS filters
– Use different passwords
Document
• Purpose is to communicate what the environment looks like
• Use well understood modeling techniques
– Modified Data flow diagrams
– Threat trees
– Verbose documentation
Model The Network
[Diagram: network model showing Internet, Client (two), Domain Controller, VPN Server, Web Farm 1, Web Farm 2, SQL Cluster (two), Corp Servers, Corporate Domain Controller and Corporate Clients.]
Superimpose a DFD
[Diagram: the same network model (Internet, Client, Domain Controller, VPN Server, Web Farm 1, Web Farm 2, SQL Cluster, Corp Servers, Corporate Domain Controller, Corporate Clients) with a data flow diagram drawn over it.]
Segregate
• Segregate systems by application and security requirements
• Should you trust systems that are not part of your application?
– Which systems do they trust?
– What are their security requirements?
• Less sensitive systems may depend on more sensitive systems
• More sensitive systems MUST NEVER depend on less sensitive systems
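An added example, not part of the original slides: one way to check a documented environment against the dependency rule above, including indirect dependencies that are easy to miss on a diagram. The segment names follow the deck's diagrams; the sensitivity levels and dependency edges are constructed assumptions.

```python
# Constructed model: higher number = more sensitive. Levels and edges are
# assumptions for illustration, not taken from the slides.
SENSITIVITY = {
    "web_farm_1": 1,
    "staging_server": 2,
    "sql_cluster_1": 3,
    "domain_controller": 4,
}

# DEPENDS_ON[a] lists the systems that a relies on or trusts.
DEPENDS_ON = {
    "web_farm_1": ["sql_cluster_1", "domain_controller"],
    "sql_cluster_1": ["domain_controller", "staging_server"],
    "staging_server": ["web_farm_1"],
    "domain_controller": [],
}

def find_violations(sensitivity, depends_on):
    """Return (system, weaker_system, path) for every direct or transitive
    dependency of a system on a less sensitive one."""
    def level(name):
        # A system missing from the classification counts as least sensitive.
        return sensitivity.get(name, float("-inf"))

    found = []
    for start in sorted(depends_on):
        stack = [(dep, [start, dep]) for dep in depends_on[start]]
        seen = set()                       # guards against dependency cycles
        while stack:
            node, path = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if level(node) < level(start):
                found.append((start, node, path))
            stack.extend((dep, path + [dep]) for dep in depends_on.get(node, []))
    return found

if __name__ == "__main__":
    for system, weaker, path in find_violations(SENSITIVITY, DEPENDS_ON):
        print(f"{system} depends on less sensitive {weaker}: {' -> '.join(path)}")
```

In the constructed model the SQL cluster's dependency on the staging server also makes it depend, indirectly, on the web farm, which is the kind of chain the rule is meant to rule out.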
Network Segmentation
Documenting Segments
[Diagram: the segments Internet Client, VPN, Web Farm 1, Web Farm 2, SQL Cluster 1, SQL Cluster 2, Domain Controller (two), Corp Servers, Corp Clients and Corp DCs, with the traffic allowed between them labeled: 80, 443; 443; 1433; 1723; 3389 (Term Serv); DC traffic.]
Restrict
• Policies allow nothing but…
– Disable unnecessary services
– Remove users
– Restrict privileges
– Turn on security tweaks
– Remove permissions
– Set very strong passwords
• Restrict communications
– IPSec
– RRAS filters
Trust Boundaries
• Systems and entities you trust are included within your trust boundary
• Should your trust boundary include databases?
– It depends
  • Who writes to them?
  • Do you trust those systems?
– If you trust the systems that write to the database you may still not want to trust the database
  • Is it secure?
Trust Boundaries
[Diagram: Internet Client, Web Farm 1, SQL 1, Domain Controller and Staging Server, with a Trust Boundary drawn on the diagram. Traffic labels: 80, 443; 1433; 445; DC Traffic.]
Conclusion
• Prevention is less costly than reacting to incidents
• Enterprises should develop a system of security audits, system scans, and remediation steps and educate users about protecting their systems
• Impact to systems is reduced by having a detailed, well-rehearsed, and flexible incident response plan
Best Practices
• Upgrade from any unsupported OS
• Prioritize according to risk assessment
• Establish service management framework
• Start with a pilot project in a small, controlled area
• Anticipate evolutionary changes in technology
• Actively manage employee education and communication
• Consider network bandwidth constraints
• Train end users to identify virus behavior and proper response
• Stay secure and informed
Conclusion
• Network security is difficult
• Hardening networks requires understanding the environment
– Optimal hardening requires deep understanding
• There is a fundamental tradeoff between security and usability
• Three-phase approach to network hardening
– Document
– Segregate
– Restrict
Other Resources
Technical information
Microsoft Security Best Practices: http://www.microsoft.com/technet/security/bestprac.asp
MBSA: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp
Attend a free chat or web cast: http://www.microsoft.com/communities/chats/default.mspx http://www.microsoft.com/usa/webcasts/default.asp
List of newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Security Guidance And Training
Windows 2000 Security Hardening Guide: http://www.microsoft.com/technet/security/prodtech/Windows/Win2kHG/default.asp
Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?LinkId=14846
Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14839
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP: http://go.microsoft.com/fwlink/?LinkId=15159
Microsoft Guide to Security Patch Management: http://www.microsoft.com/technet/security/topics/patch/default.asp