Information Security Challenges & Best Practices
Meng-Chow Kang, CISA, CISSP, Chief Security & Privacy Advisor, Microsoft Asia Pacific

Upload: jocelyn-brown
Post on 28-Jan-2016
32 pages

TRANSCRIPT

Page 1: Information Security Challenges & Best Practices Meng-Chow Kang, CISA, CISSP Chief Security & Privacy Advisor Microsoft Asia Pacific

Information Security Challenges & Best Practices

Meng-Chow Kang, CISA, CISSP

Chief Security & Privacy Advisor

Microsoft Asia Pacific

Page 2: A Framework Approach

Framework diagram: four building blocks, set between the "Threats & Vulnerabilities Landscape" on one side and "People, Processes, & Tools" on the other:

- Mission and Vision
- Principles of Operation & Management
- Decision & Prioritization Model
- Implementation Tactics

What constitutes an effective strategy?

Page 3: Understanding the Landscape

Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) plotted against attacker skill (Script-Kiddie, Hobbyist Hacker, Expert Specialist), with the attacker categories Author, Vandal, Thief, Spy and Trespasser placed on the grid.

Page 4: An Evolving Threat

The same motivation-versus-skill chart as Page 3 (Curiosity, Personal Fame, Personal Gain, National Interest against Script-Kiddie, Hobbyist Hacker, Expert Specialist; categories Author, Vandal, Thief, Spy, Trespasser), annotated with four callouts:

- Largest area by volume
- Largest area by $ lost
- Largest segment by $ spent on defense
- Fastest growing segment

Page 5: Regional e-Security Index

Chart: Monthly Index 2003/4 and 3 Month Moving Average Index on an index scale of 0 to 2,000 (base month July 2001), plotted from M-03 to M-04; the two values labelled on the chart are 1,682 and 1,490.

E-SECURITY INDEX
- May's Index = 1,682
- 12 month high: 1,776 (Aug'03)
- 12 month low: 972 (May'03)
- 12 month median: 1,350
- 12 month mean: 1,383

Page 6: Regional e-Security Index

Chart: monthly e-Security Index from S-01 to M-04 on an index scale of 0 to 2,000 (base month July 2001), with a polynomial trend line ("Poly. (e-Security Index)", R2 = 66%). Events marked on the timeline: Nimda.B, Maldal.D, Klez.H, Bugbear, Sobig E., Hacker Competition, Blaster & Sobig F., Sasser.

e-Cop's e-Security Index has been tracking an average weighted monthly increase of about 8% in security incidents since Sep 2001

Source: e-Cop

Page 7: Originating Attack Sources - April 2004

Pie chart by region:
- North America 28%
- ASEAN 23%
- Japan 13%
- ANZ 12%
- North Asia 11%
- South Asia 3%
- Russia 3%
- Western Europe 3%
- Eastern Europe 2%
- South America 1%
- Korea 1%

* North Asia excludes Japan & South Korea
Source: e-Cop

Page 8: Top 10 Attack Types & Patterns - April 2004

Bar chart, % of Total Recorded (bars and percentages in the order shown on the slide):
- Microsoft Machines Service Vulnerabilities Attacks & Probes: 24%
- ICMP information gathering techniques: 21%
- HTTP Service Vulnerabilities Attacks & Probes: 18%
- SMTP Service and Vulnerabilities Attacks & Probes: 10%
- DNS Service and Vulnerabilities Attacks & Probes: 8%
- TCP 2745 Service Vulnerabilities Attacks & Probes: 5%
- TCP 123 Service Vulnerabilities Attacks & Probes: 3%
- TCP 1025 Service Vulnerabilities Attacks & Probes: 3%
- TCP 2967 Service Vulnerabilities Attacks & Probes: 2%
- Others: 6%

Source: e-Cop

Page 9: Situation

Timeline: Product ship -> Vulnerability discovered -> Component modified -> Patch released -> Patch deployed at customer site. Most attacks occur here, in the gap before the patch is deployed at the customer site.

- Hackers rely on patches to develop exploits
- Some security researchers are still disclosing vulnerabilities irresponsibly

Why does this gap exist?
- Lack of, or ineffective, patch management process
- Lack of defense-in-depth and configuration management in infrastructure security

Page 10: Exploit Timeline

Process, Guidance, Tools: Critical

- Days From Patch To Exploit have decreased so that patching is not a defense in large organizations
- Average 9 days for patch to be reverse engineered to identify vulnerability

Timeline: Product ship -> Vulnerability discovered -> Vulnerability made public / Component fixed -> Fix deployed -> Fix deployed at customer site. Why does this gap exist?

Days between patch & exploit code:
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25

Page 11: Microsoft IT Environment

World map of Microsoft sites: Canyon Park, Redmond; Silicon Valley; Las Colinas; Charlotte; Chicago; Sao Paulo; Dublin; Thames Valley Park; Benelux; Les Ulis; Madrid; Milan; Munich; Stockholm; Dubai; Johannesburg; Singapore; Chofu & Otemachi; Sydney.

- 400+ supported Microsoft sites worldwide
- 55,000 employees
- 90,000 mailboxes
- 110 Exchange servers / 36 mailbox servers
- 3M+ e-mail messages per day
- 300,000+ network devices
- 6,000 data-center servers
- 400 primary LOB applications
- 26 million voice calls per month

What's your Technology Profile? What's your Threat environment? What's your Risk Profile?

Page 12: A Framework Approach (agenda slide repeated: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools)

Page 13: Mission and Vision

Cycle: Assess Risk -> Define Policy -> Monitor -> Audit

Mission: Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

Vision: An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client

Five Trustworthy Assurances:
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Roles and accountability are clearly defined
- There is a timely response to risks and threats

Page 14: Other Business Drivers

Online Business Enablement
- Integrate Partners in Supply Chain
- Connect with Customers
- Empower the information workers

Reducing Operational Costs
- Reducing cost of unexpected security events
- Reducing losses from frauds and security failures

Security Risk Management
- Reducing exposures to technology threats
- Preventing computer-related frauds
- Enforce policies and improve audit capability

Regulatory Compliance
- HIPAA
- Gramm-Leach-Bliley
- Sarbanes-Oxley Act

Page 15: A Framework Approach (agenda slide repeated: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools)

Page 16: Security Principles

Management commitment
- Manage risk according to business objectives
- Define organizational roles and responsibilities

Users and data
- Manage to practice of least privilege
- Strictly enforce privacy and privacy rules

Application and system development
- Build security into development life cycle (Microsoft SD3+C Framework)
- Create layered defense and reduce attack surface (Defense-in-depth)

Operations and maintenance
- Integrate security into operations framework
- Align monitor, audit, and response functions to operational functions
- Watchful, constant vigilance, readiness, and responsiveness

Page 17: Strategies for Security Policies

Root your security policy in well-known industry standards or regulations
- ISO 17799 – Security Management Best Practices
- ISC2 Common Book of Knowledge
- RFC 2196 – Site Security Handbook

Security policies have to start from the top down
- Illustrate the value of security policy to management
- Get corporate legal and HR departments to assist you

Page 18: Environment conducive for protection

- Protection ready versus attackers' friendly
- Laws and regulations
- Enforcements
- Rewards and penalties
- Think and do security

Page 19: A Framework Approach (agenda slide repeated: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools)

Page 20: Enterprise Risk Model

Grid: vertical axis Impact to Business, Low to High (Defined by Business Owner); horizontal axis Probability of Exploit, Low to High (Defined by Corporate Security). The low-impact, low-probability region is labelled Acceptable Risk and the high-impact, high-probability region Unacceptable Risk.

Risk assessment drives to acceptable risk

Page 21: Risk Management Process and Roles

Five-step cycle:
1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance

Roles shown on the diagram: Corporate Security, Cross-IT Teams; Tactical Prioritization.

Page 22: A Risk-based Approach

Diagram of the risk programme, answering three questions: Where/what are the risks? How are they affecting the Organization? What are we doing about them? Scope labels on the diagram: TS/LOB, ALL.

Continuous Risk Assessments
- Network Infrastructure Risk Assessment
- Platform Infrastructure Risk Assessment
- Continuous Application Risk Assessment

Risk Profile -> Remediation Projects, Tactical Action Plans, Corrective Actions

Self Assessment Reports
- LOB's Control Self Assessment

Audit Reports
- Not available yet.
- Review of issues accuracy & action plans quality
- GAD's Audit Program
- Regulators' Inspection (Progress scorecard used.)

Awareness Program
- IT Control Policies
- Focused Programs

Security Services
- Ext Connectivity
- Network Certification
- OSP

Project Security
- New applications & infrastructure projects

Page 23: A Framework Approach (agenda slide repeated: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools)

Page 24: Representative Risks and Tactics

Embody Trustworthy Computing

Enterprise Risks -> Tactical Solutions
- Unpatched Devices -> Secure Environmental Remediation
- Unmanaged Devices -> Network Segmentation Through IPSec
- Remote and Mobile Users -> Secure Remote User
- Single-Factor Authentication -> Two-Factor for Remote Access and Administrators

Further tactical solutions listed: Managed Source Initiatives; Focus Controls Across Key Assets

Page 25: Defense in Depth

Using a layered approach:
- Increases attacker's risk of detection
- Reduces attacker's chance of success

Layers, outermost to innermost, with the example controls shown for each:
- Policies, Procedures, and Awareness: User education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, VPN quarantine
- Internal Network: Network segments, IPSec, NIDS
- Host: OS hardening, authentication, patch management, HIDS
- Application: Application hardening, antivirus
- Data: ACL, encryption

Page 26: A Framework Approach (agenda slide repeated: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools)

Page 27: Corporate Security Group Organization

Corporate Security Group, four teams:

Threat, Risk Analysis, and Policy
- Threat and Risk Analysis
- Policy Development
- Product Evaluation
- Design Review
- Structure Standards
- Security Management

Assessment and Compliance
- Security Assessment
- Compliance and Remediation

Monitoring, Intrusion Detection, and Incident Response
- Monitoring and Intrusion Detection
- Rapid Response and Resolution
- Forensics
- IT Investigations

Shared Services Operations
- Physical and Remote Access
- Certificate Administration
- Security Tools
- Initiative Management

Page 28: Processes and Tools

Driven (influenced) largely by policies and strategy

Common challenges
- Information security/risk budget normally not covering cost of devising and implementing security processes and tools, in particular, tools required for risk analysis and performance measurement
- Spreadsheets as database of control status
- Checklist remains predominantly tool of choice
- Quality of answers vs completion of checklist questions
- No linkages to organization's technology/information inventory

Page 29: Security Readiness

- Risk management does not guarantee risk elimination
- Exploits increasingly sophisticated
- Ready to act, ready to change
- Education and training
- Scenarios planning
- Drills, drills, drills …

Page 30: Security Response Plan

Flow: Information on security incident received, or Vulnerability detected by audit -> Decision to begin Response Plan by IT Security -> Risk rating -> Response team assembled, Ticket opened -> RESPONSE PLAN -> De-escalation, return to normal operations -> Post-incident review, ticket closed

RESPONSE PLAN
- Evaluation
- Isolate and contain threat
- Analyze and respond
- Alert others as required
- Begin system remediation
- Determine remediation

Feedback loops around the plan: Ongoing evaluation and response revisions; Ongoing audit.

Determining the Risk Rating of the Incident/Vulnerability involves:
- Severity of the event
- Overall business impact
- Criticality of vulnerable/attacked assets
- Public availability of information
- Scope of exposure
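Added example, not from the deck: a Python sketch that feeds the five rating inputs listed on this slide into the two axes of the Enterprise Risk Model on Page 20 (Impact to Business, defined by the business owner; Probability of Exploit, defined by corporate security) and places an incident in the acceptable or unacceptable region. The 1-5 scale, the assignment of factors to axes, the product score and the thresholds are assumptions of this example, not values from the slides.

```python
"""Incident risk rating built on the deck's Enterprise Risk Model.

Assumed model (not from the deck): every factor is rated 1..5, the business
owner's factors feed the impact axis, corporate security's factors feed the
probability axis, and the grid position is impact * probability.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale: 1 = low, 5 = high


@dataclass(frozen=True)
class IncidentFactors:
    """The five rating inputs named on the Security Response Plan slide."""
    severity: int           # severity of the event
    business_impact: int    # overall business impact
    asset_criticality: int  # criticality of vulnerable/attacked assets
    public_info: int        # public availability of information on the weakness
    exposure_scope: int     # scope of exposure (how much of the estate is reachable)

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early so a typo cannot silently skew the score.
        for name, value in vars(self).items():
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value}")


def impact_to_business(f: IncidentFactors) -> int:
    """Impact axis (defined by the business owner): business impact and asset criticality.

    The maximum is used rather than the mean so that a critical asset is not
    diluted by a modest overall impact figure (an assumption of this example).
    """
    return max(f.business_impact, f.asset_criticality)


def probability_of_exploit(f: IncidentFactors) -> int:
    """Probability axis (defined by corporate security): severity, public info, scope.

    Rounded mean of the three security-side factors (an assumption of this example).
    """
    return round((f.severity + f.public_info + f.exposure_scope) / 3)


def risk_rating(f: IncidentFactors, acceptable_max: int = 9) -> dict:
    """Place the incident on the impact x probability grid.

    The grid score is the product of the two axes (1..25). Anything above
    acceptable_max falls in the 'Unacceptable Risk' region and is handed to the
    response plan with a priority; the threshold and priority cut-offs are assumed.
    """
    impact = impact_to_business(f)
    prob = probability_of_exploit(f)
    score = impact * prob
    if score > acceptable_max:
        region = "Unacceptable Risk"
        priority = "P1" if score >= 20 else "P2"
    else:
        region = "Acceptable Risk"
        priority = "P3"
    return {"impact": impact, "probability": prob, "score": score,
            "region": region, "priority": priority}


# Constructed sample incidents for illustration (not real cases).
WORM_ON_UNPATCHED_SERVER = IncidentFactors(
    severity=5, business_impact=4, asset_criticality=5, public_info=5, exposure_scope=5)
SCAN_OF_ISOLATED_TEST_LAB = IncidentFactors(
    severity=2, business_impact=1, asset_criticality=2, public_info=3, exposure_scope=1)

if __name__ == "__main__":
    for name, incident in [("worm on unpatched server", WORM_ON_UNPATCHED_SERVER),
                           ("scan of isolated test lab", SCAN_OF_ISOLATED_TEST_LAB)]:
        print(f"{name}: {risk_rating(incident)}")
```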

Page 31: Summary

- No silver bullet
- Understand and keep tabs on the changing threat environment
- Develop a cybersecurity strategy with clear mission and vision, adopting a decision and prioritization model, with strong security principles to guide implementation and selection of solutions
- Combine technology, procedures, and proper use of personnel to reduce vulnerabilities
- A preventative approach toward critical security issues is less expensive than correcting vulnerabilities after systems have been compromised
- Constant vigilance and readiness to respond at all times

Framework recap: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

Security is a journey, not a destination

Page 32: Closing

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.