Microsoft Security Strategy and MITS Compliance Planning Tools
John Weigelt, National Technology Officer, Microsoft Canada

Post on 12-Jan-2016

Page 1

Microsoft Security Strategy and MITS Compliance Planning Tools

John Weigelt
National Technology Officer
Microsoft Canada

Page 2

Agenda

Welcome/Introduction
Microsoft’s Security Strategy
MITS History/Background Information
Introduction to Microsoft’s MITS Compliance Planning Guide and On-line Compliance Tools
Q&A

Page 3

Welcome to the Microsoft MITS Seminar Series

Oct 3 – Introduction to Microsoft’s Security Strategy and MITS Compliance Tools
Oct 10 – Risk Management
Oct 17 – Active Security Cycle and Defence-in-Depth

Page 4

Seamless Computing (diagram labels): Information Driven; Experiences; Connected; Self-organization; Replication; Handwriting; Speech; Content Addressability; Amazing, engaging visualization; Machine-to-Machine Interaction; Person-to-Person Interaction; Person-to-Machine Interaction

Page 5

The Evolving Threat (chart)

Motivation axis: Curiosity; Personal Fame; Personal Gain; National Interest
Expertise axis: Script-Kiddy; Undergrad; Expert; Specialist
Actor labels: Vandal; Trespasser; Thief; Spy; Author

Page 6

Increasingly Challenging Security Concerns

Threats are more dangerous than ever
More advanced
Profit motivated
More frequent
Application-oriented

Fragmentation of security technology
Too many point products
Poor interoperability among security products
Lack of integration with IT infrastructure

Difficult to use, deploy and manage
Multiple consoles
Uncoordinated event reporting & analysis
Cost and complexity

Security Solution Requirements

“All security frameworks should include a comprehensive, layered approach...”
Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner – May 2005

“Integration and simplified manageability are important drivers when purchasing security”
The State of Security in SMB & Enterprises, Forrester Research, Inc. – Sept. 21, 2005

Page 7

Slide quadrants: Virus & Malware Prevention; Business Practices; Implementing Defense in Depth; Security Management

Viruses, Spyware and Worms; Botnets and Rootkits; SPAM, Phishing, Evil Twins and Fraud

Deploying Security Updates; System Identification and Configuration; Security Policy Enforcement

Identity Management and Access Control; Managing Access in the Extended Enterprise; Security Risk of Unmanaged PCs

Regulatory Compliance; Develop and Implement Security Policies; Reporting and Accountability

Page 8

Security: Solution Enabler

A safe Internet experience for Citizens
Secure Wireless
Secure Mobility
Reliable Client Machines
Public Safety Community Interoperability
Inter-jurisdictional Collaboration
Trusted Digital Communities

Page 9

How Do You Trust Your Environment?

Detailed policies and procedures
Awareness and education
Leverage existing product features
Employ specialized solutions
Maximize the use of trustworthy products: Designed and Evaluated to be secure; Ongoing maintenance
All while ensuring consistency with traditional service delivery channels

Page 10

Implement Defence in Depth

Engages the entire organization for success
Allows for the allocation of controls outside of IT
Supports a multidisciplinary approach

Layers (diagram): Legislation; Policies; Procedures; Physical Controls; Native Application Features; Specialized Capabilities

Page 11

Secure against attacks
Protects confidentiality, integrity and availability of data and systems
Manageable

Protects from unwanted communication
Controls for informational privacy
Products, online services adhere to fair information principles

Predictable, consistent, responsive service
Maintainable, easy to configure and manage
Resilient, works despite changes
Recoverable, easily restored
Proven, ready to operate

Commitment to customer-centric Interoperability
Recognized industry leader, world-class partner
Open, transparent

Page 12

Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe

Excellence in fundamentals
Security innovations
Best practices, whitepapers and tools
Authoritative incident response
Security awareness and education through partnerships and collaboration
Information sharing on threat landscape

Page 13

Microsoft’s Security Development Lifecycle

Corporate process and standard for security in engineering
Evangelized internally through training
Verified through pre-ship audit
The Security Development Lifecycle book
Shared with ISV and IT development partners: Documentation and training; Learning Paths for Security; Active community involvement
Automated with tools in Visual Studio: PREfast; FxCop

Page 14

Security Development Lifecycle (process phases)

Product Inception: Assign security advisor; Identify security milestones; Plan security integration into product
Design: Define security architecture and design guidelines; Document elements of software attack surface; Threat Modeling
Standards, best practices, and tools: Apply coding and testing standards; Apply security tools (fuzzing tools, static-analysis tools, etc.)
Security Push: Security code reviews; Focused security testing; Review against new threats; Meet signoff criteria
Final Security Review: Independent review conducted by the security team; Penetration testing; Archiving of compliance info
RTM and Deployment: Signoff
Security Response: Plan and process in place; Feedback loop back into the development process; Postmortems

Page 15

More than 288 million copies distributed
Significantly less likely to be infected by malware
Service Pack 2 / Service Pack 1
More than 4.7 million downloads
More secure by design; more secure by default
Helps protect against spyware; Included in Windows Vista
Most popular download in Microsoft history; protecting more than 28M customers
3.4B total executions; 19M disinfections
Dramatically reduced the number of Bot infections
As of May 2006

Page 16

Diagram labels:
Guidance
Developer Tools
Systems Management
Active Directory Federation Services (ADFS)
Identity Management Services
Information Protection: Encrypting File System (EFS); BitLocker™
Network Access Protection (NAP)
Client and Server OS
Server Applications
Edge

Page 17

www.microsoft.com/security/guidance

Page 18

Guidance and Tools: Delivering Support, Creating Community

o Security tools: Microsoft Baseline Security Analyzer; Security Bulletin Search Tool
o Guidance and training: Security Guidance Center; E-Learning Clinics
o Community engagement: Newsletters; Webcasts and chats

Page 19

Managing and resolving security vulnerabilities and security incidents

MSRC Blog
Insights directly from the MSRC team
Updates on recent security related news, activities, announcements, and threat issues
http://blogs.technet.com/msrc/

Security Advisories
Supplement Microsoft Security Bulletins
Provide early information about vulnerabilities, mitigations and workarounds
Updated throughout incident with new information

Security Bulletins
Published for each Microsoft security update
Mitigations and workarounds for fixed vulnerabilities
Distribution and deployment guidance
Bulletin ratings: Critical; Important; Moderate; Low

Page 20

Page 21

Microsoft Security Collaboration for Governments

Offerings are designed to address different concerns

Primary Security Concern: Security of IT deployments; Product security; Computing safety

Government Security Program (GSP)
• Source code access
• Certification evidence
• Training
• Feedback
• New - now includes GSHP
Primary audience:
• Policy makers
• Purchasing decision makers

Security mobilization
• Prescriptive guidance via on-line content, CD-ROM, on-line training, service offerings
Primary audience:
• IT managers & professionals
• Developers

Security Cooperation Program (SCP)
• Incident response and public safety collaboration
• Cooperative projects
• Information exchange
Primary audience:
• Policy and national security agencies
• Public safety and incident response agencies

Page 22

Security Cooperation Program

“This innovative alliance demonstrates the government of Canada’s commitment to cybersecurity. Prevention of cyberdisruptions and improving our capacity to respond to incidents are critical to securing both our economy and public safety.”

Honorable Anne McLellan, Former Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness Canada

Page 23

Microsoft Government Security Program

The Government Security Program (GSP) is a global initiative that provides national governments and international organizations with access to the Windows source code, related technical information, and development personnel.

This access enhances governments’ ability to better evaluate and protect their existing systems and to more securely design, build, deploy, and maintain their computing infrastructures.

Page 24

Seamless Service Delivery

Page 25

Peter Watkins, CTO BC Gov

Diagram labels: sectors Resource, Health, Social, Education, Legal, Commerce; participants in each sector Ministry, Private Sector, Broader Public Sector

Page 26

The Gartner Hype Cycle

•[Insert intro video]

Page 27

The Context Of Compliance

COMPLIANCE

Sarbanes-Oxley: Fiscal accountability for all public companies
Personal Information Protection and Electronic Documents Act (PIPEDA)
U.S. PATRIOT Act
Freedom of Information, Privacy Protection Act: BC law for protection of personal information
Management of Information Technology Security: Defines requirements for a Comprehensive IT Security Program
California SB 1386: Law requiring customer notification if their personal data was, or was believed to be, compromised
Gramm-Leach-Bliley Act (GLBA): Privacy of financial information
Personal Health Information Protection Act (PHIPA): Ontario law for protection of personal health information

Page 28

Compliance must be addressed in each architectural element

Zachman Framework (Framework Copyright by John Zachman)

Rows (perspectives): Contextual (Strategic/Business); Conceptual; Logical (Systems); Physical; Implementation (Detailed Blueprints); Functioning Organization (Operations)
Columns: What; How; Where; Who; When; Why (Data; Services; Networks; People; Schedules; Rules)

Contextual: List of important things; List of processes; List of locations; List of organizations; List of events; Business vision, goals, strategies
Conceptual: Information model; Process model; Logistics network; Work flow model; Master schedule; Business plan, Performance Model
Logical: Logical data model; Application architecture; Distribution architecture; Human interface architecture; Processing structure; Business rule model
Physical: Physical data model; System design; System architecture; Presentation architecture; Control structure; Rule design
Implementation: Data definition; Program; Network architecture; Security architecture; Timing definition; Rule specification

Page 29

Microsoft Regulatory Compliance Guide

The guide describes a framework of control objectives which can be applied to a variety of compliance vehicles
Based upon HIPAA, SARBOX, GLBA, EUDPD
Strong affinity between the control objectives in the guide and other audit frameworks
Control objectives are in business outcome language

http://www.microsoft.com/technet/security/topics/complianceandpolicies/compliance/rcguide/default.mspx?mfr=true

Page 30

Microsoft Regulatory Compliance Guide

Describes generic technology categories and maps them against the control objectives
These technology categories provide a common ontology for applying tools to address compliance requirements
Maps technology categories against Microsoft products and guidance

Page 31

Defense in Depth

Policy
Process
People
Product
Partnerships

Legislation
Government Security Policy
Management of IT Security Std
Detailed Technical Standards

Page 32

Security Guidance Framework

Tier 1: Government Security Policy
Tier 2: Operational Security Standards
Tier 3: Detailed Technical Standards

MITS

Page 33

Government Security Policy

Originally created in 1986
Reviewed in 1994 and 2002

prescribes the application of safeguards to reduce the risk of injury. It is designed to protect employees, preserve the confidentiality, integrity, availability and value of assets, and assure the continued delivery of services. Since the Government of Canada relies extensively on information technology (IT) to provide its services, this policy emphasizes the need for departments to monitor their electronic operations.

Page 34

Government Security Policy

Defines a comprehensive security program for government departments

Organization and Administration
Personnel Security
Physical Security
Information Technology Security
Security In Contracting
Business Continuity
Sanctions

Page 35

What is MITS?

The Management of Information Technology Security (MITS) standard is a Treasury Board standard that applies to GoC departments and agencies

Purpose: This standard defines baseline security requirements that federal departments must fulfill to ensure the security of information and information technology (IT) assets under their control.

Compliance deadline: 31 Dec 2006

Page 36

Some items to be aware of…

MITS is not prescriptive – it describes what must be done, not how
MITS is the minimum baseline – not the maximum
MITS addresses more than technology (People, Policy, Process, Product, Partnership)
MITS compliance does not guarantee security
MITS is not the only compliance area GoC departments/agencies must contend with
MITS (and other guidelines) will evolve

Page 37

Microsoft’s MITS Compliance Planning Guide

Primary purpose: To help departments enhance their information security posture

Other Objectives
To assist in identifying where existing technology investments can be leveraged to respond to the MITS requirement
To demonstrate how the generic technology categories can be applied to many compliance requirements

Page 38

Microsoft’s MITS Compliance Planning Guide

The guide identifies specific Microsoft products and services that can be used to help respond to the 120+ mandatory MITS requirements

While this guide is focused on MITS, it is also designed to provide a generic framework that can be used to:
Evolve with MITS and related GoC IT Security guidelines
Respond to other guidelines and legislation, not just MITS
Help non-GoC organizations (Provincial, Municipal, Private Industry)

Page 39

Microsoft’s MITS Compliance Planning Guide Approach/Structure

Generic Framework (20 Technical Solution Categories)
MITS Major Section Mapping Against Technical Solution Categories (Table 1)
MITS Compliance Matrix (Annex A)

Page 40

Microsoft’s MITS Compliance Planning Guide - Framework

The Guide adapts the regulatory framework of control objectives
Strong affinity between the control objectives in the guide and other audit frameworks
Generic categories in business outcome language that can be applied

Page 41

Microsoft’s MITS Compliance Planning Guide

Technology Categories

Document Management
Business Process Management
Project Management
Risk Assessment
Change management
Network Security
Host Control
Malicious Software Prevention
Application Security
Messaging and Collaboration
Data Classification and Protection
Identity Management
Authentication, Authorization and Access Control
Training
Physical Security
Vulnerability Identification
Monitoring and Reporting
Disaster Recovery and Failover
Incident Management and Trouble Tracking
Mobile Computing

Page 42: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Microsoft’s MITS Compliance Planning Guide - Mapping

• Generally, no one technology category will alone satisfy the MITS mandatory requirement

• Mapping matrix provides a straightforward mechanism to illustrate the technologies that can be used to address the requirement

• Matrix looks to describe the various complementary tools to satisfy the requirement in a holistic manner

Page 43: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Table 1 – MITS Mapping

[Mapping matrix: rows are MITS sections, columns are the Guide’s technology categories; the individual check-mark cells are not recoverable from this transcript.]

Columns (technology categories): Document Management; Business Process Management; Project Management; Data Classification and Protection; Risk Assessment; Change Management; Network Security; Host Control; Malicious Software Prevention; Application Security; Messaging and Collaboration; Identity Management; Authentication, Authorization & Access Control; Training; Physical Security; Vulnerability Identification; Monitoring and Reporting; Disaster Recovery and Failover; Incident Management and Trouble-Tracking; Mobile Computing

Rows (MITS sections):

9.1 IT Security Coordinator

9.2 Senior Management

9.3 Departmental Security Officer

9.4 Chief Information Officer

9.5 Business Continuity Planning Coordinator

9.6 Program and Service Delivery Managers

9.7 IT Operational Personnel

9.8 Other Personnel

9.9 COMSEC Custodian

9.10 IT Project Managers

10. Departmental IT Security Policy

11. IT Security Resources for Projects

12.1 Security in the System Development Life Cycle

12.2 Identification and Categorization of Information and IT Assets

12.3 Security Risk Management

12.3.2 Threat and Risk Assessment

12.3.3 Certification and Accreditation

12.5 Vulnerability Management

12.5.1 Vulnerability Assessments

12.5.2 Patch Management

12.6 Segregation of Responsibilities

12.8 Continuity Planning

12.10 Sharing and Exchange of Information and IT Assets

12.11 Departmental IT Security Assessment and Audit

12.11.1 Self-Assessment

12.11.2 Internal Audit

Page 44: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Table 1 – MITS Mapping (cont’d)

[Mapping matrix, continued: rows are MITS sections, columns are the Guide’s technology categories; the individual check-mark cells are not recoverable from this transcript.]

Columns (technology categories): Document Management; Business Process Management; Project Management; Data Classification and Protection; Risk Assessment; Change Management; Network Security; Host Control; Malicious Software Prevention; Application Security; Messaging and Collaboration; Identity Management; Authentication, Authorization & Access Control; Training; Physical Security; Vulnerability Identification; Monitoring and Reporting; Disaster Recovery and Failover; Incident Management and Trouble-Tracking; Mobile Computing

Rows (MITS sections):

12.12 IT Security Awareness

12.13 IT Security Training

13. Graduated Safeguards

14.1 Configuration Management and Change Control

14.2 Problem Reporting/Help Desk

14.3 System Support Services

15. Active Defence Strategy

16.1 Physical Security within the IT Security Environment

16.2 Storage, Disposal and Destruction of IT Media

16.3 Personnel Security within the IT Security Environment

16.4.1 Selection of Security Products

16.4.2 Identification and Authentication

16.4.3 Authorization and Access Control

16.4.4 Cryptography

16.4.5 Public Key Infrastructure

16.4.6 Network Security and Perimeter Defence

16.4.7 Mobile Computing and Teleworking

16.4.8 Wireless Devices

16.4.11 Software Integrity and Security Configuration

16.4.12 Malicious Code

17. Detection

18. Response and Recovery

18.3 Incident Response

18.4 Incident Reporting

18.5 Recovery

18.6 Post Incident Analysis

Page 45: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Microsoft’s MITS Compliance Planning Guide – Compliance Matrix

Illustrates Microsoft technologies and guidance that can be used to meet the MITS requirement

Many guidance documents provide technology independent direction

E.g. Writing Secure Code 2ed, Threat Modeling, Security Development Lifecycle

Page 46: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Engineering for Security

Improved Security Development Lifecycle (SDL) process

Threat modeling and code reviews

Common Criteria (CC) Certification

Windows Service Hardening

Runs services with reduced privileges

Services have profiles for allowed file system, registry, and network activities that are enforced by the firewall and ACLs

Kernel Security

Make it harder for rootkits to elude detection

x64 Driver Signing

Kernel-mode drivers must be signed

Kernel Patch Protection

Kernel hooks by applications disabled
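The service hardening bullets above say services run with reduced privileges and with per-service profiles enforced by the firewall and ACLs. The following PowerShell audit is an added example, not code from the deck or from Microsoft: it reports, for each Windows service, the account it runs under, its per-service SID type and the privileges it declares, so a defender can see which services on a host actually have those levers applied. It assumes a Windows host with sc.exe and the Win32_Service CIM class; the function name Get-ServiceHardeningReport is chosen here.

```powershell
# Added example (not from the deck): audit each Windows service against the
# reduced-privilege posture described on the slide (per-service SID, trimmed
# privilege set, non-LocalSystem account). Assumes a Windows host with sc.exe
# and the Win32_Service CIM class; the function name is an assumption here.

function Get-ServiceHardeningReport {
    param(
        # Service names to inspect; defaults to every installed service.
        [string[]]$Name = (Get-CimInstance -ClassName Win32_Service).Name
    )

    foreach ($svc in $Name) {
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if (-not $cim) { continue }

        # "sc.exe qsidtype" reports the per-service SID type: NONE, UNRESTRICTED
        # or RESTRICTED. With NONE the service has no SID of its own, so ACLs on
        # files, registry keys and firewall rules cannot be scoped to it.
        $sidOut  = (& sc.exe qsidtype $svc 2>&1) -join "`n"
        $sidType = if ($sidOut -match 'SERVICE_SID_TYPE:\s*(\w+)') { $Matches[1] } else { 'UNKNOWN' }

        # "sc.exe qprivs" lists the privileges the service asked to keep; an
        # empty list means the service runs with the whole account token.
        $privOut = (& sc.exe qprivs $svc 2>&1) -join "`n"
        $privs   = [regex]::Matches($privOut, 'Se\w+Privilege') |
                   ForEach-Object { $_.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Name       = $svc
            Account    = $cim.StartName
            SidType    = $sidType
            Privileges = if ($privs) { $privs -join ',' } else { '(all of account)' }
            # Worth a second look: LocalSystem, no per-service SID and no trimmed
            # privilege set, i.e. none of the hardening levers are applied.
            Review     = ($cim.StartName -eq 'LocalSystem' -and $sidType -eq 'NONE' -and -not $privs)
        }
    }
}

# Usage: list the services with no hardening applied first.
Get-ServiceHardeningReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host under review; sc.exe needs administrative rights to query the SID type and privilege list of every service. The Review column is a triage hint, not a verdict: a LocalSystem service with no per-service SID may still be fine if it is a core OS component, but it is the place to start when checking that third-party services do not run with more than they need.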

Page 47: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Threat and vulnerability mitigation

Prevention

Forefront Client Security

Windows Defender

Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

Stop known and unknown attacks

Isolation

Virtual PC and Virtual Server

Windows Firewall

IPSec

IE Protected Mode

NAP

ISA Server

Limit impact of attacks

Recovery

File back up and restore

CompletePC™ image-based backup

System Restore

System Center Data Protection Manager

Volume Shadow Copies

Volume Revert

Restore to known good state

Page 48: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Windows Security Center

Shows status of security software and settings

Monitor multiple vendors’ security solutions running on a PC and indicate which are enabled and up-to-date

Windows Firewall

Bi-directional firewall capabilities; on by default

Key component to enforce service hardening

IPSec integration

Can be disabled by 3rd party firewall applications

Windows Defender

Detection and removal of spyware and other potentially unwanted software

Protection of OS extensibility points

Protect against damage caused by malware install

IE Protected Mode

IE process ‘sandboxed’ to protect OS

Designed for security and compatibility

Page 49: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Policy definition and enforcement

Protects information wherever it travels

In Windows Vista - Integrated RMS Client

Policy-based protection of document libraries in SharePoint

User-based file and folder encryption

In Windows Vista - Ability to store EFS keys on a smart card

Hardware-enabled data protection

Provides full volume encryption

Laptop and server scenarios

In Windows Vista

Page 50: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Authentication

New Logon Architecture replacing GINA

Smart Card integration

Native Smart Card support

Strong authentication

User Account Control

Easier to run as standard user

Parental controls

Greater protection for administrators

Network Access Protection

Ensure that only “healthy” machines can access corporate data

Enable “unhealthy” machines to get clean before they gain access

Page 51: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Enable secure, policy-based access only to legitimate users

Trust Ecosystem / Credential Management / Access and Authorization

Active Directory Federation Services

ADAM and AZMan

Windows CardSpace™ (formerly InfoCard)

Microsoft Identity Integration Server (MIIS)

Certificate Lifecycle Manager

Certificate Services

Credential roaming

Role-based access control

Windows Auditing improvements

Page 52: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Client and Server OS

Server Applications

Edge

Microsoft Forefront provides greater protection and control over the security of your business’ network infrastructure

Page 53: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Windows Mobile 5 devices with MSFP interact directly with Exchange Server 2003 SP2

Device Security

Password PIN Policy Enforcement

Device Wipe (local and remote)

Secure Messaging Certificate Authentication

Remotely Manage and Enforce Corporate IT Policies (over the air)

Server Sync – “get” e-mail, when and where you want

Page 54: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

On-line Tools

Microsoft MITS Compliance Planning Guide available at Microsoft.ca

MITS Compliance Questionnaire/Scorecard

Contact e-mail address: [email protected]

Page 55: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Demo

Page 56: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Security tools

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/Security/tools/default.mspx

Security Bulletin Search Tool

http://www.microsoft.com/technet/security/current.aspx

Guidance and training

Security guidance, tools, updates for the home

http://www.microsoft.com/athome/security/protect/default.mspx

Security Guidance Center

http://www.microsoft.com/security/guidance/default.mspx

E-Learning Clinics

https://www.microsoftelearning.com/security/

XP SP2 focus - https://www.microsoftelearning.com/xpsp2/

Community engagement

Newsletters

http://www.microsoft.com/technet/security/secnews/newsletter.htm

Webcasts and chats

http://www.microsoft.com/seminar/events/security.mspx

Great Starting Point - http://www.microsoft.com/security/guidance/default.mspx

Page 57: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Additional Resources

Microsoft Home: http://www.microsoft.com/

Security Related: http://www.microsoft.com/security/

Product Related: http://www.microsoft.com/products/

Partner resource: http://msreadiness.com/

IT Pros: http://technet.microsoft.com/

Developers: http://msdn.microsoft.com/

Page 58: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

Q&A

Page 59: Microsoft Security Strategy and MITS Compliance Planning Tools John Weigelt National Technology Officer Microsoft Canada

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

John [email protected]