TRANSCRIPT
The Whole/Hole of Security: Public (DoD) v. Corporate
Carl Bourland
US Army Judge Advocate General’s Corps
1. System Administrator Training

- Security must be in place from the "cradle to the grave" for every system.
- Server consolidation can open up secure systems to potential vulnerabilities: a sensitive service moved onto a shared host inherits the exposure of everything else running there.
- System administrator shortcuts sometimes compromise good security.

The Department of Defense requires a two-week training certification and a background check for all system administrators.
2. End User Training

- Security training should be required before initial access and recurring thereafter.
- Users can defeat millions of dollars of security just by giving away their password.
- Most users are "just trying to be helpful"; management "needs a favor".

The Department of Defense requires security training pertinent to the user's system before a password is issued, and annually thereafter.
3. Defense in Depth

- Use multiple security measures to secure your system.
- There is no one product that implements good information security.
- Firewalls, intrusion detection systems, anti-virus software, access control lists, data backups, software patches.

The Department of Defense requires software patches and compliance verification.
4. Offsite Systems

- Examples: laptops, PDAs, wireless devices.
- These systems may be compromised offsite and then brought inside the network.
- By nature, people do not report lost equipment immediately.

The Department of Defense regulates the use of wireless and infrared technologies.
5. Vulnerability Assessments

- Scan systems from the inside and the outside to test security, then patch the issues found.
- Consider an outside company to do the assessment in order to obtain an unbiased result.

The Department of Defense requires annual vulnerability assessments and provides software for security officers to conduct assessments on a more frequent basis.
6. Stringent Policies

- User policies must be easy to understand: concise and clear.
- User policies should provide consequences for not following them.
- All personnel should be subject to the policies.

Military personnel may be court-martialed for not following regulations and policies; DoD civilians risk losing their jobs.
7. Incident Response Plans

- Users should know how to react when their system behaves abnormally.
- System administrators should know what procedures to follow during an incident.
- Organizations should have a disaster recovery plan and test it periodically.

The Department of Defense has layers of computer emergency response teams in place to handle information security incidents.
8. System Documentation and Standardization

- System security should be documented.
- Consider a formal acceptance (sign-off) of the security of all systems.
- Standardization of security configurations is the key to security.

The Department of Defense requires a formal Certification and Accreditation of all information systems.
9. Prevention/Detection

- Prevention is ideal, but detection is a must.
- You cannot prevent all attacks; those you cannot prevent must be detected in time to defend against them.
- Plans are based on the threats, the value of the information, and the cost of securing the data.

Firewalls and intrusion detection systems are located at all entry points to the DoD network.
10. Passwords or Certificates

- User IDs and passwords are still the most common authentication mechanism.
- All passwords can be broken given enough time and resources; complex passwords or lengthy passphrases are the key to good security.
- Certificate (PKI) authentication allows encryption, non-repudiation, and digital signatures.

The DoD is implementing an enterprise-wide PKI system.
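The password half of this slide, as an added example that is not part of the talk: a Python script that puts numbers on "given enough time and resources" by computing the entropy of several password policies and how long an attacker would need to exhaust each one at a given guess rate. The policies, the 7776-word list size, and the guess rates are illustrative assumptions chosen for the example, not figures from the slides; certificate authentication is not modelled here.

```python
"""Why length beats complexity: entropy and brute-force time for password policies.

Added example, not from the slides. The guess rates and policies below are
assumptions chosen to show the spread between online and offline attacks.
"""
import math

# Assumed attacker guess rates in guesses per second (illustrative, not measured).
GUESS_RATES = {
    "online, rate-limited login": 10.0,
    "offline, slow hash (bcrypt)": 1e4,
    "offline, fast hash (NTLM/MD5)": 1e11,
}

# Assumed policies. Each is a generation model (symbols, alphabet size): the
# attacker is assumed to know the model and search only the space it produces.
POLICIES = {
    "8 chars, full printable ASCII": (8, 95),
    "12 chars, lowercase+digits": (12, 36),
    "20 chars, lowercase+space": (20, 27),
    # six words chosen uniformly from a 7776-word (Diceware-size) list
    "6 random dictionary words": (6, 7776),
}


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of a secret made of `symbols` symbols, each drawn
    uniformly from `alphabet_size` choices. The same formula covers characters
    and whole words: a word from a 7776-entry list is one symbol with 7776 choices."""
    if symbols <= 0 or alphabet_size <= 1:
        raise ValueError("need at least one symbol and two choices")
    return symbols * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in the search space. The expected time to
    reach the real secret is half of this."""
    return 2.0 ** bits / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration with the largest unit that fits, to 3 significant digits."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
        ("seconds", 1),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def compare_policies(guesses_per_second: float) -> dict:
    """Map each policy name to (entropy_bits, seconds_to_exhaust) at the given rate."""
    results = {}
    for name, (symbols, alphabet) in POLICIES.items():
        bits = entropy_bits(symbols, alphabet)
        results[name] = (bits, seconds_to_exhaust(bits, guesses_per_second))
    return results


def strongest_policy(guesses_per_second: float) -> str:
    """Name of the policy that takes longest to exhaust at the given rate."""
    results = compare_policies(guesses_per_second)
    return max(results, key=lambda name: results[name][1])


if __name__ == "__main__":
    for rate_name, rate in GUESS_RATES.items():
        print(f"\nAttacker: {rate_name} ({rate:g} guesses/s)")
        for policy, (bits, secs) in compare_policies(rate).items():
            print(f"  {policy:<32} {bits:6.1f} bits  exhausted in {humanize(secs)}")
```

The point the table makes is the slide's: an 8-character password from the full printable set is about 52 bits and falls in well under a day to an offline attack against a fast hash, while a 20-character lowercase passphrase or six random dictionary words is 78 to 95 bits and stays out of reach even at 10^11 guesses per second. The estimate only holds for secrets actually generated at random; a human-chosen phrase is searched by its pattern, not its character count.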
Questions