The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate General’s Corps

Upload: chloe-cameron

Post on 27-Mar-2015


Page 1

The Whole/Hole of Security Public (DoD) v. Corporate

Carl Bourland

US Army Judge Advocate General’s Corps

Page 2

1. System Administrator Training

- Security must be in place from the "cradle to the grave" for every system
- Server consolidation can open up secure systems to potential vulnerabilities
- System Administrator shortcuts sometimes compromise good security

The Department of Defense requires a two-week training certification and a background check on all system administrators

Page 3

2. End User Training

- Security training should be required before initial access and recurring thereafter
- Users can defeat millions of dollars of security just by giving away their password
- Most users are "just trying to be helpful"
- Management needs "a favor"

The Department of Defense requires security training pertinent to the user's system before a password is issued and annually thereafter

Page 4

3. Defense in Depth

- Use multiple security measures to secure your system
- There is no one product that implements good information security
- Firewalls, Intrusion Detection Systems, Anti-Virus Software, Access Control Lists, Data Backups, Software Patches

The Department of Defense requires software patches and compliance verification

Page 5

4. Offsite Systems

- Examples: Laptops, PDAs, Wireless Devices
- These systems may be compromised offsite and then be brought inside the network
- By nature, people do not report lost equipment immediately

The Department of Defense regulates the use of wireless and infrared technologies

Page 6

5. Vulnerability Assessments

- Scan systems from the inside and outside to test security and patch security issues
- Consider an outside company to do the assessment to obtain an unbiased assessment

The Department of Defense requires annual vulnerability assessments and provides software for security officers to conduct assessments on a more frequent basis

Page 7

6. Stringent Policies

- User policies must be easy to understand: concise and clear
- User policies should provide consequences for not following the policies
- All personnel should be subject to the policies

Military personnel may be court-martialed for not following regulations and policies; DoD civilians risk losing their jobs

Page 8

7. Incident Response Plans

- Users should know how to react when their system acts abnormally
- System Administrators should know what procedures to take during an incident
- Organizations should have a disaster recovery plan and test it periodically

The Department of Defense has layers of computer emergency response teams in place to handle information security incidents

Page 9

8. System Documentation and Standardization

- System security should be documented
- Consider a formal acceptance of the security of all systems
- Standardization of security configurations is the key to security

The Department of Defense requires a formal Certification and Accreditation of all information systems

Page 10

9. Prevention/Detection

- Prevention is ideal, but detection is a must
- You cannot prevent all attacks
- Those attacks that you cannot prevent must be detected in time to defend against them
- Plans are based on threats, the value of the information, and the costs of securing the data

Firewalls and Intrusion Detection Systems are located at all entry points to the DoD network

Page 11

10. Passwords or Certificates

- User IDs and passwords are still the most common authentication mechanism
- All passwords can be broken given enough time and resources; complex passwords or lengthy passphrases are the key to good security
- (PKI) Certificate authentication allows encryption, non-repudiation, and digital signatures

The DoD is implementing an enterprise-wide PKI system
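The slide's claim that every password falls "given enough time and resources" and that length beats complexity can be put in numbers. This is an added illustration, not part of the original slides: it models a randomly chosen secret and an assumed offline guess rate (the 1e10 guesses/second figure is a constructed assumption) and compares how long an exhaustive search would be expected to take for several password and passphrase policies.

```python
import math

# Constructed assumption for illustration only: an attacker testing this many
# candidates per second offline. Real rates depend on the hash and hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_password(charset_size: int, length: int) -> float:
    """Entropy (bits) of a password chosen uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def entropy_bits_passphrase(dictionary_size: int, words: int) -> float:
    """Entropy (bits) of a passphrase of `words` words drawn uniformly from a word list."""
    return words * math.log2(dictionary_size)


def expected_years_to_guess(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected search time in years: on average half the keyspace is tried."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def compare(rate: float = GUESSES_PER_SECOND) -> dict:
    """Return {policy: (entropy_bits, expected_years)} for a few candidate policies.

    The model assumes uniformly random choice; human-chosen passwords have far
    less entropy than these figures, so they are upper bounds on strength.
    """
    cases = {
        "8 chars, lowercase only (26 symbols)": entropy_bits_password(26, 8),
        "8 chars, printable ASCII (95 symbols)": entropy_bits_password(95, 8),
        "5 words from a 7776-word list": entropy_bits_passphrase(7776, 5),
        "16 chars, lowercase only (26 symbols)": entropy_bits_password(26, 16),
    }
    return {name: (bits, expected_years_to_guess(bits, rate)) for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years")
```

The five-word passphrase and the 16-character lowercase string both outlast the 8-character "complex" password by orders of magnitude under the same guess rate, which is the slide's point about length over complexity.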

Page 12

Questions