The Big Picture on Security Frank O’Keeffe Regional Information Security Manager Microsoft Corporation.

Presentation transcript:

The Big Picture on Security Frank O’Keeffe Regional Information Security Manager Microsoft Corporation

Agenda: Introduction; What is Information Security; Evolving Threat Landscape; Information Security at Microsoft; Conclusions; Questions

Volunteers for extra assignments; Works late hours; Takes work home; Never takes a vacation; Interested in what co-workers are doing
The ideal employee
“Potential Spy” - NSA

Why do we need security

Irish bank's stolen laptops contain 10,000 customer files
Agence France-Presse. Posted date: April 22, 2008
DUBLIN--Four laptop computers stolen from one of Ireland's largest commercial banks contain the unencrypted details of some 10,000 customers, the bank said on Tuesday.

UK health agency loses 31,000 patients records
Monday, June 23, 2008
Unencrypted laptops containing 31,000 patient records have been lost by two NHS trusts. A laptop containing 11,000 patient records was stolen from a GP’s home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.

Sixteen NI government laptops lost
BBC News, May 23, 2008
“A total of 16 laptop computers have disappeared from executive departments in the past year. They were among a total of 38 electronic devices that were listed as lost or stolen since the start of May 2007.”

Opposition party press release: October 1, 2008
“I find it incredible to discover that 19 laptops, 3 desktops, at least 9 Blackberry mobile phones and 4 portable storage devices have been lost across the Departments in On average, a device that could contain sensitive information about people is lost nearly every week.”

What is Information Security: People, Processes, Technology
Awareness and Training; Employee exit; Reference Checks; Employee onboarding; Access based on business need; Vulnerability Management; Network segmentation; Intrusion detection; Encryption; Anti-malware; Policies and Standards; Incident Response; Separation of Duties; Systems Development Lifecycle

Evolving Threat Landscape
1986–1995: Local Area Networks; First PC virus; Boot sector viruses; Create notoriety or cause havoc; Slow propagation; 16-bit DOS
1995–2000: Internet Era; Macro viruses; Script viruses; Create notoriety or cause havoc; Faster propagation; 32-bit Windows
2000–2005: Broadband prevalent; Spyware, Spam; Phishing; Botnets; Rootkits; Financial motivation; Internet wide impact; 32-bit Windows
2006+: Hyper jacking; Peer to Peer; Social engineering; Application attacks; Financial motivation; Targeted attacks; 64-bit Windows

Evolving Threat Landscape
Crime On The Rise (chart labels): National Interest, Personal Gain, Personal Fame, Curiosity; Amateur, Expert, Specialist; Author, Vandal, Thief, Spy, Trespasser, Script-Kiddy; Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment
Attacks Getting More Sophisticated: Traditional defenses are inadequate. Hardware, O/S, Drivers, Applications, GUI, User, Physical. Examples: Spyware; Rootkits; Application attacks; Phishing/Social engineering; Decreasing patch window; Zero-day attacks
Increasingly Sophisticated Malware: Anti-malware alone is not sufficient. Chart: Number of variants from over 7,000 malware families (1H07). Source: Microsoft Security Intelligence Report (January – June 2007)
Exponential Growth of IDs: Identity and access management challenging. Chart: Number of Digital IDs; Pre-1980s, 1980s, 1990s, 2000s; mainframe, client/server, Internet, mobility; C2C, B2C, B2B

Microsoft IT Environment: Dublin, Redmond, Singapore

Information Security Drivers: Security of Information Assets; Privacy Protection; Industry Mandates; Mobile Devices; Collaboration Tools; Dogfooding; Global Business Model; Customer Requirements; Supplier Requirements

Microsoft Information Security Concerns: Regulatory and statutory compliance; Mobility of data; Unauthorized access to data; Malicious software; Supporting an evolving client

Security Teams: Risk Management; Policy; Compliance; Product Security; Forensics and investigations; Network monitoring; Hotmail; MSN; Windows Live; Security Champions; Privacy Champions

Security Policy: A Layered Approach
Microsoft Information Security Program (MISP): Accountabilities that require Microsoft to operate a security program. Establishes framework for a risk- & policy-based approach to protecting assets.
Information Security Policy: Contains principles for protecting and properly using corporate resources. Supports specific BU security standards, operating procedures, and guidelines.
Information Security Standards: Provide requirements and prescriptive guidance that enables users to comply with the Information Security Policy.

Information Security Challenges – Where’s the Data
Data: In Transit; In Databases; In Spreadsheets; On a network share; On my phone; On my laptop; Through web applications; Outsourced to 3rd party

Case Study - BitLocker
Strategy and Preparation: Pilot to determine best deployment method; Executive Support; Policy requires personal presence; Multiple hardware types; Helpdesk and support technicians trained; Scripts to monitor compliance; Targeted user education
Deployment: Focus on high-risk mobile users; TPM + PIN preferred model (otherwise USB start-up key); BitLocker image developed; Install fairs to drive deployment; New laptops “BitLocker ready”; Recovery enabled through Active Directory; Support materials for self-install
Technet – IT Showcase - Deployment Planning for BitLocker Drive Encryption for Windows Vista
Microsoft needed to reduce the likelihood of its intellectual property and personally identifiable information (PII) from being stolen from employees' computers. Additionally, Microsoft wanted to demonstrate for its customers how to protect against these threats.
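
One way to script the compliance monitoring mentioned in the BitLocker case study, as an added example that is not from the presentation or from Microsoft IT. It assumes the Get-BitLockerVolume cmdlet from the BitLocker PowerShell module in later Windows releases than the Vista deployment described; the function name Test-BitLockerPolicy and the sample volume objects are constructed for illustration.

```powershell
# Added example: grade a volume against the slide's model
# (TPM + PIN preferred, otherwise USB start-up key, recovery password available).
function Test-BitLockerPolicy {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)  # shaped like Get-BitLockerVolume output
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Note: ExternalKey covers both a USB start-up key and a recovery key file;
        # the protector type alone does not tell them apart.
        $model = if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
            'TpmPin'
        } elseif ($types -contains 'TpmStartupKey' -or $types -contains 'ExternalKey') {
            'StartupKey'
        } elseif ($types -contains 'Tpm') {
            'TpmOnly'
        } else {
            'None'
        }
        $findings = @()
        if ("$($Volume.ProtectionStatus)" -ne 'On') { $findings += 'protection off or suspended' }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') { $findings += 'volume not fully encrypted' }
        if ($model -in 'TpmOnly', 'None') { $findings += 'no pre-boot PIN or start-up key' }
        if ($types -notcontains 'RecoveryPassword') { $findings += 'no recovery password to back up to AD' }
        [pscustomobject]@{
            MountPoint   = $Volume.MountPoint
            StartupModel = $model
            Compliant    = ($findings.Count -eq 0)
            Findings     = $findings -join '; '
        }
    }
}

# Constructed sample volumes (not real machine data) so the check runs offline.
$samples = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'; VolumeStatus = 'FullyEncrypted'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) }
)
$samples | Test-BitLockerPolicy | Format-List

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Test-BitLockerPolicy
```

The check only confirms that a recovery password protector exists locally; confirming that it was actually escrowed to Active Directory requires a separate directory query.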

Conclusions: Security must support business objectives; Requires Leadership Visibility and Support; Controls based on Risk; Combines People, Processes, Technology; Focus on Vital Assets and Data

Questions

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.