The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps

1. System Administrator Training Security must be in place from the cradle to the grave for every system Server consolidation can open up secure systems to potential vulnerabilities System Administrator shortcuts sometimes compromise good security _____________________________________________ Department of Defense requires a two week training certification and background check on all system administrators

2. End User Training Security training should be required before initial access and reoccurring thereafter Users can defeat millions of dollars of security just be giving away their password Most users are just trying to be helpful Management needs a favor _____________________________________________ Department of Defense requires security training pertinent to the users system before a password is issued and annually thereafter

3. Defense in Depth Use multiple security measures to secure your system There is no one product that implements good information security Firewalls, Intrusion Detection Systems, Anti- Virus Software, Access Control Lists, Data Backups, Software Patches _______________________________________ Department of Defense requires software patches and compliancy verification

4. Offsite Systems Examples: Laptops, PDAs, Wireless Devices These systems may be compromised offsite and then be brought inside the network By nature people do not report lost equipment immediately _______________________________________ The Department of Defense regulates the use of wireless and infrared technologies

5. Vulnerability Assessments Scan systems from the inside and outside to test security and patch security issues Consider an outside company to do the assessment to obtain a unbiased assessment _____________________________________________ Department of Defense require annual vulnerability assessments and provides software for security officers to conduct assessments on a more frequent basis

6. Stringent Policies User policies must be easy to understand Concise Clear User policies should provide consequences for not following the policies All personnel should be subject to the policies _____________________________________________ Military personnel may be court-martialed for not following regulations and policies, DoD civilians risk losing their jobs

7. Incident Response Plans Users should know how to react when their system acts abnormal System Administrators should know what procedures to take during an incident Organizations should have a disaster recovery plan and test it periodically _____________________________________________ The Department of Defense has layers of computer emergency response teams in place to handle information security incidents

8. System Documentation and Standardization System security should be documented Consider a formal acceptance of the security of all systems Standardization of security configurations is the key to security _______________________________________ Department of Defense requires a formal Certification and Accreditation of all information systems

9. Prevention\Detection Prevention is ideal, but detection is a must You cannot prevent all attacks Those attacks that you cannot prevent, must be detected in time to defend against them Plans are based on threats, value of the information, and the costs of securing the data _____________________________________________ Firewalls and Intrusion Detection Systems are located at all entry points to the DoD network

10. Passwords or Certificates User IDs and passwords are still the most common authentication mechanism All passwords can be broken given enough time and resources, complex passwords or lengthy passphases are the key to good security (PKI) Certificate authentication allows encryption, non-repudiation, and digital signatures _____________________________________________ The DoD is implementing a enterprise wide PKI system

Questions