153 Brooks Road, Rome, NY | 315.336.3306
Presentation transcript:

Enterprise Data Protection Against Exfiltration
Localized Encryption Groups, Phase II SBIR

Dave Climek, AFRL Program Manager
Sal Paladino, AIS Program Manager
Rick Gloo, AIS Principal Investigator
Dan Kalil, AIS Commercialization Lead
Trent Brunson, Technical Lead

Approved for Public Release; Distribution Unlimited: 88ABW , 7 AUG 2013

Localized Encryption Groups: Problem Statement and Current Tech

The necessity for increased information sharing across organizations complicates the methods required to detect and prevent the exfiltration of sensitive data. Detecting and preventing every possible data exfiltration path has become nearly insurmountable given the changing landscape of data file formats, network protocols, and data sharing technologies.

Current approaches are limited by:
 File Locker: files are only safe while stored in the secure folder, not when the data is stored elsewhere on the hard disk or on portable media, and not during transfer.
 DoD Encryption Wizard and Microsoft Encrypting File System (EFS): a manual process that interferes with user workflow, and one that does not protect files in transit.
 File Vault: data is protected only while the computer is logged out or shut down.

Objective
 Create an automated encryption service that never leaves data in cleartext, at rest or in transit.
 Approach the data exfiltration problem on a per-file basis, at the point where the file is created, and attach per-file metadata to track the data files.
 Perform all cryptography and policy enforcement behind the scenes, without interfering with user productivity.

LEG Architecture

Kernel driver:
 Monitors the file system for reads and writes.
 Handles encrypted/decrypted traffic between the application and the LEG Enterprise component.
 Communicates to LEG Enterprise which processes can read/write.
 Maintains a whitelist of applications.

LEG Enterprise component:
 Handles cryptographic operations.
 Checks the whitelisted processes reported by the kernel driver.
 Builds the file header.
 Creates cryptographic keys from user certificates.
 Handles communication between Enterprise systems.

LEG File Diagram
 Users in the header will be searchable via public keys.
 Each block of the header has a length and a type:
◦ Length: length of the block
◦ Type: public key or symmetric key

Current header implementation (in file order):
  LEG header ID, version, and length
  User 1's public key
  User 1's encrypted symmetric key
  ...
  User N's public key
  User N's encrypted symmetric key
  File content

Additional Developments

CAC capabilities. LEG extracts from the Common Access Card:
◦ CHUID: user and agency identification
◦ X.509 certificates for encryption purposes
 Will be able to decrypt data with stored private keys; up to 20 retired private keys can be held (the PIV key history allows up to 20 retired key management keys).

Clipboard restrictions:
 LEG is notified when the user updates the clipboard.
 LEG receives the name/directory of the active application.
 Global hooks are to be implemented to handle paste/print actions.

LEG Demo: certificates for encryption and decryption
 The application queries Active Directory for the LEG certificate.
 Authorized LEG users are given access to the certificate; unauthorized users are not.
 A random symmetric key is generated to encrypt the file.
 The certificate's public key is used to encrypt the symmetric key, and the matching private key to decrypt it.
 The encrypted symmetric key is stored in the header for later decryption.
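The per-file container from the header diagram and the demo flow above, as an added example that is not LEG's own code. The `LEG` magic, the field widths, the block type codes and the sample recipient bytes are all assumptions; in the real system each wrapped key would be the random file key encrypted under that user's certificate public key (an RSA-OAEP style wrap is assumed) and the content would be the file's ciphertext. Both are treated here as opaque bytes so that the example can concentrate on what the slide actually describes: length/type blocks, header length, and looking up a user's entry by public key.

```python
"""Pack, parse and search a LEG-style per-file header (assumed layout).

Assumed layout: 'LEG' magic, 1-byte version, 4-byte big-endian header
length, then (length, type, data) blocks in pairs of a user's public key
followed by that user's wrapped symmetric key, then the file content.
"""
import struct
from dataclasses import dataclass

MAGIC = b"LEG"                    # assumed header ID
VERSION = 1                       # assumed
FIXED_LEN = 8                     # magic(3) + version(1) + header length(4)
BLOCK = struct.Struct(">IB")      # block length (uint32 BE) + block type (uint8)
TYPE_PUBLIC_KEY = 1               # assumed type codes
TYPE_SYM_KEY = 2


@dataclass(frozen=True)
class Recipient:
    public_key: bytes   # encoded public key from the user's certificate (opaque here)
    wrapped_key: bytes  # the file key encrypted to that public key (opaque here)


def pack_file(recipients, ciphertext: bytes) -> bytes:
    """Serialize header + content; the header length lets readers skip to content."""
    if not recipients:
        raise ValueError("a LEG file needs at least one recipient")
    body = b"".join(
        BLOCK.pack(len(r.public_key), TYPE_PUBLIC_KEY) + r.public_key
        + BLOCK.pack(len(r.wrapped_key), TYPE_SYM_KEY) + r.wrapped_key
        for r in recipients
    )
    header_len = FIXED_LEN + len(body)
    return MAGIC + bytes([VERSION]) + struct.pack(">I", header_len) + body + ciphertext


def parse_file(blob: bytes):
    """Return (recipients, ciphertext); reject malformed or truncated headers."""
    if len(blob) < FIXED_LEN or blob[:3] != MAGIC:
        raise ValueError("not a LEG file")
    if blob[3] != VERSION:
        raise ValueError(f"unsupported header version {blob[3]}")
    header_len = struct.unpack(">I", blob[4:8])[0]
    if header_len < FIXED_LEN or header_len > len(blob):
        raise ValueError("header length out of range")
    recipients, pos, pending_pub = [], FIXED_LEN, None
    while pos < header_len:
        if header_len - pos < BLOCK.size:
            raise ValueError("truncated block header")
        length, btype = BLOCK.unpack_from(blob, pos)
        pos += BLOCK.size
        if length > header_len - pos:          # a block must stay inside the header
            raise ValueError("block overruns header")
        data = blob[pos:pos + length]
        pos += length
        if btype == TYPE_PUBLIC_KEY:
            if pending_pub is not None:
                raise ValueError("public key not followed by a wrapped key")
            pending_pub = data
        elif btype == TYPE_SYM_KEY:
            if pending_pub is None:
                raise ValueError("wrapped key without a preceding public key")
            recipients.append(Recipient(pending_pub, data))
            pending_pub = None
        else:
            raise ValueError(f"unknown block type {btype}")
    if pending_pub is not None:
        raise ValueError("dangling public key at end of header")
    return recipients, blob[header_len:]


def find_wrapped_key(recipients, public_key: bytes):
    """'Searchable via public keys': the wrapped key for one user, or None."""
    for r in recipients:
        if r.public_key == public_key:
            return r.wrapped_key
    return None


def sample_file():
    """Constructed sample: two recipients with placeholder key and content bytes."""
    alice = Recipient(b"ALICE-PUBKEY", b"wrap(alice, K)")   # constructed placeholders
    bob = Recipient(b"BOB-PUBKEY", b"wrap(bob, K)")
    # In the real flow K = os.urandom(32) is generated per file and wrapped under
    # each recipient's certificate key; the bytes below stand in for the ciphertext.
    ciphertext = b"<ciphertext of the document under K>"
    return pack_file([alice, bob], ciphertext), [alice, bob], ciphertext


if __name__ == "__main__":
    blob, _, _ = sample_file()
    users, content = parse_file(blob)
    print(len(users), "recipients;", len(content), "content bytes")
```

Every length is checked against the header length before it is used as a slice bound, so a file whose header claims more recipients than it carries, or whose block type is unknown, is rejected rather than silently yielding a partial recipient list. A reader that has the matching private key decrypts the wrapped key it finds with `find_wrapped_key`; a user with no entry gets `None` and never sees the content.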

LEG Driver Demo
 All file types default to "Out-of-Policy".
 "In-Policy" files have an application whitelist and graylist:
◦ Programs opening "In-Policy" files are implicitly denied.
◦ A whitelisted application may encrypt/decrypt the file.
◦ A graylisted application may move the "raw" (still encrypted) file.
 Explorer.exe should be universally graylisted, since it is responsible for moving, copying, zipping and accessing files.

In-Policy File Type   Whitelisted Apps   Graylisted Apps
*.txt                 Notepad            Explorer, Internet Explorer
*.rtf                 Word, Wordpad      Explorer, Firefox
*.sd0                 Notepad            Explorer, Internet Explorer
*.sd1                 Notepad            Explorer, Internet Explorer
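The whitelist/graylist decision from the driver demo above, written out as an added example that is not the LEG driver's code. The process image names (Word as winword.exe, Internet Explorer as iexplore.exe), the operation vocabulary and the four outcomes are assumptions; the table itself is the slide's.

```python
"""Default-deny access decisions for 'In-Policy' file types (added example).

Image names, the operation vocabulary and the Access outcomes are assumptions
used to illustrate the whitelist/graylist rules from the slide.
"""
from enum import Enum
from pathlib import PureWindowsPath


class Access(Enum):
    PASS = "out-of-policy"   # the driver does not intervene
    CLEARTEXT = "cleartext"  # whitelisted app: file is decrypted/encrypted transparently
    RAW = "raw"              # graylisted app: may move or copy the still-encrypted bytes
    DENY = "deny"            # implicit deny for everyone else


# In-policy table from the slide, keyed by extension: (whitelist, graylist).
# Image names are assumptions (Word -> winword.exe, Internet Explorer -> iexplore.exe).
POLICY = {
    ".txt": ({"notepad.exe"}, {"explorer.exe", "iexplore.exe"}),
    ".rtf": ({"winword.exe", "wordpad.exe"}, {"explorer.exe", "firefox.exe"}),
    ".sd0": ({"notepad.exe"}, {"explorer.exe", "iexplore.exe"}),
    ".sd1": ({"notepad.exe"}, {"explorer.exe", "iexplore.exe"}),
}
UNIVERSAL_GRAYLIST = {"explorer.exe"}   # moves, copies and zips files of every type
CONTENT_OPS = {"read", "write"}         # operations that need the cleartext
RAW_OPS = {"move", "copy"}              # operations on the ciphertext only


def decide(path: str, image_path: str, operation: str) -> Access:
    """Decision for one file operation by one process image."""
    ext = PureWindowsPath(path).suffix.lower()
    if ext not in POLICY:
        return Access.PASS                          # everything is out-of-policy by default
    whitelist, graylist = POLICY[ext]
    image = PureWindowsPath(image_path).name.lower()
    if operation not in CONTENT_OPS | RAW_OPS:
        return Access.DENY                          # unknown operation: fail closed
    if image in whitelist:
        return Access.CLEARTEXT if operation in CONTENT_OPS else Access.RAW
    if image in graylist or image in UNIVERSAL_GRAYLIST:
        return Access.RAW if operation in RAW_OPS else Access.DENY
    return Access.DENY                              # implicit deny


# Constructed requests (path, process image, operation) for a quick run.
SAMPLE_REQUESTS = [
    (r"C:\Users\kim\notes.txt", r"C:\Windows\System32\notepad.exe", "read"),
    (r"C:\Users\kim\notes.txt", r"C:\Windows\explorer.exe", "copy"),
    (r"C:\Users\kim\notes.txt", r"C:\Windows\explorer.exe", "read"),
    (r"C:\Users\kim\memo.rtf", r"C:\Program Files\Mozilla Firefox\firefox.exe", "read"),
    (r"C:\Users\kim\report.docx", r"C:\Program Files\Microsoft Office\winword.exe", "read"),
]


def evaluate(requests):
    """Decisions for a batch of requests, in order."""
    return [decide(path, image, op) for path, image, op in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(verdict.value.ljust(14), *req)
```

Two points the rules leave open are decided here in the closed direction: an operation the policy does not know about is denied, and a graylisted application asking for content (rather than a move or copy) is denied even though it may relocate the file. Note also that this example, like the slide's table, keys on the image name; a copy of notepad.exe dropped into another directory matches the whitelist just as well as the real one, so a production driver has to identify the process by something stronger than its name, such as the signed image path or a hash of the image.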

Commercialization Activities
 LEG is being developed to run on Microsoft Windows operating systems, supporting enterprise systems in both government and industry.
 Integration with existing applications may reduce time to market and ensure LEG's availability across multiple markets:
◦ Considering integration with the McAfee Host Based Security System (HBSS) and the McAfee Vendor Alliance.
◦ Exploring a partnership with WetStone Technologies to leverage its relationships with industry-leading security providers.

Questions / Thank You