Information Security Challenges & Best Practices Meng-Chow Kang, CISA, CISSP Chief Security & Privacy Advisor Microsoft Asia Pacific.

1 Information Security Challenges & Best Practices Meng-Chow Kang, CISA, CISSP Chief Security & Privacy Advisor Microsoft Asia Pacific

2 A Framework Approach
What constitutes an effective strategy?
Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

3 Understanding the Landscape
Chart with two axes: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) against attacker expertise (Script-Kiddie, Hobbyist Hacker, Expert, Specialist)
Actor types placed on the chart: Author, Vandal, Thief, Spy, Trespasser

4 An Evolving Threat
Same chart as the previous slide: motivation (Curiosity, Personal Fame, Personal Gain, National Interest) against expertise (Script-Kiddie, Hobbyist Hacker, Expert, Specialist); actor types: Author, Vandal, Thief, Spy, Trespasser
Annotations on the chart: Largest area by volume; Largest area by $ lost; Largest segment by $ spent on defense; Fastest growing segment

5 E-SECURITY INDEX
- May's Index = 1,682
- 12 month high: 1,776 (Aug '03)
- 12 month low: 972 (May '03)
- 12 month median: 1,350
- 12 month mean: 1,383

6 e-Cop's e-Security Index has been tracking an average weighted monthly increase of about 8% in security incidents since Sep 2001.
Incidents marked on the chart: Nimda.B, Maldal.D, Klez.H, Bugbear, Sobig.E, Hacker Competition, Blaster & Sobig.F, Sasser
Source: e-Cop

7 (Regional incident chart) * North Asia excludes Japan & South Korea. Source: e-Cop

9 Situation
Timeline: Product ship -> Vulnerability discovered -> Component modified -> Patch released -> Patch deployed at customer site
Most attacks occur here: in the gap between patch release and patch deployment at the customer site
- Hackers rely on patches to develop exploits
- Some security researchers are still disclosing vulnerabilities irresponsibly
Why does this gap exist?
- Lack of or ineffective patch management process
- Lack of defense-in-depth and configuration management in infrastructure security

10 Exploit Timeline: Process, Guidance, Tools
Timeline: Product ship -> Vulnerability discovered -> Vulnerability made public / Component fixed -> Fix deployed at customer site
Why does this gap exist?
Critical: days from patch to exploit have decreased so that patching is not a defense in large organizations
Average 9 days for a patch to be reverse engineered to identify the vulnerability
Days between patch and exploit code:
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25

11 Microsoft IT Environment
- 55,000 employees
- 400+ supported Microsoft sites worldwide
- 300,000+ network devices
- 6,000 data-center servers
- 110 Exchange servers / 36 mailbox servers; 90,000 mailboxes
- 3M+ e-mail messages per day
- 26 million voice calls per month
- 400 primary LOB applications
Sites shown on the map: Canyon Park (Redmond), Silicon Valley, Las Colinas, Charlotte, Chicago, Sao Paulo, Dublin, Thames Valley Park, Benelux, Les Ulis, Madrid, Milan, Munich, Stockholm, Dubai, Johannesburg, Singapore, Chofu & Otemachi, Sydney
What's your Technology Profile? What's your Threat environment? What's your Risk Profile?

12 Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

13 Mission and Vision
Mission: Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets
Cycle: Assess Risk -> Define Policy -> Monitor -> Audit
Vision: An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client
Five Trustworthy Assurances:
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Roles and accountability are clearly defined
- There is a timely response to risks and threats

14 Other Business Drivers
Security Risk Management: Reducing cost of unexpected security events; Reducing losses from frauds and security failures; Reducing exposures to technology threats; Preventing computer-related frauds; Enforce policies and improve audit capability
Online Business Enablement: Integrate Partners in Supply Chain; Connect with Customers; Empower the information workers
Reducing Operational Costs
Regulatory Compliance: HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley Act

15 Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

16 Security Principles
Management commitment: Manage risk according to business objectives; Define organizational roles and responsibilities
Users and data: Manage to the practice of least privilege; Strictly enforce privacy and privacy rules
Application and system development: Build security into the development life cycle (Microsoft SD3+C Framework); Create layered defense and reduce attack surface (Defense-in-depth)
Operations and maintenance: Integrate security into the operations framework; Align monitor, audit, and response functions to operational functions; Watchful, constant vigilance, readiness, and responsiveness

17 Strategies for Security Policies
Root your security policy in well-known industry standards or regulations:
- ISO 17799 – Security Management Best Practices
- ISC2 Common Body of Knowledge
- RFC 2196 – Site Security Handbook
Security policies have to start from the top down
Illustrate the value of security policy to management
Get corporate legal and HR departments to assist you

18 Environment conducive for protection
- Protection-ready versus attacker-friendly
- Laws and regulations
- Enforcement
- Rewards and penalties
- Think and do security

19 Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

20 Enterprise Risk Model
Axes: Impact to Business, Low to High (defined by Business Owner); Probability of Exploit, Low to High (defined by Corporate Security)
Regions of the matrix: Acceptable Risk; Unacceptable Risk
Risk assessment drives to acceptable risk

21 Risk Management Process and Roles
Cycle: 1 Prioritize Risks -> 2 Security Policy -> 3 Security Solutions & Initiatives -> 4 Sustained Operations -> 5 Compliance
Roles: Corporate Security; Cross-IT Teams; Tactical Prioritization

22 A Risk-based Approach
Where/what are the risks?
- Continuous Risk Assessments: Network Infrastructure Risk Assessment; Platform Infrastructure Risk Assessment; Continuous Application Risk Assessment (scope: TS/LOB)
- Self Assessment Reports: LOB's Control Self Assessment (scope: ALL)
- Audit Reports: GAD's Audit Program; Regulators' Inspection (scope: ALL)
- Security Services: Ext Connectivity; Network Certification; OSP Project Security; New applications & infrastructure projects (scope: ALL)
How are they affecting the Organization?
- Risk Profile (review of issues accuracy & action plans quality: not available yet)
What are we doing about them?
- Corrective Actions: Remediation Projects; Tactical Action Plans (progress scorecard used)
- Awareness Program; IT Control Policies; Focused Programs

23 Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

24 Representative Risks and Tactics
Embody Trustworthy Computing
Enterprise Risks -> Tactical Solutions:
- Unpatched Devices -> Secure Environmental Remediation
- Unmanaged Devices -> Network Segmentation Through IPSec
- Remote and Mobile Users -> Secure Remote User
- Single-Factor Authentication -> Two-Factor for Remote Access and Administrators
Managed Source Initiatives; Focus Controls Across Key Assets

25 Defense in Depth
Using a layered approach: increases attacker's risk of detection; reduces attacker's chance of success
Layers and their controls:
- Policies, Procedures, and Awareness: User education
- Physical Security: Guards, locks, tracking devices
- Perimeter: Firewalls, VPN quarantine
- Internal Network: Network segments, IPSec, NIDS
- Host: OS hardening, authentication, patch management, HIDS
- Application: Application hardening, antivirus
- Data: ACL, encryption

26 Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools

27 Corporate Security Group Organization
Corporate Security Group, with four teams: Threat, Risk Analysis, and Policy; Assessment and Compliance; Monitoring, Intrusion Detection, and Incident Response; Shared Services Operations
Functions across the teams: Threat and Risk Analysis; Policy Development; Product Evaluation; Design Review; Structure Standards; Security Management; Security Assessment; Compliance and Remediation; Monitoring and Intrusion Detection; Rapid Response and Resolution; Forensics; IT Investigations; Physical and Remote Access; Certificate Administration; Security Tools; Initiative Management

28 Processes and Tools
Driven (influenced) largely by policies and strategy
Common challenges:
- The information security/risk budget normally does not cover the cost of devising and implementing security processes and tools, in particular the tools required for risk analysis and performance measurement
- Spreadsheets used as the database of control status
- The checklist remains predominantly the tool of choice: quality of answers vs completion of checklist questions
- No linkages to the organization's technology/information inventory

29 Security Readiness
- Risk management does not guarantee risk elimination
- Exploits increasingly sophisticated
- Ready to act, ready to change
- Education and training
- Scenario planning
- Drills, drills, drills …

30 Security Response Plan
Triggers: Information on security incident received; Vulnerability detected by audit
Decision to begin Response Plan by IT Security: Risk rating; Response team assembled; Ticket opened
RESPONSE PLAN: Evaluation -> Isolate and contain threat -> Analyze and respond -> Alert others as required -> Determine remediation -> Begin system remediation (with ongoing evaluation and response revisions, and ongoing audit throughout)
De-escalation: return to normal operations; Post-incident review; ticket closed
Determining the Risk Rating of the Incident/Vulnerability involves: Severity of the event; Overall business impact; Criticality of vulnerable/attacked assets; Public availability of information; Scope of exposure

31 Summary
- No silver bullet
- Understand and keep track of the changing threat environment
- Develop a cybersecurity strategy with a clear mission and vision, adopting a decision and prioritization model, with strong security principles to guide implementation and selection of solutions
- Combine technology, procedures, and proper use of personnel to reduce vulnerabilities
- A preventative approach toward critical security issues is less expensive than correcting vulnerabilities after systems have been compromised
- Constant vigilance and readiness to respond at all times
Framework: Mission and Vision; Principles of Operation & Management; Decision & Prioritization Model; Implementation Tactics; Threats & Vulnerabilities Landscape; People, Processes, & Tools
Security is a journey, not a destination

32 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

