Security Overview: Trends
Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
rafal@projectbotticelli.co.uk
2
Objectives
Overview a process-oriented approach to security
Discuss the recent trends in approaching security issues
3
Session Agenda
Frameworks, Processes and Concepts
Issues
Trends
4
The Problem
We have (more than enough) security technologies, but we do not know how (and if) we are secure
5
Security Frameworks
6
Security
Definition (Cambridge Dictionary of English)
Ability to avoid being harmed by any risk, danger or threat
…therefore, in practice, an impossible goal ☹
What can we do then?
Be as secure as needed
Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal's Definition)
7
Adequate Security
CERT usefully suggests:
"A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances." – www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences the amount of risk worth taking to achieve enterprise goals and missions
Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
Relates to risk for which no mitigation would be in place
8
Approaches for Achieving Security
Two approaches are needed:
Active, dynamic, transient
Implemented through behaviour and pattern analysis
Passive, static, pervasive
Implemented through cryptography
9
Holistic View of Security
Security should be:
Static + Active
Across all your assets
Based on ongoing threat risk assessment
10
Framework 1: Defense in Depth
Using a layered approach:
Increases an attacker's risk of detection
Reduces an attacker's chance of success
Layers, outermost to innermost, with example controls:
Policies, Procedures, & Awareness: user education against social engineering
Physical Security: guards, locks, tracking devices, HSM
Perimeter: firewalls, VPN quarantine
Internal Network: network segments, IPSec, NIDS
Host: OS hardening, update management, authentication
Application: application hardening, antivirus
Data: ACL, encryption
11
Secure Environment
A secure environment is a combination of:
Hardened hosts (nodes)
Intrusion Detection System (IDS)
Operating Processes
Standard and Emergency
Threat Modelling and Analysis
Dedicated Responsible Staff
Chief Security Officer (CSO) responsible for all
Continuous Training
Users and security staff – against "social engineering"
12
Framework 2: OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger organisations
www.cert.org/octave
13
Concept of OCTAVE
Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
Very specific, with suggested timings, personnel selection etc.
www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium organisations
www.cert.org/octave/osig.html
14
OCTAVE Process
Planning, then a progressive series of workshops in three phases:
Phase 1 – Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
Phase 2 – Technological View: technological vulnerabilities
Phase 3 – Strategy and Plan Development: risks, protection strategy, mitigation plans
15
Framework 3: Security Risk Analysis
A simplified approach, taking into account your assets' exposure to security risks
Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure
16
Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers with agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Impact: Catastrophic (5)
17
Risk Probability Assessment
Now for each entry measure the probability that the loss may happen
Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6), and High (0.9)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Probability: Low (0.3)
18
Risk Exposure and Risk List
Multiply probability by impact for each entry
Exposure = Probability x Impact
Sort by exposure
High-exposure risks need very strong security measures
Lowest-exposure risks can be covered by default mechanisms or ignored
Example:
Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is 4.5 in our examples
19
Mitigation and Contingency
For high-exposure risks plan:
Mitigation: reduce its probability or impact (and so its exposure)
Transfer: make someone else responsible for the risk
Avoidance: avoid the risk by not having the asset
Contingency: what to do if the risk becomes reality
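The three steps of the Security Risk Analysis framework (impact, probability, exposure) and the mitigation step, carried through on a small risk register. This is an added example, not code from the original deck; the register entries other than the MD-mailbox case and the tier cut-offs are constructed assumptions.

```python
"""Worked risk-exposure calculation for the Security Risk Analysis framework on
these slides: impact on a 1..5 relative scale, probability as Low/Medium/High
(0.3/0.6/0.9), Exposure = Probability x Impact, then sort and plan mitigation.
Added example, not part of the original deck. The register entries (except the
MD-mailbox case) and the tier thresholds are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Optional

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str       # key into IMPACT
    probability: str  # key into PROBABILITY

    @property
    def exposure(self) -> float:
        # Exposure = Probability x Impact; rounded so 0.3 x 5 reads as 1.5
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def exposure_bounds() -> tuple[float, float]:
    """Lowest and highest exposure the two scales can produce (0.3 and 4.5)."""
    lo = min(PROBABILITY.values()) * min(IMPACT.values())
    hi = max(PROBABILITY.values()) * max(IMPACT.values())
    return round(lo, 2), round(hi, 2)


def ranked(register: list[Risk]) -> list[Risk]:
    """The risk list sorted by exposure, highest first."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def tier(risk: Risk, strong_at: float = 2.7, default_below: float = 0.9) -> str:
    """Map exposure to the treatment the slides describe. The two cut-offs are
    assumed for this example; the deck gives no numbers for them."""
    if risk.exposure >= strong_at:
        return "strong measures"
    if risk.exposure < default_below:
        return "default mechanisms or accept"
    return "standard measures"


def mitigate(risk: Risk, impact: Optional[str] = None,
             probability: Optional[str] = None) -> Risk:
    """Mitigation lowers probability or impact (and so exposure). Returns a new
    entry so the before/after pair can sit side by side in the register."""
    return replace(risk,
                   impact=impact or risk.impact,
                   probability=probability or risk.probability)


# Constructed register; the first entry is the deck's own worked example.
REGISTER = [
    Risk("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    Risk("Customer database", "Tampering by insider", "High", "Medium"),
    Risk("Public web site", "Defacement", "Medium", "High"),
    Risk("Dev test server", "Unpatched OS exploited", "Low", "High"),
    Risk("Lobby kiosk", "Vandalism", "Trivial", "Low"),
]

if __name__ == "__main__":
    print("exposure range on these scales:", exposure_bounds())
    for r in ranked(REGISTER):
        print(f"{r.exposure:4.1f}  {r.asset:20s} {r.risk:28s} -> {tier(r)}")
    # Hardening the web site is modelled as pushing defacement from High to Medium.
    hardened = mitigate(REGISTER[2], probability="Medium")
    print(f"after hardening: {hardened.exposure} ({tier(hardened)})")
```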
20
Framework 4: Threat Modeling
Structured analysis aimed at:
Finding infrastructure vulnerabilities
Evaluating security threats
Identifying countermeasures
Originated from software development security threat analysis
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
21
STRIDE
A Technique for Threat Identification (Step 4)
Type of Threat           Examples
Spoofing                 Forging an email message; replaying authentication
Tampering                Altering data during transmission; changing data in a database
Repudiation              Deleting critical data and denying it; purchasing a product and denying it
Information disclosure   Exposing information in error messages; exposing code on a web site
Denial of Service        Flooding a web service with invalid requests; flooding a network with SYNs
Elevation of Privilege   Obtaining Administrator privileges; using an assembly in the GAC to create an account
22
Threat Tree
Root: Inside Attack Enabled – attack domain controller from inside
Reached through either (OR) of two branches, each of which needs both (AND) of its conditions:
Branch 1 (AND):
  SQL Injection – an application doesn't validate user's input and allows evil texts
  Dev Server – unhardened SQL server used by internal developers
Branch 2 (AND):
  Messenger Xfer – novice admin uses an instant messenger on a server
  Trojan Soc Eng – attacker sends a trojan masquerading as a network util
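An evaluator for the threat tree on this slide, used from the defender's side to see which leaf conditions must be mitigated before the root becomes unreachable. Added example, not code from the original deck; the AND/OR grouping of the four leaves is assumed from the slide's layout, and the mitigation states fed in are constructed.

```python
"""Evaluate the threat tree on this slide: the root ("attack domain controller
from inside") is reached through either of two AND branches. Added example, not
part of the original deck. The AND/OR grouping of the four leaves is assumed
from the slide's layout; which leaves are mitigated is constructed input."""
from __future__ import annotations
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Node:
    name: str
    op: str = "LEAF"                  # "LEAF", "AND" or "OR"
    children: tuple[Node, ...] = ()


def leaf(name: str) -> Node:
    return Node(name)


def AND(name: str, *kids: Node) -> Node:
    return Node(name, "AND", tuple(kids))


def OR(name: str, *kids: Node) -> Node:
    return Node(name, "OR", tuple(kids))


# Leaf conditions as named on the slide (descriptions in comments).
TREE = OR("Attack domain controller from inside",
          AND("SQL injection branch",
              leaf("SQL Injection"),    # app does not validate user input
              leaf("Dev Server")),      # unhardened SQL server used by developers
          AND("Trojan branch",
              leaf("Messenger Xfer"),   # novice admin runs IM on a server
              leaf("Trojan Soc Eng")))  # attacker sends trojan posing as a network util


def feasible(node: Node, open_leaves: set[str]) -> bool:
    """True if the attacker can still reach `node` given which leaf conditions
    remain unmitigated ("open"). AND needs every child, OR needs any one."""
    if node.op == "LEAF":
        return node.name in open_leaves
    results = [feasible(c, open_leaves) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def attack_paths(node: Node) -> list[frozenset[str]]:
    """Minimal sets of leaf conditions that realise `node`: an OR offers each
    child's paths, an AND combines one path from every child."""
    if node.op == "LEAF":
        return [frozenset([node.name])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.op == "OR":
        return [p for paths in child_paths for p in paths]
    return [frozenset().union(*combo) for combo in product(*child_paths)]


def leaves(node: Node) -> set[str]:
    if node.op == "LEAF":
        return {node.name}
    return set().union(*(leaves(c) for c in node.children))


def smallest_mitigation_sets(tree: Node) -> set[frozenset[str]]:
    """Smallest sets of leaves that, once mitigated, leave no attack path open
    (each set hits every path). Exhaustive search; fine for a slide-sized tree."""
    names = sorted(leaves(tree))
    paths = attack_paths(tree)
    hitting = []
    for bits in product((0, 1), repeat=len(names)):
        fixed = frozenset(n for n, b in zip(names, bits) if b)
        if all(p & fixed for p in paths):
            hitting.append(fixed)
    if not hitting:
        return set()
    size = min(len(h) for h in hitting)
    return {h for h in hitting if len(h) == size}


if __name__ == "__main__":
    everything = leaves(TREE)
    print("root feasible with nothing mitigated:", feasible(TREE, everything))
    print("hardening the dev server alone:", feasible(TREE, everything - {"Dev Server"}))
    for m in smallest_mitigation_sets(TREE):
        print("closes the root:", sorted(m))
```

Hardening the dev server alone leaves the trojan branch open; the root only closes once one condition in each branch is mitigated.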
23
Current Security Issues
24
Industry Issues for 2005-2006
Without undue generalisation:
Mobile security at data layer
Malware/spyware
Compliance auditing
Identity management
Patch/update management
Application defence
Intrusion detection
25
Mobile Security at Data Layer
Laptops and PDAs are rarely protected against physical data extraction
Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome
Smartcards plus EFS or an alternative system, such as PGP etc., can be applied
Data recovery needs (legal and practical) complicate the matter greatly
26
Spyware (Malware) Protection
90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
Zombies
Network bandwidth and CPU degradation
Commercial secrets leaked
Privacy destroyed
3rd party liability arises
Best practice:
SpyBot Search and Destroy (www.spybot.info)
Microsoft AntiSpyware (in beta)
AdAware
Limit use of administrative privileges for end-users
27
Compliance Auditing
An area of rapid growth, primarily due to Sarbanes-Oxley ("Sarbox", or "Sox") and EU Data Privacy regulation
In the hands of specialised providers, mainly consulting businesses
Microsoft Operations Manager (MOM) can be applied for this purpose
28
Identity Management
Heterogeneity of authentication and security measures is a common fact
Don't fight it, integrate it
Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server)
Alternatively, converge onto a client solution, such as smartcards or OTP/tokens
29
Patch and Update Management
As of Sept 2005, Microsoft Update is fully functioning, and integrates, at present:
Windows OS updates
Office
SQL Server
Exchange
More Microsoft products being added over the next months
Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)
30
Application Defence
As networks and hosts become well protected, application-level attacks are on the increase
Other than for very new in-house applications, development security has rarely been a concern
This is a major area of worry from the perspective of both insider and outside attacks
Approaches:
Prove it's safe (threat modelling)
Isolate-and-monitor
Replace
31
Treating Unproven Applications
Until proven to be secure, treat all applications as "evil"
Restrict access only to users on a need-to-use basis
Restrict remote use
Isolate to dedicated application servers
Restrict servers through IPSec policies to only allow communication that applications explicitly require
Monitor usage pattern to establish a baseline and raise alarm when patterns vary
Enable stringent auditing
Request a formal threat analysis if the above restrictions are too severe
32
Intrusion Detection
Intrusion Detection Systems (IDS) are still fairly basic, though sophistication grew at network-level detection
Honeypots, i.e. monitored vulnerable servers exposed as "bait", are still very effective, though may pose legal problems
33
Trends for 2006
34
Network Security โ€“ IPv6
A major development for 2006+ will be gradual replacement of IPv4 with IPv6
Amongst many benefits of this move, a crucial introduction of compulsory IPSec6 will provide much needed authentication and confidentiality of data at wire-level
Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology
Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate, called "Next Generation TCP/IP"
35
Network Device Port Protection
Though long awaited, "802.1x for wired networks" is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected
With new infrastructure this technology might be useful in high-risk areas, especially exposed networks
36
Smartcards
While not a new technology, Microsoft's support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues
Infocard specification for developers
Alacris acquisition (20 Sept) for smartcard lifecycle management
Axalto deal for smartcard infrastructure
Windows Vista re-write of smartcard functionality
37
Biometrics
Overhyped: be careful and sceptical
Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment
Advantage:
Simple and works in some environments, e.g. immigration control or secondary authentication of staff
Weakness:
Not useful for at-home, remote etc. applications as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned
Biometric data can be stolen and can be used to fake identity – no way to change it later
Too many false positive and false negative matches
38
Application-level Protection
With .NET Framework 2.0 and SQL Server 2005 developers can use a plethora of security technologies – easily
Developers are increasingly seen as responsible for security
This extends even to database developers, previously unlikely to engage in cryptography or ACL management
It is very important that all in-house and vertical solution-provider application developers undergo security training
Refresher courses or workshops are a good idea
Community participation helps
39
Summary
40
Summary
Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education
Security goals oppose those of usability
Frameworks enable achieving security goals without facing unexpected costs
Network and host protections are fairly mature
Developer-oriented solutions to prevent application-level attacks must be employed
41
© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.
Welcome
Clare Dillon
Developer and Platform Group
Microsoft Ireland
Clare.Dillon@microsoft.com
