The Whole/Hole of Security
Public (DoD) v. Corporate
Carl Bourland
US Army Judge Advocate General’s Corps
1. System Administrator Training

- Security must be in place from the "cradle to the grave" for every system
- Server consolidation can open up secure systems to potential vulnerabilities
- System Administrator shortcuts sometimes compromise good security
- Department of Defense requires a two-week training certification and background check on all system

2. End User Training

- Security training should be required before initial access and recurring thereafter
- Users can defeat millions of dollars of security just by giving away their password
- Most users are "just trying to be helpful"
- Management needs "a favor"
- Department of Defense requires security training pertinent to the user's system before a password is issued and annually thereafter

3. Defense in Depth

- Use multiple security measures to secure your
- There is no one product that implements good information security
- Firewalls, Intrusion Detection Systems, Anti-Virus Software, Access Control Lists, Data Backups, Software Patches
- Department of Defense requires software patches and compliance verification

4. Offsite Systems

- Examples: Laptops, PDAs, Wireless Devices
- These systems may be compromised offsite and then be brought inside the network
- By nature people do not report lost equipment
- The Department of Defense regulates the use of wireless and infrared technologies

5. Vulnerability Assessments

- Scan systems from the inside and outside to test security and patch security issues
- Consider an outside company to do the assessment to obtain an unbiased assessment
- Department of Defense requires annual vulnerability assessments and provides software for security officers to conduct assessments on a more frequent

6. Stringent Policies

- User policies must be easy to understand
- User policies should provide consequences for not following the policies
- All personnel should be subject to the policies
- Military personnel may be court-martialed for not following regulations and policies; DoD civilians risk losing their jobs

7. Incident Response Plans

- Users should know how to react when their system acts abnormally
- System Administrators should know what procedures to take during an incident
- Organizations should have a disaster recovery plan and test it periodically
- The Department of Defense has layers of computer emergency response teams in place to handle information security incidents

8. System Documentation and

- System security should be documented
- Consider a formal acceptance of the security of all
- Standardization of security configurations is the key to security
- Department of Defense requires a formal Certification and Accreditation of all information

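Slide 8 says standardized security configurations are the key, and slide 3 says the DoD requires patches and compliance verification. The following is an added example of what that verification looks like in practice; it is not code from the original deck or from any DoD tool. It checks each host's effective settings against a standard baseline and reports every deviation. The baseline keys, the expected values and the host snapshots are all constructed sample data (a real baseline comes from the organisation's approved configuration standard).

```python
"""Added example for the slides on standardized configurations (slide 8) and
patch/compliance verification (slide 3); it is not from the original deck.
A host's effective settings are checked against a baseline and every
deviation is reported. The baseline keys, values and host snapshots below
are constructed sample data; a real baseline comes from the organisation's
approved security configuration standard."""

# Constructed baseline: setting -> (expected value, rule). "eq" must equal,
# "min" must be at least, "max" must be at most.
BASELINE = {
    "password_min_length": (14, "min"),
    "password_max_age_days": (60, "max"),
    "account_lockout_threshold": (5, "max"),
    "ssh_root_login": ("no", "eq"),
    "telnet_enabled": ("no", "eq"),
    "patch_baseline_version": (42, "min"),
}

def _satisfies(actual, expected, rule):
    """Apply one baseline rule; numeric rules on a non-numeric value fail
    closed rather than raising."""
    if rule == "eq":
        return actual == expected
    if not isinstance(actual, (int, float)):
        return False
    return actual >= expected if rule == "min" else actual <= expected

def check_host(settings, baseline=BASELINE):
    """Return a list of (setting, expected, actual, rule) deviations.
    A setting missing from the snapshot is itself a deviation (actual=None):
    an unknown state cannot be accepted as compliant."""
    findings = []
    for name, (expected, rule) in baseline.items():
        actual = settings.get(name)
        if actual is None or not _satisfies(actual, expected, rule):
            findings.append((name, expected, actual, rule))
    return findings

def compliance_report(hosts, baseline=BASELINE):
    """Map hostname -> deviations; an empty list means the host complies."""
    return {host: check_host(cfg, baseline) for host, cfg in hosts.items()}

# Constructed host snapshots (as an inventory agent would collect them)
HOSTS = {
    "fileserver01": {
        "password_min_length": 14, "password_max_age_days": 60,
        "account_lockout_threshold": 5, "ssh_root_login": "no",
        "telnet_enabled": "no", "patch_baseline_version": 42,
    },
    "legacy-app02": {
        "password_min_length": 8, "password_max_age_days": 90,
        "account_lockout_threshold": 5, "ssh_root_login": "yes",
        "telnet_enabled": "yes",
        # patch_baseline_version absent: the snapshot is incomplete
    },
}

if __name__ == "__main__":
    for host, findings in compliance_report(HOSTS).items():
        status = "COMPLIANT" if not findings else f"{len(findings)} deviation(s)"
        print(f"{host}: {status}")
        for name, expected, actual, rule in findings:
            print(f"  {name}: required {rule} {expected!r}, found {actual!r}")
```

The design choice worth noting is that a missing or malformed setting is reported as a deviation rather than skipped: a host whose state is unknown is not compliant, and a report that silently passes unknowns is exactly what "standardization is the key" is meant to prevent.
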
9. Prevention/Detection

- Prevention is ideal, but detection is a must
- You cannot prevent all attacks
- Those attacks that you cannot prevent must be detected in time to defend against them
- Plans are based on threats, value of the information, and the costs of securing the data
- Firewalls and Intrusion Detection Systems are located at all entry points to the DoD network

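The slide's point that attacks you cannot prevent must still be detected in time is easiest to see with a concrete detector. The following is an added example, not code from the deck or from any particular intrusion detection product. It reads constructed sshd-style auth log lines and flags a source address that reaches a threshold of failed logons inside a sliding time window; the hostnames, user names and addresses are documentation examples, and the threshold and window are assumed tuning values.

```python
"""Added detection example; it is not part of the slides. It scans
constructed sshd-style auth log lines and flags any source address that
reaches a threshold of failed logons inside a sliding time window, the
kind of burst an intrusion detection system reports even when the
individual attempts are not themselves blocked."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog layout); hostnames, users and addresses
# are documentation examples, not real systems.
LOG_LINES = """\
Jan 10 08:01:02 gw01 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 10 08:01:04 gw01 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jan 10 08:01:05 gw01 sshd[411]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 10 08:01:07 gw01 sshd[411]: Failed password for root from 203.0.113.7 port 51128 ssh2
Jan 10 08:01:08 gw01 sshd[411]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 10 08:01:09 gw01 sshd[412]: Accepted publickey for alice from 198.51.100.5 port 40210 ssh2
Jan 10 08:03:15 gw01 sshd[413]: Failed password for alice from 198.51.100.5 port 40212 ssh2
Jan 10 08:09:30 gw01 sshd[414]: Failed password for alice from 198.51.100.5 port 40214 ssh2
"""

FAILED_RE = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

THRESHOLD = 5    # failed logons ...
WINDOW_SEC = 60  # ... within this many seconds raises an alert (assumed tuning)

def parse_failures(lines):
    """Yield (timestamp, user, source) for every failed-password line.
    Lines that do not match (successful logons, other daemons) are skipped."""
    for line in lines.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; only differences matter here
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW_SEC):
    """Return {source: time_of_first_alert} for sources whose failures reach
    `threshold` within any `window` seconds. Assumes the log is in time order.
    A per-source deque keeps only timestamps still inside the window, so two
    typos minutes apart are never counted together, while a rapid burst is
    caught on the attempt that completes it."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, _user, src in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in detect_bursts(LOG_LINES).items():
        print(f"ALERT {when:%H:%M:%S}: {src} reached {THRESHOLD} failed logons "
              f"within {WINDOW_SEC}s")
```

On the sample data the burst from 203.0.113.7 is reported at the fifth failure, six seconds after the first, while alice's two failures six minutes apart stay below the threshold. Widening the window or lowering the threshold trades earlier detection for more false positives, which is the "in time to defend" balance the slide describes.
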
10. Passwords or Certificates

- User IDs and passwords are still the most common authentication mechanism
- All passwords can be broken given enough time and resources; complex passwords or lengthy passphrases are the key to good security
- (PKI) Certificate authentication allows encryption, non-repudiation, and digital signatures
- The DoD is implementing an enterprise-wide PKI
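The slide's claim that any password falls given enough time, and that length and complexity buy that time, can be carried through as a worked calculation. The following is an added illustration, not from the original deck. It computes the entropy of several password and passphrase policies and the expected exhaustive-guessing time at an assumed guessing rate; that rate is a constructed round number used only to compare policies against each other, and the calculation assumes uniformly random choice, which human-chosen passwords do not achieve.

```python
"""Added illustration for the passwords slide; not from the original deck.
Shows how the guess space grows with alphabet size and length, and why a
long passphrase from an ordinary word list can outstrip a short 'complex'
password. The guessing rate is an assumed round number used only to compare
policies against each other; it is not a measurement of any real attacker,
and human-chosen passwords have far less entropy than the uniform choice
assumed here."""
import math

GUESSES_PER_SECOND = 1e10  # assumed guessing rate (comparison only)

def password_bits(length, charset_size):
    """Entropy, in bits, of `length` symbols drawn uniformly at random from
    an alphabet of `charset_size`: log2(charset_size ** length)."""
    return length * math.log2(charset_size)

def passphrase_bits(words, wordlist_size):
    """Entropy of `words` words drawn uniformly from a `wordlist_size` list;
    the same formula with the word list as the alphabet."""
    return words * math.log2(wordlist_size)

def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit a uniformly chosen secret by exhaustive guessing:
    on average half the space, 2**bits / 2 guesses, at `rate` per second."""
    return 2 ** (bits - 1) / rate

def human_time(seconds):
    """Render a duration coarsely for the report."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Constructed policies to compare; 95 = printable ASCII, 7776 = the size of
# a five-dice word list.
POLICIES = [
    ("8 lowercase letters", password_bits(8, 26)),
    ("8 printable ASCII characters", password_bits(8, 95)),
    ("12 printable ASCII characters", password_bits(12, 95)),
    ("5 random words from a 7776-word list", passphrase_bits(5, 7776)),
    ("6 random words from a 7776-word list", passphrase_bits(6, 7776)),
]

def compare_policies(policies=POLICIES, rate=GUESSES_PER_SECOND):
    """Return (label, bits, expected_seconds) triples, weakest first."""
    rows = [(label, bits, expected_crack_seconds(bits, rate))
            for label, bits in policies]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for label, bits, secs in compare_policies():
        print(f"{label:40s} {bits:5.1f} bits  ~{human_time(secs)}")
```

Two things the numbers show that the slide only states: every added word or character multiplies the search space rather than adding to it, and a five-word passphrase from a small word list already sits above an eight-character password drawn from the full printable set. On the defensive side, the rate term is the one an organisation controls: lockouts and rate limiting cap online guessing, and slow, salted password hashing cuts the offline rate by orders of magnitude.
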