Transcript Slide 1
The Whole/Hole of Security
Public (DoD) v. Corporate
Carl Bourland
US Army Judge Advocate General’s Corps
1. System Administrator Training
Security must be in place from the “cradle to the
grave” for every system
Server consolidation can open up secure systems to
potential vulnerabilities
System Administrator shortcuts sometimes
compromise good security
_____________________________________________
Department of Defense requires a two week training
certification and background check on all system
administrators
2. End User Training
Security training should be required before initial
access and recurring thereafter
Users can defeat millions of dollars of security just
by giving away their password
Most users are “just trying to be helpful”
Management needs “a favor”
_____________________________________________
Department of Defense requires security training
pertinent to the user’s system before a password is
issued and annually thereafter
3. Defense in Depth
Use multiple security measures to secure your
system
There is no one product that implements good
information security
Firewalls, Intrusion Detection Systems, Antivirus Software,
Access Control Lists, Data Backups, Software Patches
_______________________________________
Department of Defense requires software
patches and compliance verification
4. Offsite Systems
Examples: Laptops, PDAs, Wireless Devices
These systems may be compromised offsite and then
be brought inside the network
By nature people do not report lost equipment
immediately
_______________________________________
The Department of Defense regulates the use of
wireless and infrared technologies
5. Vulnerability Assessments
Scan systems from the inside and outside to test
security and patch security issues
Consider an outside company to do the assessment to
obtain an unbiased assessment
_____________________________________________
Department of Defense requires annual vulnerability
assessments and provides software for security
officers to conduct assessments on a more frequent
basis
6. Stringent Policies
User policies must be easy to understand
Concise
Clear
User policies should provide consequences for not
following the policies
All personnel should be subject to the policies
_____________________________________________
Military personnel may be court-martialed for not
following regulations and policies, DoD civilians
risk losing their jobs
7. Incident Response Plans
Users should know how to react when their system
acts abnormally
System Administrators should know what
procedures to take during an incident
Organizations should have a disaster recovery plan
and test it periodically
_____________________________________________
The Department of Defense has layers of computer
emergency response teams in place to handle
information security incidents
8. System Documentation and Standardization
System security should be documented
Consider a formal acceptance of the security of all
systems
Standardization of security configurations is the key
to security
_______________________________________
Department of Defense requires a formal
Certification and Accreditation of all information
systems
9. Prevention/Detection
Prevention is ideal, but detection is a must
You cannot prevent all attacks
Those attacks that you cannot prevent must be
detected in time to defend against them
Plans are based on threats, value of the information,
and the costs of securing the data
_____________________________________________
Firewalls and Intrusion Detection Systems are
located at all entry points to the DoD network
10. Passwords or Certificates
User IDs and passwords are still the most common
authentication mechanism
All passwords can be broken given enough time and
resources; complex passwords or lengthy passphrases
are the key to good security
Certificate (PKI) authentication allows encryption,
non-repudiation, and digital signatures
_____________________________________________
The DoD is implementing an enterprise-wide PKI
system
Questions