Microsoft support for Critical Information Infrastructure Protection

Transcription

1 Security and Protection of Information 2009 Univerzita Obrany Microsoft support for Critical Information Infrastructure Protection Robert Kosla, Lt. Col. (Ret.) Public Safety / National Security Defense Industry Manager Central and Eastern European Headquarters (CEE HQ) IDET 09 -Brno Czech Republic May 09

2 Presentation Questions? What are critical infrastructures? The differences between CIP, CIIP (Critical Information Infrastructure Protection) and cyber security What are the CIP (Critical Infrastructure Protection) policy drivers? Resiliency rules IDET'09 - Brno May

3 Topics Securing Critical Infrastructure Commitments to Critical Information Infrastructure Protection Security related programes for Government/Law Enforcement/Defense Security Intelligence Report v6 (2H CY08 review) IDET'09 - Brno May

4 Public Safety / National Security / Defense (PS/NS/DEF) Microsoft focus Police/Fire Justice Homeland/Internal Security Intelligence Defense Public Safety National Security IDET'09 - Brno May

5 Securing Critical Infrastructure IDET'09 - Brno May

6 CIP/CIIP and Cybersecurity - Understanding the Differences Critical Infrastructures Non-essential IT systems Cybersecurity Critical Information Infrastructure Cross-cutting ICT interdependencies among all sectors Those practices and procedures that enable the secure use and operation of cyber tools and technologies IDET'09 - Brno May

7 CIP Policy Drivers Understanding the policy context is key to success Policy Concerns Policy Responses IDET'09 - Brno May

8 Complexity and Critical Infrastructures Policy Decision Maker Source: modified from Guarding Our Future Protecting Our Nation s Infrastructure Toffler Associates 2008 IDET'09 - Brno May

9 Threats Facing Global Operations Exponential Growth of IDs Identity and access management challenging Increasingly Sophisticated Malware Anti-malware alone is not sufficient Number of Digital IDs mainframe client/server B2E B2C B2B mobility Internet Number of variants from over 7,000 malware families (1H07) Pre-1980s 1980s 1990s 2000s Crime On The Rise Largest segment by $ spent on defense Source: Microsoft Security Intelligence Report (January June 2007) Attacks Getting More Sophisticated Traditional defenses are inadequate National Interest Personal Gain Personal Fame Curiosity Largest area by $ lost Vandal Thief Largest area by volume Trespasser Author Spy Fastest growing segment User GUI Applications Drivers O/S Hardware Physical Examples: Spyware Rootkits Application attacks Phishing/Social engineering Script-Kiddy Amateur Expert Specialist IDET'09 - Brno May

10 Increasing reliance on innovative technologies DOS ERA Early Mid 80s GUI ERA Late 80s Mid 90s TECHNOLOGIES Mouse GUI LANs INTERNET ERA Mid 90s XML/SOAP HTTP/HTML SMTP Clients Web Browsers Mobile Telephony Gaming CLIENT+CLOUD Mid 00s - future Parallel Programming Live Platform Natural UI Robotics Search Social Networkin Virtual Worlds Internet Gaming. PC Architecture MS-DOS Spreadsheets Word Processors Work productivity User Empowerment and Creativity EXPERIENCES AND EXPECTATIONS IDET'09 - Brno May

11 Fostering Trustworthy Infrastructures Security Privacy Reliabili ty Busines s Practice s IDET'09 - Brno May

12 Shaping innovative CIP approaches IDET'09 - Brno May

13 Resiliency Rules 7 Steps for Critical Infrastructure Protection IDET'09 - Brno May

14 CIP Goals Establishing Clear Goals is Central to Success Policy Elements Critical Infrastructure Importance Critical Infrastructure Risks CIP Policy Goal/Statement Sample Statement Critical information infrastructures (CII) provide the essential services that support modern information societies and economies. Some CII support critical functions and essential services so vital that the incapacitation, exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being. CII exploitation, or destruction, through natural disaster, technological failure, accidents or intentional attacks could have a debilitating effect on national security and economic well-being. Prevent or minimize disruptions to critical information infrastructures, no matter the source, and thereby help to protect the people, the economy, essential human and government services, and the national security. In the event disruptions do occur, they should be infrequent, of minimal duration, and manageable. Public-Private Implementation Implementing the National CIIP framework includes government entities as well as voluntary public-private partnerships involving corporate and nongovernmental organizations. IDET'09 - Brno May

15 Define Roles - understanding roles and objectives promotes trust and efficiency CIIP Coordinator (Executive Sponsor) Public-Private Partnerships Infrastructure Owners and Operators Law Enforcement Sector- Specific Agency Computer Emergency Response Team IT Vendors and Solution Providers Government Shared Private IDET'09 - Brno May

16 Identify and Prioritize Critical Functions Collaborate to understand Interdependencies Critical Function Infrastructure Element Supply Chain Supply Chain Key Resource Critical Function Infrastructure Element Supply Chain Key Resource Critical Function Infrastructure Element Supply Chain Key Resource Supply Chain Supply Chain Establish an open dialogue to understand the critical functions, infrastructure elements, and key resources necessary for: delivering essential services, maintaining the orderly operations of the economy, and helping to ensure public safety. Supply Chain Supply Chain Supply Chain Supply Chain IDET'09 - Brno May

17 Establish and Exercise Emergency plans - Improve Operational Coordination Public- and private-sector organizations alike can benefit from developing joint plans for managing emergencies, including recovering critical functions in the event of significant incidents, including but not limited to: natural disasters terrorist attacks technological failures accidents. Emergency response plans can mitigate damage and promote resiliency. Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. Testing and exercising emergency response plans promotes trust, understanding, and greater operational coordination among public- and private-sector organizations. Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions. IDET'09 - Brno May

18 Create Public-Private Partnerships - Collaboration is key to protecting critical infrastructure Voluntary public-private partnerships Promote trusted relationships needed for information sharing and collaborating on difficult problems Leverage the unique skills of government and private sector organizations Provide the flexibility needed to collaboratively address today s dynamic threat environment IDET'09 - Brno May

19 Build Security & Resiliency into Infrastructure - Security is a continuous process Building security and resiliency into infrastructure operations Critical Functions (Global, National, Local) Security Controls Infrastructure Operations Fosters increased security and resiliency for the critical functions that support safety, security, and commerce at all levels IDET'09 - Brno May

20 Update and Innovate Technology/Processes - Mitigate threats by keeping technology current and practices innovative Cyber threats are constantly evolving Policymakers, enterprise owners, and infrastructure operators can prepare for changes in the threat landscape by: Monitoring trends Keeping systems updated Maintaining the latest versions of software that have been built for the current threat environment IDET'09 - Brno May

21 Microsoft commitments to CIIP protection Click to edit Master text styles Second level Third level Fourth level Fifth level Trustworthy Infrastructure Programs and Policy

22 Microsoft Citizens Safety Architecture - MCSA Government & Citizenship Initiatives Citizen Safety Partner Solution Ecosystem Mission Operations & Support Mission Operations & Support Intelligence Analysis, Collaboration, & Investigative Support Emergency & Event Management Intelligence Framework Microsoft FusionX Microsoft Single View Platform Eagle Incident Response Citizen Safety Architecture Reusable IP & Know How IDET'09 - Brno May

23 Government Security Program (GSP) Microsoft global initiative to build confidence in the security of the Microsoft platform Provides access to source code for Microsoft products, including Windows and Office Provide technical information Provide access to development staff. Yearly technological workshops in Redmond Allow feedback on current products In-depth Technical information and guidance on security Allows to provide feedback and influence future product design (mainly on security guidance and tools) IDET'09 - Brno May

24 Security Cooperation Program (SCP) A worldwide program providing a structured way for government agencies responsible for computer incident response, protection of critical infrastructure, and computing safety to collaborate with Microsoft in the area of IT security Includes incident response, information exchange, and public outreach components Main benefits Public/private partnership in incident response and information exchange can help decrease risk to national security, economic strength, and social welfare from attacks on the country s IT infrastructure IDET'09 - Brno May

25 Computer Online Forensic Evidence Extractor (COFEE) - support for Law Enforcement On the 15 th of April 2009, Microsoft announced the signing of an agreement with INTERPOL for the rollout and implementation of the Computer Online Forensic Evidence Extractor (COFEE) tool for field use by INTERPOL and its affiliated regional agencies for the purposes of fighting cybercrime. The tool will be provided by Microsoft free of charge and distributed by INTERPOL to 187 countries around the world as part of INTERPOL s Global Security Initiative, with technical support, validation and training to be provided by University College Dublin s School of Computer Science and Informatics. COFEE is a Microsoft-developed application that uses common digital forensics tools to help officers at the scene of a crime, regardless of their technical expertise, in gathering volatile evidence of live computer activity that would otherwise be lost in a traditional offline forensic analysis. That announcement is the latest example of Microsoft s ongoing commitment to helping to create a safer, more trusted Internet experience for everyone, not just Microsoft s customers. IDET'09 - Brno May

26 Microsoft CIP Exercise Participation Cyber Storm I (2006) & Cyber Storm II (2008) LiveWire (2003) TOPOFF series US DoD Silver Links (Canada) Strong Angel III (international) Regional Exercises Purple Crescent series(gulf Coast US) Blue Cascades series (Pacific NW US) Amber Waves (MidWest US) IDET'09 - Brno May

27 Critical Infrastructure Exercises Guide Leverages Microsoft's CIP team experiences in CIP Exercise programs Reinforces Key Principles: Resilience encompasses prevention, response and recovery Exercises develop robust operational response Public/Private Partnerships are essential Interdependencies cannot be ignored Captures a Process for Developing and Conducting CI exercises Provides a resource for: Microsoft field advisors Government elites Public and Private sector practitioners who want to conduct an exercise IDET'09 - Brno May

28 Designing for resilience Co-chaired by Phil Reitinger from Microsoft and Janne Uusilehto from Nokia Consists of six members: EMC, Juniper, Microsoft, Nokia, SAP, and Symantec Dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods Published two papers to improve software security Software Assurance: An Overview of Current Industry Best Practices Fundamental Practices for Secure Software Design and Development Establishing an International Advisory Board IDET'09 - Brno May

29 Coordinating operational response Industry Consortium for the Advancement of Security on the Internet ICASI enhances the global security landscape by driving excellence and innovation in security response practices; and by enabling its members to proactively collaborate to analyze, mitigate, and resolve multi-vendor, global security challenges Made up of five companies currently: Cisco, IBM, Intel, Juniper, Microsoft Developing operational coordination and thought leadership products The Unified Security Incident Response Plan (USIRP) A new paper on security response planning IDET'09 - Brno May

30 Creating a more trustworthy Internet Core Security Components Identity Claims Authentication Authorization Access Control Mechanisms Audit I+4A Trusted Data Trusted Stack Trusted People Trusted Software Trusted Hardware Secure Foundation SDL and SD3 Integrated Protection Defense in Depth Threat Mitigation IDET'09 - Brno May

31 How Microsoft protects its own Critical Infrormation Infrastructure Global Security Oparational Centers GSOC s IDET'09 - Brno May

32 Microsoft Global Security Operational Centers (GSOC) Americas EMEA Asia

33 GSOC Complex Environment Microsoft s Integrated Security Solution includes the following core infrastructure components: Access Control (ACN) and Alarm Environment 8,400 proximity card readers 180,000 active records 25,000,000 access and security related events/transaction per month Communications 300 end users for RF over IP 1700 Voice over IP capable duress intercoms Video Environment 600 video recorders 8,000 cameras 4,100 Other Devices Duress or intrusion Environmental Biometric Fire Life Safety Systems Regulatory compliance for UL Certified Central Station Business reporting through 330 dedicated panels

34 GSOC Key Design Principles Nine key principles drove the design and development of Microsoft s GSOC Integrated Security Solution: Off-the-shelf applications Use of Microsoft products Remotely managed IP devices Defense in depth Deterrence value Remote monitoring Precision response Forensics/ investigative model Interoperability

35 GSOC Key Functional Components Alarm Monitoring and Access Control Environment Video Environment Fire & Life Safety Systems Radio over IP (RoIP) 911 Monitoring Emergency Alerts Consistent Policies & Procedures Global Event Notification Site-Specific Data Management Geographic Mapping Internal Communications Investigative Case Management Radio over IP Dispatch

36 Microsoft Security Intelligence Report volume 6 July-December 2008 (2H08) IDET'09 - Brno May

37 Social Engineering as a Weapon Rogue security software infections spiked in 2H08 Microsoft products removed rogue security software from more than 10 million computers in 2H08 IDET'09 - Brno May

38 Rogue Security Software Profiting from Fear and Trust Some rogue security software families mimic genuine Windows security warnings Clicking Recommendations initiates a registration and purchase process IDET'09 - Brno May

39 Rogue Security Software Profiting from Fear and Trust Some variants of Win32/FakeXPA display fake blue screen error messages IDET'09 - Brno May

40 Rogue Security Software Profiting from Annoyance Some rogue security software families employ intrusive pop-up messages to persuade the user to purchase IDET'09 - Brno May

41 Social Engineering as a Weapon Microsoft Internet Safety Enforcement Team (ISET) partners with governments, law enforcement, and industry partners worldwide Several legal cases initiated against the creators and distributors of rogue security software For full details of these legal actions please refer to the full Security Intelligence Report volume 6 document IDET'09 - Brno May

42 Malicious and Potentially Unwanted Software Global Infection Counts The 25 locations with the most computers cleaned by Microsoft anti-malware desktop products in 2H08 Country/Region Computers Cleaned in 2H08 United States 13,245,712 China 3,558,033 United Kingdom 2,225,016 France 1,815,639 Brazil 1,654,298 Spain 1,544,623 Korea 1,368,857 Germany 1,209,461 Italy 978,870 Canada 916,263 Mexico 915,605 Turkey 768,939 Country/Region Computers Cleaned in 2H08 Netherlands 641,053 Russia 604,598 Taiwan 466,929 Australia 464,707 Japan 417,269 Poland 409,532 Portugal 337,313 Sweden 287,528 Belgium 267,401 Denmark 224,021 Norway 203,952 Colombia 164,986 Switzerland 163,156 IDET'09 - Brno May

43 Security Vulnerability Disclosures Microsoft vulnerability disclosures Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale Vulnerability disclosures for Microsoft and non-microsoft products, 2H03-2H IDET'09 - Brno May H03 1H04 2H04 1H05 2H05 1H06 2H06 1H07 2H07 1H08 2H08 43

44 Malicious And Potentially Unwanted Software Geographic trends by location Significant differences in threat patterns worldwide Threat categories worldwide and in the eight locations with the most infected computers, by incidence, among all computers cleaned by Microsoft desktop anti-malware products, 2H08 60% 50% Misc. Trojans 40% 30% Trojan Downloaders & Droppers Misc. Potentially Unwanted Software Adware Worms 20% 10% Password Stealers & Monitoring Tools Backdoors Malware 0% Exploits WW Spyware IDET'09 - Brno May 2009 United States China United Kingdom France Brazil Spain Korea Germany 44

45 Malicious And Potentially Unwanted Software Infection rates by country/region in 2H08 IDET'09 - Brno May

46 40% 35% 30% 25% 20% 15% 10% 5% Malicious And Potentially Unwanted Software Category Trends Computers cleaned by threat category, in percentages, 2H06-2H08 Misc. Trojans Trojan Downloaders & Droppers Misc. Potentially Unwanted Software Adware Worms Password Stealers & Monitoring Tools Backdoors Malware Exploits 0% Spyware 2H06 1H07 2H07 1H08 2H08 Circular markers denote malicious software, square markers denote potentially unwanted software IDET'09 - Brno May

47 Threats Spam Trends and Statistics Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, during the last six weeks of 2H08 Malware ; 1,8% 419 Scam; 1,9% Fraudulent Diplomas; 2,8% Financial ; 3,1% Phishing ; 1,6% Get Gambling ; Rich 1,1% Quick ; 1,7% Stock ; 0,6% Software ; 0,5% Dating/Sexually Explicit Material; 5,2% Image only; 7,3% Pharmacy - sexual; 10,0% Pharmacy - non sexual; 38,6% Non-pharmacy product ads; 23,6% IDET'09 - Brno May

48 Malicious Site Analysis Phishing sites by coutry/region by percentage of all phishing sites worldwide in 2H08 IDET'09 - Brno May

49 Malicious Site Analysis Malware hosting sites by coutry/region by percentage of all malware hosting sites worldwide in 2H08 IDET'09 - Brno May

50 Analysis of Drive-By Download Pages Example of a Drive-By Download Attack IDET'09 - Brno May

51 Analysis of Drive-By Download Pages Geographic Distribution of Drive-by Download Pages IDET'09 - Brno May

52 Malicious and Potentially Unwanted Software Strategies, mitigations, and countermeasures (1/3) Use an up-to-date anti-malware product from a known, trusted source Keep your operating system up to date Consider upgrading to the most recent versions of software you use Consider disabling autorun functionality Consider using a user account which does not have administrator privileges for your daily work Use passwords for any network share you configure Avoid opening attachments or clicking links in or instant messages that are received unexpectedly IDET'09 - Brno May

53 Malicious and Potentially Unwanted Software Strategies, mitigations, and countermeasures (3/3) Download and use the Malicious Software Removal Tool (MSRT) Support new legislation to help take legal action against criminals Use the Microsoft Security Assessment Tool Keep yourself up to date about emerging threats IDET'09 - Brno May

54 Malicious and Potentially Unwanted Software Strategies, mitigations, and countermeasures (2/3) Use a mail client that suppresses active content and blocks unintentional of executable attachments Use a robust spam filter to guard against fraudulent and dangerous If you receive an from a bank or commerce site, visit their site using a pre-bookmarked link or by typing in the link from your monthly statement Deploy inbound and outbound authentication to protect against spoofing and forgery Online gamers are at risk from malware that tries to steal their game assets or credentials IDET'09 - Brno May

55 Software Vulnerability Disclosures Adjust risk management processes to ensure that operating systems and applications are protected Security Risk Management Guide for IT professionals is available complianceandpolicies/secrisk/default.mspx Free prescriptive guides for IT professionals default.mspx Participate in IT security communities Example: The Microsoft IT Pro Security Zone community Subscribe to the Microsoft Security Newsletter default.mspx IDET'09 - Brno May

56 Time for Summary... IDET'09 - Brno May

57 Summary Microsoft is not just a desktop software provider We actively participate in Critical Information Infrastructure Protection efforts Government/Law Enforcement/Defense bodies may use Government Security Program and Security Cooperation Program Microsoft Internet Safety Enforcement Team (ISET) partners with governments, law enforcement, and industry partners worldwide Main Microsoft focus: Trusworthy Computing (TwC), Citizens Safety Architecture (Intelligence Framework, Single View Platform, Eagle) IDET'09 - Brno May

58 Quiz questions What is a name of Microsoft forensic package that will be avaible free of charge for 187 INTERPOL member countries? What Microsoft programes are used by Government/Law Enforcement/Defense bodies to assess applications corectness (via source code analysis) and information assurance/security incident response cooperation? What is a name of Microsoft bi-annual report covering internet safety based on analysis information collected globally from Malware Software Removal Tool and ForeFront? IDET'09 - Brno May

59 Microsoft support for Critical Information Infrastructure Protection Services Edge Microsoft Innovations Drive - Comprehensive CIIP Approach Server Applications Information Protection Client and Server OS Identity Management Systems Management Active Directory Federation Services (ADFS) Guidance IDET'09 - Brno May 2009 Developer Tools 59

60 Thank you Questions? Contact: Phone: IDET'09 - Brno May