Information Assurance Management

Information Assurance Management. Telecommunications and Information Security Workshop 2000 (TISW 2000). Speakers include the National Telecommunications and Information Administration (NTIA) and Richard Clarke, NSC, National Coordinator for Security, Infrastructure Protection and Counter-Terrorism.


Presentation Transcript


  1. Information Assurance Management Telecommunications and Information Security Workshop 2000

  2. TISW 2000 • National Telecommunications and Information Administration (NTIA) • Richard Clarke, NSC, National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. • Attacks and reporting are up... Disney and Ikea were both hit in the last few weeks.

  3. TISW 2000 • 5 trends in vulnerabilities: • Good news: B2B is driving down prices and increasing production... • Bad news: you are only as secure as your least secure partner... • Deregulation of electrical power requires a vast new information exchange system to manage...

  4. TISW 2000 • VoIP convergence: retains all the vulnerabilities of both voice systems and IP... how is this to be secured? • Expansion of wireless networks - we are slow to put security in place... watch others for vulnerabilities. By 2003, 165 million anonymous connections... • Broadband - we are becoming more reliant on it... privacy rights are in jeopardy.

  5. TISW 2000 • 5 things industry can contribute: • People - a “Cyber Corps” that pays for undergraduate and graduate degrees in InfoSec. Money to stimulate academia to start degree programs. • Share information - telecom and banking now, the power sector by the end of the year. • Horizontal, distributed attack warning. • 90% of successful attacks are the result of failure to install available patches. DOE and DOD are working on a secure push to force patch installation.

  6. TISW 2000 • Standards - not the role of government to create standards... they will not regulate cyberspace. • All banks must achieve cyber security. • Health care soon to follow. • Visa standards are required for all its vendors. • “Generally accepted” practice varies by industry.

  7. TISW 2000 • Next generation of telecom infrastructure with security built in and seamless use • Government R&D money to be used to identify gaps where market forces are not working • Policy questions: Do we have to preserve privacy or anonymity? Or can we have both? Or neither? • Continuity - non-partisan, not interrupted by changes in administrations.

  8. TISW 2000 • Michael Jacobs - Deputy Director, InfoSec, NSA • Information Assurance Counter-measures Triad: • Technology • Policy and procedures • Awareness, training & education • Stability is required for effective security.

  9. TISW 2000 • Only three counter-measures available to protect those infrastructures: • Cyber security awareness and education • Strong Crypto • Good security-enabled commercial information technology.

  10. TISW 2000 • Howard Schmidt - Corporate Security Officer for Microsoft. • Old computing adage: GIGO (garbage in, garbage out). • New adage: GIGO... garbage in, gospel out... if it was said on the Net, it must be true! • New exposure to risk in every new device. • Looming issues...

  11. TISW 2000 • Digital Divide - Have’s vs. Have nots • Spectrum management - wireless • Privacy • Encryption and export controls • Taxation and jurisdiction • Security of broadband persistent connections

  12. TISW 2000 • NTIA panel discussions • Engineer security in from the start • Administer the network securely • Test the system - configuration management • Respond to known weaknesses - have a plan! • Incentive to be part of the system - move SysAdmin from IT to Security • Two-element (two-factor) authentication vs. strong passwords for root or Admin access

  13. TISW 2000 • Common server tasks assigned to specific users • Programmatic practices • Best practices • Pen-test • Firewalls • URL blocking • Anti-virus • Secure authentication

  14. TISW 2000 • Emergency Response Program • Open source monitoring • Event correlation & analysis • CERT • Forensic team • Cyber Insurance • Actuarial base won’t meet needs • Assessment -Security Program Elements

  15. TISW 2000 • Protect • Detect • Respond • Collapse of the Internet? • Yes! At the nodes of the search engines

  16. TISW 2000 • How to influence the Board? • IDS outside the Firewall • Fiduciary responsibility to stockholders • Personal, financial risk • Exposure and Risk • Foreseeability • Due care and diligence

  17. TISW 2000 • DDoS - failure to exercise due diligence • Link liability • As with Y2K requirements, you must be able to prove your infosec procedures • Process in place - not just things! • HIPAA... ”anticipated threats or hazards to security or integrity of customer records and information...”

  18. TISW 2000 • SEC using the same language • Banking regs the same • Due diligence - document, document, document! • Anticipate & Avoid vs. Respond and React
