1 / 38

WEBCAST SCHEDULE

WEBCAST SCHEDULE. Today’s event will run one hour long. Here are the expected times for each segment of the webcast: :00 – :05: Moderator introduces the speaker and discusses the details of the webcast. :05- :25: Speaker delivers a PowerPoint presentation on the webcast topic.

wanda
Télécharger la présentation

WEBCAST SCHEDULE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WEBCAST SCHEDULE Today’s event will run one hour long. Here are the expected times for each segment of the webcast: • :00 – :05: Moderator introduces the speaker and discusses the details of the webcast. • :05- :25: Speaker delivers a PowerPoint presentation on the webcast topic. • :25- :35: Moderator and speaker engage in a brief Q&A on the topic. • :35- :60: The speaker responds to questions submitted by the audience. You can submit questions to the speaker at any time during the event. Just click on the “Ask a Question” button in the lower left corner of your screen.

  2. TECHNICAL FAQs Here are answers to the most common technical problems users encounter during a webcast: Q: Why can’t I hear the audio part of the webcast? A: Try increasing the volume on your computer. Q: I just entered the webcast and do not see the slide that the speaker is referring to. What should I do? A: The slides are constantly being pushed to your screen. You should refresh (hit F5) to view the latest slide. Q: In what time zone do the webcasts take place? A: The TechTarget webcasts all occur on Eastern Daylight Saving Time (UTC/GMT - 4 hours). After Oct. 27, 2002, the webcasts will occur on Eastern Standard Time (UTC/GMT – 5 hours). If your question is still not answered, please click the “Ask a Question” button in the lower left corner of your screen and submit your problem. A technical support person will respond immediately. You can also visit the Broadcast Help page for more information or to test your browser compatibility. Click here: http://help.yahoo.com/help/bcst/

  3. Trick or Treat:What has Microsoft delivered in Trustworthy Computing? Roberta Bragg

  4. What do these words say to you? • Microsoft marketing • Microsoft finally “gets it” • Microsoft Moratorium – Writing secure code • Palladium • TCPA? (Trusted Computing Platform Alliance) • Trusted Computing Base • Survivable Networks

  5. How Microsoft defines Trustworthy Computing “For computers to be taken for granted, they must always be available wherever and whenever people need them, they must reliably protect personal information from misuse and give people control over how their data is used, and they must be unfailing secure. We call this concept Trustworthy Computing.” Bill Gates, April 2002 “The Trustworthy Computing Initiative is a label for a whole range of advances that have to be made for people to be as comfortable using devices powered by computers and software as they are today using a device that is powered by electricity.” Craig Mundie, CTO, May 2002.

  6. Let’s look at one of Bill Gates’ examples of a trustworthy system The Public Telephone Network (I think we’re going to find that it’s less “trustworthy” than we think.) Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  7. A lesson – PTN/Internet(Schneider, Building Trustworthy Systems) • Similarities to Internet • No entity owns or manages entirely, nor can have complete picture of • Large number of subsystems • Complexity driven by • interfaces at boundaries of subsystems • demand for advanced services • Complexity means operator errors

  8. PTN vulnerabilities • Backhoe fading – solved by redundancy • Cost pressures; competition vs. old monopoly means less robustness • New technology means fewer physical links necessary for higher levels of traffic (failure of single link = higher repercussions) • Less backup capacity, as leased from others • Designed for few companies, inherit trust in access to switches; now many companies, non-trusted interconnections between switches Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  9. Attacks on the PTN • Mostly, up till this time, toll fraud • Threat growing • More operations support systems (OSS) and more interconnections of them • Increased skill of attackers • More Signaling System 7 (SS7) interconnections to new phone companies (takes less to do so)

  10. New types of PTN attacks • Routing attack • eaves dropping from interoffice trunks • view or alter route tables of switches • manual control possible • Database attacks • OSSs manage databases (toll-free numbers, call forwarding, message delivery) • control = possible deception, abuse • change speed dialing; re-route • subscribers choice of long-distance (slamming)

  11. Electronic banking Electronic stock buying Electronic voting Online medical databases E-mail Schedule E-commerce Patient records Competitive information Proprietary information Let’s return to why a trustworthy “system” is a premium issue in computing.

  12. Technology PDAs Smart phones Wireless access Different software models Mobile code Web services Availability Wireless access points at coffee shops Public kiosks And… Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  13. Needed: A trustworthy computing infrastructure It does what we want (and only what we want) when we want it to, regardless of attack or design flaw.

  14. Trustworthiness – a holistic definition • Confidentiality • Correctness/integrity • Reliability: fault tolerance • Availability • Survivability • Security • Privacy • Safety

  15. An example – FAA 5 layers of protection Personnel Physical Compartmentalization & information systems security Site-specific adaptation Redundancy Awareness and Execution Architecture / Engineering

  16. A history lesson • The myth of the Trusted Computing Base • security meant confidentiality (keeping secrets) • accomplished via access control – LaPadula model/Orange book • specialized equipment • Today – must use COTS • Integrity, availability are equally important • Common criteria addresses this, but … • TCB = combination hardware and software trusted to enforce security policies.

  17. More of the myth • TCB is line drawn in sand sandbox. • once breached battle is lost • easily attacked by using an unforeseen method • How can you have a trusted computing base when computing is distributed? • machines, data storage, communications • plug-and-play – Who really knows what software is running on a specific machine? • And where: reliance on familiar systems decreases learning curve for would-be attackers – the monoculture effect

  18. Report card on the industry • Affordable products – PKI, biometrics, smart cards • IBM ThinkPad's with onboard hardware storage and generation of cryptographic keys & security subsystem • Smart phones limitations on downloadable software • Explosion in software security products • Increased spending on security products • Continued forecasts Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  19. And still, software is poorly written – WHY? Why do we still get bug reports? • Market pressures • Lack of discipline • Brilliance! = perfection • The need for “friendliness” • Focus on features/function • Public perception = reality • It takes a long time to effect a change • (There’s a lot of existing code…)

  20. Why aren’t systems hardened, protected and patched? • Market pressures • Lack of discipline • Brilliance! = perfection/security • Lack of sharing (changing now) • Focus on features/function/technology • Public perception = reality • Ignorance of impact on bottom line • Security features! = security

  21. Trustworthy computing future • Central policy that’s deployed without significant work by administrators • Computers that can self-diagnose and heal themselves • Computers that can administer other computers • Programming tools that reduce complexity and increase flexibility • Increased accountability of Internet users/providers • Increased knowledge, study of the interaction between sociology and technology • More reliable systems with longer time between hardware failure • Increased reliance on crypto to encrypt files, protection communications and authenticate access • Higher importance to security over features – security becomes the features that sell

  22. What is happening NOW • Industry • Microsoft • You Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  23. What Microsoft has done/will do • Training for secure coding • Use of outsiders • Internal/external programs for security • Publication of results • New products • Framework for trustworthy computing

  24. Writing secure code initiative • Work stoppage and code review • Training for all • Code hygiene • 76 days, 8000 programmers • Then SQL, Exchange, SMS • $10 million!!! • Changes in .NET • Turn off & lower privileges of 30 services by default • IIS not loaded by default, when it is static Web server • Other products • Outlook in Office 2002 default settings, improvements • XP SP1

  25. Use of outsiders • Threat modeling, threat analysis • Increased access to source code • Promise to publish nexxus of Palladium Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  26. Programs for security • Strategic Technology Protection Program (STPP) – get secure, stay secure • Security liaison for each product group (responsible for security of code) • Architect security into products at design • Security clinics – training for administrators • SMS value pack • Microsoft Security Response Center • Secure Windows Initiative • 866-PC SAFETY – virus hotline • Security operations guides

  27. Publication of results • Uncovering “bugs” in code and releasing security bulletins and patches • Security operations guides • Baseline security analyzer • New tools and improved tools • Work with industry groups on Web services security issues

  28. New products/sample code • SUS • Base Line Security Analyzer • Improved tools • URLScan • IISLock • SMS feature pack • XML filter example code (install on ISA – secure Web services; protects XML Web services from unauthorized access and DOS attacks) – inspect incoming SOAP and XML data

  29. Palladium • Run only trusted code that is physically isolated, protected and inaccessible to rest of system (curtained memory) (sealed storage) • Attestation – code that digitally signs data PC • Files encrypted with code specific to each PC (useless if stolen or copied) • Users can operate in “realms” vaults – keep private and public info separate • New chip and design changes to CPU, chipsets and peripherals • Not a part of boot process

  30. Palladium • Will not require DRM • Stores keys in hardware • Trusted operating root or nexxus – will publish source code for examination; the kernel of Palladium; the software for the Palladium hardware • Security Support Component (SSC) – hardware module does cryptographic operations and stores cryptographic keys; at least one RSA private key and AES symmetric key are never exported from the chip • Machine owners (organizations, single owners) are in charge of what runs and is monitored

  31. Redefinition – framework for trustworthy computing • Secure by design • Secure by default • Secure in deployment • patching • recovery • intrusion detection • automatic corrective action 1 Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  32. What others are doing • TCPA – Trusted Computing Platform Alliance – a specification • Le Grande – technology for Prescott chip; anti-piracy features; protection from hacks, DRM? • IBM’s onboard cryptographic chip and security suite • New Phoenix BIOS – secure version, designed to prevent intruders from signing on to computer or accessing remotely • Carnegie Mellon University – Sustainable Computing Consortium

  33. Your report card • More security researchers • Awareness is high • Buying security products • purchase of encryption products up 86% over last three years • projection for security spending is up • Still not patching • Still not using provided tools • Still not supporting employees with advanced security training

  34. Trustworthy people? • The factor that secure software and hardware-based security subsystems cannot entirely deal with • Policy and people are as important as product • Trustworthiness is holistic Submit a question anytime by clicking on the Ask a Question link in the bottom left corner of your presentation screen.

  35. What you can do • Insist on secure software • purchase products that follow sound principles in product development and are responsive to vulnerability reports • Insist on integrated hardware devices that do not preclude “our” control • Put your own house in order • Support initiatives

  36. Resources • Building trustworthy systems: An FAA perspective – www.dacs.dtic.mil/awareness/newsletters/stn4-3/trustworthy.html • Is the trusted computing base concept fundamentally flawed? – John McLean, Center for High Assurance Computer Systems, Naval Research Laboratory • Building trustworthy systems: Lessons from the PTN and Internet – Schneider, Bellovin, Inouye, IEEE Internet Computing, 1999 • Trust in cyberspace – www.nap.edu/readingroom/books/trust • Get on the mailing list for Palladium info – pdinfo@microsoft.com with “subscribe” in the subject line • TCPA spec www.trustedcomputing.org

  37. Questions? Click on the Ask a Question link in the lower left corner of your screen to ask Roberta Bragg a question about this webcast. You can also e-mail Roberta at Freouwebbe@msn.com or find her on SearchWin2000.com’s security experts page.

  38. Feedback Thank you for your participation. Did you like this webcast topic? Would you like us to host other events similar to this one? Send your feedback on this event and ideas for other topics to editor@searchWin2000.com.

More Related