Slide 1

Report
The Whole/Hole of Security
Public (DoD) v. Corporate
Carl Bourland
US Army Judge Advocate General’s Corps
1. System Administrator Training
Security must be in place from the “cradle to the
grave” for every system
 Server consolidation can open up secure systems to
potential vulnerabilities
 System Administrator shortcuts sometimes
compromise good security
_____________________________________________
 Department of Defense requires a two week training
certification and background check on all system
administrators

2. End User Training


Security training should be required before initial
access and reoccurring thereafter
Users can defeat millions of dollars of security just
be giving away their password


Most users are “just trying to be helpful”
Management needs “a favor”
_____________________________________________
 Department of Defense requires security training
pertinent to the user’s system before a password is
issued and annually thereafter
3. Defense in Depth


Use multiple security measures to secure your
system
There is no one product that implements good
information security

Firewalls, Intrusion Detection Systems, AntiVirus Software, Access Control Lists, Data
Backups, Software Patches
_______________________________________
 Department of Defense requires software
patches and compliancy verification
4. Offsite Systems
Examples: Laptops, PDAs, Wireless Devices
 These systems may be compromised offsite and then
be brought inside the network
 By nature people do not report lost equipment
immediately
_______________________________________
 The Department of Defense regulates the use of
wireless and infrared technologies

5. Vulnerability Assessments
Scan systems from the inside and outside to test
security and patch security issues
 Consider an outside company to do the assessment to
obtain a unbiased assessment
_____________________________________________
 Department of Defense require annual vulnerability
assessments and provides software for security
officers to conduct assessments on a more frequent
basis

6. Stringent Policies

User policies must be easy to understand


Concise
Clear
User policies should provide consequences for not
following the policies
 All personnel should be subject to the policies
_____________________________________________
 Military personnel may be court-martialed for not
following regulations and policies, DoD civilians
risk losing their jobs

7. Incident Response Plans
Users should know how to react when their system
acts abnormal
 System Administrators should know what
procedures to take during an incident
 Organizations should have a disaster recovery plan
and test it periodically
_____________________________________________
 The Department of Defense has layers of computer
emergency response teams in place to handle
information security incidents

8. System Documentation and
Standardization
System security should be documented
 Consider a formal acceptance of the security of all
systems
 Standardization of security configurations is the key
to security
_______________________________________
 Department of Defense requires a formal
Certification and Accreditation of all information
systems

9. Prevention\Detection
Prevention is ideal, but detection is a must
 You cannot prevent all attacks
 Those attacks that you cannot prevent, must be
detected in time to defend against them
 Plans are based on threats, value of the information,
and the costs of securing the data
_____________________________________________
 Firewalls and Intrusion Detection Systems are
located at all entry points to the DoD network

10. Passwords or Certificates
User IDs and passwords are still the most common
authentication mechanism
 All passwords can be broken given enough time and
resources, complex passwords or lengthy passphases
are the key to good security
 (PKI) Certificate authentication allows encryption,
non-repudiation, and digital signatures
_____________________________________________
 The DoD is implementing a enterprise wide PKI
system

Questions

similar documents