Total BS Security: Business-based Systems Security
Transcript of Total BS Security: Business-based Systems Security
MID/jpl 04/21/23 1 © 1999 by James P. Litchko
Total BS Security: Business-based Systems Security
Jim Litchko, [email protected], (703) 528-0334 ext. 310
Presentation
• An Approach
– Business and holistic
• Attitudes
– Ours and theirs
• Solutions
– Case studies
• Opinions
– Mine
• Questions
– Anytime
Typical Evolving Network
(Diagram: a Corporate System connected through the Internet or other networks to Clients and Partners.)
“Secure Brick” Theory
(Diagram: the Manager balancing Operations against Security, Profit against Loss, and Demand against Supply.)
Approach . . . talk about their business
• What is your business?
– Services and products
• How do you operate?
– Processes for selling and providing
• Who does what?
– Responsibilities and information flow
• How do you measure success?
– Customer satisfaction, profit, market share, etc.
• What is your system’s architecture?
– Components, connections, capabilities, and cultures
Security Requirements
(Diagram: a Promotional Web Server, a Transaction System and a Service System connected through the Internet or other network to Clients and Partners. Requirement labels next to the systems: Integrity, Availability, Confidentiality, Integrity, Authentication; next to Partners: Confidentiality, Visibility; next to Clients: Availability, Browser, Impatient; also Business/?Productivity.)
82% required no additional security products
Attitudes and Perceptions:
• Sailor-on-liberty philosophy
– I want it fast, free and friendly
• Security only costs money
– True, but . . . .
• The most secure solution has
– best GUI
– largest market share
– relationship and trust
• Transparent to the user
– Accept when . . .
Attitudes and Perceptions:
• Sailor-proof
– If it is too hard, they will find a way around it
• KISS principle
– Education is the best bang for the buck
– Increases ownership for solving security problems
• SNMP is the standard
– Not a smoking gun . . . . a bleeding wound is needed.
• What is the aspirin for security?
– Firewalls, VPN, PKI, IDS, . . . . . .?
– Technology will solve all of our problems!
– The email monitoring problem’s solution was policy.
Which Authentication is best?
• Password?
• Time-based?
• Challenge and Response?
• Event-based?
• Biometrics?
• Public Key?
• VPN?
• IDS?
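Three of the options on this slide (time-based, event-based, and challenge and response) are shown below in working form so the difference between them is concrete. This is an added example and is not code from the talk: the one-time-password functions follow RFC 4226 (HOTP) and RFC 6238 (TOTP), the 20-byte key is the RFC test key, and the HotpVerifier look-ahead window and the HMAC-SHA256 challenge-response exchange are illustrative choices rather than anything the slides prescribe.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 / RFC 6238 reference test key (constructed input, not a real secret).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Accept the code for the current step plus/minus `window` steps (clock skew).

    The tolerance window is an assumption of this example; a code outside it is
    rejected, which is what limits replay of an observed time-based code."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, digits, step), code):
            return True
    return False


class HotpVerifier:
    """Server side of event-based authentication for one user.

    Tracks the next expected counter and looks ahead a few events in case the
    token was pressed without logging in; a counter at or below the last one
    accepted is never accepted again, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str, digits: int = 6) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, digits), code):
                self.next_counter = c + 1
                return True
        return False


def challenge() -> bytes:
    """Server issues a fresh random nonce; a repeated nonce would allow replay."""
    return os.urandom(16)


def respond(secret: bytes, nonce: bytes) -> str:
    """Client proves possession of the shared secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


def verify_response(secret: bytes, nonce: bytes, response: str) -> bool:
    return hmac.compare_digest(respond(secret, nonce), response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_KEY, 0))
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_KEY, 59, 8))
    nonce = challenge()
    print("challenge-response ok:", verify_response(RFC_TEST_KEY, nonce, respond(RFC_TEST_KEY, nonce)))
```

Run it as a script to see the RFC 4226 and RFC 6238 reference values; the point for the "which is best" question is that each mechanism guards against a different misuse: the time-based code expires on its own, the event-based code is burned by the server once used, and the challenge-response exchange never puts a reusable value on the wire at all.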
Problem
• Subscription information service provider
• Web site distribution
• Computer-illiterate users
• Sharing passwords
• $40,000 loss per month
• What is the solution?
Security and Business Math

            Before      After       Better Idea?
Profit:     $ 50B       $ 50B       $
Loss:       $ 4.5B      $ 1.0B      $
Net:        $ 46.5B     $ 49.0B     $
(Diagram, step 1: Internet or WAN; a read-only Promotional Web Server behind a Firewall; Firms and Clients connect in; a second Firewall in front of Support Operations and the Transaction System.)
(Diagram, step 2: same layout; read-only Promotional Web Server behind the Firewall; IP Encryption added on the Firms and Clients connections to Support Operations and the Transaction System.)
(Diagram, step 3: as before, with SSL Encryption added alongside the IP Encryption links.)
(Diagram, step 4: as before, with Intrusion Detection Systems and Assurance Testing added.)
“In God we trust. Everyone else we monitor.”
(Diagram, step 5: Internet or WAN; read-only Promotional Web Server behind the Firewall; Firms and Clients over IP Encryption and SSL Encryption; Backups on each system; a Surf/Web Filter; Support Operations and the Transaction System.)
What business is this?
Summary
• Base security on the business first
• Practical solutions, not just technical ones
• Security is a business risk