Cybersecurity Briefing Deck


Introduction to Desktop security

CNCI (Comprehensive National Cybersecurity Initiative), March 2009
In March 2009 the US DHS (Department of Homeland Security) announced a comprehensive national cybersecurity policy. It shifts from a strategy of after-the-fact response to cyber incidents to one centered on prevention. It consists of 12 core initiatives, rests on a classified presidential directive on national security (NSPD 54/HSPD 23), and only part of its content has been made public.
Core technologies:
- FDCC (Federal Desktop Core Configuration): hardens the business desktop PCs and laptops inside federal agencies.
- TIC (Trusted Internet Connection): strengthens the security regime for Internet paths among federal agencies.
- Einstein program: builds a monitoring system for Internet traffic among federal agencies.
[Diagram: TIC inspects all traffic between federal agencies (Department of Transportation, State Department, Treasury, Department of Homeland Security) and the Internet; Einstein sensors watch for anomaly indicators; FDCC is applied to review the security of every federal government PC; roughly 4,300 external Internet connection points are reduced to fewer than 100.]

From Unmanaged to Managed
- Patch and deploy the current OS and all applications.
- Restrict administrative privileges: no user should run as local admin on their workstation, even administrators; domain admins should never log on to workstations or member servers in the domain (only on domain controllers); service accounts with high privileges are a risk.
- Whitelist applications.

- (Most) users run with standard user rights.
- Security settings and policy enforcement.
- Do not allow local administrators to add applications whose use has not been approved.
- Strong control over service accounts.
- Strong control over domain administrators.
- Actively monitor for deviation from the desired configuration.

Maintain the baseline: know what the norm is and enforce it periodically. Clarity of policy. Data protection is the supreme goal!

[Diagram: existing environment vs. secure PC management environment]
Characteristics: important information is stored and official duties performed on PCs; intrusion paths such as zombie PCs; leakage of important information.
Existing environment: management by users (non-experts); vulnerable Windows settings; neglected management of security programs.
Secure PC management environment: group-based security policy management; security program management; operating system security management; security patch management; a security policy and management server (central control); problem resolution and management by a security management server (experts).

- Weak software distribution and PC management infrastructure.
- Excessive restrictions by the security team.
- Absence of overall procedures and standards.
- Whenever anything goes wrong, blame is shifted onto the lockdown.
- Users commonly regard the system as personal property.
- Behind-the-scenes obstruction of, and resistance to, lockdown attempts.
- Use of alternative products to evade the lockdown.
- Cost of replacing existing applications that malfunction.

1. Remove administrator rights.
2. Develop and implement a well-regarded security policy standard.
3. Maintain the lockdown state through monitoring and active remediation.

US federal government
- US DoD STIGs (Security Technical Implementation Guides)
- US Air Force SDC (Standard Desktop Configuration): standardized locked-down configuration (XP SP2)
- DISA (Defense Information Systems Agency) Gold Disk Standard
National Institute of Standards and Technology (NIST)
- Federal Desktop Core Configuration (FDCC)
- US Government Configuration Baseline (USGCB): enforces identical security settings on every business PC and laptop used in federal agencies, maintaining a uniform security level; building products to a single specification reduces procurement cost and time.
Microsoft security guidance: included in Security Compliance Manager (SCM).

- Based on real usage environments and deployed at large scale: the US Air Force standardized 550,000 desktops and laptops.
- Not a policy that stays on paper: Group Policy Objects (GPOs) that can be imported into an Active Directory domain are provided.
- Economic reasons: tied to the FISMA scorecard.
- Compliance: an enforcement method is provided, the Security Content Automation Protocol (SCAP).

- An industry standard for documented and proven desktop security settings.
- Collaborating organizations: Microsoft, NIST, Defense Information Systems Agency, National Security Agency.
- Required by the US Office of Management and Budget (OMB).
- Explicitly defines more than 700 settings.
- Started as settings for Windows 7; settings for Windows XP and Windows Vista are now also defined.

- (Most) users run with standard user rights.
- Inbound firewall: On.
- File and printer sharing: Off.
- Wireless network: Off.
- IE8 Protected Mode: On.
- Password length: set from 12 to 15 characters.
- ActiveX controls and unsigned drivers: controllable.
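To make "know the norm and monitor for deviation" concrete, here is an added example that is not part of the original deck: a small Python checker that parses a constructed `secedit /export` security template and reports which settings drift from a baseline built from the settings listed above. The EnableLUA and domain-profile EnableFirewall registry paths are standard Windows policy locations; treating the deck's "12 to 15 characters" as a minimum length of 12 is an assumption.

```python
# Constructed sample of a `secedit /export` template (not taken from a real host).
SAMPLE_INF = r"""
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=4,0
[Version]
signature="$CHICAGO$"
"""

# Desired state drawn from the deck: >= 12-character passwords with complexity,
# standard-user (LUA) enforcement on, inbound firewall on. Minimum 12 is an assumption.
BASELINE = {
    ("System Access", "MinimumPasswordLength"): lambda v: v >= 12,
    ("System Access", "PasswordComplexity"): lambda v: v == 1,
    ("Registry Values", r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"): lambda v: v == 1,
    ("Registry Values", r"MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall"): lambda v: v == 1,
}

def parse_inf(text):
    """Return {section: {key: raw_value}}; blank lines and ';' comments are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # registry paths never contain '='
            sections[current][key.strip()] = value.strip()
    return sections

def int_value(section, raw):
    # 'Registry Values' entries are 'type,data' (4 = REG_DWORD); other sections hold bare ints.
    return int(raw.partition(",")[2] if section == "Registry Values" else raw)

def find_drift(inf_text, baseline=BASELINE):
    """Return sorted (setting, observed) pairs that are missing or violate the baseline."""
    cfg = parse_inf(inf_text)
    drift = []
    for (section, key), within_policy in baseline.items():
        raw = cfg.get(section, {}).get(key)
        observed = None if raw is None else int_value(section, raw)
        if observed is None or not within_policy(observed):
            drift.append((key.rsplit("\\", 1)[-1], observed))  # short name for reporting
    return sorted(drift)
```

Missing settings are reported with `None` so a template that simply omits a policy is flagged rather than silently passing.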

- Standard user accounts are required; administrators have a separate administrator account.
- Because users run with least privilege, their processes also run with only the least privilege.
- A low-privilege process does less damage to the system even if it is compromised.
- LUA has a major impact on application development.

[Diagram: potential security risk vs. PC security hardening]


A GPO consists of two sections, Computer Configuration and User Configuration. A security baseline likewise has computer settings and user settings, and it may be necessary to separate the two.

- More than 100 engagements by the FDCC team.
- 22 consultants working in various specialties, plus program managers.
- Several specialized tools released: LGPO tool (experiment with GPOs on a local system); LUA Buglight (mainly targeting applications for Windows XP); IEZoneAnalyzer (compare IE security zones); Security Configuration Manager; Microsoft Security Guidance; SCAP cmdlets.
- Presentations and discussions on various other topics.

- Desktop security hardening starts from locking down the system.
- USGCB is a security guideline that pursues a secure desktop environment on the basis of a locked-down system.
- USGCB is realized most effectively through a well-established directory service that can enforce Group Policy.
- Compatibility of existing applications is the key problem.
- Microsoft is a core contributor and collaborator on FDCC/USGCB.

- NIST USGCB site: The United States Government Configuration Baseline
- Microsoft USGCB site: http://www.microsoft.com/industry/government/solutions/usgcb/default.aspx
- USGCB Tech Blog: http://blogs.technet.com/b/fdcc/
- SCAP validated tools: http://nvd.nist.gov/scapproducts.cfm
- Microsoft Trustworthy Computing: http://www.microsoft.com/about/twc/

Introduction to BYOD security

What is BYOD (Bring Your Own Device)? A recent trend of employees bringing personally owned mobile devices to their place of work and using those devices to access privileged company resources. Globally, 88% of executives report that employees are using their personal computing technologies for business purposes today*. Globally, 62% of executives say they now have, or are planning to have, a BYOD program for smartphones and tablets*. * Gartner: Using Peer-to-Peer Communities to Drive BYOD Self-Support; Aug 3, 2012

BYOD blurs the line between enterprise and personal computing, which significantly complicates the job of governance, risk and compliance management: defining a security policy; enforcing security policies; information on devices; interactions with the cloud; unmanaged connections to the internal network. Source: http://www.cioupdate.com/technology-trends/byod-byoc-may-change-everything-about-security.html

Pros
- For businesses: reduced cost (employee devices); employees take care of personal devices; embracing newer technologies.
- For employees: empowerment; work with preferred technology; exclusive control over features.
Cons
- For businesses: company information less secure; administrative effort; increased cost (infrastructure and administrative); may need to pay for phone service for the devices; compliance, legal and HR considerations.
- For employees: may not fully control their devices; out-of-pocket expense; responsible for device maintenance.

What personal devices are employees bringing to work? Personal computers (Windows, Mac OS X, others)

[Diagram: a framework for BYOD/BYOC with axes of trust, risk, access and freedom, ranging from devices the employee influences, manages and purchases to devices the company influences, manages and purchases.] Source: http://blogs.msdn.com/b/arnoha/archive/2012/04/09/a-framework-for-byod-byoc.aspx

Objective: use any device anytime, anywhere. Challenge: regardless of ownership, make everything just work, and ensure that intellectual property is protected.
Benefits: agility; productivity; happier end users.
Technology issues:
- Devices: limit mobile-device access; deploy device policies; control device access; manage remote devices.
- Data: classify the company's intellectual property (IP); prevent data leaks; encrypt business data.
- Network: protect IP from devices; quarantine devices; control access to company content from unmanaged devices.
- Applications: access applications from any device.
[Diagram: cloud services and a virtual desktop behind the firewall, with data servers.]

- Too many identities and credentials.
- Potential damage to the corporate network by infected devices.
- Access from compromised or hacked accounts.
- Denial of service (DoS) and other attacks on corporate resources exposed over the Internet, including password brute force and account-lockout DoS attacks.
- Expired or changed passwords lead to prompts by several apps.
- Unintentional exposure of HBI corporate data and services; credentials exposure.
- Corporate data lands in consumer services (SkyDrive, Dropbox) and on devices that can be lost.
- Hard to determine whether the authorization policy is working as intended.

Windows 8 enterprise scenarios: how can Windows 8 and Windows Server 2012 help enable a secure BYOD scenario? More specifically, how can they help protect a company's information and assets?

Windows 8 enterprise scenarios Support a mobile workforce * On any device certified for use with Windows 7 or Windows 8

[Diagram: helps protect the OS volume; helps protect the data drive.]

Windows To Go: your portable workspace. A consistent Windows 8 experience on any device with Windows To Go. [Diagram: systems management tools, App-V and folder redirection apply both when booting from the internal hard drive and when booting from an external USB drive protected with BitLocker; corporate resources sit behind the firewall.]

RemoteFX delivers a consistently rich user experience to Remote Desktop users over LAN or WAN (irrespective of deployment model). [Diagram: Virtualization Host with hardware and software GPUs, Server Manager, Remote Desktop Web Access, Remote Desktop Connection Broker with SQL database, Remote Desktop Session Host, Remote Desktop Gateway and Remote Desktop Licensing on the corporate LAN; Remote Desktop Connection clients over the Internet or WAN get rich multimedia, USB redirection, multi-touch, WAN acceleration and single sign-on.]

Powered by Windows Server 2012 Remote Desktop Services: one platform, one experience, three deployment choices (desktop sessions, pooled VMs, personal VMs). Efficient management; best value for VDI; rich experience online everywhere. [Diagram: corporate office, branch office, home and library/coffee house users connect through the firewall.]

Managed and unmanaged devices
- System Center 2012 Configuration Manager: unify user management across devices through Windows Intune integration; automatically deliver applications in the most appropriate format for each device; support for Windows 8 and Mac OS; unified console to manage on-premises and cloud-based devices with Windows Intune.
- Windows Intune: help secure and manage devices through the cloud; provision applications to devices without requiring a full domain join.
- Windows Server 2012: improve the VDI user experience over WAN links for branch offices and remote users; simplify VDI configuration and management to reduce VDI storage costs; apply automatic and manual classification of files to tag data across the organization; control access to files to apply safety-net policies for information governance.

Centralized management across platforms

Determine user access rights, and then deliver based on device type: same user, same app, different device.

[Diagram: Remote Desktop Services roles: Server Manager, Remote Desktop Virtualization Host (virtual desktop collection), Remote Desktop Web Access, Remote Desktop Connection Broker (SQL database), Remote Desktop Session Host (session collection), Remote Desktop Gateway, Remote Desktop Licensing.]

User empowerment: mobility; choice of personal devices; social networking ("Whatever I want, just make it work"). IT controls: cost; reliability; security; efficiency ("I would like to, but there are limitations"). [Diagram: risk and compliance between user empowerment and IT controls.]

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.