Total BS Security: Business-based Systems Security


Uploaded by alaqua, posted 12-Jan-2016.


TRANSCRIPT

Page 1: Total BS Security: Business-based Systems Security

MID/jpl 04/21/23 1 © 1999 by James P. Litchko

Total BS Security: Business-based Systems Security

Jim Litchko, [email protected], (703) 528-0334 ext. 310

Page 2

Presentation

• An Approach
  – Business and Holistic
• Attitudes
  – Ours and Theirs
• Solutions
  – Case Studies
• Opinions
  – Mine
• Questions
  – Anytime

Page 3

Typical Evolving Network

(Diagram labels: Internet or other; Clients; Partners; Corporate System.)

Page 4

“Secure Brick” Theory

(Diagram labels: Operations / Security; Manager; Profit / Loss; Demand / Supply.)

Page 5

Approach . . . talk about their business

• What is your business?
  – Services and products
• How do you operate?
  – Processes for selling and providing
• Who does what?
  – Responsibilities and information flow
• How do you measure success?
  – Customer satisfaction, profit, market share, etc.
• What is your system’s architecture?
  – Components, connections, capabilities, and cultures

Page 6

Security Requirements

(Diagram labels: Internet or other; Promotional Web Server; Transaction System; Service System; Clients; Partners; Business/Productivity?. Requirement labels on the diagram: Integrity; Availability, Confidentiality, Integrity, Authentication; Partners: Confidentiality, Visibility; Availability, Browser, Impatient.)

82% required no additional security products

Page 7

Attitudes and Perceptions:

• Sailor-on-liberty Philosophy
  – I want it fast, free and friendly
• Security only costs money
  – True, but . . . .
• The most secure solution has
  – best GUI
  – largest market share
  – relationship and trust
• Transparent to the user
  – Accept when . . .

Page 8

Attitudes and Perceptions:

• Sailor-Proof
  – If it is too hard they will find a way around it
• KISS Principle
  – Education is the best bang for the buck
  – Increases ownership for solving security problems
• SNMP is the standard
  – Not a smoking gun . . . . a bleeding wound is needed.
• What is the aspirin for security:
  – firewalls, VPN, PKI, IDS, . . . . . .?
  – Technology will solve all of our problems!
  – Email monitoring problem solution was policy.

Page 9

Which Authentication is best?

• Password?
• Time-based?
• Challenge and Response?
• Event-based?
• Biometrics?
• Public Key?
• VPN?
• IDS?

Page 10

Problem

• Subscription Information Service Provider
• Web site distribution
• Computer illiterate users
• Sharing passwords
• $40,000 loss per month
• What is the solution?

Page 11

Security and Business Math

            Before     After      Better Idea?
Profit:     $ 50B      $ 50B      $
Loss:       $ 4.5B     $ 1.0B     $
Net:        $ 46.5B    $ 49.0B    $

Page 12

(Diagram labels: Internet or WAN; Promotional Web Server; Read Only; Firewall; Firms; Clients; Firewall; Support Operations; Transaction System.)

Page 13

(Diagram labels: Internet or WAN; Promotional Web Server; Read Only; Firewall; Firms; Clients; IP Encryption; IP Encryption; Support Operations; Transaction System.)

Page 14

(Diagram labels: Internet or WAN; Promotional Web Server; Read Only; Firewall; Firms; Clients; IP Encryption; IP Encryption; SSL Encryption; Support Operations; Transaction System.)

Page 15

(Diagram labels: Internet or WAN; Promotional Web Server; Read Only; Firewall; Clients; IP Encryption; IP Encryption; SSL Encryption; Intrusion Detection Systems and Assurance Testing.)

“In God we trust. Everyone else we monitor.”

Page 16

(Diagram labels: Internet or WAN; Promotional Web Server; Read Only; Firewall; Firms; Clients; IP Encryption; IP Encryption; SSL Encryption; Backups; Backups; Backups; Surf/Web Filter; Support Operations; Transaction System.)

What business is this?

Page 17

Summary

• Base security on business first
• Practical solutions, not just technical
• Security is a business risk