Security In the Real World
Carnegie Mellon Qatar, October 31, 2010
Mary Ann Blair, Director of Information Security, Computing Services
Information Security Office (ISO) www.cmu.edu/iso

Abstract
The Information Security Office (ISO) at Carnegie Mellon was created in response to various internal and external drivers and subsequently shaped by numerous requirements and opportunities, all within the context of a world class research university. In this talk, Director of Information Security Mary Ann Blair discusses how the fundamental concepts of information security are addressed by the ISO’s programs and services, what the ISO prevents, detects, and responds to on a regular basis, and how organizational culture impacts information security programming.

What information security addresses
• C – Confidentiality: no unintentional release of information
• I – Integrity: no unauthorized data modification or inconsistency
• A – Availability: reliable and timely access to authorized information and resources

What information security addresses
[Figure: matrix of Confidentiality, Integrity and Availability against Vulnerabilities & Threats, Controls and Cost, each cell marked “?”; the whole matrix is framed by Organizational Culture & Risk Tolerance]

Whose problem is it?
[Figure: layered responsibility map. Labels: BoT, Regulatory Compliance, Reputation; CIO, ISO, Computing Services, Departmental Computing; Enterprise Security, Network, OS, App, DB, Service, Secure Use; President & Management Team; Everyone Else]

Establishing the Enterprise Security Function
“Carnegie Mellon is an internationally recognized leader in computer security .... Yet the university as an enterprise lacks a coordinated and sustainable information security program to address the vulnerabilities and risks arising from its own use of information technology.”
-- Developing a Coordinated and Sustainable Information Security Program for Carnegie Mellon: A Joint Proposal by Computing Services and Administrative Computing and Information Services

Approved October 2003
“The Information Security and Policy Office (ISAPO) will have responsibility for the definition and implementation of enterprise-wide information security efforts at Carnegie Mellon. It will be led by the Director of Information Security and will report to the Chief Information Officer (CIO).”

Information Security Roadmap
[Figure: axis from No Security to Acceptable Risk; the Security Gap separates the Current State from the Desired State]
Current State -> Desired State
• Undefined Risk Tolerance -> Defined Risk Tolerance
• Unassayed assets -> Managed Assets
• Incident Response -> Incident Prevention
• Non-savvy Users -> Skilled User Partners
• Default Open -> Default Deny
• Highly Distributed (esp. data) -> Optimum Centralization
• Policy Light -> Policy Rich
• Uncertain Defense -> Defense-in-Depth
• Best Effort -> 24x7x365 Global SLE

Other Cultural Markers & Competing Priorities
• Management
– Stay out of the headlines
– One year to “make progress on governance”
– Balance costs… prevention/response
• Internal
– Stay out of our way (e.g. no firewalls, academic freedom)
– Make security ‘easy’ and transparent
• External
– Protect copyright above all else
– Comply, comply, comply
– 2,249 new vulnerabilities, 80% easily exploitable*
– Home users: 86% of targeted attacks*
* Symantec Internet Threat Report Vol. X, September 2006

Surveying the Culture: Preexisting Myths
• We can’t implement firewalls.
• We can’t achieve defense in-depth.
• We can’t centrally mandate and enforce more security requirements.
Are we really that different?

Founding the ISO

ISO Organization
• Vice Provost & CIO, Computing Services: Joel Smith
• Executive Director, Computing Services: Carrie Regenstein
• Office of General Counsel: Mary Jo Dively
• Director of Information Security: Mary Ann Blair
– Incident Response Coordinator: John Lerchey
– Security Engineering & Operations Manager: Bill O’Malley
– Security Engineers: Ted Pham, Jason Carr, Allison MacFarlan, Chris Ries
– Policy & Compliance Coordinator: Doug Markiewicz
– Training & Awareness Coordinator: Wiam Younes

ISO Services
Incident Response
1. Incident Detection/Response
2. Policy Enforcement
3. DMCA Response (i.e. copyright infringement)
4. e-Discovery Support
5. Evidence Collection
6. Legal/Law Enforcement Interface
7. Immediate Access Revocation
8. Missing Student Search
9. Content Search/Production
Policy and Compliance
1. Policy Development (including procedures, standards, guidelines)
2. Compliance Coordination (e.g. HIPAA data security)
3. Security/Compliance Assessment
4. Regulation Tracking
5. Contract Review
Future:
6. Self Assessment
Security Engineering
1. Intrusion Prevention/Detection/Response (e.g. phishing blocks)
2. Network & Host Forensics
3. Security Tools & Technologies
a. Identity Finder
b. First Connect
c. NeXpose Scanner
d. Snort Intrusion Monitor
e. RSA Secure ID
4. Risk IQ (i.e. define our attack surface)
5. Attack and Penetration Testing
6. Security Consulting
7. Certificate Authority
8. Threat Mitigation
9. Research Data Support
Future:
10. Proxy Services
11. Log Monitoring
Training and Awareness
1. Security Awareness & Training
2. Security Alerts
3. Compliance Training/Certification
4. ISO Website Maintenance
5. Communication & Documentation

Training and Awareness
[Figure]

Training and Awareness Programming
[Figure: triangle of Content, Delivery Method and Timing]
Content
• Policies and procedures
• General security concepts and issues
• Skills, e.g. securing your laptop, tools
• Current threats and action items

Training and Awareness Programming
Delivery Method
• Web Self-Service (Pull)
• Mass Mail (Push)
• Events/Seminars
• Videos & Games
• Promotional Products

Training and Awareness Programming
Timing
[Figure: timing triggers. Legible labels: Scheduled Class, Policy Violation, Welcome Back, Orientation, NCSAM, Outbreak, Incident, First Connect]

Training and Awareness Futures
• Online compliance & awareness training (e.g. C@CM)
• Increased collaboration with security research partners (e.g. PhishGuru)
• Increased info sharing via security points of contact

Information Security Policy
Policies
• Published: Information Security Policy; Information Security Roles & Responsibilities; Computing Policy; GLBA Info. Sec. Program Policy
• Under Development: HIPAA Security Policy; Computing Policy (Overhaul)
Standards
• Published: None
• Under Development: Site to Site VPN Standards
Procedures
• Published: Responding to a Compromised Computer; Requesting Access to Data for Research; Employee Termination Procedure
• Under Development: Self Assessment Tools for complying with Guidelines for Data Protection
Guidelines
• Published: Appropriate Use of Admin. Access; Bulk Email Distribution; Copyright Violations; Data Sanitization and Disposal; Instant Messaging Security and Usage; Mobile Device Security and Usage; Password Management; Web Server Security; Windows Administrator Accounts; Guidelines for Data Classification (RFC); Guidelines for Data Protection (RFC)
• Under Development: Guidelines for Data Handling; Guidelines for Data Sanitization & Disposal; Procedures for Responding to a Security Breach; Procedures for Policy Exception Handling; Guidelines for Data Retention

Compliance
• Maintain understanding of IT regulatory requirements
– State: 46 state data breach laws, other security/privacy laws, e.g. SSN handling laws
– Federal: FERPA (Student), GLBA (Financial), HIPAA (Health)
– International: privacy laws of Australia, Greece, Japan, Portugal, Qatar
– Industry Standards: COBIT, ISO 27000 Series, PCI DSS
• Coordinate compliance review activities
– Currently focused on compliance with federal regulations (e.g. HIPAA)
– Shared responsibility among all ISO members
• Partner with research administration
– Institutional Review Board (IRB): review requests for access to Computing Services’ electronic data for research
– Office of Sponsored Programs: restricted research technology control plans
• Ad-hoc review of 3rd party contracts for security/privacy provisions

Incident Response & Policy Enforcement
[Figure: Network Suspensions]

Incident Response Process
[Figure]

Forensic Examination
• Chain of Custody
• Write-Blocked Disk Imaging (Disk-to-Disk, Encase)
• Analysis (Encase, Sleuthkit, Identity Finder)
• Network Traffic Analysis (Argus)
• Log Correlation & Analysis
• Malware Analysis

Other IR Responsibilities
• ISO frequently conducts “emergency suspension” of accounts
• ISO performs missing student searches using digital bread crumbs
• ISO works with law enforcement to execute subpoena requests

Incident Detection/Prevention
Attacks
• Detection: IDS (Border); Argus
• Prevention: Firewalls (SII), ingress and egress; Border blocks; Service blocks (e.g. mail reply-to)
Vulnerabilities
• Detection: NeXpose; WebInspect; Environmental Inventory; NetScan; Nessus; Argus; IDS; Password strength testing; A&P Tests
• Prevention: Firewalls (mitigate, not prevent); NeXpose; FirstConnect; Security Architecture(s); Consulting
• Both: ISO Patch Check Tool; Threat Monitoring
Compromises
• Detection: IDS; Argus; System/service log monitoring
• Prevention: by preventing attacks and vulnerabilities; reduce the effect by earlier detection; sound forensics
• Both: Strong Authentication

Challenges: Attackers and Attack Surface
Networks
• 578 subnets
• Wireless and Wired
• Cisco, Aruba, Xirrus
Applications
• ASP, JSP, PHP, Perl, C, Java
• Oracle, MySQL, SQLServer, Ingres, Interbase
• Tomcat, JRUN, JBOSS
• Custom and Commercial
• Open and Closed Source
• 30,188 PHP attacks
• 240 SQL Injection attempts
Systems
• 15,314 active IP addresses on campus (Windows, Linux, HP-UX, Solaris, etc.)
• 4,187 Web servers (Apache, IIS, Tomcat, Netscape, etc.)
• 4,473 SSH servers
• 465 FTP servers
• 331 Database servers (Oracle, MySQL, MS-SQL, Ingres, etc.)
• 1,707 FTP attacks
• 1,220 Web include file attacks
Accounts
• 28,579 Andrew accounts
• Double that for AD
• Add in application accounts
• 1,509,553 SSH attacks
• 130,996 SQLServer SA attacks

A Typical (Partial) Weekday
[Figure]

IDS Console
Color | Sev | Alert | What to do about it
Red | Critical | Yes | Possibly an incident, requires thorough investigation
Yellow | Caution | Yes | Possibly an incident, requires some investigation, high probability of a false positive
White | Normal | No | Does not require a thorough investigation, however could be an incident. High probability of false positive
Turquoise | REN-ISAC | No | Comes from REN-ISAC’s rulesets. Some false positives, requires investigation
Light Blue | Ignore | No | Ignore these rules, they are the lowest priority
Purple | Testing | No | These rules are inserted for testing. They generally have a high false positive rate but are sometimes accurate

Executable downloads, by URL
[Figure]

Incidents are sent to NetNotify
[Figure: part of a NetNotify page. The incident generates an e-mail to the owner.]

Vulnerability Scanning Console
• NeXpose
• Distributed view to departmental administrators
• Centralized view to ISO

Environmental Inventory
• Passive network monitoring
• Intelligence console
• Query-able asset information

SecEng Challenges
• IDS covers only a portion of the network
• IDS is prone to false positives
• Vulnerability data is prone to false positives
• Vulnerability data isn’t in the “right” hands
• Limited data about high risk assets
• Correlation is key
• A&P tests and consults are ad-hoc and hit-and-miss
• Incident investigation is time consuming
• Detection is far more difficult than prevention

Security Engineering Roadmap
[Figure: timeline 2004–2010 with Detection and Prevention tracks. Milestones in reading order: Bandwidth, NN, NetScan, Argus, IDS (limited), Custom Argus, Border IDS, Custom IDS Console, A&P Testing, FirstConnect, Identity Finder, Architecture, SII, Proxies, Firewalls, 2-Factor, NeXpose, WebInspect, DB Scanning, Code Auditing, EnvInv, Forensics, Vulnerability Announcements, Expanded IDS, Network Architecture, SEIM Tool, Central Logging, Host IDS, PKI, CIS Toolkit, Border Blocking, Clean Access, Systems Architecture, Security Portal, Distributed Firewalls, IPS, SSDLC, Anomaly detection, Application Architecture, Campus Proxies, Expand OTP]

SII: Principles in Action
• Network isolation for production systems
• Limited ingress and egress traffic
• Configuration management & change control
• Role based access control, e.g. only system administrators in production network
• Standardization of operating systems, DBMS, coding
– Implement key principles (only necessary services, deny access by default, implement firewalls, input cleansing, etc.)
• Automated build processes for ‘secure by default’
• Automated server and service provisioning (Future)
– It should ask the person to describe the systems, and it would be smart enough to provision OS, software, firewall rules, network placement, etc.
• Standardized security control profiles
• Robust and centralized logging (Ongoing)
• Automated monitoring, i.e. alerting, response (Ongoing)
• Hurdles for custom approaches
• Multi-factor authentication
• Encryption used whenever required or appropriate

How Others Can Help
• Help reduce the attack surface
– Apply “Default Protect”, “Defense in Depth” and “Least Privilege”
– Standardize
– Implement life-cycles that include decommissioning
• Start implementing security at the design stage
• Make actions auditable and measurable
• Understand roles and responsibilities
• Track and control changes
• Use encryption where feasible and necessary
• Know their own computing environment
– What’s ‘normal’?
– PII?
• Think like an attacker
– Assume that external systems and networks are insecure
• If concerned, stop! Report it. Don’t try to diagnose or fix it. Preserve forensic evidence.

Changing the Culture by Debunking Myths
We are not so very different
• We can’t implement firewalls. We can,
– just not at the traditional border.
• We can’t achieve defense in-depth. We can,
– just not in the traditional places.
• We can’t centrally mandate and enforce more security requirements… We can,
– with far more collaboration and creativity
– more distributed authority and communication
– well articulated use cases and tools.

Thank you
Questions/Comments Welcomed
mc4t@andrew.cmu.edu