University of Alaska System and UAF Information Technology Security Review 2007 The CH2M HILL - Coalfire Systems Team The CH2M HILL Team delivers industry-leading Information Technology (IT) security services. The Team has delivered more than 300 IT security assessments and remediation planning engagements to clients, including recent projects for: University environments, including the University of Colorado and California systems States of Colorado, Florida, Iowa, Oregon, and Oklahoma County and City governments in multiple states U.S. Department of Energy, Centers for Disease Control and Prevention Hundreds of banks and financial institutions Hospitals and health insurance companies ATTWP_101_1 Apply methodologies that enable transfer of knowledge and enhance client capability for ongoing IT security programs Compliance Trends A Brief History of Regulatory Time 2000Present 1970-1980 Privacy Act of 1974 Foreign Corrupt Practice Act of 1977 1980-1990 Computer Security Act of 1987 COPPA USA Patriot Act 2001 EC Data Privacy Directive 1990-2000 CLERP 9 CAN-SPAM Act FISMA Sarbanes Oxley (SOX) CIPA 2002 Basel II EU Data Protection NERC 1200 (2003) HIPAA CISP FDA 21CFR Part 11 Payment Card Industry C6-Canada (PCI) GLBA California Individual Privacy SB1386 State Privacy Laws Project Overview Project activities for the Information Security Review included: Evaluate the University’s business practices and procedures. Make recommendations for improving business processes. Ensure adequate controls are in place to protect Confidentiality, Integrity, and Availability. Identify vulnerabilities, determine their risks, and make recommendations to resolve or mitigate those risks. Project methodology Internal and External Vulnerability Scans. System Baseline analysis. Interviews with Critical Business owners. Compare findings against a set of Common Control Objectives. Areas reviewed included Data Management Policies and Practices, the IT Security Program, Networks, Identity Management Directory, Authentication and Authorization Services, Database, Application Development/Support, Windows and Unix Servers, Desktop Support, Data Center Operations, Help Desk, and Telephony. COBIT Maturity Model COBIT Maturity Model Level 1 Control objective documented in a security policy Level 2 Security controls documented as procedures Current Level of the University Control Design Adequacy Level 3 Procedures have been implemented Level 4 Procedures and security controls are tested and reviewed Level 5 Procedures and security controls are fully integrated into a comprehensive program Control Effectiveness Vulnerability Scans Project activities for the Information Security Review included: Internal scans were used to evaluate the effectiveness of controls from threats internal to the University (employee or contractor). External scans were conducted to assess the University’s vulnerabilities from an untrusted network, such as the Internet. UAF provided CH2M HILL with a list of 137 systems to assess. Hosts were grouped into Windows and Unix systems, and reports were generated separately. Level Urgent Critical High Medium Low Vulnerability/Possible Vulnerability Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors. Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host. Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mailrelaying. Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities. Vulnerability Scans (Internal) Unix Group 1 Vulnerability Possible Vulnerability Informational Findings Urgent 0 1 N/A Critical 2 5 N/A Risk Levels High 5 13 0 Medium 16 4 5 Low 2 0 22 Urgent 4 2 N/A Critical 9 4 N/A Risk Levels High 19 7 13 Medium 28 6 71 Low 4 5 103 Windows Vulnerability Possible Vulnerability Informational Findings Vulnerability Scans (External) Unix Group 1 Vulnerability Possible Vulnerability Informational Findings Urgent 0 9 N/A Critical 1 10 N/A Risk Levels High 9 13 0 Medium 11 4 1 Low 3 0 3 Urgent 0 1 N/A Critical 1 5 N/A Risk Levels High 5 11 0 Medium 11 3 1 Low 2 0 3 Windows Vulnerability Possible Vulnerability Informational Findings Vulnerability Scans Recommendations Document any known suspicious ports for future scans. Focus on High, Critical, and Urgent vulnerabilities first. Only support strong encryption protocols (SSLv3, SSHv2, 3DES, AES, etc.) Never use default SNMP strings (Public, Private) Ensure all applications are part of a vulnerability management program, not just OS’s. If patches cannot be deployed on schedule, document the business justification. Conduct periodical (typically quarterly) network scans, both Internal and External (Nessus, Qualys, NeXpose, Retina, ISS, GFI, etc.) Establish a secure baseline configuration (CIS Benchmarks, NSA, DISA, Vendors) Common Controls Definition Each area was assessed against a set of 42 common control objectives. Each control objective was mapped to regulatory requirements, best practices, and guidelines: ISO 17799 (International Organization for Standards) COBIT 4.0 (Control Objectives for IT and Related Technology HIPAA (Health Insurance Portability and Accountability Act) NIST 800 (National Institute of Standards and Technology) GLBA (Gramm-Leach-Bliley Act ) PCI DSS (Payment Card Industry Data Security Standard) Common Controls Recommendations 42 Control Objectives Reviewed Low Risk – 10 areas meeting control objectives Network admins have implemented appropriate security practices Avoid access creep, maintain appropriate service levels, and conduct regular system maintenance. Medium Risk – 31 areas partially meeting control objectives Missing one or more elements vs full compliance Correct by conducting a comprehensive risk assessment, establishing additional security policies, and creating a business continuity plan based on a business impact analysis. No “quick fixes” and requires long term commitments High Risk – 1 area did not meet control objectives (Media Disposition and Sanitization) Lacking an information classification program, sensitive data inventories, and destruction standards for all media University may not be able to detect if sensitive data is compromised or lost, or to minimize the potential impact of a data breach. Action To Date Done or in process 7 of 32 Identified Risks to be resolved by January, 2008 Action plan for remaining 25 in process Media disposition and sanitization options under review To be done External security reviews for UAA and UAS Place vulnerability scans and other security reviews on a regular schedule Identify where regulation or policy may be needed Security Program Resource Impact Heroic Period Security dependent on Individuals. Limited documentation, training and testing. Migration Intensive effort applied to conduct risk assessment, develop policies, deploy controls, and establish accountability. Sustaining Period Security dependent on processes and controls Security Premium • Documentation • Training • Policies and Procedures • Audit and Reporting • Testing Function Growth • Growth in users • Expansion of applications • Extended services Budget $ 2003 2005 2007 2009 Time 2011 2013 2015