University of Alaska System
and UAF
Information Technology
Security Review
2007
The CH2M HILL - Coalfire Systems Team
The CH2M HILL Team delivers industry-leading Information
Technology (IT) security services.

The Team has delivered more than 300 IT security
assessments and remediation planning engagements to
clients, including recent projects for:
University environments, including the University of Colorado and California systems
States of Colorado, Florida, Iowa, Oregon, and Oklahoma
County and City governments in multiple states
U.S. Department of Energy, Centers for Disease Control and Prevention
Hundreds of banks and financial institutions
Hospitals and health insurance companies

ATTWP_101_1

Apply methodologies that enable transfer of knowledge and enhance client capability for ongoing
IT security programs
Compliance Trends
A Brief History of
Regulatory Time
2000Present
1970-1980
 Privacy Act of 1974
 Foreign Corrupt Practice Act
of 1977
1980-1990
 Computer Security Act of 1987
 COPPA
 USA Patriot Act 2001
 EC Data Privacy
Directive
1990-2000
 CLERP 9
 CAN-SPAM Act
 FISMA
 Sarbanes Oxley (SOX)
 CIPA 2002
 Basel II
 EU Data Protection
 NERC 1200 (2003)
 HIPAA
 CISP
 FDA 21CFR Part 11
 Payment Card Industry
 C6-Canada
(PCI)
 GLBA
 California Individual
Privacy
SB1386
 State Privacy Laws
Project Overview
Project activities for the Information Security Review included:



Evaluate the University’s business practices and procedures. Make recommendations for
improving business processes.
Ensure adequate controls are in place to protect Confidentiality, Integrity, and Availability.
Identify vulnerabilities, determine their risks, and make recommendations to resolve or mitigate
those risks.
Project methodology





Internal and External Vulnerability Scans.
System Baseline analysis.
Interviews with Critical Business owners.
Compare findings against a set of Common Control Objectives.
Areas reviewed included Data Management Policies and Practices, the IT Security Program,
Networks, Identity Management Directory, Authentication and Authorization Services, Database,
Application Development/Support, Windows and Unix Servers, Desktop Support, Data Center
Operations, Help Desk, and Telephony.
COBIT Maturity Model
COBIT Maturity Model
Level 1
Control objective
documented in a
security policy
Level 2
Security controls
documented as
procedures

Current Level
of the University
Control Design Adequacy
Level 3
Procedures have
been implemented
Level 4
Procedures and
security controls
are tested and
reviewed
Level 5
Procedures and
security controls are
fully integrated into a
comprehensive
program
Control Effectiveness
Vulnerability Scans
Project activities for the Information Security Review included:



Internal scans were used to evaluate the effectiveness of controls from threats internal to the
University (employee or contractor).
External scans were conducted to assess the University’s vulnerabilities from an untrusted
network, such as the Internet.
UAF provided CH2M HILL with a list of 137 systems to assess. Hosts were grouped into Windows
and Unix systems, and reports were generated separately.
Level
Urgent
Critical
High
Medium
Low
Vulnerability/Possible Vulnerability
Intruders can easily gain control of the host, which can lead to the compromise of your entire network security.
For example, vulnerabilities at this level may include full read and write access to files, remote execution of
commands, and the presence of backdoors.
Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive
information. For example, vulnerabilities at this level may include full read access to files, potential backdoors,
or a listing of all the users on the host.
Intruders may be able to gain access to specific information stored on the host, including security settings. This
could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include
partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering
rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mailrelaying.
Intruders may be able to collect sensitive information from the host, such as the precise version of software
installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
Intruders can collect information about the host (open ports, services, etc.) and may be able to use this
information to find other vulnerabilities.
Vulnerability Scans (Internal)
Unix Group 1
Vulnerability
Possible Vulnerability
Informational Findings
Urgent
0
1
N/A
Critical
2
5
N/A
Risk Levels
High
5
13
0
Medium
16
4
5
Low
2
0
22
Urgent
4
2
N/A
Critical
9
4
N/A
Risk Levels
High
19
7
13
Medium
28
6
71
Low
4
5
103
Windows
Vulnerability
Possible Vulnerability
Informational Findings
Vulnerability Scans (External)
Unix Group 1
Vulnerability
Possible Vulnerability
Informational Findings
Urgent
0
9
N/A
Critical
1
10
N/A
Risk Levels
High
9
13
0
Medium
11
4
1
Low
3
0
3
Urgent
0
1
N/A
Critical
1
5
N/A
Risk Levels
High
5
11
0
Medium
11
3
1
Low
2
0
3
Windows
Vulnerability
Possible Vulnerability
Informational Findings
Vulnerability Scans
Recommendations








Document any known suspicious ports for future scans.
Focus on High, Critical, and Urgent vulnerabilities first.
Only support strong encryption protocols (SSLv3, SSHv2, 3DES, AES, etc.)
Never use default SNMP strings (Public, Private)
Ensure all applications are part of a vulnerability management program, not just OS’s.
If patches cannot be deployed on schedule, document the business justification.
Conduct periodical (typically quarterly) network scans, both Internal and External (Nessus, Qualys,
NeXpose, Retina, ISS, GFI, etc.)
Establish a secure baseline configuration (CIS Benchmarks, NSA, DISA, Vendors)
Common Controls
Definition


Each area was assessed against a set of 42 common control objectives.
Each control objective was mapped to regulatory requirements, best practices, and guidelines:
ISO 17799 (International Organization for Standards)
COBIT 4.0 (Control Objectives for IT and Related Technology
HIPAA
(Health Insurance Portability and Accountability Act)
NIST 800 (National Institute of Standards and Technology)
GLBA
(Gramm-Leach-Bliley Act )
PCI DSS (Payment Card Industry Data Security Standard)
Common Controls
Recommendations
 42 Control Objectives Reviewed
 Low Risk – 10 areas meeting control objectives
 Network admins have implemented appropriate security practices
 Avoid access creep, maintain appropriate service levels, and conduct regular system
maintenance.

Medium Risk – 31 areas partially meeting control objectives
 Missing one or more elements vs full compliance
 Correct by conducting a comprehensive risk assessment, establishing additional security
policies, and creating a business continuity plan based on a business impact analysis.
 No “quick fixes” and requires long term commitments

High Risk – 1 area did not meet control objectives (Media Disposition and Sanitization)
 Lacking an information classification program, sensitive data inventories, and destruction
standards for all media
 University may not be able to detect if sensitive data is compromised or lost, or to minimize
the potential impact of a data breach.
Action To Date

Done or in process
7 of 32 Identified Risks to be resolved by January, 2008
Action plan for remaining 25 in process

Media disposition and sanitization options under review

To be done
External security reviews for UAA and UAS
Place vulnerability scans and other security reviews on a regular schedule
Identify where regulation or policy may be needed
Security Program Resource Impact
Heroic Period
Security dependent
on Individuals.
Limited documentation,
training and testing.
Migration
Intensive effort
applied to
conduct risk
assessment,
develop policies,
deploy controls,
and establish
accountability.
Sustaining Period
Security dependent
on processes and
controls
Security
Premium
• Documentation
• Training
• Policies and
Procedures
• Audit and Reporting
• Testing
Function Growth
• Growth in users
• Expansion of
applications
• Extended services
Budget
$
2003
2005
2007
2009
Time
2011
2013
2015