Seminar 4A - Effective Security Practices
Eoghan Casey, Security Consultant
Jack Suess, CIO, UMBC
Seminar Agenda
• EDUCAUSE/I2 Security Task Force initiatives
• The Effective Security Practices Guide (ESPG)
– The effective practices & solutions (EPS) database
• Questions and Break
• Case Studies
– U. California, Berkeley - Preliminary risk assessment & establishing a computer security group and policy
– UMBC - Basic risk assessment techniques for GLB
– Georgia Tech - Comprehensive risk assessment
– RIT - Outside vulnerability assessment
• Questions and Feedback
Introduction to Security Task Force
• Formed in July 2000
• Current Co-chairs:
– Jack Suess, UMBC
– Gordon Wishon, University of Notre Dame
• Executive Committee of CIOs, Security Professionals, and Professional Staff
• EDUCAUSE & Internet2 Staff Support
• Coordination with Higher Education IT Alliance
– ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
• Security Discussion Group
2002 Accomplishments
• Developed the Framework for Action
• Organized 4 Workshops Funded by NSF
– Higher Education Values & Principles for Security
– Security Architecture & Policy
– Security in Research Environments
– Higher Education IT Security Summit
• Higher Education Contribution to the National Strategy to Secure Cyberspace
• Coordinated or Conducted Outreach Programs
Framework for Action
• Make IT security a higher and more visible priority in higher education
• Do a better job with existing security tools, including revision of institutional policies
• Design, develop, and deploy improved security for future research and education networks
• Raise the level of security collaboration among higher education, industry, and government
• Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
2003 Accomplishments
• Web Resource: www.educause.edu/security
• Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC) at Indiana University
• ACE Letter to Presidents
• Commissioned White Paper on Legal Issues
• 1st Annual Security Professionals Workshop
• Coordinated or Conducted Outreach Programs
• Authored Leadership Book on Security
Message to Presidents
• Set the tone:
– Insist on community-wide awareness and accountability.
• Establish responsibility for campus-wide Cybersecurity at the cabinet level.
• Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
• Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
David Ward
President, American Council on Education
The National Strategy to Secure Cyberspace
• The National Strategy encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate:
– one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;
– point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
– model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity;
– one or more sets of best practices for IT security; and,
– model user awareness programs and materials.
Strategic Goals
The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident Response
Current Projects and Initiatives
• Education and Awareness Initiative
• Annual Security Professionals Workshop
• Legal Issues and Institutional Policies
• Risk Assessment Method and Tools
• Effective Security Practices Guide
• Research and Development Initiatives
• Research and Educational Networking Information Sharing & Analysis Center
• Vendor Engagement and Partnerships
Research and Education Networking (REN) ISAC at Indiana University
• REN-ISAC can view network traffic among universities on Internet2
• This provides a window into what is happening on higher education networks (e.g. Slammer or Nachi traffic)
• The REN-ISAC is associated with the Indiana NOC and has 7x24 expertise on site.
• They have access to DHS and the other 12 industry ISACs for early warning information
• Visit www.ren-isac.net
Vendor Engagement
• Vendor practices have a significant impact on higher education security
• Educause established the Corporate CyberSecurity Forum to develop linkages with the vendor community. Members include Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT
• The Task Force visited Microsoft in September to explain the needs of higher education. Microsoft has been very responsive to suggestions.
Identifying Higher Education Security Issues and Needs
• Over the last 2 years the NSF, Educause, and I2 have funded workshops, performed surveys (ECAR), and held open meetings at regional and national conferences to identify issues and needs.
• We are now in the process of putting together working groups that will continue to build on the initial progress we have made.
• In your appendixes are findings from the NSF Security Architecture workshop, the Effective Practices workshop, and the Security At Line Speed (S@LS) workshop.
Key Issues Identified the Past Two Years
• The following needs were consistently highlighted:
– Policy and procedures
– Risk and vulnerability assessment
– Security architecture design
– Network and host security implementation
– Intrusion and virus detection and prevention
– Incident response
– Encryption, authentication, and authorization
– Education, training, and awareness
Security at Line Speed (S@LS)
Purpose - How does higher education balance security and performance requirements? This report should be required reading before a major network security overhaul.
• The report identified 18 network and 8 host-based techniques for security and briefly summarized the performance and operational impacts of each (pg. 9-13)
• The report details a few of these techniques and presents some generic case studies that highlight innovative use of these techniques.
• I hope to see the Effective Practices group helping to better describe many of these solutions, many of which are open source but can be technically challenging to implement.
Effective Security Practices Guide (ESPG) for Higher Education Institutions
Balancing Security with Open, Collaborative Networking
http://www.educause.edu/security/guide
Why Not Identify Best Practices?
• Higher education is too diverse in mission and size for a single best practice to be effective.
• Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone felt there is room for improvement in what they are doing!
• Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.
ESPG Overview
• Practical approaches to preventing, detecting, and responding to security problems
• Community driven and serving
– University ISOs and supporting staff
– Codify experiences of experts
• Examples of success
– Potential models to follow
– Provide for various types of institutions
• Modular resource
– Flexibility in presentation & implementation
ESPG Design and Development
[Diagram, not reproduced in this text. Elements shown: ESP database; core materials; past workshops, discussions & community vetting; seed case studies; case study submission process; suitability, editing, notification & update; future contributions; structured presentation; categories & keyword searches.]
Core Subject Areas
• Policy
• Education, Training and Awareness
• Risk Analysis and Management
• Security Architecture Design
• Network and Host Vulnerability Assessment
• Network and Host Security Implementation
• Intrusion and Virus Detection
• Incident Response
• Encryption, Authentication & Authorization
• Addendum: university & vendor resources
ESPG Highlights: Evolution of Security Practices
Evolution of Security Practices
• It is not possible to jump to the most effective practices
– Can’t scan for policy violations without policies
– Can’t develop policies without mature security standards
• Some practices require significant human resources
– Intrusion detection
– Incident response
• Some practices become more effective over time
– Technical support becomes more effective with supporting tools, security policies and architecture
Effective Practices: Contributors and Ranking
• Bethune-Cookman
• Brown
• Cornell*
• CSUSB
• GA Tech
• GWU
• Indiana University
• MSCD
• Notre Dame
• NC A&T
• Penn State
• Purdue*
• U Alabama
• UC Berkeley
• UCONN
• U Maryland, BC
• U Washington
• U Wisc, Madison
• Virginia Tech*
• Yale University
http://www.educause.edu/security/guide
Online Demonstration
Risk Analysis
The most effective security practice
Types of Risk
• Strategic Risk
• Financial Risk
• Legal Risk
• Operational Risk
• Reputation Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Ideal Risk Analysis & Management
• Knowledge of all relevant regulations
• Training and awareness of staff
• Developing plans to audit individual units for compliance
• Developing and implementing a code of conduct for the organization
• Establishing control mechanisms to ensure compliance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Vulnerability Assessment
• Need policies in place and buy-in
• Organization-wide assessment is a rarity
– Not enough time or resources
• Targeted scanning
– Critical systems or particular group
• Tactical scanning
– New vulnerability publicized
– Intruder backdoor
• Self-service/Automation
– Indiana’s “Scannager” & Purdue's Nessus Scanning Cluster
– Routine scans automatically run & delivered
• Contact info and trust help with notification
Security Architecture Design
• A university is composed of different groups
– Need internal and external defense
– Risk & vulnerability assessments guide security design
• Guide presents alternatives with pros & cons
– Router filtering, Firewall, VLAN
– Bandwidth management
– Monitoring (e.g., IDS, NetFlow, central logging)
– VPN
– Wireless LANs
– Scalable host security
• Some application & database guidelines
Security Implementation
• Different groups require different approaches
– Be flexible, use a combination of approaches
• Self-service is necessary, not sufficient
– Do not put too much on the average user
• Use what comes with the box & existing tools
• Automate updates when possible
• Use network-based solutions (e.g., e-mail filtering)
• Give free security support initially
• Penalties for persistent failures (public health approach)
• Contact info and trust help with implementation
Incident Response
• Policies
– Privacy, data retention and access
• Procedures
– Who to contact in specific situations
– Employee lockout if necessary
– Evidence preservation
• Prepare systems for evidence collection
• Response Team
– Include legal, HR & PR
– Require training and tools
• Contact info and trust help with incident response
Other Subject Areas
• Intrusion & virus detection
– Host-based versus network-based
• Encryption & authentication
– PGP versus S/MIME
– Public Key Infrastructure
– Central account management
– Directory services
– Middleware
Example Format
• 2-5 pages, technical audience
• Summary of ROI when applicable
• Background
• Description
• Benefits
• Shortcomings
• Future plans
• References
Bethune-Cookman
• Perimeter Cisco PIX with NAT
– 1600 hosts
– ResNet on VLAN outside DMZ
• Problem: Blocked multicast traffic
– Interfered with Access Grid node
• Created a workaround with Cisco
– GRE tunnel on PIX
– Reconfigured internal & external routers
Cornell
• Using ACLs on “edge” routers
– Opt-in, custom filters (within reason)
– Protecting 140 departments
– Protection from internal & Internet threats
• Uses existing infrastructure
– Low added expense or training
• Does not impact entire campus
Metro State College Denver
• LANDesk on 2000 computers
– configuration & asset management
– software metering
• 2 standard Windows images
– 1 for faculty & staff, 1 for student labs
• Costly but effective
• Commuter campus => no ResNet
Notre Dame IDS
• 8 Snort sensors
– 4 at the Internet border
– 4 in the core
• SnortCenter
– central configuration management
• ACID with modifications
• Additional scripts
– archiving & e-mail alerting
Yale logger.pl
• Daily summary of NT Security Logs
• Failed attempts on many machines
• Incident Response: individual account activity
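An added example in the spirit of the Yale logger.pl slide above (this is not Yale's script, and the export format, column order, host names, account names and log rows are constructed assumptions): a daily summary over an export of NT Security Log events that counts failed logons per machine and per account, flags any account that fails across several machines, and pulls one account's full activity for incident response. It assumes the NT/2000 event codes 528 (successful logon) and 529 (failed logon).

```python
"""Daily summary of exported NT Security Log events.

Added illustration modelled on the idea behind Yale's logger.pl; it is not
Yale's script. Assumptions: the log has been exported as comma-separated
rows of date,time,computer,event_id,account,source, and the NT/2000 event
codes are 528 for a successful logon and 529 for a failed logon. The
sample rows below are constructed.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

EVENT_LOGON_SUCCESS = "528"
EVENT_LOGON_FAILURE = "529"
FIELDS = ["date", "time", "computer", "event_id", "account", "source"]

# Constructed sample export (hypothetical hosts and accounts).
SAMPLE_EXPORT = """\
2003-10-14,08:02:13,FINAID01,528,jsmith,WS-117
2003-10-14,08:03:40,FINAID01,529,jsmith,WS-117
2003-10-14,08:03:52,FINAID01,528,jsmith,WS-117
2003-10-14,22:10:01,FINAID01,529,administrator,DIAL-22
2003-10-14,22:10:05,FINAID02,529,administrator,DIAL-22
2003-10-14,22:10:09,REGISTRAR1,529,administrator,DIAL-22
2003-10-14,22:10:14,MAILSRV,529,administrator,DIAL-22
2003-10-14,23:41:30,MAILSRV,529,backup_svc,MAILSRV
2003-10-14,23:41:31,MAILSRV,529,backup_svc,MAILSRV
"""


def parse_export(text):
    """Return one dict per well-formed row. Malformed rows are skipped, not
    fatal, so one bad line in a day's export does not lose the whole summary."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) == len(FIELDS):
            events.append(dict(zip(FIELDS, row)))
    return events


def daily_summary(events, machine_threshold=3):
    """Failed logons per machine and per account, plus 'spread': accounts that
    failed on at least machine_threshold distinct machines, the pattern of a
    guessing run or of a stale credential left behind in a script."""
    failures = [e for e in events if e["event_id"] == EVENT_LOGON_FAILURE]
    machines_by_account = defaultdict(set)
    for e in failures:
        machines_by_account[e["account"]].add(e["computer"])
    return {
        "per_machine": Counter(e["computer"] for e in failures),
        "per_account": Counter(e["account"] for e in failures),
        "spread": {a: sorted(m) for a, m in machines_by_account.items()
                   if len(m) >= machine_threshold},
    }


def account_activity(events, account):
    """All logon events for one account in log order: the incident-response view."""
    return [(e["date"], e["time"], e["computer"], e["event_id"], e["source"])
            for e in events if e["account"].lower() == account.lower()]


def format_summary(summary):
    """Plain-text report suitable for a daily e-mail."""
    lines = ["Failed logons by machine:"]
    lines += [f"  {m:<12}{n:>4}" for m, n in summary["per_machine"].most_common()]
    lines.append("Failed logons by account:")
    lines += [f"  {a:<16}{n:>4}" for a, n in summary["per_account"].most_common()]
    lines.append("Accounts failing across several machines:")
    lines += [f"  {a}: {', '.join(ms)}" for a, ms in sorted(summary["spread"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_export(SAMPLE_EXPORT)
    print(format_summary(daily_summary(evts)))
    for row in account_activity(evts, "administrator"):
        print(row)
```

On the sample data a single mistyped password (jsmith, one machine) stays in the counts but never reaches the "spread" list, while the account that fails on four machines within a few seconds from one dial-up source does; that separation is what makes a daily summary readable rather than just long.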
BREAK
Risk Analysis
The most effective security practice, given that no one has infinite resources and everyone must prioritize work.
Risk Analysis Overview
• Risk = Threats x Vulnerability x Impact
– Need to weigh & prioritize risks to develop a strategy
• Threats
– Intruders, insiders, accidents, natural disasters
• Vulnerabilities
– Weaknesses in design, implementation, or operation
• Impact
– Level of harm to the institution
Practical Risk Analysis in HE
1) Preliminary Risk Analysis (year 1)
– Gathering allies, data and support
2) Risk Analysis of Critical Processes (year 2)
– Concentrating on high risk areas
3) Institution-wide Risk Analysis (year 3+)
– Broadening view to include the whole institution
Risk Analysis & Management
• Need to prioritize risks and develop strategy
• Starting from scratch
– Appoint a person to justify and drive risk assessment
– Gather data and allies, especially auditors
• Challenges in higher education
– Lack of resources and centralized control
– Different groups value different things
• Example models (STAR, OCTAVE)
UC Berkeley
• Preliminary Risk Assessment
• Supported by CIO (Jack McCredie)
– Appointed working group (IT & audit)
– Overcame internal resistance
• Lack of funds was a major barrier
– CIO used existing resources
• Outcomes
– Overview of risks
– Dedicated IT security group
– Basic security policy
Berkeley - Keys to Success
• Management commitment and support
• Gathered allies
– involved auditor
• Report
– important from educational and political standpoint
– helped develop consensus security strategy
• Departments that tax themselves
– hire their own IT support staff
Berkeley - Pitfalls & Future Plans
• Lack of funding has delayed progress
• Lack of technical expertise
– giving each group responsibility for defending themselves
– many groups lack the necessary expertise and funding
• Future plans: minimum standards policy
– goal: disconnect systems that do not meet policy
– important things are hardest to manage (e.g., patching)
– goal: professional support everywhere
U of Maryland, Baltimore County
• Risk Analysis of Critical Process
– Financial Aid
• Adapted STAR model
– Focus on process and information flow
– Reduced analysis time
– Relate risk analysis to business process and drivers
• Outcomes
– Improved security
– Regulatory compliance
Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)
• The focus of the risk assessment was primarily the Financial Aid department.
• We had a limited time-frame in which to implement this assessment due to compliance deadlines
• The risk assessment focused on the specific requirements in GLB and did not encompass other risks
Step 1. Met with Key Staff
• Financial aid director mapped out business processes and procedures (half-day)
• Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)
• IT coordinators mapped out network and LAN services supporting financial aid (2 hours)
Step 2. Model the Information and Communication Flows
• From the information provided we developed a matrix identifying the information flows between source and destination systems
• To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information
• We met with key staff from step 1 and validated the model design
[Slide 51: diagram of the financial aid information flows, not reproduced in this text]
Step 3. Develop Risk Review
• Key risk components for each entry marked with an X in the matrix:
– Likelihood
– Vulnerability
– Impact
• Each is assigned a value:
– (0) minimal
– (1) potentially a problem
– (2) High
• Multiply the three values; focus on any area where the risk value is > 1.
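As an added worked example (not UMBC's tool and not code from the guide), the Step 3 scoring applied to a constructed flow matrix of the kind Step 2 produces, using the general Risk = Threats x Vulnerability x Impact idea from the Risk Analysis Overview: each flow gets a likelihood, vulnerability and impact value of 0, 1 or 2, the three are multiplied, and any flow with a product above 1 goes on the list for Step 4. The systems, flows and scores are hypothetical. It also shows a property worth knowing before the review: because the values are multiplied, a 0 on any axis removes a flow from the list entirely, so a "minimal" score has to be defensible.

```python
"""Risk review scoring for an information-flow matrix.

Added illustration of the Step 3 method; not UMBC's assessment tool. Every
flow in the source/destination matrix carries a likelihood, vulnerability
and impact score on the 0/1/2 scale, the product is the risk value, and
flows above the threshold are reported highest first. All systems, flows
and scores below are constructed sample data.
"""
from dataclasses import dataclass

SCALE = {0: "minimal", 1: "potentially a problem", 2: "high"}


@dataclass(frozen=True)
class Flow:
    """One 'X' in the matrix: what information moves, from where, to where."""
    source: str
    destination: str
    information: str
    likelihood: int
    vulnerability: int
    impact: int

    def risk(self) -> int:
        """Risk = likelihood x vulnerability x impact; any 0 zeroes the product."""
        for v in (self.likelihood, self.vulnerability, self.impact):
            if v not in SCALE:
                raise ValueError(f"score {v} is outside the 0/1/2 scale")
        return self.likelihood * self.vulnerability * self.impact


# Constructed sample matrix for a financial-aid-style process (hypothetical).
SAMPLE_FLOWS = [
    Flow("student information system", "financial aid server", "award records", 1, 1, 2),
    Flow("financial aid server", "staff desktop", "NPI spreadsheets", 2, 2, 2),
    Flow("staff desktop", "external e-mail", "NPI in attachments", 1, 2, 2),
    Flow("financial aid server", "tape backup", "full database", 0, 1, 2),
    Flow("staff desktop", "network printer", "award letters", 1, 1, 0),
]


def flows_needing_mitigation(flows, threshold=1):
    """Flows whose risk value exceeds the threshold, highest risk first."""
    hits = [f for f in flows if f.risk() > threshold]
    return sorted(hits, key=lambda f: (-f.risk(), f.source, f.destination))


def risk_matrix(flows):
    """source -> destination -> risk value, for presenting back to process owners."""
    matrix = {}
    for f in flows:
        matrix.setdefault(f.source, {})[f.destination] = f.risk()
    return matrix


def format_report(flows):
    """One line per flow above threshold, with the three scores spelled out."""
    lines = []
    for f in flows_needing_mitigation(flows):
        lines.append(
            f"{f.risk():>2}  {f.source} -> {f.destination}: {f.information} "
            f"(L={SCALE[f.likelihood]}, V={SCALE[f.vulnerability]}, I={SCALE[f.impact]})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_FLOWS))
```

On the sample data the desktop storage of NPI scores 8 and e-mailing it scores 4, which matches the kind of finding the UMBC slides report; the backup flow scores 0 only because its likelihood was set to 0, which is exactly the score a reviewer should challenge.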
Step 4. Present Risk Review and Develop Mitigation Plan
• Meet with the key staff identified in step 1 and present the findings for validation
• Discuss strategies for mitigating identified risks and the potential impact on business processes
• For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.
UMBC GLB Risk Mitigation Recommendations
• Upgrade to Windows 2000, require authenticated login to each workstation
• Configuration policy will auto-update patches and install a firewall
• All files and databases containing NPI must be located on our Novell servers -- no local storage.
• Financial Aid should be among the first to move to our new protected network VLAN this summer.
• Working with IT Steering on the issue of e-mailing NPI (should/can this be prohibited without encryption)
GA Tech
• Institution-wide risk analysis
• Conducted by audit department
– Includes IT and non-IT resources and processes
– Repeated periodically to monitor progress
• Outcomes
– Security strategy
– Improved awareness of institution-wide risks
– Regulatory compliance
GA Tech Overview
• Assessment includes non-IT risks
– general policies, telecomm, insurance liabilities, human resources, regulatory compliance, health and safety
– accuracy of financial records
• Thorough assessment of IT systems
– security: logical, physical, and management
• FERPA
– deals with protection of information separately
GA Tech Assessing IT Risks
• Logical security
• Environmental and physical controls
• Data stewardship
• Management and maintenance
• Backup and recovery
• Training, S/W licensing, documentation
• Web site operations and development
Rochester Institute of Technology
• Outsourcing security posture/risk assessment
• Institution-wide evaluation by objective outsiders
– Interviews with all departments
– Vulnerability assessment of critical systems
– Evaluation and reporting of results
• Outcomes
– Report of weaknesses and proposed solutions
RIT Overview
• RIT pre-selected the methodology to use - the Infosec Assessment Methodology developed by the NSA
• They identified a vendor with experience in this methodology.
• They selected the summer to do the assessment. Realized there is no best time to do this.
• Assessment consisted of
– Document collection (1 month)
– On-site interviews (1 week)
– External scanning and analysis (3 weeks)
RIT Process
• Consultants requested documentation on procedures, systems and processes
• Consultants developed a question bank and met with key deans, directors, and VPs.
• Scanning was coordinated with system administrators and did not include DoS.
• Scheduling and communication were a challenge. The interview process took considerable time from security staff
• Communicating results can be challenging. Keeping people from being defensive is a challenge
RIT Results
• Demonstrated executive leadership felt security was important
• Gained insight into groups that had not documented practices or considered security
• Many findings were common sense but helped to push these changes more broadly
• Identified certain practices that were non-compliant
• Negatives
– Cost, effort required of internal staff to facilitate, focused too heavily on IT systems not business processes
Effective Practices Working Group
• Group of security practitioners that will solicit and review effective practices, make presentations at regional conferences, and provide assistance
• Convene bi-weekly through a conference call
• Work closely with S@LS to utilize research findings and recommendations (early adopter)
• A long-range goal for me is to develop common criteria for tracking security incidents and use those metrics to begin to gauge the benefit of different effective practices (before vs. after)
Questions and Discussion?
• Jack Suess
– jack@umbc.edu
• Eoghan Casey
– eco@corpus-delicti.com