Security@IU Mark Bruhn Indiana University IT Policy Officer 1 • January 1997 - Michael McRobbie arrives as the first CIO at Indiana University • March 1997 – self-proclaimed “privacy advocate” finds 2760 records of personal info via an gopher-http gateway • Posts them to his web site • Notifies major media outlets • Information Security Officer was in buried in Administrative Computing department • No incident response capability existed 2 • Subsequent actions: • University Computer Security Task Force appointed • University Computer Security Office created with an interim Director • One of the best technicians available assigned to the UCSO immediately • External reviews (company and peer) commissioned • Interim IT Policy Officer appointed • External reviews: • No real surprises • Peer review recommended permanent IT Policy and Security Offices • Developed an action plan • CIO presented the action plan to the President, who directed that it be implemented 3 • Offices created in August 1998: • Positioned in the Office of the Vice President and CIO, not in computing department • Several new staff positions created, including two high-level “officers” • IT Policy Officer reports to the CIO, and is a member of OVPIT executive management • IT Security Officer reports to the IT Policy Officer, but with dotted-line to the CIO 4 • IT Policy Office • 14 full-time staff variously responsibly for • Policy development • Incident response • Identification, authentication, authorization services • Enterprise directory • Disaster recovery • IT Security Office • 7 full-time staff responsible for • Maintaining a wide-breadth and specific indepth technical expertise • Developing security resources for technicians • Developing/maintaining tools for technicians • Security consulting • Security reviews on request 5 University Information Technology Policy Office Office of the Vice President for Information Technology Michael McRobbie September 2001 VP/CIO Mark Bruhn IT Policy Officer/ Contracts & Agreements Officer Admin Asst Tom Davis IT Security Officer Disaster Recovery Program Manager Data Administrator Info Mgt Officer Cross-Unit Recovery Planning Team Global Directory Services Team 1 Lead Data/ Applications Analyst 2 Senior Data/ Applications Analysts Merri Beth Lavagnino Deputy IT Policy Officer Computer Accounts Manager Incident Response Coordinator 6 Accounts Administrators Technical Investigators 2 Principal Security Engineers 3 Lead Security Engineers 1 Senior Security Analysts Information Technology Security Office 6 • February 2001 – Bursar’s Office • Technician inadvertently allowed anon FTP • Gigabytes of bootleg movies and music stashed by unknown individuals • A file of personal data amongst these media files, and was downloaded • In May 2001, Trustees pass a resolution directing VP/CIO to take steps to improve security • Proactive • Reactive 7 • June 2001 – School of Music • Web server exploited via known vulnerability • School was collecting personal information from prospective students • Data was stored in directory accessible to the intruder • June 2001, CIO directed University units to eliminate unnecessary files of sensitive information and to secure the rest • By December 2001, 55 major units indicated projects underway or projects completed • Creating an enterprise directory • Permits applications to access central secure store of person information instead of maintaining distributed stores • “Translate service” permits departments to store username instead of SSN and convert as required 8 • • • • Developed issues list Developed strategy Developed talking points CIO and ITPO/ITSO use all opportunities to discuss security issues with various constituencies • Key is to translate vulnerabilities and issues into INSTITUTIONAL RISKS • Role for CIO and IT Policy Officer • Security Officer many times mostly technical (which is a good thing) and not schmoozy • But, key person is the CIO (if organizationally positioned correctly): • • • • Especially if also an academic Understands technology Understands business/mission Has the attention of executive administration 9 • Published general best practices documents: • • • • • Best Practices for Security IT Resources • Best Practices for Handling Sensitive Electronic Information (long and short) Deliver formal technician seminars which include general information and technical security (partner with computing department and Human Resources Management) Deliver non-credit technician Security Education/Certification courses, which are already proving very popular (partner with computing department; plans to make these mandatory) Deliver an enhanced suite of technician support tools (for vulnerabilities assessment, anti-virus, advisory service, etc.) Made available many technician/user how-to guides 10 Purchased: • • • • • • Intrusion Detection: Shadow Style Securing Linux: Step-byStep Solaris Security: Stepby-Step Windows NT Security: Step-by-Step Windows 2000 Security: Step by Step Windows 2000 Vulnerabilities and Solutions Locally developed: Handle a system compromise Install and Use SSH Install and Use TCP Wrappers Obtain a certificate for an IUbased web server Prevent mail relay abuse Protect against viruses Protect your home PC Protect your IIS web server Protect your laptop computer Recover from a System Compromise Secure your personal computer accounts Secure your Windows FTP server Secure your Windows NT system Secure your Windows 95/98 system Secure your UNIX system 11 • Eliminated several insecure email communications protocols; working to eliminate all • Developed “virtual private network”, which provides for authentication and encryption for: • Connections from off-campus • On-campus wireless networks • Commissioned a group to develop a comprehensive enterprise firewalling proposal, with specific selfdefense goals: • A large portion of the ~65,000 networked IU systems support campus functions and do not need to be visible to the Internet • On the remaining systems, only certain services (e.g., web pages) need to be visible to the Internet • IUB Halls of Residence student computers need special protection from external influences; services that students provide to the Internet must be limited • Security consulting engagements to projects and systems within UITS and departments increasing dramatically 12 • • • Placement of a firewall at the edge of the IU network to protect workstations and local servers from many types of attacks. Departmental servers providing services beyond the IU network would exist on a separate Class B network than workstations. Servers on this network would be registered and hardened and would be protected via router ACLs. Servers residing in the UITS machine rooms on each campus would use a separate firewall with unique rule sets for each server. 13 • Created new IT policies: • Use of Indiana University Information Technology Resources • Sanctions for Misuse or Abuse of Indiana University Technology Resources • Eligibility to Use Indiana University Technology Resources • Privacy of University Information Technology Resources • Information Technology Facilitative/Fair Usage Policy • Security of University IT Resources • Network and Computer Accounts Administration • Extending the Network • Wireless Networking • Use of Electronic Mail • Policy on Use of Email for Mass Communications • Created Deputy IT Policy Officer based at IUPUI; affords more presence there and at regional campuses 14 • Web-based scanner management interface • ISS and Nessus as scan engines • Several scan engines • Scans are required and automatically executed for OVPIT systems • Scans are requested by administrators, security staff, or auditors • Web-based incident tracking system • Incidents are triaged by full-time IRC, and other handled by that person or assigned 15