Security Defending your Customers from Themselves - PowerPoint PPT Presentation

Slides: 13
Provided by: william569
Learn more at: http://net.educause.edu

Transcript and Presenter's Notes

Title: Security Defending your Customers from Themselves


1
Security Defending your Customers from
Themselves
  • StateNets Annual Meeting
  • February, 2004

2
Security, what do we do?
  • What do we do to protect ourselves?
  • What do we do to protect our customers?
  • What do we do to our customers?
  • If this is where we are today, where should we be
    tomorrow?

3
What do we do to protect ourselves?
  • Physical security
  • Backup and TEST RESTORES!
  • Internal awareness
  • Monitor most appropriate lists
  • Membership in security organizations
  • Configuration control
  • Protected circuits
  • Tripwire OS and configuration files
  • Evaluate and Patch OS
  • Change control

4
What do we do to protect ourselves?
  • Limit access
  • Size-appropriate connections limit DoS, DDoS
    participation
  • Require SSH for shell accounts
  • Radius authentication/access logs
  • Disable unused services
  • Packet filtering software firewalls
  • Enforce complex, limited-life passwords

5
What do we do to protect ourselves?
  • Monitor and Maintain
  • Intrusion detection for core systems
  • Network scanners
  • READ THE LOGS! Logcheck
  • Follow-up

6
What do we do to protect ourselves?
  • Disaster Recovery/Risk Profile
  • Carrier-class or Enterprise-class equipment
  • Vendor maintenance: understand Acts of God
    clauses
  • Document recovery procedures/responsibilities
  • Sponsor/Bill Payers understand and accept risks

7
What do we do for our customers?
  • Managed services: web and mail hosting
  • Virus filtering for managed mail services
  • Spam filtering for managed mail services
  • Remote Vulnerability Assessment
  • Awareness/Education
  • Formal training
  • Customer advisories

8
What do we do for our customers?
  • Incident Response
  • Monitored endpoints at customer edge
  • Proactive connectivity and performance monitoring
  • Reactive security monitoring
  • Provide customer network tools
  • Netflow
  • MRTG
  • NetHealth
  • 'looking glass' utilities

9
What do we do to our customers?
  • Acceptable Use Policy
  • reasonable efforts
  • Access lists
  • Block offending servers, connection
  • Block outside attacks
  • Open Relay Scans

10
If this is where we are today, where do you think we
should be tomorrow?
  • Proactive security measures
  • Better intrusion detection, automatic
    notification
  • Security policy
  • Require desktop virus scanning
  • Central security services
  • Cross institution authentication

11
If this is where we are today, where do you think we
should be tomorrow?
  • Customer Services
  • Security Operations Center
  • Enhanced Advisory Services (awareness of new
    developments before formal public advisories,
    enhanced information sharing)
  • Managed Firewall Service
  • Managed Intrusion Detection
  • Managed Event Response
  • On-site vulnerability/audit services

12
MOREnet Security Link
  • http://www.more.net/security/index.html