State of the IT Security Program UTHSCH FY04 - PowerPoint PPT Presentation

Slides: 19
Provided by: uth8

Transcript and Presenter's Notes



1
State of the IT Security Program at UTHSC-H
FY04
  • Randle Moore
  • Chief Information Security Officer

2
Introduction
  • Statement of Purpose/Goals
  • Organizational Structure of IT Security Program
  • What does IT Security do?
  • The Why of IT Security
  • How are we doing?
  • What does it cost?
  • How do we compare?
  • Q&A

3
Statement of Purpose
  • The purpose of the IT Security Program at
    UTHSC-H is to provide a secure information
    technology infrastructure for schools and
    departments to utilize in the pursuit of the
    institution's goals in research, teaching, and
    healthcare.

4
Goals of IT Security Program
  • C: Confidentiality
      • Ensuring that information is viewed only by
        authorized individuals.
  • I: Integrity
      • Ensuring that data and systems are accurate and
        not modified by unauthorized processes or
        personnel.
  • A: Availability
      • Ensuring that data is available for use when
        needed.

5
Organizational Structure
  • IT Security Steering Team
      • Consists of representatives from each school/unit
      • Responsible for setting security policy/procedure
      • Ultimate authority for determining exceptions to
        policy
  • IT Security Core Team
      • Provide technical guidance to ITS Steering Team
      • Determine security solutions to support policy
  • IT Security Technical Team
      • Provide technical input to the impacts of policy
        or solutions
      • Discuss methods of security integration
  • IT Security Group

6
ITS Program Components
  • Skilled Staff - 5 personnel
  • Policies & Procedures
  • HOOP
  • 13 IT Security Policies (www.uth.tmc.edu/itsecurity)
  • Risk Assessments
  • Vulnerability Inventory
  • Disaster Recovery
  • HIPAA
  • Security Training
  • All Employees
  • Internal department and IS staff
  • E-mail Campaign
  • Architecture/Technology
  • Redundant hardware (firewalls, IDS/IPS, routers,
    etc.)
  • Internal security zones prevent spread of
    infection
  • Secure wireless infrastructure
  • Anti-virus, desktop firewall software
  • SPAM management software
  • Patch management tools
  • Monitoring and Logging
  • Firewall
  • IDS/IPS
  • Remote Access (Dial-up, VPN)
  • MRTG and Packetshaper (track bandwidth
    utilization)
  • Data Backups
  • Different schedule based on risk assessment
  • Incident Handling & Reporting
  • Auto-alerts allow 24/7 response (staff can
    respond to incidents from home)
  • Quarantine plan for virus/worm outbreaks
  • Monthly report to DIR and Executive Management
  • Maintain Remote Access Security
  • VPNs
  • Modems
  • Business Partner Peering Relationships
  • Assist in compliance with federal, state, and UT
    System mandates (TAC 202, FERPA, HIPAA, etc.)

7
The Why of IT Security
  • Academic and research endeavors are increasingly
    dependent on information technology.
  • Integrating security into the equation helps
    ensure technology can be trusted and is available
    when it is needed.
  • Historically, security on the Internet has been
    an afterthought.
  • Unfortunately for us, the digital landscape has
    changed.

8
The Why of IT Security
  • One new virus for every hour of every day
  • P2P file sharing, instant messaging, and IRC are
    significant vectors of infection (7 of top ten
    threats used one or more of these)
  • Average time from vulnerability announcement to
    exploit code is under six days
  • 30,000 machine bot networks
  • Attacks against user system and web applications
    are on the rise

9
The Why of IT Security
  • Threat Model
  • Malicious Individuals (Hackers/Crackers)
  • Disgruntled Employees/Students
  • Viruses/Worms: SoBig.F, MS Blaster, etc.
  • Spyware: Gator, Hotbar, NetOptimizer, etc.
  • Denial of Service (DoS) Attacks (including
    unauthorized use of resources)
  • Organized Crime

10
Why are hackers interested in us?
  • Easy target (much more open security posture)
  • High-Value target (Lots of bandwidth)
  • Illegal file sharing
  • DoS attacks
  • Visibility (name in the paper)
  • Data theft/manipulation
  • SSNs
  • Patient data
  • Research data

11
How are we doing?
  • Since the security program's inception, we have
    done a fantastic job of securing the perimeter.
  • While the perimeter security must still be
    maintained, focus needs to shift to the internal
    threat, including our business partners.
  • Training and security awareness are key.
  • Compliance and accountability (requires executive
    backing) are fundamental.

12
Viruses, Worms, and Spyware
  • Many devastating virus and worm attacks have
    literally shut down other TMC and UT component
    networks over the past year. (SQL Slammer,
    SoBig.F, MS Blaster, etc.)
  • Our network has remained functional with only
    isolated cases of infection, almost entirely
    caused by personnel or students connecting
    laptops infected off-campus
  • Spyware continues to be a pervasive problem
    on-campus, due to a lack of user education and
    security controls on the desktops

13
Internal Penetration Test
  • Recent assessment by IT Security Team showed
    significant internal problems
  • Account Management and Password policies not
    being enforced everywhere
  • Too many users have local administrator access
  • Improper level of security placed on new
    servers/applications
  • Access was achieved to patient data, student
    data, employee data (including SSNs), UTPD alarm
    system server, badging server, HRMS, and over 300
    desktops.
  • Lists of passwords were available from many
    systems, including the main University LDAP
    servers.

14
Cost of IT Security Program
  • It is easy to see IT Security as a cost center
  • Security is typically viewed as a negative
    deliverable (if nothing bad happens)
  • Metrics are difficult to develop without
    comparison (we didn't get this, but THEY did)
  • Security is not a cost, but a benefit.

15
Why the cost disparity?
  • Not all traditional security functions are
    managed by the central IT Security Team
  • Disaster Recovery Planning
  • Host-based solutions (desktop anti-virus,
    firewall, patching solutions, etc.)
  • SPAM Management
  • E-mail Virus Scanning
  • User Account Management
  • Good perimeter defense

16
CIAS Top 3 Barriers
  • Resource Allocation: Security programs are
    underfunded.
      • Based on available data, the UTHSC-H IT Security
        program does not compare favorably to other UT
        components.
  • Decentralized IT: Decentralization introduces
    significant risk to information systems.
      • UTHSC-H has made some progress towards
        centralizing IT, but has some additional work
        left to do in this area.
  • Accountability: Academic environments are used to
    an open, shared environment with little to no
    accountability for information security.
      • This remains a significant problem.

17
Conclusion
  • UTHSC-H has a sound IT Security program. To
    date, it has been successful in protecting the
    institution's information resources.
  • Constant effort is required to maintain the
    current infrastructure, keep up with emerging
    threats, and to bolster areas needing
    improvement.
  • Additional consolidation of IT resources, as well
    as better coordination of IT Security projects is
    needed.

18
Q&A
<Randle.Moore(at)uth.tmc.edu>