IT Security - PowerPoint PPT Presentation

1
IT Security
Tom Davis, CISSP
University IT Security Officer
Office of the Vice President for Information Technology
2
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

3
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

4
IT Security Objectives
  • Availability
      • Ensure that IT resources are available when needed
  • Integrity
      • Ensure that data is reliable and correct
  • Confidentiality
      • Ensure that only those authorized have access

5
Why Attack Universities?
  • Large number of networked devices
  • High-speed, high-capacity networks
  • Diverse hardware and software packages deployed
  • New technologies deployed before matured
  • Varied physical system locations
  • Varied system administration practices

6
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

7
ITSO Overview
Michael McRobbie, VP/CIO
Mark Bruhn, IT Policy Officer / Contracts & Agreements Officer
Admin Asst
Tom Davis, IT Security Officer
Merri Beth Lavagnino, Deputy IT Policy Officer
Stacie Wiegand, Data Administrator Info Mgt Officer
Marge Abels, Disaster Recovery Program Manager
4 Security Engineers
2 Security Analysts
Cross-Unit Recovery Planning Team
Information Technology Security Office
Global Directory Services Team
Incident Response Coordinator
Computer Accounts Manager
3 Data Analysts
Technical Investigators
6 Accounts Administrators
8
ITSO Services
  • Provide IT security awareness and education
  • Provide IT security guidelines and standards
  • Provide security consulting and review
  • Maintain production services
  • Investigate and document IT security incidents

9
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

10
IT-01 (Use of IT Resources)
  • http://www.itpo.iu.edu/IT01.html
  • ... use of Indiana University technology
    resources is restricted to purposes related to
    the university's mission of education, research,
    and public service.
  • Incidental personal use is an accepted and
    appropriate benefit ... (but that use) must never
    have an adverse impact on uses of technology and
    information resources in support of the
    University's missions.

11
IT-07 (Privacy of IT Resources)
  • http://www.itpo.iu.edu/IT07.html
  • Stored computer information, voice and data
    network communications, and personal computers
    may not be accessed by someone other than the
    person to whom the computer account in which the
    information has been stored is assigned ...
    outside of the provisions of this policy.

12
IT-12 (Security of IT Resources)
  • http://www.itpo.iu.edu/IT12.html
  • Indiana University organizational units
    (campuses, departments, offices, affiliated
    agencies, etc.) operating technology resources
    are responsible for ensuring that those systems
    are managed securely.

13
IT-19 (Extending the Network)
  • http://www.itpo.iu.edu/IT19.html
  • Layer 2 devices may not be used to extend the
    University network beyond the room containing the
    data jack to which they are attached.
  • Layer 3 IP devices are often complex and
    difficult and time consuming to manage,
    individual departments are not permitted to
    deploy these services independently. Deployment
    of these services and devices will be controlled
    by and coordinated with UITS.
  • Individual departments are not permitted to
    independently deploy remote access services,
    Virtual Private Networks or dial-in modem
    services.

14
IT-20 (Wireless Networking)
  • http://www.itpo.iu.edu/IT20.html
  • University Information Technology Services
    (UITS) will manage all wireless hubs, except
    those that are mobile, temporary, or
    serially-connected.
  • Only UITS-installed and managed wireless hubs
    will be allowed in Residence Halls. Students in
    the Residence Halls are not permitted to install
    their own wireless networking equipment.
  • All UITS-managed wireless hubs will be connected
    via the VPN-secured system, unless a specific
    exception is granted by University Information
    Technology Policy Office (ITPO).

15
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

16
Network Controls - Prevention
  • Firewalls
      • packet filtering (router ACLs)
      • stateful inspection
      • application proxy
      • not the solution to everything!
      • host-based security still extremely important

17
Network Controls - Prevention
  • Intrusion Detection
      • signature based
      • anomaly based (neural networks)
      • can also be host-based
      • false positives are an issue

18
Network Controls - Prevention
  • Vulnerability Scanning
      • ISS Internet Scanner
      • Nessus
      • Nmap
  • Virtual Private Networks (VPNs)
      • encrypted remote access
      • also used at IU for wireless access

19
Network Controls - Detection
  • Network Monitoring
      • ethereal, tcpdump, etc.
      • relationship to IT-07 policy
  • Network Flows
      • generated by routers
      • source and destination IP address and port
      • protocol (UDP, TCP, etc.)
      • size of flow

20
Network Controls - Detection
  • ARP Table Entries
      • Address Resolution Protocol (MAC to IP)
      • useful for finding stolen devices
  • Authentication Logs
      • username
      • date and time stamp
      • source IP address

21
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

22
Incident Response
  • Assistance in coordinating appropriate technical
    investigation of security breaches
  • Assistance in packaging technical security
    information for IU governance agencies, IU legal
    counsel, law enforcement, prosecutors, university
    administration, etc.
  • Common and consistent incident response

23
Total Reported Incidents
24
System Break-in Incidents
25
Virus Incidents
26
Agenda
  • IT Security Overview
  • IT Security Office (ITSO)
  • IT Policies
  • Network Security Controls
  • Incident Response
  • A Career in IT Security

27
A Day in the Life
  • Peaceful bliss...
      • followed by an all out attack!
  • 24 x 7 x 365
      • pager, cell, remote access

28
Reactive
  • Constantly on the look-out
      • newsgroups, mailing lists, vendor bulletins
  • Answering questions
      • How do I secure xyz?
      • Can I send a file via e-mail unencrypted?
  • Putting out fires

29
Proactive
  • Shoring up the network defense
  • Network monitoring
  • Training and Education for sysadmins
  • Virus awareness campaigns
  • Vulnerability scanning
  • Prairie Doggin it!

30
Skill Requirements
  • Solid understanding of networking
      • Ethernet, TCP, UDP, routers, switches, etc.
  • In-depth experience in at least one programming
    language
      • C first, Perl a close second
  • Specialization in a single operating system
      • expand to others later

31
Skill Requirements
  • File system knowledge desirable
      • ext2fs, ext3fs, XFS (Linux)
      • UFS (BSD unices)
      • NTFS, FAT32 (Windows)
  • Prioritization skills needed

32
Skill Requirements
  • Diplomacy a must
  • Propeller-head mentality needed
  • with a dose of paranoia...
  • Aptitude to learn!
  • always asked to review new technologies
  • difficult to hire staff with the aforementioned
    skills and security knowledge

33
Professional Certifications
  • SANS Global Information Assurance Center (GIAC)
    Certifications
  • Certified Information Security Manager (CISM)
    Certification
  • Certified Information Systems Security
    Professional (CISSP) Certification

34
GIAC Certifications
  • GIAC's purpose is to provide assurance that a
    certified individual holds the appropriate level
    of knowledge and skill necessary for a
    practitioner in key areas of information
    security.
  • http://www.giac.org/
  • Requirements
      • Successfully complete a practical/research paper
      • Successfully complete one or two exams

35
GIAC Certifications
  • More technical than the others
  • Certifications offered in several programs
      • Security Essentials Certification (GSEC)
      • Certified Firewall Analyst (GCFW)
      • Certified Intrusion Analyst (GCIA)
      • Certified Incident Handler (GCIH)
      • Certified Forensics Analyst (GCFA)
      • Certified Windows Security Administrator (GCNT)
      • Certified UNIX Security Administrator (GCUX)
      • Information Security Officer Basic (GISA)
      • Systems and Network Auditor (GSNA)

36
CISM Certifications
  • CISM is designed to provide executive management
    with assurance that those earning the designation
    have the required knowledge and ability to
    provide effective security management and
    consulting.
  • http://www.isaca.org/
  • Requirements
      • Adhere to a code of professional ethics
      • Minimum of 5 years of information security work
        (at least 3 in information security management)
      • Successfully complete the CISM exam

37
CISM Certifications
  • The CISM exam covers five areas
      • Information Security Governance
      • Risk Management
      • Information Security Program Management
      • Information Security Management
      • Response Management

38
CISSP Certifications
  • CISSP Certification was designed to recognize
    mastery of an international standard for
    information security and understanding of a
    Common Body of Knowledge (CBK).
  • http://www.isc2.org/
  • Requirements
      • Subscribe to the (ISC)² Code of Ethics
      • Have a minimum 4 years of direct full-time
        security professional work experience
      • Successfully complete the CISSP exam

39
CISSP Certifications
  • The CISSP exam covers ten domains
      • Access Control Systems & Methodology
      • Applications & Systems Development
      • Business Continuity Planning
      • Cryptography
      • Law, Investigation & Ethics
      • Operations Security
      • Physical Security
      • Security Architecture & Models
      • Security Management Practices
      • Telecommunications, Network & Internet Security

40
Summary
  • It's a dangerous world out there!
  • Policies are the foundation upon which technical
    security solutions are implemented
  • The security profession is hectic but rewarding
    and challenging
  • Job opportunities are out there for qualified
    applicants
  • Professional certifications definitely help

41
Questions?