1
Internet Security: How Much is Enough?
Orange Beach, Alabama, May 23, 2000
Steve Miksell, ITSC
2
Internet Security
How much is enough?
3
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An On-Going Process)
  • Conclusion

4
Internet Benefits and The Role of Security
Internet Access (Benefits to Users and Staff)
SESA Cost Savings (Client Savings/ Agency Savings)
  • Household access
  • Personal Computer
  • Other devices
  • Third party access
  • Community-based organization
  • Libraries
  • Agencies
  • Schools
  • Ease-of-use
  • Ability to save agency costs
  • Accuracy of information and transactions
  • Cost of Internet hardware and software design and
    implementation
  • Cost of multiple modes of operation

Security and Privacy
  • Security Required to Assure Confidence Allowing
    Benefits to be Realized
  • Costs to Achieve this will affect bottom line

5
UI Internet Security Issues
Availability
Privacy and Confidentiality
Financial and Data Integrity
6
Security -- Package or Process
Universal Security Package (1 size fits all)
Solution is an ongoing process tailored to
the environment and application
7
Security Program Activities
8
Key Elements of a Security Program
  • People
  • Management
  • Staff

Policies & Procedures
Tools
9
Computer Misuse and Abuse
(USA TODAY from FBI and CSI Institute Surveys)
10
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An Ongoing Process)
  • Conclusion

11
Threats, Vulnerabilities, Risks
Vulnerability
Threat
Risk
12
Internet Threats
13
Web Server Vandalism
WWW.Site.State.XX.US
  • Vandalized Web Sites (a small sample)
  • NASA
  • DOJ
  • KKK
  • Greenpeace
  • CIA

Welcome from the Commissioner.
14
Denial of Service
15
Release of Confidential Information
Legitimate user, who provides confidential
information to the SESA.
Hacker pretends to be someone else, obtaining
confidential information, such as wage records
or UI claim status from the SESA.
16
Fraud Over the Internet
Dishonest individuals submit fraudulent claims,
using anonymity of the Internet to hide their
identity.
17
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An On-Going Process)
  • Conclusion

18
Security Services (Tools and Techniques)
  • TOOLS
  • Firewalls
  • Intrusion Detection
  • Virus Detection
  • Authentication Mechanisms (e.g., PKI)
  • Virtual Private Networks
  • ...
  • Techniques
  • Server Lockdown
  • Log Analysis
  • Incident Handling Procedures
  • Security Policies
  • Risk Assessments
  • ...

19
UI Issues and IT Security Services
[Diagram labels: Confidentiality; Integrity; Availability; Good Product/ NO Fit; System Configuration; Firewalls; Accountability; Architecture; Non-Repudiation; Monetary and Privacy Issues; Threats posed by those who might commit fraud; Authentication; Identification; Incident Mgmt.; Access Control; Administration]
20
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An Ongoing Process)
  • Conclusion

21
Threats & Points of Vulnerability
Internet Access Exposes Personal and Monetary Information
  • Threat: Vandals
  • Threat: Malicious Users
  • Threat: Snoops, Data Modifiers
  • Threat: Imposters

[Diagram labels: Client Side; Communications Path; Server Side]
22
Server Side Security: Legacy Operational Data
Mainframes
  • Security Services
  • System Configuration
  • Access Control
  • Identification & Authentication
  • Accountability
  • Facility Security
  • Software Import Control

Servers
23
Server Side Security
  • Security Services
  • Administrative Procedures
  • Physical & Personnel Security
  • Architecture
  • Firewalls
  • Incident Handling
  • Training

[Diagram labels: Your LAN; External LAN/Internet; Service A; Service X; Email; Authorized; Unauthorized; Audit Logs]
24
Server Side Security: The Web Server
  • Security Services
  • System Configuration
  • Access Control
  • Identification & Authentication
  • Accountability
  • Non-Repudiation
  • Facility Security
  • Software Import Control
  • Incident Management

The World
UI Data
25
Secure Communication
[Diagram labels: Client Side; Remote Site; Communications Path (Internet); Server Side (Intranet)]
Security Service: Encrypted pipe (VPN) between firewalls
26
Client Side Security
  • Security Services (Applied to Browsers, Platforms
    and Individuals)
  • System Configuration
  • Identification & Authentication
  • Encryption
  • Software Import Control
  • Access Control via Passwords
  • Non-Repudiation
  • USER TRAINING

27
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An Ongoing Process)
  • Conclusion

28
Security in the Life Cycle of (SESA UI) Internet Applications
  • Plan: What will be done for Security?
  • Design: How will It Be Done?
  • Implement: Building the Application to incorporate Security
  • Operate: Running the Application Securely
29
Planning Elements
  • Key Issues
  • Claimant Signatures Required?
  • Use of PKI, SSN or Other Authentication
    techniques?
  • Hours of Operation
  • Contingency Plans
  • Information Handling Policies
  • Security Policy
  • Privacy Policy
  • Discipline Policies
  • Legal Procedures
  • Incident Handling
  • Security Planning
  • Risk Understanding
  • Staff Involvement
  • UI Director
  • Business Managers
  • IT Managers
  • Operations Managers
  • Quality Control
  • Legal Counsel

30
Policy Conflict Resolution
Cost
Ease of Use
Security
Compatibility
Laws & Guidelines
31
Internet Authentication: A Major Policy Challenge
User convenience must be balanced with privacy
and fraud prevention
If it's too hard to prove I'm ME, I won't bother
to use the Internet
INTERNET
Solutions exist, but their selection and
implementation involve cost/certainty/convenience
tradeoffs and will require clear policy
guidelines.
32
Spectrum of Authentication Options
Higher Risk but User Friendly
  • Assume that knowledge of Name and SSN authenticates the user and allow immediate access to Wage Data
  • ESTABLISH Blind Authentication Procedures that 1) Protect Privacy 2) Fully exploit Internet capabilities to eliminate the need for direct staff support
  • Require Certificates or other Stringent Authentication Procedures: PKI or Biometrics
  • NEVER release Sensitive over the Internet
Safe but Restrictive
33
Design Elements
  • Key Issues
  • Secure Architecture
  • Security Requirements
  • Privacy Requirements
  • Allocation of functions to Hardware/Software/Procedures
  • Firewall policy
  • Encryption
  • Virus Protection
  • Forms Design
  • System Impact
  • Audit Requirements
  • Security Design Reviews
  • Risk Reduction
  • Staff Involvement
  • Business Managers
  • IT Managers/Staff
  • Operations Managers
  • Quality Control

34
Implementation Elements
  • Key Issues
  • Secure Server Configuration
  • Firewall Configuration
  • Security Testing
  • Virus Software
  • Security Training
  • Risk Assessment
  • Staff Involvement
  • IT Managers/Staff
  • Operations Managers/Staff
  • Quality Control

35
Operational Elements
  • Key Issues
  • Update virus software
  • Monitor security alerts
  • Apply patches for security bugs
  • Update access control lists
  • Monitor audit data
  • Report incidents to management
  • Continually verify server integrity
  • Continually verify web page integrity
  • Periodic Risk Assessment -- particularly as the
    environment changes
  • Staff Involvement
  • Operations Staff
  • IT Staff
  • Management

36
Agenda
  • Introduction
  • Threats, Risks and Vulnerabilities
  • Risk Reduction I (Tools)
  • Risk Reduction II (End-to-End Solutions)
  • Risk Reduction III (An Ongoing Process)
  • Conclusion

37
To Answer the Original Question ...
  • How Much Security is Enough?
  • Other Questions Must be Answered...
  • What is the application?
  • What level of risks can be tolerated?
  • What are costs vs. risks?

38
Web Server Application
  • Website -- Set up as Standalone Server with No
    Links to Other SESA Assets
  • Services -- Providing PUBLIC SESA and UI
    Information to the General Population, Including
    Links to External Resources
  • Threats Include
  • Vandalism (Graffiti and False Information or
    Links)
  • Denial of Service

[Diagram labels: Monitoring; Administration; Server Lockdown]
39
Web Server Security
  • Threshold Security
  • Server Lockdown
  • Monitoring
  • Backups
  • Contingency Plan
  • Enhanced Security
  • Server Certificate
  • Intrusion Detection
  • Firewall
  • Automated Alerts
  • Automatic Shutdown

40
UI Initial Claims Application
  • Data Collection Combined with Distribution of
    Private Information
  • Threats
  • Imposters Submitting False Information
  • Increased chance of Privacy
    Violations
  • On the Internet
  • On the Server
  • On Other SESA computers
  • Increased Impact of Vandalism/Graffiti

[Diagram labels: Administration; Access Accountability; Firewall; Encryption; Identification & Authentication]
41
UI Claims
  • Threshold Security
  • Life Cycle Process
  • Comprehensive Policies
  • Access Controls and Reasonable Authentication
  • Point Solutions with End-to-end Security
    Integration
  • Periodic Assessment
  • Enhanced Security
  • All of the threshold security services at
    significantly enhanced levels

42
The Original Question -- How Much Security is
Enough?
  • Enough security to reduce risk to a level you are
    comfortable with.
  • Steps to achieving that comfort level
  • Understanding the Application
  • Understanding the Risks
  • Mitigating Risks through a continuous process of
    security awareness

43
Extra Credit Topics
  • Interesting URLs
  • Personnel Security
  • DDOS
  • PKI
  • Securing Applications
  • ITSC Contacts

44
Further Reading (Some Interesting Security URLs)
  • Government Sites
  • NIST (csrc.nist.gov)
  • Private Organizations
  • SANS (www.sans.org)
  • SlashDot (www.slashdot.com)
  • ISS (www.iss.net)
  • (www.counterpane.com)
  • (www.needguide.com)

45
An Approach to Personnel Security
  • Strong Authentication
  • Intrusion Detection
  • Encryption of Key Databases
  • Audit and Close Security Holes
  • NOT -- Single Administrator with Universal Access
  • Background Checks
  • Strong Written Policies
  • Training -- Policies, Expectations, Consequences
  • Control and Monitoring of Sensitive Data
  • from Network World, May 8, 2000

46
Observations on Personnel Security
  • Security tools and procedures are not a
    substitute for trusted employees
  • Employee background checks need to be
    appropriate to the nature of the job
  • Onerous Unneeded Security is Self Defeating
  • Expensive
  • Morale Busters
  • Workarounds will be found
  • Effective Security is a Team Effort -- Don't
    alienate the Team

47
Distributed Denial of Service (From WebCast
Presented by ISS on February 16, 2000)
48
Securing a UI E-Commerce Transaction through PKI
PKI - Public Key Infrastructure
  • Claimant: 1. Complete claim form 2. Digitally sign claim 3. Encrypt Transaction
  • UI Office/SESA: 4. Decrypt claim 5. Check Validity 9. Process claim
  • Certification Authority: 6. Verify signer's credentials 7. Digitally sign response 8. Send Response
  • Messages exchanged over the Internet: Encrypted claim; "Is signature valid?"; "Signature OK"
49
Public Key Infrastructure
PKI
Certification Authority (CA)
  • Management
  • Certificate Authorities to validate integrity of
    public keys by
  • Issuing Certificates
  • Validating Certificates
  • Revoking Certificates
  • Cooperating with other CAs
  • Assigning Responsibility and Liability
  • Technical
  • Browser, Server and E-mail software to support
  • Key Generation
  • Symmetric Encryption
  • Public/private Key Encryption
  • Secure Key Storage
  • Digital Signature Creation/Verification

PKI Initiatives
  • Utah Digital Signature Program
  • Access Certificates for Electronic Services (ACES)
  • Corporate PKIs - example, Texas Instruments, US West

PKI Support
  • Commercial CAs - Verisign, Digital Signature Trust
  • PKI Tool Development - Verisign, Entrust, RSA
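
Added example, not part of the original presentation: the nine-step signed and encrypted claim exchange from slide 48, with the CA functions from slide 49 (issuing, validating and revoking certificates), written with Node.js built-in crypto. Assumptions: the certificate is modeled as a CA-signed JSON record instead of X.509, the CA is called in-process rather than over the network, and every name (issueCert, submitClaim, caValidate, receiveClaim), key and claim field is hypothetical.

```javascript
// Added example; keys, subjects and claim fields are constructed for illustration.
const crypto = require('crypto');

const newKey = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sign = (data, key) => crypto.sign('sha256', Buffer.from(data), key).toString('base64');
const verify = (data, key, sig) =>
  crypto.verify('sha256', Buffer.from(data), key, Buffer.from(sig, 'base64'));

const ca = newKey(), office = newKey(), claimant = newKey();
const revoked = new Set(); // subjects whose certificates the CA has revoked

// CA issues a certificate: subject plus public key, signed by the CA (JSON stand-in for X.509).
function issueCert(subject, publicKey) {
  const body = JSON.stringify({ subject, key: publicKey.export({ type: 'spki', format: 'pem' }) });
  return { body, caSig: sign(body, ca.privateKey) };
}

// Steps 1-3, claimant: complete the form, sign it, encrypt the transaction for the office.
function submitClaim(form, cert, signingKey) {
  const claim = JSON.stringify(form);
  const plain = JSON.stringify({ claim, sig: sign(claim, signingKey), cert });
  const k = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const aes = crypto.createCipheriv('aes-256-gcm', k, iv);
  const ct = Buffer.concat([aes.update(plain, 'utf8'), aes.final()]);
  return { wrapped: crypto.publicEncrypt(office.publicKey, k), iv, ct, tag: aes.getAuthTag() };
}

// Steps 6-8, CA: verify the signer's credentials, sign the response, send it back.
function caValidate(cert) {
  const ok = verify(cert.body, ca.publicKey, cert.caSig) &&
    !revoked.has(JSON.parse(cert.body).subject);
  const answer = JSON.stringify({ certSig: cert.caSig, ok });
  return { answer, sig: sign(answer, ca.privateKey) };
}

// Steps 4, 5 and 9, UI office: decrypt, check validity, process only if every check passes.
function receiveClaim(msg) {
  const k = crypto.privateDecrypt(office.privateKey, msg.wrapped);
  const aes = crypto.createDecipheriv('aes-256-gcm', k, msg.iv);
  aes.setAuthTag(msg.tag);
  const plain = Buffer.concat([aes.update(msg.ct), aes.final()]).toString('utf8');
  const { claim, sig, cert } = JSON.parse(plain);
  const reply = caValidate(cert); // a network round trip to the CA in the slide's flow
  if (!verify(reply.answer, ca.publicKey, reply.sig)) return 'rejected: CA response not authentic';
  if (!JSON.parse(reply.answer).ok) return 'rejected: certificate invalid or revoked';
  if (!verify(claim, JSON.parse(cert.body).key, sig)) return 'rejected: bad claim signature';
  return 'processed';
}
```

The office processes a claim only when three independent checks pass: the CA's reply is authentic, the certificate is CA-signed and not revoked, and the claim signature matches the certified key.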
50
Internet Application Processes
51
Securing the Processes
52
ITSC Contacts
  • ITSC Web Site http://www.itsc.state.md.us
  • Steve Miksell smiksell_at_itsc.org Phone
    301.982.1116
  • Henry James, Executive Director of the ITSC
    hjames_at_itsc.org