Seminar 4A - Effective Security Practices - PowerPoint PPT Presentation

1 / 63
About This Presentation
Title:

Seminar 4A - Effective Security Practices

Description:

Seminar 4A - Effective Security Practices Eoghan Casey, Security Consultant Jack Suess, CIO, UMBC Seminar Agenda EDUCAUSE/I2 Security Task Force initiatives The ... – PowerPoint PPT presentation

Number of Views:298
Avg rating:3.0/5.0
Slides: 64
Provided by: userpage5
Category:

less

Transcript and Presenter's Notes

Title: Seminar 4A - Effective Security Practices


1
Seminar 4A - Effective Security Practices
  • Eoghan Casey, Security Consultant
  • Jack Suess, CIO, UMBC

2
Seminar Agenda
  • EDUCAUSE/I2 Security Task Force initiatives
  • The Effective Security Practices Guide (ESPG)
  • The effective practices solutions (EPS)
    database
  • Questions and Break
  • Case Studies
  • U. California, Berkeley - Preliminary risk
    assessment establishing a computer security
    group and policy
  • UMBC - Basic risk assessment techniques for GLB
  • Georgia Tech - Comprehensive risk assessment
  • RIT - Outside vulnerability assessment
  • Questions and Feedback

3
Introduction to Security Task Force
  • Formed in July 2000
  • Current Co-chairs
  • Jack Suess, UMBC
  • Gordon Wishon, University of Notre Dame
  • Executive Committee of CIOs, Security
    Professionals, and Professional Staff
  • EDUCAUSE Internet2 Staff Support
  • Coordination with Higher Education IT Alliance
  • ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
  • Security Discussion Group

4
2002 Accomplishments
  • Developed the Framework for Action
  • Organized 4 Workshops Funded by NSF
  • Higher Education Values Principles for Security
  • Security Architecture Policy
  • Security in Research Environments
  • Higher Education IT Security Summit
  • Higher Education Contribution to the National
    Strategy to Secure Cyberspace
  • Coordinated or Conducted Outreach Programs

5
Framework for Action
  • Make IT security a higher and more visible
    priority in higher education
  • Do a better job with existing security tools,
    including revision of institutional policies
  • Design, develop, and deploy improved security for
    future research and education networks
  • Raise the level of security collaboration among
    higher education, industry, and government
  • Integrate higher education work on security into
    the broader national effort to strengthen
    critical infrastructure

6
2003 Accomplishments
  • Web Resource www.educause.edu/security
  • Research and Educational Networking Information
    Sharing and Analysis Center (REN-ISAC) at
    Indiana University
  • ACE Letter to Presidents
  • Commissioned White Paper on Legal Issues
  • 1st Annual Security Professionals Workshop
  • Coordinated or Conducted Outreach Programs
  • Authored Leadership Book on Security

7
Message to Presidents
  • Set the tone
  • Insist on community-wide awareness and
    accountability.
  • Establish responsibility for campus-wide
    Cybersecurity at the cabinet level.
  • Ask for a periodic Cybersecurity risk assessment
    that identifies the most important risks to your
    institution. Manage these risks in the context of
    institutional planning and budgeting.
  • Request updates to your Cybersecurity plans on a
    regular basis in response to the rapid evolution
    of the technologies, vulnerabilities, threats,
    and risks.
  • David Ward
  • President, American Council on Education

8
The National Strategy to Secure Cyberspace
  • The National Strategy encourages colleges and
    universities to secure their cyber systems by
    establishing some or all of the following as
    appropriate
  • one or more Information Sharing and Analysis
    Centers to deal with cyber attacks and
    vulnerabilities
  • point-of-contact to Internet service providers
    and law enforcement officials in the event that
    the schools IT systems are discovered to be
    launching cyber attacks
  • model guidelines empowering Chief Information
    Officers (CIOs) to address cybersecurity
  • one or more sets of best practices for IT
    security and,
  • model user awareness programs and materials.

9
Strategic Goals
  • The Security Task Force received a grant from
    National Science Foundation to identify and
    implement a coordinated strategy for computer and
    network security for higher education. The
    following strategic goals have been identified
  • Education and Awareness
  • Standards, Policies, and Procedures
  • Security Architecture and Tools
  • Organization, Information Sharing, and Incident
    Response

10
Current Projects and Initiatives
  • Education and Awareness Initiative
  • Annual Security Professionals Workshop
  • Legal Issues and Institutional Policies
  • Risk Assessment Method and Tools
  • Effective Security Practices Guide
  • Research and Development Initiatives
  • Research and Educational Networking Information
    Sharing Analysis Center
  • Vendor Engagement and Partnerships

11
Research and Education Networking (REN) ISAC at
Indiana University
  • REN-ISAC can view network traffic among
    universities on Internet2
  • This provides a window into what is happening on
    higher education networks (e.g. Slammer or Nachi
    traffic)
  • The REN-ISAC is associated with the Indiana NOC
    and has 7x24 expertise on site.
  • They have access to DHS and the other 12 industry
    ISACs for early warning information
  • Visit www.ren-isac.net

12
Vendor Engagement
  • Vendor practices have a significant impact on
    higher education security
  • Educause established the Corporate CyberSecurity
    Forum to develop linkages with the vendor
    community. Members include - Microsoft, IBM,
    Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and
    SCT
  • Task force visited Microsoft in September to
    explain the needs of higher education. Microsoft
    has been very responsive to suggestions.

13
Identifying Higher Education Security Issues and
Needs
  • Over the last 2 years the NSF, Educause, and I2
    have funded workshops, performed surveys (ECAR),
    and held open meetings at regional and national
    conferences to identify issues and needs.
  • We are now in the process of putting together
    working groups that will continue to build on the
    initial progress we have made.
  • In your appendixes are findings from NSF Security
    Architecture workshop, Effective Practices
    workshop, and the Security At Line Speed (S_at_LS)
    workshop.

14
Key Issues Identified the Past Two Years
  • The following needs were consistently highlighted
  • Policy and procedures
  • Risk and vulnerability assessment
  • Security architecture design
  • Network and host security implementation
  • Intrusion and virus detection and prevention
  • Incident response
  • Encryption, authentication, and authorization
  • Education, training, and awareness

15
Security at Line Speed (S_at_LS)
  • Purpose - How does higher education balance
    security and performance requirements. This
    report should be required reading before a major
    network security overhaul.
  • The report identified 18 network and 8 host-based
    techniques for security and briefly summarized
    the performance and operational impacts of each
    (pg. 9-13)
  • The report details a few of these techniques and
    presents some generic case studies that highlight
    innovative use of these techniques.
  • I hope to see the Effective Practices group
    helping to better describe many of these
    solutions, many of which are open source but can
    be technical challenging to implement.

16
Effective Security Practices Guide (ESPG)for
Higher Education Institutions
  • Balancing Security with Open, Collaborative
    Networking
  • http//www.educause.edu/security/guide

17
Why Not Identify Best Practices
  • Higher education is too diverse in mission and
    size for a single best practice to be effective.
  • Even within a small group of like institutions
    few would identify what they are doing now as
    Best Practices. Everyone felt there is room for
    improvement in what they are doing!
  • Threats are rapidly changing and these effective
    practices may have a limited shelf life. What
    might work today may be useless next year.

18
ESPG Overview
  • Practical approaches to preventing, detecting,
    and responding to security problems
  • Community driven and serving
  • University ISOs and supporting staff
  • Codify experiences of experts
  • Examples of success
  • Potential models to follow
  • Provide for various types of institutions
  • Modular resource
  • Flexibility in presentation implementation

19
ESPG Design and Development
Future contributions
Categories keyword searches
Structured presentation
Seed case studies
Past workshops, discussions community vetting
Suitability, editing, notification update
20
Core Subject Areas
  • Policy
  • Education, Training and Awareness
  • Risk Analysis and Management
  • Security Architecture Design
  • Network and Host Vulnerability Assessment
  • Network and Host Security Implementation
  • Intrusion and Virus Detection
  • Incident Response
  • Encryption, Authentication Authorization
  • Addendum university vendor resources

21
ESPG Highlights
Evolution of Security Practices
22
Evolution of Security Practices
  • It is not possible to jump to the most effective
    practices
  • Cant scan for policy violations without policies
  • Cant develop policies without mature security
    standards
  • Some practices require significant human
    resources
  • Intrusion detection
  • Incident response
  • Some practices become more effective over time
  • Technical support becomes more effective with
    supporting tools, security policies and
    architecture

23
Effective Practices Contributors and Ranking
  • Penn State
  • Purdue
  • U Alabama
  • UC Berkeley
  • UCONN
  • U Maryland, BC
  • U Washington
  • U Wisc, Madison
  • Virginia Tech
  • Yale University
  • Bethune-Cookman
  • Brown
  • Cornell
  • CSUSB
  • GA Tech
  • GWU
  • Indiana University
  • MSCD
  • Notre Dame
  • NC AT

24
Online Demonstration
  • http//www.educause.edu/security/guide

25
Risk Analysis
  • The most effective security practice

26
Types of Risk
  • Strategic Risk
  • Financial Risk
  • Legal Risk
  • Operational Risk
  • Reputation Risk
  • Qayoumi, Mohammad H. Mission Continuity
    Planning Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).
  • National Research Council CSTB Report
    Cybersecurity Today and Tomorrow Pay Now or Pay
    Later (2002)

27
Ideal Risk Analysis Management
  • Knowledge of all relevant regulations
  • Training and awareness of staff
  • Developing plans to audit individual units for
    compliance
  • Developing and implementing a code of conduct for
    the organization
  • Establishing control mechanisms to ensure
    compliance
  • Qayoumi, Mohammad H. Mission Continuity
    Planning Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).

28
Vulnerability Assessment
  • Need policies in place and buy-in
  • Organization-wide assessment is a rarity
  • Not enough time or resources
  • Targeted scanning
  • Critical systems or particular group
  • Tactical scanning
  • New vulnerability publicized
  • Intruder backdoor
  • Self-service/Automation
  • Indianas Scannager Purdue's Nessus Scanning
    Cluster
  • Routine scans automatically run delivered
  • Contact info and trust help with notification

29
Security Architecture Design
  • University is comprised of different groups
  • Need internal and external defense
  • Risk vulnerability assessments guide security
    design
  • Guide presents alternatives with pros cons
  • Router filtering, Firewall, VLAN
  • Bandwidth management
  • Monitoring (e.g., IDS, NetFlow, central logging)
  • VPN
  • Wireless LANs
  • Scalable host security
  • Some application database guidelines

30
Security Implementation
  • Different groups require different approaches
  • Be flexible, use a combination of approaches
  • Self-service necessary, not sufficient
  • Do not put too much on average user
  • Use what comes with box existing tools
  • Automate updates when possible
  • Use network-based solutions (e.g., e-mail
    filtering)
  • Give free security support initially
  • Penalties for persistent failures (public health)
  • Contact info and trust help with implementation

31
Incident Response
  • Policies
  • Privacy and Data retention and access
  • Procedures
  • Who to contact in specific situations
  • Employee lockout if necessary
  • Evidence preservation
  • Prepare systems for evidence collection
  • Response Team
  • Include legal, HR PR
  • Require training and tools
  • Contact info and trust help with incident response

32
Other Subject Areas
  • Intrusion virus detection
  • Host-based versus network-based
  • Encryption authentication
  • PGP versus S/MIME
  • Public Key Infrastructure
  • Central account management
  • Directory services
  • Middleware

33
Example Format
  • 2-5 pages, technical audience
  • Summary of ROI when applicable
  • Background
  • Description
  • Benefits
  • Shortcomings
  • Future plans
  • References

34
Bethune-Cookman
  • Perimeter Cisco PIX with NAT
  • 1600 hosts
  • ResNet on VLAN outside DMZ
  • Problem Blocked multicast traffic
  • Interfered with Access Grid node
  • Created work around with Cisco
  • GRE tunnel on PIX
  • reconfigure internal external routers

35
Cornell
  • Using ACL's on edge routers
  • Opt-in, custom filters (within reason)
  • Protecting 140 departments
  • Protection from internal Internet
  • Uses existing infrastructure
  • Low added expense or training
  • Does not impact entire campus

36
Metro State College Denver
  • LANDesk on 2000 computers
  • configuration asset management
  • software metering
  • 2 standard Windows images
  • 1 for faculty staff, 1 for student labs
  • Costly but effective
  • Commuter campus gt no ResNet

37
Notre Dame IDS
  • 8 Snort sensors
  • 4 at the Internet border
  • 4 in the core
  • SnortCenter
  • central configuration management
  • ACID with modifications
  • Additional scripts
  • archiving e-mail alerting

38
Yale logger.pl
  • Daily summary of NT Security Logs
  • Failed attempts on many machines
  • Incident Response individual account activity

39
BREAK
40
Risk Analysis
  • The most effective security practice given that
    no one has infinite resources and must prioritize
    work.

41
Risk Analysis Overview
  • Risk Threats x Vulnerability x Impact
  • Need to weigh prioritize risks to develop
    strategy
  • Threats
  • Intruders, insiders, accidents, natural disasters
  • Vulnerabilities
  • Weaknesses in design, implementation, or
    operation
  • Impact
  • Level of harm to the institution

42
Practical Risk Analysis in HE
  • Preliminary Risk Analysis (year 1)
  • Gathering allies, data and support
  • Risk Analysis of Critical Processes (year 2)
  • Concentrating on high risk areas
  • Institution-wide Risk Analysis (year 3)
  • Broadening view to include the whole institution

43
Risk Analysis Management
  • Need to prioritize risks and develop strategy
  • Starting from scratch
  • Appoint a person to justify and drive risk
    assessment
  • Gather data and allies, especially auditors
  • Challenges in higher education
  • Lack of resources and centralized control
  • Different groups value different things
  • Example models (STAR, OCTAVE)

44
UC Berkeley
  • Preliminary Risk Assessment
  • Supported by CIO (Jack McCredie)
  • Appointed working group (IT audit)
  • Overcame internal resistance
  • Lack of funds was a major barrier
  • CIO used existing resources
  • Outcomes
  • Overview of risks
  • Dedicated IT security group
  • Basic security policy

45
Berkeley - Keys to Success
  • Management commitment and support
  • Gathered allies
  • involved auditor
  • Report
  • important from educational and political
    standpoint
  • helped develop consensus security strategy
  • Departments that tax themselves
  • hire their own IT support staff

46
Berkeley - Pitfalls Future Plans
  • Lack of funding has delayed progress
  • Lack of technical expertise
  • giving each group responsibility for defending
    selves
  • many groups lack the necessary expertise and
    funding
  • Future plans minimum standards policy
  • goal disconnect systems that do not meet policy
  • important things are hardest to manage (e.g.,
    patching)
  • goal professional support everywhere

47
U of Maryland, Baltimore County
  • Risk Analysis of Critical Process
  • Financial Aid
  • Adapted STAR model
  • Focus on process and information flow
  • Reduced analysis time
  • Relate risk analysis to business process and
    drivers
  • Outcomes
  • Improved security
  • Regulatory compliance

48
Overview of UMBC Risk Assessment for
Gramm-Leach-Bliley (GLB)
  • Focus of risk assessment was primarily Financial
    Aid department.
  • We had a limited time-frame in which to implement
    this assessment due to compliance deadlines
  • Risk assessment focused on the specific
    requirements in (GLB) and did not encompass other
    risk threats

49
Step 1. Met with Key Staff
  • Financial aid director mapped out business
    processes and procedures (half-day)
  • Director of Business Computing mapped out the
    software and hardware systems supporting
    financial aid (2 hours)
  • IT coordinators mapped out network and LAN
    services supporting financial aid (2 hours)

50
Step 2. Model the Information and Communication
Flows
  • From the information provided we developed a
    matrix identifying the information flows between
    source and destination systems
  • To aid understanding and validation of this
    matrix we developed a picture identifying the
    processes and flow of information
  • We met with key staff from step 1 and validated
    the model design

51
(No Transcript)
52
Step 3. Develop Risk Review
  • Key risk components for each entry with X
  • Likelihood
  • Vulnerability
  • Impact
  • Each is assigned a value
  • (0) minimal
  • (1) potentially a problem
  • (2) High
  • Multiply the three values, focus on any area
    where risk value is gt 1.

53
Step 4. Present Risk Review and Develop
Mitigation Plan
  • Meet with the key staff identified in step 1 and
    present the findings for validation
  • Discuss strategies for mitigating identified
    risks and the potential impact on business
    processes
  • For UMBC, primary risks were associated with the
    use and storage of non-public information (NPI)
    on desktops in financial aid.

54
UMBC GLB Risk Mitigation Recommendations
  • Upgrade to Windows 2000, require authenticated
    login to each workstation
  • Configuration policy will auto-update patches and
    installs firewall
  • All files and databases containing (NPI) must be
    located on our Novell servers -- no local
    storage.
  • Financial Aid should be among the first to move
    to our new protected network VLAN this summer.
  • Working with IT Steering on the issue of emailing
    NPI information (should/can this be prohibited
    without encryption)

55
GA Tech
  • Institution-wide risk analysis
  • Conducted by audit department
  • Includes IT and non-IT resources and processes
  • Repeated periodically to monitor progress
  • Outcomes
  • Security strategy
  • Improved awareness of institution-wide risks
  • Regulatory compliance

56
GA Tech Overview
  • Assessment includes non-IT risks
  • general policies, telecomm, insurance
    liabilities, human resources, regulatory
    compliance, health and safety
  • accuracy of financial records
  • Thorough assessment of IT systems
  • security logical, physical, and management
  • FERPA
  • deals with protection of information separately

57
GA Tech Assessing IT Risks
  • Logical security
  • Environmental and physical controls
  • Data stewardship
  • Management and maintenance
  • Backup and recovery
  • Training, S/W licensing, documentation
  • Web site operations and development

58
Rochester Institution of Technology
  • Outsourcing security posture/risk assessment
  • Institution-wide evaluation by objective
    outsiders
  • Interviews with all departments
  • Vulnerability assessment of critical systems
  • Evaluation and reporting of results
  • Outcomes
  • Report of weaknesses and proposed solutions

59
RIT Overview
  • RIT pre-selected the methodology to use - Infosec
    Assessment Methodology developed by the NSA
  • They identified a vendor with experience in this
    methodology.
  • They selected the summer to do the assessment.
    Realized there is no best time to do this.
  • Assessment consisted of
  • Document collection (1 month)
  • On-site interviews (1 week)
  • External scanning and analysis (3 weeks)

60
RIT Process
  • Consultants requested documentation on
    procedures, systems and processes
  • Consultants developed a question bank and met
    with key deans, directors, and VPs.
  • Scanning was coordinated with system
    administrators and did not include DoS.
  • Scheduling and communication were a challenge.
    Interview process took considerable time from
    security staff
  • Communicating results can be challenging. Keeping
    people from being defensive is a challenge

61
RIT Results
  • Demonstrated executive leadership felt security
    was important
  • Gained insight into groups that had not
    documented practices or considered security
  • Many findings were common sense but helped to
    push these changes more broadly
  • Identified certain practices that were
    non-compliant
  • Negatives
  • Cost, effort required of internal staff to
    facilitate, focused too heavily on IT systems not
    business processes

62
Effective Practices Working Group
  • Group of security practitioners that will solicit
    and review effective practices, make
    presentations at regional conferences, and
    provide assistance
  • Convene bi-weekly through a conference call
  • Work closely with SALS_at_ to utilize research
    findings and recommendations (early adopter)
  • A long-range goal for me is to develop common
    criteria for tracking security incidents and use
    those metrics to begin to gauge the benefit of
    different effective practices (before vs.. after)

63
Questions and Discussion?
  • Jack Suess
  • jack_at_umbc.edu
  • Eoghan Casey
  • eco_at_corpus-delicti.com
Write a Comment
User Comments (0)
About PowerShow.com