Securing the Kansas Criminal Justice Information System KCJIS

1
Securing the Kansas Criminal Justice Information
System (KCJIS)

• Ron Rohrer, IT Director
• Norma Jean Schaefer, ITC/ISO
• Kansas Bureau of Investigation

2
What is KCJIS?

• 10 million multiple agency project
• 5 year implementation plan starting 1996
• Major Objectives
• Internet/TCP/IP
• Web technology
• Images (mug shots, fingerprints, crime photos)
• Electronic data collection and dissemination

3
What are the advantages to local jurisdictions?

• Faster - from 4.8K to minimum 56K
• Electronic images such as fingerprints, mug
  shots, crime scene photos
• Electronic abstracts (viewable or printed) (time
  reduced from 6 weeks to 5 minutes)
• Web browser access (low cost)
• Hot file availability

4
What was the KBIs Challenge?

• Internet

5
Why choose the Internet?

• Provides a cost-effective alternative to private,
  dedicated leased lines for long distance data and
  image transfer.
• Kansas Estimated Cost Avoidance
• 1.5 million to state
• 1 million to users

6
What were and are the cost to KCJIS users?

• Prior System
• 4,000 users
• 250 agencies
• 13,000/annually

• New System
• 15,000 users
• 750 agencies
• 800/1st year
• 500/Years 2 3

7
What is the KBIs Internet Concern?

• SECURITY

8
Why worry about security?

• Moved from a more secure, dedicated SNA network
  to a TCP/IP based network.
• KBI LAN has a direct connect to the Internet.
• Using open system architecture.
• Dealing with sensitive data.
• FBI requirement - no state was previously
  approved.

9
What are the KBI Security Objectives?

• Protect all devices and data at the KBI.
• Protect data transmissions over a public carrier.
• Identify the specific device used in transaction.
• Identify the specific user of KCJIS.
• Monitor for intrusion.
• Analyze network vulnerability.

10
CheckPoints Firewall-1

• Protects devices and data on KBI LAN.
• Control In and Out-bound traffic and used to
  create VPN.
• Redundant hardware
• StoneBeat - Software for high availability
• Chrysalis-ITS encryption cards

11
Checkpoint - SecuRemote

• Client-side encryption software.
• Creates a Virtual Private Network (VPN).
• Encrypts ALL data from the desktop to the
  firewall.
• Free for desktops.

12
Entrust Technologies, Inc.

• KCJIS is its own Certificate Authority.
• Utilizes PKI.
• Provides access control.
• State purchased 2,500 certificates.
• Publishes users certificates in a LDAP server.

13
Security Dynamics - SecurID

• Strong user authentication.
• Two factor authentication. Something you know
  (PIN) and something you have (Token).
• Generates unpredictable, one-time-only access
  codes that change every 60 seconds.
• High-availability configuration.

14
Security Dynamics - SecurID

• Used to authenticate to each KCJIS server.
• All KCJIS users will require token.
• Grow to 15,000 users.
• Lower administration.
• 4,000 tokens purchased by the state.

15
Internet Security Systems

• RealSecure
• Automated, real-time intrusion detection and
  response system.
• Interprets hostile activity by recognizing attack
  traffic patterns and alerts KBI administrator.
• Attack can be logged, recorded for later playback
  and/or terminated automatically.
• Can dynamically reconfigure firewall based on
  security policy.

16
Internet Security Systems

• Internet Scanner
• Allows KBI administrators to proactively seek out
  internal system vulnerabilities.
• Identifies and reports exploitable system
  weaknesses.
• This includes these and much more
• password weaknesses
• operating system configuration
• file permissions.
• Review your policies every 6 months.

17
Recap objectives and products

• Protect all devices and data at KBI.
• CheckPoint - Firewall-1
• Protect data transmissions over a public carrier.
• CheckPoint - SecuRemote
• Identify the specific user of KCJIS.
• Security Dynamics - SecurID tokens

18
Recap objectives and products

• Identify the specific device used in transaction.
• Entrust PKI - certificates
• Monitor for intrusion.
• ISS - RealSecure
• Analyze network vulnerability.
• ISS - Internet Security Scanner

19
What was the security budget and actual cost?

• Budget
• 18,000
• 1 firewall
• No additional employees

• Actual Cost
• 485,000 (747,500)
• 21 firewalls
• No additional employees
• 6 security products
• 200,000 for tokens
• 62,500 for certificates

20
What additional security steps has KBI employed?

• Controlled access to building and computer lab.
• Redundant servers
• All KBI employees will be trained continuously on
  use and access of the network and personal
  computers.
• All KBI employees will sign network security and
  acceptable use policies.

21
Where is the KBI today?

• The KBI is the only agency FBI approved to
  transmit Criminal Justice information over the
  Internet. (started 19 months ago)
• All criminal justice agencies, regardless of
  size, are able to access the KBI and federal
  databases.
• Implemented security policies and training 26
  months ago.

22
Conclusion

• Is the KBI secure today? Tomorrow?
• Our objective is to make it so time consuming
  and expensive for unauthorized persons to enter
  our network, that they will go somewhere else.
• The KBI was attacked (formal agreements) in June
  1999 by 20 SEARCH students. Although some KBI
  employees were socially engineered, the students
  were not able to enter our network.

23
Conclusion

• Is using the Internet worth the risk? YES!
• Every criminal justice agency, no matter how
  small, and every authorized user, can access
  NCIC, NLETS and specific KBI databases simply by
  having an Internet service provider and a web
  browser.

24

• They that can give up essential liberty to
  obtain a little temporary safety deserve neither
  liberty or safety.
• Benjamin Franklin
• They that can give up essential security to
  obtain a little temporary access deserve neither
  security or access.
• KBI

25
KBI Security Philosophy

• A good security plan will address security
  objectives and policies. Our mind set is that we
  really do not have a security system, rather an
  on-going security plan and direction. Our
  security system is simply where we are at any
  given moment.
• - Ron Rohrer, KBI