Seminar 4A - Effective Security Practices

1
Seminar 4A - Effective Security Practices
  • Eoghan Casey, Security Consultant
  • Jack Suess, CIO, UMBC

2
Seminar Agenda
  • EDUCAUSE/I2 Security Task Force initiatives
  • The Effective Security Practices Guide (ESPG)
  • The effective practices solutions (EPS)
    database
  • Questions and Break
  • Case Studies
  • U. California, Berkeley - Preliminary risk
    assessment establishing a computer security
    group and policy
  • UMBC - Basic risk assessment techniques for GLB
  • Georgia Tech - Comprehensive risk assessment
  • RIT - Outside vulnerability assessment
  • Questions and Feedback

3
Introduction to Security Task Force
  • Formed in July 2000
  • Current Co-chairs
  • Jack Suess, UMBC
  • Gordon Wishon, University of Notre Dame
  • Executive Committee of CIOs, Security
    Professionals, and Professional Staff
  • EDUCAUSE Internet2 Staff Support
  • Coordination with Higher Education IT Alliance
  • ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
  • Security Discussion Group

4
2002 Accomplishments
  • Developed the Framework for Action
  • Organized 4 Workshops Funded by NSF
  • Higher Education Values Principles for Security
  • Security Architecture Policy
  • Security in Research Environments
  • Higher Education IT Security Summit
  • Higher Education Contribution to the National
    Strategy to Secure Cyberspace
  • Coordinated or Conducted Outreach Programs

5
Framework for Action
  • Make IT security a higher and more visible
    priority in higher education
  • Do a better job with existing security tools,
    including revision of institutional policies
  • Design, develop, and deploy improved security for
    future research and education networks
  • Raise the level of security collaboration among
    higher education, industry, and government
  • Integrate higher education work on security into
    the broader national effort to strengthen
    critical infrastructure

6
2003 Accomplishments
  • Web Resource www.educause.edu/security
  • Research and Educational Networking Information
    Sharing and Analysis Center (REN-ISAC) at
    Indiana University
  • ACE Letter to Presidents
  • Commissioned White Paper on Legal Issues
  • 1st Annual Security Professionals Workshop
  • Coordinated or Conducted Outreach Programs
  • Authored Leadership Book on Security

7
Message to Presidents
  • Set the tone
  • Insist on community-wide awareness and
    accountability.
  • Establish responsibility for campus-wide
    Cybersecurity at the cabinet level.
  • Ask for a periodic Cybersecurity risk assessment
    that identifies the most important risks to your
    institution. Manage these risks in the context of
    institutional planning and budgeting.
  • Request updates to your Cybersecurity plans on a
    regular basis in response to the rapid evolution
    of the technologies, vulnerabilities, threats,
    and risks.
  • David Ward
  • President, American Council on Education

8
The National Strategy to Secure Cyberspace
  • The National Strategy encourages colleges and
    universities to secure their cyber systems by
    establishing some or all of the following as
    appropriate
  • one or more Information Sharing and Analysis
    Centers to deal with cyber attacks and
    vulnerabilities
  • point-of-contact to Internet service providers
    and law enforcement officials in the event that
    the school's IT systems are discovered to be
    launching cyber attacks
  • model guidelines empowering Chief Information
    Officers (CIOs) to address cybersecurity
  • one or more sets of best practices for IT
    security and,
  • model user awareness programs and materials.

9
Strategic Goals
  • The Security Task Force received a grant from
    National Science Foundation to identify and
    implement a coordinated strategy for computer and
    network security for higher education. The
    following strategic goals have been identified
  • Education and Awareness
  • Standards, Policies, and Procedures
  • Security Architecture and Tools
  • Organization, Information Sharing, and Incident
    Response

10
Current Projects and Initiatives
  • Education and Awareness Initiative
  • Annual Security Professionals Workshop
  • Legal Issues and Institutional Policies
  • Risk Assessment Method and Tools
  • Effective Security Practices Guide
  • Research and Development Initiatives
  • Research and Educational Networking Information
    Sharing Analysis Center
  • Vendor Engagement and Partnerships

11
Research and Education Networking (REN) ISAC at
Indiana University
  • REN-ISAC can view network traffic among
    universities on Internet2
  • This provides a window into what is happening on
    higher education networks (e.g. Slammer or Nachi
    traffic)
  • The REN-ISAC is associated with the Indiana NOC
    and has 7x24 expertise on site.
  • They have access to DHS and the other 12 industry
    ISACs for early warning information
  • Visit www.ren-isac.net

12
Vendor Engagement
  • Vendor practices have a significant impact on
    higher education security
  • Educause established the Corporate CyberSecurity
    Forum to develop linkages with the vendor
    community. Members include - Microsoft, IBM,
    Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and
    SCT
  • Task force visited Microsoft in September to
    explain the needs of higher education. Microsoft
    has been very responsive to suggestions.

13
Identifying Higher Education Security Issues and
Needs
  • Over the last 2 years the NSF, Educause, and I2
    have funded workshops, performed surveys (ECAR),
    and held open meetings at regional and national
    conferences to identify issues and needs.
  • We are now in the process of putting together
    working groups that will continue to build on the
    initial progress we have made.
  • In your appendixes are findings from the NSF Security
    Architecture workshop, the Effective Practices
    workshop, and the Security At Line Speed (S@LS)
    workshop.

14
Key Issues Identified the Past Two Years
  • The following needs were consistently highlighted
  • Policy and procedures
  • Risk and vulnerability assessment
  • Security architecture design
  • Network and host security implementation
  • Intrusion and virus detection and prevention
  • Incident response
  • Encryption, authentication, and authorization
  • Education, training, and awareness

15
Security at Line Speed (S@LS)
  • Purpose - How does higher education balance
    security and performance requirements? This
    report should be required reading before a major
    network security overhaul.
  • The report identified 18 network and 8 host-based
    techniques for security and briefly summarized
    the performance and operational impacts of each
    (pg. 9-13)
  • The report details a few of these techniques and
    presents some generic case studies that highlight
    innovative use of these techniques.
  • I hope to see the Effective Practices group
    helping to better describe many of these
    solutions, many of which are open source but can
    be technically challenging to implement.

16
Effective Security Practices Guide (ESPG) for
Higher Education Institutions
  • Balancing Security with Open, Collaborative
    Networking
  • http://www.educause.edu/security/guide

17
Why Not Identify Best Practices
  • Higher education is too diverse in mission and
    size for a single best practice to be effective.
  • Even within a small group of like institutions
    few would identify what they are doing now as
    Best Practices. Everyone felt there is room for
    improvement in what they are doing!
  • Threats are rapidly changing and these effective
    practices may have a limited shelf life. What
    might work today may be useless next year.

18
ESPG Overview
  • Practical approaches to preventing, detecting,
    and responding to security problems
  • Community driven and serving
  • University ISOs and supporting staff
  • Codify experiences of experts
  • Examples of success
  • Potential models to follow
  • Provide for various types of institutions
  • Modular resource
  • Flexibility in presentation & implementation

19
ESPG Design and Development
  • Future contributions
  • Categories & keyword searches
  • Structured presentation
  • Seed case studies
  • Past workshops, discussions & community vetting
  • Suitability, editing, notification & update
20
Core Subject Areas
  • Policy
  • Education, Training and Awareness
  • Risk Analysis and Management
  • Security Architecture Design
  • Network and Host Vulnerability Assessment
  • Network and Host Security Implementation
  • Intrusion and Virus Detection
  • Incident Response
  • Encryption, Authentication & Authorization
  • Addendum: university & vendor resources

21
ESPG Highlights
Evolution of Security Practices
22
Evolution of Security Practices
  • It is not possible to jump to the most effective
    practices
  • Can't scan for policy violations without policies
  • Can't develop policies without mature security
    standards
  • Some practices require significant human
    resources
  • Intrusion detection
  • Incident response
  • Some practices become more effective over time
  • Technical support becomes more effective with
    supporting tools, security policies and
    architecture

23
Effective Practices Contributors and Ranking
  • Penn State
  • Purdue
  • U Alabama
  • UC Berkeley
  • UCONN
  • U Maryland, BC
  • U Washington
  • U Wisc, Madison
  • Virginia Tech
  • Yale University
  • Bethune-Cookman
  • Brown
  • Cornell
  • CSUSB
  • GA Tech
  • GWU
  • Indiana University
  • MSCD
  • Notre Dame
  • NC A&T

24
Online Demonstration
  • http://www.educause.edu/security/guide

25
Risk Analysis
  • The most effective security practice

26
Types of Risk
  • Strategic Risk
  • Financial Risk
  • Legal Risk
  • Operational Risk
  • Reputation Risk
  • Qayoumi, Mohammad H. Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).
  • National Research Council CSTB Report,
    Cybersecurity Today and Tomorrow: Pay Now or Pay
    Later (2002)

27
Ideal Risk Analysis & Management
  • Knowledge of all relevant regulations
  • Training and awareness of staff
  • Developing plans to audit individual units for
    compliance
  • Developing and implementing a code of conduct for
    the organization
  • Establishing control mechanisms to ensure
    compliance
  • Qayoumi, Mohammad H. Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations, NACUBO (2002).

28
Vulnerability Assessment
  • Need policies in place and buy-in
  • Organization-wide assessment is a rarity
  • Not enough time or resources
  • Targeted scanning
  • Critical systems or particular group
  • Tactical scanning
  • New vulnerability publicized
  • Intruder backdoor
  • Self-service/Automation
  • Indiana's Scannager & Purdue's Nessus Scanning
    Cluster
  • Routine scans automatically run & delivered
  • Contact info and trust help with notification

29
Security Architecture Design
  • University is comprised of different groups
  • Need internal and external defense
  • Risk & vulnerability assessments guide security
    design
  • Guide presents alternatives with pros & cons
  • Router filtering, Firewall, VLAN
  • Bandwidth management
  • Monitoring (e.g., IDS, NetFlow, central logging)
  • VPN
  • Wireless LANs
  • Scalable host security
  • Some application & database guidelines

30
Security Implementation
  • Different groups require different approaches
  • Be flexible, use a combination of approaches
  • Self-service necessary, not sufficient
  • Do not put too much on average user
  • Use what comes with the box & existing tools
  • Automate updates when possible
  • Use network-based solutions (e.g., e-mail
    filtering)
  • Give free security support initially
  • Penalties for persistent failures (public health)
  • Contact info and trust help with implementation

31
Incident Response
  • Policies
  • Privacy and Data retention and access
  • Procedures
  • Who to contact in specific situations
  • Employee lockout if necessary
  • Evidence preservation
  • Prepare systems for evidence collection
  • Response Team
  • Include legal, HR & PR
  • Require training and tools
  • Contact info and trust help with incident response

32
Other Subject Areas
  • Intrusion & virus detection
  • Host-based versus network-based
  • Encryption & authentication
  • PGP versus S/MIME
  • Public Key Infrastructure
  • Central account management
  • Directory services
  • Middleware

33
Example Format
  • 2-5 pages, technical audience
  • Summary of ROI when applicable
  • Background
  • Description
  • Benefits
  • Shortcomings
  • Future plans
  • References

34
Bethune-Cookman
  • Perimeter Cisco PIX with NAT
  • 1600 hosts
  • ResNet on VLAN outside DMZ
  • Problem: blocked multicast traffic
  • Interfered with Access Grid node
  • Created workaround with Cisco
  • GRE tunnel on PIX
  • reconfigured internal & external routers

35
Cornell
  • Using ACL's on edge routers
  • Opt-in, custom filters (within reason)
  • Protecting 140 departments
  • Protection from internal Internet
  • Uses existing infrastructure
  • Low added expense or training
  • Does not impact entire campus

36
Metro State College Denver
  • LANDesk on 2000 computers
  • configuration & asset management
  • software metering
  • 2 standard Windows images
  • 1 for faculty & staff, 1 for student labs
  • Costly but effective
  • Commuter campus -> no ResNet

37
Notre Dame IDS
  • 8 Snort sensors
  • 4 at the Internet border
  • 4 in the core
  • SnortCenter
  • central configuration management
  • ACID with modifications
  • Additional scripts
  • archiving & e-mail alerting

38
Yale logger.pl
  • Daily summary of NT Security Logs
  • Failed attempts on many machines
  • Incident Response: individual account activity
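An added example of the two uses the Yale slide names (a daily summary of failed logons across many machines, and pulling one account's activity for incident response). This is not Yale's logger.pl; it parses a constructed, simplified key=value export of NT security-log records, and the host and user names are made up.

```python
"""Daily failed-logon summary over NT security-log records (added example,
not Yale's logger.pl). Input is a constructed, simplified key=value export."""
import re
from collections import Counter, defaultdict

# Constructed sample records, one per line.
# Event 529 = logon failure (unknown user name or bad password) on NT/2000;
# event 528 = successful logon.
SAMPLE_LOG = """\
2003-10-14 08:12:03 host=FA-PC07 event=529 user=jsmith
2003-10-14 08:12:09 host=FA-PC07 event=529 user=jsmith
2003-10-14 08:12:15 host=FA-PC07 event=528 user=jsmith
2003-10-14 02:41:10 host=LIB-PC02 event=529 user=administrator
2003-10-14 02:41:11 host=LIB-PC02 event=529 user=administrator
2003-10-14 02:41:12 host=LIB-PC02 event=529 user=administrator
2003-10-14 02:41:13 host=LIB-PC02 event=529 user=administrator
2003-10-14 02:44:02 host=HR-PC11 event=529 user=administrator
2003-10-14 02:44:03 host=HR-PC11 event=529 user=administrator
2003-10-14 09:05:44 host=HR-PC11 event=528 user=mlee
2003-10-13 23:58:01 host=HR-PC11 event=529 user=administrator
"""

RECORD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+)$")

FAILED_LOGON = "529"


def parse(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield m.groupdict()


def daily_failed_summary(text, day):
    """Failed logons on `day`: counts per host, counts per user, and the
    hosts each user failed on (the same account failing on many machines
    is the signal worth reading first)."""
    per_host, per_user = Counter(), Counter()
    hosts_by_user = defaultdict(set)
    for r in parse(text):
        if r["date"] == day and r["event"] == FAILED_LOGON:
            per_host[r["host"]] += 1
            per_user[r["user"]] += 1
            hosts_by_user[r["user"]].add(r["host"])
    return per_host, per_user, {u: sorted(h) for u, h in hosts_by_user.items()}


def account_activity(text, user):
    """Every record for one account, oldest first, for incident response."""
    rows = [r for r in parse(text) if r["user"] == user]
    return sorted(rows, key=lambda r: (r["date"], r["time"]))


if __name__ == "__main__":
    hosts, users, spread = daily_failed_summary(SAMPLE_LOG, "2003-10-14")
    for user, n in users.most_common():
        print(f"{user}: {n} failures on {', '.join(spread[user])}")
```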

39
BREAK
40
Risk Analysis
  • The most effective security practice given that
    no one has infinite resources and must prioritize
    work.

41
Risk Analysis Overview
  • Risk = Threats x Vulnerability x Impact
  • Need to weigh & prioritize risks to develop
    strategy
  • Threats
  • Intruders, insiders, accidents, natural disasters
  • Vulnerabilities
  • Weaknesses in design, implementation, or
    operation
  • Impact
  • Level of harm to the institution

42
Practical Risk Analysis in HE
  • Preliminary Risk Analysis (year 1)
  • Gathering allies, data and support
  • Risk Analysis of Critical Processes (year 2)
  • Concentrating on high risk areas
  • Institution-wide Risk Analysis (year 3)
  • Broadening view to include the whole institution

43
Risk Analysis & Management
  • Need to prioritize risks and develop strategy
  • Starting from scratch
  • Appoint a person to justify and drive risk
    assessment
  • Gather data and allies, especially auditors
  • Challenges in higher education
  • Lack of resources and centralized control
  • Different groups value different things
  • Example models (STAR, OCTAVE)

44
UC Berkeley
  • Preliminary Risk Assessment
  • Supported by CIO (Jack McCredie)
  • Appointed working group (IT audit)
  • Overcame internal resistance
  • Lack of funds was a major barrier
  • CIO used existing resources
  • Outcomes
  • Overview of risks
  • Dedicated IT security group
  • Basic security policy

45
Berkeley - Keys to Success
  • Management commitment and support
  • Gathered allies
  • involved auditor
  • Report
  • important from educational and political
    standpoint
  • helped develop consensus security strategy
  • Departments that tax themselves
  • hire their own IT support staff

46
Berkeley - Pitfalls & Future Plans
  • Lack of funding has delayed progress
  • Lack of technical expertise
  • giving each group responsibility for defending
    themselves
  • many groups lack the necessary expertise and
    funding
  • Future plans: minimum standards policy
  • goal: disconnect systems that do not meet policy
  • important things are hardest to manage (e.g.,
    patching)
  • goal: professional support everywhere

47
U of Maryland, Baltimore County
  • Risk Analysis of Critical Process
  • Financial Aid
  • Adapted STAR model
  • Focus on process and information flow
  • Reduced analysis time
  • Relate risk analysis to business process and
    drivers
  • Outcomes
  • Improved security
  • Regulatory compliance

48
Overview of UMBC Risk Assessment for
Gramm-Leach-Bliley (GLB)
  • Focus of risk assessment was primarily Financial
    Aid department.
  • We had a limited time-frame in which to implement
    this assessment due to compliance deadlines
  • Risk assessment focused on the specific
    requirements in (GLB) and did not encompass other
    risk threats

49
Step 1. Met with Key Staff
  • Financial aid director mapped out business
    processes and procedures (half-day)
  • Director of Business Computing mapped out the
    software and hardware systems supporting
    financial aid (2 hours)
  • IT coordinators mapped out network and LAN
    services supporting financial aid (2 hours)

50
Step 2. Model the Information and Communication
Flows
  • From the information provided we developed a
    matrix identifying the information flows between
    source and destination systems
  • To aid understanding and validation of this
    matrix we developed a picture identifying the
    processes and flow of information
  • We met with key staff from step 1 and validated
    the model design

51
(No Transcript)
52
Step 3. Develop Risk Review
  • Key risk components for each matrix entry marked
    with an X
  • Likelihood
  • Vulnerability
  • Impact
  • Each is assigned a value
  • (0) minimal
  • (1) potentially a problem
  • (2) High
  • Multiply the three values, focus on any area
    where the risk value is > 1.

53
Step 4. Present Risk Review and Develop
Mitigation Plan
  • Meet with the key staff identified in step 1 and
    present the findings for validation
  • Discuss strategies for mitigating identified
    risks and the potential impact on business
    processes
  • For UMBC, primary risks were associated with the
    use and storage of non-public information (NPI)
    on desktops in financial aid.
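Steps 2 through 4 above, carried through in code as an added example (not UMBC's own tooling): an information-flow matrix is scored on the 0/1/2 scale from step 3, each entry's risk is the product of its three components (the Risk = Threats x Vulnerability x Impact formula from the Risk Analysis Overview slide, with Likelihood standing in for Threats as in step 3), and entries with risk > 1 are flagged for the mitigation discussion. The flows, systems and scores below are constructed for illustration.

```python
"""Risk review over an information-flow matrix (added example; the flows,
system names and scores are constructed, not UMBC's actual assessment)."""
from dataclasses import dataclass

MINIMAL, POTENTIAL, HIGH = 0, 1, 2   # value scale from step 3
RISK_THRESHOLD = 1                   # step 3: focus where risk value > 1


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    data: str            # what moves, e.g. "NPI" (non-public information)
    likelihood: int      # 0..2
    vulnerability: int   # 0..2
    impact: int          # 0..2

    def __post_init__(self):
        for name in ("likelihood", "vulnerability", "impact"):
            v = getattr(self, name)
            if v not in (MINIMAL, POTENTIAL, HIGH):
                raise ValueError(f"{name} must be 0, 1 or 2, got {v!r}")

    @property
    def risk(self) -> int:
        # Multiplying means a 0 in any component zeroes the entry: a flow is
        # only flagged when it is likely, exposed AND harmful.
        return self.likelihood * self.vulnerability * self.impact


# Constructed sample matrix of financial-aid information flows (step 2).
FLOWS = [
    Flow("Student (web form)", "SIS mainframe", "NPI", HIGH, POTENTIAL, HIGH),
    Flow("SIS mainframe", "Financial-aid desktops", "NPI", HIGH, HIGH, HIGH),
    Flow("Financial-aid desktops", "Novell file server", "NPI", HIGH, POTENTIAL, POTENTIAL),
    Flow("Financial-aid staff", "External lender (e-mail)", "NPI", POTENTIAL, HIGH, HIGH),
    Flow("SIS mainframe", "Reporting database", "aggregate counts", HIGH, POTENTIAL, MINIMAL),
]


def risk_review(flows):
    """Entries ordered by descending risk (ties keep matrix order)."""
    return sorted(flows, key=lambda f: f.risk, reverse=True)


def flagged(flows, threshold=RISK_THRESHOLD):
    """Entries to bring to the step 4 mitigation discussion."""
    return [f for f in risk_review(flows) if f.risk > threshold]


def render(flows):
    """Plain-text risk review table for presenting back to key staff."""
    lines = [f"{'source':<24}{'destination':<26}{'data':<18}L V I  risk"]
    for f in risk_review(flows):
        mark = "  <- mitigate" if f.risk > RISK_THRESHOLD else ""
        lines.append(f"{f.source:<24}{f.destination:<26}{f.data:<18}"
                     f"{f.likelihood} {f.vulnerability} {f.impact}  {f.risk:>4}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(FLOWS))
```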

54
UMBC GLB Risk Mitigation Recommendations
  • Upgrade to Windows 2000, require authenticated
    login to each workstation
  • Configuration policy will auto-update patches and
    install a firewall
  • All files and databases containing (NPI) must be
    located on our Novell servers -- no local
    storage.
  • Financial Aid should be among the first to move
    to our new protected network VLAN this summer.
  • Working with IT Steering on the issue of emailing
    NPI information (should/can this be prohibited
    without encryption)

55
GA Tech
  • Institution-wide risk analysis
  • Conducted by audit department
  • Includes IT and non-IT resources and processes
  • Repeated periodically to monitor progress
  • Outcomes
  • Security strategy
  • Improved awareness of institution-wide risks
  • Regulatory compliance

56
GA Tech Overview
  • Assessment includes non-IT risks
  • general policies, telecomm, insurance
    liabilities, human resources, regulatory
    compliance, health and safety
  • accuracy of financial records
  • Thorough assessment of IT systems
  • security logical, physical, and management
  • FERPA
  • deals with protection of information separately

57
GA Tech Assessing IT Risks
  • Logical security
  • Environmental and physical controls
  • Data stewardship
  • Management and maintenance
  • Backup and recovery
  • Training, S/W licensing, documentation
  • Web site operations and development

58
Rochester Institute of Technology
  • Outsourcing security posture/risk assessment
  • Institution-wide evaluation by objective
    outsiders
  • Interviews with all departments
  • Vulnerability assessment of critical systems
  • Evaluation and reporting of results
  • Outcomes
  • Report of weaknesses and proposed solutions

59
RIT Overview
  • RIT pre-selected the methodology to use - Infosec
    Assessment Methodology developed by the NSA
  • They identified a vendor with experience in this
    methodology.
  • They selected the summer to do the assessment.
    Realized there is no best time to do this.
  • Assessment consisted of
  • Document collection (1 month)
  • On-site interviews (1 week)
  • External scanning and analysis (3 weeks)

60
RIT Process
  • Consultants requested documentation on
    procedures, systems and processes
  • Consultants developed a question bank and met
    with key deans, directors, and VPs.
  • Scanning was coordinated with system
    administrators and did not include DoS.
  • Scheduling and communication were a challenge.
    Interview process took considerable time from
    security staff
  • Communicating results can be challenging. Keeping
    people from being defensive is a challenge

61
RIT Results
  • Demonstrated executive leadership felt security
    was important
  • Gained insight into groups that had not
    documented practices or considered security
  • Many findings were common sense but helped to
    push these changes more broadly
  • Identified certain practices that were
    non-compliant
  • Negatives
  • Cost, effort required of internal staff to
    facilitate, focused too heavily on IT systems not
    business processes

62
Effective Practices Working Group
  • Group of security practitioners that will solicit
    and review effective practices, make
    presentations at regional conferences, and
    provide assistance
  • Convene bi-weekly through a conference call
  • Work closely with S@LS to utilize research
    findings and recommendations (early adopter)
  • A long-range goal for me is to develop common
    criteria for tracking security incidents and use
    those metrics to begin to gauge the benefit of
    different effective practices (before vs. after)

63
Questions and Discussion?
  • Jack Suess
  • jack@umbc.edu
  • Eoghan Casey
  • eco@corpus-delicti.com