Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Create an IT Security Program Tracy Mitrano Steve Schuster R. David Vernon Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This.

Similar presentations


Presentation on theme: "How to Create an IT Security Program Tracy Mitrano Steve Schuster R. David Vernon Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This."— Presentation transcript:

1 How to Create an IT Security Program Tracy Mitrano Steve Schuster R. David Vernon Copyright Tracy Mitrano, Steven Schuster and David Vernon, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Outline History History The policy component The policy component Security office today Security office today

3 Setting the Stage Why worry? Why worry? Increased reliance on IT to support the teaching, research and business functions of Cornell Increased reliance on IT to support the teaching, research and business functions of Cornell Nature of the IT tools being used Nature of the IT tools being used Operating systems Operating systems Cornell as an ISP Cornell as an ISP IP networks IP networks Vast application suites Vast application suites

4 Why Worry … National scrutiny National scrutiny Post 9/11 Post 9/11 Recording industry / copyright issues Recording industry / copyright issues Higher education as a “scapegoat” … Higher education as a “scapegoat” … Peer pressure (Educause, I2, University presidents …) Peer pressure (Educause, I2, University presidents …) HIPAA, FERPA … HIPAA, FERPA … General liability specter of changing laws General liability specter of changing laws And, of course, increase in attacks … And, of course, increase in attacks …

5 What do Our Peers Think a Security Program Should Do? Surveyed Members of the Common Solution group. Surveyed Members of the Common Solution group. R1 / Ivy … R1 / Ivy … What are your “top 10” Information Technology Security service needs? What are your “top 10” Information Technology Security service needs?

6 1) Information Technology Security Audits / Assessments Vulnerability scanning Vulnerability scanning System hardware and application architecture review System hardware and application architecture review Patch status Patch status Open relay notification Open relay notification

7 2) Information Technology Security Tool Provisioning Virus software distribution Virus software distribution Firewall software distribution / firewall hardware provisioning Firewall software distribution / firewall hardware provisioning Custom security tool kit development Custom security tool kit development Secure network (VPN) services Secure network (VPN) services Secure machine room services (Collocation) Secure machine room services (Collocation) Central filtering (Spam and virus) Central filtering (Spam and virus)

8 3) Incident Response Coordination and information dissemination Coordination and information dissemination Internal & external parties Internal & external parties Damage control / isolation Damage control / isolation Forensic analysis Forensic analysis Resolution Resolution Post incident review Post incident review

9 4) Information Technology Security Awareness Classes / Training Classes / Training Technical Technical Executive Executive General patron General patron Publications (Online and paper) Publications (Online and paper) Speakers Speakers Alerts: – virus / worm notifications. Alerts: – virus / worm notifications. Consulting Consulting Technical Technical Executive Executive

10 5) Intrusion Detection Network monitoring Network monitoring Network and central application log examination Network and central application log examination

11 6) Authentication / Authorization Services Certificate signing / authority Certificate signing / authority Cryptographic key handling / escrow Cryptographic key handling / escrow Access control Access control

12 7) Information Technology Policy Enforcement and Abuse Response. Copyright infringement notification Copyright infringement notification Response to abuse of applications / hardware Response to abuse of applications / hardware Authority to enforce policy via technical means and university governance Authority to enforce policy via technical means and university governance Formalized liaison role with legal / and select university authorities. Formalized liaison role with legal / and select university authorities.

13 And Finally - 8) Security Related Internet Standards Work 8) Security Related Internet Standards Work 9) Information Technology Policy Development 9) Information Technology Policy Development 10) Contingency Planning 10) Contingency Planning Disaster recovery Disaster recovery Business continuity Business continuity

14 Within Cornell List is not unexpected List is not unexpected Nice outline of ideal service scope Nice outline of ideal service scope However what is “obvious” is not always simple … However what is “obvious” is not always simple … Nature of Cornell’s decentralized control of IT Nature of Cornell’s decentralized control of IT Nature of IT technology Nature of IT technology Budget constraints, etc Budget constraints, etc Demand for new services Demand for new services

15 Cornell Guidance Security Taskforce Security Taskforce Charged by VP of IT Charged by VP of IT Examine current structures and recommend changes if needed. Examine current structures and recommend changes if needed. Members included: Members included: JA, CU Police, Legal Council, Audit Office, Financial systems, Policy advisor, FABIT, CCD’s, Planning Information & Policy Analysis, OIT and CIT. JA, CU Police, Legal Council, Audit Office, Financial systems, Policy advisor, FABIT, CCD’s, Planning Information & Policy Analysis, OIT and CIT.

16 Taskforce Concluded Create an Information Technologies Security Office Create an Information Technologies Security Office Appoint an Information Technologies Security Officer to direct the ITSO Appoint an Information Technologies Security Officer to direct the ITSO Merge CIT virus, abuse and security functions under the ITSO Merge CIT virus, abuse and security functions under the ITSO Office would be charged to … Office would be charged to …

17 Be the locus of information technology security at Cornell. Have formal authority to act on the University’s behalf to assure adoption of relevant University Policy and appropriate response to IT threats that could act to violate University policies or laws. Identify campus-wide IT security needs. Act to coordinate campus-wide information technology security services. Provide proactive services, such as education and monitoring for network anomalies. Provide reactive services, such as incident response and damage control.

18 Enable coordinated response from key University agents, such as Cornell Police, Audit, JA, Legal Counsel and other related parties. Act as an interface with external agents, such as local, state and federal law enforcement. Work in close partnership with campus agents responsible for policy and infrastructure development. Work to optimize institutional investment in IT tools to assure broad utility, such as authentication, authorization and encryption applications. Be a diplomatic liaison to assure best response from within a highly decentralized campus.

19 Recap Security Locus Security Locus Collaborative Collaborative Partnering Partnering Proactive Proactive Educating Educating Diplomat – (But with just enough “teeth”…) Diplomat – (But with just enough “teeth”…)

20 However What is “Obvious” is Not Always Simple – Revisited. Given Given Limited resources Limited resources Smart independent departments Smart independent departments Workforce planning Workforce planning Nature of IP, poor default OS security, ... Nature of IP, poor default OS security, ... National pressures National pressures And a strong desire not to “throw the baby out with the bathwater.” And a strong desire not to “throw the baby out with the bathwater.” What do we do? What do we do?

21 First Steps Taskforce perspective is correct Taskforce perspective is correct Hire a director! Hire a director! “Top Ten” list as a service target “Top Ten” list as a service target Triage – identify areas of greatest risks Triage – identify areas of greatest risks Form guidance groups Form guidance groups Executive Executive Taskforce members Taskforce members Operational Operational Technical talent throughout Cornell Technical talent throughout Cornell

22 First Steps Continued … Work within the Cornell policy process to identify the balance between evasive control and users expectations for privacy and open access. Work within the Cornell policy process to identify the balance between evasive control and users expectations for privacy and open access. Leverage national relationships Leverage national relationships Computer Policy and Law Computer Policy and Law I2/ Educause I2/ Educause Other national resources (CERT…) Other national resources (CERT…)

23 First Steps Continued … Embrace the notion of desktop stewardship Embrace the notion of desktop stewardship Principle problem at Cornell today Principle problem at Cornell today Assume that the Internet is and will always be insecure Assume that the Internet is and will always be insecure Story of CIT and desktop stewardship Story of CIT and desktop stewardship

24 Oh Yes, and … P2P / Copyright P2P / Copyright Education Education Pervasive mobile devices / wireless Pervasive mobile devices / wireless Registry / Network Authentication Registry / Network Authentication Digital asset management Digital asset management Control of digital assets outside of Cornell’s domain Control of digital assets outside of Cornell’s domain Fingerprinting Fingerprinting Authorization / Authentication outside of Cornell’s domain Authorization / Authentication outside of Cornell’s domain Expectation to be a national leader Expectation to be a national leader Need to balance with internal demands Need to balance with internal demands

25 Closing Thoughts Recognition of current work Recognition of current work Departments Departments CIT & the office of the VP of IT (OIT) CIT & the office of the VP of IT (OIT) CIT Security, Abuse and Virus support CIT Security, Abuse and Virus support OIT Policy program OIT Policy program Ponder the value of net billing generated awareness Ponder the value of net billing generated awareness The “Workforce Planning” context The “Workforce Planning” context

26 Closing Thoughts … Balance, Balance, Balance … Balance, Balance, Balance … Challenge may shift over time Challenge may shift over time Formal authority (Nice to have, but ideally should never be needed.) Formal authority (Nice to have, but ideally should never be needed.) Ramifications of ad-hoc IT security Ramifications of ad-hoc IT security Campus desires more support, but the program will fail without the support of campus Campus desires more support, but the program will fail without the support of campus

27 Cornell’s Security Program: The Policy Component Tracy Mitrano Director of IT Policy Computer Policy and Law Program

28 Policy: Big “P” and Little “p” Big P Big P National arena National arena EDUCAUSE’s position on FBI’s petition to the FCC to extend CALEA to data networks EDUCAUSE’s position on FBI’s petition to the FCC to extend CALEA to data networks National security policy National security policy Little P Little P Institutional policy Institutional policy IT security policies: a piece of a larger whole IT security policies: a piece of a larger whole IT security policies not the same thing as national security IT security policies not the same thing as national security

29 Policy Picture at Cornell University Policy Office University Policy Office Centralized office for a decentralized institution Centralized office for a decentralized institution Formulation and Issuance of university policy Formulation and Issuance of university policy Volume 5: Information Technologies Volume 5: Information Technologies

30

31 Four Policies for IT Security Escrow of Encryption Keys Escrow of Encryption Keys Reporting Security Incidents Reporting Security Incidents 1.html 1.html Security of Information Technology Resources Security of Information Technology Resources Network Registry Network Registry

32 Escrow of Encryption Keys Cornell University expects stewards, custodians, and users of institutional administrative data who deploy software or algorithmic programs for encryption to establish procedures ensuring that the university has access to all such records and data.

33 Reporting Security Incidents Users of Information Technology devices connected to the Cornell network must report all electronic security incidents promptly and to the appropriate party or office.

34 Security of Information Technology Resources Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.

35 Network Registry Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the Cornell network in a continuously updated central CIT network registry service.

36 Conclusion IT security policy is a piece of the IT policy puzzle, which is itself another piece of the larger whole of university policy designed to preserve and protect institutional assets and interests, comply with all applicable laws, and contribute to the citizenship experience of membership to the university community. ml ml

37 Cornell’s Security Program: The Security Office Today Steve Schuster

38 Objectives What is an effective security program? What is an effective security program? Describe the broad elements of the Cornell IT Security Office Describe the broad elements of the Cornell IT Security Office Discuss current priorities Discuss current priorities Outline some specific efforts and services Outline some specific efforts and services Some emerging lessons learned Some emerging lessons learned

39 An Effective IT Security Program Must: Aid in the establishment of security policies that are enforceable, understandable and implementable Aid in the establishment of security policies that are enforceable, understandable and implementable Train faculty, staff and students with respect to IT security policies and their responsibilities to protect IT resources and data Train faculty, staff and students with respect to IT security policies and their responsibilities to protect IT resources and data Implement an infrastructure that enforces the principles articulated in the policies and protects the IT resources and data within the institution Implement an infrastructure that enforces the principles articulated in the policies and protects the IT resources and data within the institution Implement sound risk assessment practices to identify IT security risks and vulnerabilities within the IT infrastructure Implement sound risk assessment practices to identify IT security risks and vulnerabilities within the IT infrastructure Provide monitoring and analysis of the infrastructure to identify unauthorized activities Provide monitoring and analysis of the infrastructure to identify unauthorized activities Develop appropriate analysis and response procedures to efficiently respond and effectively manage IT security incidents Develop appropriate analysis and response procedures to efficiently respond and effectively manage IT security incidents Develop business continuity plans that ensure the appropriate availability of critical IT resources Develop business continuity plans that ensure the appropriate availability of critical IT resources

40 Security Program Elements Security is a process – not a product Security Policy and User Awareness Security Policy and User Awareness Secure Infrastructure Implementation Secure Infrastructure Implementation Business Continuity And Disaster Recovery Business Continuity And Disaster Recovery Continuous Risk Assessment & Penetration Testing Continuous Risk Assessment & Penetration Testing Security Monitoring And Analysis Security Monitoring And Analysis Incident Response Processes And Procedures Incident Response Processes And Procedures Responsible use, acceptable behavior and expected results Building security and services into the infrastructure Risks assessments performed regularly Within the infrastructure Monitoring of processing components, network characteristis and intrusion detection systems Complementary infrastructure, process and procedures Clean and Consistent

41 Security Policy and Awareness Support for the Development of University Policies Support for the Development of University Policies Reporting of Security Incidents Reporting of Security Incidents Security of IT Resources Security of IT Resources Network Registry Network Registry Authentication/Authorization Authentication/Authorization

42 Security Policy and Awareness Support for the Development of University Policies Support for the Development of University Policies Security Education Program Security Education Program Travelers of the Electronic Highway (TEH) Travelers of the Electronic Highway (TEH) General user awareness General user awareness Support of local service providers Support of local service providers

43 Security Policy and Awareness Support for the Development of University Policies Support for the Development of University Policies Security Education Program Security Education Program University Best Practices Guidelines University Best Practices Guidelines Security configurations Security configurations Security incident response methods Security incident response methods

44 Security Policy and Awareness Support for the Development of University Policies Support for the Development of University Policies Security Education Program Security Education Program University Best Practices Guidelines University Best Practices Guidelines Technical Response to Legislation Technical Response to Legislation HIPAA HIPAA FERPA FERPA GLB GLB

45 Security Infrastructure Network infrastructures Network infrastructures Participate in the emerging uses and capabilities of Cornell’s computing infrastructures (LAN, WLAN, Dial-up, public labs, etc) Participate in the emerging uses and capabilities of Cornell’s computing infrastructures (LAN, WLAN, Dial-up, public labs, etc)

46 Security Infrastructure Network infrastructures Network infrastructures Security Applications Security Applications Anti-Virus Anti-Virus Personal firewalls Personal firewalls Scanning Scanning System analysis/forensics System analysis/forensics

47 Security Infrastructure Network infrastructures Network infrastructures Security Applications Security Applications Authentication/Authorization Authentication/Authorization University authentication requirements University authentication requirements Risk assessment Risk assessment

48 Security Infrastructure Network infrastructures Network infrastructures Security Applications Security Applications Authentication/Authorization Authentication/Authorization Network Access Control (Firewalls) Network Access Control (Firewalls) Restricted addressing Restricted addressing Edge ACL’s (push security closer to the edge) Edge ACL’s (push security closer to the edge) Traditional firewall service (still not there) Traditional firewall service (still not there)

49 Security Infrastructure Network infrastructures Network infrastructures Security Applications Security Applications Authentication/Authorization Authentication/Authorization Network Access Control (Firewalls) Network Access Control (Firewalls) Direct Department Support Direct Department Support Specific security or incident related issues Specific security or incident related issues Secure architecture development Secure architecture development

50 Business Continuity and Disaster Recovery Participate in current BC/DR development efforts Participate in current BC/DR development efforts Ensure current efforts included system compromise and infections as addressable events Ensure current efforts included system compromise and infections as addressable events

51 Business Continuity and Disaster Recovery Participate in current BC/DR development efforts Participate in current BC/DR development efforts Develop BC/DR plans that include Develop BC/DR plans that include Identification of critical assets Identification of critical assets Processes and procedures to be followed when compromise occurs on a critical resource Processes and procedures to be followed when compromise occurs on a critical resource

52 Risk Assessments Central Security Assessments Central Security Assessments Service or infrastructure assessments (wireless, IP, etc) Service or infrastructure assessments (wireless, IP, etc) Network and System Scanning Network and System Scanning

53 Risk Assessments Central Security Assessments Central Security Assessments System scanning at time of registration System scanning at time of registration Scan student systems upon registration Scan student systems upon registration Limit or revoke network access upon unclean scan Limit or revoke network access upon unclean scan

54 Risk Assessments Central Security Assessments Central Security Assessments System scanning at time of registration System scanning at time of registration Promote and support for localized scanning Promote and support for localized scanning Distribute scanning software to local support providers Distribute scanning software to local support providers Train support providers as necessary Train support providers as necessary

55 Security Monitoring and Analysis Development of Automated Reports Development of Automated Reports Processing of network management logs Processing of network management logs Network usage reports Network usage reports Net alarms Net alarms Billing alerts Billing alerts

56 Security Monitoring and Analysis Development of Automated Reports Development of Automated Reports Intrusion Detection Intrusion Detection Network Based Anomaly Detection (NBAD) Network Based Anomaly Detection (NBAD) For central operation and some distributed views For central operation and some distributed views More easily operationalized than IDS More easily operationalized than IDS NIDS NIDS Some local IDS for critical systems or infrastructures Some local IDS for critical systems or infrastructures Operations and response is more difficult here Operations and response is more difficult here

57 Security Monitoring and Analysis Development of Automated Reports Development of Automated Reports Intrusion Detection Intrusion Detection Honey Pot Honey Pot Use of some “empty” networks for scanning identification Use of some “empty” networks for scanning identification Some early experience with honey pot operations Some early experience with honey pot operations

58 Security Monitoring and Analysis Development of Automated Reports Development of Automated Reports Intrusion Detection Intrusion Detection Honey Pot Honey Pot Identification and response to specific events or system behavior Identification and response to specific events or system behavior Algorithms to identify worm infected systems Algorithms to identify worm infected systems

59 Incident Response Backline Support Backline Support NOC NOC Help Desk Help Desk NUBB NUBB

60 Incident Response Backline Support Backline Support University IT Operational Procedures University IT Operational Procedures Operational procedures with CU Police Operational procedures with CU Police Operational procedures with Federal Agencies Operational procedures with Federal Agencies

61 Incident Response Backline Support Backline Support University IT Operational Procedures University IT Operational Procedures Direct Support for Departments as necessary Direct Support for Departments as necessary Identification Identification Analysis Analysis Response Response

62 Incident Response Backline Support Backline Support University IT Operational Procedures University IT Operational Procedures Direct Support for Departments as necessary Direct Support for Departments as necessary Support for University-Wide Security Incident Response mechanisms Support for University-Wide Security Incident Response mechanisms Virus response Virus response

63 A Growing Set of Lessons Learned Community trust is paramount Community trust is paramount It’s OK to crawl before you walk… before you run… It’s OK to crawl before you walk… before you run… All elements described above should move together at the same pace All elements described above should move together at the same pace The distributed nature of our environment does not need to mean less security but rather a different security strategy The distributed nature of our environment does not need to mean less security but rather a different security strategy Consolidating security operations and security budget provide both leverage and accountability Consolidating security operations and security budget provide both leverage and accountability

64 Questions ?


Download ppt "How to Create an IT Security Program Tracy Mitrano Steve Schuster R. David Vernon Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This."

Similar presentations


Ads by Google