Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University of California David Walker Jacqueline Craig Office of the President University of California © Copyright Regents of the University of California Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors.

Information Resources and Communications University of California, Office of the President University of California System Distributed Autonomy 10 campuses 5 medical centers 3 national laboratories

Information Resources and Communications University of California, Office of the President University of California System Abundant Opportunity for Security Breaches 200,00 students 53,000 academic employees 117,000 staff Number of Network nodes? 500,000?

Information Resources and Communications University of California, Office of the President University of California in the News Security breaches involving highly sensitive information  Stolen laptop 98,000 records  Exploit of known vulnerability 800,000+ records  System compromise 387,000 records

Information Resources and Communications University of California, Office of the President UC President demands solutions University-wide Security Workgroup Formed  Professors  Vice Chancellors and Deans  General Counsel  Security Officers  Chief Information Officers and Directors

Information Resources and Communications University of California, Office of the President Security Workgroup Recommendations Leadership actions to achieve accountability University-wide communication, security education and training Stronger IT security policies  Minimum connectivity standards and guidelines Risk assessment guidelines and mitigation  Focus on both academic and administrative strategies Campus-based encryption strategies Improved security incident guidelines

Information Resources and Communications University of California, Office of the President Recommendations for Campus Strategies Encryption Forensics  Incident Response  Audit Logs

Information Resources and Communications University of California, Office of the President Encryption

Information Resources and Communications University of California, Office of the President Encryption “...encryption is the process of obscuring information to make it unreadable without special knowledge.” - Wikipedia  In general, the “special knowledge” is an encryption key. Encryption is a powerful tool, but not a panacea. Encryption at the University of California: Overview and Recommendations

Information Resources and Communications University of California, Office of the President Things You Can Do with Data There are three things you can do with data  Store  Transmit  Process

Information Resources and Communications University of California, Office of the President Things You Can Protect with Encryption

Information Resources and Communications University of California, Office of the President Encryption for Data Storage Restricted data should be encrypted when stored in a location that does not have appropriate physical security and access controls.  Whole disk encryption (mobile devices)  File encryption  Database encryption Potential need for encrypted backups  Key management

Information Resources and Communications University of California, Office of the President Encryption for Data Transmission Restricted data should be encrypted when it is transmitted across an untrusted network, and very few networks can be trusted. For example,  File transfers  Electronic mail  Network printer communication  Remote file services  Virtual private network (VPN)

Information Resources and Communications University of California, Office of the President Key Management Improper loss or disclosure of encryption keys can result in improper loss or disclosure of data. Must consider:  Access to data in the event of lost keys  Improper disclosure of keys  Unique responsibilities of people charged with custody of keys

Information Resources and Communications University of California, Office of the President International Considerations for Encryption Some governments (e.g., China, Korea, and Israel) regulate the import and use of encryption technology. The United States regulates the export of encryption software source code.

Information Resources and Communications University of California, Office of the President Selected Recommendations for Encryption - 1 All copies of restricted data must be assessed.  Shadow copies  Spreadsheets  Backups Implement “whole disk” encryption for mobile devices.

Information Resources and Communications University of California, Office of the President Selected Recommendations for Encryption - 2 Network printer communication should be encrypted, and the printer should be in a secure location. Network file service communication should be encrypted. (e.g., WebDAV) Campuses should implement central key management infrastructures.

Information Resources and Communications University of California, Office of the President Incident Response

Information Resources and Communications University of California, Office of the President Incident Response problem management or security incident?  workflow plan  communication plan security breach or unauthorized disclosure?  system compromise  software design/configuration errors  stolen equipment  user (operator) error

Information Resources and Communications University of California, Office of the President

Information Resources and Communications University of California, Office of the President Incident Response Initial Steps  communicate to appropriate staff, team, others as required  maintain a log of actions  secure the area/facility  determine need for forensics analysis collect forensic information  regain control and analyze See

Information Resources and Communications University of California, Office of the President Investigations and Notification Determination Forensics  Use of vendor service to ensure chain-of- evidence? Establish a standing agreement to facilitate instant services  Audit log analysis Logs are a more likely source of information. Challenge: find congruence to track the path.

Information Resources and Communications University of California, Office of the President Log Management

Information Resources and Communications University of California, Office of the President Log Management Most components of an IT infrastructure are capable of producing logs chronicling their activity over time.  Application logs  System logs  Network device logs  Change management logs  Other logs (surveillance, physical access, etc.) Log Management for the University of California: Issues and Recommendations

Information Resources and Communications University of California, Office of the President Log Management Overview

Information Resources and Communications University of California, Office of the President Uses for Logs Useful both for long-term baseline analysis and incident investigation  Access  Change Monitoring  Cost Allocation  Malfunction  Resource Utilization  Security Events  User Activity

Information Resources and Communications University of California, Office of the President Application Log Content  The business operation that was requested  Whether the request was accepted or denied  The time and date the operation was performed  Who initiated the operation  System and network resources used  Any information needed for business process controls  Client hardware and software characteristics

Information Resources and Communications University of California, Office of the President System Log Content  The server operation that was requested  Whether the request was accepted or denied  The time and date the operation was performed (Start and end times, or duration, may be appropriate for long operations.)  Who and/or what system initiated the operation  System and network resources used

Information Resources and Communications University of California, Office of the President Network Device Log Content  Network (IP) addresses of the end points  Service identifiers (port numbers) for each of the end points  Whether the flow was accepted or denied  Date, time, and duration of the flow  Number of packets and bytes used by the flow

Information Resources and Communications University of California, Office of the President Log Record Life-Cycle Management Logs are University records, subject to the requirements of the University Records Management Program to ensure that they are “...appropriately managed and preserved, and can be retrieved as needed.” Retention periods must balance the following  confidentiality of specific individuals' activities  the need to support investigations  the cost of retaining the records

Information Resources and Communications University of California, Office of the President Functions of a Log Management Infrastructure  move log records into the infrastructure  provide secure storage for the records  implement record retention policies  facilitate access to log records  provide analysis tools that enable correlations among records from multiple sources  protect the chain of evidence for the possibility that log records are used in legal proceedings

Information Resources and Communications University of California, Office of the President Selected Recommendations for Log Management - 1 A network time protocol should be used to enable relation of log records from multiple sources. Procedures should be in place to ensure that baseline analyses reviewed on a regular and timely basis.

Information Resources and Communications University of California, Office of the President Selected Recommendations for Log Management - 2 For investigations, preparations should be made to perform ad hoc queries against multiple sources of information, based on criteria such as the following:  Source(s) of the log records  Time  Network address  Application or service  User