2 Copyright Statement
Copyright Eoghan Casey and Jack Suess, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
3 Seminar Agenda
EDUCAUSE/I2 Security Task Force initiatives
The Effective Security Practices Guide (ESPG)
–The effective practices & solutions (EPS) database
Questions and Break
Case Studies
–U. California, Berkeley - Preliminary risk assessment & establishing a computer security group and policy
–UMBC - Basic risk assessment techniques for GLB
–Georgia Tech - Comprehensive risk assessment
–RIT - Outside vulnerability assessment
Questions and Feedback
4 Introduction to Security Task Force
Formed in July 2000
Current Co-chairs:
–Jack Suess, UMBC
–Gordon Wishon, University of Notre Dame
Executive Committee of CIOs, Security Professionals, and Professional Staff
EDUCAUSE & Internet2 Staff Support
Coordination with Higher Education IT Alliance
–ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
Security Discussion Group
5 2002 Accomplishments
Developed the Framework for Action
Organized 4 Workshops Funded by NSF
–Higher Education Values & Principles for Security
–Security Architecture & Policy
–Security in Research Environments
–Higher Education IT Security Summit
Higher Education Contribution to the National Strategy to Secure Cyberspace
Coordinated or Conducted Outreach Programs
6 Framework for Action
Make IT security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop, and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry, and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
7 2003 Accomplishments
Web Resource: www.educause.edu/security
Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC) at Indiana University
ACE Letter to Presidents
Commissioned White Paper on Legal Issues
1st Annual Security Professionals Workshop
Coordinated or Conducted Outreach Programs
Authored Leadership Book on Security
8 Message to Presidents
Set the tone:
–Insist on community-wide awareness and accountability.
Establish responsibility for campus-wide Cybersecurity at the cabinet level.
Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution.
Manage these risks in the context of institutional planning and budgeting.
Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.
David Ward, President, American Council on Education
9 The National Strategy to Secure Cyberspace
The National Strategy encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate:
–one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;
–point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
–model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity;
–one or more sets of best practices for IT security; and,
–model user awareness programs and materials.
10 Strategic Goals
The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
Education and Awareness
Standards, Policies, and Procedures
Security Architecture and Tools
Organization, Information Sharing, and Incident Response
11 Current Projects and Initiatives
Education and Awareness Initiative
Annual Security Professionals Workshop
Legal Issues and Institutional Policies
Risk Assessment Method and Tools
Effective Security Practices Guide
Research and Development Initiatives
Research and Educational Networking Information Sharing & Analysis Center
Vendor Engagement and Partnerships
12 Research and Education Networking (REN) ISAC at Indiana University
REN-ISAC can view network traffic among universities on Internet2
This provides a window into what is happening on higher education networks (e.g. Slammer or Nachi traffic)
The REN-ISAC is associated with the Indiana NOC and has 7x24 expertise on site.
They have access to DHS and the other 12 industry ISACs for early warning information
Visit www.ren-isac.net
13 Vendor Engagement
Vendor practices have a significant impact on higher education security
Educause established the Corporate CyberSecurity Forum to develop linkages with the vendor community.
Members include Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT
The Task Force visited Microsoft in September to explain the needs of higher education. Microsoft has been very responsive to suggestions.
14 Identifying Higher Education Security Issues and Needs
Over the last 2 years the NSF, Educause, and I2 have funded workshops, performed surveys (ECAR), and held open meetings at regional and national conferences to identify issues and needs.
We are now in the process of putting together working groups that will continue to build on the initial progress we have made.
In your appendixes are findings from the NSF Security Architecture workshop, the Effective Practices workshop, and the Security At Line Speed (S@LS) workshop.
15 Key Issues Identified in the Past Two Years
The following needs were consistently highlighted:
–Policy and procedures
–Risk and vulnerability assessment
–Security architecture design
–Network and host security implementation
–Intrusion and virus detection and prevention
–Incident response
–Encryption, authentication, and authorization
–Education, training, and awareness
16 Security at Line Speed (S@LS)
Purpose: how does higher education balance security and performance requirements?
This report should be required reading before a major network security overhaul.
The report identified 18 network and 8 host-based techniques for security and briefly summarized the performance and operational impacts of each (pg. 9-13)
The report details a few of these techniques and presents some generic case studies that highlight innovative use of these techniques.
I hope to see the Effective Practices group helping to better describe many of these solutions, many of which are open source but can be technically challenging to implement.
17 Effective Security Practices Guide (ESPG) for Higher Education Institutions
Balancing Security with Open, Collaborative Networking
http://www.educause.edu/security/guide
18 Why Not Identify Best Practices?
Higher education is too diverse in mission and size for a single best practice to be effective.
Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone felt there is room for improvement in what they are doing!
Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.
19 ESPG Overview
Practical approaches to preventing, detecting, and responding to security problems
Community driven and serving
–University ISOs and supporting staff
–Codify experiences of experts
Examples of success
–Potential models to follow
–Provide for various types of institutions
Modular resource
–Flexibility in presentation & implementation
20 ESPG Design and Development
(diagram; recovered labels)
ESP database
Core materials
Case study submission process
Future contributions
Seed case studies
Past workshops, discussions & community vetting
Categories & keyword searches
Structured presentation
Suitability, editing, notification & update
21 Core Subject Areas
Policy
Education, Training and Awareness
Risk Analysis and Management
Security Architecture Design
Network and Host Vulnerability Assessment
Network and Host Security Implementation
Intrusion and Virus Detection
Incident Response
Encryption, Authentication & Authorization
Addendum: university & vendor resources
22 ESPG Highlights
Evolution of Security Practices
23 Evolution of Security Practices
It is not possible to jump to the most effective practices
–Can’t scan for policy violations without policies
–Can’t develop policies without mature security standards
Some practices require significant human resources
–Intrusion detection
–Incident response
Some practices become more effective over time
–Technical support becomes more effective with supporting tools, security policies and architecture
24 Effective Practices: Contributors and Ranking
● Bethune-Cookman
● Brown
● Cornell*
● CSUSB
● GA Tech
● GWU
● Indiana University
● MSCD
● Notre Dame
● NC A&T
● Penn State
● Purdue*
● U Alabama
● UC Berkeley
● UCONN
● U Maryland, BC
● U Washington
● U Wisc, Madison
● Virginia Tech*
● Yale University
26 Risk Analysis
The most effective security practice
27 Types of Risk
Strategic Risk
Financial Risk
Legal Risk
Operational Risk
Reputation Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
28 Ideal Risk Analysis & Management
Knowledge of all relevant regulations
Training and awareness of staff
Developing plans to audit individual units for compliance
Developing and implementing a code of conduct for the organization
Establishing control mechanisms to ensure compliance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
29 Vulnerability Assessment
Need policies in place and buy-in
Organization-wide assessment is a rarity
–Not enough time or resources
Targeted scanning
–Critical systems or particular group
Tactical scanning
–New vulnerability publicized
–Intruder backdoor
Self-service/Automation
–Indiana’s “Scannager” & Purdue's Nessus Scanning Cluster
–Routine scans automatically run & delivered
Contact info and trust help with notification
30 Security Architecture Design
University is comprised of different groups
–Need internal and external defense
–Risk & vulnerability assessments guide security design
Guide presents alternatives with pros & cons
–Router filtering, Firewall, VLAN
–Bandwidth management
–Monitoring (e.g., IDS, NetFlow, central logging)
–VPN
–Wireless LANs
–Scalable host security
Some application & database guidelines
31 Security Implementation
Different groups require different approaches
–Be flexible, use a combination of approaches
Self-service necessary, not sufficient
–Do not put too much on the average user
Use what comes with the box & existing tools
Automate updates when possible
Use network-based solutions (e.g., e-mail filtering)
Give free security support initially
Penalties for persistent failures (public health)
Contact info and trust help with implementation
32 Incident Response
Policies
–Privacy, data retention and access
Procedures
–Who to contact in specific situations
–Employee lockout if necessary
–Evidence preservation
Prepare systems for evidence collection
Response Team
–Include legal, HR & PR
–Require training and tools
Contact info and trust help with incident response
33 Other Subject Areas
Intrusion & virus detection
–Host-based versus network-based
Encryption & authentication
–PGP versus S/MIME
–Public Key Infrastructure
–Central account management
–Directory services
–Middleware
34 Example Format
2-5 pages, technical audience
Summary of ROI when applicable
Background
Description
Benefits
Shortcomings
Future plans
References
35 Bethune-Cookman
Perimeter Cisco PIX with NAT
–1600 hosts
–ResNet on VLAN outside DMZ
Problem: Blocked multicast traffic
–Interfered with Access Grid node
Created work-around with Cisco
–GRE tunnel on PIX
–reconfigure internal & external routers
36 Cornell
Using ACLs on “edge” routers
–Opt-in, custom filters (within reason)
–Protecting 140 departments
–Protection from internal & Internet
Uses existing infrastructure
–Low added expense or training
Does not impact entire campus
37 Metro State College Denver
LANDesk on 2000 computers
–configuration & asset management
–software metering
2 standard Windows images
–1 for faculty & staff, 1 for student labs
Costly but effective
Commuter campus => no ResNet
38 Notre Dame IDS
8 Snort sensors
–4 at the Internet border
–4 in the core
SnortCenter
–central configuration management
ACID with modifications
Additional scripts
–archiving & e-mail alerting
39 Yale logger.pl
Daily summary of NT Security Logs
Failed attempts on many machines
Incident Response: individual account activity
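The kind of daily summary the Yale slide describes, as an added example in Python (it is not Yale's logger.pl, whose source is not on this page). It reads a batch of NT Security log entries, counts failed logons per account, lists the machines each account was tried against so that "failed attempts on many machines" stands out, and gives the per-account activity view used in incident response. The sample entries and the tab-separated export format (date, time, computer, event id, account, workstation) are constructed for illustration; the event IDs 528 (successful logon) and 529 (logon failure: unknown user name or bad password) are the NT security event numbers, and `parse()` is the only part that would change for a real export format.

```python
"""
Daily summary of NT Security log entries (added example; not Yale's script).
The log lines below are constructed; the format is a simple tab-separated
export: date, time, computer, event id, account, workstation.
"""
from collections import defaultdict

LOGON_SUCCESS = 528   # NT security event: successful logon
LOGON_FAILURE = 529   # NT security event: unknown user name or bad password

# Constructed sample: one account tried and failing against three servers
# from one workstation, one user mistyping a password once, one normal logon.
SAMPLE_LOG = """\
2004-03-01\t02:13:05\tFILESRV1\t529\tadmin\tWKS-17
2004-03-01\t02:13:09\tFILESRV1\t529\tadmin\tWKS-17
2004-03-01\t02:14:11\tMAILSRV\t529\tadmin\tWKS-17
2004-03-01\t02:15:40\tPRINTSRV\t529\tadmin\tWKS-17
2004-03-01\t08:02:00\tFILESRV1\t528\tjsmith\tWKS-03
2004-03-01\t08:05:13\tFILESRV1\t529\tjsmith\tWKS-03
2004-03-01\t08:05:30\tFILESRV1\t528\tjsmith\tWKS-03
2004-03-01\t09:30:00\tMAILSRV\t528\tjdoe\tWKS-09
"""


def parse(text):
    """Turn the export into a list of records; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, computer, event_id, account, workstation = line.split("\t")
        records.append({
            "date": date, "time": time, "computer": computer,
            "event_id": int(event_id), "account": account,
            "workstation": workstation,
        })
    return records


def summarize_failures(records, many_machines=3):
    """Failed logons per account: count, the machines tried, and a flag when
    the same account failed on at least `many_machines` distinct machines."""
    per_account = defaultdict(lambda: {"count": 0, "machines": set()})
    for r in records:
        if r["event_id"] == LOGON_FAILURE:
            per_account[r["account"]]["count"] += 1
            per_account[r["account"]]["machines"].add(r["computer"])
    return {
        acct: {
            "count": e["count"],
            "machines": sorted(e["machines"]),
            "many_machines": len(e["machines"]) >= many_machines,
        }
        for acct, e in per_account.items()
    }


def account_activity(records, account):
    """Incident-response view: every logged event for one account, in order."""
    return [r for r in records if r["account"] == account]


def daily_report(text):
    """Plain-text report suitable for e-mailing each morning."""
    summary = summarize_failures(parse(text))
    lines = ["Failed logons by account:"]
    for acct, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        flag = "  <-- many machines" if e["many_machines"] else ""
        lines.append(f"  {acct:<12} {e['count']:>3}  on {', '.join(e['machines'])}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(SAMPLE_LOG))
    for r in account_activity(parse(SAMPLE_LOG), "jsmith"):
        print(r["time"], r["computer"], r["event_id"], r["workstation"])
```

The "many machines" threshold is the interesting knob: a single user fat-fingering a password fails repeatedly on one server, whereas one account failing across several servers in a short window is the pattern the slide singles out, so the summary keys on distinct machines rather than the raw count.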
41 Risk Analysis
The most effective security practice, given that no one has infinite resources and must prioritize work.
42 Risk Analysis Overview
Risk = Threats x Vulnerability x Impact
–Need to weigh & prioritize risks to develop strategy
Threats
–Intruders, insiders, accidents, natural disasters
Vulnerabilities
–Weaknesses in design, implementation, or operation
Impact
–Level of harm to the institution
43 Practical Risk Analysis in HE
1) Preliminary Risk Analysis (year 1)
● Gathering allies, data and support
2) Risk Analysis of Critical Processes (year 2)
● Concentrating on high risk areas
3) Institution-wide Risk Analysis (year 3+)
● Broadening view to include the whole institution
44 Risk Analysis & Management
Need to prioritize risks and develop strategy
Starting from scratch
–Appoint a person to justify and drive risk assessment
–Gather data and allies, especially auditors
Challenges in higher education
–Lack of resources and centralized control
–Different groups value different things
Example models (STAR, OCTAVE)
45 UC Berkeley Preliminary Risk Assessment
Supported by CIO (Jack McCredie)
–Appointed working group (IT & audit)
–Overcame internal resistance
Lack of funds was a major barrier
–CIO used existing resources
Outcomes
–Overview of risks
–Dedicated IT security group
–Basic security policy
46 Berkeley - Keys to Success
Management commitment and support
Gathered allies
–involved auditor
Report
–important from educational and political standpoint
–helped develop consensus security strategy
Departments that tax themselves
–hire their own IT support staff
47 Berkeley - Pitfalls & Future Plans
Lack of funding has delayed progress
Lack of technical expertise
–giving each group responsibility for defending itself
–many groups lack the necessary expertise and funding
Future plans: minimum standards policy
–goal: disconnect systems that do not meet policy
–important things are hardest to manage (e.g., patching)
–goal: professional support everywhere
48 U of Maryland, Baltimore County
Risk Analysis of Critical Process
–Financial Aid
Adapted STAR model
–Focus on process and information flow
–Reduced analysis time
–Relate risk analysis to business process and drivers
Outcomes
–Improved security
–Regulatory compliance
49 Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)
Focus of risk assessment was primarily the Financial Aid department.
We had a limited time-frame in which to implement this assessment due to compliance deadlines.
Risk assessment focused on the specific requirements in GLB and did not encompass other risk threats.
50 Step 1. Met with Key Staff
Financial aid director mapped out business processes and procedures (half-day)
Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)
IT coordinators mapped out network and LAN services supporting financial aid (2 hours)
51 Step 2. Model the Information and Communication Flows
From the information provided we developed a matrix identifying the information flows between source and destination systems
To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information
We met with key staff from step 1 and validated the model design
53 Step 3. Develop Risk Review
Key risk components for each entry marked with an X in the matrix:
–Likelihood
–Vulnerability
–Impact
Each is assigned a value:
–(0) minimal
–(1) potentially a problem
–(2) high
Multiply the three values; focus on any area where the risk value is > 1.
54 Step 4. Present Risk Review and Develop Mitigation Plan
Meet with the key staff identified in step 1 and present the findings for validation
Discuss strategies for mitigating identified risks and the potential impact on business processes
For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.
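The four UMBC steps carried through in code, as an added example (Python) that is not UMBC's worksheet and also serves the Risk = Threats x Vulnerability x Impact overview on slide 42, since the arithmetic is the same with Likelihood in place of Threats. The systems, flows and 0/1/2 scores are constructed to illustrate the method; `Flow`, `flow_matrix`, `risk_review` and `report` are names chosen here, not terms from the STAR model.

```python
"""
Risk review in the style of UMBC's steps 2-4 (added example; constructed
data). Step 2 builds the source x destination matrix with an X wherever a
flow exists; step 3 scores each X for likelihood, vulnerability and impact
on a 0/1/2 scale and multiplies; step 4 renders the flows with risk > 1
for the validation meeting.
"""
from dataclasses import dataclass

# Score meanings from step 3
SCORE_LABELS = {0: "minimal", 1: "potentially a problem", 2: "high"}


@dataclass(frozen=True)
class Flow:
    """One 'X' in the matrix, with its three scores."""
    source: str
    destination: str
    data: str           # what moves along this flow
    likelihood: int     # 0, 1 or 2
    vulnerability: int  # 0, 1 or 2
    impact: int         # 0, 1 or 2

    def __post_init__(self):
        for name in ("likelihood", "vulnerability", "impact"):
            if getattr(self, name) not in SCORE_LABELS:
                raise ValueError(f"{name} must be 0, 1 or 2")

    @property
    def risk(self) -> int:
        # Risk = Likelihood x Vulnerability x Impact (slide 42 writes the
        # first factor as Threats; the product is the same).
        return self.likelihood * self.vulnerability * self.impact


# Constructed sample: systems and flows of a financial-aid process.
SYSTEMS = ["Student system", "Fin. aid desktop", "Novell file server", "E-mail"]

FLOWS = [
    Flow("Student system", "Fin. aid desktop", "award data (NPI)", 2, 2, 2),
    Flow("Fin. aid desktop", "Novell file server", "spreadsheets (NPI)", 1, 1, 2),
    Flow("Fin. aid desktop", "E-mail", "NPI sent to other offices", 2, 2, 2),
    Flow("Novell file server", "Student system", "batch uploads", 1, 0, 2),
]


def flow_matrix(flows, systems):
    """Step 2: source x destination matrix, 'X' where a flow exists."""
    present = {(f.source, f.destination) for f in flows}
    return {src: {dst: "X" if (src, dst) in present else "" for dst in systems}
            for src in systems}


def risk_review(flows, threshold=1):
    """Step 3: keep flows whose risk value exceeds the threshold, highest
    first (ties keep their original order)."""
    ranked = sorted(flows, key=lambda f: f.risk, reverse=True)
    return [f for f in ranked if f.risk > threshold]


def report(flows, systems):
    """Step 4: plain-text handout for the validation meeting."""
    matrix = flow_matrix(flows, systems)
    lines = ["Information flow matrix (rows = source, columns = destination):",
             " " * 20 + "".join(f"{s[:18]:>20}" for s in systems)]
    for src in systems:
        lines.append(f"{src[:18]:<20}"
                     + "".join(f"{matrix[src][dst]:>20}" for dst in systems))
    lines += ["", "Flows needing mitigation (risk value > 1):"]
    for f in risk_review(flows):
        lines.append(f"  risk {f.risk}: {f.source} -> {f.destination}: {f.data} "
                     f"(L={f.likelihood}, V={f.vulnerability}, I={f.impact})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FLOWS, SYSTEMS))
```

Because the three values are multiplied, a 0 in any one of them removes the flow from the review (the constructed batch-upload flow scores 0 despite a high impact), which is the property that lets the method cut a large matrix down to the handful of entries worth a mitigation discussion; it also means a wrong "minimal" rating hides a risk entirely, so the validation meeting in step 4 matters.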
55 UMBC GLB Risk Mitigation Recommendations
Upgrade to Windows 2000; require authenticated login to each workstation
Configuration policy will auto-update patches and install a firewall
All files and databases containing NPI must be located on our Novell servers -- no local storage.
Financial Aid should be among the first to move to our new protected network VLAN this summer.
Working with IT Steering on the issue of emailing NPI information (should/can this be prohibited without encryption?)
56 GA Tech Institution-wide risk analysis
Conducted by audit department
–Includes IT and non-IT resources and processes
–Repeated periodically to monitor progress
Outcomes
–Security strategy
–Improved awareness of institution-wide risks
–Regulatory compliance
57 GA Tech Overview
Assessment includes non-IT risks
–general policies, telecomm, insurance liabilities, human resources, regulatory compliance, health and safety
–accuracy of financial records
Thorough assessment of IT systems
–security: logical, physical, and management
FERPA
–deals with protection of information separately
58 GA Tech Assessing IT Risks
Logical security
Environmental and physical controls
Data stewardship
Management and maintenance
Backup and recovery
Training, S/W licensing, documentation
Web site operations and development
59 Rochester Institute of Technology
Outsourcing security posture/risk assessment
Institution-wide evaluation by objective outsiders
–Interviews with all departments
–Vulnerability assessment of critical systems
–Evaluation and reporting of results
Outcomes
–Report of weaknesses and proposed solutions
60 RIT Overview
RIT pre-selected the methodology to use: the Infosec Assessment Methodology developed by the NSA
They identified a vendor with experience in this methodology.
They selected the summer to do the assessment. Realized there is no best time to do this.
Assessment consisted of
–Document collection (1 month)
–On-site interviews (1 week)
–External scanning and analysis (3 weeks)
61 RIT Process
Consultants requested documentation on procedures, systems and processes
Consultants developed a question bank and met with key deans, directors, and VPs.
Scanning was coordinated with system administrators and did not include DoS.
Scheduling and communication were a challenge.
Interview process took considerable time from security staff
Communicating results can be challenging. Keeping people from being defensive is a challenge.
62 RIT Results
Demonstrated executive leadership felt security was important
Gained insight into groups that had not documented practices or considered security
Many findings were common sense but helped to push these changes more broadly
Identified certain practices that were non-compliant
Negatives
–Cost, effort required of internal staff to facilitate, focused too heavily on IT systems not business processes
63 Effective Practices Working Group
Group of security practitioners that will solicit and review effective practices, make presentations at regional conferences, and provide assistance
Convene bi-weekly through a conference call
Work closely with S@LS to utilize research findings and recommendations (early adopter)
A long-range goal for me is to develop common criteria for tracking security incidents and use those metrics to begin to gauge the benefit of different effective practices (before vs. after)
64 Questions and Discussion?
Jack Suess
–firstname.lastname@example.org
Eoghan Casey
–email@example.com@corpus-delicti.com
Presentation is available at http://userpages.umbc.edu/~jack/talks/EPSG.htm