1 Seminar 4A - Effective Security Practices Eoghan Casey, Security Consultant Jack Suess, CIO, UMBC EDUCAUSE Mid-Atlantic Regional Conference - Baltimore, MD January 13, 2004

Page 1

Seminar 4A - Effective Security Practices

Eoghan Casey, Security Consultant

Jack Suess, CIO, UMBC

EDUCAUSE Mid-Atlantic Regional Conference - Baltimore, MD

January 13, 2004

Page 2

Copyright Statement

• Copyright Eoghan Casey and Jack Suess, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3

Seminar Agenda

• EDUCAUSE/I2 Security Task Force initiatives
• The Effective Security Practices Guide (ESPG)
  – The effective practices & solutions (EPS) database
• Questions and Break
• Case Studies
  – U. California, Berkeley - Preliminary risk assessment & establishing a computer security group and policy
  – UMBC - Basic risk assessment techniques for GLB
  – Georgia Tech - Comprehensive risk assessment
  – RIT - Outside vulnerability assessment
• Questions and Feedback

Page 4

Introduction to Security Task Force

• Formed in July 2000
• Current Co-chairs:
  – Jack Suess, UMBC
  – Gordon Wishon, University of Notre Dame
• Executive Committee of CIOs, Security Professionals, and Professional Staff
• EDUCAUSE & Internet2 Staff Support
• Coordination with Higher Education IT Alliance
  – ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
• Security Discussion Group

Page 5

2002 Accomplishments

• Developed the Framework for Action
• Organized 4 Workshops Funded by NSF
  – Higher Education Values & Principles for Security
  – Security Architecture & Policy
  – Security in Research Environments
  – Higher Education IT Security Summit
• Higher Education Contribution to the National Strategy to Secure Cyberspace
• Coordinated or Conducted Outreach Programs

Page 6

Framework for Action

• Make IT security a higher and more visible priority in higher education

• Do a better job with existing security tools, including revision of institutional policies

• Design, develop, and deploy improved security for future research and education networks

• Raise the level of security collaboration among higher education, industry, and government

• Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Page 7

2003 Accomplishments

• Web Resource: www.educause.edu/security
• Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC) at Indiana University
• ACE Letter to Presidents
• Commissioned White Paper on Legal Issues
• 1st Annual Security Professionals Workshop
• Coordinated or Conducted Outreach Programs
• Authored Leadership Book on Security

Page 8

Message to Presidents

• Set the tone:
  – Insist on community-wide awareness and accountability.
• Establish responsibility for campus-wide Cybersecurity at the cabinet level.
• Ask for a periodic Cybersecurity risk assessment that identifies the most important risks to your institution. Manage these risks in the context of institutional planning and budgeting.
• Request updates to your Cybersecurity plans on a regular basis in response to the rapid evolution of the technologies, vulnerabilities, threats, and risks.

David Ward, President, American Council on Education

Page 9

The National Strategy to Secure Cyberspace

• The National Strategy encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate:
  – one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;
  – point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
  – model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity;
  – one or more sets of best practices for IT security; and,
  – model user awareness programs and materials.

Page 10

Strategic Goals

The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:

• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident Response

Page 11

Current Projects and Initiatives

• Education and Awareness Initiative
• Annual Security Professionals Workshop
• Legal Issues and Institutional Policies
• Risk Assessment Method and Tools
• Effective Security Practices Guide
• Research and Development Initiatives
• Research and Educational Networking Information Sharing & Analysis Center
• Vendor Engagement and Partnerships

Page 12

Research and Education Networking (REN) ISAC at Indiana University

• REN-ISAC can view network traffic among universities on Internet2
• This provides a window into what is happening on higher education networks (e.g. Slammer or Nachi traffic)
• The REN-ISAC is associated with the Indiana NOC and has 7x24 expertise on site.
• They have access to DHS and the other 12 industry ISACs for early warning information
• Visit www.ren-isac.net

Page 13

Vendor Engagement

• Vendor practices have a significant impact on higher education security

• Educause established the Corporate CyberSecurity Forum to develop linkages with the vendor community. Members include - Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT

• Task force visited Microsoft in September to explain the needs of higher education. Microsoft has been very responsive to suggestions.

Page 14

Identifying Higher Education Security Issues and Needs

• Over the last 2 years the NSF, Educause, and I2 have funded workshops, performed surveys (ECAR), and held open meetings at regional and national conferences to identify issues and needs.

• We are now in the process of putting together working groups that will continue to build on the initial progress we have made.

• In your appendixes are findings from NSF Security Architecture workshop, Effective Practices workshop, and the Security At Line Speed (S@LS) workshop.

Page 15

Key Issues Identified the Past Two Years

• The following needs were consistently highlighted
  – Policy and procedures
  – Risk and vulnerability assessment
  – Security architecture design
  – Network and host security implementation
  – Intrusion and virus detection and prevention
  – Incident response
  – Encryption, authentication, and authorization
  – Education, training, and awareness

Page 16

Security at Line Speed (S@LS)

Purpose - How does higher education balance security and performance requirements? This report should be required reading before a major network security overhaul.

• The report identified 18 network and 8 host-based techniques for security and briefly summarized the performance and operational impacts of each (pg. 9-13)
• The report details a few of these techniques and presents some generic case studies that highlight innovative use of these techniques.
• I hope to see the Effective Practices group helping to better describe many of these solutions, many of which are open source but can be technically challenging to implement.

Page 17

Effective Security Practices Guide (ESPG)

for Higher Education Institutions

Balancing Security with Open, Collaborative Networking

http://www.educause.edu/security/guide

Page 18

Why Not Identify Best Practices

• Higher education is too diverse in mission and size for a single best practice to be effective.

• Even within a small group of like institutions few would identify what they are doing now as “Best Practices.” Everyone felt there is room for improvement in what they are doing!

• Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.

Page 19

ESPG Overview

• Practical approaches to preventing, detecting, and responding to security problems
• Community driven and serving
  – University ISOs and supporting staff
  – Codify experiences of experts
• Examples of success
  – Potential models to follow
  – Provide for various types of institutions
• Modular resource
  – Flexibility in presentation & implementation

Page 20

ESPG Design and Development

[Diagram; labels recovered from the slide:]
• ESP database
• Core materials
• Case study submission process
• Future contributions
• Seed case studies: past workshops, discussions & community vetting
• Categories & keyword searches
• Structured presentation
• Suitability, editing, notification & update

Page 21

Core Subject Areas

• Policy
• Education, Training and Awareness
• Risk Analysis and Management
• Security Architecture Design
• Network and Host Vulnerability Assessment
• Network and Host Security Implementation
• Intrusion and Virus Detection
• Incident Response
• Encryption, Authentication & Authorization
• Addendum: university & vendor resources

Page 22

ESPG Highlights

Evolution of Security Practices

Page 23

Evolution of Security Practices

• It is not possible to jump to the most effective practices
  – Can’t scan for policy violations without policies
  – Can’t develop policies without mature security standards
• Some practices require significant human resources
  – Intrusion detection
  – Incident response
• Some practices become more effective over time
  – Technical support becomes more effective with supporting tools, security policies and architecture

Page 24

Effective Practices: Contributors and Ranking

• Bethune-Cookman
• Brown
• Cornell*
• CSUSB
• GA Tech
• GWU
• Indiana University
• MSCD
• Notre Dame
• NC A&T
• Penn State
• Purdue*
• U Alabama
• UC Berkeley
• UCONN
• U Maryland, BC
• U Washington
• U Wisc, Madison
• Virginia Tech*
• Yale University

Page 26

Risk Analysis

The most effective security practice

Page 27

Types of Risk

• Strategic Risk
• Financial Risk
• Legal Risk
• Operational Risk
• Reputation Risk

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 28

Ideal Risk Analysis & Management

• Knowledge of all relevant regulations
• Training and awareness of staff
• Developing plans to audit individual units for compliance
• Developing and implementing a code of conduct for the organization
• Establishing control mechanisms to ensure compliance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 29

Vulnerability Assessment

• Need policies in place and buy-in
• Organization-wide assessment is a rarity
  – Not enough time or resources
• Targeted scanning
  – Critical systems or particular group
• Tactical scanning
  – New vulnerability publicized
  – Intruder backdoor
• Self-service/Automation
  – Indiana’s “Scannager” & Purdue's Nessus Scanning Cluster
  – Routine scans automatically run & delivered
• Contact info and trust help with notification

Page 30

Security Architecture Design

• University is comprised of different groups
  – Need internal and external defense
  – Risk & vulnerability assessments guide security design
• Guide presents alternatives with pros & cons
  – Router filtering, Firewall, VLAN
  – Bandwidth management
  – Monitoring (e.g., IDS, NetFlow, central logging)
  – VPN
  – Wireless LANs
  – Scalable host security
• Some application & database guidelines

Page 31

Security Implementation

• Different groups require different approaches
  – Be flexible, use a combination of approaches
• Self-service necessary, not sufficient
  – Do not put too much on average user
• Use what comes with box & existing tools
• Automate updates when possible
• Use network-based solutions (e.g., e-mail filtering)
• Give free security support initially
• Penalties for persistent failures (public health)
• Contact info and trust help with implementation

Page 32

Incident Response

• Policies
  – Privacy and Data retention and access
• Procedures
  – Who to contact in specific situations
  – Employee lockout if necessary
  – Evidence preservation
• Prepare systems for evidence collection
• Response Team
  – Include legal, HR & PR
  – Require training and tools
• Contact info and trust help with incident response

Page 33

Other Subject Areas

• Intrusion & virus detection
  – Host-based versus network-based
• Encryption & authentication
  – PGP versus S/MIME
  – Public Key Infrastructure
  – Central account management
  – Directory services
  – Middleware

Page 34

Example Format

• 2-5 pages, technical audience
• Summary of ROI when applicable
• Background
• Description
• Benefits
• Shortcomings
• Future plans
• References

Page 35

Bethune-Cookman

• Perimeter Cisco PIX with NAT
  – 1600 hosts
  – ResNet on VLAN outside DMZ
• Problem: Blocked multicast traffic
  – Interfered with Access Grid node
• Created work around with Cisco
  – GRE tunnel on PIX
  – reconfigure internal & external routers

Page 36

Cornell

• Using ACLs on “edge” routers
  – Opt-in, custom filters (within reason)
  – Protecting 140 departments
  – Protection from internal & Internet
• Uses existing infrastructure
  – Low added expense or training
• Does not impact entire campus

Page 37

Metro State College Denver

• LANDesk on 2000 computers
  – configuration & asset management
  – software metering
• 2 standard Windows images
  – 1 for faculty & staff, 1 for student labs
• Costly but effective
• Commuter campus => no ResNet

Page 38

Notre Dame IDS

• 8 Snort sensors
  – 4 at the Internet border
  – 4 in the core
• SnortCenter
  – central configuration management
• ACID with modifications
• Additional scripts
  – archiving & e-mail alerting
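The "additional scripts" on the Notre Dame slide are the glue between the sensors and the analyst: something has to file each day's alerts per sensor and turn the urgent ones into a mail digest. The following is an added example of that glue, not Notre Dame's scripts or anything shipped with Snort. The alert lines are constructed in Snort's one-line "fast" alert format; the sensor names, archive layout and priority threshold are assumptions for this example.

```python
"""Snort alert archiving and e-mail digest (added example; constructed data).

Snort's fast alert format is one line per alert:
  MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: ...]
  [Priority: N] {PROTO} src[:port] -> dst[:port]
Priority 1 is the most severe. The Classification block and the ports are optional.
"""
import re
from collections import Counter
from email.message import EmailMessage

FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed (sensor, alert line) pairs, as a central collector such as
# SnortCenter's database would hold them. Signature names and SIDs are made up.
SAMPLE_ALERTS = [
    ("border-1", "01/12-02:14:07.123456  [**] [1:1000001:1] CONSTRUCTED worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.2.3:1434 -> 192.168.5.6:1434"),
    ("border-1", "01/12-02:14:08.223456  [**] [1:1000001:1] CONSTRUCTED worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.2.3:1434 -> 192.168.5.7:1434"),
    ("core-2", "01/12-02:20:00.000001  [**] [1:1000002:1] CONSTRUCTED ICMP ping sweep [**] [Classification: Attempted Recon] [Priority: 3] {ICMP} 192.168.5.9 -> 192.168.5.10"),
    ("core-2", "01/12-03:01:11.900000  [**] [1:1000003:2] CONSTRUCTED admin shell attempt [**] [Priority: 1] {TCP} 172.16.0.8:4444 -> 192.168.7.2:80"),
    ("core-2", "this line is not a Snort alert and is skipped"),
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    rec = m.groupdict()          # unmatched optional groups come back as None
    rec["prio"] = int(rec["prio"])
    return rec


def parse_all(pairs):
    """Parse every (sensor, line) pair, tagging each record with its sensor."""
    out = []
    for sensor, line in pairs:
        rec = parse_alert(line)
        if rec:
            rec["sensor"] = sensor
            out.append(rec)
    return out


def archive_path(rec, root="archive"):
    """One archive file per sensor per day; the fast timestamp carries month/day only."""
    month, day = rec["ts"].split("-")[0].split("/")
    return f"{root}/{rec['sensor']}/{month}-{day}.alert"


def digest(records, max_priority=2):
    """Keep alerts at or above the severity threshold and count them by signature and source."""
    urgent = [r for r in records if r["prio"] <= max_priority]
    by_sig = Counter((r["sid"], r["msg"]) for r in urgent)
    by_src = Counter(r["src"] for r in urgent)
    return {"count": len(urgent), "by_sig": by_sig, "by_src": by_src}


def build_digest_email(records, sender, recipient, max_priority=2):
    """Compose (not send) the digest a cron job would hand to the local MTA."""
    d = digest(records, max_priority)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[IDS] {d['count']} alerts at priority <= {max_priority}"
    lines = [f"{n:4d}  sid {sid}  {text}" for (sid, text), n in d["by_sig"].most_common()]
    lines.append("")
    lines += [f"{n:4d}  from {src}" for src, n in d["by_src"].most_common()]
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    recs = parse_all(SAMPLE_ALERTS)
    for r in recs:
        print(archive_path(r), r["prio"], r["msg"])
    print(build_digest_email(recs, "snort@example.edu", "security@example.edu"))
```

The regex is the only part tied to Snort; everything after it works on plain dicts, so the same digest logic can sit behind a database query against the SnortCenter/ACID store instead of a flat alert file. The priority threshold is deliberately a parameter: a priority-3 recon alert is worth archiving but not worth waking anyone for.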

Page 39

Yale logger.pl

• Daily summary of NT Security Logs
• Failed attempts on many machines
• Incident Response: individual account activity

Page 40

BREAK

Page 41

Risk Analysis

The most effective security practice given that no one has infinite resources and must prioritize work.

Page 42

Risk Analysis Overview

• Risk = Threats x Vulnerability x Impact
  – Need to weigh & prioritize risks to develop strategy
• Threats
  – Intruders, insiders, accidents, natural disasters
• Vulnerabilities
  – Weaknesses in design, implementation, or operation
• Impact
  – Level of harm to the institution

Page 43

Practical Risk Analysis in HE

1) Preliminary Risk Analysis (year 1)
  – Gathering allies, data and support
2) Risk Analysis of Critical Processes (year 2)
  – Concentrating on high risk areas
3) Institution-wide Risk Analysis (year 3+)
  – Broadening view to include the whole institution

Page 44

Risk Analysis & Management

• Need to prioritize risks and develop strategy
• Starting from scratch
  – Appoint a person to justify and drive risk assessment
  – Gather data and allies, especially auditors
• Challenges in higher education
  – Lack of resources and centralized control
  – Different groups value different things
• Example models (STAR, OCTAVE)

Page 45

UC Berkeley

• Preliminary Risk Assessment
• Supported by CIO (Jack McCredie)
  – Appointed working group (IT & audit)
  – Overcame internal resistance
• Lack of funds was a major barrier
  – CIO used existing resources
• Outcomes
  – Overview of risks
  – Dedicated IT security group
  – Basic security policy

Page 46

Berkeley - Keys to Success

• Management commitment and support
• Gathered allies
  – involved auditor
• Report
  – important from educational and political standpoint
  – helped develop consensus security strategy
• Departments that tax themselves
  – hire their own IT support staff

Page 47

Berkeley - Pitfalls & Future Plans

• Lack of funding has delayed progress
• Lack of technical expertise
  – giving each group responsibility for defending selves
  – many groups lack the necessary expertise and funding
• Future plans: minimum standards policy
  – goal: disconnect systems that do not meet policy
  – important things are hardest to manage (e.g., patching)
  – goal: professional support everywhere

Page 48

U of Maryland, Baltimore County

• Risk Analysis of Critical Process
  – Financial Aid
• Adapted STAR model
  – Focus on process and information flow
  – Reduced analysis time
  – Relate risk analysis to business process and drivers
• Outcomes
  – Improved security
  – Regulatory compliance

Page 49

Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)

• Focus of risk assessment was primarily Financial Aid department.
• We had a limited time-frame in which to implement this assessment due to compliance deadlines
• Risk assessment focused on the specific requirements in (GLB) and did not encompass other risk threats

Page 50

Step 1. Met with Key Staff

• Financial aid director mapped out business processes and procedures (half-day)

• Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)

• IT coordinators mapped out network and LAN services supporting financial aid (2 hours)

Page 51

Step 2. Model the Information and Communication Flows

• From the information provided we developed a matrix identifying the information flows between source and destination systems

• To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information

• We met with key staff from step 1 and validated the model design

Page 52

Page 53

Step 3. Develop Risk Review

• Key risk components for each entry with X
  – Likelihood
  – Vulnerability
  – Impact
• Each is assigned a value:
  – (0) minimal
  – (1) potentially a problem
  – (2) High
• Multiply the three values, focus on any area where risk value is > 1.
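The Risk = Threats x Vulnerability x Impact formula from the Risk Analysis Overview slide and the 0/1/2 scoring in Step 3 are the same calculation; Step 3 simply writes "Likelihood" for the threat factor and applies it to each X cell of the source/destination flow matrix from Step 2. The following added example carries one such review through end to end. It is not UMBC's STAR-derived worksheet, and the systems, flows and scores in it are constructed to illustrate the method; the names are not UMBC's.

```python
"""Worked flow-matrix risk review (added example; constructed data).

Each entry of the Step 2 source/destination matrix that carries an X becomes
a Flow, scored on the Step 3 scale, and the review keeps the entries whose
product is greater than 1.
"""
from dataclasses import dataclass

# The Step 3 scale: anything outside it is a data-entry error, not a score.
SCALE = {0: "minimal", 1: "potentially a problem", 2: "high"}


@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    data: str           # what moves, e.g. NPI (non-public information)
    likelihood: int     # threat factor, 0-2
    vulnerability: int  # 0-2
    impact: int         # 0-2

    def risk(self) -> int:
        """Risk = Likelihood x Vulnerability x Impact, on the 0-2 scale."""
        for v in (self.likelihood, self.vulnerability, self.impact):
            if v not in SCALE:
                raise ValueError(f"score {v} is outside the 0-2 scale")
        return self.likelihood * self.vulnerability * self.impact


# Constructed X cells of a financial-aid flow matrix (hypothetical systems).
FLOWS = [
    Flow("Financial aid desktop", "Student information system", "NPI", 1, 2, 2),
    Flow("Student information system", "File server", "NPI", 1, 0, 2),
    Flow("Financial aid desktop", "External e-mail", "NPI", 2, 2, 2),
    Flow("Print server", "Financial aid desktop", "forms", 1, 1, 1),
    Flow("Loan processor (external)", "Student information system", "NPI", 1, 1, 2),
]


def risk_review(flows, threshold=1):
    """Entries whose risk product is strictly greater than threshold, highest first."""
    hot = [f for f in flows if f.risk() > threshold]
    return sorted(hot, key=lambda f: f.risk(), reverse=True)


def matrix(flows):
    """Source x destination grid; a cell holds the risk product or None for no flow."""
    sources = sorted({f.source for f in flows})
    dests = sorted({f.destination for f in flows})
    cells = {(f.source, f.destination): f.risk() for f in flows}
    return [[cells.get((s, d)) for d in dests] for s in sources], sources, dests


def render(flows):
    """Text version of the matrix plus the review list, for the Step 4 meeting."""
    grid, sources, dests = matrix(flows)
    width = max(len(s) for s in sources)
    out = [" " * width + "  " + "  ".join(f"{d[:12]:>12}" for d in dests)]
    for s, row in zip(sources, grid):
        out.append(f"{s:<{width}}  " + "  ".join(f"{'-' if c is None else c:>12}" for c in row))
    out.append("")
    out.append("Entries with risk > 1:")
    for f in risk_review(flows):
        out.append(f"  {f.risk()}  {f.source} -> {f.destination} ({f.data})")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(FLOWS))
```

Two details of the scale are worth noticing in the output. A zero in any factor zeroes the product, so a well-protected path carrying high-impact data (the server flow scored 1, 0, 2) correctly drops out of the review; and an entry scoring 1, 1, 1 has a product of exactly 1 and so is not flagged, because the slide's rule is strictly greater than 1. The desktop-to-external-mail flow comes out on top, which matches where the UMBC review found its primary risks: NPI handled on desktops.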

Page 54

Step 4. Present Risk Review and Develop Mitigation Plan

• Meet with the key staff identified in step 1 and present the findings for validation

• Discuss strategies for mitigating identified risks and the potential impact on business processes

• For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.

Page 55

UMBC GLB Risk Mitigation Recommendations

• Upgrade to Windows 2000, require authenticated login to each workstation

• Configuration policy will auto-update patches and install a firewall

• All files and databases containing (NPI) must be located on our Novell servers -- no local storage.

• Financial Aid should be among the first to move to our new protected network VLAN this summer.

• Working with IT Steering on the issue of emailing NPI information (should/can this be prohibited without encryption)

Page 56

GA Tech

• Institution-wide risk analysis
• Conducted by audit department
  – Includes IT and non-IT resources and processes
  – Repeated periodically to monitor progress
• Outcomes
  – Security strategy
  – Improved awareness of institution-wide risks
  – Regulatory compliance

Page 57

GA Tech Overview

• Assessment includes non-IT risks
  – general policies, telecomm, insurance liabilities, human resources, regulatory compliance, health and safety
  – accuracy of financial records
• Thorough assessment of IT systems
  – security: logical, physical, and management
• FERPA
  – deals with protection of information separately

Page 58

GA Tech Assessing IT Risks

• Logical security
• Environmental and physical controls
• Data stewardship
• Management and maintenance
• Backup and recovery
• Training, S/W licensing, documentation
• Web site operations and development

Page 59

Rochester Institute of Technology

• Outsourcing security posture/risk assessment
• Institution-wide evaluation by objective outsiders
  – Interviews with all departments
  – Vulnerability assessment of critical systems
  – Evaluation and reporting of results
• Outcomes
  – Report of weaknesses and proposed solutions

Page 60

RIT Overview

• RIT pre-selected the methodology to use - Infosec Assessment Methodology developed by the NSA
• They identified a vendor with experience in this methodology.
• They selected the summer to do the assessment. Realized there is no best time to do this.
• Assessment consisted of
  – Document collection (1 month)
  – On-site interviews (1 week)
  – External scanning and analysis (3 weeks)

Page 61

RIT Process

• Consultants requested documentation on procedures, systems and processes

• Consultants developed a question bank and met with key deans, directors, and VP’s.

• Scanning was coordinated with system administrators and did not include DoS.

• Scheduling and communication were a challenge. Interview process took considerable time from security staff

• Communicating results can be challenging. Keeping people from being defensive is a challenge

Page 62

RIT Results

• Demonstrated executive leadership felt security was important
• Gained insight into groups that had not documented practices or considered security
• Many findings were common sense but helped to push these changes more broadly
• Identified certain practices that were non-compliant
• Negatives
  – Cost, effort required of internal staff to facilitate, focused too heavily on IT systems not business processes

Page 63

Effective Practices Working Group

• Group of security practitioners that will solicit and review effective practices, make presentations at regional conferences, and provide assistance
• Convene bi-weekly through a conference call
• Work closely with S@LS to utilize research findings and recommendations (early adopter)
• A long-range goal for me is to develop common criteria for tracking security incidents and use those metrics to begin to gauge the benefit of different effective practices (before vs. after)

Page 64

Questions and Discussion?

• Jack Suess– [email protected]

• Eoghan Casey– [email protected]

• Presentation is available at http://userpages.umbc.edu/~jack/talks/EPSG.htm