Page 1:

Information Security Analysis and Solutions Group, iSecure Solutions (Proprietary)

Information Security: Where to Begin?

January 12, 2005

Kathleen K. Roberts, Principal – MBA, Information Systems, [email protected]

Sanina Shen, Engineer – MS, CISSP, PMP, [email protected]

iSecure Solutions
1611 Arran Way
Dresher, PA 19025
(215) 641-1396 (Office)
(215) 641-1396 (FAX)
www.isecuresolutions.com

Final Presentation V2.W

Copyright [Kathleen K. Roberts] [2005]. This paper is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Agenda

Introduction (5 mins.)

– Review definitions and framework

– Provide insights into higher ed information security trends

– Share security basics

IT Security Policies (10 mins.)

– Ensure executive leadership support

– Review commonly used higher ed policies

– Share several different enforcement approaches

Vulnerability Assessments (10 mins.)

– Overview and value of assessments

– Evaluate and prepare to use assessment tools

– Share scanning approaches

Other Security Topics (10 mins.)

– Importance of a security awareness program

– Create a business continuity plan including a CSIRT

– Examine physical security

Conclusion (5 mins.)

– Be aware of regulatory requirements

– Begin the journey

Page 3: Information Security Definitions

Security Triad

Confidentiality – ensuring that the information is protected from unauthorized and/or unintentional disclosure and use.

Integrity – assuring the accuracy, completeness and reliability of information and systems from unauthorized and/or unintentional modification.

Availability – ensuring reliability and timely access to data and resources for authorized users.

Page 4: Information Security Framework

Security Operations Process Flow (cyclical diagram): Plan → Implement → Monitor → Evaluate

Plan – Develop the policies, procedures and guidelines

Implement – Design and implement the security components to fulfill policies, procedures and guidelines

Monitor – Monitor to ensure the security components protect the information systems

Evaluate – Evaluate the effectiveness of the security measures by performing gap analyses, vulnerability assessments, and penetration tests

Continue with the cyclical process:

1.) Updating the policies, procedures and guidelines

2.) Adjusting the security mechanisms

3.) Performing gap analyses, vulnerability assessments, and penetration tests

Page 5: Security Trends in Higher Education

Information Security

– Beginning to See:

» Establishment of a University Information Security Office

» Hiring of a University Information Security Officer

– Activities Underway by Information Security Office:

» Development of security policy

» Implementation of security architecture

» Monitoring of security

» Formal incident response processes and creation of CSIRT

» Development of security awareness and training programs

Page 6: Security Trends in Higher Education (continued)

Characteristics of Leading Information Security Colleges and Universities:

- View information security as a major opportunity for leadership

- Implementing security policies, procedures and guidelines

- Conducting institutional risk assessments on a regular basis

- Investing in staff and tools

- Increasing “community” awareness with ongoing training

- Designing, developing and deploying secure communication and information systems

- Inserting confidentiality and privacy language in vendor contract documents

- Requiring secure products from vendors

Page 7: Security Basics

Engage executive leadership – support, resources and communication

Select a standard as benchmark based on industry best practices

– The ISO 17799 Standard (www.iso17799-web.com)

– ISSA-GAISP (Information System Security Association – Generally Accepted Information Security Principles)

Baseline your institution’s security posture and readiness

– Evaluate security policies against industry standards

– Conduct vulnerability assessment scans and re-test regularly

– Determine the security standards for your organization

» e.g. account blocked after 3 failed log-in attempts, passwords changed every 90 days

– Examine the physical security situation

Formalize incident response procedures

Create and conduct security education and awareness classes

Start up and support an information security knowledge community


Page 9: Executive Leadership Support of Security Policies and Program

Engage leadership – CIO, president and provost

Areas where support is essential

– Budget for overall security program

– Security personnel

– Enforcement of policies

– Incident response involvement and coordination

Ensure inclusion in the higher ed mission and strategic plan

Educate on the importance of and need for a security program

– Statistics on security breaches and their growing visibility

– Federal and state regulation

– Institution’s reputation

Provide updates on a regular basis

– Establish regular status meetings

– Provide ongoing reports and added value information

Page 10: Basic Information Security Policy Inventory for Higher Education

The original table has the columns Type of Policy, Priority, GLBA, FERPA, HIPAA and CA SB 1358. The transcript preserved the priority and the X marks in the regulation columns but not which of the four columns each X occupied, so the last column below gives the number of regulations marked for each policy.

Type of Policy                              Priority   Regulations marked
Appropriate Use of Institutional Assets     H          -
Copyright Policy                            H          -
E-mail Policy *                             H          -
Password Protection Policy *                H          1
Access Control Policy *                     H          -
Virus Protection Policy *                   H          2
Wireless Communication Policy               H          -
Incident Handling and Reporting Policy      H          3
Mass Mailing/Broadcast Policy *             H          -
Privacy Policy                              H          3
Bus. Continuity/Disaster Recovery Plan      M          2
Web Policy including Web Advertising        M          -
Obscene Materials Policy *                  M          -
Confidentiality Policy                      M          4 (GLBA, FERPA, HIPAA, CA SB 1358)
Remote Access Policy                        M          -

Key: H = High usage by colleges & universities, M = Medium usage by colleges & universities, * = Covered in Appropriate Use Policy

Page 11: Policy Enforcement Approaches

Unlike corporate or government sectors, higher education requires a more delicate balance to effectively enforce policies:

Fear of being caught and punishment

– Clearly communicate consequences of policy violation in student, staff and faculty handbooks

– Include policy requirements in institution’s code of conduct to obtain ID

– Post warnings on websites and install observation technology

Use of existing technology

– Require secure password with specific requirements for network access

– Use online quiz requiring reading of critical points in handbook to obtain account

Usage requirement

– Incorporate policy requirements into network access usage agreements

Embarrassment by association – publish list of offenders

– Post on website or in newspaper


Page 13: Overview of Vulnerability Assessments

Definition: Vulnerability management is the discovery of weaknesses in a security profile, the determination of the risk and the elimination of these defects to reduce the window of opportunity in which an exploit could impact the institution.

Focus of Vulnerability Assessments

– Identify vulnerabilities in key resources

– Determine acceptable risk

– Fix weaknesses before attacker code can be developed to exploit the vulnerability

“The Laws of Vulnerabilities” per Gerhard Eschelbeck, CTO of Qualys

– Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity

– Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis

– Persistence: The lifespan of some vulnerabilities is unlimited

– Exploitation: 80% of vulnerability exploits are available within 60 days of the vulnerability release

Page 14: Sample of Network Vulnerability Assessment – High Level Summary Findings

[Bar chart: “Vulnerabilities Scan Results by Server”. Vertical axis: Number of Vulnerabilities (0 to 90). Each server’s count is broken down by Severity level 1 (Low), Severity level 2, Severity level 3, Severity level 4 and Severity level 5 (High). The per-server values are not recoverable from the transcript.]

Page 15: Summary of Vulnerabilities

Page 16: Detailed Scan Results (Part 1)

Page 17: Detailed Scan Results (Part 2)

Page 18: Port Scan Results

Page 19: Value of Vulnerability Assessments

Best Practices of Vulnerability Management

– Classify: prioritize assets based on “mission critical” value to the institution

– Measure: determine effectiveness of efforts by setting goals of reduced vulnerabilities and faster mitigation

– Integrate: include the intelligence gained in scans with other security info

– Audit: use metrics to evaluate effectiveness of efforts for ongoing improvement

Benefits of Conducting Vulnerability Assessments

– Aids communication and facilitates decision making by integrating information from various parts of the institution

– Enhances productivity of the security team by creating a structure, pooling knowledge and building “in-house” expertise

– Allows security to become part of the institutional culture by allowing institutional departments to take more of the responsibility for ensuring an adequate and appropriate level of security

– Increases security awareness by actively involving a larger number of individuals

– Provides a consistent and measurable approach to patching and upgrade management

Page 20: Vulnerability Assessment Tools

To select the best tool(s) for your institution, you must determine and prioritize requirements:

– Technical quality of the solution including degree of intrusiveness

– Ease of use including deployability

– Reporting capabilities

– Support including ongoing research to keep vulnerability database updated

– Price tag

Evaluate and select “best in class” tools

– Several vendors we considered:

» Foundstone - Foundscan Scanner

» GFI LANguard - Network Security Scanner

» Internet Security Systems (ISS) - Internet Scanner

» Nessus – Nessus Scanner

» Qualys - QualysGuard

All tools must be reviewed and tested

Consider having several vulnerability scanners in your toolbox

Page 21: Vulnerability Assessment Preparation

Collect source documents

– Current network architecture diagram to understand subnets and connections

– Existing security policies and guidelines

– Inventory of critical hardware and software with pertinent information

– Listing of key applications with pertinent information

Read background info and discuss with subject matter expert

– Review all documents to understand environment

Develop a draft test plan and obtain approval of plan and schedule

– Schedule scans during a slow time so there is no negative impact

Perform tests, assign tasks and log results

– Document vulnerabilities, analyze data and make recommendations

Finalize documentation into a report or presentation

Page 22: Scanning Approaches

Select the best approach for your environment

Conducting a campus wide vulnerability assessment

– Good for a baseline risk assessment

– Will produce too many vulnerabilities to deal with

– Requires much time and many resources to conduct and sift through data

Scan all high priority devices

– Select “Mission Critical” servers and hosts to scan

– Remediate only the severity 5 and 4 vulnerabilities

Scan entire network for a few specific vulnerabilities

– Select the SANS Top 20 vulnerabilities to scan for

– Scan for a specific newly announced vulnerability

Compare current assessment with a previous baseline

– Requires a baseline to be in place

– Only view deviations from the baseline, which reduces the number of identified vulnerabilities
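The baseline-comparison and high-priority-device approaches above, together with the Classify, Measure and Audit practices from the Value of Vulnerability Assessments slide, as an added example that is not part of the presentation or the presenters' tooling. The host names, check ids, titles, dates and the mission critical asset list are constructed sample data standing in for a real scanner export.

```python
from collections import Counter, namedtuple
from datetime import date

# Added example, not the presenters' code. All hosts, check ids and dates
# below are constructed sample data standing in for a real scanner export.
Finding = namedtuple("Finding", "host check_id severity title first_seen")

MISSION_CRITICAL = {"sis-db01", "mail01"}   # constructed asset classification
SCAN_DATE = date(2005, 1, 12)              # constructed date of current scan
SEEN = date(2004, 12, 1)                   # constructed first-seen date (baseline)

BASELINE = [  # constructed baseline scan
    Finding("sis-db01", "weak-db-auth", 5, "Weak database authentication", SEEN),
    Finding("sis-db01", "snmp-default", 3, "Default SNMP community string", SEEN),
    Finding("web01", "legacy-ssl", 2, "Legacy SSL protocol enabled", SEEN),
    Finding("mail01", "open-relay", 4, "Mail relay misconfiguration", SEEN),
    Finding("lab-pc17", "rpc-unpatched", 5, "Unpatched RPC service", SEEN),
]
CURRENT = [  # constructed current scan: one fixed, two new, four persisting
    Finding("sis-db01", "snmp-default", 3, "Default SNMP community string", SCAN_DATE),
    Finding("sis-db01", "os-patch", 4, "Missing OS security update", SCAN_DATE),
    Finding("web01", "legacy-ssl", 2, "Legacy SSL protocol enabled", SCAN_DATE),
    Finding("web01", "dir-listing", 1, "Directory listing enabled", SCAN_DATE),
    Finding("mail01", "open-relay", 4, "Mail relay misconfiguration", SCAN_DATE),
    Finding("lab-pc17", "rpc-unpatched", 5, "Unpatched RPC service", SCAN_DATE),
]


def _key(f):
    """Same host + same check id means the same finding across scans."""
    return (f.host, f.check_id)


def diff_against_baseline(baseline, current):
    """Split the current scan into (new, fixed, persisting) findings.
    Persisting findings keep their baseline first_seen date so age accumulates."""
    base = {_key(f): f for f in baseline}
    cur = {_key(f): f for f in current}
    new = [cur[k] for k in sorted(cur.keys() - base.keys())]
    fixed = [base[k] for k in sorted(base.keys() - cur.keys())]
    persisting = [cur[k]._replace(first_seen=base[k].first_seen)
                  for k in sorted(cur.keys() & base.keys())]
    return new, fixed, persisting


def prioritise(findings, min_severity=4, critical_hosts=MISSION_CRITICAL):
    """'Scan all high priority devices': keep severity 5 and 4 on mission
    critical hosts only, most severe first; the rest waits for the next cycle."""
    selected = [f for f in findings
                if f.severity >= min_severity and f.host in critical_hosts]
    return sorted(selected, key=lambda f: (-f.severity, f.host, f.check_id))


def severity_by_host(findings):
    """Per-server counts by severity: the data behind a
    'Vulnerabilities Scan Results by Server' chart."""
    table = {}
    for f in findings:
        table.setdefault(f.host, Counter())[f.severity] += 1
    return table


def metrics(baseline, current, scan_date):
    """'Measure' and 'Audit' figures: did the total fall, how much was fixed,
    and how old are the findings still open (lower mean age = faster mitigation)."""
    new, fixed, persisting = diff_against_baseline(baseline, current)
    ages = [(scan_date - f.first_seen).days for f in new + persisting]
    return {"baseline_total": len(baseline), "current_total": len(current),
            "fixed": len(fixed), "new": len(new),
            "mean_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0}


if __name__ == "__main__":
    new, fixed, persisting = diff_against_baseline(BASELINE, CURRENT)
    print(f"new={len(new)} fixed={len(fixed)} persisting={len(persisting)}")
    for f in prioritise(new + persisting):
        print(f"  remediate now: {f.host} sev{f.severity} {f.title}")
    print(metrics(BASELINE, CURRENT, SCAN_DATE))
```

Note that the severity 5 finding on lab-pc17 is deliberately left out of the remediate-now list: it is not on a mission critical host, which is the trade-off the high-priority-device approach makes.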


Page 24: Security Awareness Program

Importance of Education and Awareness Program

– People are the greatest source of IT security issues

– Insiders cause the majority of security breaches

– Most insider breaches are caused by:

» Lack of awareness of threats

» Assuming others are handling it

» Lack of knowledge on how to address it

» Security is a low priority

Components

– Define the target audience

– Tailor the message to meet the needs of each audience

– Delivery methods must be tailored to each group’s needs

» Meetings, handbooks, web site, email alerts, adding to new student orientation, workshops, seminars, articles, videos, posters

– Make it fun but keep the message short and simple, though current and realistic

– Repetition is key

Page 25: Business Continuity Planning

May be Part of an Overall Security Plan

– Includes a backup plan

– Includes a disaster recovery plan

– Conduct practice drills to test plan and readiness

Backup, Recovery and Restoration

– Documented processes

– Critical backup files stored on-site and off-site

– Data backup/recovery/restoration plans developed and periodically tested

Business Continuity Planning (BCP)

– Involves the entire institution

– Keep department or college in business

– Manual processes documented

– “Cookbook” checklists and steps

– Cross training of staff to ensure operational continuity of critical systems and applications

Page 26: Create a CSIRT

Computer Security Incident Response Team (CSIRT)

Form Team

– Determine representation and team membership required

– Solicit senior management support including CIO, provost and president

– Required to handle all incidents that occur

Activities

– Write mission statement and goals

– Document incident response procedures

– Create escalation list and contact information chain including law enforcement contacts for out of hours incidents

Additional support resources

– http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html

Page 27: Value of Physical Security

Remember Physical Security – no longer just the night guard who carries a flashlight

Security includes natural disasters, fires, floods, intruders and power supplies.

– Administrative Controls

» Facility Management

» Sensitive data or papers lying around?

» Neat and orderly computing rooms

– Technical Controls

» Temperature / humidity controls

» Fire suppression equipment

» UPS (Uninterruptible power supply)

– Physical Controls

» Locks / combination / card swipe doors

» Lighting

» Fences


Page 29: Conclusion

Complying with Regulatory Requirements

– Gramm-Leach-Bliley (GLB) Act and the Federal Trade Commission’s Safeguards Rule

» Need for a documented Information Security Plan

– Other

» Family Educational Rights and Privacy Act (FERPA)

» California’s Senate Bill 1386

» Health Insurance Portability and Accountability Act (HIPAA)

Begin the Journey

“Success is a journey not a destination. The doing is usually more important than the outcome.” – Arthur Ashe

Page 30: Questions