Information Security Analysis and Solutions Group, iSecure Solutions (Proprietary)
Information Security: Where to Begin?
January 12, 2005
Kathleen K. Roberts, Principal – MBA, Information [email protected]
Sanina Shen, Engineer – MS, CISSP, [email protected]
iSecure Solutions, 1611 Arran Way, Dresher, PA 19025; (215) 641-1396 (Office); (215) 641-1396 (FAX); www.isecuresolutions.com
Final Presentation V2.W
Copyright [Kathleen K. Roberts] [2005]. This paper is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
Introduction (5 mins.)
– Review definitions and framework
– Provide insights into higher ed information security trends
– Share security basics
IT Security Policies (10 mins.)
– Ensure executive leadership support
– Review commonly used higher ed policies
– Share several different enforcement approaches
Vulnerability Assessments (10 mins.)
– Overview and value of assessments
– Evaluate and prepare to use assessment tools
– Share scanning approaches
Other Security Topics (10 mins.)
– Importance of a security awareness program
– Create a business continuity plan including a CSIRT
– Examine physical security
Conclusion (5 mins.)
– Be aware of regulatory requirements
– Begin the journey
Information Security Definitions
Security Triad
Confidentiality – ensuring that the information is protected from unauthorized and/or unintentional disclosure and use.
Integrity – assuring the accuracy, completeness and reliability of information and systems from unauthorized and/or unintentional modification.
Availability – ensuring reliability and timely access to data and resources for authorized users.
Information Security Framework (Security Operations Process Flow)
Plan – Develop the policies, procedures and guidelines.
Implement – Design and implement the security components to fulfill the policies, procedures and guidelines.
Monitor – Monitor to ensure the security components protect the information systems.
Evaluate – Evaluate the effectiveness of the security measures by performing gap analyses, vulnerability assessments and penetration tests.
Continue with the cyclical process:
1.) Updating the policies, procedures and guidelines
2.) Adjusting the security mechanisms
3.) Performing gap analyses, vulnerability assessments and penetration tests
Security Trends in Higher Education Information Security
– Beginning to see:
» Establishment of a University Information Security Office
» Hiring of a University Information Security Officer
– Activities underway by the Information Security Office:
» Development of security policy
» Implementation of security architecture
» Monitoring of security
» Formal incident response processes and creation of a CSIRT
» Development of security awareness and training programs
Security Trends in Higher Education (continued)
Characteristics of Leading Information Security Colleges and Universities:
- View information security as a major opportunity for leadership
- Implementing security policies, procedures and guidelines
- Conducting institutional risk assessments on a regular basis
- Investing in staff and tools
- Increasing “community” awareness with ongoing training
- Designing, developing and deploying secure communication and information systems
- Inserting confidentiality and privacy language in vendor contract documents
- Requiring secure products from vendors
Security Basics
Engage executive leadership – support, resources and communication
Select a standard as a benchmark based on industry best practices
– The ISO 17799 Standard (www.iso17799-web.com)
– ISSA-GAISP (Information Systems Security Association – Generally Accepted Information Security Principles)
Baseline your institution's security posture and readiness
– Evaluate security policies against industry standards
– Conduct vulnerability assessment scans and re-test regularly
– Determine the security standards for your organization
» e.g. account locked after 3 failed log-in attempts, passwords changed every 90 days
– Examine the physical security situation
Formalize incident response procedures
Create and conduct security education and awareness classes
Start up and support an information security knowledge community
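The lockout and password-age standards above are only useful if someone checks hosts against them. The following is an added example, not part of the presentation, that audits the two Linux files where those settings normally live. The file layouts are those of the real /etc/login.defs (shadow-utils) and /etc/security/faillock.conf (pam_faillock), but the file contents below are constructed samples, and the assumption that PASS_MAX_DAYS and deny are the keys carrying the two settings holds only for hosts using those two mechanisms.

```python
"""Check a host's password-aging and lockout settings against the baseline
standard the slide gives as an example (account locked after 3 failed
log-ins, passwords changed every 90 days). Added example, not from the
presentation. The file layouts are those of the real /etc/login.defs
(shadow-utils) and /etc/security/faillock.conf (pam_faillock); the file
contents below are constructed samples, and the keys checked are assumed to
be the ones that carry the two settings on the hosts being audited.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The baseline from the slide: 3 failed log-ins, 90-day rotation.
BASELINE = {"max_failed_logins": 3, "max_password_age_days": 90}

# Constructed sample of /etc/login.defs (KEY VALUE, whitespace separated).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
"""

# Constructed sample of /etc/security/faillock.conf (key = value).
SAMPLE_FAILLOCK_CONF = """\
# /etc/security/faillock.conf (constructed sample)
# deny = 3
deny = 5
unlock_time = 600
fail_interval = 900
"""


def parse_settings(text: str, separator: Optional[str]) -> Dict[str, str]:
    """Parse KEY VALUE (separator=None, whitespace) or key = value lines.
    Comments and blank lines are skipped; keys are lower-cased so callers do
    not depend on each file's capitalisation style."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if separator is None:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        else:
            key, _, value = line.partition(separator)
        settings[key.strip().lower()] = value.strip()
    return settings


def as_int(value: Optional[str]) -> Optional[int]:
    """Integer value of a setting, or None if it is absent or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


@dataclass
class Finding:
    setting: str
    observed: Optional[int]
    required: int     # the observed value must be <= this
    ok: bool


def check_host(login_defs_text: str, faillock_text: str,
               baseline: Dict[str, int] = BASELINE) -> List[Finding]:
    """Compare the two files against the baseline. A missing setting is a
    failure: the defaults (no lockout, 99999-day maximum age) are weaker than
    the baseline, so silence must not pass as compliance."""
    login_defs = parse_settings(login_defs_text, None)
    faillock = parse_settings(faillock_text, "=")
    checks = [
        ("PASS_MAX_DAYS", as_int(login_defs.get("pass_max_days")),
         baseline["max_password_age_days"]),
        ("faillock deny", as_int(faillock.get("deny")),
         baseline["max_failed_logins"]),
    ]
    return [Finding(name, observed, required,
                    observed is not None and observed <= required)
            for name, observed, required in checks]


def noncompliant(findings: List[Finding]) -> List[str]:
    """Names of the settings that miss the baseline."""
    return [f.setting for f in findings if not f.ok]


if __name__ == "__main__":
    for f in check_host(SAMPLE_LOGIN_DEFS, SAMPLE_FAILLOCK_CONF):
        print(f"{'OK  ' if f.ok else 'FAIL'} {f.setting}: "
              f"observed={f.observed}, required<={f.required}")
```

Run against the constructed samples, both settings fail (99999-day maximum age, lockout only after 5 attempts). One caveat on the standard itself: a threshold of three lets anyone who knows a username lock that account by guessing wrong three times, so pair deny with an unlock_time, as the sample file does, rather than a permanent lock, and audit both values together.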
Executive Leadership Support of Security Policies and Program
Engage leadership – CIO, president and provost
Areas where support is essential
– Budget for the overall security program
– Security personnel
– Enforcement of policies
– Incident response involvement and coordination
Ensure inclusion in the higher ed mission and strategic plan
Educate on the importance of and need for a security program
– Statistics on security breaches and their growing visibility
– Federal and state regulation
– Institution's reputation
Provide updates on a regular basis
– Establish regular status meetings
– Provide ongoing reports and added-value information
Basic Information Security Policy Inventory for Higher Education
Type of Policy (Priority; regulatory drivers marked among GLBA, FERPA, HIPAA and CA SB 1386)
– Appropriate Use of Institutional Assets (H)
– Copyright Policy (H)
– E-mail Policy * (H)
– Password Protection Policy * (H; marked under 1 regulation)
– Access Control Policy * (H)
– Virus Protection Policy * (H; marked under 2 regulations)
– Wireless Communication Policy (H)
– Incident Handling and Reporting Policy (H; marked under 3 regulations)
– Mass Mailing/Broadcast Policy * (H)
– Privacy Policy (H; marked under 3 regulations)
– Bus. Continuity/Disaster Recovery Plan (M; marked under 2 regulations)
– Web Policy including Web Advertising (M)
– Obscene Materials Policy * (M)
– Confidentiality Policy (M; marked under all four: GLBA, FERPA, HIPAA, CA SB 1386)
– Remote Access Policy (M)
Key: H = High usage by colleges and universities, M = Medium usage by colleges and universities, * = covered in the Appropriate Use Policy. The transcript preserves how many regulation columns each row was marked under but not which ones, except where all four are marked.
Policy Enforcement Approaches
Unlike the corporate or government sectors, higher education requires a more delicate balance to effectively enforce policies:
Fear of being caught and punishment
– Clearly communicate the consequences of policy violation in student, staff and faculty handbooks
– Include policy requirements in the institution's code of conduct to obtain an ID
– Post warnings on websites and install observation technology
Use of existing technology
– Require a secure password with specific requirements for network access
– Use an online quiz requiring reading of critical points in the handbook to obtain an account
Usage requirement
– Incorporate policy requirements into network access usage agreements
Embarrassment by association – publish a list of offenders
– Post on a website or in a newspaper
Overview of Vulnerability Assessments
Definition: Vulnerability management is the discovery of weaknesses in a security profile, the determination of the risk and the elimination of these defects to reduce the window of opportunity in which an exploit could impact the institution.
Focus of Vulnerability Assessments
– Identify vulnerabilities in key resources
– Determine acceptable risk
– Fix weaknesses before attacker code can be developed to exploit the vulnerability
"The Laws of Vulnerabilities" per Gerhard Eschelbeck, CTO of Qualys
– Half-Life: the half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity
– Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis
– Persistence: the lifespan of some vulnerabilities is unlimited
– Exploitation: 80% of vulnerability exploits are available within 60 days of the vulnerability release
Sample of Network Vulnerability Assessment – High Level Summary Findings
[Chart: "Vulnerabilities Scan Results by Server"; y-axis: Number of Vulnerabilities (0–90); results grouped by server and split into Severity level 1 (Low), 2, 3, 4 and 5 (High)]
Summary of Vulnerabilities [slide image only]
Detailed Scan Results (Part 1) [slide image only]
Detailed Scan Results (Part 2) [slide image only]
Port Scan Results [slide image only]
Value of Vulnerability Assessments
Best Practices of Vulnerability Management
– Classify: prioritize assets based on "mission critical" value to the institution
– Measure: determine the effectiveness of efforts by setting goals of reduced vulnerabilities and faster mitigation
– Integrate: combine the intelligence gained in scans with other security information
– Audit: use metrics to evaluate the effectiveness of efforts for ongoing improvement
Benefits of Conducting Vulnerability Assessments
– Aids communication and facilitates decision making by integrating information from various parts of the institution
– Enhances productivity of the security team by creating a structure, pooling knowledge and building "in-house" expertise
– Allows security to become part of the institutional culture by letting institutional departments take more of the responsibility for ensuring an adequate and appropriate level of security
– Increases security awareness by actively involving a larger number of individuals
– Provides a consistent and measurable approach to patch and upgrade management
Vulnerability Assessment Tools
To select the best tool(s) for your institution, determine and prioritize requirements:
– Technical quality of the solution, including degree of intrusiveness
– Ease of use, including deployability
– Reporting capabilities
– Support, including ongoing research to keep the vulnerability database updated
– Price tag
Evaluate and select "best in class" tools
– Several vendors we considered:
» Foundstone – FoundScan Scanner
» GFI LANguard – Network Security Scanner
» Internet Security Systems (ISS) – Internet Scanner
» Nessus – Nessus Scanner
» Qualys – QualysGuard
All tools must be reviewed and tested
Consider having several vulnerability scanners in your toolbox
Vulnerability Assessment Preparation
Collect source documents
– Current network architecture diagram to understand subnets and connections
– Existing security policies and guidelines
– Inventory of critical hardware and software with pertinent information
– Listing of key applications with pertinent information
Read background information and discuss with a subject matter expert
– Review all documents to understand the environment
Develop a draft test plan and obtain approval of the plan and schedule
– Schedule scans during a slow time so there is no negative impact
Perform tests, assign tasks and log results
– Document vulnerabilities, analyze data and make recommendations
Finalize documentation into a report or presentation
Scanning Approaches
Select the best approach for your environment
Conducting a campus-wide vulnerability assessment
– Good for a baseline risk assessment
– Will produce too many vulnerabilities to deal with
– Requires much time and many resources to conduct and sift through data
Scan all high priority devices
– Select "Mission Critical" servers and hosts to scan
– Remediate only the severity 5 and 4 vulnerabilities
Scan the entire network for a few specific vulnerabilities
– Select the SANS Top 20 vulnerabilities to scan for
– Scan for a specific newly announced vulnerability
Compare the current assessment with a previous baseline
– Requires a baseline to be in place
– Only view deviations from the baseline, which reduces the number of identified vulnerabilities
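The last two approaches above (mission-critical hosts at severity 4 and 5, and deviations from a baseline) combine naturally with the Classify and Measure practices from the "Value of Vulnerability Assessments" slide, and the half-life law from the "Laws of Vulnerabilities" slide gives a benchmark to measure against. The following is an added example, not part of the presentation, that does all three over two constructed scans: the host names, findings, ports and the MISSION_CRITICAL classification are made up, and the severity scale is the 1-to-5 scale of the summary chart.

```python
"""Baseline comparison of two vulnerability scans, restricted to the
mission-critical hosts and severity 4-5 findings the scanning-approaches
slide recommends, with the Classify/Measure metrics from the best-practices
slide and Eschelbeck's half-life law as a remediation benchmark.
Added example, not from the presentation: hosts, findings and the
MISSION_CRITICAL classification below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: int   # 1 (low) .. 5 (high), the scale used on the summary chart
    title: str

    def key(self):
        # Identity of a finding across scans: same host, port and check.
        return (self.host, self.port, self.title)


# Constructed: hosts the institution classed as "mission critical" (Classify).
MISSION_CRITICAL = {"sis-db01", "mail01"}

# Constructed baseline scan (day 0) and follow-up scan (day 30).
BASELINE_SCAN = [
    Finding("sis-db01", 1433, 5, "Database listener accepts blank sa password"),
    Finding("sis-db01", 445, 4, "SMB signing not required"),
    Finding("mail01", 25, 4, "Open mail relay"),
    Finding("mail01", 110, 2, "Cleartext POP3 authentication"),
    Finding("www-test", 80, 5, "Default admin page exposed"),
]
CURRENT_SCAN = [
    Finding("sis-db01", 445, 4, "SMB signing not required"),        # persists
    Finding("mail01", 110, 2, "Cleartext POP3 authentication"),    # below severity cut-off
    Finding("mail01", 443, 4, "SSLv2 enabled"),                     # new since baseline
    Finding("www-test", 80, 5, "Default admin page exposed"),       # not mission critical
]


def in_scope(finding, critical_hosts=MISSION_CRITICAL, min_severity=4):
    """Scope filter from the slides: mission-critical hosts, severity 4 and 5."""
    return finding.host in critical_hosts and finding.severity >= min_severity


def _order(finding):
    return (finding.host, finding.port)


def diff_against_baseline(baseline, current, scope=in_scope):
    """Deviations from the baseline, in scope only: (new, resolved, persisting).
    Each list is sorted by host and port so reports are stable run to run."""
    base = {f.key(): f for f in baseline if scope(f)}
    cur = {f.key(): f for f in current if scope(f)}
    new = sorted((cur[k] for k in cur.keys() - base.keys()), key=_order)
    resolved = sorted((base[k] for k in base.keys() - cur.keys()), key=_order)
    persisting = sorted((cur[k] for k in cur.keys() & base.keys()), key=_order)
    return new, resolved, persisting


def severity_counts(findings):
    """Counts per severity level, the numbers behind the summary chart."""
    return dict(Counter(f.severity for f in findings))


def remediation_rate(baseline, current, scope=in_scope):
    """Measure: fraction of in-scope baseline findings that no longer appear."""
    _, resolved, persisting = diff_against_baseline(baseline, current, scope)
    total = len(resolved) + len(persisting)
    return len(resolved) / total if total else 1.0


def expected_open_fraction(severity, days, critical_half_life=30.0):
    """Half-life law as a benchmark: severity-5 findings have a 30-day half-life
    and the half-life doubles for each step down in severity, so the expected
    fraction still open after `days` is 0.5 ** (days / half_life)."""
    half_life = critical_half_life * 2 ** (5 - severity)
    return 0.5 ** (days / half_life)


if __name__ == "__main__":
    new, resolved, persisting = diff_against_baseline(BASELINE_SCAN, CURRENT_SCAN)
    print("new:", [f.title for f in new])
    print("resolved:", [f.title for f in resolved])
    print("persisting:", [f.title for f in persisting])
    print("baseline by severity:", severity_counts(BASELINE_SCAN))
    rate = remediation_rate(BASELINE_SCAN, CURRENT_SCAN)
    benchmark = 1 - expected_open_fraction(5, 30)
    print(f"remediated {rate:.0%} of in-scope findings in 30 days; "
          f"half-life benchmark for severity 5 is {benchmark:.0%}")
```

On the constructed data the in-scope report shrinks from five raw findings to one new, two resolved and one persisting, which is the point of filtering on classification and baseline deviation before anyone reads the detail. The identity key (host, port, title) is deliberate: scanner finding IDs change between product versions, and a title-based key survives that, at the cost of treating a reworded check as new.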
Security Awareness Program
Importance of an Education and Awareness Program
– People are the greatest source of IT security issues
– Insiders cause the majority of security breaches
– Most insider breaches are caused by:
» Lack of awareness of threats
» Assuming others are handling it
» Lack of knowledge on how to address it
» Security is a low priority
Components
– Define the target audience
– Tailor the message to meet the needs of each audience
– Delivery methods must be tailored to each group's needs
» Meetings, handbooks, web site, email alerts, new student orientation, workshops, seminars, articles, videos, posters
– Make it fun, but keep the message short and simple, though current and realistic
– Repetition is key
Business Continuity Planning
May be Part of an Overall Security Plan
– Includes a backup plan
– Includes a disaster recovery plan
– Conduct practice drills to test the plan and readiness
Backup, Recovery and Restoration
– Documented processes
– Critical backup files stored on-site and off-site
– Data backup/recovery/restoration plans developed and periodically tested
Business Continuity Planning (BCP)
– Involves the entire institution
– Keeps the department or college in business
– Manual processes documented
– "Cookbook" checklists and steps
– Cross-training of staff to ensure operational continuity of critical systems and applications
Create a CSIRT
Computer Security Incident Response Team (CSIRT)
Form Team
– Determine the representation and team membership required
– Solicit senior management support, including the CIO, provost and president
– Required to handle all incidents that occur
Activities
– Write a mission statement and goals
– Document incident response procedures
– Create an escalation list and contact information chain, including law enforcement contacts for out-of-hours incidents
Additional support resources
– http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
Value of Physical Security
Remember physical security – no longer just the night guard who carries a flashlight
Physical security covers natural disasters, fires, floods, intruders and power supplies.
– Administrative Controls
» Facility management
» Sensitive data or papers lying around?
» Neat and orderly computing rooms
– Technical Controls
» Temperature / humidity controls
» Fire suppression equipment
» UPS (uninterruptible power supply)
– Physical Controls
» Locks / combination / card swipe doors
» Lighting
» Fences
Conclusion
Complying with Regulatory Requirements
– Gramm-Leach-Bliley (GLB) Act and the Federal Trade Commission's Safeguards Rule
» Need for a documented Information Security Plan
– Other
» Family Educational Rights and Privacy Act (FERPA)
» California's Senate Bill 1386
» Health Insurance Portability and Accountability Act (HIPAA)
Begin the Journey
"Success is a journey not a destination. The doing is usually more important than the outcome."
– Arthur Ashe
Questions