Information Technology at Emory
The Building Blocks for Security at Emory University
Jay D. Flanagan, Security Team Lead, Technical Services
Copyright Jay D. Flanagan 2004.
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Information Technology at Emory
Information Technology Division, Technical Services
Past Security at Emory
• RACF on Mainframe
• Virus Scanning – Dr. Solomon
• Application Security
• Individual / department security measures
Initial Changes
• Hiring a dedicated security person
  – Handling only security issues
• Putting together a security team
  – Developing the security goals and objectives
• Creating a security architecture
  – Road map for new security initiatives
• Funding new security initiatives
  – Security initiatives implementation
New Security Initiatives
• Firewalls
• Virus Scanning
• Incident Response
• Web authentication / authorization
• Vulnerability Scanning
• Spam Detection
• Digital Certificates
• Security Awareness / Communication
• Intrusion Detection / Prevention (IDS / IPS)
• Network Registration
• HIPAA / Other Federal Regulations
Firewalls
• Implemented Checkpoint FW-1 (3)
  – School of Public Health
  – Border
  – Trusted Core
• Implemented Checkpoint VPN-1 (1)
  – Remote Access to Trusted Core
  – Secure Remote Client
Firewalls
• School of Public Health (SPH)
  – Implemented for research grant
  – Protects all SPH machines
  – Tweaked on a regular basis
• Border
  – Protects entire university
  – Protects against major vulnerabilities and hacks
    • NetBIOS
    • SQL vulnerabilities
    • Forces SMTP traffic to our virus scanners
    • Blocks all internet access to our ResNet subnets
  – Tweaked on a regular basis
Firewalls
• Trusted Core
  – Protects sensitive data
    • PeopleSoft Data
      – SSNs
    • HR Data
      – SSNs
    • Financial Data
      – Payroll
      – Credit Cards
    • Student Data
      – FERPA Regulations
    • HIPAA Entities
      – HIPAA Regulations
  – Restricted rule set
    • Block everything, allow only specific access
  – Utilizes a DMZ for public access machines
    • DMZ firewall rules very restricted except for specific access ports
  – Access into Trusted Core only via the DMZ or Secure Remote Client
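The border and Trusted Core slides describe one policy shape: specific denies for known-bad services, a small allow list, SMTP forced through the virus scanners, nothing into the core except from the DMZ or the VPN client, and a default deny for everything else. The Python model below is an added example written for this page, not Emory's Check Point configuration; every zone, address, port and rule in it is constructed for illustration (the 10.x ranges, the virus wall address, the DMZ-to-core database port), and the evaluator is first-match with the default deny as the final fallthrough.

```python
"""Default-deny zone firewall model with a DMZ (added example; all addresses,
subnets and rule contents are constructed, not a real configuration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. "internet" is the catch-all; zone_of() picks the most specific.
ZONES = {
    "internet":     ip_network("0.0.0.0/0"),
    "campus":       ip_network("10.0.0.0/8"),
    "resnet":       ip_network("10.200.0.0/16"),
    "dmz":          ip_network("10.50.0.0/24"),
    "trusted_core": ip_network("10.60.0.0/24"),
    "vpn":          ip_network("10.70.0.0/24"),   # secure remote client pool
}
VIRUS_WALL = ip_address("10.50.0.25")  # constructed address of the SMTP virus scanner

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(addr):
    """Return the name of the most specific zone containing addr."""
    ip = ip_address(addr)
    best = "internet"
    for name, net in ZONES.items():
        if ip in net and net.prefixlen >= ZONES[best].prefixlen:
            best = name
    return best

NETBIOS_PORTS = {135, 137, 138, 139, 445}
SQL_PORTS = {1433, 1434}

# First-match rules: (source zones, destination zones, proto, ports, action).
# None means "any". Specific denies come first, then the allow list; anything
# that matches nothing falls through to the default deny in evaluate().
RULES = [
    ({"internet"}, None, None, NETBIOS_PORTS, "deny"),            # NetBIOS from outside
    ({"internet"}, None, None, SQL_PORTS, "deny"),                # SQL service ports
    ({"internet"}, {"resnet"}, None, None, "deny"),               # nothing inbound to ResNet
    ({"internet"}, {"dmz"}, "tcp", {80, 443}, "allow"),           # public web servers in DMZ
    ({"dmz", "vpn"}, {"trusted_core"}, "tcp", {1521}, "allow"),   # core reachable only from DMZ/VPN
    ({"campus", "resnet"}, {"internet"}, "tcp", {80, 443}, "allow"),  # outbound browsing
]

def evaluate(pkt, rules=RULES):
    """Return ('allow' | 'deny', reason) for pkt under the default-deny policy."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # SMTP is forced through the virus wall regardless of direction: only
    # traffic to or from the scanner itself may carry port 25.
    if pkt.proto == "tcp" and pkt.dport == 25:
        if VIRUS_WALL in (ip_address(pkt.src), ip_address(pkt.dst)):
            return "allow", "smtp via virus wall"
        return "deny", "smtp must pass through the virus wall"
    for src_zones, dst_zones, proto, ports, action in rules:
        if src_zones is not None and src_zone not in src_zones:
            continue
        if dst_zones is not None and dst_zone not in dst_zones:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if ports is not None and pkt.dport not in ports:
            continue
        return action, f"rule {sorted(src_zones)} -> {sorted(dst_zones) if dst_zones else 'any'} ports={sorted(ports) if ports else 'any'}"
    return "deny", "default deny"

if __name__ == "__main__":
    for p in (Packet("203.0.113.7", "10.50.0.10", "tcp", 443),
              Packet("203.0.113.7", "10.50.0.10", "tcp", 445),
              Packet("10.1.2.3", "10.60.0.5", "tcp", 1521),
              Packet("10.1.2.3", "203.0.113.50", "tcp", 25)):
        print(p, evaluate(p))
```

Ordering is the point: the NetBIOS and SQL denies sit above the DMZ allow so that a public web server in the DMZ still cannot be reached on port 445, and a campus host reaching for the core database matches no allow and lands on the default deny, which is the "block everything, allow only specific access" rule set in code.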
Virus Scanning
• Implemented new virus scanning services
  – Email virus scanning
  – Desktop virus scanning
  – Server virus scanning
Virus Scanning
• Email virus scanning
  – All email coming into and going out of Emory is scanned for viruses
    • Over 80 email servers on campus
    • Outgoing must be set to SMTP.service.emory.edu
    • Utilizing Trend Micro’s Virus Wall
  – Set up for hourly updates
  – During the MyDoom virus incident, Virus Wall caught 864,000 viruses, of which 859,000 were MyDoom
Virus Scanning
• Desktop/Server virus scanning
  – Purchased more robust desktop and server virus scanning client
    • Symantec Norton Anti-Virus
  – Licensed for office/school and home use
  – Updated automatically daily
  – More often as necessary, manually
• Recommend server protection be implemented on sensitive data servers
  – Server and desktop product are the same
Incident Response
• Over the last several months security incidents have increased dramatically
• Types of incidents handled include:
  – Copyright
  – Hacks and hack attempts
  – Compromised machines
  – Viruses
  – Spam
  – Other
Incident Response
[Chart: Security Incidents per month, September through February; y-axis 0 to 160 incidents]
Incident Response
[Chart: Incidents by Type per month, September through February; y-axis 0 to 80 incidents; series: Copyright, Hacks/Attempts, Spam, Virus, Other]
Incident Response
• Coordination is vital across campus
  – All school and department local support representatives are part of the incident response team
• Implemented an incident response process
  – Incidents are received via many means, including:
    • Email – [email protected], [email protected]
    • Phone – Help Desk
Incident Response
  – Incident information is passed to the Security Team
  – Security Team researches incident, creates help desk ticket and logs incident
    • IP address information
    • MAC address information
    • NetBIOS information
  – Security forwards ticket to Network Communications team
    • Captures MAC address (if not previously found)
    • Finds location (if possible)
    • Disables port or access to internet
    • Updates and sends ticket back to Security Team
Incident Response
  – Security Team forwards ticket to school or department representative (local support) who will handle cleaning the machine
  – Once the machine is cleaned, the Security Team is notified. Security:
    • Updates log
    • Notifies NetCom to re-enable port / IP address
    • Closes help desk ticket
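The three slides above describe one hand-off chain: Security Team logs the incident (IP, MAC, NetBIOS), NetCom isolates the port, local support cleans the machine, NetCom re-enables, Security closes. What makes such a process hold up is that each step is only reachable from the previous one and only by the team that owns it, so a ticket cannot be closed while a port is still disabled or before the machine was cleaned. The Python below is an added example written for this page, not Emory's help desk or ticketing code; the state names, team names, ticket IDs, addresses and NetBIOS names are all constructed.

```python
"""Incident-ticket workflow with enforced hand-offs (added example; states,
teams and sample data are constructed, not Emory's ticketing system)."""
from dataclasses import dataclass, field
from typing import Optional

# state -> {next state: team allowed to perform that transition}
TRANSITIONS = {
    "received":           {"logged": "security"},
    "logged":             {"with_netcom": "security"},
    "with_netcom":        {"isolated": "netcom"},
    "isolated":           {"with_local_support": "security"},
    "with_local_support": {"cleaned": "local_support"},
    "cleaned":            {"reenabled": "netcom"},
    "reenabled":          {"closed": "security"},
}

class WorkflowError(Exception):
    """Raised when a team attempts a hand-off the process does not allow."""

@dataclass
class IncidentTicket:
    ticket_id: str
    incident_type: str
    ip: str
    mac: Optional[str] = None
    netbios_name: Optional[str] = None
    location: Optional[str] = None
    state: str = "received"
    history: list = field(default_factory=list)   # (actor, from, to, note)

    def advance(self, new_state, actor, note=""):
        """Move the ticket one step; refuse skipped steps and wrong actors."""
        allowed = TRANSITIONS.get(self.state, {})
        if new_state not in allowed:
            raise WorkflowError(f"{self.state} -> {new_state} is not a step in the process")
        if allowed[new_state] != actor:
            raise WorkflowError(f"only {allowed[new_state]} may move {self.state} -> {new_state}")
        if new_state == "logged" and not self.mac:
            raise WorkflowError("record the MAC address before logging the incident")
        self.history.append((actor, self.state, new_state, note))
        self.state = new_state
        return self

def run_sample_incident():
    """Walk one constructed compromised-machine incident through every hand-off."""
    t = IncidentTicket("HD-0001", "compromised machine", ip="10.200.7.42")  # constructed
    t.mac = "00:11:22:aa:bb:cc"        # security team looks up the MAC (constructed)
    t.netbios_name = "DORM-PC-17"      # constructed NetBIOS name
    t.advance("logged", "security", "ticket created, IP/MAC/NetBIOS recorded")
    t.advance("with_netcom", "security")
    t.location = "Dorm A, room 17"     # NetCom traces the port (constructed)
    t.advance("isolated", "netcom", "switch port disabled")
    t.advance("with_local_support", "security")
    t.advance("cleaned", "local_support", "OS reinstalled, anti-virus installed")
    t.advance("reenabled", "netcom", "switch port re-enabled")
    t.advance("closed", "security", "log updated, ticket closed")
    return t

def attempt_shortcut():
    """Local support trying to close a ticket directly: the process refuses."""
    t = IncidentTicket("HD-0002", "virus", ip="10.200.9.9", mac="00:0c:29:12:34:56")
    t.advance("logged", "security").advance("with_netcom", "security")
    t.advance("isolated", "netcom").advance("with_local_support", "security")
    try:
        t.advance("closed", "local_support")
    except WorkflowError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    done = run_sample_incident()
    for entry in done.history:
        print(entry)
    print("shortcut refused:", attempt_shortcut())
```

The history list doubles as the log the Security Team keeps: every transition records who did it and why, which is what an auditor or a later incident review will ask for.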
Web Authentication/Authorization
• Netegrity SiteMinder
  – Chosen after a lengthy evaluation of web authentication/authorization products
  – Utilizes LDAP directories
    • Integrated with our Healthcare LDAP
  – Protecting upwards of 38 applications, with more coming online every day
  – Allows for distributed administration
Vulnerability Scanning
• Currently utilizing ISS Internet Scanner
  – Proactively scan over 100 machines on a monthly, bi-monthly or quarterly basis
  – Scan machines after security incidents
  – Scan network on an irregular basis to check for vulnerabilities
  – Scan machines as part of security audits
  – Recommend regular scanning of machines storing sensitive data
  – Implementing the Nessus scanning tool for more complete scanning coverage
Spam Detection
• Implemented spam detection in November 2003
  – Utilizing Trend Micro’s Spam Prevention Service (SPS)
    • Can handle over 50 messages a second
    • Has over 90% success rate
    • For the week of April 12th through April 18th, 2,531,941 emails passed through our spam scanners. Of these 2,531,941 emails, 1,806,723 (71%) were marked as spam.
  – Scanning all incoming email for spam
    • Looking to scan outgoing email in the future
    • Looking to scan other school / department email in the future
  – Statistics have determined that over 70% of current email coming into Emory is spam
Digital Certificates
• Implemented VeriSign’s digital certificate service
  – Over 20 certificates in service on various servers
    • PeopleSoft
    • Web Servers
    • Finance
    • HR
  – Allows 128-bit encryption for these servers’ applications
Security Awareness/Communication
• Updated and more relevant security web pages
  – Created Security Awareness Page
    • http://security.it.emory.edu
    • Includes updated information on vulnerabilities and viruses
    • Includes statistics from our virus scanners and spam scanners, as well as the total number of security incidents for that month
    • Includes important links to vulnerability and virus vendors, as well as other important security issues
Security Awareness/Communication
• Regularly meet with school and department heads
  – Discuss current security projects and implementations
  – Discuss security awareness issues
  – Working with school and department heads to get on team meeting agendas to do a security awareness presentation
  – Security Audits
    • Audit schools and departments for security issues, and recommend how to fix the problems
Security Awareness/Communication
• Security Posters
  – Created and distributed security posters across campus to promote security awareness
• Security Brochures
  – Created and distributed security brochures across campus to promote security awareness
  – Brochures will be included in mailing to new students
  – Brochures will be handed out during security awareness presentations
Security Awareness/Communication
• Student Newspaper Articles
  – Running full page security awareness ads in our student newspaper, the Emory Wheel
• Back to School Orientations
  – Doing security awareness presentations at our back to school orientations each fall
Security Awareness/Communication
• Information Security Awareness Mini-Conference
  – Had the first annual security awareness mini-conference at Emory on April 14, 2004
  – Over 110 people attended the presentations
    • Security awareness
    • Legal issues
    • HIPAA
    • Other University awareness issues
Intrusion Detection / Prevention
• Evaluated multiple products
  – ISS RealSecure
  – Symantec’s Manhunt
  – Tipping Point’s Unity One
  – Reflex Security’s Interceptor
• Chose Tipping Point’s Unity One
• Implemented scanners at border and Trusted Core firewalls
• After initial implementation, may look to implement more IPS on host machines
Network Registration
• Using NetReg open source code
• Being written in-house
• Tying a network ID to a MAC address
• Working to tie vulnerability and patch scanning into the tool (Nessus)
• Initially only students will be required to register (ResNet)
  – Future would include all users
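The registration slide describes two checks a NetReg-style gate makes before a ResNet machine gets network access: the MAC address is tied to a network ID, and (once scanning is tied in) the machine has a current, clean vulnerability scan. A practical detail the slide does not spell out is that MAC addresses arrive in several spellings (colon, dash, Cisco dotted, bare hex, mixed case), so the lookup key has to be normalised first or the same machine registers twice. The Python below is an added example written for this page, not Emory's NetReg code or the NetReg project's own; the registration table, scan records, network IDs, scan age limit and severity names are constructed.

```python
"""Network-registration gate: MAC normalisation, registration lookup and
scan-result check (added example; table contents and policy are constructed)."""
import re
from datetime import date, timedelta

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC, 0011.22aa.bbcc or bare hex;
    return canonical lowercase colon form, or raise ValueError."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed registration table: canonical MAC -> network ID
REGISTRATIONS = {
    "00:11:22:aa:bb:cc": "jstudent",
    "00:0c:29:12:34:56": "mdoe",
}
# Constructed scan records: canonical MAC -> (date of last scan, highest severity found)
SCAN_RESULTS = {
    "00:11:22:aa:bb:cc": (date(2004, 4, 10), "none"),
    "00:0c:29:12:34:56": (date(2004, 4, 1), "high"),
}
SCAN_MAX_AGE = timedelta(days=30)          # constructed policy: rescan monthly
BLOCKING_SEVERITIES = ("high", "critical")

def register(raw_mac, netid):
    """Tie a network ID to a MAC; normalisation prevents duplicate entries."""
    REGISTRATIONS[normalize_mac(raw_mac)] = netid

def admission_decision(raw_mac, today, require_scan=True):
    """Return (decision, detail); decision is 'admit', 'register' or 'quarantine'.
    'register' means send the client to the registration page; 'quarantine'
    means keep it off the production network until the condition is fixed."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError as exc:
        return "quarantine", str(exc)
    netid = REGISTRATIONS.get(mac)
    if netid is None:
        return "register", "unregistered MAC, redirect to registration page"
    if require_scan:
        scan = SCAN_RESULTS.get(mac)
        if scan is None or today - scan[0] > SCAN_MAX_AGE:
            return "quarantine", f"{netid}: no current scan, rescan required"
        if scan[1] in BLOCKING_SEVERITIES:
            return "quarantine", f"{netid}: unresolved {scan[1]} severity finding"
    return "admit", netid

if __name__ == "__main__":
    today = date(2004, 4, 20)   # constructed "now" matching the slide's period
    for mac in ("00:11:22:AA:BB:CC", "00-0c-29-12-34-56", "de:ad:be:ef:00:01", "zz"):
        print(mac, admission_decision(mac, today))
```

With require_scan=False the gate behaves like the initial ResNet rollout (registration only); switching it on is the "tie vulnerability and patch scanning into the tool" step, and an expired scan is treated the same way as a failed one, so a machine cannot keep its access just by never being rescanned.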
HIPAA/Other Govt. Regulations
• Part of the HIPAA implementation team
  – Working with other university teams to protect HIPAA entities
    • Trusted Core Firewall will be utilized to protect a majority of these entities
    • Policies can be utilized to implement rules not included in the protection of the firewall
• Looking at other new government regulations
  – What do we need to do to implement and be in compliance?
    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Patriot Act
    • Sarbanes-Oxley
Summary
• Created a security architecture
• Implemented new security initiatives offering many new services
• Implemented better means of communication and awareness across the university
• Always looking at ways to improve processes
Contact Information
• Email: [email protected]
• Phone: 404-727-4962