Information Technology at Emory
The Building Blocks for Security at Emory University
Jay D. Flanagan, Security Team Lead, Technical Services

Copyright Jay D. Flanagan 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Information Technology at Emory
Information Technology Division, Technical Services

Past Security at Emory

• RACF on Mainframe
• Virus Scanning – Dr. Solomon
• Application Security
• Individual / department security measures


Initial Changes

• Hiring a dedicated security person
  – Handling only security issues
• Putting together a security team
  – Developing the security goals and objectives
• Creating a security architecture
  – Road map for new security initiatives
• Funding new security initiatives
  – Security initiatives implementation


New Security Initiatives

• Firewalls
• Virus Scanning
• Incident Response
• Web authentication / authorization
• Vulnerability Scanning
• Spam Detection
• Digital Certificates
• Security Awareness / Communication
• Intrusion Detection / Prevention (IDS / IPS)
• Network Registration
• HIPAA / Other Federal Regulations


Firewalls

• Implemented Checkpoint FW-1 (3)
  – School of Public Health
  – Border
  – Trusted Core
• Implemented Checkpoint VPN-1 (1)
  – Remote Access to Trusted Core
  – Secure Remote Client


Firewalls

• School of Public Health (SPH)
  – Implemented for research grant
  – Protects all SPH machines
  – Tweaked on a regular basis
• Border
  – Protects entire university
  – Protects against major vulnerabilities and hacks
    • NetBIOS
    • SQL vulnerabilities
    • Forces SMTP traffic to our virus scanners
    • Blocks all internet access to our resnet subnets
  – Tweaked on a regular basis


Firewalls

• Trusted Core
  – Protects sensitive data
    • PeopleSoft Data
      – SSNs
    • HR Data
      – SSNs
    • Financial Data
      – Payroll
      – Credit Cards
    • Student Data
      – FERPA Regulations
    • HIPAA Entities
      – HIPAA Regulations
  – Restricted rule set
    • Block everything, allow only specific access
  – Utilizes a DMZ for public access machines
    • DMZ firewall rules very restricted except for specific access ports
  – Access into Trusted Core only via the DMZ or secure remote client
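The border and Trusted Core slides describe one rule-set style: explicit blocks for NetBIOS and SQL, SMTP forced through the virus scanner, no Internet access to resnet, and a core that is reachable only from the DMZ or the remote-access client, with everything else denied. The model below is an added example, not Emory's Checkpoint configuration and not code from the presentation; the address plan, the host standing in for SMTP.service.emory.edu, the VPN pool, the application port 8000 and the well-known NetBIOS/SQL/SMTP port numbers are all assumptions introduced here.

```python
"""Default-deny packet-filter model: an added illustration, not Emory's
Checkpoint configuration. It encodes the rule-set style the slides describe
(block everything, allow only specific access; inbound SMTP only to the virus
scanner; no Internet access to resnet; Trusted Core reachable only from the
DMZ or the remote-access client). All networks, hosts and port numbers are
constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumed; not Emory's real addressing).
ANY = ip_network("0.0.0.0/0")
CAMPUS = ip_network("10.0.0.0/8")
RESNET = ip_network("10.20.0.0/16")
DMZ = ip_network("10.30.0.0/24")
TRUSTED_CORE = ip_network("10.40.0.0/24")
VPN_POOL = ip_network("10.50.0.0/24")            # secure remote client addresses (assumed)
VIRUS_SCANNER = ip_network("10.30.0.25/32")      # stands in for SMTP.service.emory.edu

# Well-known ports for the services the slides name (assumed; not given on the slides).
NETBIOS_PORTS = {137, 138, 139, 445}
SQL_PORTS = {1433, 1434}
SMTP_PORT = {25}
WEB_PORTS = {80, 443}
CORE_APP_PORT = {8000}                           # hypothetical application port in the core


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src: object        # ip_network
    dst: object        # ip_network (a /32 for a single host)
    dports: set        # empty set means any destination port
    action: str        # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        return not self.dports or pkt.dport in self.dports


def evaluate(rules, pkt: Packet):
    """First matching rule wins; a packet no rule mentions is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


# Border policy. The explicit denies come first so that no later, broader allow
# can reopen NetBIOS, SQL or direct SMTP delivery; the final rule makes the
# default-deny intent visible and loggable rather than relying on fall-through.
BORDER_RULES = [
    Rule("block-netbios", ANY, CAMPUS, NETBIOS_PORTS, "deny"),
    Rule("block-sql", ANY, CAMPUS, SQL_PORTS, "deny"),
    Rule("smtp-only-to-scanner", ANY, VIRUS_SCANNER, SMTP_PORT, "allow"),
    Rule("block-smtp-elsewhere", ANY, CAMPUS, SMTP_PORT, "deny"),
    Rule("block-resnet-inbound", ANY, RESNET, set(), "deny"),
    Rule("allow-web-dmz", ANY, DMZ, WEB_PORTS, "allow"),
    Rule("default-deny", ANY, CAMPUS, set(), "deny"),
]

# Trusted Core policy: only the DMZ (on a specific port) and the remote-access
# pool may reach the core; everything else on campus, including ordinary
# office subnets, hits the default deny.
TRUSTED_CORE_RULES = [
    Rule("dmz-to-core-app", DMZ, TRUSTED_CORE, CORE_APP_PORT, "allow"),
    Rule("vpn-to-core", VPN_POOL, TRUSTED_CORE, set(), "allow"),
    Rule("default-deny", ANY, TRUSTED_CORE, set(), "deny"),
]


if __name__ == "__main__":
    samples = [
        (BORDER_RULES, Packet("198.51.100.7", "10.5.1.10", 445)),
        (BORDER_RULES, Packet("198.51.100.7", "10.30.0.25", 25)),
        (BORDER_RULES, Packet("198.51.100.7", "10.20.3.4", 80)),
        (TRUSTED_CORE_RULES, Packet("10.5.1.10", "10.40.0.8", 8000)),
        (TRUSTED_CORE_RULES, Packet("10.30.0.40", "10.40.0.8", 8000)),
    ]
    for rules, pkt in samples:
        print(pkt, "->", evaluate(rules, pkt))
```

The ordering matters: a campus office host is refused at the Trusted Core even though it is "inside", because the only paths in are the DMZ and the remote-access pool, which is the access model the slide states. Putting the SMTP allow for the scanner ahead of the SMTP deny for the rest of campus is what forces mail through the scanning path rather than to the 80-plus individual mail servers.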


Virus Scanning

• Implemented new virus scanning services
  – Email virus scanning
  – Desktop virus scanning
  – Server virus scanning


Virus Scanning

• Email virus scanning
  – All email coming into and going out of Emory is scanned for viruses
    • Over 80 email servers on campus
    • Outgoing must be set to SMTP.service.emory.edu
    • Utilizing Trend Micro’s Virus Wall
  – Set up for hourly updates
  – During the MyDoom virus incident, Virus Wall caught 864,000 viruses, of which 859,000 were MyDoom


Virus Scanning

• Desktop/Server virus scanning
  – Purchased more robust desktop and server virus scanning client
    • Symantec Norton Anti-Virus
  – Licensed for office/school and home use
  – Updated automatically daily
  – More often as necessary, manually
• Recommend server protection be implemented on sensitive data servers
  – Server and desktop product are the same


Incident Response

• Over the last several months security incidents have increased dramatically
• Types of incidents handled include:
  – Copyright
  – Hacks and hack attempts
  – Compromised machines
  – Viruses
  – Spam
  – Other


Incident Response

[Chart: Security Incidents per month, Sep to Feb; y-axis 0 to 160]


Incident Response

[Chart: Incidents by Type per month, Sep to Feb; y-axis 0 to 80; series: Copyright, Hacks/Attempts, Spam, Virus, Other]


Incident Response

• Coordination is vital across campus
  – All school and department local support representatives are part of the incident response team
• Implemented an incident response process
  – Incidents are received via many means, including:
    • Email – [email protected], [email protected]
    • Phone – Help Desk


Incident Response

  – Incident information is passed to the Security Team
  – Security Team researches the incident, creates a help desk ticket and logs the incident
    • IP address information
    • MAC address information
    • NetBIOS information
  – Security forwards the ticket to the Network Communications team, which:
    • Captures the MAC address (if not previously found)
    • Finds the location (if possible)
    • Disables the port or access to the internet
    • Updates and sends the ticket back to the Security Team


Incident Response

  – Security Team forwards the ticket to the school or department representative (local support), who will handle cleaning the machine
  – Once the machine is cleaned, the Security Team is notified. Security then:
    • Updates the log
    • Notifies NetCom to re-enable the port / IP address
    • Closes the help desk ticket
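The three incident-response slides above describe a fixed sequence of hand-offs: Security logs the incident against the IP/MAC/NetBIOS details, NetCom captures the MAC and disables the port, local support cleans the machine, and only then does Security have the port re-enabled and close the ticket. The model below is an added example, not Emory's help desk or ticketing system and not code from the presentation; it encodes that sequence as a state machine that refuses out-of-order steps. The state names, team labels, ticket ids and the sample incident values are all constructed here.

```python
"""Incident-ticket workflow model: an added illustration, not Emory's help
desk or ticketing system. It encodes the hand-offs the slides describe
(Security Team logs, NetCom contains, local support cleans, Security
re-enables and closes) as a state machine that refuses out-of-order steps.
Team names, ticket ids and the sample incident are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Allowed hand-offs, in the order the slides describe them.
TRANSITIONS = {
    "received": {"logged"},                  # Security Team researches and logs
    "logged": {"at_netcom"},                 # ticket forwarded to NetCom
    "at_netcom": {"contained"},              # port / internet access disabled
    "contained": {"at_local_support"},       # forwarded to school/department rep
    "at_local_support": {"cleaned"},         # local support reports machine cleaned
    "cleaned": {"reenabled"},                # Security asks NetCom to re-enable
    "reenabled": {"closed"},                 # Security updates log, closes ticket
}


@dataclass
class IncidentTicket:
    ticket_id: str
    kind: str                                # copyright, hack, compromised, virus, spam, other
    ip: Optional[str] = None
    mac: Optional[str] = None
    netbios_name: Optional[str] = None
    location: Optional[str] = None
    state: str = "received"
    history: list = field(default_factory=list)

    def advance(self, new_state: str, actor: str, note: str = "") -> None:
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.ticket_id}: cannot go {self.state} -> {new_state}")
        # Gates implied by the process: an incident is logged against an IP, and
        # NetCom cannot disable a port until the MAC address behind it is known.
        if new_state == "logged" and not self.ip:
            raise ValueError(f"{self.ticket_id}: IP address required before logging")
        if new_state == "contained" and not self.mac:
            raise ValueError(f"{self.ticket_id}: MAC address required before disabling port")
        self.history.append((self.state, new_state, actor, note))
        self.state = new_state


def run_sample_incident() -> IncidentTicket:
    """Walks one constructed compromised-machine report through the whole process."""
    t = IncidentTicket("HD-0001", "compromised")          # constructed ticket id
    t.ip, t.netbios_name = "10.5.1.10", "LAB-PC-07"       # constructed research results
    t.advance("logged", "security", "help desk ticket created, incident logged")
    t.advance("at_netcom", "security", "forwarded to Network Communications")
    t.mac, t.location = "00:11:22:33:44:55", "Building A, room 101"   # constructed
    t.advance("contained", "netcom", "switch port disabled")
    t.advance("at_local_support", "security", "forwarded to department local support")
    t.advance("cleaned", "local_support", "machine rebuilt and patched")
    t.advance("reenabled", "netcom", "port re-enabled at Security's request")
    t.advance("closed", "security", "log updated, ticket closed")
    return t


def try_skip_containment() -> str:
    """Forwarding to local support before NetCom has contained the machine is refused."""
    t = IncidentTicket("HD-0002", "virus", ip="10.5.1.11")
    t.advance("logged", "security")
    try:
        t.advance("at_local_support", "security")
    except ValueError as err:
        return str(err)
    return "unexpectedly allowed"


def try_contain_without_mac() -> str:
    """Disabling a port with no MAC address recorded is refused."""
    t = IncidentTicket("HD-0003", "hack", ip="10.5.1.12")
    t.advance("logged", "security")
    t.advance("at_netcom", "security")
    try:
        t.advance("contained", "netcom")
    except ValueError as err:
        return str(err)
    return "unexpectedly allowed"


if __name__ == "__main__":
    done = run_sample_incident()
    for old, new, actor, note in done.history:
        print(f"{old:>17} -> {new:<17} [{actor}] {note}")
    print(try_skip_containment())
    print(try_contain_without_mac())
```

The `history` list doubles as the incident log the slides mention: every hand-off records who moved the ticket and why, so the time a machine spent disconnected and the team that held it at each stage can be read back later. The two gates are the points where the slides say information must already exist (an IP to log against, a MAC before NetCom can act on a port).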


Web Authentication/Authorization

• Netegrity SiteMinder
  – Chosen after a lengthy evaluation of web authentication/authorization products
  – Utilizes LDAP directories
    • Integrated with our Healthcare LDAP
  – Protecting upwards of 38 applications, with more coming online every day
  – Allows for distributed administration


Vulnerability Scanning

• Currently utilizing ISS Internet Scanner
  – Proactively scan over 100 machines on a monthly, bi-monthly or quarterly basis
  – Scan machines after security incidents
  – Scan network on an irregular basis to check for vulnerabilities
  – Scan machines as part of security audits
  – Recommend regular scanning of machines storing sensitive data
  – Implementing the Nessus scanning tool for more complete scanning coverage


Spam Detection

• Implemented spam detection in November 2003
  – Utilizing Trend Micro’s Spam Prevention Service (SPS)
    • Can handle over 50 messages a second
    • Has over 90% success rate
    • For the week of April 12th through April 18th, 2,531,941 emails passed through our spam scanners. Of these 2,531,941 emails, 1,806,723 (71%) were marked as spam.
  – Scanning all incoming email for spam
    • Looking to scan outgoing email in the future
    • Looking to scan other school / department email in the future
  – Statistics have determined that over 70% of current email coming into Emory is spam


Digital Certificates

• Implemented VeriSign’s digital certificate service
  – Over 20 certificates in service on various servers
    • PeopleSoft
    • Web Servers
    • Finance
    • HR
  – Allows 128-bit encryption for these servers’ applications


Security Awareness/Communication

• Updated and more relevant security web pages
  – Created Security Awareness Page
    • http://security.it.emory.edu
    • Includes updated information on vulnerabilities and viruses
    • Includes statistics from our virus scanners and spam scanners, as well as the total number of security incidents for that month
    • Includes important links to vulnerability and virus vendors, as well as other important security issues


Security Awareness/Communication

• Regularly meet with school and department heads
  – Discuss current security projects and implementations
  – Discuss security awareness issues
  – Working with school and department heads to get on team meeting agendas to do a security awareness presentation
  – Security Audits
    • Audit schools and departments for security issues, and recommend how to fix the problems


Security Awareness/Communication

• Security Posters
  – Created and distributed security posters across campus to promote security awareness
• Security Brochures
  – Created and distributed security brochures across campus to promote security awareness
  – Brochures will be included in mailing to new students
  – Brochures will be handed out during security awareness presentations


Security Awareness/Communication

• Student Newspaper Articles
  – Running full page security awareness ads in our student newspaper, the Emory Wheel
• Back to School Orientations
  – Doing security awareness presentations at our back to school orientations each fall


Security Awareness/Communication

• Information Security Awareness Mini-Conference
  – Had the first annual security awareness mini-conference at Emory on April 14, 2004
  – Over 110 people attended the presentations
    • Security awareness
    • Legal issues
    • HIPAA
    • Other University awareness issues


Intrusion Detection / Prevention

• Evaluated multiple products
  – ISS RealSecure
  – Symantec’s Manhunt
  – Tipping Point’s Unity One
  – Reflex Security’s Interceptor
• Chose Tipping Point’s Unity One
• Implemented scanners at border and Trusted Core firewalls
• After initial implementation, may look to implement more IPS on host machines


Network Registration

• Using NetReg open source code
• Being written in-house
• Tying a network id to a MAC address
• Working to tie vulnerability and patch scanning into the tool (Nessus)
• Initially only students will be required to register (Resnet)
  – Future would include all users


HIPAA/Other Govt. Regulations

• Part of the HIPAA implementation team
  – Working with other university teams to protect HIPAA entities
    • Trusted Core Firewall will be utilized to protect a majority of these entities
    • Policies can be utilized to implement rules not included in the protection of the firewall
• Looking at other new government regulations
  – What do we need to do to implement and be in compliance?
    • Family Educational Rights and Privacy Act (FERPA)
    • Gramm-Leach-Bliley Act (GLBA)
    • Patriot Act
    • Sarbanes-Oxley


Summary

• Created a security architecture
• Implemented new security initiatives offering many new services
• Implemented better means of communication and awareness across the university
• Always looking at ways to improve processes


Contact Information

• Email: [email protected]
• Phone: 404-727-4962


Questions?