Posted 22-Dec-2015

Managing Security the Intelligent Way:

Moving from Spreadsheets to a Knowledge Base

Joshua Drummond, Security Architect

Neil Matatall, Security Programmer/Analyst

Marina Arseniev, Associate Director of Enterprise Architecture

University of California, Irvine

University of California, Irvine

• Located in Southern California
• Year founded: 1965
• Enrollment: over 24K students
• 1,400 Faculty (Academic Senate)
• 8,300 Staff
• 6,000 degrees awarded annually
• Carnegie Classification: Doctoral/Research – Extensive
• Extramural funding: 311M in 2005-2006
• Undergoing significant enrollment growth

Our Security Status? http://www.privacyrights.org

– 800,000 in November 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information.

– 35,000 in December 2006: The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion, including names, SSNs, home addresses, phone numbers and e-mail addresses.

– 11,000 in February 2007: Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. The college stopped using SSNs as student IDs in 2002.

– 65,000 in February 2007: A programming error resulted in personal information of individuals being exposed on the University's Web site. Included were names, addresses, SSNs, and in some cases credit card numbers.

Security is Multi-layer

[Diagram: security layers and the controls at each layer]

• User: Identity Management, Authentication, Education
• Network/Web: Account Admin, Firewalls, Encryption, Logging/Auditing
• Application: Authorization, Logging/Audit, Test Tools
• Data: Authorization, Logging/Audit, Encryption, Inventory
• Operations: Backups (incl. off-site), Logging/Audit, Disaster Recovery
• Policies, Standards, Procedures, Technical Reference Architecture; Approved Tools and Lifecycle; Exceptions by Approval; Regularly reviewed

We do a lot today… SDLC and Change Management

• Security requirements and design reviews from the get-go
• Code reviews of all security and database code
• Developers reuse security components
– Single sign-on, authorization API, user identity objects
• Automated nightly code and application security scanning
– Jtest, AppScan, Nessus, database security scanning
• Scheduled network & configuration vulnerability scanning
– Firewall rules, Foundstone, Sophos virus scans, Tripwire
• Consolidated storage of sensitive data, database model reviews of personal identity data
• Concurrency and stress testing to detect thread security issues
– JMeter, OpenSTA (100s of concurrent virtual test users load)

REPEAT, REPEAT, and REPEAT…

Still had problems

• Urgent call from our director:
– Have you patched the server with X?
– Is Server Y behind a firewall?
– Did Server Y have any credit card information stored?
– Is the database encrypted?
– When was the last time a security review of Application X was done?
• Dana Doe is on vacation! Don't know!
• Different answers from different people!
• Little confidence that information is current.
• Spreadsheet Hell!
– Too many checklists, spreadsheets, and documents
– Host IP change introduces document update nightmare.
– If a server is added, remember to add it to the firewall rules in multiple spreadsheets. How about scanning tools?
– Missing information, such as whom to contact for a problem.
– Scattered information in documents outside of Excel on multiple file systems and whiteboards; obscure, and owned by and accessible to different people

Objectives

• Needed to better organize, consolidate, and centralize security policy and procedures.
• Needed to manage "preventative security maintenance" more consistently and efficiently, with less redundancy…
– Security checklists and rules
– Security reviews and their results; track enforcement and follow-up
– Oversight functions for secure development, acquisition, maintenance and operations.

Agenda

• Background on Ontologies and Protege

• Realized value - demonstration of our knowledgebase and reports

• How to implement it in your organization

• Summary

• Useful URLs and Q&A

Background

• What is an Ontology?
– "An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce."
– Supports inheritable properties (is-a)
– Attributes of an object can be complex objects themselves (rich). Nestable…

[Figure: Book Ontology example, a class tree whose nodes are Writing; Short Story, Historical, Novel; and Classic, Medieval, Modern at the lowest level]

Stanford University's Protégé Knowledgebase and Ontology Tool

• Allows easy modeling and creation of ontologies
• Auto-generates forms for collecting and capturing information based on ontology and class definitions.
• "Reverse slots" allow rich linking ability and automatic updates of changing relationships.
– Remember the removal of the server and associated updates of firewall rules?
• Generates an HTML view of knowledge and ontology.
• Can use an XML plug-in
– generate reports in other formats and for specific audiences, without storing redundant data.
• Currently used for UCI Enterprise Architecture Repository
• Open source at http://protege.stanford.edu/

Protégé GUI

Protégé – Knowledge Capture

HIPAA?

Protégé – Application Instances

Protégé – Authentication Instances

Protégé – Authorization Instances

Protégé – Patching Procedures

Protégé – Query Capability


Realized Value: Autogenerated Reports from Protégé

• Network Inventory Report
– By Host Name
– By IP Address
• Firewall Rules Report
– By Firewall
– By Host Name
– By IP Address
• Personal Identity Database Report
– By Server
– By Database
• Personal Identity Datafile Report
– By Server

Before and After - Firewalls

[Diagram: firewall administration roles involved before and after: Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin]

Report: Network Inventory

Reports: Personal Identity Database by Server

Using Protégé to Capture Reviews



How to Implement in your Organization…

• Step 1: Inventory existing spreadsheets and documents related to security.
• Step 2: Identify information you want to track centrally. What is important or critical? Do that first.
• Step 3: Design your ontology (or copy ours)
• Step 4: Assign roles – who updates, who views
• Step 5: Capture information
• Step 6: Add any customizations to Protégé
• Step 7: Create secured reports for various audiences
– Validate reports and usefulness of collected information with stakeholders.

How - Our Ontology

How - Protégé Customizations

• Although editing of the knowledge base is done centrally through the Protégé desktop client, we wanted to automate the generation of all report output
• Wrote two custom Java classes that use the Protégé API to perform, from an automated command-line script, the export actions usually done through the GUI
– edu.uci.adcom.protege.ProjectXmlExport
– edu.uci.adcom.protege.ProjectHtmlExport
• Modified the existing HTML Export plug-in to change the structure of the output HTML
– List Instances before Slots on Class pages
– Made string attributes that are URLs actual hyperlinks
– Add line breaks between multiple Slot values

Using Protégé to Capture Reviews

How – Using XSLT for Reports

• Replicate exactly and replace former spreadsheets with the same functionality
• Created canned reports for specific views on knowledge
• XSLT is used to transform the XML export of the entire knowledge base into report-specific "simple" XML
• Then again from the "simple" XML to multiple HTML views for each report, or to an Excel spreadsheet
• XSL and CSS are flexible and can be modified to customize presentation of data
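The two-stage pipeline described above (full knowledge-base XML export to a report-specific "simple" XML, then to HTML) as an added Python example; it is not the deck's XSLT stylesheets or Protégé's own export. KB_EXPORT is a constructed stand-in whose element and slot names are assumptions, and xml.etree stands in for the two XSLT passes.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the knowledge-base XML export; Protégé's real export
# schema differs, only the instance/slot shape is kept here.
KB_EXPORT = """<kb>
<instance name="srv-01" class="Host"><slot name="hostname">payroll-db</slot></instance>
<instance name="srv-02" class="Host"><slot name="hostname">web-01</slot></instance>
<instance name="db-payroll" class="Database"><slot name="runs_on">srv-01</slot></instance>
<instance name="db-alumni" class="Database"><slot name="runs_on">srv-01</slot></instance>
<instance name="payroll.ssn" class="DataField"><slot name="field_of">db-payroll</slot>
  <slot name="pii">true</slot><slot name="encrypted">false</slot></instance>
<instance name="alumni.email" class="DataField"><slot name="field_of">db-alumni</slot>
  <slot name="pii">true</slot><slot name="encrypted">true</slot></instance>
<instance name="web.session" class="DataField"><slot name="field_of">db-alumni</slot>
  <slot name="pii">false</slot><slot name="encrypted">false</slot></instance>
</kb>"""

def load_instances(xml_text):
    """Flatten the export into {name: {"class": ..., slot: value}}."""
    out = {}
    for inst in ET.fromstring(xml_text).findall("instance"):
        out[inst.get("name")] = {"class": inst.get("class"),
                                 **{s.get("name"): s.text for s in inst.findall("slot")}}
    return out

def to_simple_xml(instances):
    """First pass (the deck's first XSLT stage): report-specific 'simple' XML,
    nesting personal-identity fields under their database and server."""
    report = ET.Element("report", title="Personal Identity Database by Server")
    servers = {}
    for db_name, db in sorted(instances.items()):
        if db["class"] != "Database":
            continue
        host = instances[db["runs_on"]]["hostname"]
        if host not in servers:
            servers[host] = ET.SubElement(report, "server", hostname=host)
        db_el = ET.SubElement(servers[host], "database", name=db_name)
        for f_name, f in sorted(instances.items()):
            if f["class"] == "DataField" and f["field_of"] == db_name and f["pii"] == "true":
                ET.SubElement(db_el, "field", name=f_name, encrypted=f["encrypted"])
    return report

def to_html(report):
    """Second pass: the 'simple' XML becomes one HTML table row per PII field."""
    rows = "".join("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
                   % (s.get("hostname"), d.get("name"), f.get("name"), f.get("encrypted"))
                   for s in report for d in s for f in d)
    return ("<h1>%s</h1><table><tr><th>Server</th><th>Database</th><th>Field</th>"
            "<th>Encrypted</th></tr>%s</table>" % (report.get("title"), rows))
```

Hosts with no personal-identity database (web-01) and non-PII fields (web.session) drop out in the first pass, so the HTML pass never sees data the report audience should not get.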

Reports: Personal Identity Datafile by Server

How - Putting it all together

• An Ant script is used to tie everything together and make it easily scheduled from the command line

Before

• Firewalls
– Border, Police, Financial Services, Windows OS, and Server Firewall
– Each firewall had its own spreadsheet (5 spreadsheets total)
– 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
• White boards
– Partial network inventory
– Unpatched servers on whiteboard
• 4 units keeping redundant or out-of-sync information in private locations
• Limited access - personal computers
• Sensitive data locations unclear
• No version management of applications
• Servers with no virus protection or backups

After

• Rich inventory of knowledge, including firewall rules and network inventory
• New information that didn't exist before
• Zero spreadsheets
• 10 custom reports, both HTML and Excel
• Centralized maintenance of a single repository across organizational units
• Access based on privileges
• 60 individuals in the organization have a clear view of potential holes in security for analysis and proactive planning
• Sensitive data tracked
– 35 data files
– 50 database fields
• Tracking versions of 12 major applications for patch management
• Added 5 hosts to backup and anti-virus scanning procedure

Metrics

Future Plans

• Continue to evolve the ontology to include more attributes and relationships
• Continue capturing and updating new information
• Look into using the Protégé Web-based front-end with a JDBC backend to support multi-user updates and views.
• Generate checklists intelligently based on attributes for reviews
– Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
• Generate more canned reports.
• Write queries that proactively determine potential trouble spots
– A personal identity database field that has not been encrypted.
– An application review that requires follow-up on security vulnerabilities
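The reverse-slot behaviour from the Protégé slide (delete a server and every firewall that pointed at it is updated automatically) together with the two trouble-spot queries listed above, as one added Python example; this is not code from the deck or from Protégé. The KnowledgeBase class, the slot names and the sample instances are assumptions constructed for illustration.

```python
class KnowledgeBase:
    """Frames-style store: each instance is a dict of slots. `inverse` names slot pairs
    that are reverse slots of each other, so a -> b also records b -> a and deletion retracts both."""
    def __init__(self, inverse):
        self.inverse = {**inverse, **{v: k for k, v in inverse.items()}}
        self.instances = {}

    def add(self, name, cls, **slots):
        self.instances[name] = {"class": cls}
        for slot, value in slots.items():
            self.set(name, slot, value)

    def set(self, name, slot, value):
        inst = self.instances[name]
        if slot not in self.inverse:            # plain attribute slot
            inst[slot] = value
        else:                                   # linked slot: value lists instance names
            for target in value:
                inst.setdefault(slot, set()).add(target)
                self.instances[target].setdefault(self.inverse[slot], set()).add(name)

    def remove(self, name):                     # e.g. a decommissioned host
        inst = self.instances.pop(name)
        for slot, reverse in self.inverse.items():   # retract every link that pointed here
            for target in inst.get(slot, ()):
                self.instances[target].get(reverse, set()).discard(name)

    def query(self, cls, predicate):
        return sorted(n for n, i in self.instances.items()
                      if i["class"] == cls and predicate(i))

def build_sample_kb():   # constructed sample data in the deck's vocabulary, not UCI's inventory
    kb = KnowledgeBase({"protected_by": "protects", "runs_on": "hosts_db",
                        "field_of": "has_field", "reviews": "reviewed_by"})
    kb.add("fw-border", "Firewall")
    kb.add("srv-01", "Host", ip="10.0.0.1", protected_by=["fw-border"])
    kb.add("srv-02", "Host", ip="10.0.0.2", protected_by=["fw-border"])
    kb.add("db-payroll", "Database", runs_on=["srv-01"])
    kb.add("payroll.ssn", "DataField", pii=True, encrypted=False, field_of=["db-payroll"])
    kb.add("payroll.name", "DataField", pii=True, encrypted=True, field_of=["db-payroll"])
    kb.add("app-payroll", "Application")
    kb.add("rev-2007-02", "SecurityReview", followup_needed=True, reviews=["app-payroll"])
    return kb

def hosts_behind(kb, firewall):               # what the Firewall Rules report lists
    return sorted(kb.instances[firewall].get("protects", ()))
def unencrypted_pii_fields(kb):               # trouble-spot query: unencrypted PII field
    return kb.query("DataField", lambda f: f.get("pii") and not f.get("encrypted"))
def reviews_needing_followup(kb):             # trouble-spot query: review awaiting follow-up
    return kb.query("SecurityReview", lambda r: r.get("followup_needed", False))
```

Because only the forward link is ever written by hand, the firewall's `protects` list can never drift out of sync with the hosts, which is the spreadsheet failure the deck describes.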