TRANSCRIPT
Empowering Users With A Proactive Security Strategy
Lance D. Jordan GSEC, Director & Bob Gerdes, Project Manager
Rutgers University Computing Services
Information Protection & Security
Educause Mid-Atlantic Regional Conference
January 13, 2004
Copyright January 2004, Lance Jordan and Bob Gerdes. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
Agenda
• About Rutgers University
• The Mission
• The Challenges
• Problem statement
• Strategy
• Situational Awareness
• Vulnerability Scanning
• Tenable Console & Pilot Project
• RUScan architecture
• Evaluation & Feedback
• Future Uses
• Summary
About Rutgers University
• Newark (Exit 15W): 10K+ students
• New Brunswick/Piscataway (Exit 9): 5 campuses, 35K+ students
• Camden (Exit 5): 5K+ students
• 500+ buildings, 40K+ hosts, 60K+ users, 345 Mbps
• Public University, founded 1766, $1Bil+ budget, 270 degree programs, 130 research institutes, AAU member
About Rutgers University - IT Organization @ RU
[Org chart] Rutgers University Computing Services: Executive Director; Administrative Computing, Telecommunications, Information Protection; Campus Computing (New Brunswick, Newark, Camden); Academic and Administrative Departments
• 200+ FTEs
• 300+ FTEs, 600-800 students
The Mission
Develop and execute a strategy for an effective university-wide information protection and computer security program
Be proactive rather than reactive
Increase and sustain user security awareness
Improve business continuity planning
The Challenges: What do we really understand about our computing environment?
• Stable & competent central IT staff
  – Departmental staff with varying skill sets
  – Not centrally managed
• Large untrained & transient user population
• Transient work force (student workers)
• Numerous vendor products & multiple operating systems
• Open & highly distributed computing systems
• Competing priorities & projects
• Collaborative process
• Expectation of privacy
• Ease of access to information
Q: How to provide users with better information that enables them to set priorities in resolving computer security problems?
A: Better security through better intelligence & better tools
Problem Statement
“Forewarned is forearmed…” – Ben Franklin
• Pick a model
  – People, Processes, Technology
  – SWOT
  – Defense in depth, etc.
• Develop/Refine Computing Policies
• Conduct Security Self Evaluation & Risk Assessment
  – http://rusecure.rutgers.edu/sec_plan/baseline_IT_sec_cklst.php
Strategy-Planning
• Organize Computer Incident Response team
  – Set up info sharing capability
  – Develop procedures & processes, etc.
  – Be flexible
• Create information sharing listservs
• Plan centralized data BU & BCP
  – Vendors?
• Account creation process with strong password enforcement
• Authentication/Authorization/Access (RADIUS/KERBEROS/LDAP)
• User Awareness program
• VPN
• Develop OS patching strategy
• Use secure protocols (SSL, SSH, Secure FTP)
• Install anti-spoofing on routers
• Vulnerability assessments through scanning
Strategy-Prevention
• Anti-virus software (University site license)
  – Filtering at central email servers & desktops
• SPAM filtering on central servers
• Firewalls
  – LAN-based and host-based
• IDS
• Syslog/Event log for IDS & FW
Strategy-Detection
• Notification & follow-up process
• After-hours contact list
• Preserve evidence
• Patch or “burn and rebuild”
• Statistical trending
• Lessons learned
Strategy-Reaction/Recovery
Situational Awareness: It is all about the decision cycle. You don’t have to be the best or the fastest; just a step ahead of the threat, or less vulnerable than the other guy.
• Hacker advantages:
  – Initiative
  – No boundaries
  – Time
• Your advantages:
  – Knowledge of your environment & culture
  – Knowledge of the location of critical assets & information
  – Ability to adjust policy
  – What needs to be available vs. confidential (data, services, etc.)
Situational Awareness - How do you become aware...?
• SANS Top 10/20
• Incidents.org
• Bugtraq
• MS Technet
• Your favorite OS vendor
• AV alerts
• Firewall alerts
• IDS data
• Vulnerability scanning data
• CERT.org
• Slashdot
• The merging of vulnerability scanning data with IDS data is part of the answer
  – An active and dedicated vulnerability scanning program develops a database of history
  – Combined with IDS data, it correlates what is vulnerable to active attacks
  – Helps to assess hackers’ intent & where to reduce your profile
  – Sets priority of work for sys admins
Situational Awareness - Lots of data… What is useful?
• Options initially limited by funding
  – SAINT (freeware version)
    • 3 months behind fee version
  – SARA
    • SANS Top 10… later Top 20
    • Code Red test
    • Established regular scans (avoided DoS & buffer overflow side effects)
Short history of vulnerability scanning @ RU
• SARA – Major progress with buy-in from departments regarding weak passwords and open file shares
  – Distributed process
  – Reports easy to understand, including remediation instructions
  – Abuse incidents dropped off for a few months
  – When incidents began to increase, little correlation with vulnerabilities
Short history of vulnerability scanning @ RU…..
• Nessus
  – SANS Top 20
  – Needed to provide additional options for departmental scans
  – Began to establish scan alerts
  – Needed to simplify managing scans across multiple scanners
  – Needed to reduce false positives
Short history of vulnerability scanning @ RU…..
• Separate project had evaluated IDS technology
  – Proprietary hardware and software with steep learning curve
  – High false positive rate
  – Looked for an alternative
• Discovered white papers about a product that tied IDS with vulnerability scanning data
  – Combined Nessus results with IDS results to reduce false positives
  – Capable of managing several distributed Nessus scanners
  – Provided departments the capability to conduct their own scans
Finding Tenable
Pilot Project
• Created a test plan that would evaluate all of the Tenable features
• Set target date of June 2003 university-wide scan to test Tenable
• Identified training needs and other needs (IDS setup or Nessus setup)
• Held several coordination sessions
• Recruited partner departments to participate
  – Wanted a mix of departments with and without network-based firewalls
  – Needed some departments to set up IDSs
[Project schedule chart: Gantt view of pilot tasks for Jan 2004 (Task 1, 3, 4, 5; 3 to 10 days each, all starting 1/8/2004)]
• Lots of moving parts
  – Setting up Linux for Snort or Nessus
  – Connecting IDS
  – Connecting Nessus scanners
• Learning curve
  – Pulling all the parts together
  – Accounts philosophy in departments
  – Creating/cloning scan policies
    • All but DoS
  – Report generation
  – Departments
    • Initiating scans
    • Browsing reports
    • Remediation process
  – Automated alerts based on IDS/vulnerability match for the same IP using CVE/BID #s
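The correlation the talk keeps returning to (an IDS alert is worth acting on first when the scanner has already shown the same host open on the same CVE/BID) is simple enough to show end to end. The following is an added example written for this transcript; it is not code from the Rutgers project or from Tenable's product. The record layouts, field names, flag vocabulary and all sample scan findings, IDS alerts and CVE/BID identifiers are constructed for the example, not real Nessus or Snort output. It merges both data sets per host, flags each host, and emits the one-line-per-host CSV with flags that the feedback slides ask for.

```python
"""Correlate vulnerability-scan findings with IDS alerts by host and CVE/BID.

Added example, not from the Rutgers deck or Tenable. Layouts and sample
data are constructed; the identifiers below are placeholders, not real CVEs.
"""
from collections import defaultdict
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class Finding:
    """One scanner result for one host/port (constructed layout, not Nessus's)."""
    ip: str
    port: int
    plugin: str
    refs: frozenset  # CVE/BID identifiers the scanner attached to the finding


@dataclass(frozen=True)
class Alert:
    """One IDS alert (constructed layout, not Snort's)."""
    ip: str          # attacked host (destination)
    src: str         # attacking host (source)
    sig: str
    refs: frozenset  # CVE/BID identifiers carried by the signature


# Constructed sample scan output: two hosts with referenced findings, one banner-only
SCAN = [
    Finding("10.0.5.20", 445, "Example SMB service check", frozenset({"CVE-0000-0001", "BID-00001"})),
    Finding("10.0.5.20", 80, "Example web server banner", frozenset()),
    Finding("10.0.5.21", 22, "Example SSH version check", frozenset({"CVE-0000-0002"})),
    Finding("10.0.5.22", 139, "Example NetBIOS share check", frozenset({"BID-00003"})),
]

# Constructed sample IDS alerts: one matches an open finding, one misses, one hits an unscanned host
IDS = [
    Alert("10.0.5.20", "192.0.2.9", "Example SMB exploit attempt", frozenset({"CVE-0000-0001"})),
    Alert("10.0.5.21", "192.0.2.9", "Example SSH probe", frozenset({"CVE-0000-0099"})),
    Alert("10.0.5.30", "192.0.2.10", "Example web scan", frozenset({"BID-00050"})),
]

# Flag vocabulary is the example's own; lower number sorts first in the work list
PRIORITY = {"CONFIRMED": 0, "TARGETED": 1, "VULNERABLE": 2, "INFO": 3}
FIELDS = ["ip", "flag", "matched_refs", "open_refs", "alerts", "sources"]


def correlate(scan, alerts):
    """Merge findings and alerts per host and flag each host.

    CONFIRMED  : an alert hit the host on a CVE/BID the scanner also found open
    TARGETED   : the host was attacked, but on nothing the scanner reported open
    VULNERABLE : the scanner found referenced issues; no attack seen yet
    INFO       : only informational findings, no alerts
    """
    by_host = defaultdict(lambda: {"findings": [], "alerts": []})
    for f in scan:
        by_host[f.ip]["findings"].append(f)
    for a in alerts:
        by_host[a.ip]["alerts"].append(a)

    rows = []
    for ip, data in by_host.items():
        open_refs = set()
        for f in data["findings"]:
            open_refs |= f.refs
        matched = set()
        for a in data["alerts"]:
            matched |= a.refs & open_refs  # same IP and same CVE/BID
        if matched:
            flag = "CONFIRMED"
        elif data["alerts"]:
            flag = "TARGETED"
        elif open_refs:
            flag = "VULNERABLE"
        else:
            flag = "INFO"
        rows.append({
            "ip": ip,
            "flag": flag,
            "matched_refs": ";".join(sorted(matched)),
            "open_refs": ";".join(sorted(open_refs)),
            "alerts": len(data["alerts"]),
            "sources": ";".join(sorted({a.src for a in data["alerts"]})),
        })
    rows.sort(key=lambda r: (PRIORITY[r["flag"]], r["ip"]))
    return rows


def to_csv(rows):
    """One line per host, flag first after the IP, so it can be sorted or grepped."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(correlate(SCAN, IDS)), end="")
```

With the constructed data, 10.0.5.20 comes out CONFIRMED (attacked on the CVE the scan found open), 10.0.5.21 and 10.0.5.30 are TARGETED (an alert fired, but either the CVE did not match or the host was never scanned, which is itself a gap worth closing), and 10.0.5.22 is VULNERABLE with no attack seen. Matching on the reference identifier rather than on signature text is what keeps the join honest across different scanner and IDS vendors.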
Evaluation & Feedback
• June scan went well
• Able to review summary results for all
• Able to shift time from managing tools to managing process
• Special purpose scans for MS Blaster & Nachi completed in one business day (2 Class B public & 3 Class B private)
Evaluation & Feedback…..
• Use asset tags to establish future scans or analysis
• Generalize IDS alerts
• Incorporate departmental requirements into scan alerts (highlight progress on patching & AV)
• Offer self-service scan for users
• Offer additional reporting formats
  – Increase scan alerts
  – One-liners with flags
    • Flags can be used to prioritize efforts
    • CSV format
Potential Uses in the future
• Empowering users with a proactive security strategy
  – Create a plan and execute your plan
  – Understand your environment
  – Team/Partnership effort
    • People, processes & technology
    • Central & distributed
    • Network/App Dev/Departments
  – Find/Create/Buy tools to enhance situational awareness
  – Not a trivial investment
    • Servers/people/software costs
  – Push/Pull technology and intelligence for users
    • There is a balance driven by the user community
  – Be flexible
Summary