
Page 1: How to Create an IT Security Program Tracy Mitrano Steve Schuster R. David Vernon Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This

How to Create an IT Security Program

Tracy Mitrano
Steve Schuster
R. David Vernon

Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Outline

• History
• The policy component
• Security office today

Page 3: Setting the Stage

• Why worry?
  • Increased reliance on IT to support the teaching, research and business functions of Cornell
  • Nature of the IT tools being used
    • Operating systems
    • Cornell as an ISP
    • IP networks
    • Vast application suites

Page 4: Why Worry …

• National scrutiny
  • Post 9/11
  • Recording industry / copyright issues
  • Higher education as a “scapegoat” …
  • Peer pressure (Educause, I2, University presidents …)
  • HIPAA, FERPA …
• General liability specter of changing laws
• And, of course, increase in attacks …

Page 5: What do Our Peers Think a Security Program Should Do?

• Surveyed members of the Common Solution group.
  • R1 / Ivy …
• What are your “top 10” Information Technology Security service needs?

Page 6: 1) Information Technology Security Audits / Assessments

• Vulnerability scanning
• System hardware and application architecture review
• Patch status
• Open E-mail relay notification

Page 7: 2) Information Technology Security Tool Provisioning

• Virus software distribution
• Firewall software distribution / firewall hardware provisioning
• Custom security tool kit development
• Secure network (VPN) services
• Secure machine room services (Collocation)
• Central E-mail filtering (Spam and virus)

Page 8: 3) Incident Response

• Coordination and information dissemination
  • Internal & external parties
• Damage control / isolation
• Forensic analysis
• Resolution
• Post incident review

Page 9: 4) Information Technology Security Awareness

• Classes / Training
  • Technical
  • Executive
  • General patron
• Publications (Online and paper)
• Speakers
• Alerts: virus / worm notifications.
• Consulting
  • Technical
  • Executive

Page 10: 5) Intrusion Detection

• Network monitoring
• Network and central application log examination

Page 11: 6) Authentication / Authorization Services

• Certificate signing / authority
• Cryptographic key handling / escrow
• Access control

Page 12: 7) Information Technology Policy Enforcement and Abuse Response.

• Copyright infringement notification
• Response to abuse of applications / hardware
• Authority to enforce policy via technical means and university governance
• Formalized liaison role with legal / and select university authorities.

Page 13: And Finally -

• 8) Security Related Internet Standards Work
• 9) Information Technology Policy Development
• 10) Contingency Planning
  • Disaster recovery
  • Business continuity

Page 14: Within Cornell

• List is not unexpected
• Nice outline of ideal service scope
• However what is “obvious” is not always simple …
  • Nature of Cornell’s decentralized control of IT
  • Nature of IT technology
  • Budget constraints, etc
  • Demand for new services

Page 15: Cornell Guidance

• Security Taskforce
  • Charged by VP of IT
  • Examine current structures and recommend changes if needed.
  • Members included: JA, CU Police, Legal Counsel, Audit Office, Financial systems, Policy advisor, FABIT, CCD’s, Planning Information & Policy Analysis, OIT and CIT.

Page 16: Taskforce Concluded

• Create an Information Technologies Security Office
• Appoint an Information Technologies Security Officer to direct the ITSO
• Merge CIT virus, abuse and security functions under the ITSO
• Office would be charged to …

Page 17:

• Be the locus of information technology security at Cornell.
• Have formal authority to act on the University’s behalf to assure adoption of relevant University Policy and appropriate response to IT threats that could act to violate University policies or laws.
• Identify campus-wide IT security needs.
• Act to coordinate campus-wide information technology security services.
• Provide proactive services, such as education and monitoring for network anomalies.
• Provide reactive services, such as incident response and damage control.

Page 18:

• Enable coordinated response from key University agents, such as Cornell Police, Audit, JA, Legal Counsel and other related parties.
• Act as an interface with external agents, such as local, state and federal law enforcement.
• Work in close partnership with campus agents responsible for policy and infrastructure development.
• Work to optimize institutional investment in IT tools to assure broad utility, such as authentication, authorization and encryption applications.
• Be a diplomatic liaison to assure best response from within a highly decentralized campus.

Page 19: Recap

• Security Locus
• Collaborative
• Partnering
• Proactive
• Educating
• Diplomat – (But with just enough “teeth”…)

Page 20: However What is “Obvious” is Not Always Simple – Revisited.

• Given
  • Limited resources
  • Smart independent departments
  • Workforce planning
  • Nature of IP, poor default OS security, E-mail ...
  • National pressures
  • And a strong desire not to “throw the baby out with the bathwater.”
• What do we do?

Page 21: First Steps

• Taskforce perspective is correct
• Hire a director!
• “Top Ten” list as a service target
• Triage – identify areas of greatest risks
• Form guidance groups
  • Executive: Taskforce members
  • Operational: Technical talent throughout Cornell

Page 22: First Steps Continued …

• Work within the Cornell policy process to identify the balance between evasive control and users’ expectations for privacy and open access.
• Leverage national relationships
  • Computer Policy and Law
  • I2 / Educause
  • Other national resources (CERT…)

Page 23: First Steps Continued …

• Embrace the notion of desktop stewardship
  • Principal problem at Cornell today
  • Assume that the Internet is and will always be insecure
  • Story of CIT and desktop stewardship

Page 24: Oh Yes, and …

• P2P / Copyright
  • Education
• Pervasive mobile devices / wireless
  • Registry / Network Authentication
• Digital asset management
  • Control of digital assets outside of Cornell’s domain
  • Fingerprinting
  • Authorization / Authentication outside of Cornell’s domain
• Expectation to be a national leader
  • Need to balance with internal demands

Page 25: Closing Thoughts

• Recognition of current work
  • Departments
  • CIT & the office of the VP of IT (OIT)
    • CIT Security, Abuse and Virus support
    • OIT Policy program
• Ponder the value of net billing generated awareness
• The “Workforce Planning” context

Page 26: Closing Thoughts …

• Balance, Balance, Balance …
• Challenge may shift over time
• Formal authority (Nice to have, but ideally should never be needed.)
• Ramifications of ad-hoc IT security
• Campus desires more support, but the program will fail without the support of campus

Page 27: Cornell’s Security Program: The Policy Component

Tracy Mitrano
Director of IT Policy
Computer Policy and Law Program

Page 28: Policy: Big “P” and Little “p”

• Big P
  • National arena
    • EDUCAUSE’s position on FBI’s petition to the FCC to extend CALEA to data networks
  • National security policy
• Little p
  • Institutional policy
  • IT security policies: a piece of a larger whole
  • IT security policies not the same thing as national security

Page 29: Policy Picture at Cornell

• University Policy Office
  • Centralized office for a decentralized institution
  • http://www.univco.cornell.edu/policy/current.html
• Formulation and Issuance of university policy
  • http://www.univco.cornell.edu/policy/pop.html
• Volume 5: Information Technologies
  • http://www.cit.cornell.edu/oit/policy/drafts/

Page 30: [Diagram: map of Cornell IT policies, color-coded by status]

Policies shown: Security of Information Technology Resources; Responsible Use of Information Technology Resources; Encryption Key Escrow; Recording and Registration of Domain Names; Reporting Security Incidents; Network Registry; Authentication and Authorization; Access to Electronic Mail; Privacy of Network and Network Flow Logs; Use of Encryption Escrow Keys; Mass Electronic Mailing.

Color Key
• Bright Green: Existing University Policy
• Turquoise: Existing Policy, scheduled for revision
• Light Green: EPRG approved, scheduled for promulgation early 2004
• Light Yellow: PAG approved, scheduled for EPRG review early 2004
• Tan: Impact Statement approved, drafting with stakeholders
• Bright Blue: OIT drafting impact statement

Page 31: Four Policies for IT Security

• Escrow of Encryption Keys: http://www.univco.cornell.edu/policy/eek.for.html
• Reporting Security Incidents: http://www.univco.cornell.edu/policy/SECREP.for.june1.html
• Security of Information Technology Resources: http://www.univco.cornell.edu/policy/SEC.for.html
• Network Registry: http://www.univco.cornell.edu/policy/NR.for.html

Page 32: Escrow of Encryption Keys

Cornell University expects stewards, custodians, and users of institutional administrative data who deploy software or algorithmic programs for encryption to establish procedures ensuring that the university has access to all such records and data.

Page 33: Reporting Security Incidents

Users of Information Technology devices connected to the Cornell network must report all electronic security incidents promptly and to the appropriate party or office.

Page 34: Security of Information Technology Resources

Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.

Page 35: Network Registry

Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the Cornell network in a continuously updated central CIT network registry service.

Page 36: Conclusion

IT security policy is a piece of the IT policy puzzle, which is itself another piece of the larger whole of university policy designed to preserve and protect institutional assets and interests, comply with all applicable laws, and contribute to the citizenship experience of membership to the university community.

http://www.cit.cornell.edu/oit/policy/framework.html

Page 37: Cornell’s Security Program: The Security Office Today

Steve Schuster

Page 38: Objectives

• What is an effective security program?
• Describe the broad elements of the Cornell IT Security Office
• Discuss current priorities
• Outline some specific efforts and services
• Some emerging lessons learned

Page 39: An Effective IT Security Program Must:

• Aid in the establishment of security policies that are enforceable, understandable and implementable
• Train faculty, staff and students with respect to IT security policies and their responsibilities to protect IT resources and data
• Implement an infrastructure that enforces the principles articulated in the policies and protects the IT resources and data within the institution
• Implement sound risk assessment practices to identify IT security risks and vulnerabilities within the IT infrastructure
• Provide monitoring and analysis of the infrastructure to identify unauthorized activities
• Develop appropriate analysis and response procedures to efficiently respond to and effectively manage IT security incidents
• Develop business continuity plans that ensure the appropriate availability of critical IT resources

Page 40: Security Program Elements

Security is a process – not a product

[Diagram: six program elements, each with a one-line caption]
• Security Policy and User Awareness: Responsible use, acceptable behavior and expected results
• Secure Infrastructure Implementation: Building security and services into the infrastructure
• Continuous Risk Assessment & Penetration Testing: Risk assessments performed regularly within the infrastructure
• Security Monitoring and Analysis: Monitoring of processing components, network characteristics and intrusion detection systems
• Incident Response Processes and Procedures: Complementary infrastructure, process and procedures
• Business Continuity and Disaster Recovery: Clean and consistent

Page 41: Security Policy and Awareness

• Support for the Development of University Policies
  • Reporting of Security Incidents
  • Security of IT Resources
  • Network Registry
  • Authentication/Authorization

Page 42: Security Policy and Awareness

• Support for the Development of University Policies
• Security Education Program
  • Travelers of the Electronic Highway (TEH)
  • General user awareness
  • Support of local service providers

Page 43: Security Policy and Awareness

• Support for the Development of University Policies
• Security Education Program
• University Best Practices Guidelines
  • Security configurations
  • Security incident response methods

Page 44: Security Policy and Awareness

• Support for the Development of University Policies
• Security Education Program
• University Best Practices Guidelines
• Technical Response to Legislation
  • HIPAA
  • FERPA
  • GLB

Page 45: Security Infrastructure

• Network infrastructures
  • Participate in the emerging uses and capabilities of Cornell’s computing infrastructures (LAN, WLAN, Dial-up, public labs, etc)

Page 46: Security Infrastructure

• Network infrastructures
• Security Applications
  • Anti-Virus
  • Personal firewalls
  • Scanning
  • System analysis/forensics

Page 47: Security Infrastructure

• Network infrastructures
• Security Applications
• Authentication/Authorization
  • University authentication requirements
  • Risk assessment

Page 48: Security Infrastructure

• Network infrastructures
• Security Applications
• Authentication/Authorization
• Network Access Control (Firewalls)
  • Restricted addressing
  • Edge ACL’s (push security closer to the edge)
  • Traditional firewall service (still not there)

Page 49: Security Infrastructure

• Network infrastructures
• Security Applications
• Authentication/Authorization
• Network Access Control (Firewalls)
• Direct Department Support
  • Specific security or incident related issues
  • Secure architecture development

Business Continuity and Disaster Recovery

- Participate in current BC/DR development efforts
  - Ensure current efforts include system compromise and infections as addressable events
- Develop BC/DR plans that include
  - Identification of critical assets
  - Processes and procedures to be followed when a compromise occurs on a critical resource

Risk Assessments

- Central Security Assessments
  - Service or infrastructure assessments (wireless, IP, etc.)
  - Network and System Scanning
- System scanning at time of registration
  - Scan student systems upon registration
  - Limit or revoke network access upon an unclean scan
- Promote and support localized scanning
  - Distribute scanning software to local support providers
  - Train support providers as necessary

Security Monitoring and Analysis

- Development of Automated Reports
  - Processing of network management logs
  - Network usage reports
  - Net alarms
  - Billing alerts
- Intrusion Detection
  - Network Based Anomaly Detection (NBAD)
    - For central operation and some distributed views
    - More easily operationalized than IDS
  - NIDS
    - Some local IDS for critical systems or infrastructures
    - Operations and response are more difficult here
- Honey Pot
  - Use of some “empty” networks for scanning identification
  - Some early experience with honey pot operations
- Identification and response to specific events or system behavior
  - Algorithms to identify worm infected systems
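The two detection ideas on these slides, watching traffic that lands in “empty” (unused) address space and flagging hosts whose connection pattern looks like a worm, can both be run over ordinary flow records from the network management logs. The following is an added illustration, not code from the presentation or from Cornell: the flow records, the unused prefix 10.9.0.0/16, and the fan-out threshold and time window are all constructed assumptions. The fan-out heuristic is the general form of “many distinct destinations on one port in a short time” that worm outbreaks of that era produced.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow-style collector might emit it (constructed)."""
    ts: float    # seconds since some epoch
    src: str
    dst: str
    dport: int


def darknet_hits(flows, darknet_prefixes):
    """Count, per source, flows whose destination lies in unused address space.

    Nothing legitimate should ever talk to an unused prefix, so any hit is a
    strong signal that the source is sweeping the address range (the slide's
    "empty networks for scanning identification").
    """
    nets = [ipaddress.ip_network(p) for p in darknet_prefixes]
    hits = defaultdict(int)
    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        if any(dst in n for n in nets):
            hits[f.src] += 1
    return dict(hits)


def fanout_scanners(flows, threshold=20, window=10.0):
    """Flag sources that reach >= threshold distinct hosts on one port within `window` seconds.

    Returns {src: (dport, peak_distinct_destinations)}. A sliding window over
    the (timestamp, destination) events keeps the count honest for slow sweeps.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append((f.ts, f.dst))
    flagged = {}
    for (src, dport), events in by_key.items():
        events.sort()
        win = deque()              # events inside the current window
        counts = defaultdict(int)  # distinct destinations inside the window
        peak = 0
        for ts, dst in events:
            win.append((ts, dst))
            counts[dst] += 1
            while win and win[0][0] < ts - window:  # expire old events
                old_ts, old_dst = win.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        if peak >= threshold and (src not in flagged or peak > flagged[src][1]):
            flagged[src] = (dport, peak)
    return flagged


def triage(flows, darknet_prefixes=("10.9.0.0/16",), threshold=20, window=10.0):
    """Combine both signals into {src: [reason, ...]} for the response team."""
    report = defaultdict(list)
    for src, n in darknet_hits(flows, darknet_prefixes).items():
        report[src].append(f"{n} flows into unused address space")
    for src, (dport, peak) in fanout_scanners(flows, threshold, window).items():
        report[src].append(f"{peak} distinct hosts on port {dport} within {window:.0f}s")
    return dict(report)


def sample_flows():
    """Constructed sample traffic: one worm-like host, one benign host, one slow external sweep."""
    flows = []
    # Worm-like internal host: 30 distinct targets on 445 within 6 seconds,
    # every third one landing in the unused 10.9.0.0/16 prefix.
    for i in range(30):
        dst = f"10.9.0.{i + 1}" if i % 3 == 0 else f"10.1.3.{i + 1}"
        flows.append(Flow(100.0 + i * 0.2, "10.1.2.3", dst, 445))
    # Benign host: a handful of HTTPS connections spread over a minute.
    for i in range(5):
        flows.append(Flow(100.0 + i * 12, "10.1.5.5", f"203.0.113.{i + 1}", 443))
    # External scanner sweeping the dark prefix slowly, one probe every 30 s.
    for i in range(8):
        flows.append(Flow(200.0 + i * 30, "198.51.100.7", f"10.9.1.{i + 1}", 22))
    return flows


if __name__ == "__main__":
    for src, reasons in triage(sample_flows()).items():
        print(src, "->", "; ".join(reasons))
```

The slow external sweep is caught only by the darknet signal, the internal worm-like host by both, and the benign host by neither; that difference is why the slides pair honey-pot address space with behavioural algorithms rather than relying on one of them.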

Incident Response

- Backline Support
  - NOC
  - Help Desk
  - NUBB
- University IT Operational Procedures
  - Operational procedures with CU Police
  - Operational procedures with Federal Agencies
- Direct Support for Departments as necessary
  - Identification
  - Analysis
  - Response
- Support for University-Wide Security Incident Response mechanisms
  - Virus response

A Growing Set of Lessons Learned

- Community trust is paramount
- It’s OK to crawl before you walk… before you run…
- All elements described above should move together at the same pace
- The distributed nature of our environment does not need to mean less security, but rather a different security strategy
- Consolidating security operations and the security budget provides both leverage and accountability

Questions?