410 likes | 547 Views
Effective Implementations of a Security Program and Security Plan. Tim Flynn Scott Genung. Stefan Wahe Gary DeClute. Outline. What Problem were we trying to solve with a Security Program/Plan What is a Security Program/Plan Deliverables and Implementation
E N D
Effective Implementations of a Security Program and Security Plan Tim Flynn Scott Genung Stefan Wahe Gary DeClute
Outline • What Problem were we trying to solve with a Security Program/Plan • What is a Security Program/Plan • Deliverables and Implementation • Where are we now and where are we going? • What have we learned? • Discussion Effective Implementations of a Security Program and Plan
The Problem? • Reactive vs. Proactive • Lack of Documented Standards, Procedures and Guidelines • Increasing number laws and regulations “We weren’t rowing in the same direction” Effective Implementations of a Security Program and Plan
What is the problem? • “we felt the pain” (August 2003 – August 2004) • 4 major DoS attacks that impacted performance and disrupted network connectivity for most users throughout campus (nearly 3,000 infections total) • multitudes of email borne threats that impacted the performance of the campus mail system and caused the University to be blacklisted by other email domains • the University spent approximately $750K during the 2003-2004 academic year in clean up efforts Effective Implementations of a Security Program and Plan
What is the problem? • anatomy of an attack: Sasser (April 2004) • 600+ virus infected systems detected within 3 days of outbreak (there were around 15K nodes at the time) • 500+ systems removed to combat DoS volume and to try and contain threats • all environments had exploited hosts (not just a student problem); all environments felt the impact • many users were unable to consistently access the Internet during finals week • some electronic exams had to be rescheduled Effective Implementations of a Security Program and Plan
What is the problem? of the 600+ systems that were identified on ISUnet with Sasser in April 2004 Effective Implementations of a Security Program and Plan
What is a Security Program? • An Information Technology Security Program (ITSP) is an administrative program that provides the policy and procedural framework for building and maintaining a secure information system Effective Implementations of a Security Program and Plan
What is a security plan? • a security plan encompasses … • what specific things will be done to defend against current and future security threats (knowing that no one technology can defend against all threats) • what are the impacts of these changes upon the systems and the users of them • what is the timeframe of these changes and how are they dependent upon each other • procedures for identifying how the plan will be enacted and how the University will react to future threats Effective Implementations of a Security Program and Plan
Deliverables and Implementation Framework of Program: • System Definition and Description • Identifies Roles of Actors and their Responsibilities • Identifies procedures, process andguidelines for actors to follow to meet their responsibilities. Effective Implementations of a Security Program and Plan
Deliverables and Implementation The first section of the template assists in collecting a description of the system: System Description • System Name • Responsible Organization • Information Contacts • System Architecture • System Environment Assignment of Security Responsibility • Management Assignments • Security Manager Responsibilities • Security Administrator Assignments • Application Developer Assignments • Supporting Staff • Users Applicable Laws, Regulations and Policies • Identify Laws, Regulations and Policies Effective Implementations of a Security Program and Plan
Review of Controls Risk Management Security Program Management Authorization to Process Life Cycle Security Business Continuity Human Resources Documentation Awareness & Training Data Integrity Operations Information Handling Physical Security Incident Response HW & SW Maintenance Access Controls Audit Trails Technical Authentication and Authorization Effective Implementations of a Security Program and Plan
Deliverables and Implementation Effective Implementations of a Security Program and Plan
Deliverables and Implementation • Documented procedures, process and guidelines for system actors to follow in order to comply with their responsibilities • Documented results: • Risk Management Report • Log Report • Access Control Audit • Schedule of when tasks and responsibilities should be completed. • Also known al the Master Schedule Effective Implementations of a Security Program and Plan
Deliverables and Implementation The Master Schedule Effective Implementations of a Security Program and Plan
Deliverables and Implementation Five Steps to Success • System Definition and Assessment • Identify Gaps • Provide Recommendations • Planning an Implementation • On-Going Assessment (Master Schedule) Effective Implementations of a Security Program and Plan
Deliverables and Implementation • lessons learned from prior DoS attacks • once a threat penetrated the perimeter defenses of the network, there was little to prevent it from spreading and creating impact • inconsistent defenses within the network created entry points for security threats to emerge • substantial variation in the degree of host defenses created environments that were heavily impact while others were not • quickly identifying the behavior of the threat was key to defending against it Effective Implementations of a Security Program and Plan
Deliverables and Implementation • emerging themes • cannot predict type or impact of threats before they emerge • insufficient visibility to threats once they appear • insufficient defenses in place to counter these threats (they need to be integrated directly into the network model) • inconsistent defenses within the network create entry points where threats can then emerge within and then impact the interior Effective Implementations of a Security Program and Plan
Deliverables and Implementation • guiding principles to a security plan • visibility: the need to see clear evidence of a security event in a timely manner • defense in depth: the need to implement a combination of technologies that can defend against a multitude of threats at different layers within the network • consistency: all environments on network must have same level of defense to prevent a security threat from gaining a foothold within the perimeter of the network Effective Implementations of a Security Program and Plan
ISUnet security enhancement plan (28 initiatives) hire a security engineer early warning notification enhanced service provider connectivity introduce perimeter firewalling create a DMZ enhance VPN implementation enhance DNS enhance QoS policies introduce IPS enhance anti-spoofing techniques implement vLAN restructuring implement zone based filtering and firewalling segregate experimental networks implement CoA (Conditions of Access) implement a SIMS implement backbone enhancements enhance directory authentication implement identity management enhance registration systems enhance rogue device detection enhance wireless security enhance statistics implement vulnerability scanning consider network admission control implement automated system quarantines enhance anti-virus and anti-spam for email enhance email security implement SMTP authentication Deliverables and Implementation Effective Implementations of a Security Program and Plan
Status and Next Steps • Being Implemented in: • Public Health Information Network • University Directory Service • Identified Gaps: • Security Awareness Training • Media Disposal • Identifying next system/departmentfor implementation Effective Implementations of a Security Program and Plan
Status and Next Step • focus on top 7 initiatives • introducing IPS (Intrusion Prevention System) technology • implementing CoA (Conditions of Access) • enhancing registration systems for ResNet • enhancing email security • implementing vulnerability scanning • hiring a security engineer • implementing vLAN restructuring Effective Implementations of a Security Program and Plan
Status and Next Step • introducing IPS (began 8/04) • goal: to identify AND block threat traffic to reduce impact upon the network • IPS same as IDS, but also blocks threat traffic • placed at the perimeter and key points within the backbone of the campus network • address the largest source of potential threats. • traffic passing from each ResNet environment to the network backbone • traffic passing from the WAN to the network backbone • somewhat effective against zero day threats Effective Implementations of a Security Program and Plan
management console views from UnityOne appliances from Tipping Point Effective Implementations of a Security Program and Plan
Status and Next Step • CoA (Conditions of Access) (8/04) • need for a policy • goal: create an environment where host based defenses are consistent • required the use of the University’s site licensed AV solution for ALL systems that connect to the network. • required the use of automatic OS updating for critical patches Effective Implementations of a Security Program and Plan
Status and Next Step • enhanced registration systems (began 8/04) • goal: use existing registration systems to automate a process for enforcing CoA • ResNet • built on top of registration system • user agrees to CoA • installation and setup of anti-virus software • apply OS patches and configure automatic updating • shortcomings: • one time only enforcement • ineffective against zero day threats • must be monitored Effective Implementations of a Security Program and Plan
Status and Next Step • enhanced email security • goal: stop email based threats from passing to, from, and within the campus network • policy and process to register campus and departmental email systems and require AV filtering. • perimeter email filters (completed) • designed to prevent email borne threats from being exchanged between the Internet and the campus network • interior email filters (could not complete) • designed to prevent email borne threats from being exchanged between systems within the campus network Effective Implementations of a Security Program and Plan
Status and Next Step • vulnerability scanning • goal: • locate systems that are vulnerable to known exploits in order to prevent them from affecting others. • enforce the CoA policy • Nessus is used to scan for unapplied MS patches when possible Effective Implementations of a Security Program and Plan
Status and Next Step • hiring a security engineer (5/05) • goal: dedicated resource focused on proactive and reactive aspects of network and host based security • coordinate and share information. • develop consistent methods and practices. • first step towards a centralized security office. • due to budget constraints existing positions were reclassified to create the position Effective Implementations of a Security Program and Plan
Status and Next Step • implementing vLAN restructuring (began 2/05) • goal: place like systems in like environments so that security rules can effectively be applied AND maintained • separation of address space types • to reduce scope of impact of future threats • to allow for the introduction of new defensive techniques (ex: IP source guard) • to simplify the development and maintenance of security policies Effective Implementations of a Security Program and Plan
Status and Next Step • beyond IPS: the need for NBAD (spring 2005) • NBAD (Network Based Anomaly Detection) • IPS is signature based (with very limited anomaly detection) • IPS cannot defend against zero day attacks that did not target known (signatured) vulnerabilities • goal: need a system that can track application volume per local or remote host and then report on deviation from baseline volumes (this is NBAD) • take advantage of NetFlow export data • can identify systems that exhibit major behavioral changes • can issue shuns or null routes to immediately react to threats Effective Implementations of a Security Program and Plan
management console views from StealthWatch Effective Implementations of a Security Program and Plan
Status and Next Step • beyond registration systems • port based authentication • user (802.1x) or machine based authentication each time the system touches the network • goal: log who connected when and where (may be a CALEA compliance requirement) • currently are testing as a replacement to VMPS • generic NAC (Network Admission Control) • goal: automate enforcement of CoA each time user touches network (instead of just when registration occurs) • researching technologies and products Effective Implementations of a Security Program and Plan
Lessons Learned • Implementation takes time • Need for Resources (People) • Cultural Shift • Need for Governance • Risk Management Processes Effective Implementations of a Security Program and Plan
Lessons Learned • need to be proactive, monitoring is not enough. • threats are emerging too fast • NAC • all initiatives need to be based in policy. • problems -> policies -> initiatives Effective Implementations of a Security Program and Plan
Discussion Questions Effective Implementations of a Security Program and Plan