Information Security: Where to Begin?
January 12, 2005
Kathleen K. Roberts, Principal – MBA, Information Systems, kathleen@isecuresolutions.com
Sanina Shen, Engineer – MS, CISSP, PMP, sanina@isecuresolutions.com
iSecure Solutions, 1611 Arran Way, Dresher, PA 19025, (215) 641-1396 (Office), (215) 641-1396 (FAX), www.isecuresolutions.com
Copyright Kathleen K. Roberts 2005. This paper is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• Introduction (5 mins.)
  - Review definitions and framework
  - Provide insights into higher ed information security trends
  - Share security basics
• IT Security Policies (10 mins.)
  - Ensure executive leadership support
  - Review commonly used higher ed policies
  - Share several different enforcement approaches
• Vulnerability Assessments (10 mins.)
  - Overview and value of assessments
  - Evaluate and prepare to use assessment tools
  - Share scanning approaches
• Other Security Topics (10 mins.)
  - Importance of a security awareness program
  - Create a business continuity plan including a CSIRT
  - Examine physical security
• Conclusion (5 mins.)
  - Be aware of regulatory requirements
  - Begin the journey
Information Security Definitions
Security Triad
• Confidentiality – ensuring that information is protected from unauthorized and/or unintentional disclosure and use.
• Integrity – assuring the accuracy, completeness and reliability of information and systems by protecting them from unauthorized and/or unintentional modification.
• Availability – ensuring reliable and timely access to data and resources for authorized users.
Security Trends in Higher Education
• Information security
  - Beginning to see:
    - Establishment of a university Information Security Office
    - Hiring of a university Information Security Officer
  - Activities underway by the Information Security Office:
    - Development of security policy
    - Implementation of security architecture
    - Monitoring of security
    - Formal incident response processes and creation of a CSIRT
    - Development of security awareness and training programs
Security Trends in Higher Education (continued)
• Characteristics of leading information security colleges and universities:
  - View information security as a major opportunity for leadership
  - Implement security policies, procedures and guidelines
  - Conduct institutional risk assessments on a regular basis
  - Invest in staff and tools
  - Increase "community" awareness with ongoing training
  - Design, develop and deploy secure communication and information systems
  - Insert confidentiality and privacy language in vendor contract documents
  - Require secure products from vendors
Security Basics
• Engage executive leadership for support, resources and communication
• Select a standard as a benchmark, based on industry best practices
  - The ISO 17799 standard (www.iso17799-web.com)
  - ISSA-GAISP (Information Systems Security Association – Generally Accepted Information Security Principles)
• Baseline your institution's security posture and readiness
  - Evaluate security policies against industry standards
  - Conduct vulnerability assessment scans and re-test regularly
• Determine the security standards for your organization
  - e.g. account locked after 3 failed log-in attempts, passwords changed every 90 days
• Examine the physical security situation
• Formalize incident response procedures
• Create and conduct security education and awareness classes
• Start up and support an information security knowledge community
Executive Leadership Support of Security Policies and Program
• Engage leadership – CIO, president and provost
• Areas where support is essential
  - Budget for the overall security program
  - Security personnel
  - Enforcement of policies
  - Incident response involvement and coordination
• Ensure security is included in the institution's mission and strategic plan
• Educate leadership on the importance of and need for a security program
  - Statistics on security breaches and their growing visibility
  - Federal and state regulation
  - The institution's reputation
• Provide updates on a regular basis
  - Establish regular status meetings
  - Provide ongoing reports and added-value information
Basic Information Security Policy Inventory for Higher Education
[Policy inventory table. Key: H = high usage by colleges and universities, M = medium usage by colleges and universities, * = covered in the Appropriate Use Policy]
Policy Enforcement Approaches
Unlike the corporate or government sectors, higher education requires a more delicate balance to enforce policies effectively:
• Fear of being caught and punished
  - Clearly communicate the consequences of policy violation in student, staff and faculty handbooks
  - Include policy requirements in the institution's code of conduct, which must be accepted to obtain an ID
  - Post warnings on websites and install monitoring technology
• Use of existing technology
  - Require a secure password, with specific complexity requirements, for network access
  - Use an online quiz that requires reading the critical points of the handbook before an account is issued
• Usage requirement
  - Incorporate policy requirements into network access usage agreements
• Embarrassment by association – publish a list of offenders
  - Post on a website or in the newspaper
Overview of Vulnerability Assessments
• Definition: vulnerability management is the discovery of weaknesses in a security profile, the determination of the risk they pose, and the elimination of these defects to reduce the window of opportunity in which an exploit could impact the institution.
• Focus of vulnerability assessments
  - Identify vulnerabilities in key resources
  - Determine acceptable risk
  - Fix weaknesses before attack code can be developed to exploit the vulnerability
• "The Laws of Vulnerabilities" per Gerhard Eschelbeck, CTO of Qualys
  - Half-life: the half-life of critical vulnerabilities is 30 days, and it doubles with each lower degree of severity
  - Prevalence: 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities every year
  - Persistence: the lifespan of some vulnerabilities is unlimited
  - Exploitation: 80% of vulnerability exploits are available within 60 days of the vulnerability's release
[Figure: Sample of Network Vulnerability Assessment – High Level Summary Findings]
Value of Vulnerability Assessments
• Best practices of vulnerability management
  - Classify: prioritize assets based on their "mission critical" value to the institution
  - Measure: determine the effectiveness of efforts by setting goals for reduced vulnerabilities and faster mitigation
  - Integrate: combine the intelligence gained from scans with other security information
  - Audit: use metrics to evaluate the effectiveness of efforts for ongoing improvement
• Benefits of conducting vulnerability assessments
  - Aids communication and facilitates decision making by integrating information from various parts of the institution
  - Enhances the productivity of the security team by creating a structure, pooling knowledge and building in-house expertise
  - Allows security to become part of the institutional culture by letting departments take more of the responsibility for ensuring an adequate and appropriate level of security
  - Increases security awareness by actively involving a larger number of individuals
  - Provides a consistent and measurable approach to patch and upgrade management
Vulnerability Assessment Tools
• To select the best tool(s) for your institution, determine and prioritize requirements:
  - Technical quality of the solution, including degree of intrusiveness (some checks can crash fragile services, so know which ones are safe to run against production hosts)
  - Ease of use, including deployability
  - Reporting capabilities
  - Support, including ongoing research to keep the vulnerability database updated
  - Price tag
• Evaluate and select "best in class" tools
  - Several vendors we considered:
    - Foundstone – FoundScan
    - GFI LANguard – Network Security Scanner
    - Internet Security Systems (ISS) – Internet Scanner
    - Nessus – Nessus scanner
    - Qualys – QualysGuard
  - All tools must be reviewed and tested
• Consider having several vulnerability scanners in your toolbox
Vulnerability Assessment Preparation
• Collect source documents
  - Current network architecture diagram, to understand subnets and connections
  - Existing security policies and guidelines
  - Inventory of critical hardware and software, with pertinent information
  - Listing of key applications, with pertinent information
• Read background information and discuss with subject matter experts
• Review all documents to understand the environment
• Develop a draft test plan and obtain approval of the plan and schedule (the approved plan should state the exact address ranges and scan windows)
• Schedule scans during a slow period so there is no negative impact
• Perform tests, assign tasks and log results
• Document vulnerabilities, analyze the data and make recommendations
• Finalize documentation into a report or presentation
Scanning Approaches
Select the best approach for your environment:
• Conduct a campus-wide vulnerability assessment
  - Good for a baseline risk assessment
  - Will produce too many vulnerabilities to deal with at once
  - Requires much time and many resources to conduct and to sift through the data
• Scan all high-priority devices
  - Select "mission critical" servers and hosts to scan
  - Remediate only the severity 5 and 4 vulnerabilities
• Scan the entire network for a few specific vulnerabilities
  - Select the SANS Top 20 vulnerabilities to scan for
  - Scan for a specific newly announced vulnerability
• Compare the current assessment with a previous baseline
  - Requires a baseline to be in place
  - View only deviations from the baseline, which reduces the number of identified vulnerabilities to review
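The last three approaches above can be driven from scanner output rather than worked by hand. The Python script below is an added example, not from the original presentation and not the code of any scanner it lists: it parses two constructed scan exports (a stored baseline and the current run, in an assumed simplified CSV layout with invented hosts, check IDs and titles), reports what is new, resolved and persistent relative to the baseline, keeps only severity 4 and 5 findings with an assumed list of mission-critical hosts sorted first, and pulls out a short list of specific checks swept across every host.

```python
"""Added example (not from the original presentation): compare a current
vulnerability scan against a stored baseline and prioritize what to fix.

Scan records are constructed sample data in an assumed simplified CSV shape
(host,port,check_id,severity,title); hosts, check IDs and titles are invented
placeholders, not real findings.
"""
import csv
import io
from dataclasses import dataclass

# Constructed baseline scan (earlier run); the column layout is an assumption.
BASELINE_CSV = """host,port,check_id,severity,title
10.10.1.5,445,CHK-0001,5,File sharing service allows unauthenticated access
10.10.1.5,80,CHK-0002,3,Web server reveals version banner
10.10.2.20,22,CHK-0003,4,SSH server allows protocol version 1
10.10.3.7,25,CHK-0004,2,SMTP server supports VRFY
"""

# Constructed current scan (later run): one finding fixed, two new, others persist.
CURRENT_CSV = """host,port,check_id,severity,title
10.10.1.5,80,CHK-0002,3,Web server reveals version banner
10.10.2.20,22,CHK-0003,4,SSH server allows protocol version 1
10.10.2.20,3306,CHK-0005,5,Database listener accepts remote connections without a password
10.10.3.7,25,CHK-0004,2,SMTP server supports VRFY
10.10.4.9,161,CHK-0006,4,SNMP agent responds to default community string
"""

# Assumed "mission critical" inventory (the deck's scan-all-high-priority-devices approach).
MISSION_CRITICAL = {"10.10.1.5", "10.10.2.20"}

# Assumed short list of specific checks to sweep the whole network for
# (the deck's scan-for-a-few-specific-vulnerabilities approach).
FOCUS_CHECKS = {"CHK-0005", "CHK-0006"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str
    severity: int
    title: str

    @property
    def key(self):
        # A finding is "the same" across scans when host, port and check match;
        # severity and title may be re-rated by a vendor database update.
        return (self.host, self.port, self.check_id)


def parse_scan(text):
    """Parse the CSV shape above into a dict of Finding objects keyed by (host, port, check)."""
    findings = {}
    for r in csv.DictReader(io.StringIO(text)):
        f = Finding(r["host"], int(r["port"]), r["check_id"], int(r["severity"]), r["title"])
        findings[f.key] = f
    return findings


def compare_to_baseline(baseline, current):
    """Return (new, resolved, persistent) findings relative to the baseline."""
    new = [current[k] for k in current.keys() - baseline.keys()]
    resolved = [baseline[k] for k in baseline.keys() - current.keys()]
    persistent = [current[k] for k in current.keys() & baseline.keys()]
    return new, resolved, persistent


def prioritize(findings, min_severity=4, critical_hosts=MISSION_CRITICAL):
    """Keep only severity >= min_severity; critical hosts first, then highest severity."""
    kept = [f for f in findings if f.severity >= min_severity]
    return sorted(kept, key=lambda f: (f.host not in critical_hosts, -f.severity, f.host, f.port))


def focused_sweep(findings, check_ids=FOCUS_CHECKS):
    """Findings for a few specific checks across every host, regardless of priority."""
    return sorted((f for f in findings if f.check_id in check_ids), key=lambda f: (f.host, f.port))


def build_report(baseline_text=BASELINE_CSV, current_text=CURRENT_CSV):
    """Combine the three approaches into one remediation view."""
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    new, resolved, persistent = compare_to_baseline(baseline, current)
    return {
        "new": prioritize(new),
        "resolved": sorted(resolved, key=lambda f: (f.host, f.port)),
        "persistent": prioritize(persistent),
        "focused": focused_sweep(current.values()),
        "work_queue": prioritize(current.values()),
    }


if __name__ == "__main__":
    report = build_report()
    for section in ("new", "persistent", "resolved", "focused"):
        print(f"== {section} ==")
        for f in report[section]:
            tag = "CRITICAL-HOST" if f.host in MISSION_CRITICAL else "other"
            print(f"  sev{f.severity} {f.host}:{f.port} {f.check_id} [{tag}] {f.title}")
```

The match key deliberately ignores severity and title so that a vendor re-rating a check does not show up as a "new" finding; conversely, a persistent severity 3 finding on a mission-critical host drops out of the work queue under the severity 4 and 5 rule, which is the trade-off the deck's approach accepts.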
Security Awareness Program
• Importance of an education and awareness program
  - People are the greatest source of IT security issues
  - Insiders cause the majority of security breaches
  - Most insider breaches are caused by:
    - Lack of awareness of threats
    - Assuming others are handling it
    - Lack of knowledge on how to address it
    - Security being a low priority
• Components
  - Define the target audience
  - Tailor the message to meet the needs of each audience
  - Tailor delivery methods to each group's needs
    - Meetings, handbooks, web site, email alerts, new student orientation, workshops, seminars, articles, videos, posters
  - Make it fun, but keep the message short and simple, as well as current and realistic
  - Repetition is key
Business Continuity Planning
• May be part of an overall security plan
  - Includes a backup plan
  - Includes a disaster recovery plan
  - Conduct practice drills to test the plan and readiness
• Backup, recovery and restoration
  - Documented processes
  - Critical backup files stored both on-site and off-site
  - Data backup, recovery and restoration plans developed and periodically tested (a backup that has never been restored is an untested backup)
• Business Continuity Planning (BCP)
  - Involves the entire institution
  - Keeps the department or college in business
  - Manual processes documented
  - "Cookbook" checklists and steps
  - Cross-training of staff to ensure operational continuity of critical systems and applications
Create a CSIRT
Computer Security Incident Response Team (CSIRT)
• Form the team
  - Determine the representation and team membership required
  - Solicit senior management support, including the CIO, provost and president
  - The team is required to handle all incidents that occur
• Activities
  - Write a mission statement and goals
  - Document incident response procedures
  - Create an escalation list and contact information chain, including law enforcement contacts, for out-of-hours incidents
• Additional support resources
  - http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html (CMU/SEI Handbook for Computer Security Incident Response Teams)
Value of Physical Security
• Remember physical security – it is no longer just the night guard who carries a flashlight
• Physical security covers natural disasters, fires, floods, intruders and power supplies
• Administrative controls
  - Facility management
  - Sensitive data or papers lying around?
  - Neat and orderly computing rooms
• Technical controls
  - Temperature / humidity controls
  - Fire suppression equipment
  - UPS (uninterruptible power supply)
• Physical controls
  - Locks / combination / card swipe doors
  - Lighting
  - Fences
Conclusion
• Complying with regulatory requirements
  - Gramm-Leach-Bliley (GLB) Act and the Federal Trade Commission's Safeguards Rule
    - Need for a documented information security plan
  - Other
    - Family Educational Rights and Privacy Act (FERPA)
    - California's Senate Bill 1386
    - Health Insurance Portability and Accountability Act (HIPAA)
• Begin the journey
"Success is a journey, not a destination. The doing is usually more important than the outcome." – Arthur Ashe