310 likes | 569 Views
Information Security: Where to Begin?. January 12, 2005 Kathleen K. Roberts Principal – MBA, Information Systems kathleen@isecuresolutions.com Sanina Shen Engineer – MS, CISSP, PMP sanina@isecuresolutions.com iSecure Solutions 1611 Arran Way Dresher, PA 19025 (215) 641-1396 (Office)
E N D
Information Security: Where to Begin? January 12, 2005 Kathleen K. Roberts Principal – MBA, Information Systems kathleen@isecuresolutions.com Sanina Shen Engineer – MS, CISSP, PMP sanina@isecuresolutions.com iSecure Solutions 1611 Arran Way Dresher, PA 19025 (215) 641-1396 (Office) (215) 641-1396 (FAX) www.isecuresolutions.com Copyright [Kathleen K. Roberts] [2005]. This paper is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Final Presentation V2.W
Agenda • Introduction (5 mins.) • Review definitions and framework • Provide insights into higher ed Information security trends • Share security basics • IT Security Policies (10 mins.) • Ensure executive leadership support • Review commonly used higher ed policies • Share several different enforcement approaches • Vulnerability Assessments (10 mins.) • Overview and value of assessments • Evaluate and prepare to use assessment tools • Share scanning approaches • Other Security Topics (10 mins.) • Importance of a security awareness program • Create a business continuity plan including a CSIRT • Examine physical security • Conclusion (5 mins.) • Be aware of regulatory requirements • Begin the journey
Information Security Definitions Security Triad • Confidentiality – ensuring that the information is protected from unauthorized and/or unintentional disclosure and use. • Integrity – assuring the accuracy, completeness and reliability of information and systems from unauthorized and/or unintentional modification. • Availability – ensuring reliability and timely access to data and resources for authorized users.
Security Trends in Higher Education • Information Security • Beginning to See: • Establishment of a University Information Security Office • Hiring of a University Information Security Officer • Activities Underway by Information Security Office: • Development of security policy • Implementation of security architecture • Monitoring of security • Formal incident response processes and creation of CSIRT • Development of security awareness and training programs
Security Trends in Higher Education (continued) • Characteristics of Leading Information Security Colleges and Universities: • View information security as a major opportunity for leadership • Implementing security policies, procedures and guidelines • Conducting institutional risk assessments on a regular basis • Investing in staff and tools • Increasing “community” awareness with ongoing training • Designing, developing and deploying secure communication and information systems • Inserting confidentiality and privacy language in vendor contract documents • Requiring secure products from vendors
Security Basics • Engage executive leadership - support, resources and communication • Select a standard as benchmark based on industry best practices • The ISO 17799 Standard (www.iso17799-web.com) • ISSA-GAISP (Information System Security Association-Generally Accepted Information Security Principles) • Baseline your institution’s security posture and readiness • Evaluate security policies against industry standards • Conduct vulnerability assessment scans and re-test regularly • Determine the security standards for your organization • i.e. account blocked after 3 failed log-in attempts, passwords changed every 90 days • Examine the physical security situation • Formalize incident response procedures • Create and conduct security education and awareness classes • Start up and support an information security knowledge community
Agenda • Introduction (5 mins.) • Review definitions and framework • Provide insights into higher ed Information security trends • Share security basics • IT Security Policies (10 mins.) • Ensure executive leadership support • Review commonly used higher ed policies • Share several different enforcement approaches • Vulnerability Assessments (10 mins.) • Overview and value of assessments • Evaluate and prepare to use assessment tools • Share scanning approaches • Other Security Topics (10 mins.) • Importance of a security awareness program • Create a business continuity plan including a CSIRT • Examine physical security • Conclusion (5 mins.) • Be aware of regulatory requirements • Begin the journey
Executive Leadership Support of Security Policies and Program • Engage leadership – CIO, president and provost • Areas where support is essential • Budget for overall security program • Security personnel • Enforcement of policies • Incident response involvement and coordination • Ensure inclusion into higher ed mission and strategic plan • Educate on importance and need for security program • Statistics of security breaches and growing visibility • Federal and state regulation • Institution’s reputation • Provide updates on a regular basis • Establish regular status meetings • Provide ongoing reports and provide added value information
Basic Information Security Policy Inventory for Higher Education Key: H=High Usage by College & Univ., M=Medium Usage by College & Univ,, * =Covered in Appropriate Use Policy
Policy Enforcement Approaches Unlike corporate or government sectors, higher education requires a more delicate balance to effectively enforce policies: • Fear of being caught and punishment • Clearly communicate consequences of policy violation in student, staff and faculty handbooks • Include policy requirements in institution’s code of conduct to obtain ID • Post warnings on websites and install observation technology • Use of existing technology • Require secure password with specific requirements for network access • Use online quiz requiring reading of critical points in handbook to obtain account • Usage requirement • Incorporate policy requirements into network access usage agreements • Embarrassment by association - publish list of offenders • Post on website or in newspaper
Agenda • Introduction (5 mins.) • Review definitions and framework • Provide insights into higher ed Information security trends • Share security basics • IT Security Policies (10 mins.) • Ensure executive leadership support • Review commonly used higher ed policies • Share several different enforcement approaches • Vulnerability Assessments (10 mins.) • Overview and value of assessments • Evaluate and prepare to use assessment tools • Share scanning approaches • Other Security Topics (10 mins.) • Importance of a security awareness program • Create a business continuity plan including a CSIRT • Examine physical security • Conclusion (5 mins.) • Be aware of regulatory requirements • Begin the journey
Overview of Vulnerability Assessments • Definition: Vulnerability management is the discovery of weaknesses in a security profile, the determination of the risk and the elimination of these defects to reduce the window of opportunity in which an exploit could impact the institution. • Focus of Vulnerability Assessments • Identify vulnerabilities in key resources • Determine acceptable risk • Fix weaknesses before attacker code can be developed to exploit the vulnerability • “The Laws of Vulnerabilities” per Gerhard Eschelbeck, CTO of Qualys • Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with lowering degrees of severity • Prevalence: 50% of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis • Persistence: The lifespan of some vulnerabilities is unlimited • Exploitation: 80% of vulnerability exploits are available within 60 days of the vulnerability release
Sample of Network Vulnerability AssessmentHigh Level Summary Findings
Value of Vulnerability Assessments • Best Practices of Vulnerability Management • Classify: prioritize assets based on “mission critical” value to the institution • Measure: determine effectiveness of efforts by setting goals of reduced vulnerabilities and faster mitigation • Integrate: include the intelligence gained in scans with other security info • Audit: use metrics to evaluate effectiveness of efforts for ongoing improvement • Benefit of Conducting Vulnerability Assessments • Aids communication and facilitates decision making by integrating information from various parts of the institution • Enhances productivity of security team by creating a structure, pooling knowledge and building “in-house” expertise • Allows security to become part of the institutional culture by allowing institutional departments to take more of the responsibility for ensuring an adequate and appropriate level of security • Increase security awareness by actively involving a larger number of individuals • Provides a consistent and measurable approach to patching and upgrade management
Vulnerability Assessment Tools • To select the best tool(s) for your institution, must determine and prioritize requirements • Technical quality of the solution including degree of intrusiveness • Ease of use including deployability • Reporting capabilities • Support including ongoing research to keep vulnerability database updated • Price tag • Evaluate and select “best in class” tools • Several vendors we considered: • Foundstone - Foundscan Scanner • GFI LANguard - Network Security Scanner • Internet Security Systems (ISS) - Internet Scanner • Nessus – Nessus Scanner • Qualys - QualysGuard • All tools must be reviewed and tested • Consider having several vulnerability scanners in your toolbox
Vulnerability Assessment Preparation • Collect source documents • Current network architecture diagram to understand subnets and connections • Existing security policies and guidelines • Inventory of critical hardware and software with pertinent information • Listing of key applications with pertinent information • Read background info and discuss with subject matter expert • Review all documents to understand environment • Develop a draft test plan and obtain approval of plan and schedule • Schedule scans during slow time so no negative impact • Perform tests, assign tasks and log results • Document vulnerabilities, analyze data and make recommendations • Finalize documentation into a report or presentation
Scanning Approaches Select the best approach for your environment • Conducting a campus wide vulnerability assessment • Good for a baseline risk assessment • Will produce too many vulnerabilities to deal with • Requires much time and many resources to conduct and sift through data • Scan all high priority devices • Select “Mission Critical” servers and hosts to scan • Remediate only the severity 5 and 4 vulnerabilities • Scan entire network for a few specific vulnerabilities • Select the SANS Top 20 vulnerabilities to scan for • Scan for a specific newly announced vulnerability • Compare current assessment with a previous baseline • Requires a baseline to be in place • Only view deviations from the baseline which reduces the number of identified vulnerabilities
Agenda • Introduction (5 mins.) • Review definitions and framework • Provide insights into higher ed Information security trends • Share security basics • IT Security Policies (10 mins.) • Ensure executive leadership support • Review commonly used higher ed policies • Share several different enforcement approaches • Vulnerability Assessments (10 mins.) • Overview and value of assessments • Evaluate and prepare to use assessment tools • Share scanning approaches • Other Security Topics (10 mins.) • Importance of a security awareness program • Create a business continuity plan including a CSIRT • Examine physical security • Conclusion (5 mins.) • Be aware of regulatory requirements • Begin the journey
Security Awareness Program • Importance of Education and Awareness Program • People are the greatest source of IT security issues • Insiders cause the majority of security breaches • Most insider breaches are caused by: • Lack of awareness of threats • Assuming others are handling • Lack of knowledge on how to address • Security is low priority • Components • Define the target audience • Tailor the message to meet the needs of each audience • Delivery methods must be tailored to each group’s needs • Meetings, handbooks, web site, email alerts, adding to new student orientation, workshops, seminars, articles, videos, posters • Make it fun but keep the message short and simple though current and realistic • Repetition is key
Business Continuity Planning • May be Part of an Overall Security Plan • Includes a back up plan • Includes a disaster recovery plan • Conduct practice drills to test plan and readiness • Backup, Recovery and Restoration • Documented processes • Critical backup files stored on-site and off-site • Data backup/recovery/restoration plans developed and periodically tested • Business Continuity Planning (BCP) • Involves the entire institution • Keep department or college in business • Manual processes documented • “Cookbook” checklists and steps • Cross training of staff to ensure operational continuity of critical systems and applications
Create a CSIRT Computer Security Incident Response Team (CSIRT) • Form Team • Determine representation and team membership required • Solicit senior management support including CIO, provost and president • Required to handle all incidents that occur • Activities • Write mission statement and goals • Document incident response procedures • Create escalation list and contact information chain including law enforcement contacts for out of hours incidents • Additional support resources • http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
Value of Physical Security • Remember Physical Security – no longer just the night guard who carries a flashlight • Security includes natural disasters, fires, floods, intruders and power supplies. • Administrative Controls • Facility Management • Sensitive data or papers laying around? • Neat and orderly computing rooms • Technical Controls • Temperature / humidity controls • Fire suppression equipment • UPS (Uninterruptible power supply) • Physical Controls • Locks / combination / card swipe doors • Lighting • Fences
Agenda • Introduction (5 mins.) • Review definitions and framework • Provide insights into higher ed Information security trends • Share security basics • IT Security Policies (10 mins.) • Ensure executive leadership support • Review commonly used higher ed policies • Share several different enforcement approaches • Vulnerability Assessments (10 mins.) • Overview and value of assessments • Evaluate and prepare to use assessment tools • Share scanning approaches • Other Security Topics (10 mins.) • Importance of a security awareness program • Create a business continuity plan including a CSIRT • Examine physical security • Conclusion (5 mins.) • Be aware of regulatory requirements • Begin the journey
Conclusion • Complying with Regulatory Requirements • Gramm-Leach-Bliley (GLB) Act and the Federal Trade Commission’s Safeguards Rule • Need for a documented Information Security Plan • Other • Family Educational Rights and Privacy Act (FERPA) • California’s Senate Bill 1386 • Health Insurance Portability and Accountability Act (HIPAA) • Begin the Journey Success is a journey not a destination. The doing is usually more important than the outcome. Arthur Ashe