450 likes | 546 Views
Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst Marina Arseniev, Associate Director of Enterprise Architecture University of California, Irvine. About us….
E N D
Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst Marina Arseniev, Associate Director of Enterprise Architecture University of California, Irvine
About us… • Located in Southern California • Year Founded: 1965 • Enrollment: over 24K students • 1,400 Faculty (Academic Senate) • 8,300 Staff • 6,000 degrees awarded annually • Carnegie Classification: Doctoral/Research – Extensive • Extramural Funding - 311M in 2005-2006 • Undergoing significant enrollment growth
Security Status Across Higher Ed?http://www.privacyrights.org • 800,000 in November, 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants. • 5,800 in August, 2007: Computer with the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identify theft. • 4,375 on September, 2007: Former students at risk for identity fraud after an instructor's laptop computer was stolen. • 3,100 on September, 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.
We do a lot…SDLC and Change Management • Security requirements and design reviews from get-go. • Code reviews • Developers reuse security components • Automated nightly code and application security scanning • Scheduled network & configuration vulnerability scanning • Consolidated storage of sensitive data, database model reviews of personal identity data • Concurrency and stress testing to detect thread security
Still had problems • Urgent call from our director: • Have you patched server X? • Is Server Y behind a firewall? • Did Server Y have any Credit Card information stored? • Is the database encrypted? • When was the last time a security review of Application X was done? • Peter The Anteater is on vacation! • Peter is now at Google! • Different answers from different people. • Little confidence that information is current.
Not enough… • Many security layers meant many documents owned by many people • Scattered checklists, spreadsheets, and diagrams not accessible • Host IP change = document update nightmare. • New server? Update how many firewalls? • Missing information, such as whom to contact • Proprietary knowledge departed with staff turnover Spreadsheet Hell!
What we learned … • Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate. • Explored different approaches and tools – both vendor and open source. • Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase. • Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.
Objectives • Quickly respond to threats. • Organize, consolidate, and centralize security procedures and facts about layers of security. • Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc • Track security checklists • Track code, database, and security reviews, results and follow-up • Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.
Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement this in your organization • Summary • Useful URLs and Q&A
Background Book Ontology • What is an Ontology? • “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce. “ • Supports inheritable properties (is-a) • Attributes of an object can be complex objects themselves (rich). Nestable… Writing Short Story Historical Novel Classic Medieval Modern
Stanford University’s Protégé • Allows easy modeling and creation of ontology • Auto generates forms for collecting and capturing information based on ontology and class definitions. • “Reverse slots” allow rich linking ability and automatic updates of changing relationships. • Remember the removal of the server and associated updates of firewall rules?
Stanford University’s Protégé • Generates an HTML view of knowledge and ontology. • Can be exported in XML format • generate reports in other formats and for specific audiences, without storing redundant data. • Multi-user capable • Highly Scaleable • Simulations have handled over 5 million objects • Open source at http://protege.stanford.edu/ • Java API to program against • Under active development (last release Aug 24, 2007)
Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement it in your organization • Summary • Useful URLs and Q&A
Realized Value: Auto-generated Reports from Protégé • Network Inventory Report • By Host Name • By IP Address • Firewall Rules Report • By Firewall • By Host Name • By IP Address • Personal Identity Database Report • By Server • By Database • Personal Identity Datafile Report • By Server • Application Report • Includes developed and vendor applications
Before and After - Firewalls Unix Sys Admin Windows Sys Admin Department Firewall Admin Campus Border Firewall Admin Database Admin
Agenda • Background on Ontologies and Protégé • Realized value - demonstration of our knowledgebase and reports • How to implement it in your organization • Summary • Useful URLs and Q&A
How to Implement in your Organization… • Step 1: Inventory existing spreadsheets and documents • Step 2: Identify information you want to track centrally. • Step 3: Design your ontology (or copy ours) • Step 4: Assign roles – who updates, who views • Step 5: Capture information • Step 6: Add any customizations to Protégé • Step 7: Create secured reports for various audiences
Updates • 3 ways to update your knowledge base • Desktop Client / Local Project • Only one person can update at a time • Must have access to project file • Web Server • Multi-User, access anywhere • Interface has its weaknesses • Client / Server • Best of both worlds • Must have desktop client installed
Updates – Client / Server • Use built-in client-server mode for multi-user updates • Grant access to individual users • Support for role-based permissions • Updates are propagated in near-real-time • BE CAREFUL! • Everything is stored in plain text
Customizations • Modified the existing HTML Export plug-in to change the structure of the output HTML • Encrypt Sensitive Values • List Instances before Slots on Class pages • Made string attributes that are URLs actual hyperlinks • Add line breaks between multiple Slot values
Automation • Although editing of knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports • Wrote two Java classes that use the Protégé API to emulate actions usually done through GUI • edu.uci.adcom.protege.ProjectXmlExport • edu.uci.adcom.protege.ProjectHtmlExport
Using XSLT for Reports • Replicate exactly and replace former spreadsheets with the same functionality • Created canned reports for specific views on knowledge • XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML • Then again from the “simple” XML to multiple HTML views for each report • XSL and CSS are flexible and can be modified to customize presentation of data
Putting it all together • Ant script is used to tie everything together • Can be easily scheduled to generate reports
Metrics – Firewall Management Before • Border, Police, Financial Services, Windows OS, and Server Firewall • Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total) • 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets. After • Centralized inventory of knowledge about firewall rules • Zero spreadsheets • 3 custom reports – HTML and Excel • Centralize maintenance of single repository across organizational units • No redundancy
Metrics – Network and Data Inventory Before • White Boards and Documents • Partial Network Inventory • Unpatched servers on whiteboard • 4 units keeping redundant or out of sync information in private locations • Limited access - personal computers • Sensitive data locations unclear • Servers with no virus protection or backed up After • New information - that didn’t exist • Integrated database, network, and application information • Zero spreadsheets • 9 custom reports –HTML and Excel • Centralize maintenance of repository across organizational units • Access to repository extended to 60 individuals based on privileges • Clearer view of potential holes in security for analysis and proactive planning • Sensitive data tracked • 40 data files • 50 database fields • Added 40 hosts to backup and anti-virus scanning procedure
Future Plans • Continue to evolve the ontology to include more attributes and relationships • Continue capturing and updating new information • Automate capture of information with tools • Create an plugin for encrypting sensitive information • Create a slot-based authorization plugin • Generate checklists intelligently based on attributes • Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment. • Create notifications about potential trouble spots • A personal identity database field that has not been encrypted.
Q&A • AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440 • Stanford’s Protégé Knowledgebase and Ontology Tool (Java, Open Source)- http://protege.stanford.edu • XML/XSLT processing - http://xerces.apache.org • Ant - http://ant.apache.org