Security Issues
ITEC Advisory Council
Steve Lovaas
August 13, 2008

Updates on Security Tools and Tactics
• Utimaco SafeGuard Enterprise edition
• AppScan
• SSN Re-scan and purge

Utimaco SafeGuard Enterprise
• Review:
  • State conducted a bid for encrypting all laptops
  • Utimaco won the bid, with a significant discount on their full suite of encryption products
  • We waited for their enterprise edition to mature; not all modules are integrated yet
  • We’re starting with full-disk encryption

Utimaco SafeGuard Enterprise (cont.)
• Architecture:
  • Database server stores policies
  • Web server (IIS) provides the client interface (proxy) to the database for policy changes
  • Management server(s)
  • Client
  • Crypto keys control management access and user sign-in
  • Key recovery is possible: the user calls in

Utimaco SafeGuard Enterprise (cont.)
• Full-disk encryption
  • Protects “data at rest” – protects the data on the drive if a laptop (or lab machine) walks away
  • Available for Windows XP and Vista (not 64-bit)
  • Mac and Linux clients eventually
  • “Pre-Boot Authentication” – inserts itself into the boot process and hands credentials to Windows
  • As with ANY encryption product, use caution and back up before encrypting

Utimaco SafeGuard Enterprise (cont.)
• Ready to go!
  • Hammering out client purchase/distribution details (RamTech)
  • For small deployments (just a few laptops), we’ll get you a CD with the client and config files, and it’s a simple install
  • For broader deployments, ACNS can show AD administrators how to set up domain OUs to help automate installation and encryption
  • Look for an official announcement with final pricing this week

Utimaco SafeGuard Enterprise (cont.)
• Support and the future
  • For general questions regarding the product, help with installation, or key recovery, contact Steve Lovaas or Mike Willard via:
    • Email: sgn_help@colostate.edu
    • Phone: (Steve) 297-3707, (Mike) 491-4651
  • As more units deploy the software, we will train the CTSS help desk to provide product support
  • We will be investigating modules for individual file encryption and multi-user access for file servers as those modules are released for the enterprise edition

AppScan
• Review
  • Purchased in 2007 from WatchFire (which was bought by IBM)
  • Scans web applications for a number of vulnerabilities (including SQL injection)
  • Results are good, but very detailed
  • Can be overwhelming – Scott Dawson is working with web admins
  • Working to simplify and streamline the testing and analysis process
  • Continuing to evaluate the market and the risks
  • Please contact us if you’d like a scan

SSN Re-scan and Purge
• Review
  • The spring 2008 effort was effective, but short notice made it difficult to plan for that much work
  • Our policies require annual re-scanning
  • In the spring, we promised that next time we would begin the discussion early regarding tactics, procedures, and tools
  • So now’s the time to start thinking about some things… tactics, procedures, tools

SSN Re-scan and Purge (cont.)
• Tactics
  • Just servers? All computers? Where are the bodies?
  • Involve users? Have IT staff do the scans?
• Procedures
  • How to report and deal with results?
  • What other procedures need to be in place first?
• Tools
  • Spider 3 was in beta last time; we didn’t want the risk
  • Spider 3 is now production and includes self-service functions
  • Other commercial tools exist
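To make the tools discussion concrete, here is an added example of what an SSN re-scan tool like Spider does at its core: walk a file tree, pattern-match nine-digit numbers, discard values the SSA never issued (area 000, 666 or 900-999, group 00, serial 0000, the pre-2011 allocation rules) to cut phone-number and ID false positives, and report hits masked so the report is not itself a leak. This is illustrative code written for this page, not Spider 3 or any ACNS tool; the regular expression, plausibility rules and the sample files are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Nine digits written ###-##-####, ### ## #### or #########, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop numbers the SSA never issued under its pre-2011 allocation rules:
    area 000, 666 or 900-999, group 00, serial 0000. Cuts phone/ID false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def mask(ssn: str) -> str:
    """Report only the last four digits so the findings report is not itself a leak."""
    return "***-**-" + ssn[-4:]

def find_ssns(text: str) -> list:
    """Return masked, plausible SSN matches found in a block of text."""
    return [mask(m.group(0)) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]

def scan_tree(root) -> dict:
    """Walk a directory tree; map each file containing SSNs to its masked hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = find_ssns(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if hits:
            findings[path.name] = hits
    return findings

def demo() -> dict:
    """Constructed sample files (not real data) exercising true and false positives."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "roster.txt").write_text(
            "Jane Doe 123-45-6789\nJohn Roe 587 65 4321\nlegacy 234567890\n")
        Path(d, "contacts.txt").write_text(
            "help desk 970-297-3707\ninvoice 1234567890\nbogus 000-12-3456 666-12-3456\n")
        return scan_tree(d)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {len(hits)} SSN(s) {hits}")
```

Only the roster file is reported; the phone number, the ten-digit invoice number and the impossible area numbers are all rejected.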
Summary
• Utimaco SafeGuard Enterprise
  • Full-disk encryption for XP, Vista
  • Ready to go, pending purchasing announcement
• AppScan
  • Continuing to scan web apps on request
• SSN Re-scan and Purge
  • Starting to plan for the next round

Questions?
• Steve Lovaas
• IT Security Manager
• ACNS
• Steven.Lovaas@colostate.edu
• 297-3707