120 likes | 271 Views
Security Issues. ITEC Advisory Council Steve Lovaas August 13, 2008. Updates on Security Tools and Tactics. Utimaco SafeGuard Enterprise edition AppScan SSN Re-scan and purge. Utimaco SafeGuard Enterprise. Review: State conducted a bid for encrypting all laptops
E N D
Security Issues ITEC Advisory Council Steve Lovaas August 13, 2008
Updates on Security Tools and Tactics • Utimaco SafeGuard Enterprise edition • AppScan • SSN Re-scan and purge
Utimaco SafeGuard Enterprise • Review: • State conducted a bid for encrypting all laptops • Utimaco won the bid, significant discount on their full suite of encryption products • We waited for their enterprise edition to mature; not all modules are integrated yet • We’re starting with full-disk encryption
Utimaco SafeGuard Enterprise (cont.) • Architecture: • Database server stores policies • Web server (IIS) provides client interface (proxy) to database for policy changes • Management server(s) • Client • Crypto keys control management access, user sign-in • Key recovery possible: user calls in
Utimaco SafeGuard Enterprise (cont.) • Full-disk encryption • Protects “data at rest” – protects the data on the drive if a laptop (or lab machine) walks away • Available for Windows XP and Vista (not 64-bit) • Mac and Linux clients eventually • “Pre-Boot Authentication” – inserts itself into the Boot process, hands credentials to Windows • As with ANY encryption product, use caution and back up before encrypting
Utimaco SafeGuard Enterprise (cont.) • Ready to go! • Hammering out client purchase/distribution details (RamTech) • For small deployments (just a few laptops), we’ll get you a CD with client and config files, and it’s a simple install • For broader deployments, ACNS can show AD administrators how to set up domain OU’s to help automate installation and encryption • Look for an official announcement with final pricing this week
Utimaco SafeGuard Enterprise (cont.) • Support and the future • For general questions regarding the product, help with installation, or key recovery, contact Steve Lovaas or Mike Willard via: • Email: sgn_help@colostate.edu • Phone: (Steve) 297-3707 (Mike) 491-4651 • As more units deploy the software, we will train the CTSS help desk to provide product support • We will be investigating modules for individual file encryption and multi-user access for file servers, as those modules are released for the enterprise edition
AppScan • Review • Purchased in 2007 from WatchFire (which was bought by IBM) • Scans web applications for a number of vulnerabilities (including SQL injection) • Results are good, but very detailed • Can be overwhelming – Scott Dawson working with web admins • Working to simplify and streamline the testing and analysis process • Continuing to evaluate the market and the risks • Please contact us if you’d like a scan
SSN Re-scan and Purge • Review • Spring 2008 effort was effective, but short notice made it difficult to plan for that much work • Our policies require annual re-scanning • In the spring, we promised that next time we would begin the discussion early regarding tactics, procedures, and tools • So now’s the time to start thinking about some things… tactics, procedures, tools
SSN Re-scan and Purge (cont.) • Tactics • Just servers? All computers? Where are the bodies? • Involve users? Have IT staff do the scans? • Procedures • How to report and deal with results? • What other procedures need to be in place first? • Tools • Spider 3 was in beta last time, we didn’t want the risk • Spider 3 is production, includes self-service functions • Other commercial tools exist
Summary • Utimaco SafeGuard Enterprise • Full-disk encryption for XP, Vista • Ready to go, pending purchasing announcement • AppScan • Continuing to scan web apps on request • SSN Re-scan and Purge • Starting to plan for the next round
Questions? • Steve Lovaas • IT Security Manager • ACNS • Steven.Lovaas@colostate.edu • 297-3707