How to Create an IT Security Program
Tracy Mitrano
Steve Schuster
R. David Vernon
Copyright Tracy Mitrano, Steven Schuster and David Vernon, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Outline
History
The policy component
Security office today
Setting the Stage
Why worry?
Increased reliance on IT to support the teaching, research and business functions of Cornell
Nature of the IT tools being used
  Operating systems
  Cornell as an ISP
  IP networks
  Vast application suites
Why Worry …
National scrutiny
Post 9/11
Recording industry / copyright issues
Higher education as a “scapegoat” …
Peer pressure (Educause, I2, University presidents …)
HIPAA, FERPA …
General liability specter of changing laws
And, of course, increase in attacks …
What do Our Peers Think a Security Program Should Do?
Surveyed members of the Common Solution group.
R1 / Ivy …
What are your “top 10” Information Technology Security service needs?
1) Information Technology Security Audits / Assessments
  Vulnerability scanning
  System hardware and application architecture review
  Patch status
  Open E-mail relay notification
2) Information Technology Security Tool Provisioning
  Virus software distribution
  Firewall software distribution / firewall hardware provisioning
  Custom security tool kit development
  Secure network (VPN) services
  Secure machine room services (Collocation)
  Central E-mail filtering (Spam and virus)
3) Incident Response
  Coordination and information dissemination
    Internal & external parties
  Damage control / isolation
  Forensic analysis
  Resolution
  Post incident review
4) Classes / Training
  Information Technology Security Awareness
    Technical
    Executive
    General patron
  Publications (Online and paper)
  Speakers
  Alerts: virus / worm notifications
  Consulting
    Technical
    Executive
5) Intrusion Detection
  Network monitoring
  Network and central application log examination
6) Authentication / Authorization Services
  Certificate signing / authority
  Cryptographic key handling / escrow
  Access control
7) Information Technology Policy Enforcement and Abuse Response
  Copyright infringement notification
  Response to abuse of applications / hardware
  Authority to enforce policy via technical means and university governance
  Formalized liaison role with legal and select university authorities
And Finally
8) Security Related Internet Standards Work
9) Information Technology Policy Development
10) Contingency Planning
  Disaster recovery
  Business continuity
Within Cornell
List is not unexpected
Nice outline of ideal service scope
However, what is “obvious” is not always simple …
  Nature of Cornell’s decentralized control of IT
  Nature of IT technology
  Budget constraints, etc.
  Demand for new services
Cornell Guidance
Security Taskforce
  Charged by VP of IT
  Examine current structures and recommend changes if needed.
  Members included: JA, CU Police, Legal Counsel, Audit Office, Financial systems, Policy advisor, FABIT, CCD’s, Planning Information & Policy Analysis, OIT and CIT.
Taskforce Concluded
Create an Information Technologies Security Office
Appoint an Information Technologies Security Officer to direct the ITSO
Merge CIT virus, abuse and security functions under the ITSO
Office would be charged to …
• Be the locus of information technology security at Cornell.
• Have formal authority to act on the University’s behalf to assure adoption of relevant University Policy and appropriate response to IT threats that could act to violate University policies or laws.
• Identify campus-wide IT security needs.
• Act to coordinate campus-wide information technology security services.
• Provide proactive services, such as education and monitoring for network anomalies.
• Provide reactive services, such as incident response and damage control.
• Enable coordinated response from key University agents, such as Cornell Police, Audit, JA, Legal Counsel and other related parties.
• Act as an interface with external agents, such as local, state and federal law enforcement.
• Work in close partnership with campus agents responsible for policy and infrastructure development.
• Work to optimize institutional investment in IT tools to assure broad utility, such as authentication, authorization and encryption applications.
• Be a diplomatic liaison to assure best response from within a highly decentralized campus.
Recap
Security Locus
Collaborative
Partnering
Proactive
Educating
Diplomat (But with just enough “teeth” …)
However, What is “Obvious” is Not Always Simple – Revisited.
Given
  Limited resources
  Smart independent departments
  Workforce planning
  Nature of IP, poor default OS security, E-mail ...
  National pressures
And a strong desire not to “throw the baby out with the bathwater.”
What do we do?
First Steps
Taskforce perspective is correct
Hire a director!
“Top Ten” list as a service target
Triage – identify areas of greatest risks
Form guidance groups
  Executive: Taskforce members
  Operational: Technical talent throughout Cornell
First Steps Continued …
Work within the Cornell policy process to identify the balance between evasive control and users’ expectations for privacy and open access.
Leverage national relationships
  Computer Policy and Law
  I2 / Educause
  Other national resources (CERT …)
First Steps Continued …
Embrace the notion of desktop stewardship
  Principal problem at Cornell today
  Assume that the Internet is and will always be insecure
  Story of CIT and desktop stewardship
Oh Yes, and …
P2P / Copyright
Pervasive mobile devices / wireless
Education
Registry / Network Authentication
Digital asset management
  Control of digital assets outside of Cornell’s domain
  Fingerprinting
Authorization / Authentication outside of Cornell’s domain
Expectation to be a national leader
  Need to balance with internal demands
Closing Thoughts
Recognition of current work
  Departments
  CIT & the office of the VP of IT (OIT)
    CIT Security, Abuse and Virus support
    OIT Policy program
Ponder the value of net billing generated awareness
The “Workforce Planning” context
Closing Thoughts …
Balance, Balance, Balance …
Challenge may shift over time
Formal authority (Nice to have, but ideally should never be needed.)
Ramifications of ad-hoc IT security
Campus desires more support, but the program will fail without the support of campus
Cornell’s Security Program: The Policy Component
Tracy Mitrano
Director of IT Policy
Computer Policy and Law Program
Policy: Big “P” and Little “p”
Big P
  National arena
  EDUCAUSE’s position on FBI’s petition to the FCC to extend CALEA to data networks
  National security policy
Little p
  Institutional policy
  IT security policies: a piece of a larger whole
  IT security policies not the same thing as national security
Policy Picture at Cornell
University Policy Office
  Centralized office for a decentralized institution
  Formulation and Issuance of university policy
  http://www.univco.cornell.edu/policy/current.html
  http://www.univco.cornell.edu/policy/pop.html
Volume 5: Information Technologies
  http://www.cit.cornell.edu/oit/policy/drafts/
[Diagram: Volume 5 policy map; each policy box is colored by its status according to the key below]
Policies shown:
  Recording and Registration of Domain Names
  Use of Encryption
  Escrow of Encryption Keys
  Reporting Security Incidents
  Security of Information Technology Resources
  Responsible Use of Information Technology Resources
  Network Registry
  Privacy of Network and Network Flow Logs
  Access to Electronic Mail
  Mass Electronic Mailing
  Authentication and Authorization
Color Key
  Bright Green: Existing University Policy
  Turquoise: Existing Policy, scheduled for revision
  Light Green: EPRG approved, scheduled for promulgation early 2004
  Light Yellow: PAG approved, scheduled for EPRG review early 2004
  Tan: Impact Statement approved, drafting with stakeholders
  Bright Blue: OIT drafting impact statement
Four Policies for IT Security
Escrow of Encryption Keys
  http://www.univco.cornell.edu/policy/eek.for.html
Reporting Security Incidents
  http://www.univco.cornell.edu/policy/SECREP.for.june1.html
Security of Information Technology Resources
  http://www.univco.cornell.edu/policy/SEC.for.html
Network Registry
  http://www.univco.cornell.edu/policy/NR.for.html
Escrow of Encryption Keys
Cornell University expects stewards, custodians, and users of institutional administrative data who deploy software or algorithmic programs for encryption to establish procedures ensuring that the university has access to all such records and data.
Reporting Security Incidents
Users of Information Technology devices connected to the Cornell network must report all electronic security incidents promptly and to the appropriate party or office.
Security of Information Technology Resources
Cornell University expects all individuals using information technology devices connected to the Cornell network to take appropriate measures to manage the security of those devices.
Network Registry
Cornell University requires network administrators or users to register all devices (including wireless hubs and switches) connected to the Cornell network in a continuously updated central CIT network registry service.
Conclusion
IT security policy is a piece of the IT policy puzzle, which is itself another piece of the larger whole of university policy designed to preserve and protect institutional assets and interests, comply with all applicable laws, and contribute to the citizenship experience of membership in the university community.
http://www.cit.cornell.edu/oit/policy/framework.html
Cornell’s Security Program: The Security Office Today
Steve Schuster
Objectives
What is an effective security program?
Describe the broad elements of the Cornell IT Security Office
Discuss current priorities
Outline some specific efforts and services
Some emerging lessons learned
An Effective IT Security Program Must:
Aid in the establishment of security policies that are enforceable, understandable and implementable
Train faculty, staff and students with respect to IT security policies and their responsibilities to protect IT resources and data
Implement an infrastructure that enforces the principles articulated in the policies and protects the IT resources and data within the institution
Implement sound risk assessment practices to identify IT security risks and vulnerabilities within the IT infrastructure
Provide monitoring and analysis of the infrastructure to identify unauthorized activities
Develop appropriate analysis and response procedures to efficiently respond to and effectively manage IT security incidents
Develop business continuity plans that ensure the appropriate availability of critical IT resources
Security Program Elements
[Diagram: six program elements arranged around the central theme “Security is a process – not a product”]
Security Policy and User Awareness: responsible use, acceptable behavior and expected results
Secure Infrastructure Implementation: building security and services into the infrastructure
Continuous Risk Assessment & Penetration Testing: risk assessments performed regularly within the infrastructure
Security Monitoring and Analysis: clean and consistent monitoring of processing components, network characteristics and intrusion detection systems
Incident Response Processes and Procedures
Business Continuity and Disaster Recovery: complementary infrastructure, process and procedures
Security Policy and Awareness
Support for the Development of University Policies
  Reporting of Security Incidents
  Security of IT Resources
  Network Registry
  Authentication/Authorization
Security Education Program
  Travelers of the Electronic Highway (TEH)
  General user awareness
  Support of local service providers
University Best Practices Guidelines
  Security configurations
  Security incident response methods
Technical Response to Legislation
  HIPAA
  FERPA
  GLB
Security Infrastructure
Network infrastructures
  Participate in the emerging uses and capabilities of Cornell’s computing infrastructures (LAN, WLAN, Dial-up, public labs, etc.)
Security Applications
  Anti-Virus
  Personal firewalls
  Scanning
  System analysis/forensics
Authentication/Authorization
  University authentication requirements
  Risk assessment
Network Access Control (Firewalls)
  Restricted addressing
  Edge ACLs (push security closer to the edge)
  Traditional firewall service (still not there)
Direct Department Support
  Specific security or incident related issues
  Secure architecture development
Business Continuity and Disaster Recovery
Participate in current BC/DR development efforts
  Ensure current efforts include system compromise and infections as addressable events
Develop BC/DR plans that include
  Identification of critical assets
  Processes and procedures to be followed when compromise occurs on a critical resource
Risk Assessments
Central Security Assessments
  Service or infrastructure assessments (wireless, IP, etc.)
  Network and System Scanning
System scanning at time of registration
  Scan student systems upon registration
  Limit or revoke network access upon unclean scan
Promote and support localized scanning
  Distribute scanning software to local support providers
  Train support providers as necessary
Security Monitoring and Analysis
Development of Automated Reports
  Processing of network management logs
  Network usage reports
  Net alarms
  Billing alerts
Intrusion Detection
  Network Based Anomaly Detection (NBAD)
    For central operation and some distributed views
    More easily operationalized than IDS
  NIDS
    Some local IDS for critical systems or infrastructures
    Operations and response is more difficult here
Honey Pot
  Use of some “empty” networks for scanning identification
  Some early experience with honey pot operations
Identification and response to specific events or system behavior
  Algorithms to identify worm infected systems
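As an added example that is not part of the presentation, the sketch below shows the kind of logic behind the NBAD, “empty network” and worm-identification bullets: each source host is scored over flow records, and hosts with a large unanswered fan-out on one port or repeated flows into an unused address block are flagged. The address block, thresholds and flow records are all constructed for the example.

```python
# Added example, not from the presentation: a minimal network-based anomaly
# detector that scores each source host over flow records and flags
# worm-like scanning. The darknet block, thresholds and flows are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: an allocated-but-unused ("empty") block watched as a darknet.
DARK_NET = ip_network("10.9.0.0/16")
FANOUT_THRESHOLD = 20    # distinct unanswered destinations on one port
DARK_HIT_THRESHOLD = 3   # flows into the empty block before flagging

# Constructed flow records: (src, dst, dst_port, bytes_returned).
# bytes_returned == 0 means nobody answered the connection attempt.
FLOWS = (
    [("10.1.2.3", f"10.1.5.{i}", 445, 0) for i in range(1, 31)]    # scanner
    + [("10.1.2.3", f"10.9.{i}.7", 445, 0) for i in range(1, 5)]   # dark hits
    + [("10.1.7.8", "10.1.0.25", 25, 1200), ("10.1.7.8", "10.1.0.80", 80, 5400)]
    + [("10.1.9.9", f"10.1.0.{i}", 80, 3000) for i in range(1, 25)]  # busy but legit
)

def score_hosts(flows):
    """Return {src: [reasons]} for sources whose traffic looks like worm scanning."""
    fanout = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    dark_hits = defaultdict(int)
    sources = set()
    for src, dst, port, returned in flows:
        sources.add(src)
        if returned == 0:
            # Only unanswered probes count: a busy client talking to many
            # live servers on port 80 is not a scanner.
            fanout[src][port].add(dst)
        if ip_address(dst) in DARK_NET:
            dark_hits[src] += 1
    flagged = {}
    for src in sources:
        reasons = []
        for port, dsts in fanout[src].items():
            if len(dsts) >= FANOUT_THRESHOLD:
                reasons.append(f"{len(dsts)} unanswered probes to port {port}")
        if dark_hits[src] >= DARK_HIT_THRESHOLD:
            reasons.append(f"{dark_hits[src]} flows into empty block {DARK_NET}")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for host, why in score_hosts(FLOWS).items():
        print(host, "->", "; ".join(why))
```

The answered-traffic exclusion is the edge case worth keeping: fan-out alone would flag the legitimate web client, while unanswered fan-out plus darknet hits isolates the infected host.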
Incident Response
Backline Support
  NOC
  Help Desk
  NUBB
University IT Operational Procedures
  Operational procedures with CU Police
  Operational procedures with Federal Agencies
Direct Support for Departments as necessary
  Identification
  Analysis
  Response
Support for University-Wide Security Incident Response mechanisms
  Virus response
A Growing Set of Lessons Learned
Community trust is paramount
It’s OK to crawl before you walk … before you run …
All elements described above should move together at the same pace
The distributed nature of our environment does not need to mean less security, but rather a different security strategy
Consolidating security operations and security budget provides both leverage and accountability
Questions