Arlington Co 5.17

Transcript Arlington Co 5.17

Information Integrity
The Arlington Way
Ensuring Continuity of County Services in an Emergency
Why do we need Information Security?
• The need for security is becoming more important for the following reasons:
– E-Government initiatives
– Required for communicating and doing business safely in potentially unsafe environments
– Provides continuity of County Services in the event of an emergency
– Ensures the maximum utilization of the County’s technology investments
– Provides employees a worry-free cyber workplace
The Information Security Challenge
[Diagram: County needs mapped to the tactical capabilities that serve them and the security requirements those capabilities impose]
Need: E-Government, Communications, Emergency, Technology, Workforce optimization
Tactical: Constituent Communication, E-learning, Internet presence, Internet access, County intranet, Constituent Services
Security Requirements
• Expanded access brings heightened security risks
• Layered defense with multiple components
• Integration into infrastructure
• Continuity of County Services
Legal and Governmental Policy Issues
– Organizations that operate vulnerable networks will face increasing and substantial liability.
– US Federal legislation mandating security includes the following:
• GLB financial services legislation
• Government Information Security Reform Act
• HIPAA
• Sarbanes Oxley
Threat Capabilities—More Dangerous and Easier to Use
[Chart, 1980 to 2007: the sophistication of hacker tools rises from low to high while the technical knowledge required falls. Techniques plotted, from most to least sophisticated: packet forging/spoofing, stealth diagnostics, back doors, sweepers, sniffers, exploiting known vulnerabilities, hijacking sessions, disabling audits, self-replicating code, password cracking, password guessing.]
Arlington Information Security Methodology
• A complete security solution requires all of the following:
– Prevention
– Detection
– Response
– Forensics
– Reporting
Network Security as a Continuous Process
• Network security is a continuous process built around a security policy.
– Step 1: Secure
– Step 2: Monitor
– Step 3: Test
– Step 4: Improve
[Figure: the Secure, Monitor, Test, Improve cycle around the Security Policy; the same figure is repeated on the four slides that follow]
Secure the Network
• Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
– Authentication
– Encryption
– Firewalls/Access control
– Vulnerability patching
– Anti-virus
– Network Access Control (802.1x)
Monitor Security
– Detects violations of the security policy
– Involves system auditing, reporting, and real-time alerting
– Validates the security implementation in Step 1
Test Security
• Validates the effectiveness of the security policy through system auditing and vulnerability scanning
Improve Security
– Use information from the monitor and test phases to make improvements to the security implementation.
– Adjust the security policy as security vulnerabilities and risks are identified.
Trends in SPAM
[Chart slides; only the titles survived extraction]
Region of Origin for Spam in the last 90 days
Category Definitions
Spam as a % of Internet Email (April 2007)
Anti-Virus/Anti-Spam Layered Approach
• We use a layered approach and monitor the results at each filter
• At each layer filters are developed and applied
• The performance of each layer of filtering is monitored
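The layered approach above is easiest to see in code: each filter only sees the mail the earlier filters let through, and each keeps its own seen/blocked counters so that the per-layer performance can be reported. The following is an added example written for this page, not the County's own tooling; the three layers (domain blocklist, subnet blocklist, content heuristic), the blocklists and the sample messages are constructed for illustration and use documentation addresses and .test/.example names.

```python
"""Layered mail filtering with per-layer monitoring (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    sender: str      # envelope sender address
    source_ip: str   # address of the connecting mail server
    subject: str
    body: str


class Layer:
    """One filter in the chain; counts what it saw and what it blocked."""

    def __init__(self, name: str, rejects: Callable[[Message], bool]):
        self.name = name
        self.rejects = rejects
        self.seen = 0
        self.blocked = 0

    def check(self, msg: Message) -> bool:
        self.seen += 1
        if self.rejects(msg):
            self.blocked += 1
            return True
        return False


class Pipeline:
    """Runs messages through the layers in order. A message stops at the first
    layer that rejects it, so each layer's counters describe only the traffic
    the earlier layers let through."""

    def __init__(self, layers: List[Layer]):
        self.layers = layers

    def run(self, messages: List[Message]) -> List[Message]:
        # any() short-circuits, which is exactly the "stop at the first hit" rule
        return [m for m in messages if not any(l.check(m) for l in self.layers)]

    def report(self) -> Dict[str, Dict[str, float]]:
        """Per-layer metrics: how much each filter saw and how much it removed."""
        return {
            l.name: {
                "seen": l.seen,
                "blocked": l.blocked,
                "block_rate": round(l.blocked / l.seen, 3) if l.seen else 0.0,
            }
            for l in self.layers
        }


# Constructed blocklists and heuristics (assumptions, not the County's lists).
BLOCKED_DOMAINS = {"example-spam.test"}
BLOCKED_SUBNETS = [ip_network("198.51.100.0/24")]
PHISH_PHRASES = ("verify your account", "click here")


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def build_pipeline() -> Pipeline:
    return Pipeline([
        Layer("domain-blocklist",
              lambda m: sender_domain(m.sender) in BLOCKED_DOMAINS),
        Layer("subnet-blocklist",
              lambda m: any(ip_address(m.source_ip) in net for net in BLOCKED_SUBNETS)),
        Layer("content-heuristic",
              lambda m: any(p in f"{m.subject} {m.body}".lower() for p in PHISH_PHRASES)),
    ])


# Constructed sample traffic: two blocklisted senders, one phish, two legitimate messages.
SAMPLE_MESSAGES = [
    Message("promo@example-spam.test", "203.0.113.9", "Big savings", "Buy now"),
    Message("news@legit.example", "198.51.100.77", "Weekly digest", "This week's stories"),
    Message("alerts@legit.example", "203.0.113.20", "Action required",
            "Please verify your account within 24 hours"),
    Message("hr@arlington.example", "10.0.0.5", "Staff meeting", "Agenda attached"),
    Message("offers@example-spam.test", "198.51.100.5", "Last chance", "Offer ends today"),
    Message("billing@vendor.example", "192.0.2.10", "April invoice", "Invoice attached"),
]


def run_sample() -> Tuple[Dict[str, Dict[str, float]], List[str]]:
    """Filter the sample traffic; return (per-layer report, delivered senders)."""
    pipeline = build_pipeline()
    delivered = pipeline.run(SAMPLE_MESSAGES)
    return pipeline.report(), [m.sender for m in delivered]


if __name__ == "__main__":
    report, delivered = run_sample()
    for name, stats in report.items():
        print(f"{name:18} seen={stats['seen']} blocked={stats['blocked']} rate={stats['block_rate']}")
    print("delivered:", delivered)
```

Note that the fifth sample message matches both the domain and the subnet blocklist but is counted only by the domain layer, because that layer runs first. When reading per-layer statistics it therefore matters in which order the layers are chained: a cheap, specific filter placed early will absorb hits that a later, broader filter would otherwise be credited with.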
Strategy In Action
• Prevention
– Filtering phishing attacks - block phishing messages from the inbox
– Blocking access to dangerous web sites - based on URLs identified through data analysis
• Monitoring
– Anti-Spyware tools
– Relationships with registrars, web site hosting services, ISPs and cyber security vendors
– Reporting
– Threat Vulnerability Assessments
– Statistics
Symantec Reporting Server Dashboard
[Dashboard screenshot; no text extracted]
Virus Definition Distribution
[Dashboard screenshot; no text extracted]
Server Group ACG_SAV vs. Risk Name : Past 24 Hour
[Dashboard screenshot; no text extracted]
Security Response – Latest Risks
[Dashboard screenshot; no text extracted]
Action Summary – Blocked Security Risks
Computer | User | IP Address | Risk | Risk Count | First Occurrence | File / Entry
117247PC | SYSTEM | 10.114.0.85 | Downloader | 1 | 05/16/2007 11:27:35 | C:/System Volume Information/_restore{9920A742-2450-4DD4-923161573DEFE736}/RP578/A0080682.exe
15507PC | SYSTEM | 10.105.2.56 | Backdoor.Trojan | 1 | 05/16/2007 12:00:09 | C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124555.exe
15507PC | SYSTEM | 10.105.2.56 | Backdoor.Trojan | 1 | 05/16/2007 12:59:00 | C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124556.exe
15507PC | SYSTEM | 10.105.2.56 | Backdoor.Trojan | 1 | 05/16/2007 14:00:35 | C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124557.exe
16355PC | SYSTEM | 10.191.1.45 | Infostealer | 1 | 05/16/2007 13:50:13 | C:/System Volume Information/_restore{9920A742-2450-4DD4-923161573DEFE736}/RP707/A0119144.exe
16668PC | SYSTEM | 10.74.0.173 | Backdoor.IRC.Bot | 1 | 05/16/2007 13:54:13 | C:/System Volume Information/_restore{E67D66D2-CBD8-4449-B4C7DA1FC69B6A9D}/RP466/A0072421.exe
16668PC | SYSTEM | 10.74.0.173 | Backdoor.IRC.Bot | 1 | 05/16/2007 12:54:32 | C:/System Volume Information/_restore{E67D66D2-CBD8-4449-B4C7DA1FC69B6A9D}/RP466/A0072420.exe
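A report like the one above is more useful once it is aggregated per host and risk: the same host (15507PC) is blocked for the same backdoor three times at roughly hourly intervals, and every entry lives under System Volume Information/_restore, that is, in a System Restore snapshot that the scanner keeps re-detecting. The script below is an added example for this page, not part of the slides or of the reporting product shown; the rows are transcribed from the Action Summary table, while the pipe-delimited export layout is an assumption made for the example rather than the real report format.

```python
"""Aggregate a blocked-security-risks report to find hosts needing follow-up (added example)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

# Rows from the Action Summary table above; the '|' export layout is a constructed assumption.
SAMPLE_REPORT = """\
Computer|User|IP Address|Risk|Risk Count|First Occurrence|File / Entry
117247PC|SYSTEM|10.114.0.85|Downloader|1|05/16/2007 11:27:35|C:/System Volume Information/_restore{9920A742-2450-4DD4-923161573DEFE736}/RP578/A0080682.exe
15507PC|SYSTEM|10.105.2.56|Backdoor.Trojan|1|05/16/2007 12:00:09|C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124555.exe
15507PC|SYSTEM|10.105.2.56|Backdoor.Trojan|1|05/16/2007 12:59:00|C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124556.exe
15507PC|SYSTEM|10.105.2.56|Backdoor.Trojan|1|05/16/2007 14:00:35|C:/System Volume Information/_restore{CECD1DF2-2B76-4AC3-9F569587C8E6E719}/RP1098/A0124557.exe
16355PC|SYSTEM|10.191.1.45|Infostealer|1|05/16/2007 13:50:13|C:/System Volume Information/_restore{9920A742-2450-4DD4-923161573DEFE736}/RP707/A0119144.exe
16668PC|SYSTEM|10.74.0.173|Backdoor.IRC.Bot|1|05/16/2007 13:54:13|C:/System Volume Information/_restore{E67D66D2-CBD8-4449-B4C7DA1FC69B6A9D}/RP466/A0072421.exe
16668PC|SYSTEM|10.74.0.173|Backdoor.IRC.Bot|1|05/16/2007 12:54:32|C:/System Volume Information/_restore{E67D66D2-CBD8-4449-B4C7DA1FC69B6A9D}/RP466/A0072420.exe
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_report(text: str) -> List[dict]:
    """Turn the export into typed records (count as int, timestamp as datetime)."""
    reader = csv.DictReader(StringIO(text), delimiter="|")
    return [{
        "computer": row["Computer"],
        "ip": row["IP Address"],
        "risk": row["Risk"],
        "count": int(row["Risk Count"]),
        "when": datetime.strptime(row["First Occurrence"], TIME_FORMAT),
        "path": row["File / Entry"],
    } for row in reader]


def in_restore_point(path: str) -> bool:
    # Files under System Volume Information/_restore{...} belong to System Restore
    # snapshots: the scanner will keep finding the same sample there, and a rollback
    # to that restore point would bring it back onto the live file system.
    return "system volume information/_restore{" in path.replace("\\", "/").lower()


def summarize(text: str) -> Dict[Tuple[str, str], dict]:
    """Group detections by (computer, risk) and derive follow-up indicators."""
    groups = defaultdict(list)
    for r in parse_report(text):
        groups[(r["computer"], r["risk"])].append(r)
    summary = {}
    for key, rows in groups.items():
        times = sorted(r["when"] for r in rows)
        total = sum(r["count"] for r in rows)
        summary[key] = {
            "ips": sorted({r["ip"] for r in rows}),
            "count": total,
            "first": times[0].strftime(TIME_FORMAT),
            "last": times[-1].strftime(TIME_FORMAT),
            "span_minutes": int((times[-1] - times[0]).total_seconds() // 60),
            "recurring": total >= 2,
            "restore_point": all(in_restore_point(r["path"]) for r in rows),
        }
    return summary


def hosts_needing_followup(summary: Dict[Tuple[str, str], dict]) -> List[str]:
    """Hosts where the same risk keeps being blocked: the block works, but the
    source of the file (here a restore point) has not been cleaned up."""
    return sorted({computer for (computer, _), s in summary.items() if s["recurring"]})


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    for (computer, risk), s in sorted(summary.items()):
        print(f"{computer:9} {risk:17} count={s['count']} span={s['span_minutes']}min "
              f"restore_point={s['restore_point']}")
    print("follow up:", hosts_needing_followup(summary))
```

The "recurring" flag is the actionable one: a block that fires every hour on the same host is a sign that the scanner is repeatedly cleaning a copy it cannot remove, and the fix is to clear the affected restore point rather than to wait for the next detection.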
The Anti-Virus Anti-spam strategy (the old way)
• First, we identify suspected spam domains and associated subnets from the reports.
• Second, we run additional reports to identify other email received from these domains or subnets that was not detected. If the additional email is all spam, we add the domains and subnets to a spam subnet/domain spreadsheet.
• Third, we add the domains to the NAV gateway blocking list.
• Fourth, we review the NAV gateway reports to verify the effectiveness and to reduce possible false positives for the domain blocking.
• Fifth, we add the subnets to the firewall blocking list rule.
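The five steps above are a small pipeline, and writing it down makes the false-positive check in steps two and four explicit. The script below is an added example for this page, not the County's own scripts: candidate domains and subnets come from messages the gateway flagged, undetected mail from the same sources is checked, a message an analyst reviewed as legitimate vetoes the block, unreviewed undetected mail holds the entry, and the surviving entries are split into a gateway domain list and a firewall subnet list. The log layout, the /24 subnet grouping and the sample lines are constructed assumptions.

```python
"""Build spam domain and subnet blocklists from gateway reports (added example)."""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List

# Constructed report extract: source IP | sender domain | gateway verdict | analyst review.
# "review" is "spam" or "legit" for undetected mail an analyst has looked at, "-" otherwise.
SAMPLE_LOG = """
203.0.113.10 | bulk-offers.test   | spam  | -
203.0.113.11 | bulk-offers.test   | spam  | -
203.0.113.12 | bulk-offers.test   | clean | spam
198.51.100.5 | newsletter.example | spam  | -
198.51.100.6 | newsletter.example | clean | legit
192.0.2.20   | cheap-meds.test    | spam  | -
192.0.2.21   | cheap-meds.test    | clean | -
10.20.30.40  | arlington.example  | clean | -
"""


def parse_log(text: str) -> List[dict]:
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ip, domain, verdict, review = (f.strip() for f in line.split("|"))
        rows.append({"ip": ip, "domain": domain.lower(), "verdict": verdict, "review": review})
    return rows


def classify(messages: List[dict]) -> str:
    """Steps one, two and four for a single domain or subnet.
    not_candidate:  nothing from this source was flagged by the gateway
    false_positive: an undetected message was reviewed as legitimate, so do not block
    block:          every message is spam, either caught by the gateway or confirmed by review
    hold:           some undetected mail has not been reviewed yet
    """
    if not any(m["verdict"] == "spam" for m in messages):
        return "not_candidate"
    if any(m["review"] == "legit" for m in messages):
        return "false_positive"
    if all(m["verdict"] == "spam" or m["review"] == "spam" for m in messages):
        return "block"
    return "hold"


def _file(result: Dict[str, List[str]], outcome: str, entry: str, block_key: str) -> None:
    if outcome == "block":
        result[block_key].append(entry)
    elif outcome in ("hold", "false_positive"):
        result[outcome].append(entry)


def build_blocklists(rows: List[dict], prefix: int = 24) -> Dict[str, List[str]]:
    """Steps three and five: domains go to the gateway list, subnets to the firewall rule."""
    by_domain = defaultdict(list)
    by_subnet = defaultdict(list)
    for r in rows:
        by_domain[r["domain"]].append(r)
        net = ip_network(f"{r['ip']}/{prefix}", strict=False)  # /24 grouping is an assumption
        by_subnet[str(net)].append(r)

    result: Dict[str, List[str]] = {
        "gateway_domains": [], "firewall_subnets": [], "hold": [], "false_positive": []}
    for domain, msgs in sorted(by_domain.items()):
        _file(result, classify(msgs), domain, "gateway_domains")
    for net, msgs in sorted(by_subnet.items()):
        _file(result, classify(msgs), net, "firewall_subnets")
    return result


if __name__ == "__main__":
    lists = build_blocklists(parse_log(SAMPLE_LOG))
    for name, entries in lists.items():
        print(f"{name:16} {entries}")
```

In the sample data only bulk-offers.test and its /24 are blocked outright; newsletter.example is kept off both lists because one of its undetected messages was reviewed as legitimate, and cheap-meds.test stays on hold until its remaining undetected message has been looked at. Keeping those two outcomes separate from the block list is what step four's false-positive review amounts to in practice.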
The Anti-Virus Anti-spam strategy (the New way)
Set it and Forget it!
Envision Firewall/IDS Dashboard
[Dashboard screenshot; no text extracted]
IDS Dashboard
[Dashboard screenshot; no text extracted]
Additional Cyber Security Initiatives
• Intrusion Detection/Prevention
– Server protection
– Desktop protection
• Mobile worker
• Public Wireless zones
• Vulnerability Scanning
• Employee education
• Constituent education
Future Cyber Security Initiatives
• Web traffic Anti-virus scanning/filtering
• Enhanced Anti-spam filtering