Effective Implementations of a Security Program and Security Plan

Stefan Wahe, Gary DeClute, Tim Flynn, Scott Genung
Outline
• What problem were we trying to solve with a Security Program/Plan?
• What is a Security Program/Plan?
• Deliverables and Implementation
• Where are we now and where are we going?
• What have we learned?
• Discussion
April 11, 2006
Effective Implementations of a
Security Program and Plan
2
The Problem?
• Reactive vs. Proactive
• Lack of documented standards, procedures and guidelines
• Increasing number of laws and regulations
“We weren’t rowing in the same direction”
What is the problem?
• “we felt the pain” (August 2003 – August 2004)
  – 4 major DoS attacks that impacted performance and disrupted network connectivity for most users throughout campus (nearly 3,000 infections total)
  – multitudes of email-borne threats that impacted the performance of the campus mail system and caused the University to be blacklisted by other email domains
  – the University spent approximately $750K during the 2003-2004 academic year in clean-up efforts
What is the problem?
• anatomy of an attack: Sasser (April 2004)
  – 600+ virus-infected systems detected within 3 days of the outbreak (there were around 15K nodes at the time)
  – 500+ systems removed to combat DoS volume and to try to contain the threat
  – all environments had exploited hosts (not just a student problem); all environments felt the impact
  – many users were unable to consistently access the Internet during finals week
  – some electronic exams had to be rescheduled
What is the problem?
[Figure: breakdown of the 600+ systems identified on ISUnet with Sasser in April 2004]
What is a Security Program?
• An Information Technology Security Program (ITSP) is an administrative program that provides the policy and procedural framework for building and maintaining a secure information system
[Figure: the ITSP as a cycle of Policies & Roles, Produce Documents, Follow Procedures, and Awareness & Training]
ITSP Policy & Procedure Inheritance
[Figure: inheritance of policy and procedure from State Regulations and Federal Regulations, through Campus Policy and DoIT Policy, into the WPHIN ITSP and the UDS ITSP]
What is a security plan?
• a security plan encompasses …
  – what specific things will be done to defend against current and future security threats (knowing that no one technology can defend against all threats)
  – what the impacts of these changes are upon the systems and the users of them
  – what the timeframe of these changes is and how they depend upon each other
  – procedures for identifying how the plan will be enacted and how the University will react to future threats
Deliverables and Implementation
Framework of Program:
• System Definition and Description
• Identifies roles of actors and their responsibilities
• Identifies procedures, processes and guidelines for actors to follow to meet their responsibilities
ITSP Document Organization
[Figure: the ITSP Program Description and Policy at the centre, surrounded by guideline documents (Management Security Guidelines, Security Administrator Guidelines, Developer Security Guidelines, User Security Guidelines, Information Handling Guidelines), procedure documents (Management Procedures, Operational Procedures, Technical Procedures) and the Resulting Plans and Reports; Inherited and System Specific Policy & Guidelines and Inherited and System Specific Procedures and Documents feed into the program]
Deliverables and Implementation
The first section of the template assists in collecting a description of the system:
System Description
– System Name
– Responsible Organization
– Information Contacts
– System Architecture
– System Environment
Assignment of Security Responsibility
– Management Assignments
– Security Manager Responsibilities
– Security Administrator Assignments
– Application Developer Assignments
– Supporting Staff
– Users
Applicable Laws, Regulations and Policies
– Identify Laws, Regulations and Policies
Review of Controls
[Figure: the control families reviewed, grouped under Management, Operations and Technical: Risk Management; Authorization to Process; Life Cycle Security; Business Continuity; Human Resources; Documentation; Data Integrity; Physical Security; HW & SW Maintenance; Access Controls; Security Program; Awareness & Training; Information Handling; Incident Response; Audit Trails; Authentication and Authorization]
Deliverables and Implementation
Security Controls
Review of Security Controls: A Security Controls Review will consider all types of security controls, as described in the Information Technology Security Program and associated guidelines and procedures. The System Security Manager will conduct the Security Controls Review as directed by management. Management will determine the schedule and scope of each Security Controls Review.
Reporting and Remediation of Security Controls: Weaknesses in security controls will be reported and remedied. The System Security Manager will implement a process for the timely reporting to Management of any discovered weaknesses in the security controls. Management will report significant weaknesses in the security controls to Senior Management, and will assure effective remedial action.
Deliverables and Implementation
• Documented procedures, processes and guidelines for system actors to follow in order to comply with their responsibilities
• Documented results:
  – Risk Management Report
  – Log Report
  – Access Control Audit
• Schedule of when tasks and responsibilities should be completed
  – Also known as the Master Schedule
Deliverables and Implementation
The Master Schedule (shown against a 2006, 2007, 2008 timeline; frequency codes read as Y = yearly, 2x1y = twice per year, 1x3y = once every three years):

System Cluster     | Item                 | Actor(s)                                              | Freq
-------------------|----------------------|-------------------------------------------------------|------
Access Controls    | Access Review        | System Security Manager, Security Administrators      | Y
Security Program   | ITSP Review          | Management, Project Manager, System Security Manager  | 2x1y
Training           | Security Training    | Project Manager, System Security Manager              | Y
Risk Assess & Mgt  | Risk Assessment      | Management, System Security Manager                   | 1x3y
Risk Assess & Mgt  | Vulnerability Review | Project Manager, System Security Manager              | 2x1y
Deliverables and Implementation
Five Steps to Success
1. System Definition and Assessment
2. Identify Gaps
3. Provide Recommendations
4. Planning and Implementation
5. On-Going Assessment (Master Schedule)
Deliverables and Implementation
• lessons learned from prior DoS attacks
  – once a threat penetrated the perimeter defenses of the network, there was little to prevent it from spreading and creating impact
  – inconsistent defenses within the network created entry points for security threats to emerge
  – substantial variation in the degree of host defenses meant some environments were heavily impacted while others were not
  – quickly identifying the behavior of the threat was key to defending against it
Deliverables and Implementation
• emerging themes
  – cannot predict the type or impact of threats before they emerge
  – insufficient visibility of threats once they appear
  – insufficient defenses in place to counter these threats (they need to be integrated directly into the network model)
  – inconsistent defenses within the network create entry points where threats can emerge and then impact the interior
Deliverables and Implementation
• guiding principles of a security plan
  – visibility: the need to see clear evidence of a security event in a timely manner
  – defense in depth: the need to implement a combination of technologies that can defend against a multitude of threats at different layers within the network
  – consistency: all environments on the network must have the same level of defense to prevent a security threat from gaining a foothold within the perimeter of the network
Deliverables and Implementation
• ISUnet security enhancement plan (28 initiatives)
  – hire a security engineer
  – early warning notification
  – enhanced service provider connectivity
  – introduce perimeter firewalling
  – create a DMZ
  – enhance VPN implementation
  – enhance DNS
  – enhance QoS policies
  – introduce IPS
  – enhance anti-spoofing techniques
  – implement vLAN restructuring
  – implement zone based filtering and firewalling
  – segregate experimental networks
  – implement CoA (Conditions of Access)
  – implement a SIMS
  – implement backbone enhancements
  – enhance directory authentication
  – implement identity management
  – enhance registration systems
  – enhance rogue device detection
  – enhance wireless security
  – enhance statistics
  – implement vulnerability scanning
  – consider network admission control
  – implement automated system quarantines
  – enhance anti-virus and anti-spam for email
  – enhance email security
  – implement SMTP authentication
Status and Next Steps
• Being implemented in:
  – Public Health Information Network
  – University Directory Service
• Identified gaps:
  – Security Awareness Training
  – Media Disposal
• Identifying the next system/department for implementation
Status and Next Step
• focus on top 7 initiatives
  – introducing IPS (Intrusion Prevention System) technology
  – implementing CoA (Conditions of Access)
  – enhancing registration systems for ResNet
  – enhancing email security
  – implementing vulnerability scanning
  – hiring a security engineer
  – implementing vLAN restructuring
Status and Next Step
• introducing IPS (began 8/04)
  – goal: to identify AND block threat traffic to reduce the impact upon the network
    • an IPS detects like an IDS, but sits inline and also blocks threat traffic
  – placed at the perimeter and at key points within the backbone of the campus network
  – addresses the largest sources of potential threats:
    • traffic passing from each ResNet environment to the network backbone
    • traffic passing from the WAN to the network backbone
  – somewhat effective against zero-day threats
[Figure: management console views from TippingPoint UnityOne appliances]
Status and Next Step
• CoA (Conditions of Access) (8/04)
  – need for a policy
  – goal: create an environment where host-based defenses are consistent
  – required the use of the University’s site-licensed AV solution for ALL systems that connect to the network
  – required the use of automatic OS updating for critical patches
Status and Next Step
• enhanced registration systems (began 8/04)
  – goal: use existing registration systems to automate a process for enforcing CoA
  – ResNet
    • built on top of the registration system
    • user agrees to CoA
    • installation and setup of anti-virus software
    • apply OS patches and configure automatic updating
    • shortcomings:
      – one-time-only enforcement
      – ineffective against zero-day threats
      – must be monitored
Status and Next Step
• enhanced email security
  – goal: stop email-based threats from passing to, from, and within the campus network
  – policy and process to register campus and departmental email systems and require AV filtering
  – perimeter email filters (completed)
    • designed to prevent email-borne threats from being exchanged between the Internet and the campus network
  – interior email filters (could not complete)
    • designed to prevent email-borne threats from being exchanged between systems within the campus network
Status and Next Step
• vulnerability scanning
  – goals:
    • locate systems that are vulnerable to known exploits in order to prevent them from affecting others
    • enforce the CoA policy
  – Nessus is used to scan for unapplied MS patches when possible
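The slide says only that Nessus is used to find unapplied Microsoft patches and that scanning is meant to enforce CoA. The following is an added example, not the University's tooling or anything shipped with Nessus: it reads a Nessus v2 XML (.nessus) report and turns high-severity "Windows : Microsoft Bulletins" findings into a per-host list of missing bulletins that a CoA process could act on (quarantine until patched). The report embedded below is constructed and abridged (real reports carry many more attributes, e.g. pluginID and plugin_output); the severity threshold and the MS04-011 finding used as sample data are assumptions for illustration.

```python
"""Turn a Nessus v2 XML report into a CoA enforcement list (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed, abridged .nessus report: one XP SP1 host missing a critical
# Microsoft patch, one XP SP2 host with only an informational finding, and
# one Linux host with no findings at all.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="resnet-weekly">
  <ReportHost name="10.1.1.5">
   <HostProperties>
    <tag name="host-ip">10.1.1.5</tag>
    <tag name="operating-system">Microsoft Windows XP SP1</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
      pluginName="MS04-011: Security Update for Microsoft Windows (835732)"
      pluginFamily="Windows : Microsoft Bulletins">
    <risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
      pluginName="SMB Service Detection" pluginFamily="Service detection">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.1.1.9">
   <HostProperties>
    <tag name="host-ip">10.1.1.9</tag>
    <tag name="operating-system">Microsoft Windows XP SP2</tag>
   </HostProperties>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
      pluginName="HTTP Server Type and Version" pluginFamily="Web Servers">
    <risk_factor>Low</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.1.1.20">
   <HostProperties>
    <tag name="host-ip">10.1.1.20</tag>
    <tag name="operating-system">Linux Kernel 2.6</tag>
   </HostProperties>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

BULLETIN = re.compile(r"\bMS\d{2}-\d{3}\b")   # e.g. MS04-011 in the plugin name
MS_FAMILY = "Windows : Microsoft Bulletins"   # Nessus family for missing MS patches


def parse_report(xml_text):
    """Return {host: {"os": str, "bulletins": [(bulletin, severity), ...]}}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        findings = []
        for item in rh.iter("ReportItem"):
            if item.get("pluginFamily") != MS_FAMILY:
                continue  # only unapplied Microsoft patches matter for CoA
            m = BULLETIN.search(item.get("pluginName", ""))
            bulletin = m.group(0) if m else item.get("pluginName", "")
            findings.append((bulletin, int(item.get("severity", "0"))))
        hosts[rh.get("name")] = {
            "os": props.get("operating-system", "unknown"),
            "bulletins": findings,
        }
    return hosts


def coa_violations(hosts, min_severity=3):
    """Hosts missing at least one patch at or above min_severity (Nessus 0..4 scale)."""
    out = {}
    for host, info in hosts.items():
        missing = sorted(b for b, sev in info["bulletins"] if sev >= min_severity)
        if missing:
            out[host] = missing
    return out


if __name__ == "__main__":
    for host, missing in coa_violations(parse_report(SAMPLE_NESSUS)).items():
        print(f"{host}: CoA violation, unapplied {', '.join(missing)}; quarantine until patched")
```

The threshold is the policy lever: a registration system that only checks once (the shortcoming noted on the previous slide) can be backed by re-running this over each weekly scan and feeding the resulting host list to whatever quarantine mechanism is in place.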
Status and Next Step
• hiring a security engineer (5/05)
  – goal: a dedicated resource focused on the proactive and reactive aspects of network- and host-based security
  – coordinate and share information
  – develop consistent methods and practices
  – first step towards a centralized security office
  – due to budget constraints, existing positions were reclassified to create the position
Status and Next Step
• implementing vLAN restructuring (began 2/05)
  – goal: place like systems in like environments so that security rules can effectively be applied AND maintained
  – separation of address space types
    • to reduce the scope of impact of future threats
    • to allow for the introduction of new defensive techniques (ex: IP source guard)
    • to simplify the development and maintenance of security policies
Status and Next Step
• beyond IPS: the need for NBAD (spring 2005)
  – NBAD (Network Based Anomaly Detection)
  – IPS is signature based (with very limited anomaly detection)
  – IPS cannot defend against zero-day attacks that do not target known (signatured) vulnerabilities
  – goal: a system that can track application volume per local or remote host and then report on deviation from baseline volumes (this is NBAD)
  – takes advantage of NetFlow export data
  – can identify systems that exhibit major behavioral changes
  – can issue shuns or null routes to react immediately to threats
[Figure: management console views from StealthWatch]
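To make the NBAD idea on the previous slide concrete, here is an added example of the baselining logic it describes; it is not code from the presentation, from StealthWatch, or from any NetFlow collector. It takes NetFlow-style records (source, destination, destination port as a stand-in for "application", bytes), learns per-host byte volume and peer fan-out from past export intervals, and flags a host whose current interval deviates from that baseline, emitting the null route the slide mentions as the reaction. The traffic is constructed: one host quietly talks to three file servers on TCP/445, then in the current interval also touches 400 distinct hosts on 445, which is the worm-style behaviour a signature-based IPS would miss until a signature existed. Field layout, thresholds (z-score 3.0, 5x peer fan-out, minimum 20 peers) and the Cisco IOS null-route syntax are assumptions of this example.

```python
"""Network-based anomaly detection (NBAD) sketch over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# One flow record = (src_ip, dst_ip, dst_port, bytes).  "Application" is
# approximated by destination port, as a NetFlow v5 exporter would give it.


def make_interval(i, scanning=False):
    """Constructed sample traffic for export interval i (not real data)."""
    flows = []
    # 10.1.1.5: file sharing with three servers on TCP/445, volume drifting up slowly
    for n in range(3):
        flows.append(("10.1.1.5", f"10.0.0.{10 + n}", 445, 50_000 + 1_000 * i))
    # 10.1.1.9: web browsing to two sites
    for n in range(2):
        flows.append(("10.1.1.9", f"203.0.113.{20 + n}", 80, 20_000 + 500 * i))
    if scanning:
        # worm-like behaviour: many small connections to distinct hosts on 445
        for n in range(400):
            flows.append(("10.1.1.5", f"10.2.{n // 250}.{n % 250 + 1}", 445, 200))
    return flows


def profile(flows):
    """Per (host, port): total bytes and the set of distinct peers."""
    prof = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for src, dst, port, nbytes in flows:
        prof[(src, port)]["bytes"] += nbytes
        prof[(src, port)]["peers"].add(dst)
    return prof


def build_baseline(intervals):
    """History of bytes and peer counts per (host, port) over past intervals."""
    hist = defaultdict(lambda: {"bytes": [], "peers": []})
    for flows in intervals:
        for key, p in profile(flows).items():
            hist[key]["bytes"].append(p["bytes"])
            hist[key]["peers"].append(len(p["peers"]))
    return hist


def null_route(ip):
    """Cisco IOS static route to Null0: the 'null route' reaction named on the slide (assumed syntax)."""
    return f"ip route {ip} 255.255.255.255 Null0"


def detect(baseline, current_flows, z_threshold=3.0, peer_factor=5, min_peers=20):
    """Return one alert per host whose volume or fan-out deviates from its baseline."""
    alerts = {}
    for (host, port), p in profile(current_flows).items():
        hist = baseline.get((host, port))
        if hist is None:
            continue  # no baseline yet; a real NBAD would learn it first
        reasons = []
        mu, sigma = mean(hist["bytes"]), pstdev(hist["bytes"])
        if sigma > 0:
            z = (p["bytes"] - mu) / sigma          # z-score when history has spread
            if z > z_threshold:
                reasons.append(f"bytes z-score {z:.1f} on port {port}")
        elif mu and p["bytes"] > peer_factor * mu:  # plain ratio when history is flat
            reasons.append(f"bytes {p['bytes']} vs flat baseline {mu:.0f} on port {port}")
        peers, base_max = len(p["peers"]), max(hist["peers"])
        if peers >= min_peers and peers > peer_factor * base_max:
            reasons.append(f"{peers} distinct peers on port {port} (baseline max {base_max})")
        if reasons:
            alert = alerts.setdefault(host, {"host": host, "reasons": [], "action": null_route(host)})
            alert["reasons"].extend(reasons)
    return list(alerts.values())


def run_demo():
    """Five clean intervals as baseline, then one interval where 10.1.1.5 starts scanning."""
    baseline = build_baseline([make_interval(i) for i in range(5)])
    return detect(baseline, make_interval(5, scanning=True))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["host"], "->", alert["action"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

Two points the slide leaves implicit and the code makes visible: the slow upward drift in the web host's volume stays under the threshold, so a per-host baseline does not fire on ordinary growth, and the scanning host is caught on fan-out (distinct peers) even before its byte count would be, which is the signal that matters for a worm like Sasser.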
Status and Next Step
• beyond registration systems
  – port based authentication
    • user (802.1x) or machine based authentication each time the system touches the network
    • goal: log who connected when and where (may be a CALEA compliance requirement)
    • currently testing as a replacement for VMPS
  – generic NAC (Network Admission Control)
    • goal: automate enforcement of CoA each time a user touches the network (instead of just when registration occurs)
    • researching technologies and products
Lessons Learned
• Implementation takes time
• Need for Resources (People)
• Cultural Shift
• Need for Governance
• Risk Management Processes
Lessons Learned
• need to be proactive; monitoring is not enough
  – threats are emerging too fast
  – NAC
• all initiatives need to be based in policy
  – problems -> policies -> initiatives
Discussion
Questions