Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst Marina Arseniev, Associate Director of Enterprise Architecture University of California, Irvine

Posted on 24-Dec-2015

214 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst

Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base

Joshua Drummond, Security Architect
Neil Matatall, Security Programmer/Analyst
Marina Arseniev, Associate Director of Enterprise Architecture

University of California, Irvine

Page 2: About us…

• Located in Southern California
• Year founded: 1965
• Enrollment: over 24K students
• 1,400 Faculty (Academic Senate)
• 8,300 Staff
• 6,000 degrees awarded annually
• Carnegie Classification: Doctoral/Research – Extensive
• Extramural funding: 311M in 2005-2006
• Undergoing significant enrollment growth

Page 3: Security Status Across Higher Ed? http://www.privacyrights.org

– 800,000 in November 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.

– 5,800 in August 2007: A computer holding the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.

– 4,375 in September 2007: Former students at risk of identity fraud after an instructor's laptop computer was stolen.

– 3,100 in September 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.

Page 4: Security is Multi-layer

Layered security diagram (layer: controls):

• User: Identity Management, Authentication, Education
• Network/Web: Account Admin, Firewalls, Encryption, Logging/Auditing
• Application: Authorization, Logging/Audit, Test Tools
• Data: Authorization, Logging/Audit, Encryption, Inventory
• Operations: Backups (incl. off-site), Logging/Audit, Disaster Recovery
• Policies, Standards, Procedures, Technical Reference Architecture: Approved Tools and Lifecycle, Exceptions by Approval, Regularly reviewed

Page 5: We do a lot… SDLC and Change Management

• Security requirements and design reviews from get-go.

• Code reviews

• Developers reuse security components

• Automated nightly code and application security scanning

• Scheduled network & configuration vulnerability scanning

• Consolidated storage of sensitive data, database model reviews of personal identity data

• Concurrency and stress testing to detect thread-safety issues

Page 6: Still had problems

• Urgent call from our director:

– Have you patched server X?
– Is Server Y behind a firewall?
– Did Server Y have any credit card information stored?
– Is the database encrypted?
– When was the last time a security review of Application X was done?

• Peter the Anteater is on vacation!
• Peter is now at Google!
• Different answers from different people.
• Little confidence that information is current.

Page 7: Not enough…

– Many security layers meant many documents owned by many people

– Scattered checklists, spreadsheets, and diagrams not accessible

– Host IP change = document update nightmare.

– New server? Update how many firewalls?
– Missing information, such as whom to contact
– Proprietary knowledge departed with staff turnover

Spreadsheet Hell!

Page 8: What we learned …

• Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.

• Explored different approaches and tools – both vendor and open source.

• Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase.

– Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.

Page 9: Objectives

• Quickly respond to threats.

• Organize, consolidate, and centralize security procedures and facts about layers of security.

– Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc.
– Track security checklists
– Track code, database, and security reviews, results and follow-up
– Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.

Page 10: Agenda

• Background on Ontologies and Protégé
• Realized value – demonstration of our knowledgebase and reports
• How to implement this in your organization
• Summary
• Useful URLs and Q&A

Page 11: Background

• What is an Ontology?

– “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.”

– Supports inheritable properties (is-a)

– Attributes of an object can be complex objects themselves (rich). Nestable…

Book Ontology (is-a diagram): Writing; Short Story, Historical, Novel; Classic, Medieval, Modern

Page 12: Stanford University’s Protégé

• Allows easy modeling and creation of ontology

• Auto generates forms for collecting and capturing information based on ontology and class definitions.

• “Reverse slots” allow rich linking ability and automatic updates of changing relationships.

– Remember the removal of the server and associated updates of firewall rules?
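Reverse slots are what make "remove the server and the firewall rules follow" work. The following is an added illustration, not Protégé's API or the presenters' code: a toy frame-style knowledge base in which each inverse slot pair stays consistent in both directions, with assumed class and slot names (Host, Firewall, FirewallRule, allowed_by_rule/allows_host, rule_of/has_rule).

```python
# Toy model of Protégé-style "reverse slots" (inverse slot pairs), added as an
# illustration only: not Protégé's API; class and slot names are assumptions.
from collections import defaultdict

class KnowledgeBase:
    def __init__(self):
        self.instances = {}  # name -> {"cls": class name, "slots": {slot: set}}
        self.inverse = {}    # slot -> its inverse slot

    def declare_inverse(self, slot, inverse_slot):
        self.inverse[slot] = inverse_slot
        self.inverse[inverse_slot] = slot

    def create(self, cls, name):
        self.instances[name] = {"cls": cls, "slots": defaultdict(set)}

    def link(self, subject, slot, value):
        # Filling one side of an inverse pair fills the other automatically.
        self.instances[subject]["slots"][slot].add(value)
        if slot in self.inverse:
            self.instances[value]["slots"][self.inverse[slot]].add(subject)

    def get(self, name, slot):
        return sorted(self.instances[name]["slots"][slot])

    def delete(self, name):
        # Deleting an instance retracts every reverse reference to it, so a
        # decommissioned host drops out of its firewall rules by itself.
        for slot, values in self.instances[name]["slots"].items():
            if slot in self.inverse:
                for other in values:
                    self.instances[other]["slots"][self.inverse[slot]].discard(name)
        del self.instances[name]

    def instances_of(self, cls):
        return sorted(n for n, i in self.instances.items() if i["cls"] == cls)

def build_sample_kb():
    # Constructed sample: two hosts, two firewalls, three rules.
    kb = KnowledgeBase()
    kb.declare_inverse("allowed_by_rule", "allows_host")  # Host <-> FirewallRule
    kb.declare_inverse("rule_of", "has_rule")             # FirewallRule <-> Firewall
    for name in ("dept-fw", "border-fw"):
        kb.create("Firewall", name)
    for name in ("db01", "web01"):
        kb.create("Host", name)
    for rule, fw, host in (("r1", "dept-fw", "db01"), ("r2", "border-fw", "db01"),
                           ("r3", "border-fw", "web01")):
        kb.create("FirewallRule", rule)
        kb.link(rule, "rule_of", fw)
        kb.link(host, "allowed_by_rule", rule)
    return kb

def firewalls_protecting(kb, host):
    # "Is server Y behind a firewall?" answered from one place instead of five sheets.
    return sorted({fw for r in kb.get(host, "allowed_by_rule") for fw in kb.get(r, "rule_of")})

def orphan_rules(kb):
    # Rules that allow no host any more: review candidates after a decommission.
    return [r for r in kb.instances_of("FirewallRule") if not kb.get(r, "allows_host")]
```

Deleting a host leaves its former rules with an empty allows_host slot, which is exactly the kind of stale entry a scheduled report can flag for cleanup.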

Page 13: Stanford University’s Protégé

• Generates an HTML view of knowledge and ontology.

• Can be exported in XML format
– Generate reports in other formats and for specific audiences, without storing redundant data.

• Multi-user capable

• Highly scalable – simulations have handled over 5 million objects

• Open source at http://protege.stanford.edu/
– Java API to program against
– Under active development (last release Aug 24, 2007)

Page 14: Protégé GUI

Page 15

Page 16: HIPAA?

Page 17: Protégé – Application Instances

Page 18: Protégé – Authentication Instances

Page 19: Protégé – Authorization Instances

Page 20: Protégé – Backup Procedures

Page 21: Protégé – Query Capability

Page 22: Agenda

• Background on Ontologies and Protégé
• Realized value – demonstration of our knowledgebase and reports
• How to implement it in your organization
• Summary
• Useful URLs and Q&A

Page 23: Using Protégé to Capture Reviews

Page 24: Using Protégé to Capture Reviews

Page 25

Page 26: Realized Value: Auto-generated Reports from Protégé

• Network Inventory Report – By Host Name – By IP Address

• Firewall Rules Report – By Firewall – By Host Name – By IP Address

• Personal Identity Database Report – By Server – By Database

• Personal Identity Datafile Report – By Server

• Application Report – Includes developed and vendor applications

Page 27: Before and After - Firewalls

Roles in the diagram: Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin

Page 28

Page 29: Reports: Personal Identity Database by Server

Page 30: Agenda

• Background on Ontologies and Protégé
• Realized value – demonstration of our knowledgebase and reports
• How to implement it in your organization
• Summary
• Useful URLs and Q&A

Page 31: How to Implement in your Organization…

• Step 1: Inventory existing spreadsheets and documents

• Step 2: Identify information you want to track centrally.

• Step 3: Design your ontology (or copy ours)

• Step 4: Assign roles – who updates, who views

• Step 5: Capture information

• Step 6: Add any customizations to Protégé

• Step 7: Create secured reports for various audiences

Page 32: Our Ontology

Page 33: Updates

• 3 ways to update your knowledge base

• Desktop Client / Local Project
– Only one person can update at a time
– Must have access to project file

• Web Server
– Multi-user, access anywhere
– Interface has its weaknesses

• Client / Server
– Best of both worlds
– Must have desktop client installed

Page 34: Updates – Client / Server

• Use built-in client-server mode for multi-user updates

• Grant access to individual users
– Support for role-based permissions

• Updates are propagated in near-real-time

• BE CAREFUL! – Everything is stored in plain text

Page 35: Customizations

• Modified the existing HTML Export plug-in to change the structure of the output HTML

– Encrypt Sensitive Values

– List Instances before Slots on Class pages

– Made string attributes that are URLs actual hyperlinks

– Add line breaks between multiple Slot values

Page 36: Using Protégé to Capture Reviews

Page 37: Automation

• Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports

• Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI
– edu.uci.adcom.protege.ProjectXmlExport
– edu.uci.adcom.protege.ProjectHtmlExport

Page 38: Using XSLT for Reports

• Replicate exactly and replace former spreadsheets with the same functionality

• Created canned reports for specific views on knowledge

• XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML

• Then again from the “simple” XML to multiple HTML views for each report

• XSL and CSS are flexible and can be modified to customize presentation of data

Page 39: Report Generation Process Outline

1. Protégé knowledge base
2. Java – edu.uci.adcom.ProjectXMLExport
3. XSLT – Massage to domain-specific data
4. XSLT – Generate individual reports
5. (For web reports) CSS – To customize the display

Page 40: Reports: Personal Identity Datafile by Server

Page 41: Putting it all together

• Ant script is used to tie everything together

• Can be easily scheduled to generate reports

Page 42: Metrics – Firewall Management

Before
• Border, Police, Financial Services, Windows OS, and Server Firewall
• Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
• 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.

After
• Centralized inventory of knowledge about firewall rules
• Zero spreadsheets
• 3 custom reports – HTML and Excel
• Centralized maintenance of a single repository across organizational units
• No redundancy

Page 43: Metrics – Network and Data Inventory

Before
• White boards and documents
– Partial network inventory
– Unpatched servers on whiteboard
• 4 units keeping redundant or out-of-sync information in private locations
• Limited access – personal computers
• Sensitive data locations unclear
• Servers with no virus protection or backups

After
• New information that didn’t exist before
– Integrated database, network, and application information
• Zero spreadsheets
• 9 custom reports – HTML and Excel
• Centralized maintenance of the repository across organizational units
• Access to repository extended to 60 individuals based on privileges
• Clearer view of potential holes in security for analysis and proactive planning
• Sensitive data tracked
– 40 data files
– 50 database fields
• Added 40 hosts to backup and anti-virus scanning procedure

Page 44: Future Plans

• Continue to evolve the ontology to include more attributes and relationships

• Continue capturing and updating new information
– Automate capture of information with tools

• Create a plugin for encrypting sensitive information

• Create a slot-based authorization plugin

• Generate checklists intelligently based on attributes
– Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.

• Create notifications about potential trouble spots
– A personal identity database field that has not been encrypted.
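The report pipeline on pages 38-39 (knowledge-base export, "simple" report XML, per-report HTML) and the page 44 notification about unencrypted personal-identity fields can be shown together. This is an added example and not the presenters' code: the "simple" XML below is a constructed sample whose element and attribute names (database, field, server, pii, encrypted) are assumptions, and the grouping and check are done in Python rather than the XSLT the slides used.

```python
# Added illustration, not the presenters' code or Protégé's export format:
# a constructed "simple" report XML (schema assumed), grouped into the
# "Personal Identity Database by Server" view and scanned for unencrypted PII.
import xml.etree.ElementTree as ET
from collections import defaultdict
from html import escape

SIMPLE_XML = """<report>
  <database name="student_records" server="db01.example.edu" owner="Registrar">
    <field name="ssn" pii="true" encrypted="true"/>
    <field name="dob" pii="true" encrypted="false"/>
  </database>
  <database name="aid_apps" server="db02.example.edu" owner="Financial Aid">
    <field name="parent_ssn" pii="true" encrypted="false"/>
    <field name="award_amount" pii="false" encrypted="false"/>
  </database>
  <database name="hr" server="db01.example.edu" owner="Human Resources">
    <field name="employee_ssn" pii="true" encrypted="true"/>
  </database>
</report>"""

def pii_databases_by_server(xml_text):
    # Group every database holding PII fields under its server (the page 29 view).
    by_server = defaultdict(list)
    for db in ET.fromstring(xml_text).iter("database"):
        pii = [f for f in db.iter("field") if f.get("pii") == "true"]
        if pii:
            by_server[db.get("server")].append(
                (db.get("name"), db.get("owner"), [f.get("name") for f in pii]))
    return {s: sorted(v) for s, v in sorted(by_server.items())}

def unencrypted_pii_fields(xml_text):
    # Trouble-spot notification from page 44: PII fields stored without encryption.
    hits = []
    for db in ET.fromstring(xml_text).iter("database"):
        for f in db.iter("field"):
            if f.get("pii") == "true" and f.get("encrypted") != "true":
                hits.append((db.get("server"), db.get("name"), f.get("name")))
    return sorted(hits)

def render_html(by_server):
    # One table per server; values are escaped so hostnames or owner names
    # taken from the knowledge base cannot inject markup into the report.
    out = ["<html><body>"]
    for server, dbs in by_server.items():
        out.append(f"<h2>{escape(server)}</h2><table>")
        out.append("<tr><th>Database</th><th>Owner</th><th>PII fields</th></tr>")
        for name, owner, fields in dbs:
            out.append(f"<tr><td>{escape(name)}</td><td>{escape(owner)}</td>"
                       f"<td>{escape(', '.join(fields))}</td></tr>")
        out.append("</table>")
    out.append("</body></html>")
    return "\n".join(out)
```

Run on a scheduled export, the list returned by unencrypted_pii_fields is the notification feed, and the HTML is the audience-specific view the slides describe.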

Page 45: Q&A

• AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440

• Stanford’s Protégé Knowledgebase and Ontology Tool (Java, Open Source)- http://protege.stanford.edu

• XML/XSLT processing - http://xerces.apache.org

• Ant - http://ant.apache.org