Educational Networks – The Vanishing Perimeter [2002]

Page 1: Educational Networks – The Vanishing Perimeter

Brian Rue, Lead Senior Auditor
Information Technology Audits
State of Florida Auditor General
[email protected]



Page 2

In the beginning…

The Computer

The Perimeter

The Enterprise Security Management System

Page 3

Today – Connection Complexity

Page 4

Network Security – Where’s the Perimeter?

The network perimeter may be a thing of the past, Symantec executives said. "The perimeter is pretty porous and in fact may not be definable," according to John Schwarz, president and COO of Symantec.

Page 5

The Vanishing Perimeter

Wireless “Cloud of Connectivity”
Web Services (DIY - do it yourself)
Next-Generation Cell Phones and PDAs
Instant Messenger
Internet Browsers
E-mail
Peer-to-Peer
Remote Access
SAN/NAS
Voice over IP
Relational Databases
E-Commerce
HIPAA

Page 6

Defense Resources I

Router Security
Maintaining Access Control Lists
Robust Network Management System
Restricting Logon Options (Telnet)
Applying Vendor Patches

Firewalls
Multiple Deployments

Intrusion Detection Systems
Host/Network

Page 7

Defense Resources II

Antivirus Protection
Host
Gateway
PDAs
New 3G Cell Phones?
Client

Additional Server Security
Harden Server Boxes
Harden Mainframe
Apply Patches

Application Security
Granular Security

E-Commerce
Fortifying SOAP, XML

Bugbear is currently the worst computer-security outbreak globally, Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Helsinki, Finland, said in an e-mail to the Associated Press. The worm is expected to last well into next year because many consumers won't realize their computer is infected, Hypponen said.

Page 8

Defense Resources III

Public-Key Infrastructure (PKI)
Web Services
Wireless Access
SAN (PKI for users and use of Digital Certificates for devices)

Virtual Private Database
Building Security in the Data Server to Restrict Applications (Hackers know the easiest way to your data can be through your applications)

Voice Over IP
VPN
Segregate VOIP Network from Internet
Harden Call Management Boxes

Page 9

Defense Resources IV

Network User Security
Biometrics
Two-factor Authentication (example: SecurID)
Single Sign-on
Restricting Operating Systems - UC Santa Barbara’s ResNet, which supports residence hall network connections for students, recently restricted Windows users to Windows XP due to the difficulty students had in patching and securing other Windows versions.

Remote User Security
Two-factor Authentication
Secure Socket Layer (HTTPS) or VPN
Client Antivirus
Client Firewall

Page 10

Defense Resources V

"Some of the colleges have been advocating a more casual, friendly, and collaborative atmosphere. Wireless removes the restraints of working with permanently positioned computers, and this both facilitates and enriches the teaching and learning environment."

— Beth Chancellor, Director, Telecommunications, University of Missouri

Wireless Security
VPN
Internet Authentication Services (RADIUS Server)
WEP/MAC – The Absolute Minimum
LEAP - Lightweight Extensible Authentication Protocol (Cisco)
EAP – Win XP
PEAP - Protected Extensible Authentication Protocol
SSN - Simple Secure Network
TKIP - Temporal Key Integrity Protocol, part of 802.11i
Virtual Local Area Networks (VLANs)

Page 11

Defense Resources VI

Actively Auditing Networks
Scanners
Use of Outside Vendors
After Hours Desk Checks
War Driving/War Walking – NetStumbler reports on what channel a given network operates on, who makes the access point hardware, and whether WEP is enabled.

Page 12

On the Radar

Enterprise Security Management (ESM)
Looking for the magic console to centralize the monitoring and management of security policy for the enterprise (integrate, interconnect, interoperate, translate data, be interchangeable, and more).

"We think there's a strong need for industry standards in the security industry. We need to reduce the amount of complexity," said Don Haille, president of Fidelity Investments Systems Co., based in Boston.

The USA PATRIOT ACT
May require additional logging of student access to the Internet and e-mail activities.
www.ins.usdoj.gov/graphics/lawsregs/patriot.pdf

Intrusion Protection Systems (IPS)
Monitoring of hacker reconnaissance activity [1] that usually precedes a network attack, and responding to this activity with a modified response to disrupt the reconnaissance activity and lessen the chance of an attack.

[1] HTTP-based probes, “finger” probes, TCP/UDP Port Scans, SNMP probes +
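As an added example (not from the presentation), the reconnaissance monitoring described above applied to constructed firewall log lines: it flags the finger and SNMP probes and the port scans named in the footnote so that a response can be keyed to them. The log format, IP addresses, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed sample, not from the slides), lines in
# time order: "<ISO time> <src> <dst> <proto>/<dport> <action>"
SAMPLE_LOG = """\
2002-11-12T09:00:01 192.0.2.10 198.51.100.5 tcp/21 deny
2002-11-12T09:00:02 192.0.2.10 198.51.100.5 tcp/22 deny
2002-11-12T09:00:03 192.0.2.10 198.51.100.5 tcp/23 deny
2002-11-12T09:00:04 192.0.2.10 198.51.100.5 tcp/25 deny
2002-11-12T09:00:05 192.0.2.10 198.51.100.5 tcp/79 deny
2002-11-12T09:00:06 192.0.2.10 198.51.100.5 tcp/80 accept
2002-11-12T09:00:07 192.0.2.10 198.51.100.5 tcp/110 deny
2002-11-12T09:00:08 192.0.2.10 198.51.100.5 tcp/139 deny
2002-11-12T09:00:30 192.0.2.77 198.51.100.9 udp/161 deny
2002-11-12T09:01:00 203.0.113.4 198.51.100.5 tcp/80 accept
2002-11-12T09:01:05 203.0.113.4 198.51.100.5 tcp/443 accept
"""

SCAN_THRESHOLD = 8              # distinct proto/port pairs from one source
WINDOW = timedelta(seconds=60)  # inside this window count as a port scan
# Single-port probes named in the slide's footnote (thresholds are assumed).
PROBE_PORTS = {("tcp", 79): "finger probe", ("udp", 161): "SNMP probe"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, port, action)."""
    ts, src, dst, service, action = line.split()
    proto, port = service.split("/")
    return datetime.fromisoformat(ts), src, dst, proto, int(port), action


def detect_recon(log_text):
    """Return {source IP: sorted findings} for recon activity in log_text."""
    findings = defaultdict(set)
    recent = defaultdict(list)  # src -> [(ts, proto, port)] within WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, _action = parse_line(line)
        label = PROBE_PORTS.get((proto, port))
        if label:               # a denied probe is still reconnaissance
            findings[src].add(f"{label} against {dst}")
        # Sliding window: drop this source's hits older than WINDOW.
        recent[src] = [h for h in recent[src] if ts - h[0] <= WINDOW]
        recent[src].append((ts, proto, port))
        distinct = {(p, q) for _, p, q in recent[src]}
        if len(distinct) >= SCAN_THRESHOLD:
            protos = "/".join(sorted({p for p, _ in distinct}))
            findings[src].add(f"{protos} port scan")
    return {src: sorted(f) for src, f in findings.items()}


if __name__ == "__main__":
    for src, hits in detect_recon(SAMPLE_LOG).items():
        print(src, "->", "; ".join(hits))
```

The normal web client (203.0.113.4) produces no finding, while the scanning host is reported for both the finger probe and the scan, which is the distinction an IPS needs before it alters its response.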

Page 13

The Ultimate Network Security Solution

Page 14

8 Essential Steps to Building a Human Firewall (www.humanfirewall.org)

1. Get top management buy-in and commitment

Like most initiatives, improving information security awareness across your organization requires the buy-in and commitment of top management.

Page 15

2. Assign and clarify roles and responsibilities

One of the biggest obstacles to improving information security awareness and behavior is a lack of clear-cut roles and responsibilities.

Page 16

3. Create an Action Plan with a budget

Information security action plans should start with an assessment of the relative value of information assets within your organization. This typically involves some sort of risk management assessment and process.

Page 17

4. Develop and/or update information security policies

Information security policies provide the guidelines for what is considered to be acceptable and unacceptable behavior when it comes to safeguarding information. Well-defined policies that are read and understood by everyone involved in handling sensitive information are one of the best ways to improve the protection of vital information assets.

Page 18

5. Develop an organization-wide Security Awareness/Education program

Based on a foundation of a risk assessment, defined information security roles and responsibilities, an action plan with budget and officially sanctioned policies, an organization-wide security awareness program can then be implemented to communicate with employees and other individuals involved in handling sensitive or confidential information.

Page 19

6. Measure the progress of your Security Awareness/Education efforts

While measuring the results of a security awareness program is important to evaluate progress, it is fast becoming a necessity in specific industries such as financial services and healthcare, where new regulations governing privacy and security require that organizations act in good faith to communicate policies and procedures, and are able to prove they have done so (USA Patriot Act, HIPAA, etc.).

Page 20

7. Adapt and improve your Security Awareness/Education programs according to progress/feedback

As an ongoing function, information security needs to be treated as a continuous cycle of planning, action, feedback and improvement. Because information technology evolves so rapidly (e.g. the recent explosive growth of wireless communications) in today's marketplace, the human side of information security must try to keep pace by building on a strong "human firewall" foundation.

Page 21

8. Develop an information security incident response team and plan

Just as an organization should have some kind of a disaster recovery plan in the event of a natural disaster such as a flood, so should you have a plan for managing information security incidents that are detected and/or reported by employees and others. Designating a security incident response team will help you to establish proper procedures in advance and greatly increase the odds of resolving any incidents quickly and effectively. It's important that anyone responsible for assuring information security understands the process for reporting any suspected incident.

Page 22

National Institute of Standards and Technology - NIST

http://csrc.nist.gov/publications/nistpubs/index.html

SP 800-47 Security Guide for Interconnecting Information Technology Systems
SP 800-46 Security for Telecommuting and Broadband Communications
SP 800-44 Guidelines on Securing Public Web Servers
SP 800-41 Guidelines on Firewalls and Firewall Policy
SP 800-40 Procedures for Handling Security Patches
SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-31 Intrusion Detection Systems (IDS)
SP 800-30 Risk Management Guide for Information Technology Systems


Page 23

National Strategy To Secure Cyberspace

http://www.whitehouse.gov/pcipb/

Page 24

Enterprise Rollout Problems (ERP)

Enterprise Resource Planning Systems (ERP) represent complex network architectures performing complicated computations on intricate business processes.

Balancing institutional functionality with user, budget, IT support, and hardware limitations…

Page 25

Examining an ERP Implementation

1. Has the entity mapped business processes and developed a strategy to re-engineer or port legacy business processes to ERP?

2. Will the ERP project follow entity systems development policies and procedures, or will new controls guide the implementation?

3. Does the entity maintain an active Steering Committee with upper management participation?

4. Are there adequate provisions to retain important legacy application staff in the project until completion?

5. Has the entity performed, or is it planning to perform, adequate sizing procedures of equipment to match the needs of users and the ERP?

Page 26

ERP Part 2

6. Are deliverables and completion dates clearly specified in the contract, and are institutional controls in place to monitor contract activity and approve deliverables?

7. Are internal auditors or consultants included in the development team to ensure data/process controls are implemented during the coding of business processes?

8. Has the entity developed a test management strategy encompassing load testing and functional testing, including monitoring network traffic pattern trends from the ERP system to gain detailed utilization statistics?

9. Has an end-user training plan been created with adequate resources and allocated time to minimize disruptions at the go-live date?

10. Has the go-live date been planned to maximize user training time and minimize transaction loads?

Page 27

Discussion Time