
Page 1: Effective Implementations of a Security Program and Security Plan

Effective Implementations of a Security Program and Security Plan

Stefan Wahe

Gary DeClute

Tim Flynn

Scott Genung

Page 2: Effective Implementations of a Security Program and Security Plan

April 11, 2006 Effective Implementations of a Security Program and Plan

2

Outline

• What Problem were we trying to solve with a Security Program/Plan

• What is a Security Program/Plan

• Deliverables and Implementation

• Where are we now and where are we going?

• What have we learned?

• Discussion

Page 3: Effective Implementations of a Security Program and Security Plan

The Problem?

• Reactive vs. Proactive

• Lack of Documented Standards, Procedures and Guidelines

• Increasing number of laws and regulations

“We weren’t rowing in the same direction”

Page 4: Effective Implementations of a Security Program and Security Plan


Page 5: Effective Implementations of a Security Program and Security Plan

What is the problem?

• “we felt the pain” (August 2003 – August 2004)

– 4 major DoS attacks that impacted performance and disrupted network connectivity for most users throughout campus (nearly 3,000 infections total)

– multitudes of email borne threats that impacted the performance of the campus mail system and caused the University to be blacklisted by other email domains

– the University spent approximately $750K during the 2003-2004 academic year in clean up efforts

Page 6: Effective Implementations of a Security Program and Security Plan

What is the problem?

• anatomy of an attack: Sasser (April 2004)

– 600+ virus infected systems detected within 3 days of outbreak (there were around 15K nodes at the time)

– 500+ systems removed to combat DoS volume and to try and contain threats

– all environments had exploited hosts (not just a student problem); all environments felt the impact

– many users were unable to consistently access the Internet during finals week

– some electronic exams had to be rescheduled

Page 7: Effective Implementations of a Security Program and Security Plan

What is the problem?

[chart: … of the 600+ systems that were identified on ISUnet with Sasser in April 2004]

Page 8: Effective Implementations of a Security Program and Security Plan

What is a Security Program?

• An Information Technology Security Program (ITSP) is an administrative program that provides the policy and procedural framework for building and maintaining a secure information system

[Diagram: ITSP cycle: Policies & Roles, Follow Procedures, Awareness & Training, Produce Documents]

Page 9: Effective Implementations of a Security Program and Security Plan

[Diagram: ITSP Policy & Procedure Inheritance, relating Federal Regulations, State Regulations, Campus Policy and DoIT Policy to the WPHIN ITSP and the UDS ITSP]

Page 10: Effective Implementations of a Security Program and Security Plan

What is a security plan?

• a security plan encompasses …

– what specific things will be done to defend against current and future security threats (knowing that no one technology can defend against all threats)

– what are the impacts of these changes upon the systems and the users of them

– what is the timeframe of these changes and how are they dependent upon each other

– procedures for identifying how the plan will be enacted and how the University will react to future threats

Page 11: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

Framework of Program:

– System Definition and Description

– Identifies Roles of Actors and their Responsibilities

– Identifies procedures, process and guidelines for actors to follow to meet their responsibilities.

Page 12: Effective Implementations of a Security Program and Security Plan

[Diagram: ITSP Document Organization]

Inherited and System Specific Policy & Guidelines:

– ITSP Program Description and Policy

– Management Security Guidelines

– Security Administrator Guidelines

– Developer Security Guidelines

– User Security Guidelines

– Information Handling Guidelines

Inherited and System Specific Procedures and Documents:

– Management Procedures

– Operational Procedures

– Technical Procedures

– Resulting Plans and Reports

Page 13: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

The first section of the template assists in collecting a description of the system:

Assignment of Security Responsibility

– Management Assignments

– Security Manager Responsibilities

– Security Administrator Assignments

– Application Developer Assignments

– Supporting Staff

– Users

Applicable Laws, Regulations and Policies

– Identify Laws, Regulations and Policies

System Description

– System Name

– Responsible Organization

– Information Contacts

– System Architecture

– System Environment

Page 14: Effective Implementations of a Security Program and Security Plan

Management

– Risk Management

– Life Cycle Security

– Authorization to Process

– Security Program

– Review of Controls

Operations

– Human Resources

– Awareness & Training

– Physical Security

– Incident Response

– Information Handling

– Business Continuity

– HW & SW Maintenance

– Data Integrity

– Documentation

Technical

– Access Controls

– Audit Trails

– Authentication and Authorization

Page 15: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

Security Controls

• Review of Security Controls: A Security Controls Review will consider all types of security controls, as described in the Information Technology Security Program and associated guidelines and procedures.

– The System Security Manager will conduct Security Controls Review as directed by management.

– Management will determine the schedule and scope of each Security Controls Review.

• Reporting and Remediation of Security Controls: Weaknesses in security controls will be reported and remedied.

– The System Security Manager will implement a process for the timely reporting to Management of any discovered weaknesses in the security controls.

– Management will report significant weaknesses in the security controls to Senior Management, and will assure effective remedial action.

Page 16: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

• Documented procedures, process and guidelines for system actors to follow in order to comply with their responsibilities

• Documented results:

– Risk Management Report

– Log Report

– Access Control Audit

• Schedule of when tasks and responsibilities should be completed. Also known as the Master Schedule

Page 17: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

The Master Schedule

System Cluster     | Item                 | Actor(s)                                             | Freq | 2006 | 2007 | 2008
Access Controls    | Access Review        | System Security Manager, Security Administrators     | Y    |      |      |
Security Program   | ITSP Review          | Management, Project Manager, System Security Manager | 2x1y |      |      |
Training           | Security Training    | Project Manager, System Security Manager             | Y    |      |      |
Risk Assess & Mgt  | Risk Assessment      | Management, System Security Manager                  | 1x3y |      |      |
Risk Assess & Mgt  | Vulnerability Review | Project Manager, System Security Manager             | 2x1y |      |      |

[entries in the 2006–2008 columns are not legible in the transcript]
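The frequency codes in the Master Schedule can be expanded into concrete due dates for the 2006–2008 planning horizon. The following Python is an added example, not part of the presentation; the reading of the codes (Y = once a year, 2x1y = twice every year, 1x3y = once every three years) and the even spacing of occurrences within a period are assumptions.

```python
import re
from fractions import Fraction

# Rows as shown in the Master Schedule table: (cluster, item, actors, freq).
MASTER_SCHEDULE = [
    ("Access Controls", "Access Review",
     "System Security Manager, Security Administrators", "Y"),
    ("Security Program", "ITSP Review",
     "Management, Project Manager, System Security Manager", "2x1y"),
    ("Training", "Security Training",
     "Project Manager, System Security Manager", "Y"),
    ("Risk Assess & Mgt", "Risk Assessment",
     "Management, System Security Manager", "1x3y"),
    ("Risk Assess & Mgt", "Vulnerability Review",
     "Project Manager, System Security Manager", "2x1y"),
]

FREQ_RE = re.compile(r"^(\d+)x(\d+)y$")

def parse_freq(code):
    """Return (occurrences, years): '2x1y' -> (2, 1), 'Y' -> (1, 1).

    Assumed reading of the deck's codes: NxMy means N times every M years.
    """
    if code == "Y":
        return 1, 1
    m = FREQ_RE.match(code)
    if not m:
        raise ValueError(f"unknown frequency code: {code!r}")
    return int(m.group(1)), int(m.group(2))

def occurrences(code, start_year, end_year):
    """(year, month) slots for one task across an inclusive year range.

    Occurrences are spread evenly: N per M years is one every M*12/N
    months, counting from January of start_year.
    """
    n, p = parse_freq(code)
    step = Fraction(p * 12, n)
    total_months = (end_year - start_year + 1) * 12
    slots, t = [], Fraction(0)
    while t < total_months:
        slots.append((start_year + int(t) // 12, int(t) % 12 + 1))
        t += step
    return slots

def due_in_year(rows, year, start_year=2006, end_year=2008):
    """{item: times it comes due in `year`}; items not due are omitted."""
    due = {}
    for _cluster, item, _actors, freq in rows:
        count = sum(1 for y, _ in occurrences(freq, start_year, end_year) if y == year)
        if count:
            due[item] = count
    return due

if __name__ == "__main__":
    for year in (2006, 2007, 2008):
        print(year, due_in_year(MASTER_SCHEDULE, year))
```

Note that a three-yearly item such as Risk Assessment falls only in 2006 under this reading, so the year it was last performed decides whether it appears at all in the horizon.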

Page 18: Effective Implementations of a Security Program and Security Plan


Deliverables and Implementation

Five Steps to Success

1. System Definition and Assessment

2. Identify Gaps

3. Provide Recommendations

4. Planning an Implementation

5. On-Going Assessment (Master Schedule)

Page 19: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

• lessons learned from prior DoS attacks

– once a threat penetrated the perimeter defenses of the network, there was little to prevent it from spreading and creating impact

– inconsistent defenses within the network created entry points for security threats to emerge

– substantial variation in the degree of host defenses created environments that were heavily impacted while others were not

– quickly identifying the behavior of the threat was key to defending against it

Page 20: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

• emerging themes

– cannot predict type or impact of threats before they emerge

– insufficient visibility to threats once they appear

– insufficient defenses in place to counter these threats (they need to be integrated directly into the network model)

– inconsistent defenses within the network create entry points where threats can then emerge within and then impact the interior

Page 21: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

• guiding principles to a security plan

– visibility: the need to see clear evidence of a security event in a timely manner

– defense in depth: the need to implement a combination of technologies that can defend against a multitude of threats at different layers within the network

– consistency: all environments on the network must have the same level of defense to prevent a security threat from gaining a foothold within the perimeter of the network

Page 22: Effective Implementations of a Security Program and Security Plan

Deliverables and Implementation

• ISUnet security enhancement plan (28 initiatives)

– hire a security engineer

– early warning notification

– enhanced service provider connectivity

– introduce perimeter firewalling

– create a DMZ

– enhance VPN implementation

– enhance DNS

– enhance QoS policies

– introduce IPS

– enhance anti-spoofing techniques

– implement vLAN restructuring

– implement zone based filtering and firewalling

– segregate experimental networks

– implement CoA (Conditions of Access)

– implement a SIMS

– implement backbone enhancements

– enhance directory authentication

– implement identity management

– enhance registration systems

– enhance rogue device detection

– enhance wireless security

– enhance statistics

– implement vulnerability scanning

– consider network admission control

– implement automated system quarantines

– enhance anti-virus and anti-spam for email

– enhance email security

– implement SMTP authentication

Page 23: Effective Implementations of a Security Program and Security Plan

Status and Next Steps

• Being Implemented in:

– Public Health Information Network

– University Directory Service

• Identified Gaps:

– Security Awareness Training

– Media Disposal

• Identifying next system/department for implementation

Page 24: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• focus on top 7 initiatives

– introducing IPS (Intrusion Prevention System) technology

– implementing CoA (Conditions of Access)

– enhancing registration systems for ResNet

– enhancing email security

– implementing vulnerability scanning

– hiring a security engineer

– implementing vLAN restructuring

Page 25: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• introducing IPS (began 8/04)

– goal: to identify AND block threat traffic to reduce impact upon the network

• IPS same as IDS, but also blocks threat traffic

– placed at the perimeter and key points within the backbone of the campus network

– address the largest source of potential threats.

• traffic passing from each ResNet environment to the network backbone

• traffic passing from the WAN to the network backbone

– somewhat effective against zero day threats

Page 26: Effective Implementations of a Security Program and Security Plan


Page 27: Effective Implementations of a Security Program and Security Plan


management console views from UnityOne appliances from Tipping Point

Page 28: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• CoA (Conditions of Access) (8/04)

– need for a policy

– goal: create an environment where host based defenses are consistent

– required the use of the University’s site licensed AV solution for ALL systems that connect to the network.

– required the use of automatic OS updating for critical patches

Page 29: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• enhanced registration systems (began 8/04)

– goal: use existing registration systems to automate a process for enforcing CoA

– ResNet

• built on top of registration system

• user agrees to CoA

• installation and setup of anti-virus software

• apply OS patches and configure automatic updating

• shortcomings:

– one time only enforcement

– ineffective against zero day threats

– must be monitored

Page 30: Effective Implementations of a Security Program and Security Plan


Page 31: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• enhanced email security

– goal: stop email based threats from passing to, from, and within the campus network

– policy and process to register campus and departmental email systems and require AV filtering.

– perimeter email filters (completed)

• designed to prevent email borne threats from being exchanged between the Internet and the campus network

– interior email filters (could not complete)

• designed to prevent email borne threats from being exchanged between systems within the campus network

Page 32: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• vulnerability scanning

– goal:

• locate systems that are vulnerable to known exploits in order to prevent them from affecting others.

• enforce the CoA policy

– Nessus is used to scan for unapplied MS patches when possible

Page 33: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• hiring a security engineer (5/05)

– goal: dedicated resource focused on proactive and reactive aspects of network and host based security

– coordinate and share information.

– develop consistent methods and practices.

– first step towards a centralized security office.

– due to budget constraints existing positions were reclassified to create the position

Page 34: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• implementing vLAN restructuring (began 2/05)

– goal: place like systems in like environments so that security rules can effectively be applied AND maintained

– separation of address space types

• to reduce scope of impact of future threats

• to allow for the introduction of new defensive techniques (ex: IP source guard)

• to simplify the development and maintenance of security policies

Page 35: Effective Implementations of a Security Program and Security Plan


Page 36: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• beyond IPS: the need for NBAD (spring 2005)

– NBAD (Network Based Anomaly Detection)

– IPS is signature based (with very limited anomaly detection)

– IPS cannot defend against zero day attacks that did not target known (signatured) vulnerabilities

– goal: need a system that can track application volume per local or remote host and then report on deviation from baseline volumes (this is NBAD)

– take advantage of NetFlow export data

– can identify systems that exhibit major behavioral changes

– can issue shuns or null routes to immediately react to threats
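The NBAD idea on this slide, baseline per-host and per-application volume from NetFlow export data and report deviations, worked through in Python as an added example (not the presenters' code and not any vendor's product logic). The flow records are constructed, and the simplified (hour, src_ip, dst_port, bytes) record layout and the 3-sigma / 2x thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (hour_bucket, src_ip, dst_port, bytes).
# Hours 0-23 are the baseline window; hour 24 is the interval under review.
def build_flows():
    flows = []
    for hour in range(24):
        flows.append((hour, "10.0.5.20", 80, 400_000 + (hour % 3) * 20_000))   # web browsing
        flows.append((hour, "10.0.5.20", 25, 10_000))                          # occasional mail
        flows.append((hour, "10.0.7.41", 443, 600_000 + (hour % 4) * 25_000))  # web browsing
    # Review interval: one host abruptly pushes far more SMTP volume than it
    # ever has, the pattern a mass-mailing infection leaves in flow data.
    flows.append((24, "10.0.5.20", 80, 410_000))
    flows.append((24, "10.0.5.20", 25, 2_500_000))
    flows.append((24, "10.0.7.41", 443, 620_000))
    return flows

def volume_per_interval(flows):
    """(src_ip, dst_port) -> {hour: total bytes sent in that hour}."""
    vol = defaultdict(lambda: defaultdict(int))
    for hour, src, port, nbytes in flows:
        vol[(src, port)][hour] += nbytes
    return vol

def baselines(vol, review_hour):
    """Per (host, application) mean and stddev over intervals before review_hour."""
    base = {}
    for key, hours in vol.items():
        history = [b for h, b in hours.items() if h < review_hour]
        if len(history) >= 2:
            base[key] = (mean(history), pstdev(history))
    return base

def deviations(flows, review_hour, sigma=3.0, min_ratio=2.0):
    """Return (host, port, current_bytes, ratio_to_mean) for anomalous pairs.

    Flag when current volume exceeds mean + sigma*stddev AND is at least
    min_ratio times the mean; the ratio test keeps a flat baseline (near-zero
    stddev) from flagging trivial jitter as a deviation.
    """
    vol = volume_per_interval(flows)
    findings = []
    for key, (mu, sd) in baselines(vol, review_hour).items():
        current = vol[key].get(review_hour, 0)
        if mu > 0 and current > mu + sigma * sd and current >= min_ratio * mu:
            findings.append((key[0], key[1], current, round(current / mu, 1)))
    return sorted(findings)

def shun_candidates(findings):
    """Hosts an operator would review for the shun / null-route reaction the
    slide mentions; whether to act automatically is a local policy decision."""
    return sorted({host for host, _, _, _ in findings})

if __name__ == "__main__":
    found = deviations(build_flows(), review_hour=24)
    for host, port, cur, ratio in found:
        print(f"{host} port {port}: {cur} bytes, {ratio}x baseline")
    print("review for shun/null route:", shun_candidates(found))
```

The second host's HTTPS traffic moves by the same order of magnitude every hour and is never flagged, which is the point of baselining per host and application rather than alerting on absolute volume.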

Page 37: Effective Implementations of a Security Program and Security Plan


management console views from StealthWatch

Page 38: Effective Implementations of a Security Program and Security Plan

Status and Next Step

• beyond registration systems

– port based authentication

• user (802.1x) or machine based authentication each time the system touches the network

• goal: log who connected when and where (may be a CALEA compliance requirement)

• currently are testing as a replacement to VMPS

– generic NAC (Network Admission Control)

• goal: automate enforcement of CoA each time user touches network (instead of just when registration occurs)

• researching technologies and products

Page 39: Effective Implementations of a Security Program and Security Plan


Lessons Learned

• Implementation takes time

• Need for Resources (People)

• Cultural Shift

• Need for Governance

• Risk Management Processes

Page 40: Effective Implementations of a Security Program and Security Plan

Lessons Learned

• need to be proactive, monitoring is not enough.

– threats are emerging too fast

– NAC

• all initiatives need to be based in policy.

– problems -> policies -> initiatives

Page 41: Effective Implementations of a Security Program and Security Plan


Discussion

Questions