Effective Implementations of a Security Program and Security Plan
Stefan Wahe
Gary DeClute
Tim Flynn
Scott Genung
April 11, 2006 Effective Implementations of a Security Program and Plan
Outline
• What Problem were we trying to solve with a Security Program/Plan
• What is a Security Program/Plan
• Deliverables and Implementation
• Where are we now and where are we going?
• What have we learned?
• Discussion
The Problem?
• Reactive vs. Proactive
• Lack of Documented Standards, Procedures and Guidelines
• Increasing number of laws and regulations
“We weren’t rowing in the same direction”
What is the problem?
• “we felt the pain” (August 2003 – August 2004)
– 4 major DoS attacks that impacted performance and disrupted network connectivity for most users throughout campus (nearly 3,000 infections total)
– multitudes of email borne threats that impacted the performance of the campus mail system and caused the University to be blacklisted by other email domains
– the University spent approximately $750K during the 2003-2004 academic year in clean up efforts
What is the problem?
• anatomy of an attack: Sasser (April 2004)
– 600+ virus infected systems detected within 3 days of outbreak (there were around 15K nodes at the time)
– 500+ systems removed to combat DoS volume and to try and contain threats
– all environments had exploited hosts (not just a student problem); all environments felt the impact
– many users were unable to consistently access the Internet during finals week
– some electronic exams had to be rescheduled
What is the problem?
[Chart, title partly lost: “… of the 600+ systems that were identified on ISUnet with Sasser in April 2004”]
What is a Security Program?
• An Information Technology Security Program (ITSP) is an administrative program that provides the policy and procedural framework for building and maintaining a secure information system
[Diagram: ITSP with its four elements: Policies & Roles, Follow Procedures, Awareness & Training, Produce Documents]
[Diagram: ITSP Policy & Procedure Inheritance: Federal Regulations, State Regulations, Campus Policy and DoIT Policy are inherited by the WPHIN ITSP and the UDS ITSP]
What is a security plan?
• a security plan encompasses …
– what specific things will be done to defend against current and future security threats (knowing that no one technology can defend against all threats)
– what are the impacts of these changes upon the systems and the users of them
– what is the timeframe of these changes and how are they dependent upon each other
– procedures for identifying how the plan will be enacted and how the University will react to future threats
Deliverables and Implementation
Framework of Program:
• System Definition and Description
• Identifies Roles of Actors and their Responsibilities
• Identifies procedures, process and guidelines for actors to follow to meet their responsibilities.
[Diagram: ITSP Document Organization]
• ITSP Program Description and Policy
• Inherited and System Specific Policy & Guidelines: Management Security Guidelines, Security Administrator Guidelines, Developer Security Guidelines, User Security Guidelines, Information Handling Guidelines
• Inherited and System Specific Procedures and Documents: Management Procedures, Operational Procedures, Technical Procedures, Resulting Plans and Reports
Deliverables and Implementation
The first section of the template assists in collecting a description of the system:
• Assignment of Security Responsibility
– Management Assignments
– Security Manager Responsibilities
– Security Administrator Assignments
– Application Developer Assignments
– Supporting Staff
– Users
• Applicable Laws, Regulations and Policies
– Identify Laws, Regulations and Policies
• System Description
– System Name
– Responsible Organization
– Information Contacts
– System Architecture
– System Environment
[Diagram: security control areas in three columns: Management, Operations, Technical]
• Management: Risk Management, Life Cycle Security, Authorization to Process, Security Program, Review of Controls
• Operations / Technical: Human Resources, Awareness & Training, Physical Security, Access Controls, Audit Trails, Incident Response, Authentication and Authorization, Information Handling, Business Continuity, HW & SW Maintenance, Data Integrity, Documentation
Deliverables and Implementation
Security Controls
Review of Security Controls
A Security Controls Review will consider all types of security controls, as described in the Information Technology Security Program and associated guidelines and procedures.
The System Security Manager will conduct a Security Controls Review as directed by management.
Management will determine the schedule and scope of each Security Controls Review.
Reporting and Remediation of Security Controls
Weaknesses in security controls will be reported and remedied.
The System Security Manager will implement a process for the timely reporting to Management of any discovered weaknesses in the security controls.
Management will report significant weaknesses in the security controls to Senior Management, and will assure effective remedial action.
Deliverables and Implementation
• Documented procedures, process and guidelines for system actors to follow in order to comply with their responsibilities
• Documented results:
– Risk Management Report
– Log Report
– Access Control Audit
• Schedule of when tasks and responsibilities should be completed. Also known as the Master Schedule
Deliverables and Implementation
The Master Schedule

System Cluster     Item                  Actor(s)                                               Freq   2006  2007  2008
Access Controls    Access Review         System Security Manager, Security Administrators       Y
Security Program   ITSP Review           Management, Project Manager, System Security Manager   2x1y
Training           Security Training     Project Manager, System Security Manager               Y
Risk Assess & Mgt  Risk Assessment       Management, System Security Manager                    1x3y
Risk Assess & Mgt  Vulnerability Review  Project Manager, System Security Manager               2x1y
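To make the Master Schedule machine-checkable, here is an added example (not from the presentation) that expands the table's frequency codes into due dates and reports items that are overdue; it assumes that Y means once a year and NxMy means N times every M years, spread evenly from January of the first planning year, and the completion records it checks against are constructed.

```python
# Added example: expand Master Schedule frequency codes into due dates.
# Assumed code meanings: "Y" = once per year; "NxMy" = N times every M
# years (2x1y = twice a year, 1x3y = once every three years), spread
# evenly across the cycle starting in January of the first year.
import re
from datetime import date

# Rows constructed from the Master Schedule table: (cluster, item, actors, freq)
MASTER_SCHEDULE = [
    ("Access Controls", "Access Review",
     "System Security Manager, Security Administrators", "Y"),
    ("Security Program", "ITSP Review",
     "Management, Project Manager, System Security Manager", "2x1y"),
    ("Training", "Security Training",
     "Project Manager, System Security Manager", "Y"),
    ("Risk Assess & Mgt", "Risk Assessment",
     "Management, System Security Manager", "1x3y"),
    ("Risk Assess & Mgt", "Vulnerability Review",
     "Project Manager, System Security Manager", "2x1y"),
]

def parse_freq(code):
    """Return (occurrences, cycle_years) for a frequency code."""
    if code == "Y":
        return 1, 1
    m = re.fullmatch(r"(\d+)x(\d+)y", code)
    if not m:
        raise ValueError(f"unknown frequency code: {code}")
    return int(m.group(1)), int(m.group(2))

def due_dates(code, first_year, last_year):
    """Due dates (1st of the month) from first_year through last_year inclusive."""
    n, cycle = parse_freq(code)
    step = (12 * cycle) // n                 # months between occurrences
    dates = []
    for year in range(first_year, last_year + 1, cycle):
        for k in range(n):
            d = date(year + (k * step) // 12, (k * step) % 12 + 1, 1)
            if d.year <= last_year:
                dates.append(d)
    return dates

def overdue(schedule, completed, today):
    """(item, due_date) pairs due on or before today with no completion on or
    after that due date. completed: {item: [date, ...]} (constructed records)."""
    late = []
    for _cluster, item, _actors, freq in schedule:
        for d in due_dates(freq, today.year - 3, today.year):
            if d <= today and not any(c >= d for c in completed.get(item, [])):
                late.append((item, d))
    return late
```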
Deliverables and Implementation
Five Steps to Success
1. System Definition and Assessment
2. Identify Gaps
3. Provide Recommendations
4. Planning an Implementation
5. On-Going Assessment (Master Schedule)
Deliverables and Implementation
• lessons learned from prior DoS attacks
– once a threat penetrated the perimeter defenses of the network, there was little to prevent it from spreading and creating impact
– inconsistent defenses within the network created entry points for security threats to emerge
– substantial variation in the degree of host defenses meant that some environments were heavily impacted while others were not
– quickly identifying the behavior of the threat was key to defending against it
Deliverables and Implementation
• emerging themes
– cannot predict type or impact of threats before they emerge
– insufficient visibility to threats once they appear
– insufficient defenses in place to counter these threats (they need to be integrated directly into the network model)
– inconsistent defenses within the network create entry points where threats can then emerge within and then impact the interior
Deliverables and Implementation
• guiding principles to a security plan
– visibility: the need to see clear evidence of a security event in a timely manner
– defense in depth: the need to implement a combination of technologies that can defend against a multitude of threats at different layers within the network
– consistency: all environments on the network must have the same level of defense to prevent a security threat from gaining a foothold within the perimeter of the network
Deliverables and Implementation
• ISUnet security enhancement plan (28 initiatives)
– hire a security engineer
– early warning notification
– enhanced service provider connectivity
– introduce perimeter firewalling
– create a DMZ
– enhance VPN implementation
– enhance DNS
– enhance QoS policies
– introduce IPS
– enhance anti-spoofing techniques
– implement vLAN restructuring
– implement zone based filtering and firewalling
– segregate experimental networks
– implement CoA (Conditions of Access)
– implement a SIMS
– implement backbone enhancements
– enhance directory authentication
– implement identity management
– enhance registration systems
– enhance rogue device detection
– enhance wireless security
– enhance statistics
– implement vulnerability scanning
– consider network admission control
– implement automated system quarantines
– enhance anti-virus and anti-spam for email
– enhance email security
– implement SMTP authentication
Status and Next Steps
• Being Implemented in:
– Public Health Information Network
– University Directory Service
• Identified Gaps:
– Security Awareness Training
– Media Disposal
• Identifying next system/department for implementation
Status and Next Step
• focus on top 7 initiatives
– introducing IPS (Intrusion Prevention System) technology
– implementing CoA (Conditions of Access)
– enhancing registration systems for ResNet
– enhancing email security
– implementing vulnerability scanning
– hiring a security engineer
– implementing vLAN restructuring
Status and Next Step
• introducing IPS (began 8/04)
– goal: to identify AND block threat traffic to reduce impact upon the network
• IPS same as IDS, but also blocks threat traffic
– placed at the perimeter and key points within the backbone of the campus network
– address the largest source of potential threats.
• traffic passing from each ResNet environment to the network backbone
• traffic passing from the WAN to the network backbone
– somewhat effective against zero day threats
[Screenshots: management console views from UnityOne appliances from Tipping Point]
Status and Next Step
• CoA (Conditions of Access) (8/04)
– need for a policy
– goal: create an environment where host based defenses are consistent
– required the use of the University’s site licensed AV solution for ALL systems that connect to the network.
– required the use of automatic OS updating for critical patches
Status and Next Step
• enhanced registration systems (began 8/04)
– goal: use existing registration systems to automate a process for enforcing CoA
– ResNet
• built on top of registration system
• user agrees to CoA
• installation and setup of anti-virus software
• apply OS patches and configure automatic updating
• shortcomings:
– one time only enforcement
– ineffective against zero day threats
– must be monitored
Status and Next Step
• enhanced email security
– goal: stop email based threats from passing to, from, and within the campus network
– policy and process to register campus and departmental email systems and require AV filtering.
– perimeter email filters (completed)
• designed to prevent email borne threats from being exchanged between the Internet and the campus network
– interior email filters (could not complete)
• designed to prevent email borne threats from being exchanged between systems within the campus network
Status and Next Step
• vulnerability scanning
– goal:
• locate systems that are vulnerable to known exploits in order to prevent them from affecting others.
• enforce the CoA policy
– Nessus is used to scan for unapplied MS patches when possible
Status and Next Step
• hiring a security engineer (5/05)
– goal: dedicated resource focused on proactive and reactive aspects of network and host based security
– coordinate and share information.
– develop consistent methods and practices.
– first step towards a centralized security office.
– due to budget constraints existing positions were reclassified to create the position
Status and Next Step
• implementing vLAN restructuring (began 2/05)
– goal: place like systems in like environments so that security rules can effectively be applied AND maintained
– separation of address space types
• to reduce scope of impact of future threats
• to allow for the introduction of new defensive techniques (ex: IP source guard)
• to simplify the development and maintenance of security policies
Status and Next Step
• beyond IPS: the need for NBAD (spring 2005)
– NBAD (Network Based Anomaly Detection)
– IPS is signature based (with very limited anomaly detection)
– IPS cannot defend against zero day attacks that did not target known (signatured) vulnerabilities
– goal: need a system that can track application volume per local or remote host and then report on deviation from baseline volumes (this is NBAD)
– take advantage of NetFlow export data
– can identify systems that exhibit major behavioral changes
– can issue shuns or null routes to immediately react to threats
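The NBAD approach described above, as an added example that is not from the presentation or from any product it names: it learns each host's baseline daily volume per application port from prior days of NetFlow-style records and reports both volume deviations and applications a host has never used before; the hosts, ports and byte counts are all constructed.

```python
# Added example of NBAD over NetFlow-style data (not from the presentation or
# any product it names): learn each host's baseline daily volume per
# application port from prior days, then flag the current day's deviations.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_host, dst_port, bytes). Days 1-7 are a
# steady baseline; on day 8 host 10.1.1.9 sends 20x its usual web volume and
# starts talking to a port it never used before.
FLOWS = [
    *[(d, "10.1.1.5", 80, 2_000_000 + 50_000 * i) for i, d in enumerate(range(1, 8))],
    *[(d, "10.1.1.5", 25, 30_000) for d in range(1, 8)],
    *[(d, "10.1.1.9", 80, 1_500_000) for d in range(1, 8)],
    (8, "10.1.1.5", 80, 2_300_000), (8, "10.1.1.5", 25, 31_000),
    (8, "10.1.1.9", 80, 30_000_000), (8, "10.1.1.9", 8080, 4_000_000),
]

def daily_volumes(flows):
    """Sum bytes per (day, host, port)."""
    vol = defaultdict(int)
    for day, host, port, nbytes in flows:
        vol[(day, host, port)] += nbytes
    return vol

def baseline(vol, days):
    """Per (host, port): (mean, stdev) of daily bytes over the baseline days;
    a day with no traffic counts as 0 so quiet days lower the mean."""
    series = defaultdict(lambda: [0] * len(days))
    for (day, host, port), nbytes in vol.items():
        if day in days:
            series[(host, port)][days.index(day)] = nbytes
    return {hp: (mean(s), pstdev(s)) for hp, s in series.items()}

def detect(flows, baseline_days, target_day, k=3.0, min_bytes=100_000):
    """Anomalies on target_day: ("volume", host, port, ratio_to_mean) when bytes
    exceed mean + k*stdev, or ("new-app", host, port, bytes) when the pair never
    appeared in the baseline. min_bytes filters tiny services, whose near-zero
    stdev would otherwise make every small fluctuation an alert."""
    vol = daily_volumes(flows)
    base = baseline(vol, baseline_days)
    alerts = []
    for (day, host, port), nbytes in sorted(vol.items()):
        if day != target_day or nbytes < min_bytes:
            continue
        if (host, port) not in base:
            alerts.append(("new-app", host, port, nbytes))
            continue
        mu, sigma = base[(host, port)]
        if nbytes > mu + k * sigma:
            alerts.append(("volume", host, port, round(nbytes / mu, 1)))
    return alerts
```

The alert tuples are what an operator would review before any shun or null route is applied; the example stops at detection.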
[Screenshots: management console views from StealthWatch]
Status and Next Step
• beyond registration systems
– port based authentication
• user (802.1x) or machine based authentication each time the system touches the network
• goal: log who connected when and where (may be a CALEA compliance requirement)
• currently are testing as a replacement to VMPS
– generic NAC (Network Admission Control)
• goal: automate enforcement of CoA each time user touches network (instead of just when registration occurs)
• researching technologies and products
Lessons Learned
• Implementation takes time
• Need for Resources (People)
• Cultural Shift
• Need for Governance
• Risk Management Processes
Lessons Learned
• need to be proactive, monitoring is not enough.
– threats are emerging too fast
– NAC
• all initiatives need to be based in policy.
– problems -> policies -> initiatives
Discussion
Questions