
Effective Implementations of a Security Program and Security Plan



Presentation Transcript


  1. Effective Implementations of a Security Program and Security Plan
  Tim Flynn, Scott Genung, Stefan Wahe, Gary DeClute

  2. Outline
  • What problem were we trying to solve with a Security Program/Plan?
  • What is a Security Program/Plan?
  • Deliverables and Implementation
  • Where are we now and where are we going?
  • What have we learned?
  • Discussion
  Effective Implementations of a Security Program and Plan

  3. The Problem?
  • Reactive vs. Proactive
  • Lack of Documented Standards, Procedures and Guidelines
  • Increasing number of laws and regulations
  “We weren’t rowing in the same direction”

  4. (image slide; no transcript text)

  5. What is the problem?
  • “we felt the pain” (August 2003 – August 2004)
  • 4 major DoS attacks that impacted performance and disrupted network connectivity for most users throughout campus (nearly 3,000 infections total)
  • multitudes of email-borne threats that impacted the performance of the campus mail system and caused the University to be blacklisted by other email domains
  • the University spent approximately $750K during the 2003-2004 academic year in clean-up efforts

  6. What is the problem?
  • anatomy of an attack: Sasser (April 2004)
    • 600+ virus-infected systems detected within 3 days of outbreak (there were around 15K nodes at the time)
    • 500+ systems removed to combat DoS volume and to try and contain threats
    • all environments had exploited hosts (not just a student problem); all environments felt the impact
    • many users were unable to consistently access the Internet during finals week
    • some electronic exams had to be rescheduled

  7. What is the problem? (chart: breakdown of the 600+ systems that were identified on ISUnet with Sasser in April 2004)

  8. What is a Security Program?
  • An Information Technology Security Program (ITSP) is an administrative program that provides the policy and procedural framework for building and maintaining a secure information system

  9. (image slide; no transcript text)

  10. What is a security plan?
  • a security plan encompasses …
    • what specific things will be done to defend against current and future security threats (knowing that no one technology can defend against all threats)
    • what are the impacts of these changes upon the systems and the users of them
    • what is the timeframe of these changes and how are they dependent upon each other
    • procedures for identifying how the plan will be enacted and how the University will react to future threats

  11. Deliverables and Implementation
  Framework of Program:
  • System Definition and Description
  • Identifies Roles of Actors and their Responsibilities
  • Identifies procedures, processes and guidelines for actors to follow to meet their responsibilities.

  12. (image slide; no transcript text)

  13. Deliverables and Implementation
  The first section of the template assists in collecting a description of the system:
  System Description
  • System Name
  • Responsible Organization
  • Information Contacts
  • System Architecture
  • System Environment
  Assignment of Security Responsibility
  • Management Assignments
  • Security Manager Responsibilities
  • Security Administrator Assignments
  • Application Developer Assignments
  • Supporting Staff
  • Users
  Applicable Laws, Regulations and Policies
  • Identify Laws, Regulations and Policies

  14. Review of Controls
  • Risk Management
  • Security Program Management
  • Authorization to Process
  • Life Cycle Security
  • Business Continuity
  • Human Resources
  • Documentation
  • Awareness & Training
  • Data Integrity
  • Operations
  • Information Handling
  • Physical Security
  • Incident Response
  • HW & SW Maintenance
  • Access Controls
  • Audit Trails
  • Technical Authentication and Authorization

  15. Deliverables and Implementation (image slide; no transcript text)

  16. Deliverables and Implementation
  • Documented procedures, processes and guidelines for system actors to follow in order to comply with their responsibilities
  • Documented results:
    • Risk Management Report
    • Log Report
    • Access Control Audit
  • Schedule of when tasks and responsibilities should be completed.
    • Also known as the Master Schedule

  17. Deliverables and Implementation: The Master Schedule (image slide; no transcript text)

  18. Deliverables and Implementation
  Five Steps to Success
  • System Definition and Assessment
  • Identify Gaps
  • Provide Recommendations
  • Planning an Implementation
  • On-Going Assessment (Master Schedule)

  19. Deliverables and Implementation
  • lessons learned from prior DoS attacks
    • once a threat penetrated the perimeter defenses of the network, there was little to prevent it from spreading and creating impact
    • inconsistent defenses within the network created entry points for security threats to emerge
    • substantial variation in the degree of host defenses meant that some environments were heavily impacted while others were not
    • quickly identifying the behavior of the threat was key to defending against it

  20. Deliverables and Implementation
  • emerging themes
    • cannot predict type or impact of threats before they emerge
    • insufficient visibility to threats once they appear
    • insufficient defenses in place to counter these threats (they need to be integrated directly into the network model)
    • inconsistent defenses within the network create entry points where threats can then emerge within and then impact the interior

  21. Deliverables and Implementation
  • guiding principles to a security plan
    • visibility: the need to see clear evidence of a security event in a timely manner
    • defense in depth: the need to implement a combination of technologies that can defend against a multitude of threats at different layers within the network
    • consistency: all environments on the network must have the same level of defense to prevent a security threat from gaining a foothold within the perimeter of the network

  22. Deliverables and Implementation
  ISUnet security enhancement plan (28 initiatives)
  • hire a security engineer
  • early warning notification
  • enhanced service provider connectivity
  • introduce perimeter firewalling
  • create a DMZ
  • enhance VPN implementation
  • enhance DNS
  • enhance QoS policies
  • introduce IPS
  • enhance anti-spoofing techniques
  • implement vLAN restructuring
  • implement zone based filtering and firewalling
  • segregate experimental networks
  • implement CoA (Conditions of Access)
  • implement a SIMS
  • implement backbone enhancements
  • enhance directory authentication
  • implement identity management
  • enhance registration systems
  • enhance rogue device detection
  • enhance wireless security
  • enhance statistics
  • implement vulnerability scanning
  • consider network admission control
  • implement automated system quarantines
  • enhance anti-virus and anti-spam for email
  • enhance email security
  • implement SMTP authentication

  23. Status and Next Steps
  • Being Implemented in:
    • Public Health Information Network
    • University Directory Service
  • Identified Gaps:
    • Security Awareness Training
    • Media Disposal
  • Identifying next system/department for implementation

  24. Status and Next Step
  • focus on top 7 initiatives
    • introducing IPS (Intrusion Prevention System) technology
    • implementing CoA (Conditions of Access)
    • enhancing registration systems for ResNet
    • enhancing email security
    • implementing vulnerability scanning
    • hiring a security engineer
    • implementing vLAN restructuring

  25. Status and Next Step
  • introducing IPS (began 8/04)
    • goal: to identify AND block threat traffic to reduce impact upon the network
    • IPS same as IDS, but also blocks threat traffic
    • placed at the perimeter and key points within the backbone of the campus network
    • address the largest source of potential threats:
      • traffic passing from each ResNet environment to the network backbone
      • traffic passing from the WAN to the network backbone
    • somewhat effective against zero-day threats

  26. (image slide; no transcript text)

  27. (image slide: management console views from UnityOne appliances from Tipping Point)

  28. Status and Next Step
  • CoA (Conditions of Access) (8/04)
    • need for a policy
    • goal: create an environment where host-based defenses are consistent
    • required the use of the University’s site-licensed AV solution for ALL systems that connect to the network.
    • required the use of automatic OS updating for critical patches

  29. Status and Next Step
  • enhanced registration systems (began 8/04)
    • goal: use existing registration systems to automate a process for enforcing CoA
    • ResNet
      • built on top of registration system
      • user agrees to CoA
      • installation and setup of anti-virus software
      • apply OS patches and configure automatic updating
    • shortcomings:
      • one-time-only enforcement
      • ineffective against zero-day threats
      • must be monitored

  30. (image slide; no transcript text)

  31. Status and Next Step
  • enhanced email security
    • goal: stop email-based threats from passing to, from, and within the campus network
    • policy and process to register campus and departmental email systems and require AV filtering.
    • perimeter email filters (completed)
      • designed to prevent email-borne threats from being exchanged between the Internet and the campus network
    • interior email filters (could not complete)
      • designed to prevent email-borne threats from being exchanged between systems within the campus network

  32. Status and Next Step
  • vulnerability scanning
    • goal:
      • locate systems that are vulnerable to known exploits in order to prevent them from affecting others.
      • enforce the CoA policy
    • Nessus is used to scan for unapplied MS patches when possible

  33. Status and Next Step
  • hiring a security engineer (5/05)
    • goal: dedicated resource focused on proactive and reactive aspects of network- and host-based security
    • coordinate and share information.
    • develop consistent methods and practices.
    • first step towards a centralized security office.
    • due to budget constraints, existing positions were reclassified to create the position

  34. Status and Next Step
  • implementing vLAN restructuring (began 2/05)
    • goal: place like systems in like environments so that security rules can effectively be applied AND maintained
    • separation of address space types
      • to reduce scope of impact of future threats
      • to allow for the introduction of new defensive techniques (ex: IP source guard)
      • to simplify the development and maintenance of security policies

  35. (image slide; no transcript text)

  36. Status and Next Step
  • beyond IPS: the need for NBAD (spring 2005)
    • NBAD (Network Based Anomaly Detection)
    • IPS is signature-based (with very limited anomaly detection)
    • IPS cannot defend against zero-day attacks that did not target known (signatured) vulnerabilities
    • goal: need a system that can track application volume per local or remote host and then report on deviation from baseline volumes (this is NBAD)
      • take advantage of NetFlow export data
      • can identify systems that exhibit major behavioral changes
      • can issue shuns or null routes to immediately react to threats
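The NBAD idea on slide 36 (per-host, per-application volume tracked against a baseline, with deviations reported for a shun or null route) can be shown end to end in a few dozen lines. The block below is an added example and is not code from the presentation or from any NBAD product named on the page; the NetFlow-style record layout, the addresses, the thresholds and every byte count are constructed for the example. It builds an hourly baseline per (host, destination port), then flags an observation hour that is either far outside that baseline or comes from a host/application pair with no baseline at all.

```python
# Added example (not from the presentation): a minimal network-based anomaly
# detection (NBAD) pass over NetFlow-style records, in the spirit of slide 36.
# Record layout, hosts, thresholds and all traffic volumes are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style hourly summaries: (hour_label, src_host, dst_port, bytes).
# Twenty-four quiet baseline hours for two hosts: web traffic for both, a little
# SMTP for the first.
BASELINE = (
    [("h%d" % h, "10.1.2.50", 80, 120_000 + 3_000 * (h % 5)) for h in range(24)]
    + [("h%d" % h, "10.1.2.50", 25, 2_000 + 200 * (h % 3)) for h in range(24)]
    + [("h%d" % h, "10.1.2.51", 80, 90_000 + 2_000 * (h % 4)) for h in range(24)]
)

# One constructed observation hour: 10.1.2.50 suddenly pushes ~48 MB of SMTP
# (the behaviour change a mass-mailing worm produces) and a host never seen in
# the baseline appears on TCP/445.
OBSERVED = [
    ("h24", "10.1.2.50", 80, 125_000),
    ("h24", "10.1.2.50", 25, 48_000_000),
    ("h24", "10.1.2.51", 80, 94_000),
    ("h24", "10.1.2.52", 445, 5_000_000),
]


def volumes_per_hour(records):
    """Sum bytes per (host, port) per hour: {(host, port): {hour: bytes}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for hour, host, port, nbytes in records:
        buckets[(host, port)][hour] += nbytes
    return buckets


def build_baseline(records):
    """Per (host, port): mean and population std-dev of hourly byte volume."""
    return {
        key: (mean(hours.values()), pstdev(hours.values()))
        for key, hours in volumes_per_hour(records).items()
    }


def detect(baseline, observed, z_threshold=4.0, min_bytes=1_000_000):
    """Flag (host, port) pairs whose observed hourly volume deviates from baseline.

    z_threshold: how many baseline std-devs above the mean counts as anomalous.
    min_bytes:   absolute floor so a tiny, nearly constant baseline (std-dev
                 close to zero) cannot raise alerts on trivial traffic.
    """
    anomalies = []
    for (host, port), hours in volumes_per_hour(observed).items():
        for hour, nbytes in hours.items():
            if nbytes < min_bytes:
                continue
            if (host, port) not in baseline:
                anomalies.append({"host": host, "port": port, "hour": hour, "bytes": nbytes,
                                  "reason": "no baseline for this host/application"})
                continue
            avg, sd = baseline[(host, port)]
            z = (nbytes - avg) / max(sd, 1.0)   # guard against a zero std-dev
            if z > z_threshold:
                anomalies.append({"host": host, "port": port, "hour": hour, "bytes": nbytes,
                                  "reason": "%.0f baseline std-devs above mean" % z})
    return sorted(anomalies, key=lambda a: -a["bytes"])


def hosts_to_shun(anomalies):
    """Distinct source hosts an operator would review for a shun / null route.
    This only proposes a list; applying a null route is a separate, reviewed step."""
    return sorted({a["host"] for a in anomalies})


if __name__ == "__main__":
    found = detect(build_baseline(BASELINE), OBSERVED)
    for a in found:
        print("%(host)s tcp/%(port)d %(hour)s %(bytes)d bytes: %(reason)s" % a)
    print("candidate shun list:", hosts_to_shun(found))
```

Two design points matter in practice. The absolute `min_bytes` floor is what keeps a host with an almost flat baseline (std-dev near zero) from alerting on a few extra kilobytes, at the cost of missing slow growth under the floor. And a host/application pair with no baseline at all is reported as its own class of finding rather than silently ignored, which is exactly the "major behavioral change" case the slide is after.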

  37. (image slide: management console views from StealthWatch)

  38. Status and Next Step
  • beyond registration systems
    • port-based authentication
      • user (802.1x) or machine-based authentication each time the system touches the network
      • goal: log who connected when and where (may be a CALEA compliance requirement)
      • currently testing as a replacement to VMPS
    • generic NAC (Network Admission Control)
      • goal: automate enforcement of CoA each time user touches network (instead of just when registration occurs)
      • researching technologies and products
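The stated goal of port-based authentication on slide 38 is to be able to log who connected when and where. The block below is an added example, not code from the presentation, showing how that question is answered once 802.1X produces RADIUS accounting records: Start and Stop records are folded into one session per Acct-Session-Id, and a query returns the user on a given switch port at a given time. The single-line accounting format, the NAS address, port names, user names, MAC addresses and timestamps are all constructed for this example; a real RADIUS server's log layout will differ and only the parser needs adjusting.

```python
# Added example (not from the presentation): reconstructing "who was on which
# switch port when" from 802.1X / RADIUS accounting records (slide 38's goal).
# The log format and every value in it are constructed for this example.
from datetime import datetime

# Constructed accounting log. One deliberately corrupt line exercises the
# parser's error handling; session 8a02 has no Stop record (still connected).
ACCOUNTING_LOG = """\
2005-03-01T08:02:11 Acct-Status-Type=Start Acct-Session-Id=8a01 User-Name=jdoe NAS-IP-Address=10.0.0.7 NAS-Port-Id=Gi1/0/12 Calling-Station-Id=00-11-22-33-44-55
2005-03-01T08:30:00 Acct-Status-Type=Start Acct-Session-Id=8a02 User-Name=asmith NAS-IP-Address=10.0.0.7 NAS-Port-Id=Gi1/0/13 Calling-Station-Id=00-11-22-33-44-66
2005-03-01T09:45:00 Acct-Status-Type=Stop Acct-Session-Id=8a01 User-Name=jdoe NAS-IP-Address=10.0.0.7 NAS-Port-Id=Gi1/0/12 Calling-Station-Id=00-11-22-33-44-55
2005-03-01T10:05:30 Acct-Status-Type=Start Acct-Session-Id=8a03 User-Name=bkim NAS-IP-Address=10.0.0.7 NAS-Port-Id=Gi1/0/12 Calling-Station-Id=00-11-22-33-44-77
this line is corrupt and must be skipped, not crash the run
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "Acct-Status-Type" not in fields or "Acct-Session-Id" not in fields:
        return None
    fields["timestamp"] = ts
    return fields


def build_sessions(log_text):
    """Fold Start/Stop records into one entry per Acct-Session-Id.
    Returns (sessions, number_of_skipped_lines)."""
    sessions, skipped = {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        entry = sessions.setdefault(rec["Acct-Session-Id"], {
            "user": rec.get("User-Name"), "nas": rec.get("NAS-IP-Address"),
            "port": rec.get("NAS-Port-Id"), "mac": rec.get("Calling-Station-Id"),
            "start": None, "stop": None})
        if rec["Acct-Status-Type"] == "Start":
            entry["start"] = rec["timestamp"]
        elif rec["Acct-Status-Type"] == "Stop":
            entry["stop"] = rec["timestamp"]
    return sessions, skipped


def who_was_on(sessions, nas, port, when):
    """User authenticated on (nas, port) at time `when`, or None.
    A session with no Stop record is treated as still open."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for s in sessions.values():
        if s["nas"] != nas or s["port"] != port or s["start"] is None:
            continue
        if s["start"] <= when and (s["stop"] is None or when < s["stop"]):
            return s["user"]
    return None


def open_sessions(sessions):
    """Users whose session has a Start but no Stop yet (currently connected)."""
    return sorted(s["user"] for s in sessions.values() if s["start"] and s["stop"] is None)


if __name__ == "__main__":
    sessions, skipped = build_sessions(ACCOUNTING_LOG)
    print("sessions:", len(sessions), "skipped lines:", skipped)
    print("Gi1/0/12 at 09:00 ->", who_was_on(sessions, "10.0.0.7", "Gi1/0/12", "2005-03-01T09:00:00"))
    print("still connected:", open_sessions(sessions))
```

The check that matters for a compliance or investigation request is the time-window comparison in `who_was_on`: a Stop record closes the window at its own timestamp, and a session with no Stop is deliberately treated as still open rather than dropped, since the absence of a Stop usually means the host is still on the port (or the Stop was lost), not that nobody was there.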

  39. Lessons Learned
  • Implementation takes time
  • Need for Resources (People)
  • Cultural Shift
  • Need for Governance
  • Risk Management Processes

  40. Lessons Learned
  • need to be proactive; monitoring is not enough.
    • threats are emerging too fast
    • NAC
  • all initiatives need to be based in policy.
    • problems -> policies -> initiatives

  41. Discussion / Questions
