
Managing Security the Intelligent Way: Moving from Spreadsheets to a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst Marina Arseniev, Associate Director of Enterprise Architecture University of California, Irvine.


Presentation Transcript


  1. Managing Security the Intelligent Way: Moving from Spreadsheets to a Knowledge Base Joshua Drummond, Security Architect Neil Matatall, Security Programmer/Analyst Marina Arseniev, Associate Director of Enterprise Architecture University of California, Irvine

  2. University of California, Irvine
  • Located in Southern California
  • Year founded: 1965
  • Enrollment: over 24K students
  • 1,400 faculty (Academic Senate)
  • 8,300 staff
  • 6,000 degrees awarded annually
  • Carnegie Classification: Doctoral/Research – Extensive
  • Extramural funding: 311M in 2005-2006
  • Undergoing significant enrollment growth

  3. Our Security Status? http://www.privacyrights.org
  • 800,000 in November, 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information.
  • 35,000 in December, 2006: The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion, including names, SSNs, home addresses, phone numbers and e-mail addresses.
  • 11,000 in February, 2007: Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. The college stopped using SSNs as student IDs in 2002.
  • 65,000 in February, 2007: A programming error resulted in personal information of individuals being exposed on the University's Web site. Included were names, addresses, SSNs, and in some cases credit card numbers.

  4. Security is Multi-layer

  5. We do a lot today… SDLC and Change Management
  • Security requirements and design reviews from the get-go.
  • Code reviews of all security and database code
  • Developers reuse security components
    • Single sign-on, authorization API, user identity objects
  • Automated nightly code and application security scanning
    • Jtest, AppScan, Nessus, database security scanning
  • Scheduled network & configuration vulnerability scanning
    • Firewall rules, Foundstone, Sophos virus scans, Tripwire
  • Consolidated storage of sensitive data; database model reviews of personal identity data
  • Concurrency and stress testing to detect thread-safety problems
    • JMeter, OpenSTA (100s of concurrent virtual test user load)
  REPEAT, REPEAT, and REPEAT…

  6. Still had problems
  • Urgent call from our director:
    • Have you patched the server with X?
    • Is Server Y behind a firewall?
    • Did Server Y have any credit card information stored?
    • Is the database encrypted?
    • When was the last time a security review of Application X was done?
  • Dana Doe is on vacation! Don’t know!
  • Different answers from different people!
  • Little confidence that information is current.
  • Spreadsheet Hell!
    • Too many checklists, spreadsheets, and documents
    • A host IP change introduces a document update nightmare.
    • If a server is added, remember to add it to the firewall rules in multiple spreadsheets. How about the scanning tools?
    • Missing information, such as whom to contact for a problem.
    • Scattered information in documents outside of Excel on multiple file systems and whiteboards; obscure, and owned by and accessible to different people

  7. Objectives
  • Needed to better organize, consolidate, and centralize security policy and procedures.
  • Needed to manage “preventative security maintenance” more consistently and efficiently, with less redundancy…
    • Security checklists and rules
    • Security reviews and their results; track enforcement and follow-up
    • Oversight functions for secure development, acquisition, maintenance and operations.

  8. Agenda
  • Background on ontologies and Protégé
  • Realized value: demonstration of our knowledge base and reports
  • How to implement it in your organization
  • Summary
  • Useful URLs and Q&A

  9. Background: Book Ontology
  • What is an ontology?
    • “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.”
  • Supports inheritable properties (is-a)
  • Attributes of an object can be complex objects themselves (rich). Nestable…
  Figure: example book ontology with the classes Writing, Short Story, Historical Novel, Classic, Medieval, Modern

  10. Stanford University’s Protégé Knowledge Base and Ontology Tool
  • Allows easy modeling and creation of an ontology
  • Auto-generates forms for collecting and capturing information based on the ontology and class definitions.
  • “Reverse slots” allow rich linking ability and automatic updates of changing relationships.
    • Remember the removal of the server and the associated updates of firewall rules?
  • Generates an HTML view of knowledge and ontology.
  • Can use an XML plug-in
    • Generate reports in other formats and for specific audiences, without storing redundant data.
  • Currently used for the UCI Enterprise Architecture Repository
  • Open source at http://protege.stanford.edu/

  11. Protégé GUI

  12. Protégé – Knowledge Capture

  13. HIPAA?

  14. Protégé – Application Instances

  15. Protégé – Authentication Instances

  16. Protégé – Authorization Instances

  17. Protégé – Patching Procedures

  18. Protégé – Query Capability

  19. Agenda
  • Background on ontologies and Protégé
  • Realized value: demonstration of our knowledge base and reports
  • How to implement it in your organization
  • Summary
  • Useful URLs and Q&A

  20. Realized Value: Autogenerated Reports from Protégé
  • Network Inventory Report
    • By Host Name
    • By IP Address
  • Firewall Rules Report
    • By Firewall
    • By Host Name
    • By IP Address
  • Personal Identity Database Report
    • By Server
    • By Database
  • Personal Identity Datafile Report
    • By Server

  21. Before and After - Firewalls
  Figure: roles shown are Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin

  22. Report: Network Inventory

  23. Reports: Personal Identity Database by Server

  24. Using Protégé to Capture Reviews

  25. Using Protégé to Capture Reviews

  26. Agenda
  • Background on ontologies and Protégé
  • Realized value: demonstration of our knowledge base and reports
  • How to implement it in your organization
  • Summary
  • Useful URLs and Q&A

  27. How to Implement in your Organization…
  • Step 1: Inventory existing spreadsheets and documents related to security.
  • Step 2: Identify the information you want to track centrally. What is important or critical? Do that first.
  • Step 3: Design your ontology (or copy ours).
  • Step 4: Assign roles: who updates, who views.
  • Step 5: Capture information.
  • Step 6: Add any customizations to Protégé.
  • Step 7: Create secured reports for various audiences.
  • Validate the reports and the usefulness of the collected information with stakeholders.

  28. How - Our Ontology

  29. How - Protégé Customizations
  • Although editing of the knowledge base is done centrally through the Protégé desktop client, we wanted to automate the generation of all report output
  • Wrote two custom Java classes that use the Protégé API to emulate actions usually done through the GUI, so they can be run from an automated command line script instead
    • edu.uci.adcom.protege.ProjectXmlExport
    • edu.uci.adcom.protege.ProjectHtmlExport
  • Modified the existing HTML Export plug-in to change the structure of the output HTML
    • List Instances before Slots on Class pages
    • Made string attributes that are URLs actual hyperlinks
    • Add line breaks between multiple Slot values

  30. Using Protégé to Capture Reviews

  31. How – Using XSLT for Reports
  • Replicate the former spreadsheets exactly and replace them with the same functionality
  • Created canned reports for specific views on the knowledge
  • XSLT is used to transform the XML export of the entire knowledge base into report-specific “simple” XML
  • Then again from the “simple” XML into multiple HTML views for each report, or an Excel spreadsheet
  • XSL and CSS are flexible and can be modified to customize the presentation of data

  32. Reports: Personal Identity Datafile by Server

  33. How - Putting it all together
  • An Ant script is used to tie everything together and make it easily scheduled from the command line

  34. Metrics
  Before
  • Firewalls
    • Border, Police, Financial Services, Windows OS, and Server Firewall
    • Each firewall had its own spreadsheet (5 spreadsheets total)
    • 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
  • Whiteboards
    • Partial network inventory
    • Unpatched servers on whiteboard
  • 4 units keeping redundant or out-of-sync information in private locations
    • Limited access - personal computers
  • Sensitive data locations unclear
  • No version management of applications
  • Servers with no virus protection or not backed up
  After
  • Rich inventory of knowledge, including firewall rules and network inventory
    • New information that didn’t exist before
  • Zero spreadsheets
  • 10 custom reports – both HTML and Excel
  • Centralized maintenance of a single repository across organizational units
    • Access based on privileges
  • 60 individuals in the organization have a clear view of potential holes in security for analysis and proactive planning
  • Sensitive data tracked
    • 35 data files
    • 50 database fields
  • Tracking versions of 12 major applications for patch management
  • Added 5 hosts to the backup and anti-virus scanning procedure

  35. Future Plans
  • Continue to evolve the ontology to include more attributes and relationships
  • Continue capturing and updating new information
  • Look into using the Protégé Web-based front-end with a JDBC backend to support multi-user updates and views.
  • Generate checklists intelligently based on attributes for reviews
    • Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
  • Generate more canned reports.
  • Write queries that proactively determine potential trouble spots
    • A personal identity database field that has not been encrypted.
    • An application review that requires follow-up on security vulnerabilities
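The two ideas that carry this deck are the linked instances of slide 10 (a firewall rule points at a Host instance, and the "reverse slot" on the host lists its rules, so re-addressing a server no longer means editing several spreadsheets as on slide 6) and the proactive trouble-spot queries of slide 35. The following is an added example written for this page, not the Protégé knowledge base or the UCI Java classes themselves; it models a small constructed inventory in plain Python with assumed class and slot names (Host, FirewallRule, PersonalIdentityField, ApplicationReview) and runs both slide 35 queries over it.

```python
from dataclasses import dataclass, field
# Constructed mini knowledge base mirroring the talk's classes; names are assumptions.

@dataclass
class Host:
    name: str
    ip: str
    # "reverse slot": filled automatically whenever a rule links to this host
    rules: list = field(default_factory=list, repr=False, compare=False)
@dataclass
class FirewallRule:
    firewall: str
    host: Host  # forward slot points at the Host instance, never at a copied IP string
    port: int
    def __post_init__(self):
        self.host.rules.append(self)  # keep the reverse slot in sync

@dataclass
class PersonalIdentityField:
    database: str
    host: Host
    column: str
    encrypted: bool
@dataclass
class ApplicationReview:
    application: str
    open_findings: int
    followup_done: bool

def firewall_report(hosts):
    # Firewall Rules report by host name; rule text is derived from the linked Host
    return {h.name: [f"{r.firewall}: allow {h.ip}:{r.port}" for r in h.rules] for h in hosts}

def unencrypted_pii_fields(fields):
    # Trouble-spot query: personal identity database fields that are not encrypted
    return [(f.host.name, f.database, f.column) for f in fields if not f.encrypted]

def reviews_needing_followup(reviews):
    # Trouble-spot query: reviews with open vulnerabilities and no follow-up recorded
    return [r.application for r in reviews if r.open_findings and not r.followup_done]

def demo():
    web, db = Host("web01", "10.0.0.5"), Host("db01", "10.0.0.9")
    FirewallRule("Border", web, 443)
    FirewallRule("Financial Services", db, 1433)
    db.ip = "10.0.1.9"  # re-address the host once: every report picks it up
    fields = [PersonalIdentityField("finaid", db, "ssn", True),
              PersonalIdentityField("finaid", db, "cc_number", False)]
    reviews = [ApplicationReview("FinAid Portal", 2, False), ApplicationReview("Grades", 0, False)]
    return firewall_report([web, db]), unencrypted_pii_fields(fields), reviews_needing_followup(reviews)
```

Because the rule stores a reference rather than a copied address, the firewall report for db01 already shows the new IP after the single `db.ip` update, which is the spreadsheet-sync problem the talk set out to remove.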

  36. Q&A
  • AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
  • Stanford’s Protégé Knowledge Base and Ontology Tool (Java, open source) - http://protege.stanford.edu
  • XML/XSLT processing - http://xerces.apache.org
  • Ant - http://ant.apache.org
