SNS Funding and IT Strategic Plan

Transcription

1 FY IT Budget Proposal IST: Systems & Network Security (SNS) ABBA Category One: Institutional Effectiveness ABBA Category Two: Information Technology For more information about this proposal, contact: Michael Green, SNS is responsible for managing risk associated with network attached hosts for all of the UCB campus. SNS currently offers host vulnerability scanning, detection of compromised hosts at the border, and scanning for hosts not regularly patching. SNS handles customer communication for all of these activities. 1. Alignment with IT Strategic Plan This budget request is for SNS funding to support the security, reliability, and access portion of the IT Strategic Plan. 2. Impact SNS is the central system and network security organization and serves the entire campus. 3. Risk assessment If we don t fund SNS, we will not have central host vulnerability assessments, intrusion detection at the border, or incident management. 4. Innovation The role of SNS is primarily operational. This does not preclude SNS from innovating in areas such as restricted data management, but the primary mission is to manage risk associated with network attached hosts. 5. Funding model The funding model for SNS is sustainable at the level being requested. The staff is fairly small and there are no efficiencies to be gained without reducing services. March 29,

2 Base Funding SNS is funded by a combination of campus and IST/CIO funding. In FY06-07, the campus allocated $960K to fund SNS, IST provided $120K to cover the cost of one FTE, and the CIO $280K for labor and software. At a high-level, funding for SNS in FY06-07 looked like this: Base Budget - Campus Funding Labor and benefits $492,640 Training for SNS employees $12,000 Supplies and expenses for SNS employees, includes hosting $33,932 Software (RDM, Pointsec, Foundstone, Symantec, Tripwire and host security bundle) $351,873 Hardware (purchase and refresh) $50,668 Hardware (maintenance) $5,067 Office space $13,680 Funding from campus $959,860 Base Budget- CIO and IST Funding Labor and benefits $342,032 Training $6,000 Supplies and expenses $29,766 Consultants (Security Training) $22,000 Funding from CIO and IST $399,798 Total funding $1,359,658 The FY06-07 numbers form the base for the FY07-08 budget. March 29,

3 Staff The core SNS group consists of five full-time employees, a half-time supervisor and.25 of an FTE to work on application vulnerability assessments. For day-to-day management, SNS reports through the IST Infrastructure Services group. The campus security group (CISPC) oversees SNS activities. Major SNS accomplishments in FY06-07 Release of the Restricted Data Management (RDM) application Working with IST Application Services, SNS developed an application that allows departments to register systems that contain restricted data. The RDM has been integrated into SNS notification and scanning systems. Hosts registered in the RDM are scanned more frequently and thoroughly. Any incidents associated with a system registered in RDM results in a priority ticket being generated and senior SNS staff being immediately notified. The RDM system has been well received by the UC security community and has been offered to other campuses at no charge. UCLA was the first to take us up on this offer Made progress in moving from compromise notification to risk management In the past, SNS primarily focused on notifying security contacts that a host in their department had been compromised and was attacking other systems. In FY06-07, SNS made significant progress toward the goal of working with campus departments to manage risks associated with running networked systems. Using results from the Foundstone host vulnerability scanner, SNS notified departmental security contacts of systems that had a high risk of being compromised. SNS also now routinely notifies security contacts of Windows systems that have not been patched. FY07-08 security priorities and estimated costs There are four key security initiatives that have been proposed for 07-08, the incremental cost of doing all four would be around $300K, increasing the total annual central campus security expense from $1.3M to $1.6M. The items below are in order of CISPC priority. The numbers in parenthesis are estimated annual costs, except for RDM modification (Priority 2), which is a one time cost. 1. Hire an education and outreach manager ($115,822) Hire a person to develop a more comprehensive campus security education and outreach program. This position, recommended by the PWC security audit and peer campuses, will coordinate campus security education efforts and work with committees like the Committee for Protection of Human Subjects, CISPC and DSC, as well as the FERPA and HIPAA officers to come up with communication plans for policies and compliance. Campus security committees and officers do a good job of developing policy and technical methods to monitor compliance, but are not extremely effective at March 29,

4 communicating with each other or the campus. One of the key responsibilities of the person in this position will be to make sure that there is more effective campus communication. The $115,882 is an annual ongoing cost. 2. Add registration of restricted data feeds to the RDM ($35,000) The purpose of this project is to modify the RDM so that data owners have a way to review, then approve or reject, requests for restricted data feeds. This work will be done by IST Applications Services who built the RDM application and who has already developed some basic code to provide restricted data feed management. The Data Stewardship Council (DSC) has formed a working group to evaluate the best way to handle restricted data feed registration. SNS will participate in the DSC effort, develop requirements, and work with IST Application Services to modify the RDM. The $35,000 is a one-time cost. 3. Develop an application vulnerability assessment service ($137,448) In the past, persons looking to gain unauthorized control of a computer system targeted weaknesses, typically weaknesses in software that had not been patched. Software with vulnerabilities, particularly system software that runs with access to all parts of a system, can be attacked to gain complete control of a system. Gaining access to a system with vulnerable system software is not difficult, but fortunately it is possible to keep a system reasonably patched and fend off the casual attacker. This is why SNS has spent so much effort in building systems to notify users that their systems need to be patched. There are other ways to gain access to system information. Two that are of some concern are cross site scripting (XSS) and SQL injection. The basic idea behind both of these is to get a server to run commands that the attacker sends to the server. In the case of SQL injection, the commands are designed to retrieve data. SNS needs to develop the capability of detecting Web applications that are vulnerable to XSS and SQL injection attacks and notifying the developers of those applications that they need to be fixed. IBM recently completed some consulting intended to help us review tools, both open source and commercial, which scan applications looking for vulnerabilities that can be exploited to gain access to, or information from, a system via its user interface. It is important that automated vulnerability scanners be accurate. Too many false positives cause alerts to be ignored. From our testing, and testing with IBM, we feel that the commercial product AppScan is a good product to use for application vulnerability scanning. UCOP is releasing an RFP, so the cost of the software may be lower than the quote that we got from the vendor. Doing application vulnerability assessments properly requires that the person interpreting the results of the scans have a clear understanding of how applications are developed. The estimated annual cost, listed above, includes 75% of a PA IV who has the appropriate level of experience with applications March 29,

5 development and understands how to interpret the results of the vulnerability scans. Part of the consulting engagement with IBM was to transfer knowledge of how to properly interpret the results of application vulnerability scans. To keep that experience relevant, the other 25% of this person s time will be spent in IST Applications Services as a member of the Web Applications team. The $137,448 is an annual ongoing cost. 4. Deploy IDS in the interior of the campus network ($16,000) SNS only monitors traffic at the border, and for the most part, only outgoing traffic. This would allow us to detect attacks that don t leave the campus network. The $16,000 is an annual ongoing cost. Impact of adding priorities 1 and 2 to the annual security budget If we hire an education and outreach manager, and add registration of restricted data feeds to the RDM, the SNS base budget increases from $960K to 1.1M, bringing the total annual cost of central campus security to $1.5M. Base Budget + Priorities 1 and 2 - Campus Funding Labor and benefits $601,540 Training for SNS employees $14,000 Supplies and expenses for SNS employees, includes hosting $38,854 Software (RDM, Pointsec, Foundstone, Symantec, Tripwire, host security bundle, RDM restricted data feed registration) $386,873 Hardware (purchase and refresh) $50,668 Hardware (maintenance) $5,067 Office space $13,680 Funding from campus $1,110,682 Base Budget + Priorities 1 and 2 - CIO and IST Funding Labor and benefits $342,032 Training $6,000 Supplies and expenses $29,766 Consultants (Security Training) $22,000 Funding from CIO and IST $399,798 Total funding $1,510,480 March 29,

6 AVC-IT CIO FY BUDGET SUBMISSION Summary of Funding Model: IST: SYSTEMS & NETWORK SECURITY (SNS) (Base + Priorities 1 & 2) Summary of funding: campus vs other ACTUAL PROJECTED FY FY FY FY FY Campus funding sources Temporary/development $0 -$140 $0 $0 $0 Permanent/on-going -$597,897 -$959,860 -$1,110,682 -$1,075,682 -$1,075,682 Total campus funding sources -$597,897 -$960,000 -$1,110,682 -$1,075,682 -$1,075,682 Other funding sources (IST/CIO) Temporary/development -$456,164 -$399,658 -$399,798 -$399,798 -$399,798 Permanent/on-going -$3,134 $0 $0 $0 $0 Total other funding sources -$459,298 -$399,658 -$399,798 -$399,798 -$399,798 TOTAL ALL FUNDING SOURCES -$1,057,195 -$1,359,658 -$1,510,480 -$1,475,480 -$1,475,480 Note: In accordance with the University's accounting system, positive numbers are expenses or deficits, while negative numbers are funding or surpluses. March 29, 2007 Page 17