Information Security Training for SysAdmins. Center for Education and Research in Information Assurance and Security, Purdue University

Transcription

1 Information Security Training for SysAdmins Center for Education and Research in Information Assurance and Security, Purdue University

2 Published by: CERIAS, The Center for Education and Research in Information Assurance and Security CERIAS 656 Oval Drive Purdue University West Lafayette, Indiana 47907! "#$%%!$& % ' ' % $ 2

3 PREFACE %'!% ()! $ CENTER FOR EDUCATION AND RESEARCH IN INFORMATION ASSURANCE AND SECURITY ()' %*! %% ( ' + ) $ $! %%,,, $ %%% %%'!-.%% % $.%! %%$.!% %% $ IS TRAINING FOR SYSADMINS MATERIALS %/%-0) 1% )2 3) "' /) $%% % % %%'$ 3

4 Instructor Materials Content Outline$%! %$% %$%! % %$%%% %! % %$4% '% %+' % '%% +'%$ Slides$' %% % % % $%% %% % % %5%$ %! %% %$4 $ % $ Video$!% % $!% %6%!$!%!% %%' %%' ' % $ %,,!%! $ %' % %,!%6 $ Learning Activities$%!! % ' %% $ %!!% 7+ 8 % '% ' % % $! %!% %5' '%! %% $ Test Questions$ 9' %!!%() $ %+ % $! 99 5 $2 9% '!!! %9 $2%+ % 4

5 % '! $! 9%% ' $!%1 -!% %%%+ % % '!$ %! %!%$!% %3 9 %$ 9 %%' -0):)% 3) ::(% +' )$"%% :%+: % $&! : %!! $"%%, % %!% %!%% % $1%%%, ' %'% $ % %!%%, $ Student Materials Slides$! ' %%%!!$% ' +$ Learning Activities$! %! %! %!! %%' $ Test Questions$! 9 %! '!!! $! (0 3$)&;% % 5 $ TIPS FOR EFFECTIVE USE Systems Perspective$! %! $ % %%'' + ' %$ $ % 5

6 $1%%+ % $ #+ $ % % $ %%% % % %! <%%!%$' % % ' % ' % $"=2' %! $% %%6 % 6%5% $ 2'! % %% %$ 65%% %6 %7% 8$ % %'% $ Needs-Based Training$ % % %% % %+ +'%$>'% % $ % %++'% %+% %$ '%% %! % %+ +'%$1 '%%%!+'% % '+'% %$ % %% $ +'%%!% +'% %!%<'' $&,!%%5 % '''%$ % %% 6$'! %% %%% 6 +'%%!%$& %% %% +'%%!%$!%% % 5 6'%% $2 % % %%6!%%$ 6

7 CONTACT INFORMATION ; % %!!%%! % +$A'! % % +'' %' %6'' +'@$%!++9$ Matt Rose! BCB;!%.! "#&/DED DBC,/EB,DD0 F $ $ 7

8 CONTENT OUTLINE: MODULE 1: INFORMATION SECURITY ESSENTIALS Note: Topic 2, Risk Analysis Overview (shaded), is used for the example content outline, slides, exercises, and test questions. Topic 1: Basic Concepts of Information Security... Lesson 1: Concepts and Terms Identify different types of threats (knowledge level 1) Define probes (comprehension level 2) Define systems and account compromises (comprehension level 2) Define theft (comprehension level 2) Define Malware (comprehension level 2) Identify different types of vulnerabilities (knowledge level 1) Define vulnerability (comprehension level 2) Describe human vulnerabilities (knowledge level 1) Describe physical vulnerabilities (knowledge level 1) Describe technology vulnerabilities (knowledge level 1) List types of attacks and motives for attacks (comprehension level 2) Define hackers (knowledge level 1) Define crackers (knowledge level 1) Define insider (knowledge level 1) Describe social engineering (knowledge level 1) Identify consequences of security breaches for Universities such as: (comprehension level 2) Identify prevalent security technologies (comprehension level 2) Describe cryptography and its purpose (knowledge level 1) Describe Hashing and its purpose (knowledge level 1) Define Public key encryption (knowledge level 1) Define Secret key encryption (knowledge level 1) Describe Digital signatures Identify a Firewall and its primary purpose (knowledge level 1) Define Intrusion Detection (knowledge level 1)... Lesson 2: Assets & Regulations... 8

9 1.2.1 Identify types of computer and information assets (knowledge level 1) List some tangible and intangible assets (comprehension level 2) Examples of lost tangible and intangible assets Describe FERPA (Family Educational Rights and Privacy Act) as it relates to Universities (knowledge level 1) Describe HIPAA (Health Insurance Portability and Accountability Act) as it relates to Universities (knowledge level 1)... Lesson 3: Goals Outline the goal of the CIA model (knowledge level 2) Confidentiality Integrity Availability Outline the goal of non-repudiation (knowledge level 1) Outline the goal of auditability (knowledge level 1) Topic 2: Risk Analysis Overview...11 Lesson 1: Risk Assessment Describe risk-analysis and its purpose in information security (knowledge level 2) Describe asset classification (knowledge level 2) List the steps of asset classification (knowledge level 1) Describe threat and vulnerability assessment (knowledge level 2) List categories of threats and vulnerabilities (knowledge level 1) Assign probability and severity to threats (knowledge level 2) Describe evaluation of controls (knowledge level 2) Describe the purposes of controls (knowledge level 2) Describe analysis, decision, and documentation (knowledge level 2) Describe Cost benefit model (knowledge level 2) Outline the importance of communication (knowledge level 2)

10 Outline the purpose of monitoring and auditing (knowledge level 2) Identify Legal implications and Downstream risks (comprehension level 1)...17 Topic 3: Common Information Security Vulnerabilities... Lesson 1: Universities... Lesson 2: Systems Administrators... Lesson 3: End Users... Topic 4: Information Assurance and Security Policy Lesson 1: Policies, Standards, Guidelines and Procedures Define Guidelines (knowledge level 2) Define Policy (knowledge level 2) Define Procedures (knowledge level 2) Define Standards (knowledge level 2) Describe the differences between guidelines, and procedures (knowledge level 2)... Lesson 2: Guidelines, Policies, Procedures and Standards Describe what makes good information security policies, standards, guidelines, and procedures (knowledge level 2) Describe the ISO standard as it relates to information security (knowledge level 2) Describe Common Criteria (ISO 15408) as it relates to information security (knowledge level 2) Identify examples of information security policies, standards, guidelines, and procedures (comprehension level 1) Lesson 3: Incident Response Discuss the purpose of incident response in information security. (knowledge level 2) List the components for an incident response strategy. (comprehension level 1)... 10

11 EXAMPLE CONTENT: TOPIC 2: RISK ANALYSIS OVERVIEW Lesson 1: Risk Assessment Goal: Learner will be able to outline the steps of the risk assessment process. Performance Outcomes: Describe risk-analysis and its purpose in information security (knowledge level 2) The goal of the risk assessment process is to provide management with the information they need to make sound business decisions regarding risk whether to accept it, to mitigate it, or to avoid it. A risk is the chance of encountering loss or harm. An information security risk analysis attempts to quantify and qualify the likelihood of encountering harm or loss of information or data assets. To adequately consider your chances of incurring harm or loss, it is necessary to consider both the value of the information, as well as the types and probability of risks to the information. Risk Analysis is a key step to managing risks. The steps that are taken to manage risk should be based upon a sound and thorough risk analysis. Risk analysis should be conducted when starting a project or development cycle, as well as at preplanned intervals that coordinate with business cycles. Effective risk analysis includes internal experts and subject matter experts, because no one knows systems better than the individuals responsible for developing and maintaining them. The risk analysis outcome should be sound information to ensure sound managerial decision-making regarding security controls to implement. A risk analysis should tell management how to proceed based on current concerns and corresponding costs to control the risk versus accepting the risk. Risk analysis will not eliminate risk, rather it should help reduce risk to an acceptable level, also known as risk mitigation. Managerial decisions are based on the costs required to implement safeguards and the expected risk mitigation. Costs to implement 11

12 safeguards and mitigate risks are discussed further in the section on cost-benefit analysis Describe asset classification (knowledge level 2) Asset classification is the process of categorizing a university s valued possessions into manageable groups. These groups are generally broken out into the following areas: Hardware, Software, Information and Services List the steps of asset classification (knowledge level 1) The purpose of conducting asset classification is to maintain appropriate protection of assets at your institution and ensure that information assets receive an appropriate level of protection. In other words, it is not cost effective to spend $5,000 to protect an information asset that is valued at $2,500. Therefore, in order to determine the value of an asset, it is necessary to perform an asset classification. Asset classification is the process of categorizing assets into smaller, more manageable groups. The following are types of information assets: o Hardware: All of the hardware assets that a university owns need to be classified. This includes all computer and technology equipment that would need to be replaced in the event of an incident. For example, monitors, servers, routers, etc. o Software: All of the software programs and packages that are needed for business continuity need to be identified. This includes off the shelf software products such as Microsoft office, as well as customized software that is developed in house or outsourced. o Information: Information assets typically refer to the data or information itself. Examples of information assets common to universities include: databases of students ids, research findings, donor information, financial aid records, and so on. o Services: Services include communication & data sharing, infrastructure support, etc. 12

13 2.1.3 Describe threat and vulnerability assessment (knowledge level 2) A threat and vulnerability assessment is one of the most important steps in the risk analysis process. This step utilizes the input from the previous step, asset classification. Once all assets have been classified, they are examined to identify the potential threats to each asset. Once the threats to each asset have been identified, the vulnerabilities for each asset are identified. These vulnerabilities are also identified with regards to the threat, examining the vulnerabilities each threat may use. The output from this procedure will be a list of threats and vulnerabilities for each asset. It is important to understand that there will always be some level of vulnerability for every organization List categories of threats and vulnerabilities (knowledge level 1) The following is a list, albeit not extensive, of some wellknown or common examples of threats and vulnerabilities within each of the respective categories. o o o o o Hardware: Misconfiguration, Lost / stolen devices Software: Malware, Illegal / prohibited software Data: Corruption, Theft, Deletion Policies and Procedures: Non-existent, Employees unaware People: Attrition, Illness, Injury Assign probability and severity to threats (knowledge level 2) Once threats have been identified, they need to be put into context and assigned a probability of occurrence. This means they will be rated on a likelihood of occurrence, known as Annual Rate of Occurrence (ARO), as well as the severity associated with the occurrence, known as Single Loss Expectancy (SLE). ALE (Annualized Loss Expectancy) is a term used when performing this procedure, which is the product of ARO and SLE (ARO * SLE = ALE). It is a quantitative analysis of the probability that an event will occur as well as the loss (severity) that would accompany the event. 13

14 2.1.4 Describe evaluation of controls (knowledge level 2) Describe the purposes of controls (knowledge level 2) The purpose of controls is to preserve the confidentiality, integrity, and availability of your information systems and data. Sometimes controls intend to prevent attacks, such as ACL s (Access Control Lists) on routers. Other times controls seek to detect attacks that are occurring or have occurred. Effective detection controls can help you quarantine attacks and mitigate negative effects. Finally, other controls need to be put in place to respond to attacks after they have occurred to minimize damage, resume operations, and implement corrective procedures to safeguard against future attacks Describe analysis, decision, and documentation (knowledge level 2) As previously mentioned, the cost of a control (such as purchasing a firewall, an anti-virus program, conducting security training, or hiring another security administrator), must be weighed against the value of the assets being protected. Potential controls should be based on a risk/value proposition. Cost benefit can be an effective means for analyzing the cost of countermeasures, the benefit of countermeasures and comparing costs to benefits to make a decision. Costs of countermeasures go beyond purchasing costs to include implementation, operations, maintenance, usability, scalability, and performance costs Describe Cost benefit model (knowledge level 2) Cost benefit analysis is an analysis of the cost effectiveness of different security safeguards in order to see whether the benefits of the safeguards outweigh the costs of both implementation and risk. The basic procedures of costbenefit analysis include: Estimating costs for all suggested safeguards Estimating the expected risk mitigation (or the benefit) for each safeguard. 14

15 Estimating Costs With information about potential security risks in hand, you are in a position to identify safeguards, or controls, to mitigate those risks. For every risk, you should analyze a) the nature of the risk, and b) the source of the risk (i.e., the vulnerability). Then, you should identify safeguards that will mitigate the risk. Note that in many instances, more than one safeguard will be appropriately identified to mitigate the risk. It is then necessary to estimate the costs of the safeguard(s). Safeguard costs usually include direct and indirect costs and include the expected life and annual maintenance costs to calculate an average annual cost over the life of the safeguard. Estimating Benefit(s) For each threat or risk, determine whether the selected safeguard(s) will reduce 1) the likelihood of occurrence, and 2) the damage of such an incident, or 3) both. Finally, you need to determine to what degree likelihood of occurrence and damage will be reduced. This is the benefit that the safeguard will offer. With this information in hand, you are in a position to analyze the costs versus the benefits of implementing given safeguards Outline the importance of communication (knowledge level 2) Communication is key during the risk assessment process. Including a wide range of personnel in the analysis and decision making phases can provide you with a better sense of risks as well as types of controls that will work in your environment. Communication is also important in a more formal sense, and that is in the process of documentation. The work performed during the risk assessment should be documented as well as the results to create a baseline and historical data for the next time. 15

16 Outline the purpose of monitoring and auditing (knowledge level 2) The purpose of auditing and monitoring is to verify that policies and procedures are being adhered to, as well as ensure that security measure are in place and up to date. It is important to audit system logs and other security measures on a regular basis to ensure that they are functioning properly. o High-level Auditing: Recently, auditing and monitoring have become synonymous with one another. The importance is not the distinction between the definitions of the two terms, but the goal each strives to achieve. The term audit is more of an evaluation that takes place periodically, ensuring compliance with certain standards, whereas monitoring is the on-going evaluation of policies, procedures, etc It is important that audits take place on a regular basis to help ensure that things such as policies are in place and enforced as well as verifying required security measures are being taken. Below is a list of some common activities that take place at this level of an audit. Ensure policies are procedures are up to date Ensure compliance with policies and procedures Verify separation of duties Verify physical controls Verify user controls Verify auditability is possible o Operations / Systems Auditing: Another aspect of auditing and monitoring are the systems. Throughout this process, systems are audited to ensure they are configured properly, the proper controls are in place, and logs for auditing are being maintained. Most importantly, this phase of the audit seeks to ensure system integrity. Below are some examples of the events that take place during this phase. 16

17 Validate systems configurations Ensure valid user accounts Verify user permissions and privileges Identify policy deviation o Usage Auditing: This phase helps to identify potential security risks by comparing current usage against a recorded baseline usage statistic. o Monitoring: Monitoring is an ongoing process that seeks to constantly check the integrity of systems and processes. The point is that performing a security risk assessment is not, or should not, be a one-time event. New vulnerabilities are discovered every day. New products are purchased and installed every day. The value of assets change with alterations is business cycles and business goals. Therefore, it is important to periodically revisit information security assets, risks, and countermeasures Identify Legal implications and Downstream risks (comprehension level 1) Tort law in the United States requires four fundamental components: duty, negligence, damage and cause. Spelled out in the light of information security, we can examine the effect this has on information security: Duty: Do I have a responsibility to protect information? This is the area that has been building steam. With they media awareness and push from the government to see that systems are secured, one would have to be blind not to be aware of the need to protect information. In fact, your security and privacy policies may automatically assign you the understanding of your duty. Negligence: Defines a breach of duty. Can evidence be produced that shows the defendant did not fulfill his or her duty of care? If the organization had left a system in a default insecure state or not applied a security patch they were aware of, this shows negligence. 17

18 Damage: Demonstrates the plaintiff has suffered some quantifiable harm. If a system that was broken into and attacking another organization, the damages can be identified. If private information was stolen and resulted in identity theft, the damages can be identified. Cause: Is the breach of duty related to the damages closely enough to be considered a primary cause? This plugs the duty, negligence and damage together to see if they add up if = 3, then the case is valid. To combat the threat of liability, organizations should adopt and be able to prove compliance to information security standards and best practices. Many organizations adopt standards in word only, not in deed this may only further your liability problems. To truly combat this threat, organizations will have to show due diligence through compliance to standards and best practices. That way if an incident should arise, the organization could say it was making a best effort attempt at protecting the information and here is the proof. If a hacker is able to utilize your computer to perform a DDOS on company XYZ that results in significant loss of revenue to company XYZ, can you be held liable for this? 18

19 EXAMPLE SLIDES: TOPIC 2: RISK ANALYSIS OVERVIEW 19

20 20

21 21

22 22

23 23

24 EXAMPLE EXERCISES: TOPIC 2: RISK ANALYSIS OVERVIEW Exercise 1 The following is a scenario that will be used to walk through the steps of a risk assessment: Metrocollege was established approximately twenty years ago, coming together via a merger of a junior college and a technical trade college in the same town. Their two campuses are about thirty miles apart. The campuses are connected via a T1 (1.544 Mbps) WAN (Wide Area Network) connection, and Internet connectivity is achieved through a local ISP. As for hardware, there are 12 computer labs that are not properly secured, 12 servers running unmanaged services, 24 printers and approximately 500 PC s without anti-virus software spread across the two campuses. The following is a list of most of those services the IT department provides to the faculty, staff and students; application and print services, distance learning, , financial records management, HR and student record management, Internet access (unrestricted) and remote access. Questions: What is the purpose of a risk assessment? What assets can you identify in the above scenario? What is the purpose of a threat and vulnerability assessment? What threats and vulnerabilities can you identify in the given scenario? What types of controls should be in place to foster a secure environment? Should monitoring and auditing be taking place? If so, what type and why? What are some legal implications that the college may face if an incident were to occur? What federal regulations apply to the college? Why? Answers: What is the purpose of a risk assessment? The purpose of the risk assessment process is to provide management with the information they need to make sound 24

25 business decisions regarding risk whether to accept it, to mitigate it, or to avoid it Perform an asset classification on the above scenario. Hardware 12 servers 24 printers 500 PC s Routers for Internet connection and WAN connection Software Operating systems Distance learning Faculty and student applications Information Financial records HR records Student records Services Application and printing Distance learning Financial records management HR and student records management Internet Remote access What is the purpose of a threat and vulnerability assessment? The purpose of this procedure is to identify the threats and vulnerabilities associated with each of the assets identified in the asset classification Perform a threat and vulnerability assessment for the given scenario Asset Asset Threats Vulnerability Classifiction Hardware 12 Servers Hacker / Cracker Unmanaged services; weak physical security 24 Printers Thieves Weak physical security 500 PC s Hacker / Cracker / Virus No anti-virus software 25

26 Software Distance Learning Hacker / Cracker Session hijacking Faculty and Staff Hacker / Cracker and student applications Operating systems Hacker / Cracker / Virus Not compliant with current patch level; no antivirus software Information Financial records Hacker / Cracker / Insider HR records Hacker / Cracker / Insider Student records Hacker / Cracker / Insider Services Application and printing Distance learning Financial records management HR and student records management Internet access Remote access Hacker / Cracker Hacker / Cracker Hacker / Cracker Hacker / Cracker Hacker / Cracker Hacker / Cracker Hacker / Cracker What types of controls should be in place to foster a secure environment? There needs to be physical security measures put in place Machines need to be audited to identify unmanaged / unused service so these services can be shut down Anti-virus software needs to be loaded on all machines Should monitoring and auditing be taking place? If so, what type and why? Yes monitoring and auditing should be taking place. An operations / systems audit needs to take place to identify the unmanaged / unused services on the machines What are some legal implications that the college may face if an incident were to occur? Liability, violation of regulations. What federal regulations apply to the college? Why? FERPA, because they are lawfully responsible for protecting student educational records 26

27 Exercise 2 Kip was a senior systems administrator for Southside University. Just before the University's Halloween party, Kip submitted his letter of resignation and two weeks notice to the operating manager, Scott. Scott immediately posted the job opening, but at the end of the two weeks, a suitable candidate for systems administrator hadn't been found. Forced to dig deep into the employee pool, Scott promoted one of their best student employees, Jake, to temporary systems administrator. Jake was a half-time intern and a student at the University, and showed promise in the area of systems administration. Before he left Southside University, Kip sat down with Jake to "show him the ropes" of systems administration. One of the last things Kip told Jake was that all of the antivirus software on all the end-user workstations and desktops needed to be updated. And so, after settling in, Jake started doing just that. He began by updating the virus definition files because they hadn t been updated in over two months. Then, he configured the antivirus software to scan the machines once a week, starting today. Two hours after he had updated the first computer, the virus software detected the Nimda virus, three hours after he completed updating the second computer, the same thing, and less than an hour after updating the third, it too detected the virus. Questions: %- Why did this happen? Did Southside have documentation on how to install antivirus software? If so, why wasn't it implemented? Did Jake know about the documentation? Did they have a policy on how exiting employees, such as Kip, should train new employees? Answers: Why did this happen? This incident probably happened because the virus software had not been updated regularly. It may also have been because 27

28 the antivirus software hadn t scanned the machines in a long time. The Nimda virus may have been present for quite some time and was never detected Did Southside have documentation on how to install antivirus software? It appears they did not have any documentation. This was apparent because Kip showed Jake the ropes as opposed to giving him any documentation on the systems. If so, why wasn't it implemented? Systems administrator may have taken for granted that it just software and therefore it would be a typical install, not needing any special configurations Did they have a policy on how exiting employees, such as Kip, should train new employees? Obviously not, it appears that Kip just gave Jake a run down of what was currently going on, the high-level overview of the infrastructure, and some side notes about what needed to be done. 28

29 EXAMPLE TEST QUESTIONS The purpose of risk analysis is to: A. Eliminate Risk B. Identify risks so they can be managed C. Determine policy Answer: B The purpose of risk-analysis it to: A. Eliminate risk B. Quantify and qualify the likelihood of harm or loss C. Preserve confidentiality, integrity and availability D. Evaluate alternative security measure Answer: B Risk analysis includes (select all that apply): A. The likelihood of encountering harm or loss B. The impact of harm or loss C. The cost of implementing safeguards D. All of the above Answer: D The process of categorizing a university s valued possessions into manageable groups is known as: A. Asset classification B. Cost-benefit analysis C. Risk analysis D. Risk assessment Answer: A Which of the following is not a step of asset classification? A. Hardware B. Software C. Information D. Service E. All of the above are classes Answer: E 29

30 2.1.3 In order to perform a threat and vulnerability analysis, which step must be completed first? A. Asset classification B. Cost-benefit analysis C. Risk analysis D. Risk assessment Answer: A Which of the following are considered a category of threat? A. Data B. People C. Policies and Procedures D. Software E. All of the above Answer: E A quantitative analysis of the probability that an event will occur as well as the loss that will accompany the event: A. ALE B. ARO C. SLE D. None of the above Answer: A The probability that an event (threat) will occur is known as: A. Annual Rate of Occurrence B. Annualized Loss Expectancy C. Single Loss Expectancy D. None of the above Answer: A Risk assessment includes the following steps: 1. asset classification 2. threat and vulnerability assessment 30

31 3. 4. analysis, decision, and documentation, 5. identification of legal implications. What is the name of step number 3? A. Attack probability B. Evaluation of controls C. Risk mitigation D. None of the above Answer: B The purpose of is to preserve the confidentiality, integrity, and availability of information systems and data. A. Controls B. Firewalls C. Policies D. Procedures Answer: A An example of a type of control is: A. ACL B. Firewall C. Gateway D. None of the above Answer: A Cost-benefit analysis can be an effective means for analyzing the cost of: A. Attacks B. Countermeasures C. Threats D. Vulnerabilities Answer: B The basic steps in cost-benefit analysis are: A. Estimating costs for safeguards and benefits of reduced risk B. Estimating potential loss and prevention costs C. Both A & B D. None of the above Answer: C 31

32 is / are an important part of the risk assessment and documentation phases. A. Communication B. Controls C. Cost-benefit analysis Answer: A The purpose of auditing and monitoring is to: A. Verify that policies and procedures are being adhered to B. Assess the threats in relations to assets C. Identify proper countermeasures D. None of the above Answer: A Which of the following is not a fundamental component of Tort law in the United States? A. Duty B. Negligence C. Damage D. Effect Answer: D 32

33 EXAMPLE COURSE EVALUATION SysAdmin Project Module 1 Information Security Essentials Course Evaluation Please take a few minutes to give us feedback on this short course. We appreciate your input. Strongly Disagree Neutral Agree Strongly Agree Disagree Risk Analysis I enjoyed learning about risk analysis. I learned a great deal about risk analysis. I will be able to use what I learned about risk analysis in my job. 33