Spooks in the Machine

Transcription

1 A Higher Education Services Company Spooks in the Machine Proactive Strategies for Securing the Network Steven M. Helwig, CISSP Technical Director

2 Contents of Presentation Aligning Security Goals with Institutional Goals Infrastructure Security Security Assessments Proactive Maintenance Extra Information (time permitting) Questions and Answers 2

3 Definition of Information Security The concepts, techniques, technical measures, and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. * * McDaniel, George, ed. IBM Dictionary of Computing. New York, NY: McGraw-Hill, Inc.,

4 A Higher Education Services Company Aligning Security Goals with Institutional Goals

5 Aligning Security Goals Know the Institutional Goals and Missions Know if any regulations (SOX, CISP, etc.) are applicable Know what is important to the Institution (data, resources, etc) Perform a Risk Analysis and Impact Study Recommend safeguards to protect the Institution s assets 5

6 A Higher Education Services Company Infrastructure Security

7 Proactive and Reactive Definitions Proactive Definition: Controlling a situation by causing something to happen rather than waiting to respond to it after it happens* Reactive Definition: Tending to react to a stimulus* 7

8 Proactive vs. Reactive: Q1 Question: Is a firewall appliance a proactive or reactive device? Reactive Agree or Disagree? 8

9 Proactive vs. Reactive: Q2 Question: Is Anti-Virus software a proactive or reactive application? Reactive Agree or Disagree? 9

10 Proactive vs. Reactive: Q3 Question: Is an Intrusion Detection System (IDS) a proactive or reactive system? Reactive Agree or Disagree? 10

11 Proactive vs. Reactive: Q4 Question: Is a Security Policy proactive or reactive? Proactive Agree or Disagree? 11

12 Proactive Infrastructure Develop security baseline Review event logs and log files Perform periodic vulnerability scans Know the Common Vulnerabilities and Exposures (CVE) for your systems Keep equipment patched Keep operating systems on servers current 12

13 A Higher Education Services Company Security Assessments

14 Why A Security Assessment? Develops Security Baseline Know where you are vulnerable Know your patch levels Document the network and network equipment (servers, routers, etc) Determine the adjustments needed to protect the network and equipment Bring a focus on security issues to administration 14

15 What's Involved in an Assessment? Always have in writing a Proper Authorization from Administration to Perform an Assessment Pre-Assessment meeting to discuss what will be happening during the assessment High Level Assessment Methodology Network Enumeration (IP and host identification) Network Scanning and Probing (Internal and External) Investigation of Vulnerabilities Exploitation of Vulnerabilities (only for experienced assessors) Documentation of campus network 15

16 What s Involved in an Assessment (con t)? Review of policies and procedures Investigation of physical security Review of Student and Staff orientation process Review of communication plans Review of disaster recovery and business continuity Review of patch management Analysis of server and computer configurations Analysis of firewall, IDS, Anti-Virus, etc. configurations and update procedures Port Scans Look for rogue networks Look for rogue wireless devices 16

17 What s Involved in an Assessment (con t)? Review of maintenance contracts for critical equipment and software Analysis of wireless security Review of authentication policies and procedures (proper authorization, termination deletions, rights) Review of security personnel (separation of duties) Review of anything else discovered during the assessment Review of major application security Review of wiring closets Observations Interviews 17

18 What s Involved in an Assessment (con t)? Some Recommended Tools: Vulnerability scanning software Port scanning software Drawing program Graphing program Word processor Network discovery software Network monitoring software Sniffer Ability to scan documents Digital camera 18

19 Assessment Deliverables Security Baseline documentation Listing of found vulnerabilities What vulnerabilities were found Description and criticality Resolution Listing of found open ports What uses the ports Written analysis of the activities performed Recommendations: Effective Practices Current condition and criticality Recommended resolution 19

20 A Higher Education Services Company Proactive Maintenance

21 Proactive Measures Know What You are Trying to Protect Patch Management Periodic Review of System Configurations Periodic Vulnerability Scans Change Control Management Policy and Procedure Reviews User Awareness Training Proper Communications Equipment Verification before Installing on Network Proper Authentication Monitoring of Events and Logs Monitoring of CVE sites Proper and Tested Backups and Restore Policies and Procedures 21

22 References and Resources Miliesky, G. (2004). A guide to proactive network security. Retrieved 2/15/2005, McNab, C. (2004). Network security assessment. California: O Reilly. Peltier, T., Peltier, J., Blackley, J. (2003). Managing a network vulnerability assessment. Florida: Auerbach. Brenton, C. (1999). Mastering network security. San Francisco: Sybex. Hutt, A., Bosworth, S., Hoyt, D. (1995). Computer security handbook, 3 rd edition. New York: Wiley and Sons. 22

23 References and Resources (con t) SANS Internet Storm: National Institute of Standards and Technology: CERT: Security Focus BugTraq: Microsoft Security: Institute for Security and Open Methodologies (ISECOM): McAfee: Symantec: 23

24 A Higher Education Services Company Extra Information

25 Risk Analysis Basics Assets to Protect Physical Reputation Intellectual Protecting From Employees Contractors and Vendors Other Institutions Hackers, Crackers, etc Students Disaster (Natural, Accidental, Intentional) Likelihood of Attack Impact to institution if data is lost, stolen, etc Cost to Protect Each Asset 25

26 Policy Basics Consistent with other Institutional Policies Administration Approval Acceptance by Institutional Community Compliant with Regulations, Laws, etc. Clear and Concise Justified Readable Enforceable Communicated Define Acceptable Level of Privacy Periodic Review (Stay Current) Contact for Further Explanation 26

27 Change Control Basics Changes Approved Changes Justified Changes Made by Persons with Proper Authorization Cost Implications Changes Well Documented Changes Adhere to Policy Changes Can Be Backed Out Changes Tested 27

28 Patch Management Ensures Systems are Up To Date Ensures Patches and Upgrades are Tested Provides Management Reports Identifies Vulnerabilities Patch Compliance May be Required to Meet Regulatory Requirements Enforces Periodic Vulnerability Scanning Assists in Understanding Current Vulnerabilities by Enforcing Constant Scanning for Known Vulnerability Updates 28

29 A Higher Education Services Company Questions?

30 A Higher Education Services Company Thank you for attending!