Project Update December 2, Innovation Grant Program

Transcription

1 Tri-University Vulnerability Scanning/Management Solution Project Update December 2, Innovation Grant Program 1

2 Project Summary This grant application is part of a previous project report presented to ABOR to create a shared Tri-University vulnerability scanning and management solution, which was one of the recommendations of the Moran Technology Consulting IT Collaborative Opportunities study. The proposed scanning solution would allow the three universities to: Gain an external intruder s point of view by scanning through network perimeters from scanners located at a sister university Take the vantage point of an attacker located on the campus network by regularly scanning their own critical networked IT assets from the inside To create an effective vulnerability scanning and management solution, this initiative will select and install the appropriate technologies for conducting both network system and web application scans, develop methodologies and processes for staff to conduct effective scans, and provide guidance for selecting and prioritizing critical networks to scan. The ultimate goal is to provide the three universities with the tools needed to detect system and web vulnerabilities before they become exploited by intruders and reduce the risk of sensitive information loss or disruptions to the networks that support our core mission. Proposal Narrative Part 1: Description of Need or Opportunity: Vulnerability scanning on networks is the practice of using tools to automate the detection of potential weaknesses in networked computer systems, and the process of interpreting these results to determine which vulnerabilities may be the most susceptible to being leveraged by a potential intruder. Regularly conducting vulnerability scanning (henceforth referred to as scanning ) is a critical component of an overall defense-in-depth strategy, and can establish a baseline of security exposures which an intruder can exploit. This baseline can be used in tracking on-going remediation efforts and provides guidance for Information Technology (IT) system administrators regarding security issues that need to be addressed. The significant benefits of regularly scanning each university s network include: Establishing a baseline of vulnerabilities that an intruder may exploit Providing IT system administrators with an outside view of services that they may be offering on the network Acting as a safety net for routine yet critical tasks such as patching software running on networked devices; for example, a vulnerability scan may reveal a previously overlooked critical patch that is missing Providing a certain degree of review for potentially insecure configurations Helping to comply with pertinent government or industry regulations Discovering and addressing vulnerabilities in web applications in addition to network system vulnerabilities is also of significant and growing importance. Vulnerabilities in web applications 2

3 can lead to significant data leakage, alteration of data, or even the compromise of an otherwise secure networked system. Currently, each of the three universities conducts its own network vulnerability scanning with a variety of primarily open-source tools and contracted services. Significant labor costs and effort are required to deploy those tools, making regular scanning of network vulnerabilities throughout the universities problematic. Contracted vulnerability assessment services could be eliminated if the universities owned their own vulnerability scanning solution. Collaboration among the universities to share a common vulnerability scanning solution and methodologies was a recommendation of the Moran Technology Consulting IT Collaborative Opportunities study. Some of the enhanced benefits of a scanning solution shared by the three universities include: Leveraging economies of scale to improve purchasing power and reduce the need for overlapping hardware Saving the overhead cost of developing scanning methodologies multiple times for each university independently Sharing technical expertise among security staff at the three universities to gain fresh perspectives and technical synergies Standardizing best practices for vulnerability scanning Aiding central IT to gain a more consistent, current view of the types of systems on the campus network, and providing additional insights into the type of data that may be stored on given networks Gaining the perspective of both an external intruder by scanning through network perimeters from scanners located at another university and an attacker located on the campus network At the direction of the Committee after the Moran study, the three universities assembled a working group led by The University of Arizona to explore this initiative. The group put together a report and project proposal in October 2007 for the Board outlining a plan to implement a shared Tri-U vulnerability scanning solution. Part 2: Description of Intended Outcomes and Strategies: Successful implementation of a shared vulnerability scanning infrastructure in order to realize the benefits described previously requires that three intermediary goals be accomplished: 1. Development of scanning methodologies to be implemented at all three universities 2. Selection of a scanning tool which fulfills Tri-U requirements 3. Development of prioritization criteria for network sensitivity The first goal, to create uniformly adopted scanning methodologies, is critical both for ensuring a baseline of standards for scans and for facilitating communications and technical cooperation between security staff at the three universities. Also, having the same ground rules across the three universities will increase the value of the data both for internal security staff and for audit purposes. 3

4 The second goal of selecting the right scanning tool is clearly important for maximizing the benefit that the selected product can offer while minimizing the amount of time and effort required to customize the tool to fit requirements. The third goal, to determine a set of criteria used to prioritize which networks to scan, is necessary to make efficient use of staff time spent on analyzing scan results. Security staff should spend more time and resources analyzing networks that contain resources critical to the mission and well-being of the universities. This judgment would become significantly more difficult to make without the ability to differentiate between networks. To use an extreme example, a main server in the Registrar s office should have more resources committed to analyzing its vulnerabilities than a transient laptop connected to wireless. This proposal focuses on the second goal of selecting and acquiring the right scanning tool. After reviewing practices at other universities and going over Gartner recommendations, an RFI was issued to determine marketscope. Summarizing briefly, the RFI reflected requirements collected by the working group during Phase 1 of the project, and covered 19 major points ranging from technical quality of scans to compliance reporting to training support offered by the vendor. A virtualized lab environment was created at the University of Arizona which contained both systems that were well protected and systems that had known vulnerabilities, and products participating in the RFI were tested first in this isolated lab environment. After initial testing, scans of other network segments were collected to review results against a larger sample size. Also during testing, the working group concluded that none of the leading network vulnerability scanners have a sufficiently mature web scanning functionality bundled in, and that a standalone web app scanner would be necessary to have the desired results. The addition of an automated penetration testing tool to the suite will also assist in the verification of vulnerabilities discovered. Based on the information gathered during the RFI, the working group proposes a suite consisting of (1) a network vulnerability scanning/management solution, (2) a web application vulnerability scanning solution, and (3) an automated penetration testing tool. Some of the tools covered during the exploratory process include the same solutions used by the Auditor General s Office. The web application vulnerability scanning solution was not part of the Moran report, but it bears repeating that it is considered by the working group to be very important and would provide a means of addressing an expanding source of vulnerabilities. Part 3: Technical Needs: Both the web application vulnerability scanning solution and the automated penetration testing tool are software based solutions, which will require the implementation of servers with the likely reliance on virtualization in order to decrease costs and maintenance. The technical needs to implement the network vulnerability scanning/management solution will depend on the solution chosen. As an example, certain vendors provide blackbox scanning appliances and complete hosted management services, whereas other vendors require hardware to be provided for their solution. The specifics of the technical needs will be pending the vendor selection at the conclusion of the RFP. 4

5 Part 4: Work Plan/Timeline: The work plan and timeline chart below has excluded resources and personnel as well as personnel hours, as these items will vary greatly depending on the vulnerability scanning solution chosen. For example, certain vendors offer turnkey solutions whereas others require or allow significant customization. Another example is the training of systems administrators some vendors offer regular vendor-led training as part of their total cost, whereas for others more University staff time will need to be dedicated for training. Work Plan/Timeline Chart: Schedule Aug Sep 2007 (Done) Project Phase/ Key Milestone Phase 1: Conduct requirements analysis and obtain project approval. Checkpoint 1: Present report to ABOR analyzing costs and benefits Tasks and Activities Resou rces and Perso nnel Perso nnel Hours Identify members of Tri-U working group and organize Begin conducting market survey of vulnerability scanning service offered by peer universities and tools used Begin identifying initial requirements from working group representatives Determine criteria for priority of networks to scan (PCI, student data, credit card transactions, network backbone networks, DNS, etc?). List gathered by Tri-U effort Each university determines which of their networks (IP ranges) match which of the above defined criteria. Review if classification of data and network criticality brings up additional technical requirements not identified earlier Oct Dec 2007 (Done) Phase 2: Define network sensitivity standards and determine priority of networks to scan based on sensitivity standards. Examine need for additional requirements after network identification. Checkpoint 2: Face to face meeting for working group participants to review requirements in person and discuss progress. Dec Jan 2008 (Done) Jan Mar 2008 (Done) Phase 3: Develop product evaluation criteria based on requirements gathered. Concurrently, develop high level methodologies for conducting scans both internally and of a sister university. Checkpoint 3: Review developed product evaluation criteria and methodologies Phase 4: Conduct market survey of scanning products Checkpoint 4: In person or web meeting for working Determine product evaluation criteria for selecting a scanning product based on requirements Develop high-level, technology-independent methodologies for security staff to conduct scans of another university, in terms of notification, scanning process and handling the results Develop suggested methodologies for security staff to conduct scans of their own critical networks Conduct market survey of vulnerability scanner vendors Draft and send out RFI using requirements defined in Phases 1 and 2 above 5

6 Apr Jun 2008 Jun Jul 2008 Jul 2008-mid Aug 2008 group participants to review RFI results Phase 4b: Issue RFP for vulnerability scanning solution, and acquire most suitable solution available Checkpoint 4b: Acquire solution or suite of solutions to meet TriU needs Phase 5: Obtain and set up site(s) for vulnerability scanner selected. Develop key performance indicators (KPIs) for production system. Define scanner specific processes to supplement previously defined high-level methodologies. Start production pilot after initial training for security staff. Checkpoint 5: In person meeting to compare pilot project results against predetermined KPIs and assess lessons learned from pilot. Phase 6: Make necessary modifications from pilot results versus KPIs and conduct final kickoff training. Begin implementation of regular, full scale scanning. Checkpoint 6: In person meeting with working group to discuss next steps and follow-up. Draft and send out RFP Conduct test of select products against established product evaluation criteria Demo top product(s) to Tri-U working group for feedback and conclude solution selection Develop proposed deployment design for selected scanner Submit test results, deployment design, and recommendation for top product to ABOR pending funding Develop Key Performance Indicators (KPIs) for production system. This is different from the product evaluation criteria developed previously as it accounts for strengths and weaknesses of the actual scanner system being implemented Set up hardware/network infrastructure for scanner system Develop specific detailed technology-based scanning procedures tailored to the selected tool to supplement previously defined highlevel methodologies Conduct first training session for security staff from all three Universities Initiate pilot scanning program involving small, closely monitored network ranges Make modifications based on lessons learned from pilot program. Repeat previous steps if necessary Conduct final kickoff training session for security staff conducting the scan Begin internal training and advertising campaign for systems administrators Implement regular, full scale scanning Part 5: Key Personnel: Harper Johnson (Harper.Johnson@nau.edu) Director NAU ITS Information Security Gwen Ceylon (gwen.ceylon@nau.edu) Sr. Information Security Analyst NAU ITS Information Security Greg Wilson (Greg.Wilson@ASU.EDU) Systems Analyst, Principal ASU UTO Ops Systems and Security 6

7 Jeremy Glassman Network Systems Analyst, Graduate Assistant UA UITS Security Operations Laura Corcoran Network Systems Analyst, Senior UA UITS Security Operations Abraham Kuo Network Systems Analyst, Principal UA UITS Security Operations Sylvia Johnson UA University Information Security Officer Part 6: Milestones, Performance Measures, and Deliverables: Phase and Checkpoint 1: (Scheduled for Sep 2007, Done) Conduct requirements analysis on project, and obtain project approval. Checkpoint 1 is to present report to ABOR analyzing costs and benefits regarding overall Tri-U Vulnerability Scanning/Management Infrastructure collaboration and project. Phase and Checkpoint 2: (Scheduled for Nov 2007, Done) Define network sensitivity standards and priority of networks to scan based on sensitivity standards. Examine additional requirements which may have surfaced after network identification. Checkpoint 2 is to review requirements collection from Phase 1 in person and discuss progress. Phase and Checkpoint 3: (Scheduled for Jan 2008, Done) Develop product evaluation criteria. Checkpoint 3 is to meet and review developed product evaluation criteria and methodologies Phase and Checkpoint 4: (Scheduled for Mar 2008, Done) Conduct market survey (RFI) of scanning products, demo and compare top products using pre-defined product evaluation criteria. Checkpoint 4 is to meet to review market survey. Phase and Checkpoint 4b: (Scheduled for Jun 2008, In Progress) Conduct RFP for vulnerability scanning/management solutions using previously defined metrics. Checkpoint 4b is to have acquired a solution that meets the TriU needs. The conclusion of Checkpoint 4b will also include the generation of the Reimbursement Report. Phase and Checkpoint 5: (Scheduled for Jul 2008, In Progress) Develop key performance indicators for the deployment of the solution selected, and implement the scanning procedures in a pilot production network. Checkpoint 5 is to meet to compare pilot project results against pre-determined KPIs and assess lessons learned from pilot. Phase and Checkpoint 6: (Scheduled for mid August 2008) Finalize training for security staff, begin mass adoption of scanning solution and methodology, and begin advertising and training campaign for systems administrators. Checkpoint 6 concludes with a meeting with the working group to review progress, discuss any next steps, and generate the Interim Progress Report. 7

8 The Final Project/Financial Report is proposed to be submitted in July of 2009, roughly one year after the initial implementation of the vulnerability scanning/management solution. Part 7: Evaluation Plan: The fundamental success of this project revolves around the detection and remediation of vulnerabilities on critical networks. As such, the success of the project should be measured by how accurate, how precise, and how actionable the information gathered is. In the near term, trending should be kept for critical networks on how many of the vulnerabilities detected were high priority, how many were actionable and quickly remediated, and how many were either false positives or had other compensating measures reducing the exposure caused by the vulnerability. Budget Justification Network Vulnerability Scanning/Management Solution $120,000 Web Application Vulnerability Scanning Tool $48,000 Vulnerability Penetration Testing Tool $27,000 Total cost $195,000 The range of costs varies considerably for the network vulnerability scanning solutions tested by the working group. As a result, the actual initial first year costs may be considerably less than the maximum cost expressed above. 8

9 ATTACHMENT D: IT INNOVATION FUND GRANT PROJECT TIMELINE AND PROGRESS REPORT Reporting Period: From April 2008 Through November 2008 Project #: Project Name: Institution: Tri-University Vulnerability Scanning/Management Solution PI Name: PI Phone: PI Key Milestones, Performance Measures, and/or Deliverables (from original proposal): Target Date Status:* Progress During This Time Period/Notes/Explanations Phase 4b: RFP and solution selection. Present Reimbursement Report Phase 5: Solution-specific process development and pilot deployment Jun 08 3 Three products are in process for selection: 1. Network Vulnerability Scanning/Management Solution The software tool QualysGuard was selected in July 08 and access was acquired in Oct. /08. A delay occurred due to a change in the procurement process. 2. Web Application Vulnerability Scanning Tool The software tool IBM Rational AppScan was selected in August 08 and access was acquired in Oct. 08. The selection of this tool is dependent upon the network vulnerability tool, thus the delay in acquisition. 3. Vulnerability Penetration Testing Tool An initial market survey was completed in March 08 but no tool has been selected. The final selection has been intentionally deferred to allow time to implement network and web vulnerability tools listed above. Jul 08 3 For the three products to be selected: 1. Network Vulnerability Scanning/Management Solution This phase is in progress. A kick-off meeting took place in Oct. 08 with vendor training in Nov. 08 for 17 attendees from the 3 universities. 2. Web Application Vulnerability Scanning Tool This phase is in progress. Solution deployment began in Nov. 08 and vendor training is scheduled for Dec. 08 and/or Jan Vulnerability Penetration Testing Tool 9

10 This tool is deferred as stated above. Phase 6: General implementation w/ focus on critical networks. Present Interim Progress Report Final report and one year later followup Aug 08 July 09 To come. To come. If appropriate, please attach a brief description and explanation of any planned modifications to the original project timeline, budget, or work plan. *For Status, enter: 1 = Ahead of schedule 2 = On track to meet schedule 3 = Behind schedule 10