NAU, UA, and ASU seek funding to implement and deploy a vulnerability scanning and management solution. Funding amount requested: $195,000.



Technology Oversight Committee, April 23, 2008, Item 5, Page 1 of 1

EXECUTIVE SUMMARY / ACTION ITEM
Tri-University Vulnerability Scanning/Management Solution

ISSUE
NAU, UA, and ASU seek funding to implement and deploy a vulnerability scanning and management solution. Funding amount requested: $195,000.

BACKGROUND
In April 2007, the Technology Oversight Committee hired a consultant, Moran Technology Consulting, to develop a strategic planning framework that would help the Regents and universities decide when, how, and to what degree potential IT collaborative opportunities could be pursued. The study was concluded in June 2007 with eleven initiatives defined. Three of those initiatives were selected for further review: IT Security Scanning, Open Supercomputing Services, and IT Methodologies, Processes, and Tools. On October 12, 2007, a detailed project plan for the selection and implementation of a security scanning solution was presented to ATOC and approved; one step of that plan was to request funding from ABOR.

DISCUSSION
To create an effective vulnerability scanning and management solution, this initiative will select and install the appropriate hardware and software for conducting the scans, develop methodologies and processes for staff to conduct effective scans, and provide guidance for selecting and prioritizing critical networks to scan. The ultimate goal is to provide the three universities with the tools needed to detect system and web vulnerabilities before they are exploited by intruders, and to reduce the risk of sensitive information loss or disruption of the networks that support our core mission.

The proposed scanning solution would allow the universities to:
- Gain an external intruder's point of view by scanning through network perimeters from scanners located at a sister university
- Take the vantage point of an attacker located on the campus network by regularly scanning their own critical networked IT assets from the inside

The projected completion date is August 2008.

RECOMMENDATION
It is recommended that the ABOR Technology Oversight Committee approve this grant application for $195,000 from unallocated 2008 ARRO funds to support the Tri-University Vulnerability Scanning/Management Solution.

CONTACTS:
Michele Norin, CIO, UofA, (520) 621-5972; norin@arizona.edu
Fred Estrella, CIO, NAU, (928) 523-9998; fred.estrella@nau.edu
Adrian Sannier, CITO, ASU, (480) 965-8419; adrian.sannier@asu.edu

The Arizona Board of Regents
Request for Proposals and Application Guidelines
Information Technology Innovation Fund
2008 Innovation Grant Program
Tri-University Vulnerability Scanning/Management Solution

Arizona Board of Regents
2020 N. Central Avenue, Suite 230
Phoenix, AZ 85004
Phone: 602-229-2560
Fax: 602-229-2555
www.azregents.edu

ATTACHMENT A: IT INNOVATION FUND GRANT APPLICATION COVER SHEET

1. Project Title: Tri-University Vulnerability Scanning/Management Solution
2. Lead Institution/Unit: The University of Arizona
3. Amount requested: $195,000
4. Please check any collaborating campuses or universities:
   [x] ASU Main (Tempe)   [ ] ASU West Campus   [ ] ASU Polytechnic Campus   [ ] ASU Downtown Campus
   [x] UA (Tucson)   [ ] UA South
   [x] NAU
5. List other collaborating institutions or organizations (outside the Arizona University System):

6. Briefly describe the project (50 words maximum):
   This initiative strives to create an effective vulnerability scanning and management solution. This involves selecting and installing the appropriate hardware and software for conducting the scans, developing methodologies and processes for staff to conduct effective scans, and providing guidance for selecting and prioritizing critical networks to scan.
7. Project Director:
   Name: Sylvia Johnson (UA), Harper Johnson (NAU), Scott Banks (ASU)
   Title: Information Security Officers
   Phone:
   Email: sjohnson@arizona.edu, harper.johnson@nau.edu,
   Fax:
   Address:
   City/State/Zip:
   SIGNATURE:                    DATE:
8. Co-directors? [ ] Yes [ ] No (Please list contact information for co-directors, if any, on a separate sheet.)
9. Department Chair/Unit Director/College Dean/Provost (may not be same as Project Director):
   Name: Michele Norin (UA), Fred Estrella (NAU), Adrian Sannier (ASU)
   Title: Chief Information Technology Officers
   Phone:
   Email: norin@arizona.edu, fred.estrella@nau.edu, adrian.sannier@asu.edu
   Fax:
   Address:
   City/State/Zip:
   SIGNATURE:                    DATE:
10. Sponsored Projects Office Representative:
   Name:
   Title:
   Phone:
   Email:
   Fax:
   Address:
   City/State/Zip:
   SIGNATURE:                    DATE:

IT Innovation Fund Grant Program
c/o Arizona Board of Regents
2020 N. Central Avenue, Suite 230
Phoenix, AZ 85004
Phone: 602-229-2524
Fax: 602-229-2555
www.azregents.edu

Table of Contents

Introductory Material
   Grant Application Cover Sheet (Attachment A)
Table of Contents
Project Summary
Proposal Narrative
   Description of Need or Opportunity
   Description of Intended Outcomes and Strategies
   Technical Needs
   Work Plan/Timeline
   Key Personnel
   Milestones, Performance Metrics, and Deliverables
   Evaluation Plan
Budget Documents
   Budget Request Form (Attachment B)
   Budget Justification
   Faculty/Staff Compensation Worksheet (Attachment C)
Other Attachments
   Project Timeline and Progress Report (Attachment D)

Project Summary

This grant application is part of a previous project report presented to ABOR to create a shared Tri-University vulnerability scanning and management solution, which was one of the recommendations of the Moran Technology Consulting IT Collaborative Opportunities study. The proposed scanning solution would allow the three universities to:
- Gain an external intruder's point of view by scanning through network perimeters from scanners located at a sister university
- Take the vantage point of an attacker located on the campus network by regularly scanning their own critical networked IT assets from the inside

To create an effective vulnerability scanning and management solution, this initiative will select and install the appropriate technologies for conducting both network system and web application scans, develop methodologies and processes for staff to conduct effective scans, and provide guidance for selecting and prioritizing critical networks to scan. The ultimate goal is to provide the three universities with the tools needed to detect system and web vulnerabilities before they are exploited by intruders, and to reduce the risk of sensitive information loss or disruption of the networks that support our core mission.

Proposal Narrative

Part 1: Description of Need or Opportunity

Vulnerability scanning on networks is the practice of using tools to automate the detection of potential weaknesses in networked computer systems, and the process of interpreting these results to determine which vulnerabilities may be the most susceptible to being leveraged by a potential intruder. Regularly conducting vulnerability scanning (henceforth referred to as "scanning") is a critical component of an overall defense-in-depth strategy, and can establish a baseline of the security exposures that an intruder could exploit. This baseline can be used to track ongoing remediation efforts and provides guidance for Information Technology (IT) system administrators regarding security issues that need to be addressed. The significant benefits of regularly scanning each university's network include:
- Establishing a baseline of vulnerabilities that an intruder may exploit
- Providing IT system administrators with an outside view of the services they may be offering on the network
- Acting as a safety net for routine yet critical tasks such as patching software running on networked devices; for example, a vulnerability scan may reveal a previously overlooked critical patch that is missing
- Providing a certain degree of review for potentially insecure configurations
- Helping to comply with pertinent government or industry regulations

Discovering and addressing vulnerabilities in web applications, in addition to network system vulnerabilities, is also of significant and growing importance. Vulnerabilities in web applications can lead to significant data leakage, alteration of data, or even the compromise of an otherwise secure networked system.

Currently, each of the three universities conducts its own network vulnerability scanning with a variety of primarily open-source tools and contracted services. Significant labor costs and effort are required to deploy those tools, making regular scanning of network vulnerabilities throughout the universities problematic. Contracted vulnerability assessment services could be eliminated if the universities owned their own vulnerability scanning solution.

Collaboration among the universities to share a common vulnerability scanning solution and methodologies was a recommendation of the Moran Technology Consulting IT Collaborative Opportunities study. Some of the enhanced benefits of a scanning solution shared by the three universities include:
- Leveraging economies of scale to improve purchasing power and reduce the need for overlapping hardware
- Saving the overhead cost of developing scanning methodologies multiple times, once for each university independently
- Sharing technical expertise among security staff at the three universities to gain fresh perspectives and technical synergies
- Standardizing best practices for vulnerability scanning
- Aiding central IT in gaining a more consistent, current view of the types of systems on the campus network, and providing additional insight into the types of data that may be stored on given networks
- Gaining the perspective both of an external intruder, by scanning through network perimeters from scanners located at another university, and of an attacker located on the campus network

At the direction of the Committee after the Moran study, the three universities assembled a working group led by The University of Arizona to explore this initiative. The group put together a report and project proposal in October 2007 for the Board outlining a plan to implement a shared Tri-U vulnerability scanning solution.

Part 2: Description of Intended Outcomes and Strategies

Successful implementation of a shared vulnerability scanning infrastructure, in order to realize the benefits described previously, requires that three intermediary goals be accomplished:
1. Development of scanning methodologies to be implemented at all three universities
2. Selection of a scanning tool which fulfills Tri-U requirements
3. Development of prioritization criteria for network sensitivity

The first goal, to create uniformly adopted scanning methodologies, is critical both for ensuring a baseline of standards for scans and for facilitating communication and technical cooperation between security staff at the three universities. Also, having the same ground rules across the three universities will increase the value of the data both for internal security staff and for audit purposes.

The second goal, selecting the right scanning tool, is clearly important for maximizing the benefit that the selected product can offer while minimizing the amount of time and effort required to customize the tool to fit requirements.

The third goal, to determine a set of criteria used to prioritize which networks to scan, is necessary to make efficient use of staff time spent on analyzing scan results. Security staff should spend more time and resources analyzing networks that contain resources critical to the mission and well-being of the universities. This judgment would become significantly more difficult to make without the ability to differentiate between networks. To use an extreme example, a main server in the Registrar's office should have more resources committed to analyzing its vulnerabilities than a transient laptop connected to wireless.

This proposal focuses on the second goal of selecting and acquiring the right scanning tool. After reviewing practices at other universities and going over Gartner recommendations, an RFI was issued to determine the market scope. Summarizing briefly, the RFI reflected requirements collected by the working group during Phase 1 of the project, and covered 19 major points ranging from technical quality of scans to compliance reporting to training support offered by the vendor. A virtualized lab environment was created at the University of Arizona which contained both systems that were well protected and systems that had known vulnerabilities, and products participating in the RFI were tested first in this isolated lab environment. After initial testing, scans of other network segments were collected to review results against a larger sample size.
Also during testing, the working group concluded that none of the leading network vulnerability scanners has sufficiently mature web scanning functionality bundled in, and that a standalone web application scanner would be necessary to achieve the desired results. The addition of an automated penetration testing tool to the suite will also assist in verifying the vulnerabilities discovered. Based on the information gathered during the RFI, the working group proposes a suite consisting of (1) a network vulnerability scanning/management solution, (2) a web application vulnerability scanning solution, and (3) an automated penetration testing tool. Some of the tools covered during the exploratory process include the same solutions used by the Auditor General's Office. The web application vulnerability scanning solution was not part of the Moran report, but it bears repeating that the working group considers it very important, as it would provide a means of addressing an expanding source of vulnerabilities.

Part 3: Technical Needs

Both the web application vulnerability scanning solution and the automated penetration testing tool are software-based solutions, which will require the implementation of servers, likely relying on virtualization in order to decrease costs and maintenance. The technical needs to implement the network vulnerability scanning/management solution will depend on the solution chosen. As an example, certain vendors provide black-box scanning appliances and complete hosted management services, whereas other vendors require hardware to be provided for their solution. The specifics of the technical needs will be pending the vendor selection at the conclusion of the RFP.

Part 4: Work Plan/Timeline

The work plan and timeline chart below excludes resources and personnel as well as personnel hours, as these items will vary greatly depending on the vulnerability scanning solution chosen. For example, certain vendors offer turnkey solutions whereas others require or allow significant customization. Another example is the training of systems administrators: some vendors offer regular vendor-led training as part of their total cost, whereas for others more University staff time will need to be dedicated to training.

Work Plan/Timeline Chart (the Resources and Personnel and Personnel Hours columns are left blank, as explained above):

Schedule: Aug 2007 - Sep 2007 (Done)
Project Phase/Key Milestone: Phase 1: Conduct requirements analysis and obtain project approval. Checkpoint 1: Present report to ABOR analyzing costs and benefits.
Tasks and Activities:
- Identify members of Tri-U working group and organize
- Begin conducting market survey of vulnerability scanning services offered by peer universities and tools used
- Begin identifying initial requirements from working group representatives

Schedule: Oct 2007 - Dec 2007 (Done)
Project Phase/Key Milestone: Phase 2: Define network sensitivity standards and determine priority of networks to scan based on sensitivity standards. Examine need for additional requirements after network identification. Checkpoint 2: Face-to-face meeting for working group participants to review requirements in person and discuss progress.
Tasks and Activities:
- Determine criteria for priority of networks to scan (PCI, student data, credit card transactions, network backbone networks, DNS, etc.); list gathered by Tri-U effort
- Each university determines which of their networks (IP ranges) match which of the above defined criteria
- Review whether classification of data and network criticality brings up additional technical requirements not identified earlier

Schedule: Dec 2007 - Jan 2008 (Done)
Project Phase/Key Milestone: Phase 3: Develop product evaluation criteria based on requirements gathered. Concurrently, develop high-level methodologies for conducting scans both internally and of a sister university. Checkpoint 3: Review developed product evaluation criteria and methodologies.
Tasks and Activities:
- Determine product evaluation criteria for selecting a scanning product based on requirements
- Develop high-level, technology-independent methodologies for security staff to conduct scans of another university, in terms of notification, scanning process, and handling of the results
- Develop suggested methodologies for security staff to conduct scans of their own critical networks

Schedule: Jan 2008 - Mar 2008 (Done)
Project Phase/Key Milestone: Phase 4: Conduct market survey of scanning products. Checkpoint 4: In-person or web meeting for working group participants to review RFI results.
Tasks and Activities:
- Conduct market survey of vulnerability scanner vendors
- Draft and send out RFI using requirements defined in Phases 1 and 2 above
- Conduct test of select products against established product evaluation criteria

Schedule: Apr 2008 - Jun 2008
Project Phase/Key Milestone: Phase 4b: Issue RFP for vulnerability scanning solution, and acquire most suitable solution available. Checkpoint 4b: Acquire solution or suite of solutions to meet Tri-U needs.
Tasks and Activities:
- Draft and send out RFP
- Demo top product(s) to Tri-U working group for feedback and conclude solution selection
- Develop proposed deployment design for selected scanner
- Submit test results, deployment design, and recommendation for top product to ABOR pending funding

Schedule: Jun 2008 - Jul 2008
Project Phase/Key Milestone: Phase 5: Obtain and set up site(s) for vulnerability scanner selected. Develop key performance indicators (KPIs) for production system. Define scanner-specific processes to supplement previously defined high-level methodologies. Start production pilot after initial training for security staff. Checkpoint 5: In-person meeting to compare pilot project results against predetermined KPIs and assess lessons learned from pilot.
Tasks and Activities:
- Develop Key Performance Indicators (KPIs) for production system. This is different from the product evaluation criteria developed previously, as it accounts for strengths and weaknesses of the actual scanner system being implemented
- Set up hardware/network infrastructure for scanner system
- Develop specific, detailed technology-based scanning procedures tailored to the selected tool to supplement previously defined high-level methodologies
- Conduct first training session for security staff from all three Universities
- Initiate pilot scanning program involving small, closely monitored network ranges

Schedule: Jul 2008 - mid Aug 2008
Project Phase/Key Milestone: Phase 6: Make necessary modifications from pilot results versus KPIs and conduct final kickoff training. Begin implementation of regular, full-scale scanning. Checkpoint 6: In-person meeting with working group to discuss next steps and follow-up.
Tasks and Activities:
- Make modifications based on lessons learned from pilot program; repeat previous steps if necessary
- Conduct final kickoff training session for security staff conducting the scans
- Begin internal training and advertising campaign for systems administrators
- Implement regular, full-scale scanning

Part 5: Key Personnel

- Harper Johnson (Harper.Johnson@nau.edu), Director, NAU ITS Information Security
- Gwen Ceylon (gwen.ceylon@nau.edu), Sr. Information Security Analyst, NAU ITS Information Security
- Greg Wilson (Greg.Wilson@ASU.EDU), Systems Analyst, Principal, ASU UTO Ops Systems and Security
- Jeremy Glassman (jeremy.glassman@arizona.edu), Network Systems Analyst, Graduate Assistant, UA UITS Security Operations
- Laura Corcoran (lcorcora@email.arizona.edu), Network Systems Analyst, Senior, UA UITS Security Operations
- Abraham Kuo (akuo@arizona.edu), Network Systems Analyst, Principal, UA UITS Security Operations
- Sylvia Johnson (sjohnson@arizona.edu), UA University Information Security Officer

Part 6: Milestones, Performance Measures, and Deliverables

Phase and Checkpoint 1 (Scheduled for Sep 2007, Done): Conduct requirements analysis on project, and obtain project approval. Checkpoint 1 is to present a report to ABOR analyzing costs and benefits regarding the overall Tri-U Vulnerability Scanning/Management Infrastructure collaboration and project.

Phase and Checkpoint 2 (Scheduled for Nov 2007, Done): Define network sensitivity standards and priority of networks to scan based on sensitivity standards. Examine additional requirements which may have surfaced after network identification. Checkpoint 2 is to review the requirements collected in Phase 1 in person and discuss progress.

Phase and Checkpoint 3 (Scheduled for Jan 2008, Done): Develop product evaluation criteria. Checkpoint 3 is to meet and review the developed product evaluation criteria and methodologies.

Phase and Checkpoint 4 (Scheduled for Mar 2008, Done): Conduct market survey (RFI) of scanning products; demo and compare top products using pre-defined product evaluation criteria. Checkpoint 4 is to meet to review the market survey.

Phase and Checkpoint 4b (Scheduled for Jun 2008): Conduct RFP for vulnerability scanning/management solutions using previously defined metrics. Checkpoint 4b is to have acquired a solution that meets the Tri-U needs. The conclusion of Checkpoint 4b will also include the generation of the Reimbursement Report.

Phase and Checkpoint 5 (Scheduled for Jul 2008): Develop key performance indicators for the deployment of the solution selected, and implement the scanning procedures in a pilot production network. Checkpoint 5 is to meet to compare pilot project results against pre-determined KPIs and assess lessons learned from the pilot.

Phase and Checkpoint 6 (Scheduled for mid August 2008): Finalize training for security staff, begin mass adoption of the scanning solution and methodology, and begin the advertising and training campaign for systems administrators. Checkpoint 6 concludes with a meeting with the working group to review progress, discuss any next steps, and generate the Interim Progress Report.

The Final Project/Financial Report is proposed to be submitted in July of 2009, roughly one year after the initial implementation of the vulnerability scanning/management solution.

Part 7: Evaluation Plan

The fundamental success of this project revolves around the detection and remediation of vulnerabilities on critical networks. As such, the success of the project should be measured by how accurate, how precise, and how actionable the information gathered is. In the near term, trends should be kept for critical networks on how many of the vulnerabilities detected were high priority, how many were actionable and quickly remediated, and how many were either false positives or had other compensating measures reducing the exposure caused by the vulnerability.
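The trending described in the evaluation plan, and the network prioritization from Part 2, can be kept with a small script that tags each scanner finding with the sensitivity criterion of the network it sits on and then counts, per network, how many findings were high priority, remediated within a remediation window, false positives, or covered by compensating controls. The following is an added example written for this page, not the working group's tooling or any vendor's product; the IP ranges, criterion labels, status vocabulary, 14-day remediation window, and sample findings are all constructed assumptions.

```python
"""Per-network vulnerability trending (added example; constructed data).

Each finding is mapped to the sensitivity criterion of the network range it
belongs to, then counted into the buckets the evaluation plan names: high
priority, remediated (and remediated quickly), false positive, compensated.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Hypothetical network sensitivity criteria. The real Tri-U list of criteria
# and IP ranges is not on the page; these ranges and labels are constructed.
NETWORK_CRITERIA: List[Tuple] = [
    (ip_network("10.1.0.0/24"), "registrar-student-data"),
    (ip_network("10.2.0.0/24"), "pci-card-transactions"),
    (ip_network("10.9.0.0/16"), "wireless-transient"),
]

METRICS = ("total", "high_priority", "remediated", "remediated_within_sla",
           "false_positive", "compensated", "open")
VALID_STATUS = ("open", "remediated", "false_positive", "compensated")


@dataclass
class Finding:
    host: str                 # IP address reported by the scanner
    severity: str             # "high", "medium" or "low" (assumed vocabulary)
    status: str               # one of VALID_STATUS after analyst review
    detected: date
    closed: Optional[date] = None   # set when status is "remediated"


def classify_network(host: str) -> str:
    """Return the sensitivity label of the first range containing host."""
    addr = ip_address(host)
    for net, label in NETWORK_CRITERIA:
        if addr in net:
            return label
    return "unclassified"


def trend(findings: List[Finding], sla_days: int = 14) -> Dict[str, Dict[str, int]]:
    """Bucket findings per network. sla_days is the assumed window in which a
    remediation counts as 'quick'."""
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for f in findings:
        if f.status not in VALID_STATUS:
            raise ValueError(f"unknown status {f.status!r} for {f.host}")
        m = out[classify_network(f.host)]
        m["total"] += 1
        if f.severity == "high":
            m["high_priority"] += 1
        if f.status == "remediated":
            m["remediated"] += 1
            if f.closed is not None and f.closed - f.detected <= timedelta(days=sla_days):
                m["remediated_within_sla"] += 1
        else:
            m[f.status] += 1
    return dict(out)


def precision(metrics: Dict[str, int]) -> float:
    """Share of findings on a network that were real exposures, i.e. not
    false positives; one way to express the plan's 'how precise' criterion."""
    if metrics["total"] == 0:
        return 0.0
    return (metrics["total"] - metrics["false_positive"]) / metrics["total"]


# Constructed sample findings, as an analyst might record them after a pilot scan.
SAMPLE_FINDINGS = [
    Finding("10.1.0.5", "high", "open", date(2008, 7, 1)),
    Finding("10.1.0.7", "high", "remediated", date(2008, 7, 1), date(2008, 7, 5)),
    Finding("10.1.0.9", "medium", "false_positive", date(2008, 7, 2)),
    Finding("10.2.0.3", "high", "compensated", date(2008, 7, 1)),
    Finding("10.2.0.4", "high", "remediated", date(2008, 7, 1), date(2008, 8, 1)),
    Finding("10.9.3.20", "low", "open", date(2008, 7, 3)),
    Finding("192.168.50.1", "high", "open", date(2008, 7, 3)),
]


if __name__ == "__main__":
    for network, m in sorted(trend(SAMPLE_FINDINGS).items()):
        print(f"{network:24s} precision={precision(m):.2f} {m}")
```

Run over a real export, the same buckets kept per scan cycle give the per-network trend the evaluation plan asks for; a rising false-positive share on a critical network, or a remediated count that stays flat while the high-priority count grows, is the signal that the scanner tuning or the remediation process needs attention.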

ATTACHMENT B: BUDGET REQUEST FORM

Lead Institution: University of Arizona
Project Title: Tri-University Vulnerability Scanning/Management Solution
Project Director:
AMOUNT REQUESTED:
Match Amount [1]:
Source of Match:

1. PERSONNEL COSTS (List names/titles separately): 0.00
   A. Key Personnel (Faculty & Staff) Salaries (itemize): 0.00
   B. Support Personnel (Clerical, Assistants, etc.) Salaries (itemize): 0.00
   C. Key Personnel Fringe Benefits (ERE): 0.00
   D. Support Personnel Fringe Benefits (ERE): 0.00
   TOTAL PERSONNEL COSTS: 0.00
2. PROFESSIONAL/OUTSIDE SERVICES (itemize): 0.00
3. STAFF TRAVEL: 0.00
4. COMMUNICATIONS: 0.00
5. MATERIALS & SUPPLIES: 195,000.00
6. OTHER OPERATING EXPENDITURES: 0.00
7. SUBTOTAL (TOTAL DIRECT COSTS): 195,000.00
8. INDIRECT COSTS (Max. 8% of subtotal costs) [2]:
9. TOTAL COSTS: 195,000.00

[1] Matching and/or supporting funds, while not required, will be considered positively in reviewing the proposal.
[2] Indirect and overhead funds may be included as part of the match, but may not be included in the amount requested.

PARTNERSHIP DISTRIBUTION: If multiple universities/campuses will be partnering, please use the following table to list the amount of grant funds that each participating university/campus will require:
University/Campus:                    Amount Requested:

Budget Justification

Network Vulnerability Scanning/Management Solution    $120,000
Web Application Vulnerability Scanning Tool            $48,000
Vulnerability Penetration Testing Tool                 $27,000
Total cost                                            $195,000

The range of costs varies considerably among the network vulnerability scanning solutions tested by the working group. As a result, the actual initial first-year costs may be considerably less than the maximum cost expressed above.

ATTACHMENT C: IT Innovation Fund Grant Faculty/Staff Compensation Detail Worksheet

Proposal Title: Tri-University Vulnerability Scanning/Management Solution
Proposal Number:
Universities: Northern Arizona University, Arizona State University, The University of Arizona
Worksheet Completed By: Name: Abraham Kuo   Email: akuo@arizona.edu   Phone: (520) 626 9736
Date Submitted to ABOR:

Name of Faculty or Staff Member: ASU/NAU/UA staff
State-Funded Part-Time? (Y or N):
State-Funded Full-Time? (Y or N):
9-mo. or 12-mo.?:
Brief description of grant-funded task(s) to be performed: No grant funding will be applied towards staff time and labor costs
Time frame of grant-funded task(s) to be performed: Start:   End:
Amount of grant budget request (with detailed calculations): Time contribution contingent upon product selection

PLEASE NOTE: If your request to ABOR includes compensation for course release for a full-time faculty member, you must submit a letter signed by the Department head stating that the course release has been authorized by the Department, under one of the two following conditions:
- If the faculty member's course load and salary have both been reduced, ABOR will consider a request to compensate the faculty member for project-related work up to the amount of the salary reduction.
- If the faculty member's course load has been reduced with no reduction in salary, ABOR will consider a request to pay for replacement (part-time) instructors.

ATTACHMENT D: IT INNOVATION FUND GRANT PROJECT TIMELINE AND PROGRESS REPORT

Reporting Period: From            Through
Project #:
Project Name: Tri-University Vulnerability Scanning/Management Solution
Institution:
PI Name:
PI Phone:
PI Email:

Key Milestones, Performance Measures, and/or Deliverables (from original proposal) | Target Date | Status* | Progress During This Time Period/Notes/Explanations
- Phase 4b: RFP and solution selection. Present Reimbursement Report | Jun 08 | | 
- Phase 5: Solution-specific process development and pilot deployment | Jul 08 | | 
- Phase 6: General implementation with focus on critical networks. Present Interim Progress Report | Aug 08 | | 
- Final report and one-year-later follow-up | July 09 | | 

If appropriate, please attach a brief description and explanation of any planned modifications to the original project timeline, budget, or work plan.

PI Signature                              Date

*For Status, enter: 1 = Ahead of schedule; 2 = On track to meet schedule; 3 = Behind schedule