How Technology, People, and Processes Converged to Achieve a 95 Percent Reduction in Security Incidents!

Tammy L. Clark, Asst. Director-UCCS, Information Security

William Monahan, Information Security Administrator Lead

2

A Little Background Info Georgia State’s information security

program launched in 2000 Currently, 3 dedicated staff

members serve the campus community

6000-8000 staff and faculty 20,000+ students Decentralized information

technology environment

3

In 2004, Our Campus Averaged 20 to 40 Security Incidents a Day… 2 million attacks launched against our systems

each week 95% or more of the successful ones targeted

Win2k or XP workstations 5% aimed at servers and network equipment 580+ desktops ravaged by Sasser within a

week’s time 250+ of these compromised by hackers within

a day or two later 20-40 successful malware invasions per day on

university and residential systems combined

4

Most Common Threats Emailed worm attachments and URL’s that

install spyware and Trojan Horses Exploited backdoors left behind by worms used

to get “root” and install hacker utilities Cracking weak passwords to get root Using automated exploits such as “DCOM” to

get root NT and unix rootkits IRC hackers turning systems into bots for use in

DDOS attacks or as warez servers Spam propagation through various exploits that

install SMTP engines on workstations and mail servers misconfigured as open mail relays

5

Georgia State’s Security Architecture In addition to AV on the desktops and/or servers, robust

gateway scanners… √ Control or restriction at the edge or on segments via a firewall √ Dynamic blocking at the edge via IPS…√ Centrally-maintained patch management √ IPS at the desktop, on servers, at the edge √ Ability to mandate use of “strong” passwords, through a

combination of policy and technology √ VPN for remote access √ Encrypted data transmission √ Secure email and/or FTP Vulnerability assessment and risk analysis √ A SIM or central logging facility to gather disparate data

gathered daily from firewalls, IDS, IPS, AV, etc., with data correlation and reporting

24/7 monitoring and incident detection/response

6

Security Architecture Continued Regulatory compliance in ensuring minimum

levels of security on networked devices processing sensitive info √

Developing a security awareness course (we used WebCT Vista) that can be distributed to faculty, staff, and students √

Establishment of secure, trusted zones that are separated from the rest of the network √

Access/authentication requirements on every wired port (except public access stations) and wireless areas √

Identity management system Self defending networks

7

Our Information Security Roadmap Information Security Plan based on ISO

17799 Policy Committees and Taskforces Security Solutions Security Operations Security Awareness Defense In depth through layering in

new solutions

8

Campus Security Plan Organized and aligned with ISO 17799

domains (12) Identifies areas that require policy,

guidelines, standards, and solutions Takes into account the academic and

information technology strategic objectives

Provides a 3 year roadmap after which we will seek accreditation

9

Policy In 2001, GSU president’s Administrative

Counsel approved three important policies that provided the initial impetus allowing us to improve the security posture at our university Mandatory AV on all university-owned

computers Mandatory server registration and adherence

with minimum standards for security configurations

Mandatory requirement to adhere to specified security standards on all systems processing, storing, and transmitting sensitive information

10

Committees and Taskforces In 2001, the creation of the Information Technology

Systems and Security committee, staffed by college technology managers, faculty, legal affairs, campus police, human resources, etc., brought the GSU community together for the purpose of improving computer security, developing policies, standards, evaluating and recommending solutions

From this committee, smaller working groups were developed to create new policies, pilot security tools, standardize security configurations for workstations and servers, and create the university’s CSIRT policy, guidelines and formal incident response team

11

Security Solutions While the previous measures discussed have made a positive

impact, the university still suffered from spikes in worm and hacking activity that resulted in many systems being reinstalled and lost worker productivity from Fall 2000 through Spring 2004

The IDS solution introduced in 2000 allowed us to quickly detect and respond to these attacks but didn’t assist in reducing them

Fall 2004, we noticed that incidents had markedly dropped off, allowing us to begin to take a proactive approach rather than a reactive one

While we used to experience between 20-40 incidents (worm infections, copyright violations and compromises) per day on our network we now find that we only have on average, zero to two per day at this point in time and very infrequent spikes in activity

We attribute this incident reduction to the synergy of people, processes and new technology solutions we implemented

12

IPS at The Edge, Anyone? We evaluated McAfee’s Intrushield 4000 appliance and also did

some R&D with Tippingpoint and ISS Proventia’ TECHNOLOGY: We selected Intrushield as it allows us to create

thousands of virtual ‘child’ domains with just one appliance that can apply very granular, customized policies to protect networked devices. Unlike our ISS Realsecure IDS, which we still maintain due to auditing capabilities that allow us to easily detect IRC bots and compromised systems, the Intrushield IPS allows us to dynamically block attacks in realtime, 24/7

PROCESS: We maintain an overall GSU policy that is applied to networked devices not housed under specific child domains. We also shield a group of high risk devices with a very restrictive policy. We create child domains for various colleges and departments and allow them to specify additional things they want to restrict via their departmental policies, such as P2P applications

PEOPLE: We provide training to campus systems administrators and allow them to obtain a child domain, maintain their own policies and gain access to the management console to view all activity on just their specific areas

13

Intrushield

14

IPS on Desktops and Servers We deployed ISS SiteProtector in 2003, a central console that

can manage network, server, and desktop sensors. The network sensors perform the IDS function and the server and desktop sensors have IPS capabilities built in.

TECHNOLOGY: We began distributing desktop IPS clients in 2004 to residential students. From there, we provided them to staff maintaining campus labs and classrooms. Various systems administrators are in the process of deploying server sensors to protect their critical systems.

PROCESS: We group desktop and server sensors by colleges and departments and we also create sub-domains underneath these groupings that apply more granular policies to specific systems.

PEOPLE: We provide training to campus systems administrators and allow them to manage their sensor groups, distribute and install sensors, maintain their own policies and gain access to the management console to view activity on just their specific areas

15

ISS SiteProtector

16

Managed Antivirus TECHNOLOGY: We distribute Symantec

antivirus to all Windows and Mac systems on campus and allow users to install it on remote systems as well

PROCESS: We provide a managed client that allows us to “push” AV updates as they come out and group the clients by the college or department they fall into. We also provide an unmanaged client for our remote users

PEOPLE: We provide targeted information about worms and viruses to campus administrators and plan to allow them access to their own groups on our management console once Symantec releases the ability to distribute management of AV clients

17

Symantec Antivirus

18

GSU’s Secure Computing Initiative In response to regulatory requirements to protect customer

information, we established a program that mandates (yes, you heard this right!) the use of IPS, strong passwords, secure device configurations, and an electronic security awareness course

TECHNOLOGY: ISS Proventia’ desktop IPS and Symantec’s antivirus client. We also ask systems admins to either obtain ISS’ server sensor or allow us to place their device behind the “shield” with a restrictive policy

PROCESS: We require college/department information technology representatives to provide us with an inventory of systems and a survey questionnaire specifying what steps they are taking in the areas of backups, disaster recovery, etc. We provide them with training on the ISS SiteProtector management system, checklists that specify configuration requirements on XP and 2000 workstations (which are prevalent on our campus), and conduct a risk analysis of their area

PEOPLE: College/department technology representatives distribute and install the IPS and antivirus software, ensure that users’ systems are configured via our checklist requirements, and we contact users to take the security awareness course

19

HIPAA Compliance Matrix

20

Risk Analyses and Security Reviews As colleges and dept’s at GSU acquire new

technology from vendors to assist in their academic or business endeavors, we get involved in assessing the potential risk that new devices, software, etc., can introduce

TECHNOLOGY: We run vulnerability scans on these vendor-supplied systems

PROCESS: We also conduct risk analyses to determine the use of encryption in data transmission, examine security configurations, determine whether sensitive data is involved

PEOPLE: We work with vendors to resolve problems prior to systems going into production; we also place high risk systems behind the “shield”

21

Residential Segments of the Network This past year we implemented Perfigo’s CleanMachines

solution and it proved very successful in ensuring that students maintained reasonable levels of security on their systems.

TECHNOLOGY: We provided residents with the CleanMachines agent, ISS desktop IPS, and the Symantec antivirus client on a CD

PROCESS: We configured CleanMachines to check for the presence of the IPS, AV, and completion of Windows updates. We provided training to housing staff members and student assistants and a ‘clearinghouse’ website to go to for info

PEOPLE: Workstation support techs in our department assisted residents who could not successfully navigate CleanMachines due to worm infested systems and network techs helped residents with connectivity issues caused by bad “nic” cards or cables.

22

Security Operations We have several security monitoring systems that provide

critical information to us about attacks and intrusions 24/7 TECHNOLOGY: We establish automated alerting and

reporting mechanisms within Intrushield and ISS Siteprotector to provide targeted information

PROCESS: We are offering training to network operations and helpdesk technicians to allow them to field alerts 24/7 and create Remedy helpdesk tickets, make notifications, and contact us to analyze information that comes in about potential attacks and incidents

PEOPLE: We have an experienced security operations/incident handler in our department who collects data and manages incidents during business hours. We also have a CSIRT on campus and a policy that we are allowed to decide to disrupt network services to any device that represents a threat to the university if necessary without prior notification

23

Security Awareness TECHNOLOGY: We provide security awareness

presentations on demand and are in the process of distributing a WebCT Vista security awareness course to campus users

PROCESS: We are working to have this electronic course distributed to all incoming freshman students as part of their “freshman communities” curriculum. We require everyone on campus processing sensitive information to take the course and achieve a passing score on the test that accompanies it

PEOPLE: We are working with human resources staff members to include the course in their new employee orientations

24

Defense In Depth The challenge we all face in seeking to protect customer

information and university technical resources is achieving a delicate balance between applying controls and utilizing these resources at optimum levels of efficiency and effectiveness

From 2000 to the third quarter of 2004, we layered existing technological solutions, devised processes that often required the active participation of the campus community and we found that we could not stem the tide of blended threats that managed to evade our controls

The emergence of IPS at the edge, on servers and desktops, along with regulatory requirements that mandate minimum levels of security have evolved our efforts to allow us to be more proactive, to manage security efforts “end to end” on the network, rather than exist in a purely reactive mode. These controls are transparent for the most part to our campus community, as we do not deploy some of the more intrusive measures these solutions are capable of..

25

Defense in Depth Cont. We constantly devise policies and processes that

can be instituted to better protect network devices, more often than not, without user intervention. We focus on educating staff, faculty, and users about policies, mandated requirements, and about the threats and vulnerabilities they will encounter when they utilize systems connected to the internet…

We’ve achieved a measure of success at this point, but we continue to examine new technologies that surface such as ‘self defending networks’ and complex ones such as ‘IDMS’ to allow us to mitigate the effects of mobile users bringing infected systems to campus and access/authentication issues

26

Questions?

Copyright Tammy Clark, May 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.