
Page 1: MSBO Protecting and Recovering Your Data Mark Lachniet mlachniet@analysts.com Analysts International

MSBO
Protecting and Recovering Your Data
Mark Lachniet
mlachniet@analysts.com
Analysts International

Page 2: Introductions
• Mark Lachniet (mlachniet@analysts.com)
• Technical Director, Security Services Group
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Frequent presenter at local educational conferences (MACUL, MAEDS, MIEM)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, etc.
• Formerly the I.S. Director at Holt Public Schools

Page 3: The CIA Triangle
(diagram: Confidentiality, Integrity, Availability)

Page 4: The CIA Triangle
• Confidentiality
  – The unintended or unauthorized disclosure of computer data or information
• Integrity
  – The unintended or unauthorized modification of computer data or information
• Availability
  – The loss of service of critical applications, systems, data, networks or computer services
• We need to worry about all three

Page 5: The CIA Triangle – examples
• Confidentiality
  – Disclosure of special education status
  – Disclosure of free and reduced lunch status
  – Disclosure of salary information, performance evaluations, union grievances, criminal history checks, etc.
• Integrity
  – Compromise of financial systems (e.g. to create a fake vendor and cut checks, change salary, etc.)
  – Compromise of student management systems (changing grades, attendance, etc.)
• Availability
  – Ability to pay employees, vendors
  – Ability to use Internet and networked resources for education

Page 6: The Cost of Downtime
• Have you analyzed how much it costs your organization to have systems down?
• Without computer labs and library systems, many educational activities can’t take place
• Even if you cannot quantify the cost of lost educational opportunities, you probably have 70% to 80% of your costs in labor
• If people can’t work, at least after a while, you are losing that money
• Also creates costs associated with paying I.T. staff to fix issues, or getting help from outside vendors

Page 7: So What Can You Do?
• Help your district to establish ongoing risk management activities!
• This may be a new thing for your technical people – their idea of managing risk might be the “cat and mouse” game of preventing and catching students who are “hacking”
• In truth, we care about the business impact of computer security
• A stable and mature I.T. infrastructure means stable (and predictable) costs
• Unfortunately, tech people generally dislike structure and documentation
• As someone with more rigorous training in financial controls, you might be able to help!

Page 8: Defining Good I.T. Operations
• One organization that tries to do this is ITIL (http://www.itil.org/itil_e/index_e.html)
• ITIL is the acronym for the "IT Infrastructure Library"
• Has many documents on best practices that you could use internally to develop your practices and standards
• We will discuss some of these areas, and include additional information on security management as well
• Another good resource is the free computer security policies from SANS (http://www.sans.org/resources/policies)

Page 9: Create a Risk Management Group
• Ideally, you will create a group that regularly examines and manages risks to the organization (in our case I.T.)
  – Include representation from I.T., finance, media services, school administration, the board, etc.
  – Everyone has a stake in keeping I.T. running!
  – Identify critical I.T. resources (perhaps through a Business Impact Analysis) and impacts of downtime
  – Identify specific risk management strategies for these key systems (e.g. disaster recovery plans, security software, personnel controls, procedures, etc.)
  – Implement and monitor the success of controls over time

Page 10: Risk Management Activities
• Ensure that network scans are performed to identify systems with security flaws
• Need to assess Internet-accessible systems, internal systems, and web applications at a minimum
• Need to assess the security of wireless and remote access systems
• Regularly review user access rights within applications and file systems
• Regularly review policies and procedures
• Review trend data, forecast future trends
• Regularly review disaster recovery plans (and make sure they cover everything that is important!)

Page 11: Performing a BIA
• Identify Business Processes and Applications (the core business of the organization – what do you do?)
  – Educational systems (libraries, labs, etc.)
  – Educational administrative systems (student management, bus routing, e-mail and calendars, attendance, etc.)
  – Accounts Payables and Receivables, HR, payroll
• For each application needed to support a business process, what assets support it?
  EXAMPLE: Human Resources Database
  Asset: Fileserver #1 (Compaq DL-320, 512, 9gig)
  Asset: Windows 2000 Advanced Server software
  Asset: XIOtech Storage Area Network
  Asset: Network
  Asset: Power

Page 12: Performing a BIA
• Identify your tolerance for downtime (can you be down an hour? A day? A week?)
• Identify the risks to these assets:
  – Hardware / software failure
  – Computer “hackers”
  – User error
  – Disasters (flood, tornado, etc.)
• Identify controls to minimize these risks, aimed specifically at the most critical assets:
  – Disaster recovery plans
  – Change control systems
  – User training
  – Network security (firewalls, log review, etc.)

Page 13: Change Control
• Need a formal system for change management to I.T. systems that:
  – Is used for “critical” I.T. systems
  – Has separate roles for proposing and approving changes (a second set of eyes can help prevent problems)
  – Maintains a record of changes over time (so you can go back and review what has been done if something goes wrong, and to help you keep your inventory of assets current)
  – Has “back-out” procedures in the event of a problem
• Some people use databases or paper systems for this purpose
• It needn’t be complex – the more complex it is, the less likely it will be used
• A simple e-mail mailbox that you CC all your communications on might be fine

Page 14: Disaster Recovery Plans
• You need recovery plans for your critical assets, in the event that they are unavailable
• This includes all of the “dependencies” such as power, network, etc. (this is often missed)
• Much of the time, the plans in place are inadequate!
• The plan (and systems) should be reviewed and tested on a regular basis (old Y2K plans don’t count)
• Should be of sufficient detail that plans could be used by less experienced staff members
• Will probably require provisions for outside help (external consultants, reciprocal agreements with another district or ISD, etc.)
• Must include “crash kits” of prepared hardware, software, backup tapes, etc. needed
• Should include provisions for off-site storage of data, as well as off-site recovery of systems in case of disaster

Page 15: Vendor Management
• It is also helpful to formally manage your relationship with vendors and service providers
• Include security and DR provisions in the contracting / purchasing / RFP process whenever possible
• Formally require an analysis of security for all potential computer purchases (e.g. student management systems, wireless labs, Internet Service Providers, etc.) so at least the issue is raised
• Require a minimum level of security for anyone who connects to your network (anti-virus, access control, use of administrative access, etc.)
• Determine how vendors should be monitored while on-site or using remote access systems (do they get an escort? Are they required to sign in? Is there a log?)
• May also choose to identify and monitor key performance indicators (KPI) such as uptime, response time on helpdesk calls, etc.

Page 16: Remote Access
• Remote access systems can be a source of trouble – worms and viruses can spread through them, and they allow access to systems to users that may be very far away (such as hackers from other countries!)
• Define who is allowed to access your systems remotely, and in what way
• Analyze Internet systems, dial-up, VPN, etc.
• Who is granted access? Who approves that access?
• How are remote users monitored? How would abuse be identified?
• What are the minimum security standards for systems that connect remotely (e.g. antivirus)?
• From what systems and locations are you allowed to connect? School-owned property only? Home computers? Coffee shops?
• What about school data stored on remote systems? Are there rules on what can be stored where?

Page 17: Wireless Security
• By default, wireless is fairly insecure
• There is a tension between security and accessibility (in schools, accessibility usually wins)
• Signal leakage is a problem – some wireless systems can be accessed from the street or parking lots
• Wireless is usually connected right to the internal network, bypassing security features such as firewalls
• Consider wireless users in the same category as Internet users – untrusted and potentially hostile
• Consider technical issues such as encryption and authentication
• Consider non-technical issues such as who can use it and when, turning off devices when not in use, etc.

Page 18: System Build and Maintenance
• Should have policies and procedures regarding system build, “hardening” and maintenance
• Are systems built according to a standard? (this promotes consistency, which leads to availability and security)
• Do systems have fault-tolerance built in? Are they backed up? Is the system appropriate for its use? (e.g. is it a “server class” or desktop machine?)
• Are systems regularly patched? How often? Does this include both the operating system *and* applications?
• Are systems proactively reviewed for signs of trouble? (impending hardware failure, running out of disk space, etc.)
• How are administrative rights on the systems used? Are admin passwords changed periodically?

Page 19: System Monitoring
• Most computers and network devices are not monitored properly (or at all!)
• You may miss security incidents, as well as performance issues that would show up in logs
• The default level of logging on servers and network devices is usually inadequate
• Requires up-front configuration of systems to trap useful information, and definitions of what is worthy of investigation
• Requires employee time to regularly review the logs, and a checklist that the task has been performed
• The use of automated log analysis tools can help immensely (especially for network logs that are large, complex, and difficult to make sense of)
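The slide above says a log review needs two things up front: a definition of what is "worthy of investigation", and a record that the review was actually done. The following Python script is an added example (not part of the original presentation) that shows what the smallest version of an automated log review looks like: it reads syslog-style lines, applies two constructed investigation rules (repeated failed logins from one address, and a disk nearing capacity), and returns a review record that can serve as the checklist entry. The log lines, hostnames, user names and addresses are all constructed for the example; the message formats mimic common sshd and monitoring output but the thresholds (3 failures, 90% disk) are assumptions to be tuned locally.

```python
"""Minimal automated log review (added example; not from the original slides)."""
import re
from collections import Counter

# Constructed sample log in a syslog-like layout. Every host, user and
# address here is made up for the example.
SAMPLE_LOG = """\
Mar 10 08:01:12 fs1 sshd[4021]: Failed password for admin from 192.0.2.44 port 51022 ssh2
Mar 10 08:01:15 fs1 sshd[4021]: Failed password for admin from 192.0.2.44 port 51023 ssh2
Mar 10 08:01:19 fs1 sshd[4021]: Failed password for root from 192.0.2.44 port 51024 ssh2
Mar 10 08:01:22 fs1 sshd[4021]: Failed password for admin from 192.0.2.44 port 51025 ssh2
Mar 10 08:01:25 fs1 sshd[4021]: Failed password for admin from 192.0.2.44 port 51026 ssh2
Mar 10 08:05:40 fs1 sshd[4030]: Accepted password for jsmith from 10.0.5.12 port 40011 ssh2
Mar 10 08:06:01 fs1 sshd[4033]: Failed password for jsmith from 10.0.5.12 port 40012 ssh2
Mar 10 09:00:00 fs1 monit[112]: disk /var usage 93% exceeds threshold 90%
Mar 10 09:15:33 fs1 sshd[4101]: Accepted publickey for backup from 10.0.5.20 port 40100 ssh2
"""

# The two "definitions of what is worthy of investigation" used here.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
DISK_RE = re.compile(r"disk (?P<mount>\S+) usage (?P<pct>\d+)%")


def failed_logins(log_text):
    """Count failed password attempts per source address and per user name."""
    by_src, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m["src"]] += 1
            by_user[m["user"]] += 1
    return by_src, by_user


def find_bruteforce_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures (assumed threshold, tune locally)."""
    by_src, _ = failed_logins(log_text)
    return {src: n for src, n in by_src.items() if n >= threshold}


def find_disk_warnings(log_text, threshold=90):
    """(mount, percent) pairs at or above the assumed capacity threshold."""
    warnings = []
    for line in log_text.splitlines():
        m = DISK_RE.search(line)
        if m and int(m["pct"]) >= threshold:
            warnings.append((m["mount"], int(m["pct"])))
    return warnings


def review(log_text, reviewer):
    """One review pass. The returned record doubles as the checklist entry
    showing who reviewed how many lines and what needs follow-up."""
    findings = []
    for src, n in find_bruteforce_sources(log_text).items():
        findings.append(f"{n} failed logins from {src}")
    for mount, pct in find_disk_warnings(log_text):
        findings.append(f"{mount} at {pct}% capacity")
    return {
        "reviewer": reviewer,
        "lines_reviewed": len(log_text.splitlines()),
        "findings": findings,
    }


if __name__ == "__main__":
    record = review(SAMPLE_LOG, reviewer="on-call technician")
    print(f"{record['reviewer']} reviewed {record['lines_reviewed']} lines")
    for finding in record["findings"]:
        print(" -", finding)
```

The single failed attempt by `jsmith` from an internal address is deliberately below the threshold, which is the kind of judgement the slide's "definitions of what is worthy of investigation" has to settle before anyone reads logs by hand; the review record, kept somewhere durable, is what proves the task was performed.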

Page 20: Access Control and Passwords
• Are system access rights defined and implemented according to a formal system?
• Who is responsible for defining the access that an employee gets? I.T.? Unit managers? Administration? (hint: I.T. people may not be the best people to decide this)
• Does H.R. have a formal line of communication with I.T. for ID addition, removal and changes?
• Are passwords secure? Are they a complex mixture of characters, numbers and symbols? Do people share passwords? Do they write passwords on sticky notes, or use their own name or the name of their pets and children?
• Are access rights and passwords ever audited? How do you find and remove old accounts? Verify that password standards are followed?
• Are IDs uniquely tied to a user?
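Three of the questions on this slide (the H.R.-to-I.T. line of communication, finding old accounts, and IDs uniquely tied to a user) can be answered with the same periodic reconciliation: compare the accounts that exist on a system against the H.R. roster. The Python below is an added example, not part of the original presentation, of such an access review. The roster, account list, dates and the 90-day idle threshold are all constructed for the example; a real review would export the account list from the file server or application and get the roster from H.R.

```python
"""Periodic user access review (added example; not from the original slides).

Reconciles a system's account list against the H.R. roster to find accounts
that should be removed or looked into. All data below is constructed.
"""
from datetime import date

# Constructed H.R. roster: who is currently employed, according to H.R.
HR_ROSTER = [
    {"employee_id": "E100", "name": "J. Smith", "status": "active"},
    {"employee_id": "E101", "name": "A. Lee", "status": "active"},
    {"employee_id": "E102", "name": "R. Patel", "status": "terminated",
     "end_date": date(2004, 1, 15)},
]

# Constructed account list as exported from a file server or application.
# employee_id None means the account is not tied to one named person.
ACCOUNTS = [
    {"username": "jsmith", "employee_id": "E100", "last_login": date(2004, 3, 8)},
    {"username": "alee", "employee_id": "E101", "last_login": date(2003, 10, 1)},
    {"username": "rpatel", "employee_id": "E102", "last_login": date(2004, 2, 2)},
    {"username": "frontdesk", "employee_id": None, "last_login": date(2004, 3, 9)},
    {"username": "oldtemp", "employee_id": "E077", "last_login": date(2002, 6, 30)},
]


def active_employee_ids(roster):
    return {r["employee_id"] for r in roster if r["status"] == "active"}


def find_orphaned_accounts(accounts, roster):
    """Accounts whose owner is not an active employee: the person left, or
    H.R. never heard of them. These are the 'old accounts' to remove."""
    active = active_employee_ids(roster)
    return sorted(a["username"] for a in accounts
                  if a["employee_id"] is not None and a["employee_id"] not in active)


def find_shared_accounts(accounts):
    """Accounts not tied to a single person, so actions cannot be attributed."""
    return sorted(a["username"] for a in accounts if a["employee_id"] is None)


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Accounts unused for longer than the assumed idle limit."""
    return sorted(a["username"] for a in accounts
                  if (as_of - a["last_login"]).days > max_idle_days)


def find_logins_after_termination(accounts, roster):
    """Terminated employees whose account was still used after their end date:
    evidence that the H.R.-to-I.T. removal process did not work."""
    end_dates = {r["employee_id"]: r["end_date"]
                 for r in roster if r["status"] == "terminated"}
    return sorted(a["username"] for a in accounts
                  if a["employee_id"] in end_dates
                  and a["last_login"] > end_dates[a["employee_id"]])


def access_review(accounts, roster, as_of):
    """Run every check and return the findings for the audit record."""
    return {
        "orphaned": find_orphaned_accounts(accounts, roster),
        "shared": find_shared_accounts(accounts),
        "stale": find_stale_accounts(accounts, as_of),
        "used_after_termination": find_logins_after_termination(accounts, roster),
    }


if __name__ == "__main__":
    for category, names in access_review(ACCOUNTS, HR_ROSTER, date(2004, 3, 10)).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

The `rpatel` account appears in two lists at once: it is orphaned (the employee is no longer active) and it was used after the termination date, which is the finding that should go back to the H.R./I.T. process rather than just being cleaned up quietly.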

Page 21: Incident Response
• In the event that something does happen, do you have a formal system of handling the incident?
• A formal I.R. plan will allow you to define:
  – What constitutes an incident
  – Who is responsible for which tasks (e.g. identification, investigation, recovery)
  – Who is allowed to talk to internal staff, the media, the board, legal counsel
  – What documentation about the incident must be maintained
  – How and when legal action might arise from an incident, and how to preserve evidence for this purpose

Page 22: Acceptable Use Policies
• Geared towards end users (e.g. everyone)
• Most schools already have them
• Usually includes provisions for passwords, acceptable use of the Internet and e-mail, installation of software, abuse of systems, use of anti-virus, etc.
• Detail what level of privacy people can expect
• Should be regularly reviewed and updated to keep current
• Employees (and students) should be required to “sign off” that they agree to the terms of usage
• Some system should track who has signed off, and when, to ensure that everyone has agreed to the latest policies
• Keep AUPs simple – focus on what is appropriate, instead of listing all the things that are inappropriate
• Avoid including language on specific technologies

Page 23: Employee Awareness
• End users will probably need some training and/or reminding about security issues
• Consider using newsletters or small chunks of inservice time to remind people
• I.T. staff will definitely need to get educated in security – you cannot expect them to understand the issues if they haven’t had any formal training
• Consider 1 week/year of class time, or other activities for the I.T. staff on relevant topics
• Have tech people sign up for security listservs (e-mail services that send you updates when new flaws are discovered, or when new patches are available)
• Get training on the most common items, especially operating systems and firewalls
• www.sans.org and www.gocsi.com are good

Page 24: Employee Responsibilities
• Try to formally detail what is required of employees in regards to security
• For end users, refer to the AUP
• For I.T. staff, formally identify who is responsible for functions such as system patching and log monitoring
• This helps you make sure it gets done and that your I.T. staff has enough time to do the work
• Allows you to revisit the adequacy of your security program during employee performance reviews, etc.

Page 25: Products and Services
• At a minimum you need an Internet firewall
• Consider contracting (or doing internally) regular security scans of your hosts
• Invest in an intrusion detection system
• Consider desktop security products (to lock down systems, limit engineer time fixing up broken systems, for example “ghost” or “fortress”)
• Consider managed services such as managed firewall, managed spam prevention and anti-virus, etc.
• Consider getting an outside analysis of your disaster recovery plan
• Invest in redundant systems (fault tolerant storage, extra power supplies, server clustering)
• Invest in service contracts for hardware and software (in some cases, you can’t get service or updates without this!)

Page 26: Physical Security
• It is critical to maintain a physical “zone of control” around important assets.
• Without physical security, all other measures can be circumvented
• Access to critical areas such as wiring closets can provide unrestricted access to the network or damage of equipment (“oooh, look at the blinky lights”)
• Physical security helps to prevent the loss of equipment
• Is there a badge / access control system with logging? Can it be easily circumvented? (e.g. barcodes, numeric keypads)
• Do badges have picture IDs? Can you readily identify a visitor and the date of their visit?
• Are master keys all accounted for? Are there many of them?
• Are locks and codes changed when people leave the organization?

Page 27: Physical Security
• Are external areas well lit?
• Are all wiring closets secure?
• Are all hinges on the inside of doors?
• Are doors frequently propped open by smokers? For delivery people?
• Do walls go all the way to the ceiling (and not just stop at the drop ceiling)?
• Are there insecure wireless networks?
• Are there live data jacks in public areas?
• Are vendors and service people accompanied when on the premises?

Page 28: Background Checks
• On the prevention side, background checks could go a long way to identify malevolent people
• Benefits of performing background checks:
  – Protect your employees, clients and property from possible harm
  – Protect your organization from possible fraud
  – Minimize risk to your organization through legal or civil liability
  – Promote the hiring of employees with good character, work habits and proficiency at their job
  – Identify people who are risky in a school (e.g. with a criminal history, who are prone to poor workplace behaviors, etc.)

Page 29: Background Checks
• Include state and federal criminal history checks
• Check the sex offenders registry (this has been in the papers a lot lately – don’t count on others to do it!)
• Include verification with non-regulated certification issuers such as vendor specific and technical certifications (CNEs, MCSEs, etc.)
• Include verification of all listed employment and salary history
• Include verification of all higher education (college level)
• Include verbal verification of all character and employment references. For past employers, consider reaching the listed contact by calling the main organizational phone number, and verifying that the name, position, and phone number you were provided is correct prior to calling them.

Page 30: References
• http://www.securityfocus.com (sign up for bugtraq and read the articles)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org

Page 31: Discussion
Mark Lachniet, CISSP, CISA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto:mlachniet@analysts.com
http://lachniet.com/powerpoint