November 7th, 2003 - John Bruggeman - EDUCAUSE 2003 Conference
Defining Risk and Fixing the Top 20
Security 101 for a small school
Copyright 2003 John Bruggeman
Copyright John Bruggeman, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
John Bruggeman
– Hebrew Union College – Jewish Institute of Religion, Seminary and Graduate School, http://huc.edu
– National Director of Information Systems (97 – Present), GSEC Certified February 2003
– 4 Locations – Cincinnati, Jerusalem, Los Angeles, New York; 500 Students, 350 Rabbinic, 150 Graduate
– Small Staff – 1 support staff in Cincinnati and New York, Part Time Contractor in LA and Jerusalem
Agenda
– What is at risk?
– Who can do what?
– What are the Top 20 issues? http://www.sans.org/top20
Overview
– Risk – Data CIA
  – Data Confidentiality
  – Data Integrity
  – Data Availability
– The Top 20 vulnerabilities – http://www.sans.org/top20
– Security Policy – You can’t enforce what you haven’t defined
Types of Risk
– Data Confidentiality – Keep private information private
– Data Integrity – Making sure your data is correct
– Data Availability – Hardware failure, fire, flood
Types of Risk cont.
– Legal liability – What legal issues exist? HIPAA, FERPA
  http://www.clm.com/pubs/pub-914447_2.html (monitoring conversations)
  http://www.vnunet.com/News/1132421 (grade manipulation)
– Professional credibility – What would be the impact of a security breach?
Risk Assessment
– Risk = Threat x Vulnerability
– Would someone have to be on campus to attack?
– What could they do on campus vs. off campus (Internet)?
– Why would they target my institution and what would they want?
– Vulnerabilities are the gateways by which threats are manifested
Risk Assessment
– Who – Allow access, restrict access
– What – Grade information, passwords, payroll info
– When – Forever or just for a few months
Risk Assessment cont.
– Where – A network server or a PC in an office or a Zip drive?
– Why – FERPA, legal liability, reputation
– How – 3DES, AES, VPN; will vary by value of the data and where the data resides
Risk Assessment cont.
– Who – Not just one department's job or one manager
  – Ongoing, organic process
– Identification, Authentication, Authorization – Define who has access and who doesn’t
  – Roles not people
  – Who has access helps define where data is stored
  – Data shouldn’t be in more than one place
  – Can define who might want to hack
Risk Assessment cont.
– What do you need to protect? – Departmental review
  – Registrar, Alumni, Development – Student, Alumni data (FERPA)
    – Grades, personal information
  – Financial data
    – Institution, student, donor
  – Health information (HIPAA)
    – Employees, Students
  – Information Technology (system data)
    – Root password, admin password
Risk Assessment cont.
– When – How long do you need to keep the data secure? Create a disposal date
  • http://www.uiuc.edu/cgi-bin/print_hit_bold.pl/admin_manual/code/rule_67.html
– Secure Archives – Encrypted tape backups
  – Outsource off site storage providers
Risk Assessment cont.
– Where
  – On a file server – with server file permissions
  – On a workstation – no access controls or logging
  – On a zip drive or memory stick? – No control, no logging, portable and reproducible
  – On a laptop or PDA? – Encrypted? Backed up? Auditing turned on?
Risk Assessment cont.
– Why
  – FERPA: Student data
  – HIPAA: Health records
  – User trust: passwords, email, policy issues
  – Legal liability
Risk Assessment cont.
– How
  – File access controls (Novell, MS, Apple)
  – Encryption
  – Physical isolation – Limit access to office or system
  – Remote access – VPN, Dial Up access
  – Cost is determined by the value of the data
Risk Assessment cont.
– Availability – Would you know if data was changed?
  – Intentionally or accidentally: student grade changes, address changes
– What if you couldn’t access your data? (BCP – Business Continuity Planning)
  – For an hour, a day, a week? What would be the impact?
Other types of Risk
– Other risks to your Institution – Natural Disasters
  – Fire – California fire of 2003
  – Flood – Chicago city flood April 13th, 1992
  – Power Outage – East Coast August 14th 2003
Other types of Risk cont.
– Personnel changes – Key personnel leave
  – President, network administrator
– Legal charges – Providing data for lawsuits
  – What could you provide if you had to?
  – What would you want to be able to provide?
Resources for Risk Assessment
– Carnegie Mellon OCTAVE approach
  – OCTAVE = Operationally Critical Threat, Asset, and Vulnerability Evaluation
  – http://www.cert.org/octave/
  – Self guided tool for Risk assessment
  – Asset based risk assessment
  – Tool for both large and small institutions
  – Free though you can purchase consulting
Resources for Risk Assessment
– COBRA method – C & A Systems Security Ltd.
  – Self Assessment tool
  – Follows ISO 17799 guidelines
  – Costs $895 - $1995
  – http://www.riskworld.net
Resources for Risk Assessment
– FRAP Method – Facilitated Risk Assessment Process
  – Thomas Peltier, http://www.peltierassociates.com/frap.htm
  – Book form or training class – $595-$695 for class
  – Approximately $70 for his book
Resources for Risk Assessment
– SANS Reading Room – http://www.sans.org/rr/papers/index.php?id=1204
– Overview of Risk
  – Quantitative
    • Cost per Incident and expected frequency
    • Asset Value * Exposure Factor * Frequency
  – Qualitative
    • Rates the impact of the asset
    • File Server vs. Personal PC
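The two ways of scoring risk that the slides mention (the qualitative Risk = Threat x Vulnerability from the earlier Risk Assessment slide, and the quantitative Asset Value * Exposure Factor * Frequency here) worked through in code. This is an added example, not material from the presentation; the three-level rating scale, the dollar figures for the sample assets and the control cost are constructed assumptions for illustration.

```python
"""Added example: scoring risk the two ways the slides describe.

Qualitative: Risk = Threat x Vulnerability, each rated on a 1..3 scale.
Quantitative: SLE = Asset Value * Exposure Factor; ALE = SLE * Frequency.
The scales, dollar figures and control costs below are constructed
assumptions for illustration, not figures from the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed three-level rating scale for the qualitative view.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(threat: str, vulnerability: str) -> tuple[int, str]:
    """Risk = Threat x Vulnerability on a 1..9 scale, plus a coarse label.

    A service reachable from off campus with a known unpatched flaw rates
    high on both axes; a PC in a locked office with no remote access rates
    low on threat even if its software is out of date.
    """
    score = LEVELS[threat] * LEVELS[vulnerability]
    if score >= 6:
        label = "high"
    elif score >= 3:
        label = "medium"
    else:
        label = "low"
    return score, label


@dataclass
class Asset:
    name: str
    value: float            # asset value in dollars (replacement plus data)
    exposure_factor: float  # fraction of value lost in one incident, 0..1
    frequency: float        # expected incidents per year (annual rate)

    def single_loss_expectancy(self) -> float:
        """Cost per incident: Asset Value * Exposure Factor."""
        return self.value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        """Asset Value * Exposure Factor * Frequency."""
        return self.single_loss_expectancy() * self.frequency


def rank_by_ale(assets: list[Asset]) -> list[tuple[str, float]]:
    """Order assets by annual expected loss, highest first."""
    return sorted(
        ((a.name, a.annualized_loss_expectancy()) for a in assets),
        key=lambda pair: pair[1],
        reverse=True,
    )


def control_is_worthwhile(asset: Asset, annual_cost: float, new_frequency: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its annual cost.

    new_frequency is the incident rate expected once the control is in place.
    """
    reduced = Asset(asset.name, asset.value, asset.exposure_factor, new_frequency)
    saving = asset.annualized_loss_expectancy() - reduced.annualized_loss_expectancy()
    return saving > annual_cost


# Constructed sample assets, echoing the slide's "File Server vs. Personal PC".
SAMPLE_ASSETS = [
    Asset("registrar file server", value=50_000, exposure_factor=0.5, frequency=0.2),
    Asset("office PC", value=2_000, exposure_factor=1.0, frequency=1.0),
    Asset("zip drive with grade export", value=500, exposure_factor=1.0, frequency=2.0),
]

if __name__ == "__main__":
    print(qualitative_risk("high", "medium"))
    for name, ale in rank_by_ale(SAMPLE_ASSETS):
        print(f"{name:30s} ALE ${ale:,.0f}")
    # Is encrypted off-site tape backup at an assumed $1,500/yr worth it for the
    # file server if it cuts the expected incident rate from 0.2 to 0.05 per year?
    print(control_is_worthwhile(SAMPLE_ASSETS[0], annual_cost=1_500, new_frequency=0.05))
```

The ranking is the point of the quantitative view: a low-value zip drive that walks out of the office twice a year can carry an annual expected loss comparable to a PC, and a control is justified by comparing its yearly cost against the loss it prevents rather than against the asset's price tag.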
The FBI / SANS Top 20!
– Common Security vulnerabilities in Windows, Unix and Macintosh
– Very well known, scripts exist to exploit each vulnerability
– All vulnerabilities can be remediated by fully patching the OS
Windows Top 10
1. IIS 4.0 and 5.0 fully patched
2. Microsoft Data Access Components (MDAC)
3. Microsoft SQL Server
4. NetBIOS – Unprotected Shares
5. Anonymous Logons
6. LAN Manager Authentication
7. Windows Authentication
8. Internet Explorer
9. Remote Registry Access
10. Windows Script Hosting
Macintosh Top 10
1. Web servers with Dynamic Content
2. Mac OS X and Internet Explorer 5.1.4
3. Microsoft Word
4. AppleShare IP6 Pass Protocol
5. Macintosh Manager
6. OS X 10.2.2
7. StuffIT Expander Security Update
8. Mac OS X client
9. Open SSH
10. Apache Web Server
Unix Top 10
1. Remote Procedure Calls
2. Apache Web Server (Nose job)
3. Secure Shell
4. SNMP (Simple Network Management Protocol)
5. FTP
6. Remote login services (RLOGIN)
7. Line Printer Daemon (LPD)
8. Sendmail
9. BIND/DNS
10. General Unix Authentication
Creating a Security Policy
– The Policy flows from the Risk Assessment – It is organic, it will change over time
– It should inform users as well as educate – Give them the why and how
– What data needs to be secure and from whom
– Policy will have layers of defense – http://www.sans.org/rr/securitybasics/univ_level.php
Summary
– Define your Risks! – Answer the basic Who, What, When, Where, Why, How
– Fix the Top 20 (or 30?)!
– Create a Security Policy – Get buy-in from the Top and involve all departments
– Feedback
Where to Get More Information
– Web resources
  • http://www.sans.org – SANS (SysAdmin, Audit, Network, Security)
  • http://www.cert.org – Computer Emergency Response Team
  • http://www.incidents.org – Internet Storm Center tracking site
  • http://www.secinf.net – Windows Network Security
  • http://www.securityfocus.com/ – Unix, Windows, Virus, IDS
Where to Get Information
– Email Lists
  – www.counterpane.com – Bruce Schneier, Monthly email digest of Computer security issues
  – www.ntbugtraq.com – Windows NT security list
  – www.intrusions.org – Daily digests of port probes and good discussions
  – www.microsoft.com/security – Links to Microsoft’s security page
HIPAA Information
– HIPAA Security Policy Development: A Collaborative Approach – http://www.sans.org/rr/policy/HIPAA_policy.php
– Administrative simplification under HIPAA – http://www.hhs.gov/news/press/2002pres/hipaa.html
– Sample HIPAA compliance statement – http://www.medsoftusa.com/hippa.htm
FERPA Information
– Protecting the Privacy of Student Records, Guidelines for Education Agencies – http://nces.ed.gov/pubs97/p97527/CONTENTS.HTM
– Guidelines for Compliance with the Family Educational Rights and Privacy Act – http://www.nyu.edu/apr/ferpa.htm
– School Sample – http://www.oberlin.edu/archive/records/retention/departments.html