Defining Risk and Fixing the Top 20

Security 101 for a small school

John Bruggeman - EDUCAUSE 2003 Conference, November 7th, 2003

Page 1: Defining Risk and Fixing the Top 20

Security 101 for a small school

Page 2: Copyright 2003 John Bruggeman

Copyright John Bruggeman, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3: John Bruggeman

– Hebrew Union College – Jewish Institute of Religion, Seminary and Graduate School, http://huc.edu

– National Director of Information Systems (97 – Present); GSEC Certified February 2003

– 4 Locations – Cincinnati, Jerusalem, Los Angeles, New York; 500 Students (350 Rabbinic, 150 Graduate)

– Small Staff: 1 support staff in Cincinnati and New York; Part Time Contractor in LA and Jerusalem

Page 4: Agenda

– What is at risk?

– Who can do what?

– What are the Top 20 issues?

http://www.sans.org/top20

Page 5: Overview

Risk – Data CIA

– Data Confidentiality

– Data Integrity

– Data Availability

The Top 20 vulnerabilities – http://www.sans.org/top20

Security Policy – You can’t enforce what you haven’t defined

Page 6: Types of Risk

Data Confidentiality – Keep private information private

Data Integrity – Making sure your data is correct

Data Availability – Hardware failure, fire, flood

Page 7: Types of Risk cont.

Legal liability – What legal issues exist? HIPAA, FERPA

http://www.clm.com/pubs/pub-914447_2.html (monitoring conversations)

http://www.vnunet.com/News/1132421 (grade manipulation)

Professional credibility – What would be the impact of a security breach?

Page 8: Risk Assessment

Risk = Threat x Vulnerability

– Would someone have to be on campus to attack?

– What could they do on campus vs. off campus (Internet)?

– Why would they target my institution and what would they want?

Vulnerabilities are the gateways by which threats are manifested

Page 9: Risk Assessment

Who – Allow access, restrict access

What – Grade information, passwords, payroll info

When – Forever or just for a few months

Page 10: Risk Assessment cont.

– Where: A network server, a PC in an office, or a Zip drive?

– Why: FERPA, legal liability, reputation

– How: 3DES, AES, VPN; will vary by value of the data and where the data resides

Page 11: Risk Assessment cont.

Who – Not just one department’s job or one manager

– Ongoing, organic process

– Identification, Authentication, Authorization – Define who has access and who doesn’t

– Roles, not people

– Who has access helps define where data is stored

– Data shouldn’t be in more than one place

– Can define who might want to hack

Page 12: Risk Assessment cont.

What do you need to protect?

– Departmental review: Registrar, Alumni, Development

– Student, Alumni data (FERPA): Grades, personal information

– Financial data: Institution, student, donor

– Health information (HIPAA): Employees, Students

– Information Technology (system data): Root password, admin password

Page 13: Risk Assessment cont.

When – How long do you need to keep the data secure? Create a disposal date

• http://www.uiuc.edu/cgi-bin/print_hit_bold.pl/admin_manual/code/rule_67.html

Secure Archives – Encrypted tape backups

– Outsource off site storage providers

Page 14: Risk Assessment cont.

Where

On a file server – with server file permissions

On a workstation – no access controls or logging

On a zip drive or memory stick? – No control, no logging, portable and reproducible

On a laptop or PDA? – Encrypted? Backed up? Auditing turned on?

Page 15: Risk Assessment cont.

Why

– FERPA: Student data

– HIPAA: Health records

– User trust: passwords, email, policy issues

– Legal liability

Page 16: Risk Assessment cont.

How

– File access controls (Novell, MS, Apple)

– Encryption

– Physical isolation: Limit access to office or system

– Remote access: VPN, Dial Up access

– Cost is determined by the value of the data

Page 17: Risk Assessment cont.

Integrity and Availability – Would you know if data was changed?

– Intentionally or accidentally: student grade changes, address changes

– What if you couldn’t access your data for an hour, a day, a week? What would be the impact? (BCP: Business Continuity Planning)

Page 18: Other types of Risk

Other risks to your Institution – Natural Disasters

Fire – California fire of 2003

Flood – Chicago city flood, April 13th, 1992

Power Outage – East Coast, August 14th 2003

Page 19: Other types of Risk cont.

Personnel changes – Key personnel leave: President, network administrator

Legal charges – Providing data for lawsuits

– What could you provide if you had to?

– What would you want to be able to provide?

Page 20: Resources for Risk Assessment

Carnegie Mellon OCTAVE approach

– OCTAVE = Operationally Critical Threat, Asset, and Vulnerability Evaluation

– http://www.cert.org/octave/

– Self guided tool for Risk assessment

– Asset based risk assessment

– Tool for both large and small institutions

– Free, though you can purchase consulting

Page 21: Resources for Risk Assessment

– COBRA method: C & A Systems Security Ltd.

– Self Assessment tool

– Follows ISO 17799 guidelines

– Costs $895 - $1995

– http://www.riskworld.net

Page 22: Resources for Risk Assessment

FRAP Method

– Facilitated Risk Assessment Process

– Thomas Peltier, http://www.peltierassociates.com/frap.htm

– Book form or training class: $595-$695 for class, approximately $70 for his book

Page 23: Resources for Risk Assessment

SANS Reading Room

http://www.sans.org/rr/papers/index.php?id=1204

Overview of Risk

– Quantitative

• Cost per Incident and expected frequency

• Asset Value * Exposure Factor * Frequency

– Qualitative

• Rates the impact of the asset

• File Server vs. Personal PC
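The two ways of rating risk on this slide, together with the "Risk = Threat x Vulnerability" formula from the earlier Risk Assessment slide, are easy to get wrong in a spreadsheet, so here is an added worked example (not code from the original presentation). It computes single and annual loss expectancy from Asset Value * Exposure Factor * Frequency, scores the same assets qualitatively on Threat x Vulnerability, ranks a small register, and prices a control against the loss it prevents. Every asset name, dollar value, rating and control cost in it is a constructed illustration, not a figure from the talk.

```python
"""Risk scoring for a small-school risk register.

Added example, not code from the original slides. It implements the
two approaches listed on the SANS reading-room slide:
  * quantitative: SLE = Asset Value * Exposure Factor, and
    ALE = SLE * expected annual frequency (the slide's
    "Asset Value * Exposure Factor * Frequency"), plus the cost/benefit
    of a control measured against that ALE;
  * qualitative: Risk = Threat x Vulnerability from the earlier slide,
    on 1-5 scales, which is how "File Server vs. Personal PC" gets rated.
All asset names, dollar values, ratings and control costs below are
constructed illustrations, not figures from the presentation.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # dollar value at stake (assumed figure)
    exposure_factor: float  # fraction of value lost in one incident, 0.0-1.0
    annual_rate: float      # expected incidents per year
    threat: int             # 1 (nobody is trying) .. 5 (active, motivated)
    vulnerability: int      # 1 (well controlled) .. 5 (no controls at all)


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: cost of one incident = Asset Value * Exposure Factor."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError(f"exposure factor out of range for {asset.name}")
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE: SLE * expected frequency per year."""
    return single_loss_expectancy(asset) * asset.annual_rate


def qualitative_risk(asset: Asset) -> int:
    """Risk = Threat x Vulnerability on 1-5 scales (so 1..25)."""
    for rating in (asset.threat, asset.vulnerability):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} outside 1-5 for {asset.name}")
    return asset.threat * asset.vulnerability


def control_net_benefit(asset: Asset, annual_cost: float, new_rate: float,
                        new_exposure: Optional[float] = None) -> float:
    """Annual value of a control: ALE before - ALE after - cost of the control.

    A positive result means the control is cheaper than the loss it
    prevents; this is the "cost is determined by the value of the data"
    rule from the How slide made explicit.
    """
    after = replace(asset, annual_rate=new_rate,
                    exposure_factor=asset.exposure_factor
                    if new_exposure is None else new_exposure)
    return (annual_loss_expectancy(asset)
            - annual_loss_expectancy(after) - annual_cost)


def rank_register(assets: List[Asset]) -> List[Tuple[str, float, int]]:
    """Rank assets by ALE (highest first), carrying the qualitative score."""
    rows = [(a.name, annual_loss_expectancy(a), qualitative_risk(a))
            for a in assets]
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)


# Constructed register: the same grade data in two places (the Where
# slide's file server vs. Zip drive), plus a payroll file on an office PC.
REGISTER = [
    Asset("Student grades on the file server", 200_000, 0.10, 0.5, 3, 2),
    Asset("Student grades on a Zip disk", 200_000, 0.50, 1.0, 3, 5),
    Asset("Payroll spreadsheet on an office PC", 150_000, 0.30, 0.5, 2, 4),
]


if __name__ == "__main__":
    for name, ale, qual in rank_register(REGISTER):
        print(f"{name:38s} ALE=${ale:>10,.0f}  Threat*Vuln={qual:2d}")
    zip_copy = REGISTER[1]
    # Assumed control: stop keeping the Zip copy, $2,000/yr of staff time.
    print("net benefit of eliminating the Zip copy: "
          f"${control_net_benefit(zip_copy, annual_cost=2_000, new_rate=0.0):,.0f}")
```

Note how the two methods agree here only because the register was built that way: the Zip copy ranks first on both scales because it carries the same data as the server copy with a higher exposure factor and no controls. When they disagree in a real register, the qualitative score usually reflects a threat you have not been able to price, and that is the asset to look at first.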

Page 24: The FBI / SANS Top 20!

Common security vulnerabilities in Windows, Unix and Macintosh

Very well known; scripts exist to exploit each vulnerability

Most can be remediated by fully patching the OS; the rest (unprotected shares, anonymous logons, LAN Manager authentication, exposed services such as SNMP and the r-services) are configuration problems that a patch does not fix

Page 25: Windows Top 10

1. IIS 4.0 and 5.0 – fully patched

2. Microsoft Data Access Components (MDAC)

3. Microsoft SQL Server

4. NetBIOS – Unprotected Shares

5. Anonymous Logons

6. LAN Manager Authentication

7. Windows Authentication

8. Internet Explorer

9. Remote Registry Access

10. Windows Script Hosting
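Four of the ten items above (unprotected shares, anonymous logons, LAN Manager authentication, remote registry access) are registry settings rather than patches, so a small school can audit them from a `reg query` dump without a scanner. The following is an added example, not code from the original presentation: it parses the text `reg query` prints for the relevant keys and reports which settings are still in their weak state. Both registry dumps are constructed, and the thresholds (LmCompatibilityLevel of at least 2, RestrictAnonymous of at least 1, RemoteRegistry start type 4, AutoShareServer/AutoShareWks set to 0) are my reading of the 2003-era guidance, stated as assumptions.

```python
"""Check exported Windows registry settings against four items on the
Windows Top 10 slide: unprotected shares (4), anonymous logons (5), LAN
Manager authentication (6) and remote registry access (9). Added
example; not code from the original presentation.

Input is the text printed by `reg query <key>` on the host. The two
samples below are constructed, and the thresholds are my reading of
the 2003-era guidance, stated here as assumptions:
  LmCompatibilityLevel >= 2   send NTLM only, never the LM response
  RestrictAnonymous    >= 1   block null-session enumeration
  RemoteRegistry Start == 4   service disabled
  AutoShareServer/Wks  == 0   do not create C$ / ADMIN$ at boot
"""
import re
from typing import Dict, List, Optional

# Constructed `reg query` output for a default-looking Windows 2000 box.
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    LmCompatibilityLevel    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareServer    REG_DWORD    0x1
"""

# Constructed output for the same keys after hardening.
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareServer    REG_DWORD    0x0
"""

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
REMOTE_REG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"

# reg query prints "    <name>    <REG_TYPE>    <data>" under each key path.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path (lower-cased): {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().upper().startswith("HKEY_"):
            current = line.strip().lower()
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name, _reg_type, data = match.groups()
            keys[current][name] = data.strip()
    return keys


def dword(keys: Dict[str, Dict[str, str]], key: str, name: str,
          default: Optional[int] = None) -> Optional[int]:
    """Read a REG_DWORD (printed as hex, e.g. 0x1) or return the default."""
    data = keys.get(key.lower(), {}).get(name)
    if data is None:
        return default
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per slide item that is still in its weak state."""
    findings: List[str] = []
    lm = dword(keys, LSA, "LmCompatibilityLevel", default=0)  # 0 if absent
    if lm < 2:
        findings.append(f"item 6 LAN Manager auth: LmCompatibilityLevel={lm} "
                        "still sends LM responses; set 2 or higher")
    ra = dword(keys, LSA, "RestrictAnonymous", default=0)  # 0 if absent
    if ra < 1:
        findings.append("item 5 Anonymous logons: RestrictAnonymous=0 allows "
                        "null-session enumeration of users and shares")
    start = dword(keys, REMOTE_REG, "Start")
    if start is None:
        findings.append("item 9 Remote registry: service key not in export; verify it is disabled")
    elif start != 4:
        findings.append(f"item 9 Remote registry: RemoteRegistry Start={start} (4 = disabled)")
    shares = [dword(keys, LANMAN, n) for n in ("AutoShareServer", "AutoShareWks")]
    if all(v is None for v in shares):
        findings.append("item 4 Unprotected shares: AutoShare* not set, so C$ and ADMIN$ are created at boot")
    elif any(v not in (None, 0) for v in shares):
        findings.append("item 4 Unprotected shares: AutoShare* enabled, C$ and ADMIN$ are created at boot")
    return findings


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        results = audit(parse_reg_query(text))
        print(f"== {label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Collect the input on each host with `reg query` against the three key paths named in the constants and paste the output into one file; absent values are treated as their defaults (0 for the two Lsa values, admin shares created for AutoShare*), which is what a freshly installed box looks like. Disabling AutoShare* removes C$ and ADMIN$, so confirm nothing you rely on (backup agents, remote administration) needs them before you apply that one.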

Page 26: Macintosh Top 10

1. Web servers with Dynamic Content

2. Mac OS X and Internet Explorer 5.1.4

3. Microsoft Word

4. AppleShare IP6 Pass Protocol

5. Macintosh Manager

6. OS X 10.2.2

7. StuffIt Expander Security Update

8. Mac OS X client

9. OpenSSH

10. Apache Web Server

Page 27: Unix Top 10

1. Remote Procedure Calls

2. Apache Web Server (Nose job)

3. Secure Shell

4. SNMP (Simple Network Management Protocol)

5. FTP

6. Remote login services (RLOGIN)

7. Line Printer Daemon (LPD)

8. Sendmail

9. BIND/DNS

10. General Unix Authentication
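Several items on this list (SNMP, FTP, rlogin and the other r-services, LPD) are exposed by configuration on a default install and stay exposed after patching, so the quickest win on an old Unix box is to read the config files rather than wait for a scan. Here is an added example, not code from the original presentation, that audits constructed copies of `/etc/inetd.conf`, `/etc/snmp/snmpd.conf` and `/etc/hosts.equiv` for those items. The file contents are samples written for this example; the paths are the usual ones, but a system that uses xinetd or a different SNMP agent keeps the same information elsewhere.

```python
"""Flag Unix services from the Top 10 slide that are exposed through
configuration rather than a missing patch: SNMP with a default community
(item 4), FTP (item 5), rlogin/rsh/rexec and hosts.equiv trust (item 6)
and LPD (item 7). Added example; not code from the original presentation.
The three config texts below are constructed samples.
"""
from typing import Dict, List

INETD_CONF = """\
# /etc/inetd.conf -- constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
printer stream  tcp  nowait  lp    /usr/sbin/tcpd  in.lpd
"""

SNMPD_CONF = """\
# /etc/snmp/snmpd.conf -- constructed sample (UCD/net-snmp syntax)
rocommunity public
rwcommunity private 192.168.1.0/24
"""

HOSTS_EQUIV = """\
# /etc/hosts.equiv -- constructed sample
+
fileserver.example.edu
"""

# inetd service name -> slide item it belongs to
INETD_RISKY = {
    "ftp": "item 5 FTP",
    "login": "item 6 rlogin",
    "shell": "item 6 rsh",
    "exec": "item 6 rexec",
    "printer": "item 7 LPD",
}
DEFAULT_COMMUNITIES = {"public", "private"}


def inetd_enabled(text: str) -> Dict[str, str]:
    """Map each enabled inetd service to its server column; '#' lines are off."""
    enabled: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 6:  # service socket proto wait user server [args]
            enabled[fields[0]] = fields[5]
    return enabled


def audit_inetd(text: str) -> List[str]:
    return [f"{INETD_RISKY[svc]} enabled in inetd.conf via {server}"
            for svc, server in inetd_enabled(text).items() if svc in INETD_RISKY]


def audit_snmpd(text: str) -> List[str]:
    """Flag rocommunity/rwcommunity/com2sec lines that use a default community."""
    findings: List[str] = []
    access = {"rocommunity": "read-only", "rwcommunity": "read-write"}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        directive = fields[0].lower()
        if directive in access and len(fields) >= 2:
            community = fields[1]
        elif directive == "com2sec" and len(fields) >= 4:
            community = fields[3]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"item 4 SNMP: default community '{community}' grants "
                            f"{access.get(directive, 'configured')} access")
    return findings


def audit_hosts_equiv(text: str) -> List[str]:
    """A bare '+' entry trusts every host for rlogin/rsh without a password."""
    findings: List[str] = []
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and entry.split()[0] == "+":
            findings.append("item 6 r-services: '+' in hosts.equiv trusts every host")
    return findings


def audit_all(inetd: str, snmpd: str, hosts_equiv: str) -> List[str]:
    return audit_inetd(inetd) + audit_snmpd(snmpd) + audit_hosts_equiv(hosts_equiv)


if __name__ == "__main__":
    for finding in audit_all(INETD_CONF, SNMPD_CONF, HOSTS_EQUIV):
        print("-", finding)
```

The fix for each finding is the same shape: comment the line out of inetd.conf and send inetd a HUP, replace the SNMP community (or restrict it to the management host's address as the rwcommunity line already partly does), and delete the `+`. Wrapping a service in tcpd, as the sample does, limits who can reach it but does not take it off the list.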

Page 28: Creating a Security Policy

The Policy flows from the Risk Assessment – It is organic, it will change over time

It should inform users as well as educate – Give them the why and how

What data needs to be secure and from whom

Policy will have layers of defense: http://www.sans.org/rr/securitybasics/univ_level.php

Page 29: Summary

Define your Risks! – Answer the basic Who, What, When, Where, Why, How

Fix the Top 20 (or 30?)!

Create a Security Policy – Get buy-in from the Top and involve all departments

Feedback

Page 30: Where to Get More Information

Web resources

• http://www.sans.org – SANS (SysAdmin, Audit, Network, Security)

• http://www.cert.org – Computer Emergency Response Team

• http://www.incidents.org – Internet Storm Center tracking site

• http://www.secinf.net – Windows Network Security

• http://www.securityfocus.com/ – Unix, Windows, Virus, IDS

Page 31: Where to Get Information

Email Lists

– www.counterpane.com – Bruce Schneier; monthly email digest of computer security issues

– www.ntbugtraq.com – Windows NT security list

– www.intrusions.org – Daily digests of port probes and good discussions

– www.microsoft.com/security – Links to Microsoft’s security page

Page 32: HIPAA Information

HIPAA Security Policy Development: A Collaborative Approach – http://www.sans.org/rr/policy/HIPAA_policy.php

Administrative simplification under HIPAA – http://www.hhs.gov/news/press/2002pres/hipaa.html

Sample HIPAA compliance statement – http://www.medsoftusa.com/hippa.htm

Page 33: FERPA Information

Protecting the Privacy of Student Records, Guidelines for Education Agencies.– http://nces.ed.gov/pubs97/p97527/CONTENTS.HTM

Guidelines for Compliance with the Family Educational Rights and Privacy Act. – http://www.nyu.edu/apr/ferpa.htm

School Sample – http://www.oberlin.edu/archive/records/retention/departments.html