Posted on 21-Dec-2015
Summer 2004 – Information Security
Carl Forde
Introduction
Purpose: To present an outline of my projects and learnings for the summer.
Process: Present projects and learnings. Open the floor for questions.
Payoff: You will have an understanding of what I’ve worked on, how I proceeded, the customers, the value to the customers, and what I’ve learned.
Project Overview
SCADA Security
ASAT Reporting (ongoing project)
Performance Metrics (summer project plan) in compliance with IT 1.5 of ASAT
Adware/Malware Removal Tools
Oracle Discoverer user manual
Other activities
Project 1: SCADA Security
Scope: Provide fast, safe solution to secure SCADA systems
Customers: All BU’s using a SCADA system
Value to Customer: Safe and secure system that will allow a BU to continue processes easily
Research: What is SCADA?
Supervisory Control and Data Acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. As such, they are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyber space today. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, the performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak.
Analyze: The Problem At Hand
How much can we tighten security without impeding the system’s ability to perform its primary function?
Inventory: Identify Where SCADA Is Used
We must identify SCADA systems in use.
We must determine what security controls are already in place:
Process Owner
Site/Location
Anti-virus
Regular Security Audits
Current Security Patches
Network Access Restrictions (by device, by port)
How many users have access to the SCADA system (either directly or over the network)
SCADA Risks
Risks we must control:
Authorized internal users performing unauthorized tasks.
Email access by devices on the Process network.
Internet access from the Process network.
Wireless connectivity.
Risks we cannot control:
Hackers have targeted SCADA systems in the past and will do so more in the future.
The number of hacking attacks continues to increase dramatically.
Solutions to SCADA Security
Strong network access controls, much like a firewall, help.
Intrusion Detection Systems (IDS) help. However, monitoring is very expensive, and IDS are only reactive systems.
Most Effective Solution
Personal hardware firewall limiting access to specific devices and only on specific ports.
A SCADA network is only as secure as its weakest connecting point. It is essential to implement firewalls.
What is a Firewall?
A firewall is basically the first line of defense for your network. The basic purpose of a firewall is to keep uninvited guests from browsing your network. A firewall can be a hardware device or a software application and generally is placed at the perimeter of the network to act as the gatekeeper for all incoming and outgoing traffic.
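The per-device firewall principle above (specific devices, specific ports, and no email or Internet access from the Process network) can be checked mechanically against a ruleset. The following is an added example, not part of the original presentation; its rule format, addresses, device list and Process-network prefix are all constructed for illustration.

```python
# Added example (not from the presentation): audit a per-device firewall
# ruleset against the SCADA principle above: allow only specific devices on
# specific ports, and no email or Internet access from the Process network.
# Rule format, addresses and device list are all constructed for illustration.
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst port")
EMAIL_PORTS = {25, 110, 143}      # risks named on the slides
INTERNET_PORTS = {80, 443}
PROCESS_NET = "10.20.0."          # constructed Process-network prefix

def parse_rules(text):
    """Parse lines like 'allow 10.20.0.5 10.20.0.10 502' (action src dst port)."""
    return [Rule(*line.split()) for line in text.strip().splitlines()]

def audit(rules):
    """Return (rule_index, finding) pairs; an empty list means the ruleset passes."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if "any" in (r.src, r.dst):
            findings.append((i, "allow rule not limited to specific devices"))
        if r.port == "any" or "-" in r.port:
            findings.append((i, "allow rule not limited to a specific port"))
        elif r.src.startswith(PROCESS_NET):
            port = int(r.port)
            if port in EMAIL_PORTS:
                findings.append((i, "email access from the Process network"))
            if port in INTERNET_PORTS:
                findings.append((i, "Internet access from the Process network"))
    # A per-device firewall must fall through to deny everything not listed.
    if not rules or rules[-1] != Rule("deny", "any", "any", "any"):
        findings.append((len(rules), "ruleset does not end with a default deny"))
    return findings

# Constructed ruleset: Modbus/TCP (502) between two named devices is the only
# rule that satisfies the policy; the others each break one of its points.
SAMPLE_RULES = """
allow 10.20.0.5 10.20.0.10 502
allow 10.20.0.5 192.0.2.25 25
allow any 10.20.0.10 1024-65535
allow 10.20.0.7 203.0.113.8 443
"""

if __name__ == "__main__":
    for idx, msg in audit(parse_rules(SAMPLE_RULES)):
        print(f"rule {idx}: {msg}")
```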
Project 2: ASAT Reporting (ongoing project)
Scope: ASATs bring value to Alcoa as they drive better processes and controls while helping us to manage our environment. Reports help keep track of Alcoa’s ASAT progress.
Customers: Shareholders, Investors, Customers, Suppliers, Co-workers, Internal/External Audit, and everyone who does business with Alcoa.
Value to Customer: Peace of mind to know that Alcoa is in compliance with all laws, is living our values (Integrity, EHS, Customer, Excellence, People, Profitability, and Accountability), and is in control.
Research: What is an ASAT?
The Alcoa Self Assessment Tool, or ASAT, introduced as a multi-discipline tool in June, 1998, is a set of Management Control Objectives which are available to self assessors and auditors who need to assure management, administrative departments, and processes are meeting the expectations of good control standards and practices at Alcoa.
The ASAT provides objective feedback and identifies weaknesses in internal controls and processes. This process of identifying weaknesses and addressing them allows locations to ensure that their control environments are strong and that they remain strong.
Sarbanes-Oxley Legislation
On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, in response to incidents of accounting irregularities.
The Act established the Public Company Accounting Oversight Board (PCAOB) to oversee corporate governance, disclosure, and auditor standards.
Section 404 requires certification of a company’s internal control system by the CEO, CFO, and the external auditors.
Section 404 of the Act
Status of Section 404
Original deadline of 12/31/03 was changed to 12/31/04 to allow appropriate time for compliance with new guidance
Alcoa is moving forward in the assessment of our internal control system while the PCAOB (Public Company Accounting Oversight Board) prepares to publish further guidance on the certification process
What Other Companies Are Doing…
Article from CIOInsight.com, August 8, 2003: According to a survey conducted in April by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. And those companies are planning to spend $2.5 billion in 2003 alone on projects related to compliance.
To Ensure SOX 404 Compliance…
I assisted with reviews of ASAT work, specifically of testing documentation.
I looked for the name or initials of the person who did the test, the date of completion, summary of results, how the test was produced, and any special sampling methods
This is the minimum information that must be in the TrendTracker ASAT test text area, with a hyperlink to supporting details.
I went through over 40 ASAT sections and found that most of this information was present.
I informed Bill Yurkovich if the documentation present was weak.
Scoring: Self Assessment Levels
Level 5
Minimum Expectations: All applicable Minimum Expectations answered and thoroughly explained, giving the reader enough information to draw a clear conclusion.
Testing: Performed for all applicable Testing Suggestions for each objective.
Action Plans: Detailed action plans are developed, including an identified SPA and completion date. Progress is tracked on a regular basis. The action plans address the risk.
Frequency: All applicable minimum expectations and testing suggestions are completed in full at least every 18 months. The ASAT is part of an on-going management system.
Level 4
Minimum Expectations: All applicable Minimum Expectations are answered and thoroughly explained, giving the reader enough information to draw a clear conclusion.
Testing: The majority of applicable testing suggestions for each objective is completed in all applicable major areas.
Action Plans: Detailed action plans are developed, including an identified SPA and completion date. Progress is tracked on a regular basis. The action plans address the risk.
Frequency: No specific frequency stated. Most likely completed only in preparation of an audit.
Level 3
Minimum Expectations: All applicable Minimum Expectations are answered. Explanations are limited so that a clear conclusion cannot be made.
Testing: The majority of applicable testing suggestions for all objectives in at least one major area are completed. At least limited testing in the other applicable major areas.
Action Plans: Action plans are limited and may or may not include SPAs or completion dates.
Frequency: No specific frequency stated. Most likely completed only in preparation of an audit.
Level 2
Minimum Expectations: Minimum Expectations are answered with little explanation. All minimum expectations may not be complete.
Testing: No testing or limited testing.
Action Plans: Action plans are insufficient or are not developed. Control deficiencies are not addressed in a timely manner.
Frequency: No specific frequency stated. Most likely completed only in preparation of an audit.
Level 1
Minimum Expectations: No Minimum Expectations are answered.
Testing: No testing.
Action Plans: No action plans.
What Audit???
In Alcoa’s August 7 press release certifying our financial statements, Alain Belda said, “Alcoa has long had in place systems, procedures and controls to ensure the accuracy of our results, and we continually refine and improve upon these measures.”
Here at Alcoa an audit is not an event! Performing ASAT for the purpose of an upcoming audit is not a cost-effective use of resources and does not meet the requirements of ASAT Penetration Level 5. In fact, using this process is in violation of ABS principles because it results in the performance of two audits (a self-assessment and an internal audit). ASAT should not be done “for Audit,” but for the improvement of the process environment at each location.
How To Score Big: Obtain Level 5
To obtain a Level 5 in the ASAT process, a location is expected to have developed a “management system.” This entails performing a regular update of each location’s self-assessment. Audit has defined a regular update as at least once every 18 months. The update can be done all at one time, or it can be done in sections on an ongoing basis so that over an 18-month period, all of the objectives applicable to the location have been addressed and tested. Best practice is a 12-month schedule. Sustainability must be demonstrated in order to perform at an ASAT Level 5. This requires the completion of at least two ASAT cycles. The extent of testing completed in the ASAT should be based on the underlying risk of the process.
Good Idea: Performance Metrics!
IT 1.5: A program of on-going measurement of management and administrative processes reflects performance against business objectives and customer requirements and is used to drive improvement.
Tools: Marsh TrendTracker
The TrendTracker software is a suite of applications designed to automate and consolidate the Alcoa Self-Assessment and Audit Processes. This solution is intended to make the ASAT and Audit processes more efficient and helps to ensure that Alcoa’s facilities operate in accordance with the appropriate corporate and governmental standards, recommendations and best practices.
Tools: Oracle Discoverer
With Discoverer, you can get and analyze data that you know is in Alcoa’s databases, without having to understand difficult database concepts.
Using Wizard windows and menus, Discoverer guides you through the steps to get and analyze data that supports your decisions. Discoverer does most of the hard work for you by going directly to the Oracle tables and pulling out the exact information you need without returning redundant and unnecessary information.
Good Idea: Oracle Discoverer Instructions!
Write up some detailed instructions on how to run a pre-made report in Oracle Discoverer
Oracle Discoverer Instructions
Part I – Running A Report
1) Open Internet Explorer
2) Go to the Alcoa Audit homepage (http://intranet.alcoa.com/audit/default.asp?Level=1)
3) Click on “TrendTracker Web ASAT” at the top right
4) Click on “Launch TrendTracker” on the left menu
5) Click on the magnifying glass under iDiscoverer for the P650 instance
6) A new window will open
7) Click on the large image of a magnifying glass to launch Discoverer
8) When Discoverer launches, enter your username in the field provided
9) Enter your password in the field provided
10) Leave the Database as P650. Important: Uncheck the “Oracle Applications User” box
11) Click Connect or hit Enter
12) Click the “Open an existing workbook” button
13) Click the “Database” button
Project 3: Adware/Malware Removal Tools
Scope: Research and test removal tools that will satisfy the needs of Alcoa at an Enterprise level
Customers: All Alcoa computer users
Value to Customer: Fixes these problems:
Loss of bandwidth due to advertising traffic
Loss of personal productivity due to users trying to cope with annoying pop-up ads
Increased costs and workload as the help desk personnel manually clean workstations
Loss of personal privacy due to cookies that track web surfing patterns
Degraded stability and usability of the workstation
Research: What is Adware/Malware?
Adware: Software that runs targeted advertisements on a PC and uses web-surfing patterns to target ads to users.
Malware: Malware, or Malicious Code, is a catch-all term used to refer to various types of software that can cause problems or damage your computer. The more common classes of program referred to as malicious code are viruses, worms, Trojan horses, macro viruses, and backdoors.
Research: Who is the BEST?
The BEST for Alcoa
What is needed for an Enterprise Solution:
Central Management
A management console that can manage thousands of clients
Web Interface for remote monitoring
Exception reporting and drill-down reporting
Alerting (SMS, pager, email)
Delegated access control to management interface (i.e., reports only)
User, group and enterprise policies
Integration with AD for users and group structure
Extended actions (ignore, selective ignore, fence, delete, repair, quarantine)
The BEST for Alcoa, continued
Minimum systems and network overhead
Software distribution tools for agents and updates
Hierarchical signature distribution
Scheduled and push signature distribution
Policy and update procedures that are location-dependent (i.e., remote laptops)
Remotely deployable repair/cleanup tools with rollback capability
Proactive software action filters/warnings (i.e., “Warning, this software is… continue or abort?”)
List of spyware filtered
Around-the-clock lab to monitor threats, find new malware, and distribute signatures
Minimal end user controls (locked local client)
Scalable signature distribution facilities to meet demands of clients
Solution: The Sad Truth…
At this time there are no silver bullets. A combination of standards, procedures, and products will be required to reduce the different types of extended threats, including adware and malware. Although Microsoft’s XP Service Pack 2 will reduce the number of existing threats, additional software will always be necessary to protect users. These types of attacks will always be a threat because they do not attack the operating system but trick the user into compromising security.
Solutions: There is hope!
Some of the options that can be implemented to reduce the extended threats are:
Tighten browser security settings, i.e., disable Install on demand (IE) and Install on demand (other).
Tighten Web Gateway – create a block for the X-Stop box with a list of sites that have known advertisers, marketers, and junkware.
Deploy enterprise anti-spyware tools as they become available.
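The web gateway block list described above is, in effect, a domain-suffix filter applied to every outbound request. The following is an added example, not part of the original presentation: it runs a constructed block list over constructed proxy log lines, matching on whole DNS labels so that subdomains of a listed site are caught while look-alike names that merely contain the string are not. Block list entries, hostnames and the log format are all constructed.

```python
# Added example (not from the presentation): apply a gateway block list of
# known advertiser/junkware sites, as the X-Stop item above describes, to
# constructed proxy log lines and report what would have been blocked.
# The block list entries, hostnames and log format are all constructed.
from urllib.parse import urlsplit

# Each entry blocks the domain itself and every subdomain of it.
BLOCKLIST = {"ads.example", "junkware.example", "tracker.example.net"}

def host_blocked(host, blocklist=BLOCKLIST):
    """Match on DNS labels, so 'cdn.ads.example' is blocked but
    'notads.example' (a mere substring match) is not."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name up through its parent domains: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def filter_log(lines, blocklist=BLOCKLIST):
    """Return (blocked_urls, allowed_count) for 'client_ip url' log lines."""
    blocked, allowed = [], 0
    for line in lines:
        _client, url = line.split()
        # urlsplit strips any :port, userinfo and path before we match the host
        if host_blocked(urlsplit(url).hostname or "", blocklist):
            blocked.append(url)
        else:
            allowed += 1
    return blocked, allowed

# Constructed proxy log: one request per line, "client_ip url".
SAMPLE_LOG = [
    "10.1.1.20 http://www.example.com/news/index.html",
    "10.1.1.20 http://cdn.ads.example/banner.gif",
    "10.1.1.21 http://junkware.example/install/toolbar.exe",
    "10.1.1.22 http://notads.example/index.html",
    "10.1.1.23 https://tracker.example.net:8443/pixel?id=1",
]

if __name__ == "__main__":
    blocked, allowed = filter_log(SAMPLE_LOG)
    print(f"{len(blocked)} blocked, {allowed} allowed")
    for url in blocked:
        print("BLOCK", url)
```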
Other Activities
Intern Conference
The famous NADC (tour)
ABS Training: Make to use; Eliminate waste; People linchpin the system
Teambuilding Exercise
Thank You Alcoa!