<ul>
<li>SUG session on VLAN</li>
<li>Improved incident response: tool to rapidly identify wallplates; Quick Assignments lookup tool; found 450 unregistered IPs (notification in progress); wireless blocking</li>
</ul>
Information Security Risk Assessment and Plans NPTF, October 18, 2004
Meeting Objective
<ul>
<li>Briefly review 2003-2004 objectives</li>
<li>Do a reasonableness check on our plans for the next two years prior to costing them out.</li>
</ul>
Security Strategies
<ul>
<li>Risk-driven: focus on those opportunities with the highest risk-reduction bang for the buck.</li>
<li>Make security the default wherever possible.</li>
<li>Achievable, affordable plans. Concrete steps and early deliverables. Extend early successes in subsequent years.</li>
<li>Security-in-depth: prevention, detection, response.</li>
<li>Evaluate a network design and migration strategy that balances availability against security and is capable of supporting broader preventative network security measures.</li>
</ul>
2003-2004 Activities
Standards
<ul>
<li>Patch Management</li>
</ul>
Services/Technologies
<ul>
<li>SUS – 4200 registered users</li>
<li>Secure Out of Box</li>
<li>Email Virus/Spam filtering</li>
<li>Improved incident response</li>
<li>VLAN support</li>
<li>Wireless authentication &amp; authorization</li>
<li>Limited, short-term filtering at PennNet edge</li>
<li>IDS Pilot</li>
</ul>
LSP Training
<ul>
<li>Patch management</li>
</ul>
End User Awareness
<ul>
<li>Patch management, strong passwords, desktop operating system firewalls</li>
</ul>
Policy Activities
<ul>
<li>Patch Management</li>
</ul>
Intrusion Detection
<ul>
<li>A new tool, Arbor Peakflow, allows us to collect and analyze network "flow" info from Penn routers.</li>
<li>This helps us to see lists of
<ul>
<li>top talkers,</li>
<li>traffic by protocol (web vs email vs p2p vs voice vs video, etc),</li>
<li>traffic by destination service provider (Cogent vs Qwest vs Abilene/Internet2),</li>
<li>and much more.</li>
</ul>
</li>
</ul>
Intrusion Detection
<ul>
<li>Peakflow also allows us to identify denial of service (DoS, DDoS) attacks in progress, including sources and protocols, and possible filtering options.</li>
<li>In this role, the Arbor Peakflow tools act as a very sophisticated distributed IDS, helping us to do targeted filtering during major network-based attacks.</li>
<li>No dedicated IDS systems needed to be put inline into the network. NetFlow data from the routers is used.</li>
</ul>
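The two slides above describe what flow-based monitoring gives an operator: top talkers, traffic by service class, and a view of a DDoS in progress (which destination, how many sources, which protocols a filter would need to cover). The following is an added example, not code from the presentation or from Arbor Peakflow, that computes those three summaries over a handful of constructed flow records; the record layout, the service-class table and the 20-source threshold are assumptions made for the example.

```python
"""Added example: summarising router flow records into top talkers,
bytes by service class and a crude many-sources-to-one-host DDoS indicator.
All flow records below are constructed sample data, not real traffic."""
from collections import Counter, defaultdict

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.5", "192.0.2.10", "tcp", 80,   500_000),
    ("10.1.1.5", "192.0.2.11", "tcp", 443,  300_000),
    ("10.1.2.7", "192.0.2.10", "tcp", 25,   20_000),
    ("10.1.3.9", "192.0.2.12", "udp", 6881, 900_000),
    ("10.1.3.9", "192.0.2.13", "tcp", 6881, 100_000),
    ("10.1.4.2", "192.0.2.10", "udp", 5060, 40_000),
]
# Thirty constructed sources all hitting one host on UDP/53 (a flood pattern)
SAMPLE_FLOWS += [(f"198.51.100.{i}", "192.0.2.20", "udp", 53, 1_500)
                 for i in range(30)]

# Assumed service classes keyed by (proto, dst_port); anything else is "other"
SERVICE_CLASSES = {
    ("tcp", 80): "web", ("tcp", 443): "web",
    ("tcp", 25): "email", ("tcp", 143): "email",
    ("tcp", 6881): "p2p", ("udp", 6881): "p2p",
    ("udp", 5060): "voice", ("udp", 53): "dns",
}


def classify(proto, port):
    return SERVICE_CLASSES.get((proto, port), "other")


def top_talkers(flows, n=3):
    """Return [(src_ip, total_bytes)] sorted by bytes sent, descending."""
    totals = Counter()
    for src, _dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def bytes_by_service(flows):
    """Total bytes per service class (web, email, p2p, voice, dns, other)."""
    totals = Counter()
    for _src, _dst, proto, port, nbytes in flows:
        totals[classify(proto, port)] += nbytes
    return dict(totals)


def ddos_candidates(flows, min_sources=20):
    """Destinations contacted by an unusually large number of distinct sources.
    Returns {dst_ip: {"sources": count, "protocols": {(proto, port), ...}}} so an
    operator can see which protocol/port pairs a filter would have to cover."""
    sources = defaultdict(set)
    protocols = defaultdict(set)
    for src, dst, proto, port, _nbytes in flows:
        sources[dst].add(src)
        protocols[dst].add((proto, port))
    return {dst: {"sources": len(srcs), "protocols": protocols[dst]}
            for dst, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("by service:", bytes_by_service(SAMPLE_FLOWS))
    print("DDoS candidates:", ddos_candidates(SAMPLE_FLOWS))
```

The distinct-source count is what separates a flood from a popular server: the web host 192.0.2.10 receives traffic from several clients but stays under the threshold, while the DNS host is reported together with the single protocol/port pair a filter would need.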
2004-2005 Risk Assessment
Risk dimensions: Availability, Integrity, Confidentiality
Relative risk scale: Lower, Intermediate, Higher
Risks assessed:
<ul>
<li>Zero-day worm</li>
<li>Viruses/worms</li>
<li>Obtaining patches for non-operating system applications</li>
<li>New machines arrive on campus</li>
<li>Malicious acts by disgruntled employee</li>
<li>Viruses/worms</li>
<li>Phishing</li>
<li>Web application security</li>
<li>Sniffing</li>
</ul>
Proposed Security Plans (2004-2005 and 2005-2006)
End User Awareness
<ul>
<li>Phishing, email attachments, dangerous URLs</li>
<li>Misuse of University data</li>
<li>Application security patches</li>
<li>Disabling file sharing</li>
</ul>
Standards
<ul>
<li>Firewall appliance, model server/workgroup firewall policies</li>
<li>VPN gateway</li>
</ul>
Services/Technologies
<ul>
<li>Integrated network authentication/vulnerability scanning</li>
<li>Campus-wide wired and wireless network authentication</li>
<li>Self-service scanning rollout</li>
<li>Self-service scanning pilot</li>
<li>Web security audits</li>
<li>Raise security out of box bar and expand to most year-round purchases</li>
<li>Evaluate web application security scanners</li>
<li>PennKey hardware authentication R&amp;D</li>
<li>Create new web materials supporting security patches to common applications.</li>
</ul>
LSP Training
<ul>
<li>Web application security</li>
</ul>
Policy
<ul>
<li>Critical data on managed servers with backup</li>
<li>Mandatory desktop operating system firewalls</li>
<li>Mandatory rebuilds when compromised</li>
<li>Virus filtering on mail servers.</li>
<li>Require authentication/encryption for additional protocols.</li>
<li>Broader enforcement of signed confidentiality statements</li>
<li>Security &amp; Privacy Impact Assessment (SPIA)</li>
</ul>
Improving Web App Security
Risk Assessment
<ul>
<li>Following a peer's problem with SSN authentication, we found two similar problems at Penn. In 2003, we had reports from end users of two sensitive web applications giving any user access to anyone else's data.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Information Security to develop and publish criteria for sensitive web-based applications, work to identify them on campus and manually audit for common errors.</li>
<li>Security &amp; Privacy Impact Assessment will mandate risk assessments for applications providing private personal information.</li>
<li>Web-based application scanners can detect sophisticated attacks like cross-site scripting and SQL injection, but to date have not been effective at finding some of the simplest and most common errors that application developers make. Continue to evaluate these tools.</li>
<li>Establish a one-hour class covering some of the most common security errors in web-based applications.</li>
</ul>
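The risk-assessment bullet above, a sensitive application "giving any user access to anyone else's data", is the simple, common developer error the slide says scanners miss: the application authenticates the caller and then trusts a record identifier from the request without checking that the caller owns it. The following is an added example, not code from the presentation or from any Penn application, showing that lookup in its broken and corrected forms plus the kind of cross-user check a manual audit would run; the records, session cookies and user names are constructed.

```python
"""Added example: a record lookup that authenticates but never authorises
(any logged-in user can read anyone's data) beside the corrected version,
and a small audit helper that counts cross-user reads for either handler.
All records, sessions and users below are constructed sample data."""

# Constructed sensitive records keyed by student id
RECORDS = {
    "s1001": {"owner": "alice", "ssn_last4": "1234", "grades": ["A", "B"]},
    "s1002": {"owner": "bob",   "ssn_last4": "9876", "grades": ["C"]},
}
# Constructed session-cookie -> authenticated user mapping
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """No record the caller is allowed to see under that id."""


def get_record_vulnerable(session_cookie, student_id):
    """'Before' form: checks that *someone* is logged in, then returns whatever
    record id the request names. Any user can read any other user's data."""
    if session_cookie not in SESSIONS:
        raise Forbidden("not logged in")
    return RECORDS[student_id]          # missing ownership check


def get_record_hardened(session_cookie, student_id):
    """'After' form: the record must belong to the authenticated principal.
    A foreign record and a missing record raise the same error so the
    endpoint does not confirm which ids exist."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise Forbidden("not logged in")
    record = RECORDS.get(student_id)
    if record is None or record["owner"] != user:
        raise NotFound("no such record for this user")
    return record


def can_read(handler, session_cookie, student_id):
    """True if the handler returns the record rather than refusing."""
    try:
        handler(session_cookie, student_id)
        return True
    except (Forbidden, NotFound, KeyError):
        return False


def cross_user_reads(handler):
    """Audit helper: number of (user, record) pairs where the user can read a
    record they do not own. The expected value for a correct handler is 0."""
    leaks = 0
    for cookie, user in SESSIONS.items():
        for sid, rec in RECORDS.items():
            if rec["owner"] != user and can_read(handler, cookie, sid):
                leaks += 1
    return leaks


if __name__ == "__main__":
    print("vulnerable handler cross-user reads:", cross_user_reads(get_record_vulnerable))
    print("hardened handler cross-user reads:", cross_user_reads(get_record_hardened))
```

The audit loop is the part worth keeping: it exercises every authenticated user against every record and needs no knowledge of how the identifiers are constructed, which is why it catches this class of error where a payload-driven scanner does not.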
Sniffing
Risk Assessment
<ul>
<li>It's becoming increasingly likely that critical, unencrypted passwords and sensitive email messages may be captured, particularly on wireless networks, where anyone with a wireless card can view anyone else's network traffic unless it is encrypted.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Considerable progress has been made in the availability of clients and servers supporting strong authentication (e.g. SMTP, LDAP). Revisit the Critical Host policy and update it with new requirements for strong authentication, and possibly encryption, for those applications for which it makes sense.</li>
</ul>
New machines arrive on campus
Risk Assessment
<ul>
<li>Approx. 2,500 new / 7,500 returning computers connect to PennNet at the start of the academic year. Many machines are not patched, or have become infected.</li>
<li>Probably between 1000 and 2000 mobile laptops move between PennNet and other network providers (e.g. home ISPs, other employers' networks, etc.).</li>
<li>Adequately securing transient machines is manually intensive, requiring IT staff time to check patch level, passwords, A/V signatures, etc. In many cases, e.g. public wireless locations, it is simply not possible to ensure that machines are properly secured.</li>
<li>Ensuring that machines get rebuilt following infection, particularly student machines, is difficult. We currently have no way to enforce our requirement that infected machines be rebuilt, and a widespread worm could lead to long waits to rebuild infected student machines.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Integrate vulnerability scanning with wired and wireless login processes. Place infected or vulnerable machines in a "quarantine" VLAN that only allows them connectivity to patch management services.</li>
<li>Test Windows XP SP2 "secure network connect" feature: blocks all connections until critical patches are applied. If successful, provide broad education and expanded out-of-box defaults to ensure that Windows XP Service Pack 2 machines are configured to use a</li>
<li>Expand out-of-box program to include most year-round computer purchases.</li>
<li>Require in Computer Security Policy that operating system firewalls be enabled, and that "secure network connect" features be enabled, where present.</li>
<li>Modify Disconnect policy to authorize Information Security to require rebuilds before reconnection to PennNet when machines are compromised at the most privileged level.</li>
</ul>
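The first proposal above ties a posture scan to the network login and puts vulnerable or infected hosts on a quarantine VLAN that reaches only patch services. The following is an added example, not code from the presentation or from Penn's network, of the decision logic such an integration needs: evaluate a host report against policy, pick a VLAN, and express that choice as the RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, from RFC 2868) that switches and wireless controllers accept for VLAN assignment. The VLAN numbers, the policy thresholds, the host reports and the patch identifier are constructed assumptions.

```python
"""Added example: posture evaluation at network login with quarantine-VLAN
assignment expressed as standard RADIUS tunnel attributes (RFC 2868).
VLAN ids, thresholds and the host reports are constructed, not Penn's values."""
from dataclasses import dataclass, field

PRODUCTION_VLAN = "100"   # constructed: normal campus access
QUARANTINE_VLAN = "666"   # constructed: reaches patch management services only
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold for A/V signatures


@dataclass
class HostReport:
    """Result of the scan run when a host authenticates to the network."""
    hostname: str
    missing_critical_patches: list = field(default_factory=list)
    av_signature_age_days: int = 0
    firewall_enabled: bool = True
    infection_detected: bool = False


def posture_failures(report, max_sig_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Return the list of policy failures; an empty list means the host may
    join the production VLAN. Every failure is recorded so the user sees all
    of them at once rather than one per re-scan."""
    failures = []
    if report.infection_detected:
        failures.append("infection detected; rebuild required before reconnection")
    if report.missing_critical_patches:
        failures.append("missing critical patches: "
                        + ", ".join(report.missing_critical_patches))
    if report.av_signature_age_days > max_sig_age_days:
        failures.append(f"A/V signatures {report.av_signature_age_days} days old")
    if not report.firewall_enabled:
        failures.append("operating system firewall disabled")
    return failures


def assign_vlan(report):
    """Quarantine on any failure; the default is the restrictive choice."""
    return QUARANTINE_VLAN if posture_failures(report) else PRODUCTION_VLAN


def radius_reply_attributes(report):
    """Attributes for the Access-Accept that tell the switch or controller
    which VLAN to place the port or session on (RFC 2868 tunnel attributes)."""
    return {
        "Tunnel-Type": "VLAN",               # RFC 2868 value 13
        "Tunnel-Medium-Type": "IEEE-802",    # RFC 2868 value 6
        "Tunnel-Private-Group-Id": assign_vlan(report),
    }


# Constructed host reports used for the demonstration below
CLEAN_HOST = HostReport("lab-01")
STALE_HOST = HostReport("dorm-17",
                        missing_critical_patches=["PATCH-EXAMPLE-001"],  # placeholder id
                        av_signature_age_days=30)
INFECTED_HOST = HostReport("dorm-22", infection_detected=True, firewall_enabled=False)

if __name__ == "__main__":
    for host in (CLEAN_HOST, STALE_HOST, INFECTED_HOST):
        print(host.hostname, assign_vlan(host), posture_failures(host))
```

Keeping the policy in one function makes the quarantine criteria auditable, and returning all failures at once matters in practice: a student told only about the oldest problem will come back to the captive portal several times before reaching the production VLAN.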
Viruses/Worms
Risk Assessment
<ul>
<li>Considerable progress in the past year limiting the spread of malware. The remaining significant risks of the spread of malware are through users clicking on virus-infected email attachments, or clicking on URLs with harmful content that exploit vulnerabilities in web browsers.</li>
<li>Saw first widespread destructive worm this year: Witty</li>
<li>AOL announced this year general availability of AOL PassCode, a two-factor authentication</li>
<li>Keystroke logging (viruses/worms that capture user keystrokes like passwords, credit card numbers or other sensitive data) is becoming more common. These worms store keystrokes on the local HD or send them to IRC.</li>
<li>Keystroke logging worms and backdoors are beginning to appear more frequently: 9/03 Fizzer worm, Bugbear (seen at Penn); 4/04 SDBot (seen at Penn)</li>
<li>Wide distribution of a keystroke logging worm could seriously undermine the security of PennKey passwords.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Additional emphasis on email attachments, web surfing and firewalls in end user awareness campaign.</li>
<li>Critical Host Policy to require all critical University data on managed servers with backups, and to mandate virus filtering on mail servers.</li>
<li>Computer Security Policy to require activation of desktop operating system firewalls.</li>
<li>PennKey was designed to include the flexibility to expand PennKey authentication from simple password-based authentication to also support stronger forms of authentication such as hardware authentication tokens. Begin R&amp;D work and develop a contingency plan for supplementing PennKey password authentication with stronger forms of authentication. Among other options, explore possible integration of hardware authentication tokens with next-generation PennCard.</li>
</ul>
Phishing
<ul>
<li>Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.</li>
</ul>
Phishing
Risk Assessment
<ul>
<li>Gartner estimates 30 million Americans have received a phishing attack, and about 3 percent submitted personal information in response. The threat against personal financial data and identity theft is greater than the threat against University data -- no phishing attacks have yet been reported targeting Penn passwords/systems. However the potential is there, and the most effective remedy, awareness, is inexpensive.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>End user awareness is the most effective tool. End users must know the ease with which email can be forged, the importance of not clicking on dangerous/suspect URLs, and must be wary of any email requests to enter usernames, passwords, credit card numbers and social security numbers. Include phishing in broad end user security education.</li>
</ul>
Malicious Employee
Risk Assessment
<ul>
<li>We've had relatively few cases reported of malicious use of access to critical/sensitive University data. However, misuse of privileged access by employees is a more likely threat than risks to confidentiality/integrity from worms, viruses or computer hacking. Individual units on campus work to ensure that employees with sensitive access must sign confidentiality statements; however, there is currently no policy that requires this.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Include misuse of University data in broad employee communications.</li>
<li>Broader enforcement of need for signed employee confidentiality statements.</li>
</ul>
Patches for Applications
Risk Assessment
<ul>
<li>We have focused in the past year on putting in place services to ensure that critical operating system patches get quickly applied. We currently do not have a systematic program for ensuring that application security patches (e.g. Netscape Navigator, AOL Instant Messenger, etc.) get deployed. In many cases, particularly for students, our ability to apply Microsoft Office patches is limited when students did not retain their original Office CD.</li>
</ul>
Proposal Subject to Approval
<ul>
<li>End user awareness is the most effective tool. Work to make sure that end users and LSPs understand the importance of applying not only operating system patches, but application patches as well. Make sure that new student communications mention the importance of bringing original CDs to campus. Expand the Information Security website to provide resources for managing application security for common applications at Penn.</li>
<li>Provide and test recommendations for patching MS applications without needing the original CD.</li>
</ul>
Zero Day Worm
Risk Assessment
<ul>
<li>A "zero day worm" is one that exploits a vulnerability which has not been publicly disclosed, and for which no patches are available. All machines running the targeted service would be vulnerable, even if fully patched.</li>
<li>Limiting factors are the ability to acquire many zero day exploits and the ability to conduct extensive testing on numerous platforms. Nation-states are the only groups likely to have sufficient resources.</li>
<li>Windows SMB/CIFS file sharing service (the garden-variety Windows File Sharing service enabled on numerous Penn Windows machines) is the most likely target of a worst-case worm.</li>
<li>A blended attack would be most likely: the Windows file sharing attack would only be one attack vector, supplemented by email and spread to trusted, open file shares.</li>
<li>A 60% rate of compromise for the world's business PCs is a reasonable estimate for an attack by a nation-state.</li>
<li>Machines not behind firewalls, but with direct Internet connectivity, would be compromised in minutes at most.</li>
<li>Most machines would be compromised within several hours, whether on private intranets or with direct Internet connectivity.</li>
<li>Estimated cost per system is $5-6K (data loss, productivity, hardware damage).</li>
<li>Source: "Worst Case Worm Scenario" http://www.icir.org/vern/papers/worst-case-worm.WEIS04.pdf</li>
</ul>
Proposal Subject to Approval
<ul>
<li>Include expanded information about file sharing risks and how to disable file sharing in campus-wide end-user awareness communications.</li>
<li>Modify Computer Security Policy to require activation of operating system firewalls for all desktops.</li>
<li>Modify Critical Host Policy to require that within 2-4 years all critical University data be stored on centrally or locally managed file servers with a backup program in place.</li>
</ul>