Educause Annual 2007
Published in: Technology, Education

Transcript

  • 1.
    • Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
    • Joshua Drummond, Security Architect
    • Neil Matatall, Security Programmer/Analyst
    • Marina Arseniev, Associate Director of Enterprise Architecture
    • University of California, Irvine
  • 2. About us…
    • Located in Southern California
    • Year Founded: 1965
    • Enrollment: over 24K students
    • 1,400 Faculty (Academic Senate)
    • 8,300 Staff
    • 6,000 degrees awarded annually
    • Carnegie Classification: Doctoral/Research – Extensive
    • Extramural Funding - 311M in 2005-2006
    • Undergoing significant enrollment growth
  • 3. Security Status Across Higher Ed? http://www.privacyrights.org
      • 800,000 in November 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants.
      • 5,800 in August 2007: A computer holding the SSNs of students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.
      • 4,375 in September 2007: Former students at risk of identity fraud after an instructor's laptop computer was stolen.
      • 3,100 in September 2007: A technical problem in the way student bills are printed possibly allowed student SSNs to be sent to another student's address.
  • 4. Security is Multi-layer
  • 5. We do a lot… SDLC and Change Management
    • Security requirements and design reviews from get-go.
    • Code reviews
    • Developers reuse security components
    • Automated nightly code and application security scanning
    • Scheduled network & configuration vulnerability scanning
    • Consolidated storage of sensitive data, database model reviews of personal identity data
    • Concurrency and stress testing to detect thread-safety problems
  • 6. Still had problems
    • Urgent call from our director:
      • Have you patched server X?
      • Is Server Y behind a firewall?
      • Did Server Y have any Credit Card information stored?
      • Is the database encrypted?
      • When was the last time a security review of Application X was done?
    • Peter The Anteater is on vacation!
    • Peter is now at Google!
    • Different answers from different people.
    • Little confidence that information is current.
  • 7. Not enough…
      • Many security layers meant many documents owned by many people
      • Scattered checklists, spreadsheets, and diagrams not accessible
      • Host IP change = document update nightmare.
      • New server? Update how many firewalls?
      • Missing information, such as whom to contact
      • Proprietary knowledge departed with staff turnover
      • Spreadsheet Hell!
  • 8. What we learned …
    • Maintaining separate spreadsheets on server configurations, firewalls, and personal identity data, each with redundant and inconsistent information, is inappropriate in today's security climate.
    • Explored different approaches and tools – both vendor and open source.
    • Merged with the Enterprise Architecture approach to use Stanford’s Protégé Knowledgebase.
      • Open source ontology and knowledge-based tool, to intelligently capture and maintain comprehensive enterprise security information in a single repository.
  • 9. Objectives
    • Quickly respond to threats.
    • Organize, consolidate, and centralize security procedures and facts about layers of security.
      • Facts about data, architectures, components, applications, encryption, auditing/logging, firewalls/rules, backup procedures, etc.
      • Track security checklists
      • Track code, database, and security reviews, results and follow-up
      • Track oversight functions for secure development, acquisition, maintenance, operations and decommissioning.
  • 10. Agenda
    • Background on Ontologies and Protégé
    • Realized value - demonstration of our knowledgebase and reports
    • How to implement this in your organization
    • Summary
    • Useful URLs and Q&A
  • 11. Background
    • What is an Ontology?
      • “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.”
      • Supports inheritable properties (is-a)
      • Attributes of an object can be complex objects themselves (rich). Nestable…
    [Diagram: Book ontology example – classes Book, Writing, Short Story, Novel, Historical, Classic, Medieval, Modern]
  • 12. Stanford University’s Protégé
    • Allows easy modeling and creation of ontology
    • Auto generates forms for collecting and capturing information based on ontology and class definitions.
    • “Reverse slots” allow rich linking ability and automatic updates of changing relationships.
      • Remember the removal of the server and associated updates of firewall rules?
  • 13. Stanford University’s Protégé
    • Generates an HTML view of knowledge and ontology.
    • Can be exported in XML format
      • generate reports in other formats and for specific audiences, without storing redundant data.
    • Multi-user capable
    • Highly scalable
      • Simulations have handled over 5 million objects
    • Open source at http://protege.stanford.edu/
      • Java API to program against
      • Under active development (last release Aug 24, 2007)
  • 14. Protégé GUI
  • 15. Protégé – Knowledge Capture
  • 16.  
  • 17. HIPAA?
  • 18. Protégé – Application Instances
  • 19. Protégé – Authentication Instances
  • 20. Protégé – Authorization Instances
  • 21. Protégé – Patching Procedures
  • 22. Protégé – Backup Procedures
  • 23. Protégé – Query Capability
  • 24. Agenda
    • Background on Ontologies and Protégé
    • Realized value - demonstration of our knowledgebase and reports
    • How to implement it in your organization
    • Summary
    • Useful URLs and Q&A
  • 25. Using Protégé to Capture Reviews
  • 26. Using Protégé to Capture Reviews
  • 27.  
  • 28. Realized Value: Auto-generated Reports from Protégé
    • Network Inventory Report
      • By Host Name
      • By IP Address
    • Firewall Rules Report
      • By Firewall
      • By Host Name
      • By IP Address
    • Personal Identity Database Report
      • By Server
      • By Database
    • Personal Identity Datafile Report
      • By Server
    • Application Report
      • Includes developed and vendor applications
  • 29. Before and After - Firewalls
    [Diagram: roles involved – Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]
  • 30.  
  • 31. Report: Firewall by Host
  • 32. Reports: Personal Identity Database by Server
  • 33. Reports: Personal Identity Datafile by Server
  • 34. Agenda
    • Background on Ontologies and Protégé
    • Realized value - demonstration of our knowledgebase and reports
    • How to implement it in your organization
    • Summary
    • Useful URLs and Q&A
  • 35. How to Implement in your Organization…
    • Step 1: Inventory existing spreadsheets and documents
    • Step 2: Identify information you want to track centrally.
    • Step 3: Design your ontology (or copy ours)
    • Step 4: Assign roles – who updates, who views
    • Step 5: Capture information
    • Step 6: Add any customizations to Protégé
    • Step 7: Create secured reports for various audiences
  • 36. Our Ontology
  • 37. Updates
    • 3 ways to update your knowledge base
    • Desktop Client / Local Project
      • Only one person can update at a time
      • Must have access to project file
    • Web Server
      • Multi-User, access anywhere
      • Interface has its weaknesses
    • Client / Server
      • Best of both worlds
      • Must have desktop client installed
  • 38. Updates – Client / Server
    • Use built-in client-server mode for multi-user updates
    • Grant access to individual users
      • Support for role-based permissions
    • Updates are propagated in near-real-time
    • BE CAREFUL!
      • Everything is stored in plain text
  • 39. Customizations
    • Modified the existing HTML Export plug-in to change the structure of the output HTML
      • Encrypt Sensitive Values
      • List Instances before Slots on Class pages
      • Made string attributes that are URLs actual hyperlinks
      • Add line breaks between multiple Slot values
  • 40. Using Protégé to Capture Reviews
  • 41. Automation
    • Although editing of the knowledge base is done centrally through the desktop client, we wanted to automate the generation of reports
    • Wrote two Java classes that use the Protégé API to emulate actions usually done through the GUI
      • edu.uci.adcom.protege.ProjectXmlExport
      • edu.uci.adcom.protege.ProjectHtmlExport
  • 42. Using XSLT for Reports
    • Replicate exactly and replace former spreadsheets with the same functionality
    • Created canned reports for specific views on knowledge
    • XSLT is used to transform XML export of entire knowledge base to report specific “simple” XML
    • Then again from the “simple” XML to multiple HTML views for each report
    • XSL and CSS are flexible and can be modified to customize presentation of data
  • 43. Report Generation Process Outline
    • Protégé
    • Java - edu.uci.adcom.ProjectXMLExport
    • XSLT – Massage to Domain Specific Data
    • XSLT – Generate Individual Reports (For Web Reports)
    • CSS – To Customize the Display
  • 44. Reports: Personal Identity Datafile by Server
  • 45. Putting it all together
    • Ant script is used to tie everything together
    • Can be easily scheduled to generate reports
  • 46. Metrics – Firewall Management
    • Before
      • Border, Police, Financial Services, Windows OS, and Server Firewall
      • Each firewall had its own spreadsheet maintained by a different person (5 spreadsheets total)
      • 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
    • After
      • Centralized inventory of knowledge about firewall rules
      • Zero spreadsheets
      • 3 custom reports – HTML and Excel
      • Centralize maintenance of single repository across organizational units
      • No redundancy
  • 47. Metrics – Network and Data Inventory
    • Before
      • White boards and documents
        • Partial network inventory
        • Unpatched servers on whiteboard
      • 4 units keeping redundant or out-of-sync information in private locations
      • Limited access - personal computers
      • Sensitive data locations unclear
      • Servers with no virus protection or backups
    • After
      • New information - that didn’t exist
        • Integrated database, network, and application information
      • Zero spreadsheets
      • 9 custom reports – HTML and Excel
      • Centralize maintenance of repository across organizational units
      • Access to repository extended to 60 individuals based on privileges
      • Clearer view of potential holes in security for analysis and proactive planning
      • Sensitive data tracked
        • 40 data files
        • 50 database fields
      • Added 40 hosts to backup and anti-virus scanning procedure
  • 48. Future Plans
    • Continue to evolve the ontology to include more attributes and relationships
    • Continue capturing and updating new information
      • Automate capture of information with tools
    • Create a plugin for encrypting sensitive information
    • Create a slot-based authorization plugin
    • Generate checklists intelligently based on attributes
      • Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
    • Create notifications about potential trouble spots
      • A personal identity database field that has not been encrypted.
  • 49. Q&A
    • AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
    • Stanford’s Protégé Knowledgebase and Ontology Tool (Java, Open Source) - http://protege.stanford.edu
    • XML/XSLT processing - http://xerces.apache.org
    • Ant - http://ant.apache.org
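As an added illustration of the report pipeline in slides 41 to 43 (this is not code from the presentation or from UCI's AdCom): the XSLT "massage" stage rewritten in Python, run against a constructed, simplified Protégé-frames XML export, producing the report-specific "simple" XML for a Firewall Rules by Host report. The class and slot names (Host, FirewallRule, hostname, firewall, host, port) are assumptions; the reverse-slot join also surfaces hosts that no firewall rule covers.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample export: element names follow the Protege 3 frames XML export; class and slot names are assumed.
SAMPLE_EXPORT = """<knowledge_base>
<simple_instance><name>host_1</name><type>Host</type>
 <own_slot_value><slot_reference>hostname</slot_reference><value value_type="string">db1.example.edu</value></own_slot_value>
</simple_instance>
<simple_instance><name>host_2</name><type>Host</type>
 <own_slot_value><slot_reference>hostname</slot_reference><value value_type="string">web1.example.edu</value></own_slot_value>
</simple_instance>
<simple_instance><name>rule_1</name><type>FirewallRule</type>
 <own_slot_value><slot_reference>firewall</slot_reference><value value_type="string">Border</value></own_slot_value>
 <own_slot_value><slot_reference>host</slot_reference><value value_type="instance">host_1</value></own_slot_value>
 <own_slot_value><slot_reference>port</slot_reference><value value_type="integer">1433</value></own_slot_value>
</simple_instance>
<simple_instance><name>rule_2</name><type>FirewallRule</type>
 <own_slot_value><slot_reference>firewall</slot_reference><value value_type="string">Department</value></own_slot_value>
 <own_slot_value><slot_reference>host</slot_reference><value value_type="instance">host_1</value></own_slot_value>
 <own_slot_value><slot_reference>port</slot_reference><value value_type="integer">22</value></own_slot_value>
</simple_instance>
</knowledge_base>"""

def parse_export(xml_text):
    # Returns {instance_name: (class, {slot: [values]})}; a slot may carry several values.
    instances = {}
    for inst in ET.fromstring(xml_text).iter("simple_instance"):
        slots = defaultdict(list)
        for osv in inst.findall("own_slot_value"):
            slots[osv.findtext("slot_reference")].append(osv.find("value").text)
        instances[inst.findtext("name")] = (inst.findtext("type"), dict(slots))
    return instances

def rules_by_host(instances):
    # Join each FirewallRule onto the Host its forward 'host' slot references (the reverse-slot view).
    hosts = {n: s for n, (t, s) in instances.items() if t == "Host"}
    report = {s["hostname"][0]: [] for s in hosts.values()}  # hosts with no rule keep []
    for t, s in instances.values():
        if t == "FirewallRule":
            for ref in s.get("host", []):
                report[hosts[ref]["hostname"][0]].append((s["firewall"][0], int(s["port"][0])))
    return report

def to_simple_xml(report):
    # Report-specific "simple" XML for the per-report stylesheet; rule_count="0" flags a host to review.
    root = ET.Element("firewall_report")
    for hostname, rules in sorted(report.items()):
        h = ET.SubElement(root, "host", name=hostname, rule_count=str(len(rules)))
        for fw, port in sorted(rules):
            ET.SubElement(h, "rule", firewall=fw, port=str(port))
    return ET.tostring(root, encoding="unicode")
```

In the real pipeline the second XSLT pass and the CSS would then turn this simple XML into the HTML views; here `print(to_simple_xml(rules_by_host(parse_export(SAMPLE_EXPORT))))` shows the intermediate document.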
