

  • Number of slides: 21

Security Policy: The Big Picture
2003 IT Fall Retreat, Associated Colleges of the South

Todd K. Watson, Senior System/Network Administrator, Southwestern University
Information Technology Services
tkw@southwestern.edu
http://tkdubs.net

Goals for this presentation:
1) To cause you to think about IT security comprehensively, so you can draft policy and procedure to fit your institution's security model.
2) To ignite discussion about topics related to security which lead to policy/procedure decisions.

Starting thoughts
Let's not focus on creating documents, but instead on securing our infrastructure.
“Security is a process, not a product!!!” -- Bruce Schneier, Counterpane Security
We've all spent significant time and money building an IT empire. We must protect it of course! But...
● What are we protecting?
● What are we protecting it from?
● How do we protect it?

No rewards
We only hear about security when it fails. No matter how much effort you put toward security, if it fails, your efforts will be questioned. Look at 9/11 and the intelligence community. No matter what they did prevent, they are chastised for what they didn't.
Q: How can we measure the success of our security?

Q: What are we protecting?
A: Information. Bits. Zeros and Ones.
● Financial Records
● Intellectual Property
● Passwords
● Salaries
● Grades
● Exams
● Correspondence
● Credit Card Numbers
● Medical
● Contact/Directory Info
● Sensitive Personal Info
● Annual Giving Info
● University Records
● Violations
● Performance Evals

Why are we protecting it?
● FERPA – Family Educational Rights and Privacy Act
● HIPAA – Health Insurance Portability and Accountability Act
● Copyrights
● Sense of ownership
● Auditors
● Reduce risk of rebuilding
Q: What are other reasons for protection?

Who are we protecting it from?

How do we protect it?
● Firewalls
● Intrusion Detection
● Logging
● Backups (offsite)
● Antivirus/worm
● POLICIES!!!! Training/Education

Firewalls
● WAN
  – holes get opened, but do they ever get closed?
  – a firewall still means you have open/exploitable services
  – logging? Who/what monitors the logs?
  – intrusion detection/prevention – are you monitoring the packets which make it through the firewall?
● LAN
  – have you evaluated what your network is like inside your firewall? What about trojans? GoToMyPC: instant access to your LAN!
  – host-based firewalls are as important as the one at the WAN link.
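One way to turn “holes get opened, but do they ever get closed?” into a routine check is to require a ticket and an expiry date on every ACCEPT rule and audit the rule dump against them. The script below is an added example, not code from the presentation; it assumes an iptables-save style dump in which each hole carries a `-m comment --comment "ticket=... expires=..."` annotation (the rule text, ticket numbers and dates are constructed for the example).

```python
"""Audit firewall holes for missing or expired change-control annotations."""
import re
from datetime import date

# Constructed rule dump (iptables-save style). Policy in this example says
# every ACCEPT rule must carry the ticket that opened it and an expiry date.
RULES = """\
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -m comment --comment "ticket=IT-101 expires=2004-06-30" -j ACCEPT
-A INPUT -s 192.168.5.0/24 -p tcp -m tcp --dport 1433 -m comment --comment "ticket=IT-087 expires=2003-09-01" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m comment --comment "ticket=IT-012 expires=never" -j ACCEPT
-A INPUT -j DROP
"""

# chain, the match criteria, an optional comment module, and the target
RULE_RE = re.compile(
    r'^-A (?P<chain>\S+)(?: (?P<match>.*?))?'
    r'(?: -m comment --comment "(?P<comment>[^"]*)")? -j (?P<target>\S+)$'
)


def parse_rules(text):
    """Parse the dump into dicts; key=value pairs in the comment become fields."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # not an -A line (e.g. *filter, :INPUT, COMMIT)
        fields = dict(kv.split("=", 1) for kv in (m["comment"] or "").split() if "=" in kv)
        rules.append({
            "chain": m["chain"],
            "match": m["match"] or "",
            "target": m["target"],
            "ticket": fields.get("ticket"),
            "expires": fields.get("expires"),
        })
    return rules


def audit_holes(rules, today):
    """Return {match criteria: finding} for every ACCEPT rule that needs attention."""
    findings = {}
    for r in rules:
        if r["target"] != "ACCEPT":
            continue  # only holes are interesting; DROP/REJECT rules are the default posture
        if r["ticket"] is None or r["expires"] is None:
            findings[r["match"]] = "undocumented: no ticket/expiry on this hole"
        elif r["expires"] == "never":
            findings[r["match"]] = f"permanent hole ({r['ticket']}): confirm it still needs to exist"
        elif date.fromisoformat(r["expires"]) < today:
            findings[r["match"]] = f"expired {r['expires']} ({r['ticket']}): close it or renew the ticket"
    return findings


if __name__ == "__main__":
    for match, finding in audit_holes(parse_rules(RULES), date(2003, 10, 16)).items():
        print(f"{match}: {finding}")
```

Run nightly against the real dump, the output is the list of holes the policy says should not exist any more; an empty result is the evidence an auditor asks for. The check covers the WAN side of the slide; it says nothing about host-based firewalls on the LAN, which need their own dumps audited the same way.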

Intrusion Detection/Prevention
● IDS/IPS – buzz acronyms w/new products daily
● policy-centric – what to look for, and what to do when found. What kind of reporting and followup?
● Data required for successful IDS/IPS is extremely sensitive. What data are stored? How are they used?
● Continual evolution of rules. Must tie in with upgrade policy.

Logging
● Centralized logging systems invaluable
● timings are essential!!
● Too much data to manually inspect
● Doubtful that a single tool is effective
● Reports
● Notifications
● What to keep for how long
Q: What are your favorite logging utils?
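The points above (centralize, trust the timestamps, don't read it by hand, notify) fit together in a small triage job on the loghost. The script is an added example, not one of the presenter's tools; it assumes a constructed log format in which the central host prefixes each message with its own arrival stamp (`recv=`) ahead of the sender's classic syslog header, which is what makes a sender's clock skew visible, and the hosts, addresses and messages are all constructed.

```python
"""Triage for a central loghost: parse, check sender clocks, count failures, notify."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. "recv=" is the stamp the loghost applied on arrival; the
# syslog header after it is the sender's own stamp. web2's clock is 40 min fast.
SAMPLE_LOG = """\
recv=2003-10-16T09:00:01 Oct 16 09:00:01 mail1 sshd[2201]: Failed password for root from 10.0.0.55 port 4022 ssh2
recv=2003-10-16T09:00:02 Oct 16 09:00:02 mail1 sshd[2203]: Failed password for root from 10.0.0.55 port 4023 ssh2
recv=2003-10-16T09:00:03 Oct 16 09:40:03 web2 sshd[811]: Failed password for admin from 10.0.0.55 port 4030 ssh2
recv=2003-10-16T09:00:04 Oct 16 09:40:04 web2 sshd[812]: Failed password for admin from 10.0.0.55 port 4031 ssh2
recv=2003-10-16T09:00:05 Oct 16 09:00:05 mail1 sshd[2210]: Failed password for invalid user test from 10.0.0.55 port 4040 ssh2
recv=2003-10-16T09:00:07 Oct 16 09:00:07 mail1 sshd[2215]: Accepted password for tkw from 192.168.1.20 port 1022 ssh2
recv=2003-10-16T09:01:00 Oct 16 09:01:00 mail1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
recv=2003-10-16T09:01:30 Oct 16 09:41:30 web2 sshd[820]: Failed password for root from 192.168.1.20 port 1030 ssh2
"""

LINE_RE = re.compile(
    r"^recv=(?P<recv>\S+) (?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")


def parse_log(text):
    """Turn raw lines into events with both timestamps as datetimes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production job would count unparsable lines too
        recv = datetime.strptime(m["recv"], "%Y-%m-%dT%H:%M:%S")
        # classic syslog headers omit the year; borrow it from the loghost stamp
        sent = datetime.strptime(f"{recv.year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"recv": recv, "sent": sent, "host": m["host"], "prog": m["prog"], "msg": m["msg"]})
    return events


def clock_skew(events, max_skew=timedelta(minutes=5)):
    """Average (sender stamp - loghost stamp) per host; return hosts beyond max_skew."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append((ev["sent"] - ev["recv"]).total_seconds())
    avg = {h: sum(v) / len(v) for h, v in per_host.items()}
    return {h: s for h, s in avg.items() if abs(s) > max_skew.total_seconds()}


def _failed(events):
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if m:
            yield ev, m["src"]


def failed_logins(events):
    """Failed-login count per source address, across every host that reports in."""
    return Counter(src for _, src in _failed(events))


def notifications(events, threshold=3):
    """Lines worth paging about: brute-force sources and hosts whose clocks are off."""
    notes = []
    for src, n in failed_logins(events).most_common():
        if n >= threshold:
            hosts = sorted({ev["host"] for ev, s in _failed(events) if s == src})
            notes.append(f"{src}: {n} failed logins across {','.join(hosts)}")
    for host, skew in clock_skew(events).items():
        notes.append(f"{host}: clock is {skew:+.0f}s from the loghost; correlation is unreliable")
    return notes


if __name__ == "__main__":
    for note in notifications(parse_log(SAMPLE_LOG)):
        print(note)
```

Two things the per-host view cannot give you are visible here only because the logs are centralized: the same source address failing on two machines, and a sender whose timestamps would have placed its events forty minutes away from the matching ones on mail1. Keep the retention question (“what to keep for how long”) separate from this triage; the job reads the live stream and does not decide what is archived.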

Backups
Probably the MOST important policy with direct ties to security. Security incidents can be equated with disaster recovery.
1) Set policy/procedure that cover your bases
2) Implement
3) Test
4) Review
5) Rinse and Repeat
NOTE: Policy and Procedure are usually different. For backups, it is easy to confuse the two, but useful to combine them.
Policy should include procedure for off-site storage.
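Step 3, “Test”, is the one that tends to be skipped, so here is what a scheduled test of a backup set can look like in code. This is an added example rather than anything from the presentation; it assumes the backup job writes a manifest (name, SHA-256, size) next to the data, that both an on-site and an off-site copy exist, and that policy sets a maximum age for the last good backup. The archives and their contents are constructed byte strings standing in for real files on disk or tape.

```python
"""Verify a backup set against its manifest and the age/off-site policy."""
import hashlib
from datetime import datetime, timedelta


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for archive files; real media would be read from disk/tape.
GOOD = {
    "etc.tar": b"config archive bytes",
    "home.tar": b"home directories archive bytes",
    "db.dump": b"database dump bytes",
}
# The manifest is written by the backup job at backup time and kept with the set.
MANIFEST = {name: (sha256(data), len(data)) for name, data in GOOD.items()}

# On-site copy is intact. Off-site copy is missing one file, and one file no
# longer matches the manifest (bad tape, bit rot, or tampering; the check
# does not care which, it only reports that a restore from it would be wrong).
ONSITE = dict(GOOD)
OFFSITE = {"etc.tar": GOOD["etc.tar"], "home.tar": b"home directories archive BYTES"}


def verify_copy(manifest, copy):
    """Return {filename: 'ok' | 'missing' | 'corrupt'} for one copy of the set."""
    status = {}
    for name, (digest, size) in manifest.items():
        data = copy.get(name)
        if data is None:
            status[name] = "missing"
        elif len(data) != size or sha256(data) != digest:
            status[name] = "corrupt"
        else:
            status[name] = "ok"
    return status


def backup_report(manifest, onsite, offsite, last_backup, now, max_age=timedelta(days=1)):
    """Findings that should page someone; an empty list means the test passed."""
    findings = []
    for label, copy in (("onsite", onsite), ("offsite", offsite)):
        for name, state in verify_copy(manifest, copy).items():
            if state != "ok":
                findings.append(f"{label}/{name}: {state}")
    age = now - last_backup
    if age > max_age:
        findings.append(f"last successful backup is {age.days} days old (policy: {max_age.days})")
    return findings


if __name__ == "__main__":
    now = datetime(2003, 10, 16, 6, 0)
    for line in backup_report(MANIFEST, ONSITE, OFFSITE, datetime(2003, 10, 13, 23, 0), now):
        print(line)
```

A hash check proves the media still holds what was written, which is necessary but not sufficient: the policy's “Test” step should also include an actual restore of a sample onto a scratch machine on a schedule, because a manifest cannot tell you that the archive was built from the wrong directory in the first place.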

Viruses and Worms
Security Policies should address the following:
● Anti-virus software installed and data file updates
● Patching end-user systems
● Patching servers
● Push antivirus and patches to users. Require students to agree to run anti-virus and patches – be scanned.
Many schools' networks were taken down this Fall due to the Blaster worm. This is only going to continue. Blaster luckily wasn't as bad as it potentially could have been; however, it still caused major disruptions.
● Any Blaster/Virus/Worm Stories?

Bill, Please make it stop!!!

CERT Advisory CA-2003-27 Multiple Vulnerabilities in Microsoft Windows and Exchange
Original issue date: October 16, 2003
Last revised: --
Source: CERT/CC

Systems Affected
* Multiple versions of Microsoft Windows (ME, NT 4.0 TSE, 2000, XP, Server 2003)
* Microsoft Exchange Server 5.5 and Microsoft Exchange Server 2000

Overview
There are multiple vulnerabilities in Microsoft Windows and Microsoft Exchange, the most serious of which could allow remote attackers to execute arbitrary code.

CA-2003-23: RPCSS Vulnerabilities in Microsoft Windows
CA-2003-22: Multiple Vulnerabilities in Microsoft Internet Explorer
CA-2003-20: W32/Blaster worm
CA-2003-19: Exploitation of Vulnerabilities in Microsoft RPC Interface
CA-2003-18: Integer Overflows in Microsoft Windows DirectX MIDI Library
CA-2003-16: Buffer Overflow in Microsoft RPC
CA-2003-14: Buffer Overflow in Microsoft Windows HTML Conversion Library
CA-2003-09: Buffer Overflow in Core Microsoft Windows DLL
CA-2003-04: MS-SQL Server Worm
CA-2003-03: Buffer Overflow in Windows Locator Service

Updating Servers/Services
● Outline procedures in policies for system upgrades
  – preparations, testing, changelog reviews
  – document system state prior/post installation (RCS/CVS)
  – notification requirements?
  – regularly scheduled maintenance windows
● Regularly audit for software and OS security holes
  – join appropriate mailing lists (Q: Which do you monitor?)
  – how often should you run automated update checks?
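“Document system state prior/post installation” can be made mechanical even where the configuration is not yet checked into RCS/CVS: snapshot the hashes and permission modes of the files you care about before the upgrade, snapshot again afterwards, and let the diff write the changelog entry. The script is an added example, not the presenter's procedure; it works on a real directory tree (the demo builds a throwaway one with constructed, etc-like files in a temp directory) and the file names and contents are constructed.

```python
"""Snapshot a config tree before/after an upgrade and diff the two states."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """{relative path: (sha256 of content, permission mode)} for every file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            state[os.path.relpath(path, root)] = (digest, f"{mode:04o}")
    return state


def diff_snapshots(before, after):
    """Added/removed paths, plus changed paths with what changed (content, mode, or both)."""
    changed = {}
    for path in set(before) & set(after):
        (h0, m0), (h1, m1) = before[path], after[path]
        what = [w for w, same in (("content", h0 == h1), ("mode", m0 == m1)) if not same]
        if what:
            changed[path] = "+".join(what)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": changed,
    }


def changelog(diff):
    """Flat lines suitable for pasting into the maintenance-window record."""
    lines = [f"added: {p}" for p in diff["added"]]
    lines += [f"removed: {p}" for p in diff["removed"]]
    lines += [f"changed ({why}): {p}" for p, why in sorted(diff["changed"].items())]
    return lines


def _write(root, rel, text, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed mini /etc; the 'upgrade' edits one file, adds one, loosens one mode."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "ssh/sshd_config", "PermitRootLogin yes\n", 0o644)
        _write(root, "hosts.allow", "sshd: 10.0.0.0/8\n", 0o644)
        _write(root, "shadow", "root:*:12345:0:99999:7:::\n", 0o600)
        before = snapshot(root)
        # simulated package upgrade: config rewritten, new file dropped in,
        # and the sensitive file's permissions quietly widened (the kind of
        # side effect a post-install snapshot exists to catch)
        _write(root, "ssh/sshd_config", "PermitRootLogin no\n", 0o644)
        _write(root, "ssh/moduli", "# generated at install\n", 0o644)
        os.chmod(os.path.join(root, "shadow"), 0o644)
        after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    for line in changelog(demo()):
        print(line)
```

The mode-only change on `shadow` is the interesting case: a content hash alone would have reported nothing, and that is exactly the category of post-upgrade change that slips through when “document system state” means only keeping a copy of the files. Where the tree is already in RCS/CVS, `cvs diff` after the upgrade gives the content half of this for free; the mode half still needs a check like the one above.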

Human Factors
“Security usually fails at the seams – at the point where two systems interact” -- Bruce Schneier
The most important seam is the one we have little control over: the human element. Just like with data entry errors, introducing human interaction introduces security risks.
Social Engineering
  “I forgot my password” -- in person and via phone
  (Read “The Art of Deception” by Kevin Mitnick)
Honest Mistakes
  “Oops, I just e-mailed a list of SAT scores to the whole campus!”
  “I let my ex-boyfriend use my account, but never changed my passwd”

(Not so) Future Worries
● Card Systems
  – interesting cost subsidy w/dining and banking svcs.
  – very cool applications
  – concerns about practical security issues (lost/stolen)
● Biometric devices
  – opens a whole new can of worms about sensitive data warehousing.
  – though I personally find the technology cool... the “big-brother” aspect bugs me (and will many)

Auditing
Security Policies should have self-assessment mechanisms built-in (at least that's what we've learned in a recent SACS accreditation review).
Plagiarizing from the best source on auditing (IMO), “A System Administrator's Guide to Auditing,” by Geoff Halprin –
“Few things will ruin a sysadmin's day faster than the announcement of an audit. It sometimes seems this practice is arbitrarily invoked by higher management for the sole purpose of adding to the workload of an already overworked support staff. Many view the auditing process as an insult, or an indication that someone is questioning the team's abilities or efforts. The truth is that an audit is nothing more than a tool. Like any tool, it can be effective or it can be abused. ... an audit can be something to use in a way that has direct benefit to our jobs...”
Successful policy/procedure with self-assessment will prepare you for any unannounced audits!
Now, let's discuss how we feel about the competency of our auditors to audit us!

Writing Policy
● Write a mission statement that defines a clear/concise focus of what the policy aims to achieve before a single line of policy is written.
● Don't re-invent the wheel. There are hundreds of policies available on the net to cut-and-paste from.
● KISS – (K)eep (I)t (S)imple (S)tupid (and my favorite band in the 70's)
● Ask for help/reviewers, but don't let meanings/focus get watered down to appease everyone. Stand ground.
● Set a review schedule.
● Get your policy out there!

Break!
Thank you for listening to me... Time for a break and refreshments, and more discussion on security issues. Next slide is my recommended reading list.

Todd's Recommended Reading
➢ “Beyond Fear: Thinking Sensibly About Security in an Uncertain World”, Bruce Schneier (2003) ISBN: 0-387-02620-7
➢ “Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier (2000) ISBN: 0-471-25311-1
➢ “The Art of Deception: Controlling the Human Element of Security”, Kevin Mitnick & William Simon (2002) ISBN: 0-471-23712-4
➢ “A Guide to Developing Computing Policy Documents”, Edited by Barbara Dijker (1996) ISBN: 1-880446-57-80-4 (www.sage.org)
➢ “A System Administrator's Guide to Auditing”, Geoff Halprin (2000) ISBN: 1-880446-21-9 (www.sage.org)
➢ “The Practice of System and Network Administration”, Thomas Limoncelli and Christine Hogan (2002) ISBN: 0-201-70271-1
➢ “Writing Information Security Policies”, Scott Barman (2001) ISBN: 1-57870-264-X