University of Alaska System and UAF Information Technology Security Review 2007
The CH2M HILL - Coalfire Systems Team l The CH2M HILL Team delivers industry-leading Information Technology (IT) security services. l The Team has delivered more than 300 IT security assessments and remediation planning engagements to clients, including recent projects for: University environments, including the University of Colorado and California systems States of Colorado, Florida, Iowa, Oregon, and Oklahoma County and City governments in multiple states U.S. Department of Energy, Centers for Disease Control and Prevention Hundreds of banks and financial institutions Hospitals and health insurance companies l Apply methodologies that enable transfer of knowledge and enhance client capability for ongoing IT security programs ATTWP_101_1
Compliance Trends Present A Brief History of Regulatory Time Computer Security Act of 1987 EU Data Protection HIPAA FDA 21CFR Part 11 C6-Canada GLBA COPPA USA Patriot Act 2001 EC Data Privacy Directive CLERP 9 CAN-SPAM Act FISMA Sarbanes Oxley (SOX) CIPA 2002 Basel II NERC 1200 (2003) CISP Payment Card Industry (PCI) California Individual Privacy SB1386 State Privacy Laws Privacy Act of 1974 Foreign Corrupt Practice Act of 1977
Project Overview l Evaluate the University’s business practices and procedures. Make recommendations for improving business processes. l Ensure adequate controls are in place to protect Confidentiality, Integrity, and Availability. l Identify vulnerabilities, determine their risks, and make recommendations to resolve or mitigate those risks. Project activities for the Information Security Review included: Project methodology l Internal and External Vulnerability Scans. l System Baseline analysis. l Interviews with Critical Business owners. l Compare findings against a set of Common Control Objectives. l Areas reviewed included Data Management Policies and Practices, the IT Security Program, Networks, Identity Management Directory, Authentication and Authorization Services, Database, Application Development/Support, Windows and Unix Servers, Desktop Support, Data Center Operations, Help Desk, and Telephony.
COBIT Maturity Model Level 1 Control objective documented in a security policy Level 2 Security controls documented as procedures Level 3 Procedures have been implemented Level 4 Procedures and security controls are tested and reviewed Level 5 Procedures and security controls are fully integrated into a comprehensive program Control Design AdequacyControl Effectiveness COBIT Maturity Model Level 1 Control objective documented in a security policy Level 2 Security controls documented as procedures Current Level of the University Level 3 Procedures have been implemented Level 4 Procedures and security controls are tested and reviewed Level 5 Procedures and security controls are fully integrated into a comprehensive program Control Design AdequacyControl Effectiveness
Vulnerability Scans l Internal scans were used to evaluate the effectiveness of controls from threats internal to the University (employee or contractor). l External scans were conducted to assess the University’s vulnerabilities from an untrusted network, such as the Internet. l UAF provided CH2M HILL with a list of 137 systems to assess. Hosts were grouped into Windows and Unix systems, and reports were generated separately. Project activities for the Information Security Review included: LevelVulnerability/Possible Vulnerability Urgent Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors. Critical Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host. High Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail- relaying. Medium Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Low Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
Vulnerability Scans (Internal) Risk Levels UrgentCriticalHighMediumLow Vulnerability Possible Vulnerability Informational FindingsN/A 0522 Risk Levels UrgentCriticalHighMediumLow Vulnerability Possible Vulnerability24765 Informational FindingsN/A Unix Group 1 Windows
Vulnerability Scans (External) Unix Group 1 Windows Risk Levels UrgentCriticalHighMediumLow Vulnerability Possible Vulnerability Informational FindingsN/A 013 Risk Levels UrgentCriticalHighMediumLow Vulnerability Possible Vulnerability Informational FindingsN/A 013
Vulnerability Scans l Document any known suspicious ports for future scans. l Focus on High, Critical, and Urgent vulnerabilities first. l Only support strong encryption protocols (SSLv3, SSHv2, 3DES, AES, etc.) l Never use default SNMP strings (Public, Private) l Ensure all applications are part of a vulnerability management program, not just OS’s. l If patches cannot be deployed on schedule, document the business justification. l Conduct periodical (typically quarterly) network scans, both Internal and External (Nessus, Qualys, NeXpose, Retina, ISS, GFI, etc.) l Establish a secure baseline configuration (CIS Benchmarks, NSA, DISA, Vendors) Recommendations
Common Controls l Each area was assessed against a set of 42 common control objectives. l Each control objective was mapped to regulatory requirements, best practices, and guidelines: ISO (International Organization for Standards) COBIT 4.0 (Control Objectives for IT and Related Technology HIPAA (Health Insurance Portability and Accountability Act) NIST 800 (National Institute of Standards and Technology) GLBA (Gramm-Leach-Bliley Act ) PCI DSS (Payment Card Industry Data Security Standard) Definition
Common Controls l 42 Control Objectives Reviewed l Low Risk – 10 areas meeting control objectives Network admins have implemented appropriate security practices Avoid access creep, maintain appropriate service levels, and conduct regular system maintenance. l Medium Risk – 31 areas partially meeting control objectives Missing one or more elements vs full compliance Correct by conducting a comprehensive risk assessment, establishing additional security policies, and creating a business continuity plan based on a business impact analysis. No “quick fixes” and requires long term commitments l High Risk – 1 area did not meet control objectives ( Media Disposition and Sanitization ) Lacking an information classification program, sensitive data inventories, and destruction standards for all media University may not be able to detect if sensitive data is compromised or lost, or to minimize the potential impact of a data breach. Recommendations
Action To Date l Done or in process 7 of 32 Identified Risks to be resolved by January, 2008 Action plan for remaining 25 in process l Media disposition and sanitization options under review l To be done External security reviews for UAA and UAS Place vulnerability scans and other security reviews on a regular schedule Identify where regulation or policy may be needed
Migration Intensive effort applied to conduct risk assessment, develop policies, deploy controls, and establish accountability. Sustaining Period Security dependent on processes and controls Heroic Period Security dependent on Individuals. Limited documentation, training and testing. Budget $ Time Security Premium Documentation Training Policies and Procedures Audit and Reporting Testing Function Growth Growth in users Expansion of applications Extended services Security Program Resource Impact