

University of Alaska System and UAF
Information Technology Security Review

The CH2M HILL - Coalfire Systems Team
The CH2M HILL Team delivers industry-leading Information Technology (IT) security services.

The Team has delivered more than 300 IT security assessments and remediation planning engagements to clients, including recent projects for:

- University environments, including the University of Colorado and California systems
- States of Colorado, Florida, Iowa, Oregon, and Oklahoma
- County and City governments in multiple states
- U.S. Department of Energy, Centers for Disease Control and Prevention
- Hundreds of banks and financial institutions
- Hospitals and health insurance companies

- Apply methodologies that enable transfer of knowledge and enhance client capability for ongoing IT security programs
Compliance Trends

A Brief History of Regulatory Time (timeline figure; laws listed by the period in which the slide places them):

Pre-1980: Privacy Act of 1974; Foreign Corrupt Practices Act of 1977
1980-1990: Computer Security Act of 1987
1990-2000: EU Data Protection; HIPAA; FDA 21 CFR Part 11; C6-Canada; GLBA
2000-: COPPA; USA Patriot Act 2001; EC Data Privacy Directive; CLERP 9; CAN-SPAM Act; FISMA; Sarbanes-Oxley (SOX); CIPA 2002; Basel II; NERC 1200 (2003); CISP; Payment Card Industry; California Individual Privacy; State Privacy Laws
Project Overview

Project activities for the Information Security Review included:
- Evaluate the University's business practices and procedures. Make recommendations for improving business processes.
- Ensure adequate controls are in place to protect Confidentiality, Integrity, and Availability.
- Identify vulnerabilities, determine their risks, and make recommendations to resolve or mitigate those risks.

Project methodology
- Internal and External Vulnerability Scans.
- System Baseline analysis.
- Interviews with Critical Business owners.
- Compare findings against a set of Common Control Objectives.
- Areas reviewed included Data Management Policies and Practices, the IT Security Program, Networks, Identity Management Directory, Authentication and Authorization Services, Database, Application Development/Support, Windows and Unix Servers, Desktop Support, Data Center Operations, Help Desk, and Telephony.
COBIT Maturity Model

Level 1: Control objective documented in a security policy
Level 2: Security controls documented as procedures
Level 3: Procedures have been implemented
Level 4: Procedures and security controls are tested and reviewed
Level 5: Procedures and security controls are fully integrated into a comprehensive program

The slide labels the lower end of the scale "Control Design Adequacy" and the upper end "Control Effectiveness", and marks the University's current level in the Level 2 column.
Vulnerability Scans

Project activities for the Information Security Review included:
- Internal scans were used to evaluate the effectiveness of controls from threats internal to the University (employee or contractor).
- External scans were conducted to assess the University's vulnerabilities from an untrusted network, such as the Internet.
- UAF provided CH2M HILL with a list of 137 systems to assess. Hosts were grouped into Windows and Unix systems, and reports were generated separately.

Risk levels for each Vulnerability/Possible Vulnerability:

Urgent: Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Critical: Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

High: Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-

Medium: Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Low: Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
Vulnerability Scans (Internal)

Unix Group 1
                                                    Risk Levels
                                Urgent   Critical      High       Medium   Low
       Vulnerability              0         2            5          16       2
       Possible Vulnerability     1         5           13           4       0
       Informational Findings    N/A      N/A            0           5      22

                                                    Risk Levels
                                Urgent   Critical      High       Medium   Low
       Vulnerability              4         9           19          28      4
       Possible Vulnerability     2         4            7           6      5
       Informational Findings    N/A      N/A           13          71     103
Vulnerability Scans (External)

Unix Group 1
                                                    Risk Levels
                                Urgent   Critical      High       Medium   Low
       Vulnerability              0         1            9          11      3
       Possible Vulnerability     9        10           13           4      0
       Informational Findings    N/A      N/A            0           1      3

                                                    Risk Levels
                                Urgent   Critical      High       Medium   Low
       Vulnerability              0         1            5          11      2
       Possible Vulnerability     1         5           11           3      0
       Informational Findings    N/A      N/A            0           1      3
Vulnerability Scans

- Document any known suspicious ports for future scans.
- Focus on High, Critical, and Urgent vulnerabilities first.
- Only support strong encryption protocols (SSLv3, SSHv2, 3DES, AES, etc.).
- Never use default SNMP community strings (Public, Private).
- Ensure all applications are part of a vulnerability management program, not just operating systems.
- If patches cannot be deployed on schedule, document the business justification.
- Conduct periodic (typically quarterly) network scans, both Internal and External (Nessus, Qualys, NeXpose, Retina, ISS, GFI, etc.).
- Establish a secure baseline configuration (CIS Benchmarks, NSA, DISA, Vendors).
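As an added example (not part of the CH2M HILL/UAF review or any scanner vendor's code), the Python below puts the two preceding slides to work on the defender's side: it tallies scanner findings into the Vulnerability / Possible Vulnerability / Informational Findings matrix by the five risk levels defined on the severity slide, orders remediation so Urgent, Critical and High items come first, flags hosts that answered a default SNMP community string, and diffs open ports against a documented baseline so that undocumented ports stand out in the next scan. The hosts, findings, ports and baseline are all constructed sample data, and the finding record layout is an assumption rather than any real scanner's export format.

```python
"""Triage helper for scan output, modelled on the severity levels and result
tables of the UAF security review slides.  All data here is constructed."""

from collections import defaultdict

# Severity order from the slide: Urgent is worked first, Low last.
RISK_LEVELS = ("Urgent", "Critical", "High", "Medium", "Low")
CATEGORIES = ("Vulnerability", "Possible Vulnerability", "Informational Findings")

# Default SNMP community strings the slide says never to use (compared case-insensitively).
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Constructed scanner export.  Hosts are documentation addresses (RFC 5737) and the
# record layout (host/category/level/title/port/community) is an assumption.
SAMPLE_FINDINGS = [
    {"host": "192.0.2.10", "category": "Vulnerability", "level": "Critical",
     "title": "Full read access to files via anonymous share", "port": 445},
    {"host": "192.0.2.10", "category": "Possible Vulnerability", "level": "Urgent",
     "title": "Possible backdoor listener", "port": 5555},
    {"host": "192.0.2.11", "category": "Vulnerability", "level": "Medium",
     "title": "Software version disclosed in banner", "port": 80},
    {"host": "192.0.2.11", "category": "Vulnerability", "level": "High",
     "title": "SNMP agent answers default community", "port": 161, "community": "public"},
    {"host": "192.0.2.11", "category": "Informational Findings", "level": "Low",
     "title": "Open port 22/tcp", "port": 22},
    {"host": "192.0.2.12", "category": "Informational Findings", "level": "Medium",
     "title": "Service enumeration", "port": 443},
]

# Ports documented as expected per host after the previous scan (constructed baseline).
BASELINE_PORTS = {"192.0.2.10": {22, 445}, "192.0.2.11": {22, 80}, "192.0.2.12": {443}}


def tally(findings):
    """Count findings per category and level, shaped like the slide's result tables.

    Informational findings are never rated Urgent or Critical, so those two
    cells are reported as "N/A" exactly as the tables do."""
    counts = {cat: {lvl: 0 for lvl in RISK_LEVELS} for cat in CATEGORIES}
    for f in findings:
        counts[f["category"]][f["level"]] += 1
    for lvl in ("Urgent", "Critical"):
        counts["Informational Findings"][lvl] = "N/A"
    return counts


def prioritize(findings):
    """Return the findings ordered Urgent -> Low (stable, so input order breaks ties)."""
    return sorted(findings, key=lambda f: RISK_LEVELS.index(f["level"]))


def first_wave(findings):
    """Only the Urgent, Critical and High items, the ones the slide says to fix first."""
    return [f for f in prioritize(findings) if f["level"] in RISK_LEVELS[:3]]


def default_snmp_hosts(findings):
    """Hosts whose SNMP agent accepted one of the default community strings."""
    return sorted({f["host"] for f in findings
                   if f.get("community", "").lower() in DEFAULT_SNMP_COMMUNITIES})


def undocumented_ports(findings, baseline):
    """Open ports seen in this scan that the documented baseline does not list, per host."""
    seen = defaultdict(set)
    for f in findings:
        if "port" in f:
            seen[f["host"]].add(f["port"])
    result = {}
    for host, ports in seen.items():
        extra = ports - baseline.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


if __name__ == "__main__":
    for cat, row in tally(SAMPLE_FINDINGS).items():
        print(f"{cat:24s}", "  ".join(f"{lvl}={row[lvl]}" for lvl in RISK_LEVELS))
    print("Fix first:", [f["title"] for f in first_wave(SAMPLE_FINDINGS)])
    print("Default SNMP:", default_snmp_hosts(SAMPLE_FINDINGS))
    print("Undocumented ports:", undocumented_ports(SAMPLE_FINDINGS, BASELINE_PORTS))
```

Feeding each quarterly scan through `undocumented_ports` with the baseline updated after every review is one concrete way to keep the "known suspicious ports" list the slide asks for, and the tally output lines up with the Internal/External result tables that follow.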
Common Controls
- Each area was assessed against a set of 42 common control objectives.
- Each control objective was mapped to regulatory requirements, best practices, and guidelines:
  - ISO 17799 (International Organization for Standardization)
  - COBIT 4.0 (Control Objectives for IT and Related Technology)
  - HIPAA (Health Insurance Portability and Accountability Act)
  - NIST 800 (National Institute of Standards and Technology)
  - GLBA (Gramm-Leach-Bliley Act)
  - PCI DSS (Payment Card Industry Data Security Standard)

Common Controls
42 Control Objectives Reviewed

Low Risk – 10 areas meeting control objectives
- Network admins have implemented appropriate security practices
- Avoid access creep, maintain appropriate service levels, and conduct regular system

Medium Risk – 31 areas partially meeting control objectives
- Missing one or more elements vs. full compliance
- Correct by conducting a comprehensive risk assessment, establishing additional security policies, and creating a business continuity plan based on a business impact analysis.
- No “quick fixes”; requires long-term commitments

High Risk – 1 area did not meet control objectives (Media Disposition and Sanitization)
- Lacking an information classification program, sensitive data inventories, and destruction standards for all media
- University may not be able to detect if sensitive data is compromised or lost, or to minimize the potential impact of a data breach.
Action To Date

Done or in process
- 7 of 32 Identified Risks to be resolved by January, 2008
- Action plan for remaining 25 in process
- Media disposition and sanitization options under review

To be done
- External security reviews for UAA and UAS
- Place vulnerability scans and other security reviews on a regular schedule
- Identify where regulation or policy may be needed
Security Program Resource Impact

(Chart: Budget on the vertical axis, years 2003 through 2015 on the horizontal axis, showing three phases of the security program and two annotated cost drivers.)

Heroic Period: Security dependent on individuals. Limited documentation, training and testing.
Migration: Intensive effort applied to conduct risk assessment, develop policies, deploy controls, and establish
Sustaining Period: Security dependent on processes and controls.

Security Premium: Documentation; Training; Policies and Procedures; Audit and Reporting; Testing
Function Growth: Growth in users; Expansion of applications; Extended services
