Application Security Proposal

Information Security Risk Assessment and Plans

     NPTF, October 18, 2004

    Meeting Objective

■   Briefly review 2003-2004 objectives
■   Do a reasonableness check on our
    plans for the next two years prior to
    costing them out.

                    Version 2.4 10/18/04    2
    Security Strategies

■   Risk-driven – focus on those opportunities with
    highest risk reduction bang for the buck.
■   Make security the default wherever possible.
■   Achievable, affordable plans. Concrete steps and
    early deliverables. Extend early successes in
    subsequent years.
■   Security-in-depth: prevention, detection, response.
■   Evaluate a network design and migration strategy
    that balances availability against security and is
    capable of supporting broader preventative network
    security measures.

    2003-2004 Activities

Policy         Patch Management

End User       Patch management, strong passwords, desktop operating system firewalls

LSP Training   Patch management

Services/      SUS – 4200 registered users
               Secure Out of Box
               Email Virus/Spam filtering
               Improved incident response
               VLAN support
               Wireless authentication & authorization
               Limited, short-term filtering at PennNet edge
               IDS Pilot

Standards      Patch Management

    Intrusion Detection

■   A new tool, Arbor Peakflow, allows us to
    collect and analyze network "flow" info from
    Penn routers.
■   This helps us to see lists of
    ■   top talkers,
    ■   traffic by protocol (web vs email vs p2p vs voice vs
        video, etc),
    ■   traffic by destination service provider (Cogent vs
        Qwest vs Abilene/Internet2),
    ■   and much more.

    Intrusion Detection

■   Peakflow also allows us to identify denial of
    service (DoS, DDoS) attacks in progress,
    including sources and protocols, and possible
    filtering options.
■   In this role, the Arbor Peakflow tools act as a
    very sophisticated distributed IDS, helping
    us to do targeted filtering during major
    network-based attacks.
■   No dedicated IDS systems needed to be put
    inline into the network. Netflow data from the
    routers is used.
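
Added example (not part of the original presentation, and not Arbor Peakflow's code): a small sketch of the flow analysis described on the two Intrusion Detection slides, producing top talkers, traffic by protocol, and destinations hit by many distinct sources. The flow records, the `min_sources` threshold and the filter text are constructed for illustration; a real deployment would baseline busy public servers before alerting on source counts.

```python
from collections import Counter, defaultdict

# Constructed flow records (not real Penn data): src, dst, protocol, dst port, bytes.
FLOWS = [
    ("10.1.1.5", "192.0.2.10", "tcp", 80, 120_000),
    ("10.1.1.5", "192.0.2.25", "tcp", 25, 40_000),
    ("10.1.2.9", "192.0.2.10", "tcp", 80, 15_000),
    ("10.1.3.7", "198.51.100.4", "udp", 5060, 9_000),
] + [
    # Many distinct sources sending small UDP flows to one host and port.
    (f"203.0.113.{i}", "10.1.9.20", "udp", 53, 600) for i in range(1, 41)
]

def top_talkers(flows, n=3):
    """Source addresses ranked by total bytes sent."""
    totals = Counter()
    for src, _dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)

def traffic_by_protocol(flows):
    """Total bytes per (protocol, destination port) pair."""
    totals = Counter()
    for _src, _dst, proto, port, nbytes in flows:
        totals[(proto, port)] += nbytes
    return dict(totals)

def dos_candidates(flows, min_sources=30):
    """Destinations contacted by at least min_sources distinct sources on one
    protocol/port, with the sources and a candidate filter for an operator."""
    sources = defaultdict(set)
    for src, dst, proto, port, _nbytes in flows:
        sources[(dst, proto, port)].add(src)
    return [
        {"target": dst, "protocol": proto, "port": port,
         "source_count": len(srcs), "sources": sorted(srcs),
         # Illustrative filter text only, for a human to review before use.
         "filter": f"deny {proto} any host {dst} eq {port}"}
        for (dst, proto, port), srcs in sources.items()
        if len(srcs) >= min_sources
    ]

if __name__ == "__main__":
    print(top_talkers(FLOWS))
    print(traffic_by_protocol(FLOWS))
    for hit in dos_candidates(FLOWS):
        print(hit["target"], hit["source_count"], hit["filter"])
```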

     2004-2005 Risk Assessment

Relative risk:    Higher                      Intermediate                 Lower

■                 ■ Web application security  ■ Viruses/worms
                  ■ Sniffing                  ■ Phishing

■                                             ■ Malicious acts by
                                                disgruntled employee

■                 ■ New machines arrive       ■ Viruses/worms              ■ Zero-day worm
                    on campus                 ■ Obtaining patches for
                                                non-operating system

    Proposed Security Plans

Policy
  2004-2005
    ■ Mandatory desktop operating system firewalls
    ■ Mandatory rebuilds when compromised
    ■ Virus filtering on mail servers.
    ■ Require authentication/encryption for additional protocols.
    ■ Broader enforcement of signed confidentiality statements
    ■ Security & Privacy Impact Assessment (SPIA)
  2005-2006
    ■ Critical data on managed servers with

End User Awareness
  2004-2005
    ■ Phishing, email attachments, dangerous URLs
    ■ Misuse of University data
    ■ Application security patches
    ■ Disabling file sharing

LSP Training
  2004-2005
    ■ Web application security

Services/Technologies
  2004-2005
    ■ Self-service scanning pilot
    ■ Web security audits
    ■ Raise security out of box bar and expand to most year round purchases
    ■ Evaluate web application security scanners
    ■ PennKey hardware authentication R&D
    ■ Create new web materials supporting security patches to common applications.
  2005-2006
    ■ Integrated network authentication/vulnerability scanning
    ■ Campus-wide wired and wireless network
    ■ Self-service scanning

Standards
  2004-2005
    ■ Firewall appliance, model server/workgroup firewall policies
    ■ VPN gateway

      Improving Web App Security

Risk Assessment
  Following a peer's problem with SSN authentication, we found two similar problems at Penn. In 2003, we had
  reports from end users of two sensitive web applications giving any user access to anyone else's data.

Proposal Subject to Approval

  ■ Web-based application scanners can detect sophisticated attacks such as cross-site scripting and SQL injection, but to
  date have not been effective at finding some of the simplest and most common errors that application developers
  make. Continue to evaluate these tools.
  ■ Establish a one hour class covering some of the most common security errors in web-based applications.

  ■ Information Security to develop and publish criteria for sensitive web-based applications, work to identify them
  on campus and manually audit for common errors.
  ■ Security & Privacy Impact Assessment will mandate risk assessments for applications providing private personal


Risk Assessment

  It’s becoming increasingly likely that critical, unencrypted passwords and sensitive email messages may be
  captured, particularly on wireless networks where anyone with a wireless card can view anyone else’s network
  traffic unless it is encrypted.

Proposal Subject to Approval

  ■ Considerable progress has been made in the availability of clients and servers supporting strong authentication
  (e.g. SMTP, LDAP). Revisit the Critical Host policy and update with new requirements for strong authentication,
  and possibly encryption for those applications for which it makes sense.

           New machines arrive on campus

Risk Assessment
 Approx. 2,500 new / 7,500 returning computers connect to PennNet at start of the academic year. Many machines are not patched,
 or have become infected. Probably between 1000 and 2000 mobile laptops move between PennNet and other network
 providers (e.g. home ISPs, other employers' networks, etc.).
 Adequately securing transient machines is manually intensive, requiring IT staff time to check patch level, passwords, A/V
 signatures, etc. In many cases, e.g. public wireless locations, simply not possible to ensure that machines are properly
 Ensuring that machines get rebuilt following infection, particularly student machines, is difficult. We currently have no way to
 enforce our requirement that infected machines be rebuilt, and a widespread worm could lead to long waits to rebuild infected
 student machines.

Proposal Subject to Approval
  ■ Integrate vulnerability scanning with wired and wireless login processes. Place infected or vulnerable machines in a
  "quarantine" VLAN that only allows them connectivity to patch management services.
  ■ Test Windows XP SP 2 "secure network connect" feature: blocks all connections until critical patches are applied. If
  successful, provide broad education and expanded out of box defaults to ensure that Windows XP Service Pack 2 machines
  are configured to use a
  ■ Expand out-of-box program to include most year-round computer purchases.
  ■ Require in Computer Security Policy that operating system firewalls be enabled, and that "secure network connect" features
  be enabled, where present.
  ■ Modify Disconnect policy to authorize Information Security to require rebuilds before reconnection to PennNet when
  machines are compromised at the most privileged level.
Risk Assessment
  ■   Considerable progress in the past year limiting the spread of malware. The remaining significant risks of
      the spread of malware are through users clicking on virus-infected email attachments, or clicking on URLs
      with harmful content that exploit vulnerabilities in web browsers.
  ■   Saw first widespread destructive worm this year: Witty
  ■   AOL announced this year general availability of AOL PassCode, a two-factor authentication
  ■   Keystroke logging (viruses/worms that capture user keystrokes like passwords, credit card numbers or other
      sensitive data) is becoming more common. These worms store keystrokes on local HD or send to IRC.
  ■   Keystroke logging worms and backdoors are beginning to appear more frequently:
      - 9/03 Fizzer worm, Bugbear (seen at Penn); 4/04 SDBot (seen at Penn)
  ■   Wide distribution of a keystroke logging worm could seriously undermine the security of PennKey passwords.

Proposal Subject to Approval
  ■   Additional emphasis on email attachments, web surfing and firewalls in end user awareness campaign.
  ■   Critical Host Policy to require all critical University data on managed servers w/ backups, and to mandate
      virus filtering on mail servers.
  ■   Computer Security Policy to require activation of desktop operating system firewalls.
  ■   PennKey was designed to include the flexibility to expand PennKey authentication from simple password-based
      authentication to also support stronger forms of authentication such as hardware authentication tokens.
      Begin R&D work and develop a contingency plan for supplementing PennKey password authentication with
      stronger forms of authentication. Among other options, explore possible integration of hardware
      authentication tokens with next-generation PennCard.
Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool
recipients into divulging personal financial data such as credit card numbers, account
usernames and passwords, social security numbers, etc. By hijacking the trusted
brands of well-known banks, online retailers and credit card companies, phishers are
able to convince up to 5% of recipients to respond to them.


Risk Assessment

  Gartner estimates 30 million Americans have received a phishing attack, and about 3 percent submitted personal
  information in response. The threat against personal financial data and identity theft is greater than the threat
  against University data -- no phishing attacks have yet been reported targeting Penn passwords/systems.
  However, the potential is there, and the most effective remedy, awareness, is inexpensive.

Proposal Subject to Approval

  End user awareness is the most effective tool. End users must know the ease with which email can be forged, the
  importance of not clicking on dangerous/suspect URLs, and must be wary of any email requests to enter
  usernames, passwords, credit card numbers and social security numbers.
  Include phishing in broad end user security education.

      Malicious Employee

Risk Assessment

  We’ve had relatively few cases reported of malicious use of access to critical/sensitive University data. However,
  misuse of privileged access by employees is a more likely threat than risks to confidentiality/integrity from worms,
  viruses or computer hacking. Individual units on campus work to ensure that employees with sensitive access
  must sign confidentiality statements; however, there is currently no policy that requires this.

Proposal Subject to Approval

  ■ Include misuse of University data in broad employee communications.
  ■ Broader enforcement of need for signed employee confidentiality statements.

       Patches for Applications
Risk Assessment
      We have focused in the past year on putting in place services to ensure that critical operating system patches
      get quickly applied. We currently do not have a systematic program for ensuring that application security
      patches (e.g. Netscape Navigator, AOL Instant Messenger, etc.) get deployed. In many cases, particularly for
      students, our ability to apply Microsoft Office patches is limited when students did not retain their original
      Office CD.

Proposal Subject to Approval
  ■ End user awareness is the most effective tool. Work to make sure that end users and LSPs understand the
  importance of applying not only operating system patches, but application patches as well. Make sure that new
  student communications mention the importance of bringing original CDs to campus. Expand the Information
  Security website to provide resources for managing application security for common applications at Penn.
  ■ Provide and test recommendations for patching MS applications without needing original CD.

      Zero Day Worm
Risk Assessment
  ■ A “zero day worm” is one that exploits a vulnerability which has not been publicly disclosed, and for which no
  patches are available. All machines running the targeted service would be vulnerable, even if fully patched.
  ■ Limiting factors are the ability to acquire many zero day exploits and the ability to conduct extensive testing on
  numerous platforms. Nation-states are the only groups likely to have sufficient resources.
  ■ Windows SMB/CIFS file sharing service (garden variety Windows File Sharing service enabled on numerous
  Penn Windows machines) is the most likely target of a worst-case worm.
  ■ A blended attack would be most likely: Windows file sharing attack would only be one attack vector,
  supplemented by email and spread to trusted, open file shares.
  ■ A 60% rate of compromise for the world’s business PCs is a reasonable estimate for an attack by a nation -
  ■ Machines not behind firewalls, but with direct Internet connectivity would be compromised in minutes at most.
  ■ Most machines would be compromised within several hours, whether on private intranets, or with direct
  Internet connectivity.
  ■ Estimated cost per system is $5-6K (data loss, productivity, hardware damage).
  ■ Source: “Worst Case Worm Scenario”

Proposal Subject to Approval
  ■ Include expanded information about file sharing risks and how to disable file sharing in campus-wide end-user
  awareness communications.
  ■ Modify Computer Security Policy to require activation of operating system firewalls for all desktops.
  ■ Modify Critical Host Policy to require that within 2-4 years all critical University data be stored on centrally or
  locally managed file servers with a backup program in place.