University of Alaska System and UAF Information Technology Security Review 2007.


Page 1

University of Alaska System and UAF

Information Technology Security Review

2007

Page 2

The CH2M HILL - Coalfire Systems Team

The CH2M HILL Team delivers industry-leading Information Technology (IT) security services.

The Team has delivered more than 300 IT security assessments and remediation planning engagements to clients, including recent projects for:

• University environments, including the University of Colorado and California systems
• States of Colorado, Florida, Iowa, Oregon, and Oklahoma
• County and City governments in multiple states
• U.S. Department of Energy, Centers for Disease Control and Prevention
• Hundreds of banks and financial institutions
• Hospitals and health insurance companies

Apply methodologies that enable transfer of knowledge and enhance client capability for ongoing IT security programs


Page 3

Compliance Trends: A Brief History of Regulatory Time

Timeline chart with four periods on the horizontal axis: 1970-1980, 1980-1990, 1990-2000, 2000-Present.

Regulations plotted on the timeline (as listed on the slide):

• Privacy Act of 1974
• Foreign Corrupt Practices Act of 1977
• Computer Security Act of 1987
• EU Data Protection
• HIPAA
• FDA 21 CFR Part 11
• C6-Canada
• GLBA
• COPPA
• USA Patriot Act 2001
• EC Data Privacy Directive
• CLERP 9
• CAN-SPAM Act
• FISMA
• Sarbanes Oxley (SOX)
• CIPA 2002
• Basel II
• NERC 1200 (2003)
• CISP
• Payment Card Industry (PCI)
• California Individual Privacy SB1386
• State Privacy Laws

Page 4

Project Overview

• Evaluate the University’s business practices and procedures. Make recommendations for improving business processes.
• Ensure adequate controls are in place to protect Confidentiality, Integrity, and Availability.
• Identify vulnerabilities, determine their risks, and make recommendations to resolve or mitigate those risks.

Project methodology: project activities for the Information Security Review included:

• Internal and External Vulnerability Scans
• System Baseline analysis
• Interviews with Critical Business owners
• Compare findings against a set of Common Control Objectives

Areas reviewed included Data Management Policies and Practices, the IT Security Program, Networks, Identity Management Directory, Authentication and Authorization Services, Database, Application Development/Support, Windows and Unix Servers, Desktop Support, Data Center Operations, Help Desk, and Telephony.

Page 5

COBIT Maturity Model

• Level 1: Control objective documented in a security policy
• Level 2: Security controls documented as procedures
  (Current Level of the University: the marker on the slide sits between Level 2 and Level 3)
• Level 3: Procedures have been implemented
• Level 4: Procedures and security controls are tested and reviewed
• Level 5: Procedures and security controls are fully integrated into a comprehensive program

Chart axes: Control Design Adequacy; Control Effectiveness

Page 6

Vulnerability Scans

Internal scans were used to evaluate the effectiveness of controls from threats internal to the University (employee or contractor).

External scans were conducted to assess the University’s vulnerabilities from an untrusted network, such as the Internet.

UAF provided CH2M HILL with a list of 137 systems to assess. Hosts were grouped into Windows and Unix systems, and reports were generated separately.


Risk levels used for each Vulnerability / Possible Vulnerability finding:

Urgent: Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Critical: Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

High: Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Medium: Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Low: Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.

Page 7

Vulnerability Scans (Internal)

Unix Group 1

Risk Levels              Urgent  Critical  High  Medium  Low
Vulnerability               0       2        5     16     2
Possible Vulnerability      1       5       13      4     0
Informational Findings     N/A     N/A       0      5    22

Windows

Risk Levels              Urgent  Critical  High  Medium  Low
Vulnerability               4       9       19     28     4
Possible Vulnerability      2       4        7      6     5
Informational Findings     N/A     N/A      13     71   103

Page 8

Vulnerability Scans (External)

Unix Group 1

Risk Levels              Urgent  Critical  High  Medium  Low
Vulnerability               0       1        9     11     3
Possible Vulnerability      9      10       13      4     0
Informational Findings     N/A     N/A       0      1     3

Windows

Risk Levels              Urgent  Critical  High  Medium  Low
Vulnerability               0       1        5     11     2
Possible Vulnerability      1       5       11      3     0
Informational Findings     N/A     N/A       0      1     3

Page 9

Vulnerability Scans: Recommendations

• Document any known suspicious ports for future scans.
• Focus on High, Critical, and Urgent vulnerabilities first.
• Only support strong encryption protocols (SSLv3, SSHv2, 3DES, AES, etc.)
• Never use default SNMP strings (Public, Private)
• Ensure all applications are part of a vulnerability management program, not just OS’s.
• If patches cannot be deployed on schedule, document the business justification.
• Conduct periodic (typically quarterly) network scans, both Internal and External (Nessus, Qualys, NeXpose, Retina, ISS, GFI, etc.)
• Establish a secure baseline configuration (CIS Benchmarks, NSA, DISA, Vendors)
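A defender-side check for three of these recommendations (default SNMP community strings, protocols outside the slide's strong-protocol list, and overdue patches with no documented business justification), with the findings ordered and tallied by the slide's risk levels. This is an added example, not code from the CH2M HILL / Coalfire review; the Host record layout, the sample hosts, and the risk level assigned to each check are assumptions.

```python
# Added example (not from the CH2M HILL / Coalfire review): check constructed
# host configuration records against the scan recommendations above and
# order the resulting findings by the slide's risk levels.
from dataclasses import dataclass, field

# Protocols the slide lists as acceptable (its trailing "etc." is left open here).
STRONG_PROTOCOLS = {"SSLv3", "SSHv2", "3DES", "AES"}
DEFAULT_SNMP = {"public", "private"}          # the default strings named on the slide
RISK_ORDER = {"Urgent": 0, "Critical": 1, "High": 2, "Medium": 3, "Low": 4}

@dataclass
class Host:
    """Constructed inventory record (assumed schema, not the review's format)."""
    name: str
    protocols: set                       # protocols the host's services offer
    snmp_communities: set                # SNMP community strings configured
    patch_items: list = field(default_factory=list)  # (product, overdue?, justification documented?)

def review_host(host):
    """Return (risk, message) findings; the risk levels assigned are assumptions."""
    findings = []
    for proto in sorted(host.protocols - STRONG_PROTOCOLS):
        findings.append(("High", f"{host.name}: protocol {proto} not in the strong-protocol list"))
    for community in sorted(c for c in host.snmp_communities if c.lower() in DEFAULT_SNMP):
        findings.append(("Critical", f"{host.name}: default SNMP community '{community}'"))
    for product, overdue, justified in host.patch_items:
        if overdue and not justified:
            findings.append(("Medium", f"{host.name}: {product} patch overdue with no documented business justification"))
    return findings

def review_all(hosts):
    return [f for h in hosts for f in review_host(h)]

def prioritize(findings):
    """Urgent, Critical and High first, as the slide recommends."""
    return sorted(findings, key=lambda f: RISK_ORDER[f[0]])

def tally(findings):
    """Count findings per risk level, in the layout of the scan summary tables."""
    counts = {level: 0 for level in RISK_ORDER}
    for level, _ in findings:
        counts[level] += 1
    return counts

# Constructed sample hosts (not real University systems).
SAMPLE_HOSTS = [
    Host("unix-01", {"SSHv2", "AES"}, {"public"}, [("OpenSSL", True, False)]),
    Host("win-01", {"SSLv2", "SSLv3"}, {"monitoring-ro"}, [("IIS", True, True)]),
]

if __name__ == "__main__":
    for risk, msg in prioritize(review_all(SAMPLE_HOSTS)):
        print(f"[{risk}] {msg}")
    print(tally(review_all(SAMPLE_HOSTS)))
```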

Page 10

Common Controls: Definition

Each area was assessed against a set of 42 common control objectives. Each control objective was mapped to regulatory requirements, best practices, and guidelines:

• ISO 17799 (International Organization for Standardization)
• COBIT 4.0 (Control Objectives for IT and Related Technology)
• HIPAA (Health Insurance Portability and Accountability Act)
• NIST 800 (National Institute of Standards and Technology)
• GLBA (Gramm-Leach-Bliley Act)
• PCI DSS (Payment Card Industry Data Security Standard)

Page 11

Common Controls: Recommendations

42 Control Objectives Reviewed

Low Risk – 10 areas meeting control objectives
• Network admins have implemented appropriate security practices
• Avoid access creep, maintain appropriate service levels, and conduct regular system maintenance.

Medium Risk – 31 areas partially meeting control objectives
• Missing one or more elements vs full compliance
• Correct by conducting a comprehensive risk assessment, establishing additional security policies, and creating a business continuity plan based on a business impact analysis.
• No “quick fixes” and requires long term commitments

High Risk – 1 area did not meet control objectives (Media Disposition and Sanitization)
• Lacking an information classification program, sensitive data inventories, and destruction standards for all media
• University may not be able to detect if sensitive data is compromised or lost, or to minimize the potential impact of a data breach.

Page 12

Action To Date

Done or in process
• 7 of 32 Identified Risks to be resolved by January, 2008
• Action plan for remaining 25 in process
• Media disposition and sanitization options under review

To be done
• External security reviews for UAA and UAS
• Place vulnerability scans and other security reviews on a regular schedule
• Identify where regulation or policy may be needed

Page 13

Security Program Resource Impact

Chart of Budget ($) against Time (2003, 2005, 2007, 2009, 2011, 2013, 2015), with three periods marked:

• Heroic Period: Security dependent on individuals. Limited documentation, training and testing.
• Migration: Intensive effort applied to conduct risk assessment, develop policies, deploy controls, and establish accountability.
• Sustaining Period: Security dependent on processes and controls.

Security Premium
• Documentation
• Training
• Policies and Procedures
• Audit and Reporting
• Testing

Function Growth
• Growth in users
• Expansion of applications
• Extended services