MI-GMIS September 18th, 2007 Security Topics for Government.


Transcript of MI-GMIS September 18th, 2007 Security Topics for Government.

Page 1:

MI-GMIS

September 18th, 2007

Security Topics for Government

Page 2:

Introductions

• Mark Lachniet from Analysts International
• Solutions Architect for the Security Services Group
• Formerly a K-12 administrator and teacher for Walsh College’s MSIA program
• Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA)
• Member of the High Tech Crimes Investigation Association (HTCIA)
• Try to stay away from products and talk about needs
• Despite being on the technical track, many of the topics I want to discuss have more to do with proper management and oversight than boxes and software

Page 3:

Goal & Format

• A random assortment of current issues that seem to be on the minds of governmental organizations

• Current problems in information security in general

• Time for free-form discussion (?)

Page 4:

Setting the Stage

• The Computer Security Institute releases a yearly report on computer crime.

• The new one (2007) is at http://i.cmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf
  – The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year. Not since the 2004 report have average losses been this high.
  – Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident further said they’d suffered a “targeted attack,” defined as a malware attack aimed exclusively at their organization or at organizations within a small subset of the general population
  – Financial fraud overtook virus attacks as the source of the greatest financial losses
  – Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software)

Page 5:

Formalizing Security

• For a variety of reasons (maturing IT organizations, regulatory compliance, etc.) one of the larger areas of growth is in internal organization

• This includes such things as creating a formal task-force or workgroup to manage security efforts

• Many organizations have a 5-year plan, sometimes even specific to I.T. - Why not have one for information security?

• There are too many things to be done, and too little time to do it, so staying organized is critical

• One way to do this is to organize a workgroup that meets regularly to talk specifically about security

Page 6:

Formalizing Security

• Create a group with good representation, possibly including:
  – IT (Server, network, workstation, apps)
  – Human Resources
  – Legal
  – Finance
  – End Users
• Schedule regular meetings (quarterly?)
• Keep minutes of meetings, have an organized secretary
• Keep track of work (assessments completed, audit findings to be addressed, etc.) so that you have a snapshot of where you are at all times
• There should be a spreadsheet that tracks every “bad” finding that you have had and how it was (or will be) addressed
• Identify a long-term plan for security improvement
• Allocate resources (FTE and Capital) to achieve the plan
• Develop a calendar of “stuff to do” on a regular basis

Page 7:

Stuff To Do and Suggested Occurrences

• Suggested Occurrences are highly variable, but this is what I may recommend to my business customers
  – Update the DR / BCP (quarterly)
  – Exercise the DR / BCP Plan (yearly)
  – Perform internal vulnerability assessments (yearly)
  – Perform external vulnerability assessments (quarterly)
  – Perform assessments of Web Applications (yearly)
  – Perform comprehensive security audits (yearly)
  – Review firewall, application and system logs (daily)
  – Analyze regulatory compliance (PCI, CJIS, financial audits)
  – Review controls on contracted services, purchases (yearly)
  – Review data classification and lifecycle controls (yearly)
  – Perform self-assessments on risk (e.g. risk of building failure, of data being stolen on a laptop, etc.) (yearly)
  – Review password security (yearly)
  – Audit operating system and 3rd party application security (yearly)

Page 8:

Comprehensive Assessments

• One thing you can do is to perform a wide-ranging security assessment (similar to an audit, but typically doesn’t actually go to machines for sample data)

• This should include not only technical host and network stuff, but practices and procedures, physical security, etc.

• You can develop your own with free guides on the Internet (NIST and ISACA.org are a good starting point) or hire an outsider

• When Analysts does them, we break them into four main focus areas:
  – Physical Security
  – Network Security
  – Logical Security (hosts, Active Directory, etc.)
  – Practices and procedures

• We then identify weaknesses, identify possible improvements, and rank them in terms of cost (capital and FTE) and gain

Page 9:

Ranking Matrix

• We use a ranking matrix to try to identify the “sweet spot” (upper right) which is then used as a planning tool

[Ranking matrix figure: a 3 × 3 grid with Security Gain along the horizontal axis (1 = least gain, 3, 5 = most gain) and Cost along the vertical axis (1, 3, 5; least cost to most cost); the upper-right cell is the “sweet spot”. Findings are plotted in the cells by code, apparently keyed to the four focus areas (PS = physical security, NS = network security, LS = logical security, PP = practices and procedures): LS4, NS6, PP2; NS2, LS6; LS2; LS1, PP1, PP7; NS1, LS5, PP5; NS4, LS3, LS7, PP6; PS2, PS3, NS5, PP4; PP3; PS1, NS3; PS4 (cell positions are not recoverable from the text layout).]

Page 10:

Physical Security

• Facilities / Grounds Physical Security
• Server Room & Wiring Closet Physical Security
• Server and Workstation Physical Security
• Secure Storage and Handling of Electronic and Printed Data
• Disaster Recovery – Alternate Site Considerations
• Fire Detection and Suppression
• Emergency Backup Power and UPS Systems
• Network Availability
• Server Availability

Page 11:

Network Security

• Network Confidentiality and Encryption
• Port-Based Access Control
• IP Telephony Security
• Wireless Security
• Internet Border / Firewall Security
• Network Intrusion Prevention Systems
• Network Protection for SPAM / Malware
• Partner / Vendor Data Network Connection Security
• Remote Access Security
• Network Logging

Page 12:

Logical Security

• System Build and Hardening
• Account and Password Security
• System Access and Authentication Systems
• Malware / Anti-Virus Protection
• Host Based Intrusion Prevention Systems
• System Logging
• E-Mail Servers and Systems
• Application Development Practices

Page 13:

Administrative Practices

• Remote Access / Remote Users Administrative Practices
• Remote Access Training and Awareness
• Information Systems Support Staff Administrative Procedures
• End User Administrative Policies
• Information Classification
• Information Systems Coordination with Human Resources
• Separation of Duties
• Vendor / External Organization Management

Page 14:

Administrative Practices

• Incident Response Procedures
• Change Control Systems
• System Documentation
• Service Level Agreement (SLA) Management
• Management Planning and Support
• Regulatory Compliance
• Risk Assessment Strategies
• Audit and Security Event Management Systems
• Backup Practices and Storage

Page 15:

Physical Security

• A simple audit of your physical security may be a good idea. Some things that I typically find:
  – Hinges on the OUTSIDE of the doors, particularly in areas that are not well lit or that don’t have alarm sensors
  – Lack of adequate sensor coverage for alarm systems
  – Walls with drop ceilings that could be removed to enter secure areas over the wall (watch for white powder!)
  – Monitoring of ingress / egress points by a live person
  – Video surveillance systems
  – Sign-in / Sign-out and escort by an employee
  – Locks – master keys, locks that are never re-keyed after people leave, keypad locks that can be “shoulder surfed”
  – Review of security alarm logs
  – Security of data centers, and electronic media! (I once did an audit where a county left backups of all their data including law enforcement laying around on cabinets where it could be stolen and restored)

Page 16:

Vendor Management

• The security implications of vendors and other third parties shouldn’t be ignored

• This is especially important when you have:
  – Vendors with dedicated connections
  – Vendors with remote access (dial, VPN)
  – Companies performing application development*
  – Companies selling you products (RFP)
  – Vendors providing you services (hosting, ISP, etc.)
  – Vendors physically in your environment

• Consider writing a policy as to what you expect of these organizations

• Require them to adhere to certain minimum standards as part of the contracting / purchasing project. Hit them where the money is!

• Build a security section into all RFP templates and contracts
• By default, you can probably NOT expect security unless you are paying extra for it

Page 17:

Managing All the Tools

• It seems like there are a million new tools out there that you just “have to have”

• Vendors make it seem like their products will solve all of your problems, and they may well solve many of them, but they tend to downplay how much effort you will have to put into managing them!

• First of all, there is training to become comfortable with the products, and then there is the ongoing maintenance

• For example, with Intrusion Prevention Systems, you may need to update the signatures weekly, if not daily

• Patching systems requires vetting the patches to make sure they don’t break things

• It practically requires a half time person just to read all of the logs that are generated by your devices (a practice which is, of course, required by some regulation or another)

Page 18:

Logging and Log Analysis

• Keeping and analyzing logs are a critical part of IT governance, and especially important when it comes to investigating incidents

• Many places don’t collect adequate logs in the first place
  – Pre-Win2003 logging is inadequate by default
  – Network devices like firewalls often log only to a temporary local store or not at all
• Logging sources are isolated, have to be read in many different spots
• Log data is too detailed, impossible for a normal human to find the “needle in the haystack” before passing out from boredom
• Systems are not set to the same time

Page 19:

Logging and Log Analysis

• Consider setting up or purchasing a log analysis system
• On the cheap – Snare syslog agents for Windows, Kiwi Syslog to consolidate, Sawmill to generate HTML reports
• http://lachniet.com/cheaplogging (a bit old)
• Many options for Microsoft (www.gfi.com)
• Consider a Security Incident Management (SIM) product like Cisco’s MARS, ARCSight, NetIQ, etc.
• There are really two different levels – products that allow you to parse your logs quickly and find issues, and products that try to find them for you (SIM)
• With Sawmill, for example, you can get an HTML report of what your PIX has been doing for the last 24 hrs and scan through it in 10 minutes to identify changes and issues

• None of these will magically do it all for you!
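As an added example (not from the talk, and not an Analysts International tool), here is the cheap version of what the slide above describes, in Python: parse a day’s worth of consolidated PIX syslog and summarize denied connections per source, flagging sources that were denied on many distinct ports. The log lines are constructed, and the line format is an approximation of the real %PIX-4-106023 ACL-deny message; the `scan_threshold` value is an assumed tuning knob.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of consolidated PIX syslog, roughly in the format a
# syslog collector writes it. %PIX-4-106023 is the PIX message id for a
# packet denied by an access-group; the exact field layout here is approximate.
SAMPLE_LOG = """\
Sep 18 2007 09:00:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4123 dst inside:10.1.2.10/445 by access-group "outside_in"
Sep 18 2007 09:00:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4124 dst inside:10.1.2.10/139 by access-group "outside_in"
Sep 18 2007 09:00:03 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4125 dst inside:10.1.2.10/22 by access-group "outside_in"
Sep 18 2007 09:00:04 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4126 dst inside:10.1.2.10/3389 by access-group "outside_in"
Sep 18 2007 09:05:10 fw1 %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:10.1.2.20/1029 by access-group "outside_in"
Sep 18 2007 09:07:44 fw1 %PIX-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.5/80 (192.0.2.5/80) to inside:10.1.2.30/1521 (10.1.2.30/1521)
Sep 18 2007 09:08:00 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4127 dst inside:10.1.2.11/445 by access-group "outside_in"
"""

# Only the deny messages matter for this report; everything else is skipped.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Return (src, dst, dport, proto) for every ACL-deny line in the log text."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append((m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return denies


def summarize(denies, scan_threshold=3):
    """Build a Sawmill-style digest: denies per source, plus sources that were
    denied on at least scan_threshold distinct ports (a crude port-scan hint)."""
    per_src = Counter(src for src, _, _, _ in denies)
    ports_by_src = defaultdict(set)
    for src, _, dport, _ in denies:
        ports_by_src[src].add(dport)
    scanners = sorted(s for s, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    return {"denies_per_source": dict(per_src), "possible_scanners": scanners}


def report(text):
    """Parse and summarize in one call; this is what the test checks."""
    return summarize(parse_denies(text))


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    for src, n in sorted(r["denies_per_source"].items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} denied")
    print("possible scanners:", r["possible_scanners"])
```

Feeding it a real collector file instead of `SAMPLE_LOG` gives the ten-minute scan the slide describes; the scanner hint is only a starting point for a human to look at, not a verdict.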

Page 20:

Application Development

• The focus of hackers is moving from missing patches to poorly developed applications

• Many, if not most, internally (and externally) developed applications have security flaws

• This is particularly true of web applications
• There are a variety of ways to hack a web application to get into the database, and sometimes even the operating system and network
• If you have people doing development, make sure that they follow some minimum standards.
• Consider http://www.owasp.org as a starting point
• Require proof of third-party testing for any applications you might purchase
• Consider having assessments done on critical systems before they are implemented (or after major changes)
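Added example, not from the talk: one of the ways into the database that the slide alludes to, SQL injection, shown as a vulnerable lookup beside the fix that OWASP recommends (parameterized queries). Python with the standard sqlite3 module; the `deeds` table and its rows are constructed, and the deed-lookup scenario is borrowed from the "Misc. Issues for Government" slide.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a small public-records app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deeds (id INTEGER, owner TEXT, parcel TEXT)")
    conn.executemany("INSERT INTO deeds VALUES (?, ?, ?)", [
        (1, "Alice Smith", "12-34-100-001"),
        (2, "Bob Jones", "12-34-100-002"),
        (3, "Carol White", "12-34-100-003"),
    ])
    return conn


def lookup_vulnerable(conn, owner):
    """String concatenation: whatever the user typed becomes part of the SQL,
    so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT id, owner, parcel FROM deeds WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    """Parameterized query: the driver sends the input as a bound value, never
    as SQL text, so the same input just fails to match any owner."""
    sql = "SELECT id, owner, parcel FROM deeds WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# The textbook test string: closes the quoted literal and ORs in a true clause.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:", lookup_vulnerable(db, "Bob Jones"))  # one row
    print("inject, vulnerable:", lookup_vulnerable(db, INJECTION))   # every row
    print("inject, hardened:  ", lookup_hardened(db, INJECTION))     # no rows
```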

Page 21:

Web Application Vulnerabilities

Study Shows Most Web Applications Have Vulnerabilities

(5 February 2004)

A four-year test of more than 250 Web applications found that at least 92% of them were vulnerable to attacks including cross-site scripting, SQL injection and parameter tampering. WebCohort's Application Defense Center conducted the test, which looked at applications on "e-commerce, online banking, enterprise collaboration and supply chain management web sites."

http://www.vnunet.com/News/1152521

Page 22:

BCP / DR

• Business Continuity Planning (BCP) and Disaster Recovery (DR) still seem to be an area of focus

• Many people are getting hit with audit findings that they only have DR and not true BCP

• Consider BCP as the business “wrapper” that goes around DR
• A few things that typically go into these updates are
  – Business Impact Analysis (start with the business people and work your way down to assets. Without doing this, how can you be sure you got all the right technology in your plan?)
  – Operational Procedures (where do the bosses meet, how do you initiate a call tree, who talks to the media, who cuts emergency PO’s, etc. This is what the boss types need)
• A few very promising technologies for BCP:
  – VMWARE (stick around for the next session!)
  – SAN (especially with SAN replication to a remote site)
  – Wide Area Network accelerators (to speed backups, apps)
  – Faster, cheaper Internet (especially county fiber!)

Page 23:

Information Privacy / Encryption

• There have been a lot of highly publicized incidents involving stolen data

• For example, laptops getting stolen at airports with hundreds of thousands of social security numbers or backup tapes that weren’t encrypted and couldn’t be found or “fell off the truck”

• To minimize this, consider some basic protections:
  – Identify what kind of sensitive data you have as part of your information classification
  – Collect and store as little as possible
  – Ensure that you have adequate security (tested!) on systems that store and process it
  – Ensure that you use encryption to protect it – particularly on laptops and backup tapes that leave the physical environment
  – Create a plan on how to respond if it happens anyway – especially what to say and who will say it
  – Have that “oops letter” already created and ready to send. A slow response looks bad
• One good product for full disk encryption is SecureDoc WinMagic. It protects the whole hard drive so even forensics can’t get it.

Page 24:

Incident Response

• It’s not a matter of if you are going to be hacked…
• It’s not just a matter of hacking, either, it could be a proper disaster, a physical threat, etc.
• When it happens, an organized response to the crisis is essential! Don’t count on responding calmly and rationally during the crisis

• Prepare an Incident Response (IR) plan ahead of time with involvement from key stakeholders

• Identify which people are responsible for which tasks – consider non-technical tasks such as informing employees, contacting the media, etc.

• Create a minimum set of documentation to keep throughout the incident – this will help you to learn from your errors, and may be necessary for law enforcement

• Create standards (based on information classification) for how to respond. Re-format the server? Call the cops?

Page 25:

Computer Evidence

• The problem: Organizations have an increasing need for computer evidence that is admissible in court, and need high-end technical assistance for hacking incidents.
  – Crime involving technology continues to increase
  – Law enforcement is over-burdened and has big backlogs
  – Computer data is increasingly becoming central to civil lawsuits (fraud, problems with the SEC, intellectual property, etc.)
  – No standards for forensic methodology, especially for volatile data (data that is in memory such as network connections that is lost when the computer is powered down)
  – I.T. security consultants do not always have a good understanding of legal concepts such as the chain of custody
  – Information about non-technical crimes is increasingly stored on PCs and devices such as cell phones and PDAs, requiring specialized software

Page 26:

Computer Evidence

• One definition of computer forensics is

“Computer Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. ...”

• Forensics is another area of growth
• Very often seen in “fire the naughty surfer” investigations
• Often in CO$TLY lawsuits
• Integrate into your Incident Response plans
• Also important when dealing with electronic media that could potentially go to law enforcement. If you mess it up, you could very well blow the case!
• Consider joining the HTCIA (htcia.org) and/or working with your techie cops on some kind of plan
• One tip: Don’t mess with it if you aren’t sure what you are doing
• Another tip: Keep the hard drives of anyone you find suspicious

Page 27:

Administrator Termination

• I.T. staff members have an unprecedented level of access to key organizational data, and this access must be managed when they leave the organization
  – Passwords exist on numerous disparate systems, usually not recorded
  – Most organizations have difficulty identifying all of the steps that need to be taken
  – I.T. administrators frequently know the passwords of regular users
  – Dial-up, VPN, Internet-facing systems need to be closed off ASAP
  – I.T. administrators may have organizational property (data, hardware, software, intellectual property, etc.) that needs to be retrieved
  – In some cases, the termination is hostile, and an immediate threat is perceived

Page 28:

Administrator Termination

• To address this need, you need to identify all the places where access is granted in the organization

• Doing this ahead of time (e.g. a master password list, and detailed list of tasks) is a very good idea

• Doing it on the fly (e.g. Analysts’ ATS service) is a multi-step process:
  – Evaluate risk – did they make any threats? Are they a “hacker”?
  – Identify all access (especially remotely accessible)
  – Change the passwords
  – Assist / consult on internal staff issues (obtain all property, perform exit interview, communication to staff about departure, require a password change for everyone? IT staffers often know a lot of user passwords!)
  – Obtain employee personal data (hard drive, home directory, e-mail) and analyze for signs of malfeasance such as “time bombs”, non-compliance with the AUP, existence of hacking tools, evidence of browsing hacking or threatening web sites, etc.

Page 29:

Misc. Issues for Government

• Sensitive data systems and networks
  – LEIN! (See the CJIS policy council)
  – Fingerprint systems
  – Concealed weapon databases
  – Credit card systems (e.g. deed lookups)
  – Friend of the court
  – Probate, etc. etc.
• Electronic 911 and IP Telephony
• Coordination with the State of Michigan and nearby entities
• Consider the MI-ISAC (the focal point of all the US-CERT and MS-ISAC alerts coming into Michigan) being run by the State. Contact Rich Resoner at the state at 517-335-3093

Page 30:

Discussion

Mark Lachniet
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)

[email protected]

Email me to request a copy of the presentation, or see http://lachniet.com/powerpoint