Educause Security 2006 © Baylor University 2006 1 Security Assessments for Information Technology...

Post on 18-Jan-2018


Educause Security 2006 © Baylor University 2006

Security Assessments for Information Technology

By Bob Hartland, Director of IT Servers and Network Services, and Jon Allen, Information Security Officer

Baylor University (Waco, Texas)

• Chartered in 1845
• Largest Baptist University in the world
• 13,799 Students
• 2,000 Full Time Employees
• 85 Buildings Networked

Organizational Chart

• Reagan Ramsower, CIO/CFO
• Bob Hartland, Director of IT Servers and Networking Systems (Data Network, Voice Network, Video Network, Servers)
• Jon Allen, Information Security Officer

BU Network 2005

Why an Assessment?

• Several high-profile security compromises in the news
• Potential identity theft issues for clientele
• Legal costs
• Public relations nightmare
• Helps you stay out of the news!
• Defines a risk-level baseline

Choosing a Vendor

Why an outside vendor?

• Struggled with even making the recommendation
• Better equipped to handle a complex environment
• Documentation: formal report
  • Good – documents your vulnerabilities and gets your people engaged
  • Bad – documents your vulnerabilities and you are now on the hook
• Unbiased look at your system
• Best-of-breed expertise

Three Types of Vendors: Tier Three

• Simple scans (commercial or open source packages)
• Predefined scopes
• Inside scans only
• No verification of vulnerabilities
• Canned report with little insight
• Relatively inexpensive

Three Types of Vendors: Tier Two

• Simple scans (commercial or open source packages)
• Scope is somewhat limited
• Both inside and outside scans
• Some verification of vulnerabilities
• Thorough report
• Medium to high cost

Three Types of Vendors: Tier One

• Scans are customizable
• Scope is customizable
• Both inside and outside scans
• Full verification of vulnerabilities
• Detailed report with recommended course of action
• Higher cost

Planning

Defining the Assessment

• Define scope before picking a vendor
• Execute a non-disclosure agreement to protect both parties
• Redefine scope after meeting with the chosen vendor
• Identify critical systems with associated timelines
• Predefine areas of potential issues
• Identify a point person to handle issues
• Schedule update meetings
• Develop a project plan with an associated timeline

Key Components of Offsite Assessment

• Strong test of detection technologies on the Internet connection
• Know the source IP address space the assessment will originate from
• Should not be a drag on bandwidth

Key Components of Onsite Assessment

• Make sure to know the requirements and have a site ready for the consultants
• The site should be separate from IT staff to avoid raising suspicion
• The network connection should be open to access the systems to be targeted

Baylor's Assessment

• 2-week external scan
• 2-week internal scan
• 1 week of personnel interviews
• 1 week of social engineering
• Scan included the PBX
• Draft report with meeting
• Final report and presentation

Getting Started

Follow the Plan

Assessment Execution

• Remember: keeping the assessment confidential while it is happening will give a more realistic snapshot of security
• Make sure that DPS and at least one lead IT administrator are aware
• Clearly define the order of the assessment to limit the occurrence of unexpected outages

Daily Reviews

• Make sure to stay aware of how the assessment is progressing
• React if necessary to glaring critical issues discovered
• Timelines may need to be adjusted due to extended scan times

The results are in… which direction are you headed?

Vulnerabilities Identified

• Technical
• Behavioral

Remediation

• All your dirty laundry is now exposed
• Be inclusive with the findings
  • Executives
  • IT departments
  • School/Department IT managers
  • General Counsel
• Prioritize the vulnerabilities to be resolved by
  • Vulnerability severity
  • Resource cost
  • Business impact
• Set schedules and milestones
• Create a response document to the assessment discoveries

By-products

• Security team
• Security training
• Security awareness campaign

Was it worth it?

Desired Results Achieved

• Got the attention of the right people
• Documented a baseline
• Remediation of exposed issues
• Long-term strategy

Looking Forward

• A multiyear agreement can reduce cost
• Assessment follow-ups will allow for trending data to show policy and remediation impact
• Assessments do not replace normal security vigilance

Questions?

Speakers:

• Bob Hartland, Director for IT Servers and Network Services, Bob_Hartland@Baylor.edu
• Jon Allen, Information Security Officer, Jon_Allen@Baylor.edu