Educause Security 2006 © Baylor University 2006

Slide 1: Security Assessments for Information Technology

By Bob Hartland, Director of IT Servers and Network Services
Jon Allen, Information Security Officer

Slide 2: Baylor University

• Chartered in 1845
• Largest Baptist University in the world
• 13,799 Students
• 2,000 Full Time Employees
• 85 Buildings Networked

Waco, Texas

Slide 3: Organizational Chart

• Reagan Ramsower, CIO/CFO
• Bob Hartland, Director of IT Servers and Networking Systems (Data Network, Voice Network, Video Network, Servers)
• Jon Allen, Information Security Officer

Slide 4: BU Network 2005

Slide 5: Why an Assessment?

• Several high profile security compromises in the news.
• Potential identity theft issues for clientele
• Legal costs
• Public relations nightmare
• Help you stay out of the news!
• Defines a risk level baseline

Slide 6: Choosing a Vendor

Slide 7: Why an outside vendor?

• Struggled with even making the recommendation
• Better equipped to handle a complex environment.
• Documentation – formal report
  • Good – documents your vulnerabilities and gets your people engaged.
  • Bad – documents your vulnerabilities and you are now on the hook.
• Unbiased look at your system
• Best of breed expertise

Slide 8: Three Types of Vendors – Tier Three

• Simple scans (commercial or open source packages)
• Predefined scopes
• Inside scans only
• No verification of vulnerabilities
• Canned report with little insight
• Relatively inexpensive

Slide 9: Three Types of Vendors – Tier Two

• Simple scans (commercial or open source packages)
• Scope is somewhat limited
• Both inside and outside scans
• Some verification of vulnerabilities
• Thorough report
• Medium to high cost

Slide 10: Three Types of Vendors – Tier One

• Scans are customizable
• Scope is customizable
• Both inside and outside scans
• Full verification of vulnerabilities
• Detailed report with recommended course of action
• Higher cost

Slide 11: Planning

Slide 12: Defining the Assessment

• Define scope before picking vendor
• Exercise non-disclosure to protect both parties
• Redefine scope after meeting with chosen vendor
• Identify critical systems with associated timelines
• Predefine areas of potential issues
• Identify point person to handle issues
• Schedule update meetings
• Develop project plan with associated timeline

Slide 13: Key Components of Offsite Assessment

• Strong test of detection technologies on Internet connection
• Know the source IP address space the assessment will originate from
• Should not be a drag on bandwidth
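One practical use of knowing the vendor's source address space, as an added example that is not part of the Baylor slides: tag firewall or IDS events by whether they come from the announced range and fall inside the agreed scan window, so the detection test is still meaningful and real alerts are not lost in the scan noise. The CIDR range, scan dates and log lines are constructed placeholders.

```python
# Added example (not from the original presentation): classify log events
# against the address space and schedule the assessment vendor announced.
# The range, window and log lines are constructed placeholders.
import ipaddress
from datetime import datetime

# Source ranges the vendor said the external scan would come from (placeholder).
ASSESSMENT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Agreed two-week external scan window (placeholder dates, end exclusive).
SCAN_WINDOW = (datetime(2006, 3, 6), datetime(2006, 3, 20))

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip> <event>"
SAMPLE_LOG = """\
2006-03-07T02:14:11 203.0.113.17 192.0.2.10 portscan
2006-03-07T02:14:12 203.0.113.17 192.0.2.11 portscan
2006-03-08T23:01:55 198.51.100.4 192.0.2.10 portscan
2006-03-25T10:30:00 203.0.113.42 192.0.2.12 portscan
"""

def classify(line, ranges=ASSESSMENT_RANGES, window=SCAN_WINDOW):
    """Return 'assessment', 'out-of-window' or 'unexpected' for one log line."""
    ts_text, src, _dst, _event = line.split()
    ts = datetime.fromisoformat(ts_text)
    src_ip = ipaddress.ip_address(src)
    in_range = any(src_ip in net for net in ranges)
    in_window = window[0] <= ts < window[1]
    if in_range and in_window:
        return "assessment"      # expected: correlate, do not page on-call
    if in_range:
        return "out-of-window"   # vendor range but off schedule: confirm with point person
    return "unexpected"          # not the assessment: treat as a real alert

def summarize(log_text=SAMPLE_LOG):
    """Count events per classification; every 'unexpected' line still needs triage."""
    counts = {"assessment": 0, "out-of-window": 0, "unexpected": 0}
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts

if __name__ == "__main__":
    print(summarize())
```

The point is that the assessment's own traffic is labelled, not suppressed: the detection technologies still have to fire on it, and anything outside the range or schedule keeps its normal priority.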

Slide 14: Key Components of Onsite Assessment

• Make sure to know requirements and have a site ready for the consultants
• The site should be separate from IT staff to avoid raising suspicion
• The network connection should be open to access the systems to be targeted

Slide 15: Baylor's Assessment

• 2 week external scan
• 2 week internal scan
• 1 week personnel interviews
• 1 week social engineering
• Scan included PBX
• Draft report with meeting
• Final report and presentation

Slide 16: Getting Started

Slide 17: Follow the Plan

Slide 18: Assessment Execution

• Remember: keeping the assessment confidential gives a more realistic snapshot of security
• Make sure that DPS and at least one lead IT administrator are aware
• Clearly define the order of the assessment to limit the occurrences of unexpected outages

Slide 19: Daily Reviews

• Make sure to keep aware of how the assessment is progressing
• React if necessary to glaring critical issues discovered
• Timelines may need to be adjusted due to extended scan times

Slide 20: The results are in… which direction are you headed?

Slide 21: Vulnerabilities Identified

• Technical
• Behavioral

Slide 22: Remediation

• All your dirty laundry is now exposed
• Be inclusive of findings
  • Executives
  • IT departments
  • School/Department IT managers
  • General Counsel
• Prioritize vulnerabilities to be resolved.
  • Vulnerability severity
  • Resource cost
  • Business impact
• Set schedules and milestones
• Create a response document to the assessment discoveries

Slide 23: By-Products

• Security Team
• Security Training
• Security awareness campaign

Slide 24: Was it worth it?

Slide 25: Desired Results Achieved

• Got the attention of the right people
• Documented a baseline
• Remediation of exposed issues
• Long term strategy

Slide 26: Looking Forward

• Multiyear agreement can reduce cost.
• Assessment follow-ups will allow for trending data to show policy and remediation impact
• Assessments do not replace normal security vigilance

Slide 27: Questions?

• Bob Hartland, Director for IT Servers and Network [email protected]
• Jon Allen, Information Security [email protected]

