Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base - PowerPoint PPT Presentation

About This Presentation
Title: Chaos to Clarity: Consolidate Your Security Information into a Knowledge Base
Description: Track code, database, and security reviews, results and follow-up ... Using Protégé to Capture Reviews. Realized Value: Auto-generated Reports from Protégé ... (PowerPoint PPT presentation)

Slides: 46
Provided by: netEdu
Transcript and Presenter's Notes

1
  • Chaos to Clarity: Consolidate Your Security
    Information into a Knowledge Base
  • Joshua Drummond, Security Architect
  • Neil Matatall, Security Programmer/Analyst
  • Marina Arseniev, Associate Director of Enterprise
    Architecture
  • University of California, Irvine

2
About us
  • Located in Southern California
  • Year Founded: 1965
  • Enrollment: over 24K students
  • 1,400 Faculty (Academic Senate)
  • 8,300 Staff
  • 6,000 degrees awarded annually
  • Carnegie Classification: Doctoral/Research
    Extensive
  • Extramural Funding: 311M in 2005-2006
  • Undergoing significant enrollment growth

3
Security Status Across Higher Ed?
http://www.privacyrights.org
  • 800,000 in November 2006: Hacker(s) gained
    access to a database containing personal
    information on current and former students,
    current and former faculty and staff, parents of
    financial aid applicants, and student applicants.
  • 5,800 in August 2007: Computer with the SSNs of
    students was discarded before its hard drive was
    erased, forcing the school to warn students about
    potential identity theft.
  • 4,375 in September 2007: Former students at risk
    for identity fraud after an instructor's laptop
    computer was stolen.
  • 3,100 in September 2007: A technical problem in
    the way student bills are printed possibly
    allowed student SSNs to be sent to another
    student's address.

4
Security is Multi-layer
5
We do a lot: SDLC and Change Management
  • Security requirements and design reviews from
    the get-go.
  • Code reviews
  • Developers reuse security components
  • Automated nightly code and application security
    scanning
  • Scheduled network configuration vulnerability
    scanning
  • Consolidated storage of sensitive data, database
    model reviews of personal identity data
  • Concurrency and stress testing to detect thread
    security problems

6
Still had problems
  • Urgent call from our director
  • Have you patched server X?
  • Is Server Y behind a firewall?
  • Did Server Y have any Credit Card information
    stored?
  • Is the database encrypted?
  • When was the last time a security review of
    Application X was done?
  • Peter The Anteater is on vacation!
  • Peter is now at Google!
  • Different answers from different people.
  • Little confidence that information is current.

7
Not enough
  • Many security layers meant many documents owned
    by many people
  • Scattered checklists, spreadsheets, and diagrams
    not accessible
  • Host IP change: document update nightmare.
  • New server? Update how many firewalls?
  • Missing information, such as whom to contact
  • Proprietary knowledge departed with staff
    turnover
  • Spreadsheet Hell!

8
What we learned
  • Maintaining separate spreadsheets on server
    configurations, firewalls, and personal identity
    data, each with redundant and inconsistent
    information, is inappropriate in today's security
    climate.
  • Explored different approaches and tools, both
    vendor and open source.
  • Merged with the Enterprise Architecture approach
    to use Stanford's Protégé knowledge base.
  • Open-source ontology and knowledge-base tool to
    intelligently capture and maintain comprehensive
    enterprise security information in a single
    repository.

9
Objectives
  • Quickly respond to threats.
  • Organize, consolidate, and centralize security
    procedures and facts about layers of security.
  • Facts about data, architectures, components,
    applications, encryption, auditing/logging,
    firewalls/rules, backup procedures, etc.
  • Track security checklists
  • Track code, database, and security reviews,
    results and follow-up
  • Track oversight functions for secure development,
    acquisition, maintenance, operations and
    decommissioning.

10
Agenda
  • Background on Ontologies and Protégé
  • Realized value: demonstration of our
    knowledge base and reports
  • How to implement this in your organization
  • Summary
  • Useful URLs and Q&A

11
Background
  • What is an Ontology?
  • An ontology describes the concepts and
    relationships that are important in a particular
    domain, providing a vocabulary for that domain as
    well as a computerized specification of the
    meaning of terms used in the vocabulary. In
    recent years, ontologies have been adopted in
    many business and scientific communities as a way
    to share, reuse and process domain knowledge.
    Ontologies are now central to many applications
    such as scientific knowledge portals, information
    management systems, and electronic commerce.
  • Supports inheritable properties (is-a)
  • Attributes of an object can be complex objects
    themselves (rich); nestable

[Diagram: Book Ontology example, with classes Writing, Short Story, Historical Novel, Classic, Medieval, Modern]
12
Stanford University's Protégé
  • Allows easy modeling and creation of ontology
  • Auto generates forms for collecting and capturing
    information based on ontology and class
    definitions.
  • Reverse slots allow rich linking ability and
    automatic updates of changing relationships.
  • Remember the removal of the server and associated
    updates of firewall rules?

13
Stanford University's Protégé
  • Generates an HTML view of knowledge and ontology.
  • Can be exported in XML format
  • Generate reports in other formats and for
    specific audiences, without storing redundant
    data.
  • Multi-user capable
  • Highly scalable
  • Simulations have handled over 5 million objects
  • Open source at http://protege.stanford.edu/
  • Java API to program against
  • Under active development (last release Aug 24,
    2007)

14
Protégé GUI
15
Protégé Knowledge Capture
16
(No Transcript)
17
HIPAA?
18
Protégé Application Instances
19
Protégé Authentication Instances
20
Protégé Authorization Instances
21
Protégé Patching Procedures
22
Protégé Backup Procedures
23
Protégé Query Capability
24
Agenda
  • Background on Ontologies and Protégé
  • Realized value: demonstration of our
    knowledge base and reports
  • How to implement it in your organization
  • Summary
  • Useful URLs and Q&A

25
Using Protégé to Capture Reviews
26
Using Protégé to Capture Reviews
27
(No Transcript)
28
Realized Value: Auto-generated Reports from Protégé
  • Network Inventory Report
      • By Host Name
      • By IP Address
  • Firewall Rules Report
      • By Firewall
      • By Host Name
      • By IP Address
  • Personal Identity Database Report
      • By Server
      • By Database
  • Personal Identity Datafile Report
      • By Server
  • Application Report
      • Includes developed and vendor applications

29
Before and After - Firewalls
[Diagram: roles involved: Unix Sys Admin, Windows Sys Admin, Department Firewall Admin, Campus Border Firewall Admin, Database Admin]
30
(No Transcript)
31
Report: Firewall by Host
32
Reports: Personal Identity Database by Server
33
Reports: Personal Identity Datafile by Server
34
Agenda
  • Background on Ontologies and Protégé
  • Realized value: demonstration of our
    knowledge base and reports
  • How to implement it in your organization
  • Summary
  • Useful URLs and Q&A

35
How to Implement in Your Organization
  • Step 1: Inventory existing spreadsheets and
    documents
  • Step 2: Identify information you want to track
    centrally.
  • Step 3: Design your ontology (or copy ours)
  • Step 4: Assign roles: who updates, who views
  • Step 5: Capture information
  • Step 6: Add any customizations to Protégé
  • Step 7: Create secured reports for various
    audiences

36
Our Ontology
37
Updates
  • 3 ways to update your knowledge base
  • Desktop Client / Local Project
      • Only one person can update at a time
      • Must have access to the project file
  • Web Server
      • Multi-user, access anywhere
      • Interface has its weaknesses
  • Client / Server
      • Best of both worlds
      • Must have desktop client installed

38
Updates: Client / Server
  • Use built-in client-server mode for multi-user
    updates
  • Grant access to individual users
  • Support for role-based permissions
  • Updates are propagated in near-real-time
  • BE CAREFUL!
      • Everything is stored in plain text

39
Customizations
  • Modified the existing HTML Export plug-in to
    change the structure of the output HTML
      • Encrypt sensitive values
      • List instances before slots on class pages
      • Made string attributes that are URLs actual
        hyperlinks
      • Add line breaks between multiple slot values

40
Using Protégé to Capture Reviews
41
Automation
  • Although editing of the knowledge base is done
    centrally through the desktop client, we wanted
    to automate the generation of reports
  • Wrote two Java classes that use the Protégé API
    to emulate actions usually done through the GUI
      • edu.uci.adcom.protege.ProjectXmlExport
      • edu.uci.adcom.protege.ProjectHtmlExport

42
Using XSLT for Reports
  • Replicate former spreadsheets exactly and replace
    them with the same functionality
  • Created canned reports for specific views on the
    knowledge
  • XSLT is used to transform the XML export of the
    entire knowledge base into report-specific simple
    XML
  • Then again from the simple XML to multiple HTML
    views for each report
  • XSL and CSS are flexible and can be modified to
    customize presentation of the data
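
The two-stage transform described above (full knowledge-base export to report-specific simple XML, then that XML to one HTML view per sort key), as an added example that is not the UCI team's code: it uses Python's standard library in place of XSLT, and the export format it parses is a constructed stand-in, not Protégé's real XML schema. It also shows the cross-check consolidation makes cheap: inventoried hosts that no firewall rule mentions.

```python
import html
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample export (simplified stand-in, not Protege's real schema):
# Host instances plus FirewallRule instances that link to a host by name.
KB_EXPORT = """<knowledgebase>
  <instance class="Host"><name>web1</name><ip>10.1.1.10</ip><owner>jdoe</owner></instance>
  <instance class="Host"><name>db1</name><ip>10.1.2.20</ip><owner>nmat</owner></instance>
  <instance class="Host"><name>old-app</name><ip>10.1.3.30</ip><owner>jdoe</owner></instance>
  <instance class="FirewallRule"><firewall>Border</firewall><host>web1</host><port>443</port></instance>
  <instance class="FirewallRule"><firewall>Department</firewall><host>web1</host><port>443</port></instance>
  <instance class="FirewallRule"><firewall>Department</firewall><host>db1</host><port>1433</port></instance>
</knowledgebase>"""


def build_report_xml(export_xml):
    """Stage 1: reduce the full export to report-specific simple XML, one <host>
    per inventoried host with its firewall rules nested under it."""
    root = ET.fromstring(export_xml)
    hosts = {}
    for inst in root.iterfind("instance[@class='Host']"):
        h = ET.Element("host", name=inst.findtext("name"), ip=inst.findtext("ip"),
                       owner=inst.findtext("owner"))
        hosts[h.get("name")] = h
    for inst in root.iterfind("instance[@class='FirewallRule']"):
        host = hosts.get(inst.findtext("host"))
        if host is None:  # dangling link: a rule for a host the inventory lacks
            continue
        ET.SubElement(host, "rule", firewall=inst.findtext("firewall"),
                      port=inst.findtext("port"))
    report = ET.Element("firewall-report")
    report.extend(sorted(hosts.values(), key=lambda e: e.get("name")))
    return report


def hosts_without_rules(report):
    """Hosts in the inventory that no firewall rule mentions: a one-line query
    here, a manual cross-check across five spreadsheets before."""
    return [h.get("name") for h in report if h.find("rule") is None]


def render_html(report, key):
    """Stage 2: one HTML view per sort key ('name' or 'ip') from the same report XML."""
    def sort_key(e):  # sort IPs numerically, not as strings
        return ipaddress.ip_address(e.get("ip")) if key == "ip" else e.get("name")
    rows = []
    for h in sorted(report, key=sort_key):
        rules = ", ".join(f"{r.get('firewall')}:{r.get('port')}" for r in h) or "NONE"
        cells = [h.get("name"), h.get("ip"), h.get("owner"), rules]
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return ("<table><tr><th>Host</th><th>IP</th><th>Owner</th><th>Firewall rules</th></tr>"
            + "".join(rows) + "</table>")
```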

43
Report Generation Process Outline
44
Reports: Personal Identity Datafile by Server
45
Putting it all together
  • An Ant script is used to tie everything together
  • Can be easily scheduled to generate reports

46
Metrics: Firewall Management
  • Before
      • Border, Police, Financial Services, Windows OS,
        and Server Firewall
      • Each firewall had its own spreadsheet maintained
        by a different person (5 spreadsheets total)
      • 30 servers behind multiple firewalls. Servers
        duplicated across spreadsheets.
  • After
      • Centralized inventory of knowledge about firewall
        rules
      • Zero spreadsheets
      • 3 custom reports (HTML and Excel)
      • Centralized maintenance of a single repository
        across organizational units
      • No redundancy

47
Metrics: Network and Data Inventory
  • Before
      • White boards and documents
      • Partial network inventory
      • Unpatched servers on whiteboard
      • 4 units keeping redundant or out-of-sync
        information in private locations
      • Limited access - personal computers
      • Sensitive data locations unclear
      • Servers with no virus protection or backups
  • After
      • New information that didn't exist
      • Integrated database, network, and application
        information
      • Zero spreadsheets
      • 9 custom reports (HTML and Excel)
      • Centralized maintenance of repository across
        organizational units
      • Access to repository extended to 60 individuals
        based on privileges
      • Clearer view of potential holes in security for
        analysis and proactive planning
      • Sensitive data tracked
          • 40 data files
          • 50 database fields
      • Added 40 hosts to backup and anti-virus scanning
        procedure

48
Future Plans
  • Continue to evolve the ontology to include more
    attributes and relationships
  • Continue capturing and updating new information
  • Automate capture of information with tools
  • Create a plugin for encrypting sensitive
    information
  • Create a slot-based authorization plugin
  • Generate checklists intelligently based on
    attributes
      • Example: if reviewing an application running on
        IIS and MS SQL Server, the checklist would be
        customized to that environment.
  • Create notifications about potential trouble
    spots
      • A personal identity database field that has not
        been encrypted.

49
Q&A
  • AdCom's application security checklist -
    http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
  • Stanford's Protégé Knowledgebase and Ontology
    Tool (Java, Open Source) - http://protege.stanford.edu
  • XML/XSLT processing - http://xerces.apache.org
  • Ant - http://ant.apache.org