CH2MHILL Communications Group - PowerPoint PPT Presentation

About This Presentation
Title: CH2MHILL Communications Group
Slides: 14
Provided by: ch2m2
Transcript and Presenter's Notes

Title: CH2MHILL Communications Group


1
University of Alaska System and UAF Information
Technology Security Review 2007
2
The CH2M HILL - Coalfire Systems Team
  • The CH2M HILL Team delivers industry-leading Information
    Technology (IT) security services.
  • The Team has delivered more than 300 IT security
    assessments and remediation planning engagements to
    clients, including recent projects for:
    • University environments, including the University
      of Colorado and California systems
    • States of Colorado, Florida, Iowa, Oregon, and
      Oklahoma
    • County and City governments in multiple states
    • U.S. Department of Energy, Centers for Disease
      Control and Prevention
    • Hundreds of banks and financial institutions
    • Hospitals and health insurance companies
  • Apply methodologies that enable transfer of
    knowledge and enhance client capability for
    ongoing IT security programs

3
Compliance Trends
A Brief History of Regulatory Time
1970-1980
  • Privacy Act of 1974
  • Foreign Corrupt Practices Act of 1977

1980-1990
  • Computer Security Act of 1987

1990-2000
  • EU Data Protection
  • HIPAA
  • FDA 21 CFR Part 11
  • C6-Canada
  • GLBA

2000-Present
  • COPPA
  • USA Patriot Act 2001
  • EC Data Privacy Directive
  • CLERP 9
  • CAN-SPAM Act
  • FISMA
  • Sarbanes Oxley (SOX)
  • CIPA 2002
  • Basel II
  • NERC 1200 (2003)
  • CISP
  • Payment Card Industry (PCI)
  • California Individual Privacy SB1386
  • State Privacy Laws

4
Project Overview
Project activities for the Information Security
Review included:
  • Evaluate the University's business practices and
    procedures, and make recommendations for improving
    business processes.
  • Ensure adequate controls are in place to protect
    Confidentiality, Integrity, and Availability.
  • Identify vulnerabilities, determine their risks,
    and make recommendations to resolve or mitigate
    those risks.

Project methodology
  • Internal and External Vulnerability Scans.
  • System Baseline analysis.
  • Interviews with Critical Business owners.
  • Compare findings against a set of Common Control
    Objectives.
  • Areas reviewed included Data Management Policies
    and Practices, the IT Security Program, Networks,
    Identity Management Directory, Authentication and
    Authorization Services, Database, Application
    Development/Support, Windows and Unix Servers,
    Desktop Support, Data Center Operations, Help
    Desk, and Telephony.

5
COBIT Maturity Model
6
Vulnerability Scans
Project activities for the Information Security
Review included:
  • Internal scans were used to evaluate the
    effectiveness of controls against threats internal
    to the University (employee or contractor).
  • External scans were conducted to assess the
    University's vulnerabilities from an untrusted
    network, such as the Internet.
  • UAF provided CH2M HILL with a list of 137 systems
    to assess. Hosts were grouped into Windows and
    Unix systems, and reports were generated
    separately.

7
Vulnerability Scans (Internal)
(Chart: results by host group, Unix Group 1 and Windows)
8
Vulnerability Scans (External)
(Chart: results by host group, Unix Group 1 and Windows)
9
Vulnerability Scans
Recommendations
  • Document any known suspicious ports for future
    scans.
  • Focus on High, Critical, and Urgent
    vulnerabilities first.
  • Only support strong encryption protocols (SSLv3,
    SSHv2, 3DES, AES, etc.)
  • Never use default SNMP strings (Public, Private)
  • Ensure all applications are part of a
    vulnerability management program, not just OSs.
  • If patches cannot be deployed on schedule,
    document the business justification.
  • Conduct periodic (typically quarterly) network
    scans, both Internal and External (Nessus,
    Qualys, NeXpose, Retina, ISS, GFI, etc.)
  • Establish a secure baseline configuration (CIS
    Benchmarks, NSA, DISA, Vendors)
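As an added illustration of these recommendations (example code, not part of the CH2M HILL deliverable), a small Python triage over a constructed scan export: findings are ordered Urgent/Critical/High first, default SNMP community strings and protocols outside the slide's list are flagged, and overdue patches without a documented business justification are called out. The Finding fields, hostnames and sample rows are assumptions.

```python
from dataclasses import dataclass

SEVERITY_ORDER = {"Urgent": 0, "Critical": 1, "High": 2, "Medium": 3, "Low": 4}
DEFAULT_SNMP = {"public", "private"}
# The slide's 2007 list of acceptable protocols. SSLv3 and 3DES have since
# been deprecated (RFC 7568, Sweet32); a current baseline would drop them.
ALLOWED_PROTOCOLS = {"SSLv3", "SSHv2", "3DES", "AES"}

@dataclass
class Finding:              # one row of a scanner export (fields assumed)
    host: str
    severity: str
    title: str
    snmp_community: str = ""   # community string found, if an SNMP check
    protocol: str = ""         # protocol offered, if a crypto check
    patch_overdue: bool = False
    justification: str = ""    # documented business reason for a late patch

def prioritise(findings):
    """Return findings sorted so the highest severities are worked first."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 9), f.host))

def policy_flags(findings):
    """Apply the slide's rules and return (host, reason) pairs that break them."""
    flags = []
    for f in findings:
        if f.snmp_community.lower() in DEFAULT_SNMP:
            flags.append((f.host, "default SNMP community string"))
        if f.protocol and f.protocol not in ALLOWED_PROTOCOLS:
            flags.append((f.host, f"weak protocol offered: {f.protocol}"))
        if f.patch_overdue and not f.justification.strip():
            flags.append((f.host, "patch overdue with no documented justification"))
    return flags

# Constructed sample export; hostnames and findings are made up.
SAMPLE = [
    Finding("unix-01", "Medium", "Outdated OpenSSL", patch_overdue=True),
    Finding("win-02", "Critical", "SNMP agent answers 'public'", snmp_community="public"),
    Finding("unix-03", "High", "SSLv2 supported", protocol="SSLv2"),
    Finding("win-04", "Low", "Server banner disclosure"),
    Finding("win-05", "Urgent", "Missing vendor patch", patch_overdue=True,
            justification="Vendor application certified only on current build"),
]
if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.severity:8} {f.host:8} {f.title}")
    for host, why in policy_flags(SAMPLE):
        print(f"FLAG {host}: {why}")
```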

10
Common Controls
Definition
  • Each area was assessed against a set of 42 common
    control objectives.
  • Each control objective was mapped to regulatory
    requirements, best practices, and guidelines:
    • ISO 17799 (International Organization for
      Standardization)
    • COBIT 4.0 (Control Objectives for IT and Related
      Technology)
    • HIPAA (Health Insurance Portability and
      Accountability Act)
    • NIST 800 (National Institute of Standards and
      Technology)
    • GLBA (Gramm-Leach-Bliley Act)
    • PCI DSS (Payment Card Industry Data Security
      Standard)

11
Common Controls
Recommendations
  • 42 Control Objectives Reviewed
  • Low Risk: 10 areas meeting control objectives
    • Network admins have implemented appropriate
      security practices
    • Avoid access creep, maintain appropriate service
      levels, and conduct regular system maintenance.
  • Medium Risk: 31 areas partially meeting control
    objectives
    • Missing one or more elements vs. full compliance
    • Correct by conducting a comprehensive risk
      assessment, establishing additional security
      policies, and creating a business continuity plan
      based on a business impact analysis.
    • No quick fixes; requires long-term commitments
  • High Risk: 1 area did not meet control
    objectives (Media Disposition and Sanitization)
    • Lacking an information classification program,
      sensitive data inventories, and destruction
      standards for all media
    • University may not be able to detect if sensitive
      data is compromised or lost, or to minimize the
      potential impact of a data breach.

12
Action To Date
  • Done or in process
    • 7 of 32 Identified Risks to be resolved by
      January 2008
    • Action plan for remaining 25 in process
    • Media disposition and sanitization options under
      review
  • To be done
    • External security reviews for UAA and UAS
    • Place vulnerability scans and other security
      reviews on a regular schedule
    • Identify where regulation or policy may be needed

13
Security Program Resource Impact
Heroic Period: Security dependent on individuals.
Limited documentation, training and testing.
Migration: Intensive effort applied to conduct
risk assessment, develop policies, deploy
controls, and establish accountability.
Sustaining Period: Security dependent on
processes and controls.
  • Security Premium
    • Documentation
    • Training
    • Policies and Procedures
    • Audit and Reporting
    • Testing
  • Function Growth
    • Growth in users
    • Expansion of applications
    • Extended services

(Chart: Budget vs. Time, 2003 to 2015)