Post on 22-Dec-2015
Managing Security the Intelligent Way:
Moving from Spreadsheets to a Knowledge Base
Joshua Drummond, Security Architect
Neil Matatall, Security Programmer/Analyst
Marina Arseniev, Associate Director of Enterprise Architecture
University of California, Irvine
University of California, Irvine
• Located in Southern California
• Year Founded: 1965
• Enrollment: over 24K students
• 1,400 Faculty (Academic Senate)
• 8,300 Staff
• 6,000 degrees awarded annually
• Carnegie Classification: Doctoral/Research – Extensive
• Extramural Funding - 311M in 2005-2006
• Undergoing significant enrollment growth
Our Security Status? http://www.privacyrights.org
– 800,000 in November, 2006: Hacker(s) gained access to a database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information.
– 35,000 in December, 2006: The University discovered that personal information of current and former students, faculty members, and staff may have been exposed by a computer network intrusion -- including names, SSNs, home addresses, phone numbers and e-mail addresses.
– 11,000 in February, 2007: Names, grades, and SSNs were posted on an unprotected Web site after summer session in 1999. College stopped using SSNs as student IDs in 2002.
– 65,000 in February, 2007: A programming error resulted in personal information of individuals being exposed on the University's Web site. Included were names, addresses, SSNs, and in some cases credit card numbers.
Security is Multi-layer
[Diagram: security controls by layer]
• User: Identity Management, Authentication, Education
• Network/Web: Account Admin, Firewalls, Encryption, Logging/Auditing
• Application: Authorization, Logging/Audit, Test Tools
• Data: Authorization, Logging/Audit, Encryption, Inventory
• Operations: Backups (incl. off-site), Logging/Audit, Disaster Recovery
• Across all layers: Policies, Standards, Procedures, Technical Reference Architecture, Approved Tools and Lifecycle; Exceptions by Approval; Regularly reviewed
We do a lot today… SDLC and Change Management
• Security requirements and design reviews from the get-go.
• Code reviews of all security and database code
• Developers reuse security components
– Single sign-on, authorization API, user identity objects
• Automated nightly code and application security scanning
– Jtest, AppScan, Nessus, database security scanning
• Scheduled network & configuration vulnerability scanning
– Firewall rules, Foundstone, Sophos virus scans, Tripwire
• Consolidated storage of sensitive data, database model reviews of personal identity data
• Concurrency and stress testing to detect thread-safety security issues
– JMeter, OpenSTA (100s of concurrent virtual test users of load)
REPEAT, REPEAT, and REPEAT…
Still had problems
• Urgent call from our director:
– Have you patched the server with X?
– Is Server Y behind a firewall?
– Did Server Y have any credit card information stored?
– Is the database encrypted?
– When was the last time a security review of Application X was done?
• Dana Doe is on vacation! Don’t know!
• Different answers from different people!
• Little confidence that information is current.
• Spreadsheet Hell!
– Too many checklists, spreadsheets, and documents
– A host IP change introduces a document update nightmare.
– If a server is added, remember to add it to the firewall rules in multiple spreadsheets. How about scanning tools?
– Missing information, such as whom to contact for a problem.
– Scattered information in documents outside of Excel on multiple file systems and whiteboards, obscure and owned by and accessible to different people
Objectives
• Needed to better organize, consolidate, and centralize security policy and procedures.
• Needed to manage “preventative security maintenance” more consistently and efficiently, with less redundancy…
– Security checklists and rules
– Security reviews and their results; track enforcement and follow-up
– Oversight functions for secure development, acquisition, maintenance and operations.
Agenda
• Background on Ontologies and Protege
• Realized value - demonstration of our knowledgebase and reports
• How to implement it in your organization
• Summary
• Useful URLs and Q&A
Background
• What is an Ontology?
– “An ontology describes the concepts and relationships that are important in a particular domain, providing a vocabulary for that domain as well as a computerized specification of the meaning of terms used in the vocabulary. In recent years, ontologies have been adopted in many business and scientific communities as a way to share, reuse and process domain knowledge. Ontologies are now central to many applications such as scientific knowledge portals, information management systems, and electronic commerce.”
– Supports inheritable properties (is-a)
– Attributes of an object can be complex objects themselves (rich). Nestable…
[Diagram: Book Ontology – an example is-a hierarchy with the classes Writing, Short Story, Historical, Novel, Classic, Medieval and Modern]
Stanford University’s Protégé Knowledgebase and Ontology Tool
• Allows easy modeling and creation of an ontology
• Auto-generates forms for collecting and capturing information based on ontology and class definitions.
• “Reverse slots” allow rich linking ability and automatic updates of changing relationships.
– Remember the removal of the server and associated updates of firewall rules?
• Generates an HTML view of knowledge and ontology.
• Can use an XML plug-in
– generate reports in other formats and for specific audiences, without storing redundant data.
• Currently used for UCI Enterprise Architecture Repository
• Open source at http://protege.stanford.edu/
Realized Value: Autogenerated Reports from Protege
• Network Inventory Report – By Host Name – By IP Address
• Firewall Rules Report – By Firewall – By Host Name – By IP Address
• Personal Identity Database Report – By Server – By Database
• Personal Identity Datafile Report – By Server
Before and After - Firewalls
[Diagram: before/after comparison of how firewall information flows among the roles Unix Sys Admin, Windows Sys Admin, Department Firewall Admin and Campus Border Firewall Admin]
How to Implement in your Organization…
• Step 1: Inventory existing spreadsheets and documents related to security.
• Step 2: Identify information you want to track centrally. What is important or critical? Do that first.
• Step 3: Design your ontology (or copy ours)
• Step 4: Assign roles – who updates, who views
• Step 5: Capture information
• Step 6: Add any customizations to Protégé
• Step 7: Create secured reports for various audiences
– Validate reports and usefulness of collected information with stakeholders.
How - Protégé Customizations
• Although editing of the knowledge base is done centrally through the Protégé desktop client, we wanted to automate the generation of all report output
• Wrote two custom Java classes that use the Protégé API to emulate actions usually done through the GUI, so that they can be run from an automated command-line script instead
– edu.uci.adcom.protege.ProjectXmlExport
– edu.uci.adcom.protege.ProjectHtmlExport
• Modified the existing HTML Export plug-in to change the structure of the output HTML
– List Instances before Slots on Class pages
– Made string attributes that are URLs actual hyperlinks
– Add line breaks between multiple Slot values
How – Using XSLT for Reports
• Replicate exactly and replace former spreadsheets with the same functionality
• Created canned reports for specific views on knowledge
• XSLT is used to transform the XML export of the entire knowledge base to report-specific “simple” XML
• Then again from the “simple” XML to multiple HTML views for each report, or to an Excel spreadsheet
• XSL and CSS are flexible and can be modified to customize presentation of data
How - Putting it all together
• Ant script is used to tie everything together and make it easily scheduled from command line
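The following is an added example, not UCI's code: the talk's pipeline is Java, XSLT and Ant, while this uses Python's standard library to show the same two-stage shape (full knowledge-base export → report-specific "simple" XML → one HTML view per audience) and the "reverse slot" effect mentioned earlier, where removing a host also removes every firewall rule that points at it so no report can keep a stale row. The export format, element names, hosts, IPs and contacts are all constructed and are not Protégé's real export schema.

```python
import html
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export (assumption: instances with named slots that
# reference other instances by name; this is not Protégé's real format).
FULL_EXPORT = """<knowledge_base>
  <instance class="Host" name="web01">
    <slot name="ip">10.0.1.10</slot><slot name="contact">ops@example.invalid</slot>
  </instance>
  <instance class="Host" name="db01">
    <slot name="ip">10.0.2.20</slot><slot name="contact">dba@example.invalid</slot>
  </instance>
  <instance class="Firewall" name="border"/>
  <instance class="Firewall" name="finsvc"/>
  <instance class="FirewallRule" name="r1">
    <slot name="firewall">border</slot><slot name="host">web01</slot>
    <slot name="port">443</slot><slot name="action">allow</slot>
  </instance>
  <instance class="FirewallRule" name="r2">
    <slot name="firewall">finsvc</slot><slot name="host">db01</slot>
    <slot name="port">1433</slot><slot name="action">allow</slot>
  </instance>
  <instance class="FirewallRule" name="r3">
    <slot name="firewall">border</slot><slot name="host">db01</slot>
    <slot name="port">22</slot><slot name="action">deny</slot>
  </instance>
</knowledge_base>"""

COLUMNS = ("firewall", "host", "ip", "port", "action", "contact")


def slots_of(inst):
    """Map slot name -> value for one exported instance."""
    return {s.get("name"): (s.text or "").strip() for s in inst.findall("slot")}


def to_simple_xml(full_xml):
    """Stage 1: full export -> report-specific 'simple' XML.

    Each FirewallRule is flattened with the IP and contact of the host it
    references, so host data is stored once and copied at report time
    instead of being retyped into every firewall's spreadsheet."""
    root = ET.fromstring(full_xml)
    hosts = {inst.get("name"): slots_of(inst)
             for inst in root.iter("instance") if inst.get("class") == "Host"}
    simple = ET.Element("firewall_rules")
    for inst in root.iter("instance"):
        if inst.get("class") != "FirewallRule":
            continue
        rule = slots_of(inst)
        host = hosts.get(rule["host"])
        if host is None:
            # Dangling reference: a rule for a host that no longer exists.
            # Spreadsheets kept such rows silently; here it fails the build.
            raise ValueError("rule %s references unknown host %s"
                             % (inst.get("name"), rule["host"]))
        ET.SubElement(simple, "rule", firewall=rule["firewall"], host=rule["host"],
                      ip=host["ip"], port=rule["port"], action=rule["action"],
                      contact=host["contact"])
    return simple


def report(simple, key):
    """Stage 2 data: group rules by one attribute (firewall, host or ip), sorted."""
    groups = defaultdict(list)
    for rule in simple.findall("rule"):
        groups[rule.get(key)].append(dict(rule.attrib))
    return {k: sorted(v, key=lambda r: (r["firewall"], r["host"], int(r["port"])))
            for k, v in sorted(groups.items())}


def render_html(simple, key):
    """Stage 2 output: one HTML view per grouping key, one table per group."""
    out = ["<html><body><h1>Firewall Rules by %s</h1>" % html.escape(key)]
    for group, rules in report(simple, key).items():
        out.append("<h2>%s</h2><table>" % html.escape(group))
        out.append("<tr>" + "".join("<th>%s</th>" % c for c in COLUMNS) + "</tr>")
        for r in rules:
            out.append("<tr>" + "".join("<td>%s</td>" % html.escape(r[c])
                                        for c in COLUMNS) + "</tr>")
        out.append("</table>")
    out.append("</body></html>")
    return "\n".join(out)


def remove_host(full_xml, host_name):
    """Emulate a reverse slot: removing a host also drops every rule that
    points at it, so no regenerated report can keep a stale entry."""
    root = ET.fromstring(full_xml)
    for inst in list(root):
        cls = inst.get("class")
        if (cls == "Host" and inst.get("name") == host_name) or \
           (cls == "FirewallRule" and slots_of(inst).get("host") == host_name):
            root.remove(inst)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    simple = to_simple_xml(FULL_EXPORT)
    for key in ("firewall", "host", "ip"):
        print(render_html(simple, key))
    print(render_html(to_simple_xml(remove_host(FULL_EXPORT, "db01")), "firewall"))
```

The three views are produced from one "simple" document, which is the point of the two-stage design: adding a fourth view (say, by contact) touches only stage 2, and a rule whose host has been deleted stops the export instead of surviving in one spreadsheet but not another.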
After
• Rich inventory of knowledge, including firewall rules and network inventory
• New information that didn’t exist before
• Zero spreadsheets
• 10 custom reports – both HTML and Excel
• Centralized maintenance of a single repository across organizational units
• Access based on privileges
• 60 individuals in the organization have a clear view of potential holes in security for analysis and proactive planning
• Sensitive data tracked
– 35 data files
– 50 database fields
• Tracking versions of 12 major applications for patch management
• Added 5 hosts to backup and anti-virus scanning procedure
Before
• Firewalls
– Border, Police, Financial Services, Windows OS, and Server Firewall
– Each firewall had its own spreadsheet (5 spreadsheets total)
– 30+ servers behind multiple firewalls. Servers duplicated across spreadsheets.
• White Boards
– Partial Network Inventory
– Unpatched servers on whiteboard
• 4 units keeping redundant or out-of-sync information in private locations
• Limited access - personal computers
• Sensitive data locations unclear
• No version management of applications
• Servers with no virus protection or backups
Metrics
Future Plans
• Continue to evolve the ontology to include more attributes and relationships
• Continue capturing and updating new information
• Look into using the Protégé Web-based front-end with a JDBC backend to support multi-user updates and views.
• Generate checklists intelligently based on attributes for reviews
– Example: if reviewing an application running on IIS and MS SQL Server, the checklist would be customized to that environment.
• Generate more canned reports.
• Write queries that proactively determine potential trouble spots
– A personal identity database field that has not been encrypted.
– An application review that requires follow-up on security vulnerabilities
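An added example, not UCI's code, of the two future-plan items above: checklists generated from an application's recorded platform attributes, and proactive queries that flag a personal identity field with no recorded encryption and an application review whose follow-up is open and past due. It runs over a constructed "simple" XML document in the spirit of the talk's XSLT stage; the element and attribute names, the applications and the checklist wording are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample "simple" XML; element and attribute names are assumptions.
SIMPLE_XML = """<kb>
  <database server="db01" name="student">
    <field name="ssn" pii="yes" encrypted="no"/>
    <field name="birth_date" pii="yes" encrypted="yes"/>
    <field name="course_code" pii="no" encrypted="no"/>
    <field name="home_address" pii="yes"/>
  </database>
  <database server="db02" name="payroll">
    <field name="bank_account" pii="yes" encrypted="yes"/>
  </database>
  <application name="grades" webserver="IIS" database="MS SQL Server"/>
  <application name="library" webserver="Apache" database="Oracle"/>
  <review application="grades" date="2007-01-15" followup_due="2007-03-01" followup_done="no"/>
  <review application="housing" date="2006-11-02" followup_due="2006-12-15" followup_done="yes"/>
  <review application="library" date="2007-02-10" followup_due="2007-04-30" followup_done="no"/>
</kb>"""

# Checklist fragments keyed by platform attribute values (constructed wording).
BASE_CHECKS = ["Security review on record and less than 12 months old",
               "Owner and contact for the application identified"]
PLATFORM_CHECKS = {
    ("webserver", "IIS"): ["IIS patch level current",
                           "Unused IIS extensions and sample sites removed"],
    ("webserver", "Apache"): ["Apache patch level current",
                              "Directory listing disabled"],
    ("database", "MS SQL Server"): ["SQL Server patch level current",
                                    "Application does not connect as sa"],
    ("database", "Oracle"): ["Oracle patch level current",
                             "Default accounts locked"],
}


def unencrypted_pii_fields(xml_text):
    """Trouble spot 1: personal identity fields with no recorded encryption.
    A missing attribute counts as unencrypted, so an incomplete record is a
    finding rather than a silent pass."""
    root = ET.fromstring(xml_text)
    return [(db.get("server"), db.get("name"), f.get("name"))
            for db in root.findall("database")
            for f in db.findall("field")
            if f.get("pii") == "yes" and f.get("encrypted") != "yes"]


def reviews_needing_followup(xml_text, today):
    """Trouble spot 2: application reviews whose follow-up is open and due."""
    root = ET.fromstring(xml_text)
    out = []
    for r in root.findall("review"):
        if r.get("followup_done") == "yes" or not r.get("followup_due"):
            continue
        if date.fromisoformat(r.get("followup_due")) <= today:
            out.append((r.get("application"), r.get("followup_due")))
    return out


def checklist_for(xml_text, app_name):
    """Build a review checklist from the application's recorded attributes,
    e.g. an IIS + MS SQL Server application gets the IIS and SQL Server items."""
    root = ET.fromstring(xml_text)
    app = next((a for a in root.findall("application") if a.get("name") == app_name), None)
    if app is None:
        raise KeyError(app_name)
    items = list(BASE_CHECKS)
    for attr in ("webserver", "database"):
        items.extend(PLATFORM_CHECKS.get((attr, app.get(attr)), []))
    return items


if __name__ == "__main__":
    print(unencrypted_pii_fields(SIMPLE_XML))
    print(reviews_needing_followup(SIMPLE_XML, date(2007, 3, 15)))
    print("\n".join(checklist_for(SIMPLE_XML, "grades")))
```

Because the queries run over the same export that feeds the reports, a field or review is flagged the day it is captured, without anyone maintaining a separate "things to chase" spreadsheet.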
Q&A
• AdCom's application security checklist - http://snap.uci.edu/viewXmlFile.jsp?resourceID=1440
• Stanford’s Protégé Knowledgebase and Ontology Tool (Java, Open Source) - http://protege.stanford.edu
• XML/XSLT processing - http://xerces.apache.org
• Ant - http://ant.apache.org