UCAR Security Training Update

Aaron Andersenfor

Peter Burkholder12 March 2007

Overview

• Hired Peter Burkholder as casual to complete training assessment and modules

• Peter made excellent progress but was hired by a firm in Maryland

• Plan is to complete the training and will likely fly him back to give the first required training here in April.

Training Update

•CSAC required on-site security training for “designated sysadmins” in early 2006

•Eight hours of training annually

•Improve quality of security and system administration practices at UCAR

Needs assessment•Keep training focussed on pragmatic

needs and specific to UCAR practices

•Peter Burkholder has analyzed training implications of CSAC policies and done an initial survey of the 112 ‘designated’ sysadmin (vs. 54 SAs by job title)

•Formed an advisory group of sysadmins to provide content feedback and guidance

Survey Highlights

• Many small site SAs (41< 5 systems), and these systems are a mix of platforms

• Small sites SAs self-assess as OK at security

• Comments:

• As long as I follow established procedures, I feel confident in the security of our systems.

• I gave myself a 5 [Outstanding] based on the fact that I promply upgrade my system to deal with security issues as soon as they are identified by UCAR experts and they make me aware of the need for an upgrade. I am not personally a security expert.

• Certainly my process of installing/applying security updates is not as timely as I'd like. For the most part, updates still need to be manually/individually applied on Mac systems.

• Anybody who says "Outstanding" is lying :-)

Training Structure•5 modules of 2-3 hours each

•UCAR Security Essentials will be required

•Choose among the following courses to meet or exceed 8 hours

•Securing Unix/Linux, Securing MacOSX, Securing Windows, Service Hardening

UCAR Security Essentials

•First course, targeted April 2007

•Guiding principles in UCAR InfoSec

•UCAR security incident response

•UCAR security infrastructure (network, passwords)

•Law and Ethics for sysadmins

Other Courses

•Given the number of people managing a few machines, focus on specifics of system hardening, with intro infrastructure tools

•Securing Unix/Linux & Securing MacOSX -- May 2007?

•Hardening Services -- June 2007?

•Securing Windows – Additional expertise needed may (outsource)

Windows Training

•Jason Fossen

• http://www.enclaveconsulting.com/

•Randy Franklin Smith

• http://www.ultimatewindowssecurity.com/

•Mark Minasi

• http://www.minasi.com/