

BRINGING TECHNOLOGY TO THE STATES. ITSC. www.itsc.state.md.us. STATE OF MARYLAND LOCKHEED MARTIN. MITRETEK SYSTEMS UNIVERSITY OF MARYLAND. Sponsored by the US Department of Labor. Winner of Case Study Award - International Summit on Service to the Citizen



Presentation Transcript

  1. BRINGING TECHNOLOGY TO THE STATES ITSC www.itsc.state.md.us STATE OF MARYLAND LOCKHEED MARTIN MITRETEK SYSTEMS UNIVERSITY OF MARYLAND Sponsored by the US Department of Labor Winner of Case Study Award - International Summit on Service to the Citizen Winner of Showcase Award - Joint Employment and Training Technology Conference Internet Security How Much is Enough? Orange Beach, Alabama May 23, 2000 Steve Miksell ITSC

  2. Internet Security How much is enough?

  3. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An On-Going Process) • Conclusion

  4. Internet Benefits and The Role of Security Internet Access (Benefits to Users and Staff) SESA Cost Savings (Client Savings/ Agency Savings) • Security Required to Assure Confidence Allowing Benefits to be Realized • Costs to Achieve this will affect bottom line • Household access • Personal Computer • Other devices • Third party access • Community-based organization • Libraries • Agencies • Schools • Ease-of-use • Ability to save agency costs • Accuracy of information and transactions • Cost of Internet hardware and software design and implementation • Cost of multiple modes of operation Security and Privacy

  5. UI Internet Security Issues Availability Privacy and Confidentiality Financial and Data Integrity

  6. Security -- Package or Process Universal Security Package (1 size fits all) Solution is an “ongoing” process tailored to the environment and application

  7. Security Program Activities

  8. Key Elements of a Security Program • People • Management • Staff Policies & Procedures Tools

  9. Computer Misuse and Abuse (USA TODAY from FBI and CSI Institute Surveys)

  10. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An Ongoing Process) • Conclusion

  11. Threats, Vulnerabilities, & Risks Vulnerability Threat Risk

  12. Internet Threats

  13. Web Server Vandalism WWW.Site.State.XX.US Welcome from the Commissioner……. • Vandalized Web Sites (a small sample): • NASA • DOJ • KKK • Greenpeace • CIA

  14. Secured SESA IT Environment Firewall Web Server Viruses and other malicious codes represent another threat to service. One, or several malicious individuals can launch “attacks” which deny service to all other users. Denial of Service

  15. SESA IT Environment Firewall Web Server Release of Confidential Information Legitimate user, who provides confidential information to the SESA. Hacker pretends to be someone else, obtaining confidential information, such as wage records or UI claim status from the SESA.

  16. SESA IT Environment Firewall Web Server Fraud Over the Internet Dishonest individuals submit fraudulent claims, using anonymity of the Internet to hide their identity.

  17. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An On-Going Process) • Conclusion

  18. Security Services (Tools and Techniques) Techniques • Server Lockdown • Log Analysis • Incident Handling Procedures • Security Policies • Risk Assessments • … • ... TOOLS • Firewalls • Intrusion Detection • Virus Detection • Authentication Mechanisms (e.g., PKI) • Virtual Private Networks • … • ...

  19. Snake Oil UI Issues and IT Security Services Availability Confidentiality Integrity Good Product/ NO Fit System Configuration Firewalls Accountability Architecture Monetary and Privacy Issues Non-Repudiation Threats posed by those who might commit fraud. Authentication Incident Mgmt. Identification Access Control Administration

  20. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An Ongoing Process) • Conclusion

  21. INTERNET Threats & Points of Vulnerability Internet Access Exposes Personal and Monetary Information Threat: Vandals Threat: Malicious Users Threat: Snoops, Data Modifiers Threat: Snoops, Data Modifiers Threat: Imposters Client Side Communications Path Server Side

  22. Server Side Security: Legacy & Operational Data Mainframes • Security Services: • System Configuration • Access Control • Identification & Authentication • Accountability • Facility Security • Software Import Control Servers

  23. Server Side Security • Firewalls • Incident Handling • Training • Security Services: • Administrative Procedures • Physical & Personnel Security • Architecture Your LAN External LAN/ Internet Service A ? Unauthorized Authorized Service X ? Email Service A ? Audit Logs Service X ?

  24. Server Side Security: The Web Server • Security Services: • System Configuration • Access Control • Identification & Authentication • Accountability • Non-Repudiation • Facility Security • Software Import Control • Incident Management The World UI Data

  25. Secure Communication Security Service: Encrypted pipe SSL (between remote client and server) Client Side Client Side Remote Site Communications Path (Internet) Server Side (Intranet) Security Service: Encrypted pipe (VPN) between firewalls

  26. Client Side Security • Security Services (Applied to Browsers, Platforms and Individuals): • System Configuration • Identification & Authentication • Encryption • Software Import Control • Access Control via Passwords • Non-Repudiation • USER TRAINING

  27. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An Ongoing Process) • Conclusion

  28. Security in the Life Cycle of (SESA & UI) Internet Applications Plan What will be done for Security? Design How will It Be Done? Implement Building the Application to incorporate Security Operate Running the Application Securely

  29. Key Issues Claimant Signatures Required? Use of PKI, SSN or Other Authentication techniques? Hours of Operation Contingency Plans Information Handling Policies Security Policy Privacy Policy Discipline Policies Legal Procedures Incident Handling Security Planning Risk Understanding Staff Involvement UI Director Business Managers IT Managers Operations Managers Quality Control Legal Counsel Planning Elements

  30. Policy & Conflict Resolution Cost Ease of Use Security Compatibility Laws & Guidelines

  31. Internet Authentication: A Major Policy Challenge User convenience must be balanced with privacy and fraud prevention If it’s too hard to prove I’m ME, I won’t bother to use the Internet INTERNET Solutions exist, but their selection and implementation involve cost/certainty/convenience tradeoffs and will require clear policy guidelines.

  32. Spectrum of Authentication Options Assume that knowledge of Name and SSN authenticate user and allow immediate access to Wage Data Require Certificates or other Stringent Authentication Procedures PKI or Biometrics ESTABLISH “Blind Authentication” Procedures that: 1) Protect Privacy 2) Fully exploit Internet capabilities to eliminate the need for direct staff support NEVER release Sensitive over the Internet “Safe but Restrictive” “Higher Risk but User Friendly”

  33. Key Issues Secure Architecture Security Requirements Privacy Requirements Allocation of functions to Hardware/Software/Procedures Firewall policy Encryption Virus Protection Forms Design System Impact Audit Requirements Security Design Reviews Risk Reduction Staff Involvement Business Managers IT Managers/Staff Operations Managers Quality Control Design Elements

  34. Key Issues Secure Server Configuration Firewall Configuration Security Testing Virus Software Security Training Risk Assessment Staff Involvement IT Managers/Staff Operations Managers/Staff Quality Control Implementation Elements

  35. Key Issues Update virus software Monitor security alerts Apply patches for security bugs Update access control lists Monitor audit data Report incidents to management Continually verify server integrity Continually verify web page integrity Periodic Risk Assessment -- particularly as the environment changes Staff Involvement Operations Staff IT Staff Management Operational Elements

  36. Agenda • Introduction • Threats, Risks and Vulnerabilities • Risk Reduction I (Tools) • Risk Reduction II (End-to-End Solutions) • Risk Reduction III (An Ongoing Process) • Conclusion

  37. To Answer the Original Question ... • How Much Security is Enough? • Other Questions Must be Answered... • What is the application? • What level of risks can be tolerated? • What are costs vs. risks?

  38. INTERNET Web Server Application Monitoring Administration Server Lockdown • Website -- Set up as Standalone Server with No Links to Other SESA Assets • Services -- Providing PUBLIC SESA and UI Information to the General Population, Including Links to External Resources • Threats Include: • Vandalism (Graffiti and False Information or Links) • Denial of Service

  39. Threshold Security Server Lockdown Monitoring Backups Contingency Plan Enhanced Security Server Certificate Intrusion Detection Firewall Automated Alerts Automatic Shutdown Web Server Security

  40. INTERNET UI Initial Claims Application Administration Administration Access & Accountability Data Collection Combined with Distribution of Private Information Firewall • Threats • Imposters Submitting False Information • Increased chance of Privacy Violations: • On the Internet • On the Server • On Other SESA computers • Increased Impact of Vandalism/Graffiti Encryption Identification & Authentication Identification & Authentication

  41. Threshold Security Life Cycle Process Comprehensive Policies Access Controls and Reasonable Authentication Point Solutions with End-to-end Security Integration Periodic Assessment Enhanced Security All of the threshold security services at significantly enhanced levels UI Claims

  42. The Original Question -- How Much Security is “Enough”? Enough security to reduce risk to a level you are comfortable with. Steps to achieving that comfort level: • Understanding the Application • Understanding the Risks • Mitigating Risks through a continuous process of security awareness

  43. Extra Credit Topics • Interesting URLs • Personnel Security • DDOS • PKI • Securing Applications • ITSC Contacts

  44. Further “Reading” (Some Interesting Security URL’s) • Government Sites • NIST (csrc.nist.gov) • Private Organizations • SANS (www.sans.org) • SlashDot (www.slashdot.com) • ISS (www.iss.net) • (www.counterpane.com) • (www.needguide.com)

  45. An Approach to Personnel Security • Strong Authentication • Intrusion Detection • Encryption of Key Databases • Audit and Close Security Holes • NOT -- Single Administrator with Universal Access • Background Checks • Strong Written Policies • Training -- Policies, Expectations, Consequences • Control and Monitoring of Sensitive Data • from “Network World”, May 8, 2000

  46. Observations on Personnel Security • Security tools and procedures are not a substitute for trusted employees • Employee “background checks” need to be appropriate to the nature of the job • Onerous Unneeded Security is Self Defeating • Expensive • Morale Busters • Workarounds will be found • Effective Security is a Team Effort -- Don’t alienate the Team

  47. Distributed Denial of Service (From WebCast Presented by ISS on February 16, 2000)

  48. Securing a UI E-Commerce Transaction through PKI. Diagram labels: Claimant, Internet, UI Office/SESA, Certification Authority. Steps: 1. Complete claim form 2. Digitally sign claim 3. Encrypt Transaction 4. Decrypt claim 5. Check Validity 6. Verify signer’s credentials 7. Digitally sign response 8. Send Response 9. Process claim. Messages: Encrypted claim; Is signature valid?; Signature OK. * PKI - Public Key Infrastructure

  49. Public Key Infrastructure PKI Certification Authority (CA) • Management • Certificate Authorities to validate integrity of public keys by : • Issuing Certificates • Validating Certificates • Revoking Certificates • Cooperating with other CAs • Assigning Responsibility and Liability • Technical • Browser, Server and E-mail software to support: • Key Generation • Symmetric Encryption • Public/private Key Encryption • Secure Key Storage • Digital Signature Creation/Verification PKI Initiatives Utah Digital Signature Program Access Certificates for Electronic Services (ACES) Corporate PKIs - example, Texas Instrument, US West PKI Support Commercial CAs - Verisign, Digital Signature Trust PKI Tool Development - Verisign, Entrust, RSA

  50. Internet Application Processes
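
Steps 1 to 6 of the PKI transaction on slide 48, run end to end with `openssl cms`, as an added example that is not part of the original presentation. Assumptions: all subjects, file names and the claim text are constructed, and the office checks the signer's certificate chain locally against the CA certificate instead of sending the slide's "Is signature valid?" query to the CA; the signed response (steps 7 and 8) is not shown.

```shell
# Added example (not from the slides): slide 48's PKI flow using `openssl cms`.
# Subjects, file names and the claim text are constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

setup_pki() {
  # Certification Authority: self-signed root that the UI office trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # The CA issues certificates to the claimant and to the UI office.
  for who in claimant office; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$who" \
      -keyout "$WORK/$who.key" -out "$WORK/$who.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$who.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
      -out "$WORK/$who.crt" 2>/dev/null
  done
  # An imposter self-certifies under the claimant's name instead.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=claimant" \
    -keyout "$WORK/imposter.key" -out "$WORK/imposter.crt" 2>/dev/null
}

# Steps 1-3: sign the claim, then encrypt the signed claim to the office.
submit_claim() {  # $1 = signer name, $2 = claim file, $3 = output file
  openssl cms -sign -binary -nodetach -in "$2" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -outform DER -out "$WORK/signed.der"
  openssl cms -encrypt -binary -aes-256-cbc -in "$WORK/signed.der" \
    -outform DER -out "$3" "$WORK/office.crt"
}

# Steps 4-6: decrypt, then check the signature and the signer's chain to the CA.
office_accepts() {  # $1 = sealed claim, $2 = file for the verified claim
  openssl cms -decrypt -in "$1" -inform DER -recip "$WORK/office.crt" \
    -inkey "$WORK/office.key" -out "$WORK/opened.der" &&
  openssl cms -verify -in "$WORK/opened.der" -inform DER \
    -CAfile "$WORK/ca.crt" -out "$2" 2>/dev/null
}

setup_pki
printf 'claim-id: DEMO-0001\nweek-ending: 2000-05-20\n' > "$WORK/claim.txt"
submit_claim claimant "$WORK/claim.txt" "$WORK/good.cms"
submit_claim imposter "$WORK/claim.txt" "$WORK/forged.cms"
office_accepts "$WORK/good.cms" "$WORK/out.txt" && echo "claim accepted"
office_accepts "$WORK/forged.cms" /dev/null || echo "forged claim rejected"
```

The forged claim decrypts correctly and carries a mathematically valid signature; it is rejected only because the signer's certificate does not chain to the trusted CA, which is the "verify signer's credentials" step doing its job against the imposter threat named on slides 21 and 40.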
