Office of Security & Disaster Recovery 2002 Accomplishments


The State of the State for
Information Security
Are We in a Cyber War?
Presented by: Dan Lohrmann,
Michigan Chief Information Security Officer
Merit Annual Meeting - June 2004
Security Session Agenda
Topic 1: What's going on around the cyber world?
Topic 2: Summary of security issues facing Michigan State Government, including recent incidents.
Topic 3: How are we attacking the problem in Michigan State Government?
Is Michigan at Risk?
[Chart: Where Attacks Come From (% of respondents reporting attacks): Foreign govt., Foreign corp., U.S. Competitors, Hackers, Disgruntled Employees]
[Chart: Attack Profiles (by Category): Financial Fraud, Information Theft, Other, Denial of Service, Vandalism]
Source: 2003 CSI/FBI Computer Crime & Security Survey
State Sees Threats Daily
Typical incidents per day (approx.):
– 22,500 e-mail viruses
– 38,000 scans/probes
– 620 web server attacks
– 3 computer hijack attempts
Typical Incidents and Causes
• Trojan/System Backdoor
– Acceptable Use Violations:
  • Peer-to-Peer file sharing
  • Instant Messaging (chat programs)
  • Visiting inappropriate sites
  • Online games
• Website Defacements
– Need for Patch Management
– Need for Change Management
Typical Incidents and Causes (continued)
• Worms/Viruses
– County network connections (CodeRed.F)
– Contractors plugging infected laptops into the SOM network (SQL Slammer)
– Employees dialing into the network with unsecured and infected home machines (MS Blaster/Nachi)
– Peer-to-Peer file sharing (Klez.h, BugBear)
• Illegal/Inappropriate Activity
– Child pornography
– Copyright violations (pirated software, music, movies)
– SPAM
Compromised PC Investigation
• Discovery
– IDS flags "unusual traffic" to and from the system.
• Investigation and Analysis
– Further investigation in the IDS reveals:
  • System appears to have been remote controlled from Asia and Europe.
  • Use of Kazaa (peer-to-peer file sharing).
– Forensic image taken of the PC's hard drive for analysis.
– Analysis reveals presence of Sub7, extensive use of Kazaa, GBs of pirated music and software, and multiple other Trojans.
• Follow-up
– System was determined to be "untrusted" and was rebuilt.
– State employee was terminated after a disciplinary hearing with HR and management staff.
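The worm vectors listed above (SQL Slammer, MS Blaster/Nachi, Kazaa-borne malware) and the compromised-PC case (Kazaa plus a Sub7 backdoor controlled from abroad) all show up as traffic patterns an IDS or flow log can surface. The following is an added example, not code from the presentation or from the State of Michigan: a small Python triage over constructed flow records that flags the signatures of the tools and worms named on these slides. The port numbers are the well-known defaults (Kazaa/FastTrack TCP 1214, Sub7 TCP 27374, SQL Slammer UDP 1434, MS Blaster TCP 135 followed by a shell on TCP 4444, Nachi ICMP echo sweeps); the record format, the 10.0.0.0/8 internal range, the `triage` and `parse_flows` names and the sample records are assumptions made for the example.

```python
"""Flow-log triage for the incident patterns named on the slides.

Added example for this page; not code from the presentation or the State
of Michigan. Port numbers are the well-known defaults of the named tools
and worms; the record format, the internal range and the sample records
below are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Assumed record layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
# (ICMP records would carry port 0). Constructed sample, not real traffic.
SAMPLE_FLOWS = """\
2004-05-03T09:12:01 tcp 10.20.4.17:3345 -> 81.15.2.9:1214 84123
2004-05-03T09:12:07 tcp 10.20.4.17:3346 -> 81.15.2.9:1214 911002
2004-05-03T09:13:40 tcp 203.0.113.55:4411 -> 10.20.4.17:27374 612
2004-05-03T09:13:41 tcp 10.20.4.17:27374 -> 203.0.113.55:4411 20551
2004-05-03T09:14:02 tcp 198.51.100.8:2233 -> 10.20.4.17:27374 433
2004-05-03T09:20:15 udp 10.20.9.3:1221 -> 10.20.9.4:1434 404
2004-05-03T09:20:15 udp 10.20.9.3:1221 -> 10.20.9.5:1434 404
2004-05-03T09:20:15 udp 10.20.9.3:1221 -> 10.20.9.6:1434 404
2004-05-03T09:31:00 tcp 10.20.7.12:1039 -> 10.20.7.40:135 1200
2004-05-03T09:31:02 tcp 10.20.7.12:1040 -> 10.20.7.40:4444 3100
2004-05-03T09:40:00 tcp 10.20.5.2:1050 -> 192.0.2.10:80 540
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the assumed one-line-per-flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, _arrow, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(nbytes)))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


# Well-known defaults named on the slides. Tools can be reconfigured, so these
# port rules are a first pass; the fan-out and inbound-from-outside structure
# below is the stronger signal.
P2P_PORTS = {1214: "Kazaa/FastTrack"}
BACKDOOR_PORTS = {27374: "Sub7"}
SWEEP_LABELS = {("udp", 1434): "SQL Slammer-style", ("icmp", 0): "Nachi-style ping"}


def triage(text, fanout=3):
    """Return {internal_host: sorted findings} for the flow records in `text`."""
    findings = defaultdict(set)
    backdoor_sources = defaultdict(set)  # (victim, port) -> external controllers
    sweep_targets = defaultdict(set)     # (src, proto, dport) -> distinct dsts
    rpc_targets = defaultdict(set)       # src -> dsts it hit on tcp/135
    for f in parse_flows(text):
        if is_internal(f.src) and f.proto == "tcp" and f.dport in P2P_PORTS:
            findings[f.src].add(f"p2p file sharing to {P2P_PORTS[f.dport]} port {f.dport}")
        if (is_internal(f.dst) and not is_internal(f.src)
                and f.proto == "tcp" and f.dport in BACKDOOR_PORTS):
            backdoor_sources[(f.dst, f.dport)].add(f.src)
        if is_internal(f.src):
            sweep_targets[(f.src, f.proto, f.dport)].add(f.dst)
        if f.proto == "tcp" and f.dport == 135:
            rpc_targets[f.src].add(f.dst)
        # Blaster: RPC/DCOM exploit on tcp/135, then a shell on tcp/4444 to the same victim
        if f.proto == "tcp" and f.dport == 4444 and f.dst in rpc_targets.get(f.src, ()):
            findings[f.src].add(f"Blaster-style tcp/135 exploit then tcp/4444 shell to {f.dst}")
    for (victim, port), ctrl in backdoor_sources.items():
        findings[victim].add(
            f"inbound {BACKDOOR_PORTS[port]} control port {port} from {len(ctrl)} external address(es)")
    for (src, proto, dport), dsts in sweep_targets.items():
        if len(dsts) >= fanout:  # one host touching many peers on one port = worm/scan behaviour
            label = SWEEP_LABELS.get((proto, dport), "scan-like")
            findings[src].add(f"{label} fan-out on {proto}/{dport} to {len(dsts)} hosts")
    return {host: sorted(v) for host, v in findings.items()}


if __name__ == "__main__":
    for host, items in sorted(triage(SAMPLE_FLOWS).items()):
        print(host)
        for item in items:
            print("  -", item)
```

On the constructed sample the Kazaa and Sub7 findings land on the same host, which is the picture the compromised-PC slide describes: a file-sharing client on the desktop and an inbound control port answered to more than one outside address. The Slammer and Blaster hits come from the fan-out and the 135-then-4444 sequence rather than from any payload, so the same rules work on flow summaries where no packet capture exists.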
Compromised Web Server Investigation
• Discovery
– Help Desk tickets report users having trouble getting to web services on the server.
– IDS reports multiple attacks on the system from several addresses in England and North Africa.
• Investigation and Analysis
– Further investigation reveals a compromise of the system via a known critical security vulnerability over HTTP.
– System was "tagged" by an automated process before the attacker loaded a rootkit onto the system. Attacker was identified by files left on the system.
– Forensic images of the server's hard drives were taken for investigation.
• Follow-up
– Server was rebuilt from backup, patches were applied, and it was placed back into production.
– The patch had been available for 6 weeks prior to the compromise.
Consider These Questions
• Can I Detect?
– an intrusion as it occurs across my entire network?
• Can I React?
– with sufficient speed and resources to minimize loss?
• Can I Identify?
– what systems and data were compromised?
What is my risk of loss if I can't?
A Changing World
Security 2004
The Process
• Rapid risk assessment
• As-is analysis
• Gap determination
• To-be security recommendations
Results
Based upon the DIT rapid risk assessment, the Enterprise Security group had recommendations in the following six (6) focus areas:
1) Roles and responsibilities.
2) Security awareness, training and education.
3) Security incident management.
4) Computer security risk management.
5) Disaster recovery.
6) Certification and accreditation of applications and systems.
Solution Options
• Due Diligence
– On-going process of meeting legal and common-practice security standards
• Industry Standards
– International industry practices that support a consistent and proven level of quality, functionality, and security
• Best Practices
– Implementations that are the recognized international industry leaders, utilizing the highest degree of quality, functionality, and depth of protection
Security Awareness Training and Education
Short-term or Low-Cost Plans
• Notice and Consent Log-on Banner
– Displayed on all SOM computers as a digital no-trespassing sign
– User must accept requirements and verify as an authorized user
• Intranet on-line training program
– Convenient access to best practices and security information
• Develop basic security certification program required by policy
• Internet website security best practices
– Central repository for a wide array of security information available to state and local governments, private industry and the public
Security Awareness Training and Education
Higher Costs or Long-Term Plans
• Develop security education program
– Require all employees to attend annual training by policy
– Develop tiered training levels based on role within the Enterprise
• Encourage a security-aware culture
– Security "Road Shows"
• Security certification of system administration and other computer functions
Computer Security Risk Management
Higher Costs or Long-Term Plans
• Mandated risk assessments for systems
– Centralized security group dedicated to risk assessments on systems classified as requiring recovery within 90 days
• Required penetration testing on State devices (on a regular basis)
– Identify devices with known vulnerabilities, address, and mitigate
Disaster Recovery
Short-term or Low-Cost Plans
• Establish ownership of DR
– Business owners accept responsibility and are held accountable for DR and BCP plans for critical systems
• Consistently provide off-site storage for backup tapes
• Document existing processes; a preliminary step to creating DR and BCP plans
– Documented plans must be reviewed and stored in locations that can be accessed if the primary facility is lost
Disaster Recovery
Higher Costs or Long-Term Plans
• Business Impact Analysis (BIA)
– Business owners perform BIA on all critical systems
• Prioritize systems based on results of BIA
• All DR and BCP plans created and tested
– Business owners create and test plans for all critical applications/systems
Certification and Accreditation
Higher Costs or Long-Term Plans
• Classify data by sensitivity
– For applications/systems that are existing, developed, or purchased (COTS), identify the sensitivity of the data to be processed
• Benchmark hardware, software, and firmware
– Gartner Group: 90% of security breaches occur because attackers take advantage of poor configuration
– Consensus Minimum Security Benchmarks ("Gold Standard") from NSA, NIPC, SANS, and CIS for baseline level of security identification
– OES reviews and certifies hardened systems
Office of Enterprise Security
What Do We Do?
• Michigan IT Strategic & Tactical Security Plans
• Coordinate Incident Response, Patch Management, Security Awareness, Risk Management, DR, and security certification/accreditation processes within DIT
• Homeland Security Liaison, Cyber-Security Committee Chair, Critical Infrastructure Protection (CIP) Co-Chair
• NASCIO & other national + state + local coordination
• DIT Emergency Management Coordinators (DIT EOC)
• MITech Security Sub-Committee, SDII Phase 2 Processes
Where's Help At Home & Work?
Michigan State Government Awareness Training is coming
Good Websites:
http://www.staysafeonline.com
http://www.staysafeonline.info
http://www.getnetwise.org/
http://www.besafeonline.org
Some Practical Tips -- What can you do?
1. Keep your personal information private including your name, phone number,
address, passwords and social security or credit card numbers.
2. Turn off the computer if you feel uncomfortable with what you are seeing on the
screen.
3. Never agree to let children meet someone in person who they have met online.
4. Don’t share photos of yourself with strangers.
5. Keep the computer your child uses in a central location.
6. Join children as they surf the Internet.
7. Install anti-virus and firewall software on your computer.
8. Remember, not everyone on the Web is who they say they are.
Where's Help?
Public Sector - State/Federal
• White House – http://www.whitehouse.gov/homeland
• Department of Homeland Security – http://www.dhs.gov
• Michigan Homeland Security Website – www.michigan.gov/homeland
• National Infrastructure Protection Center (NIPC), recently renamed to Information Analysis and Infrastructure Protection (IAIP) – http://www.nipc.gov
Where’s Help?
Public Sector - NIST
National Institute of Standards and Technology
Founded in 1901, NIST is a non-regulatory federal agency within the U.S.
Commerce Department's Technology Administration. NIST's mission is to
develop and promote measurements, standards, and technology to enhance
productivity, facilitate trade, and improve the quality of life. NIST carries out its
mission in four cooperative programs:
Manufacturing Extension Partnership, a nationwide network of local centers
offering technical and business assistance to smaller manufacturers; and
Advanced Technology Program, which accelerates the development of innovative
technologies for broad national benefit by co-funding R&D partnerships with the
private sector. http://www.nist.gov/
SP 800-12 – An Introduction to Computer Security: The NIST Handbook
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
SP 800-18 – Guide for Developing Security Plans for Information Technology Systems
http://csrc.ncsl.nist.gov/publications/nistpubs/800-18/Planguide.PDF
Questions?
Contact Information:
Name: Dan Lohrmann
Phone: (517) 241-4090
e-Mail: [email protected]