SECURITY: Step by Step

It's time to begin planning for summer upgrades, and if information security isn't at the top of your list, it should be. Your students continue to learn more about the tools and technology that could be used to circumvent your current security infrastructure. What you need is a security architecture and approach that will continually evolve as the threat environment changes over time. We will start with methodology and then discuss the tools that will help you minimize the risks to your network.

Security Methodology 101

Step 1:
First Document, Then Test

It is impossible to measure the strength of your security solutions without first documenting what you are doing now and then testing how well that setup actually works. The documentation can be very formal, as it likely will be at a larger school district, or informal. Once you have documented your solutions, it is time to test. Create an appropriate rubric and determine whether your security design is effective or needs a bit of help. Good questions to ask during testing: Do you follow your own rules? Do your security measures actually perform the way they were designed? Are your solutions easy to circumvent? If someone does get around your security, are you alerted?

Preventative vs. Detective Controls

When performing your security documentation exercise, consider the types of security controls you have in place.

A preventative control stops someone or something from doing something that they shouldn't do. When a new teacher comes to your school or district, there is a process that the administration and the IT organization perform so the new teacher can be added to the user account database and given access to the applications and services he or she needs. This process is a control. More specifically, it is a preventative control, since the process prevents the new teacher from being given rights he or she shouldn't have.

Other preventative controls could be your firewall, locks on your server room doors, OS patch policy, and removing unnecessary services or applications.

A detective control notifies you when something that shouldn't happen is happening. When someone has failed five attempts in a row to log in as administrator, the system alerts you to that fact so you can take corrective action. (Locking the account after those five failures would be the matching preventative control; the alert is what tells you the lockout fired.)

Other detective controls could be the alarm system for the server room, surveillance cameras, user account database audits, or a logging and alerting solution.

Strong and effective preventative controls are preferable to detective controls, because they stop the problem rather than report it. No preventative control is perfect, however, so you still need detective controls to tell you when prevention has failed.

Step 2:
Test Controls

Once you have documented how you are controlling your environment, you should test the controls in order to verify that both the design and execution are effective. For instance, you may have a great control whereby whenever a teacher leaves the district, the IT organization is notified via e-mail that same day, and the teacher's account is disabled. However, if that e-mail is never written, you will have an ineffective control. Another example may be that you have a password policy that requires users to change their password every 90 days; however, when you test that control, you may find that your OS is set to enforce password changes every 180 days.

Step 3:
Identify Missing or Ineffective Controls

After you document how you are controlling your environment, you will probably see some gaps that should be fixed. For example, spyware has become quite a problem over the last couple years, but you may realize that you do not have a control that addresses it. You will also certainly find that some of your controls are ineffective. What you will need to do is create a list of gaps and projects to remedy your gaps. With the password gap noted above, the fix is simple: change enforcement to 90 days. Getting the administration to send you e-mails when teachers leave the district may be more difficult to remediate, but it is important to do so.

Tools of the Trade

Step 4:
Consider Cost

When purchasing new security infrastructure, consider how you can achieve the best possible results at the lowest cost. Always include hardware, software, implementation, and ongoing maintenance costs in your evaluation. Do not forget to inquire about school, government, or nonprofit discounts and investigate whether programs such as E-rate might help.

Preventative Tools

Preventing unwanted access to your network is critical. If unauthorized users cannot enter your network, connect to your systems, or access your applications, you will significantly reduce the number of security incidents that you will have to track down and solve during your busy workday.

Step 5:
Ensure Operating System Security

When it comes to prevention, the first line of defense is the operating system and the policies you have implemented that are built into the OS. For the purpose of this article we will discuss the latest versions of Windows. However, much is also pertinent to UNIX, Linux, and Mac OS X.

Leverage the security built into the OS:

  • Good user account management is extremely important. Policies surrounding group membership (only provide the access a person absolutely needs to perform his or her job, no more), passwords, and adding and removing accounts are essential.
  • Harden the operating system by disabling unnecessary services.
  • Turn on the host-level firewall and configure it to be as restrictive as possible.
  • Automatically deploy the most critical OS patches, for example through Windows Server Update Services (WSUS), so that patches are approved and distributed centrally rather than left to each machine.

These steps will enhance security without breaking the bank.

Step 6:
Strengthen the Perimeter

Traditional firewalls are an essential part of the security equation, but many organizations either don't have one or have one that is misconfigured or running outdated software with known security vulnerabilities. A strong perimeter and a modern, up-to-date, well-configured firewall are critical pieces of your security framework.

When selecting a firewall, you need to consider the following:

  • Your budget and the range of features you need
  • That someone on your staff is capable of configuring, managing, and maintaining it
  • That maintenance and support must be current in order to receive the latest versions of the firmware
  • Budgeting for a replacement in three- to five-years
  • Content filtering and egress filtering for preventing the initiation of connections from the inside of your network to undesirable locations on the Internet

Step 7:
Protect Web Applications

A new type of firewall has recently become available: firewalls designed to protect Web-based applications and databases, often called Web application firewalls. These firewalls are intended to prevent exploitation of weaknesses in Web-based applications by learning what normal behavior looks like and blocking abnormal requests. Since many schools and districts are considering the rollout of applications that allow students and parents to interact with school systems over the Internet, it is prudent to determine the risk of a student exploiting a weakness in the application or database and how to mitigate that risk.

If your school is considering the rollout of Web-based applications, consider these items:

  • Application firewalls are still relatively new but are capable of doing much more than a traditional firewall.
  • Application firewalls are expensive and can be difficult to set up and manage.
  • There are relatively few vendors, and most are smaller companies. However, it is likely that through consolidation and bigger players entering the market, the solutions will improve and prices will come down.
  • The cost of an application firewall could be much less than the potential cost of a break-in. I would not want to be a district CIO trying to explain to a school board why student grades are being made public on a student Web site or trying to assure universities that the grades reported by the district have not been tampered with.

Step 8:
Secure Remote Access

Many schools now allow administration and faculty remote access into the school or district network, either for e-mail or in order to access school applications or files. When building a solution for remote access, it is imperative that security plays a central role.

Connecting using a Virtual Private Network (VPN):

  • All remote connections into the school or district network should be through a secure connection. This includes remote access for e-mail as well as applications or file servers.
  • Remote access to Web servers should be encrypted. The article originally recommended SSLv3 or TLSv1; both have since been deprecated and should be disabled, so require TLS 1.2 or later. If performance is an issue, an SSL/TLS-terminating appliance or SSL VPN gateway can take the cryptographic load off the Web servers.
  • Many firewalls support client-based VPN. If you are planning to implement a client VPN solution, using an integrated firewall with VPN support is a good way to save money.
  • Authentication of users is extremely important. Whichever VPN solution you choose should have a strong authentication mechanism. Two-factor authentication is preferred. Traditional username and password authentication is considered one-factor, something you know. Two-factor would also include something you are (thumb print or iris scan) or something you have (a token with a changing code or USB key).

Step 9:
Implement Detective Tools

The area where most schools, districts, and frankly, corporations are lacking is in detective controls and detective tools. Certainly, most organizations run antivirus software on Windows systems, and many are running an antispam solution too. However, other tools are not nearly as common. We'll start with the more common tools and move to those that are less common.

Antivirus

On Windows, antivirus solutions are a necessity. Viruses targeting Windows continue to be written in ever larger numbers each year. Additionally, although the risk is comparatively small, antivirus solutions for UNIX, Linux, and Mac OS X exist and in certain situations should be implemented.

Considerations for antivirus software on Windows:

  • Antivirus solutions are dependent upon signatures being updated and delivered in a timely fashion to desktops and servers. Because of this, it is important that the time between a signature becoming available and it being installed is minimized in order to narrow the window of vulnerability.
  • Because various companies identify, write, and propagate AV signatures at different rates, in order to minimize exposure, it is prudent to use competing products for server, e-mail, and desktop antivirus.
  • AV infrastructure should be centrally managed with little or no need for end-user intervention.
  • Multiple layers of AV defense should exist: at e-mail gateways and servers, on other servers, desktops, and possibly at the Internet gateway. Also, do not forget alternate vectors for viruses such as Instant Messaging clients.

Considerations for AV on other platforms:

  • Anytime a file server (Samba server) is available to serve files to Windows clients, AV should be implemented.
  • Desktops should be protected to minimize propagation of viruses, even if a virus has only a remote chance of affecting the system.
  • The greatest dangers to UNIX and Linux systems are mitigated by diligent patching and by using host-level firewalls to block access to unused ports.
  • Monitor the threats out there for your systems. If it is necessary to implement AV, do not hesitate to do so. There are a number of good AV products for Mac, Linux, and UNIX.

Step 10:
Look at Antispam Solutions

Spam has been growing at a phenomenal rate over the past few years and, according to some, accounts for more than two-thirds of all e-mail. Much of this spam is inappropriate for students and certainly wastes the time of your administrators, teachers, and staff.

When looking for an antispam solution, consider the following:

  • Stop the spam at the edge of your network in order to minimize the use of services to handle the spam. If you stop the spam even before it hits the mail server, the mail server can be better utilized to deliver and route appropriate e-mail.
  • Find effective solutions that allow users to view the quarantine area in order to catch false positives. A solution that allows for personal white lists and black lists is appreciated by end users and will reduce misdirected mail.
  • Antispam and antivirus protection go hand in hand; they both prevent unwanted e-mail from being distributed to users. Find solutions that do both and simplify administrative overhead.
  • Spam affects all e-mail users. Mac and Windows users are equally susceptible to spam.

Step 11:
Consider Antimalware (Spyware, Adware, Trackware)

This is a relatively new nuisance, but it is becoming a larger problem. I have walked up to computers that are completely unusable because of spyware and adware. If you don't have a solution currently implemented, it is likely that you have multiple infections on every Windows computer you own that browses the Internet.

What to look for in antimalware products:

  • You need a solution that is effective, sends out frequent updates, and is easy to implement and administer.
  • Because many of the products are relatively new, they are not as mature as the antivirus solutions. The market is in flux, and the best solution reviewed six months ago may be an also-ran today. Do a little research.
  • Centralized management of the solution is essential. Some of the products do not offer centralized administration; requiring end users to manage an antimalware product is a recipe for ineffectiveness.
  • Look for integrated suites for antivirus and antimalware solutions in the future.

Step 12:
Review Intrusion Detection/Prevention (IDS/IPS)

Intrusion detection solutions monitor your network and systems for anomalous behavior and alert you when it occurs. Intrusion prevention goes one step further and attempts to block the unwanted behavior. High-end products combine host-level and network-level sensors that monitor and attempt to protect every system, every network device, and all traffic entering or leaving your network. Lower-end products typically provide detection, or detection and prevention, at the gateway only, and can even be integrated into a multi-function firewall. An IDS/IPS solution can help you detect and solve problems quickly.

What to look for in IDS/IPS solutions:

  • These solutions can be expensive in terms of the product's price and set-up and consulting costs. Create a budget and then determine what you can afford.
  • Start with gateway protection. You will be able to afford the product and learn about its capabilities. In future years, you can make a more educated decision as to whether it is necessary to continue building out the solution to all hosts.
  • IDS/IPS solutions are complex and powerful. Do not bite off more than you can chew and do not let implementation consultants leave before your staff is fully trained. Having an untrained person accidentally implement a rule that prevents access for legitimate traffic or configures the IDS to alert on trivial happenings will anger users.

Step 13:
Check Out Network/Server Logging and Alerting

You will want to know if someone is attempting a brute force attack on an administrative password. You will also want to know if someone is using a large amount of bandwidth over a long period of time. Your logging and alerting mechanism can help you see what's happening and take action before the users start knocking at your door.

What to consider in a network/server logging and alerting tool:

  • Find a tool that can handle all of your network and server logs.
  • Find a solution that is easy to configure and easy to customize in order to provide the best alerting for your unique environment.
  • Most solutions alert by sending e-mail. You should also consider whether the product can send a page or SMS alert.
  • There are inexpensive products that can meet most organizations' needs. Do not hesitate to implement this solution because you believe it might be too expensive.
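The brute-force case from the detective-control discussion and from Step 13 (five failed administrator logons, then an alert) is simple enough to implement yourself if your logging tool cannot. The following is an added example, not code from the original article or from any product it mentions. The log lines are constructed in an assumed `timestamp OUTCOME user=... src=...` layout; a real Windows security log or syslog would need its own parser, but the sliding-window logic is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). The first source hammers the
# administrator account; the last one spreads its failures out over two hours.
SAMPLE_LOG = """\
2005-06-01 08:00:01 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 08:00:04 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 08:00:06 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 08:00:09 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 08:00:11 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 08:00:15 FAILED_LOGON user=administrator src=10.1.5.23
2005-06-01 09:10:00 FAILED_LOGON user=jsmith src=10.1.7.40
2005-06-01 09:11:00 SUCCESS_LOGON user=jsmith src=10.1.7.40
2005-06-01 10:00:00 FAILED_LOGON user=administrator src=10.1.9.9
2005-06-01 10:30:00 FAILED_LOGON user=administrator src=10.1.9.9
2005-06-01 11:00:00 FAILED_LOGON user=administrator src=10.1.9.9
2005-06-01 11:30:00 FAILED_LOGON user=administrator src=10.1.9.9
2005-06-01 12:00:00 FAILED_LOGON user=administrator src=10.1.9.9
"""

# Assumed line layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<outcome>FAILED_LOGON|SUCCESS_LOGON) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["outcome"], m["user"].lower(), m["src"]


def detect_brute_force(log_text, threshold=5, window_minutes=10):
    """One alert per (user, source) that reaches `threshold` failures inside the window.

    A sliding window, not a lifetime counter, is used so that five typos spread over
    a day do not page anyone. After an alert, the same key stays quiet until a
    successful logon clears it, so one attack produces one alert, not hundreds."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue   # unparseable line; in production count these, a silent parser is a blind spot
        ts, outcome, user, src = rec
        key = (user, src)
        if outcome == "SUCCESS_LOGON":
            recent.pop(key, None)
            alerted.discard(key)
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop failures that have aged out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "src": src, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT: {a['count']} failed logons as {a['user']} from {a['src']} "
              f"between {a['first']} and {a['last']}")
```

With the default five-in-ten-minutes rule the sample produces exactly one alert, for 10.1.5.23; the slow attempts from 10.1.9.9 only trigger if the window is widened to cover them, which is the trade-off to tune: a wide window catches slow guessing but raises the chance of alerting on ordinary forgetful users. Whatever tool you buy, verify its rule behaves this way on a test log before trusting it.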

Other Products and Solutions:

  • Network security scanners are great for regularly running vulnerability assessments against your network and systems.
  • Server and network monitoring will notify you when a system fails or is about to fail and when memory usage or disk utilization is running at dangerously high levels. You will know when a problem occurs before most of your users.
  • Wireless security solutions, such as a VPN or WPA2 or later for users connecting to your wireless network (WEP and the original WPA are no longer considered secure), and wireless network monitoring tools that can detect rogue access points and rogue users.
  • Security awareness training should be mandatory every year.
  • Enhancements to physical security such as video monitoring of key servers and better access security for the server room and the facility as a whole should be implemented.
  • Designate someone on your staff to become an information security expert and place them in a training program so that they can help you provide the security solutions your organization requires.

You will not be able to upgrade everything in one summer. However, you should review this list of areas and determine where you believe you can best enhance your security this year and begin planning for your future security enhancements.

Eric Svetcov, CISSP, is president of Palint Technology, Inc. and former director of technology for St. Ignatius College Preparatory in San Francisco.