Security at the UW

Security is:

• Essential
• Elusive (really hard)
• Expensive
• Everyone's job

Essential to:

• Protect information and personal privacy
• Protect the critical infrastructure
• Avoid liability
• Comply with laws (HIPAA, GLB, FERPA, ISB policy)

Elusive and Expensive because:

• Threats are getting worse (more aggressive, more frequent, more devastating)
• Recent attacks impact not just the computers and information on them, but also the network itself

Expectations for the network are rising and conflicting:

• Reliability to support critical applications (some life critical)
• Resilience in the face of cyber attacks
• Flexibility to accommodate application innovation
• Pervasive availability to support diverse tasks (e.g. voice, wireless, building maintenance sensors, telework, external partners, etc.)

Lessons learned already:

• The network brought the problems, so people want to believe that the network can and should solve them
• Patching every host individually by-hand doesn't work
• Perimeter protections (a firewall around a big group of computers) are not sufficient, and sometimes inhibit innovation and/or network supportability
• Perimeter protections are also changing the essential nature of the Internet (e.g. tunneling more applications via port 80; security vs. innovation/openness/flexibility)
• Adding new high-risk/high-value network applications changes the utility/cost equation for everyone who uses the network

We need to change the way UW approaches security:

• Policy first, then design supporting procedures and technical measures
• The cost of the security procedures should be consistent with the value of the resources being protected (risk management)
• Fix organizational disconnects between responsibility, authority, funding
• Fix desktop host management (one machine at a time is not working)
• Evolve UW network architecture to meet new requirements

We cannot do it just centrally. We could make some inroads if we had the resources (scanning, assessments, consulting, training, awareness).
It is expensive. We have no choice.

Seven Security Axioms

1. Network security is maximized when we assume there is no such thing.
2. Large security perimeters mean large vulnerability zones.
3. Firewalls are such a good idea, every computer should have one. Seriously.
4. Remote access is fraught with peril, just like local access.
5. One person's security perimeter is another's broken network.
6. Isolation strategies are limited by how many PCs you want on your desk.
7. Network security is about psychology as much as technology.

Technical Recommendations

• Central/collective desktop configuration management is essential (including group access policies, integral firewalling, and aggressive patch management).
• If central configuration management is not immediately possible, deploy centrally-managed host-based firewalls.
• Use good passwords on all accounts
• Minimize use of "administrator" account.
• Use private addresses with web proxies or NAT when possible, or…
• Consider Logical Firewalls for an additional layer of defense.
• Regularly scan for vulnerabilities.

• Put them in well-secured server facilities.
• Failing that, put them behind logical or physical firewalls.
• Aggressively manage them.
• Regularly scan for vulnerabilities.
• Use private addresses if external access is not required.

TEG HOME