NSF DeAnza Security Course
Task Overview Document, Version 3.1 (Industry Review)

Each task below is described by its business case and student task, student deliverables, learning objectives covered, estimated time, and major topic.

Task 1: Review and Refine Security Policy and Procedures

Business Problem: C-Bay Inc., a real-estate auction company, has just gone public. Its servers have been down intermittently due to a possible security glitch. The CEO of C-Bay has auditors, investors and stockholders questioning the security of C-Bay's networks, and C-Bay's customers are worried about their data privacy. The Head of IT has brought you on as part of a team to review C-Bay's security policy, assess how well it is implemented, and provide recommendations for ongoing monitoring, for bolting down the network, and for educating the C-Bay community about its security policy. If you complete these jobs to the Head of IT's satisfaction, you will be hired as a full-time employee. To perform the task, you are given C-Bay's critical business requirements, excerpts of interviews, stakeholder meeting minutes, a sketch of the problems the company has experienced in the form of an email chain, etc.

Student Task: Conduct a review of C-Bay's security policy (if one is available), detailing which areas need significant improvement. Provide recommendations on how you will fix the areas that need improvement. Provide a work plan on how you will qualify your recommendations and implement them.

Note: We'll keep students in sync. In the fiction, at the end of the task a security person or group reviews the students' recommended changes to the policy, their recommendations, and their work plan, and gives out a revised version of each that students will work from in the next tasks. So all students leave this task with the same security policy, recommendations, and work plan.

Student Deliverables:
1. Refined Security Policy that addresses omissions, errors, contradictions, and tenability (8 hours)
2. Recommendation on how the problem with the servers can, possibly, be fixed.
3. Work plan to validate the recommendations and implement them, including educating the general audience. (8 hours)

Learning Objectives Covered:
1. Review the provided Security Policy in the context of a defined company network, looking for omissions, contradictions, tenability problems, and errors.
2. Refine the Security Policy based on the findings.
3. Make recommendations on how to address security problems at a company.
4. Create a work plan to validate and implement these recommendations.

Time: 16 hours
Major topic: Review and Refine Security Policy and Procedures

Task 2: Perform Risk Analysis and Assessment based on the Security Policy and document exceptions

Necessary Input: Security Policy, work plan, and recommendations from Task 1.

Business Problem: The current enterprise network setup should be surveyed to find the reason for the server outages. Shortcomings should be documented appropriately and reconciled with the implementation of the security policy. Prepare a problem-area report and present it to management. Optionally, possible solutions to fix the flaws in the network implementation may be documented and presented. Students will be provided with server logs, OS, application and hardware information, etc.

Student Task:
1. Survey the network for causes of the server outages.
2. Prepare a problem report documenting the causes.
3. Optionally, provide recommendations to bring the network implementation closer to the documented security policy, or the security policy closer to the critical business needs.

Possible shortcomings:
- Firewall and router are consumer grade, not business grade.
- The security policy isn't molded to critical business needs, e.g., there's no remote access, but it is critical to the business that employees access files (e.g., medical records) remotely.
- Unrealistic requirements in the policy, e.g., 0% downtime.
- Exceptions leading to vulnerabilities, e.g., no remote access except for certain employees.

Note: We'll keep students in sync. In the fiction, at the end of the task a security person or group reviews the students' recommendations and problem report, including any changes to the policy, and sends out revised versions of each, so students leave the task with the same problem report and the same recommendations for changes to business practices, the network, and the security policy.

Student Deliverables:
1a. Network audit (5 hours)
1b. Documentation of a problem report presenting the causes of the outages and the shortcomings in the network, reconciled with the Security Policy (5 hours)
2. Recommendations for changes to the business practices, the network, and/or the Security Policy, to align the network implementation with the Security Policy and/or to align the Security Policy with the critical business requirements and the network (5 hours)
3. Presentation summarizing the problem report and recommendations (each group presents to, and listens to, one other group's report, rather than every group presenting to and listening to all the other groups)

Learning Objectives Covered:
1. Survey the implementation of the Security Policy.
2. Document and report on areas in the implementation that don't follow Security Policy procedures.
3. Provide high-level recommendations to align the requirements of the Security Policy with its implementation, with critical business requirements, and with the physical network.

Time: 15 hours
Major topic: Perform Risk Analysis and Assessment based on the Security Policy and document exceptions

Task 3: Deliver a comprehensive set of items to review periodically in the Security Policy; monitor the network and report/analyze results

Necessary Input: network logs, output from Tasks 1 and 2.
Business Problem: Enterprise monitoring to assure that the Security Policy is enforced is a key element for the growth of an organization. Monitoring systems must change with the changing business environment and therefore should be continually improved. This monitoring is not limited to software or data collection; it should also include asking employees how they are creating passwords, checking email, etc. Students shouldn't just diagnose existing problems; they should plan for and try to preempt expected problems, both malicious and accidental, e.g., someone tripping over a cord and bringing down a server.

Student Task:
1. Based on diagnosed or expected problems, recommend monitoring procedures and a schedule.
2. Document the monitoring procedures and provide report templates to document monitoring results (for both periodic and incident reports).
3. Monitor the network; analyze and report on the results using the appropriate templates.

Additional Notes on Scenario/Task:

What Ifs: We'll first say to students: given the system that currently exists, what do you monitor? Then, to have students address certain issues, we'll give them some "what ifs": a capacity change, or changes to the baseline. Example: C-Bay has been able to support 100 requests per second but now needs to double that capacity, so students need to change a network layer and look at the implications for network hardware, software, and the security policy.

Monitoring for Improvement: Students should recommend a monitoring policy that not only reacts to existing problems and preempts expected problems, but also monitors with an eye toward improving the performance of the system and the policy.

Change Management: This task should focus on change management and encourage upgrades to the security policy, deployment, and monitoring procedures. When there is a change in the network, the security monitoring should take into account what changes have been made and whether those changes require a change to the policy or to the security monitoring procedures. There is a difference between a security monitoring document and a security policy: the actual steps are in the security monitoring document, and changes to the security monitoring document don't necessarily require a change to the security policy. For example, adding new servers changes the security monitoring document but not the security policy; changes in the layers (network, OS, application), however, sometimes do require changes to the security policy.

Monitoring Tools: Teaching students what tools are available and how they can help monitor is important. Candidates raised: a Microsoft tool that summarizes logs (Microsoft Operations Manager), Farimba (sp?) (CEO Kim), Moonlight. Students could use monitoring software and evaluate it.

Daily vs. Less Frequent Monitoring: There should be a policy for analyzing the raw data from key events, e.g., password changes, access to certain directories. In general you probably want to look at those things periodically rather than daily or in real time. For daily or hourly monitoring, students might go to CERT and see what is highlighted as an impending or current problem; e.g., NIMDA hit Europe first, and having a few hours' notice was helpful.

Reaching Full Capacity: As part of this monitoring task, students should track when they are going to reach full capacity and their current infrastructure needs to be upgraded.

Student Deliverables:
1. Documented monitoring procedures (5 hours)
2. Periodic and incident report templates, e.g., daily, weekly, summary of trends, incident reports. The audience for the reports is someone above the learner in the systems-administration food chain. Templates must highlight the most important findings: they should have "at a glance" sections and state what each section should contain. (Potential report template categories: implications, long and short term; resolution; a well-defined rating system to prioritize issues.)
3. Completed periodic report documenting monitoring results and analysis (students will do this using network logs)

Learning Objectives Covered:
1. Document ongoing procedures to perform periodic audits of the enterprise network, including criteria for evaluating and prioritizing threat levels, and listing what steps need to be taken for each threat level.
2. Prepare templates to document periodic and incident reports.
3. Monitor network logs and prepare a periodic report recording and analyzing monitoring results.

Time: 8 hours (?)
Major topic: Deliver a comprehensive set of items to review periodically in the Security Policy; monitor network and report/analyze results

Task 4: Black hat/white hat: Adopt the hacker mindset / Respond to a hacker attack

Learners get an email: "We've been hacked!" They receive server logs of the hack, or are given access to an actual VPN, and need to counter the attack.

Or, students get instructions on how to participate in a White Hat/Black Hat contest: two people within a group launch an attack on a network and the rest of the group counters the attack, then the roles reverse. Attackers wouldn't be allowed to launch any type of attack; they'd pick from a list of possible types. Or this could be done with one group against another. If lab time is an issue, we could break 30 students into groups of 10, with 5 white hats and 5 black hats each.

Possible Types of Attacks:
- Intrusion detection and denial of service
- Wire tapping
- Traffic analysis
- IP spoofing
- Sniffers
- Disgruntled employees
- Social engineering
- Kids
- Hard-core hackers
- Spammers
- Denial of service attacks
- Replay attacks

Student Deliverables:
For white hat/black hat: participate in a discussion and/or write up an analysis of what they did right and wrong as both black hats and white hats, including a discussion of what they would do differently.
Or, if students receive only logs: a step-by-step write-up of how they would counter the attack. Also (possibly): recommended changes to the security monitoring procedures or policy, based on the attack experience.

Learning Objectives Covered:
1. Recognize the common types of abnormal occurrences in the computing environment that need immediate action (e.g., the 12 most common attacks).
2. Propose a response/countermeasure.
3. Respond to an attack (taken from a list of common types) and evaluate the effectiveness of the response.

Time: TBD
Major topic: Respond to hacker attack

Task 5: Educate and Raise Awareness of Security Policy/Procedures among the General User Population

Business Problem: An enterprise is secure when its employees are aware of and continually looking for security risks. Education and training enhance employees' awareness and their ability to avoid and/or spot risks.

Student Task: Identify areas from the refined security policy that should be conveyed to the general population, e.g., social engineering risks, passwords (don't put your password on a yellow sticky note on your computer), disgruntled-former-employee scenarios. Prepare a presentation or FAQ that can be understood by and delivered to a general audience in a short period of time. The presentation should be compelling and engaging: it's important to make people care about this, not just to tell them what to do and not do and raise security consciousness, but to explain why it's so important. It can use reverse psychology (start the presentation with "This world is a safe place") or give them a worst-case scenario ("Imagine someone had your mortgage application"). The presentation should also prompt employees to report anomalous events. TBD: respond to individual employee inquiries about the security policy or problems they are experiencing.

Additional Notes on Scenario/Tasks:

Suggested procedure for students: Go through the security policy; provide a common-sense rationale for the aspects of the policy that employees are likely to encounter and/or that have the most disastrous results if not followed; translate them from tech into plain English; categorize the aspects; and present them in a clear, engaging, compelling way.

Help Desk Simulation: We can do a help desk simulation in addition to the presentation. Students receive queries that they have to deal with. It can be real-time or ... This simulation will be used to require students to address specific issues.

Collaborative vs. Individual Work: As a group, we can ask students to effectively educate the general user population. We can then provide each student with fictional general-user emails about security, and each student must respond to one or several emails. We won't let students choose which emails to respond to.

Resources: Kevin Mitnick's research on social engineering. Ray has access to a software engineering rubric.

Communication: It is important to focus on communication in this task. We could suggest role playing help desk/general user. The education should contain the advice: don't use a word that's in the dictionary for your password.

Student Deliverables:
1. A report of the key points that should be conveyed to the general population (3 hours)
2. A presentation or FAQ to take the end user through the education (3 hours)
3. Possibly: written responses to general users' inquiries

Learning Objectives Covered:
1. Identify and document aspects of the Security Policy that should be conveyed to a general audience.
2. Develop a short, engaging, compelling presentation or FAQ to communicate these aspects to the general audience.
3. Effectively respond to security-related inquiries from the general user population.

Time: 6 hours
Major topic: Educate and raise awareness about the Security Policy among the general user population

Task 6: Document Procedures for Emergency Response

Business Problem: While monitoring helps validate that the Security Policy is enforced, the documented results from monitoring may reveal patterns of abnormal activity. This can provide an early-stage diagnosis of threats (malicious or accidental). It is crucial for an organization to be prepared with a set of actions to take when there is an emergency.

Student Task: Identify the possible emergencies and prepare recognition conditions, a set of steps for each emergency to bring business operations back to their original state, and expected outcomes for each set of procedures. All threats and attendant procedures that don't take the systems back to their original state must be documented.

Additional Notes on Scenario/Task:

Re the Emergency Response document: In some sense you're creating a cookbook. You have recognition conditions for threats. Once threats are recognized, you have steps to take. Once you've taken the steps, you have expected outcomes.

Re the expected-outcome section: The business needs to understand the expected outcomes, especially for procedures that won't fully restore systems to their original state. To mitigate risk, someone in upper management should be aware of the implications of these scenarios.

Output Sharing: Because all student groups might not choose to address the same emergencies, we should have groups give presentations or provide a master list after the fact, to share task outcomes.

Resource: CERT

Re procedures: Where relevant, these should include steps like who to call, e.g., do we know who to call at the IFC when a denial of service attack occurs?

Student Deliverables:
1. Emergency Response document that, for a set of common security emergencies, documents for each emergency: recognition conditions, recovery steps, and expected outcomes. Any case in which recovery is less than 100% reflects a flaw in the monitoring systems, but it may not make business sense to address the flaw. All risks that don't take the systems back to their original state must be documented. (Must explain why 100% recovery isn't tenable?)

Learning Objectives Covered:
1. Be able to recognize common abnormal occurrences in networks.
2. Draft recovery steps for each of the most likely emergencies.
3. Be aware of and document the expected outcomes for each set of emergency procedures.
4. For cases where 100% recovery isn't possible, explain why.

Time: 14 hours
Major topic: Document Procedures for Emergency Response
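Added worked example for Task 3 (this is not part of the course materials or of any C-Bay system): a small Python log-triage script of the kind a student could write for the "monitor network logs and prepare a periodic report" deliverable. It parses constructed syslog-style lines (invented host, accounts and addresses, not real data), rates each finding on an assumed four-level scale, flags the key events the task notes call out (password changes, access to certain directories, an accidental outage) plus a correlated brute-force login pattern, and renders an "at a glance" report with the highest-rated findings first. The brute-force threshold, the watched path prefix, and the severity scale are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Rating system for the report template (assumed scale; the course document only asks for
# "a well-defined rating system to prioritize issues"). Threshold and path are also assumptions.
SEVERITY = {"INFO": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
BRUTE_FORCE_THRESHOLD = 5
SENSITIVE_PREFIXES = ("/srv/auction/records/",)

# Constructed sample log: invented host, users and documentation-range addresses, not real data.
SAMPLE_LOG = """\
Mar 03 08:01:12 cbay-web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 5022 ssh2
Mar 03 08:01:14 cbay-web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 5023 ssh2
Mar 03 08:01:17 cbay-web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 5024 ssh2
Mar 03 08:01:19 cbay-web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 5025 ssh2
Mar 03 08:01:22 cbay-web1 sshd[2231]: Failed password for admin from 203.0.113.7 port 5026 ssh2
Mar 03 08:01:40 cbay-web1 sshd[2290]: Accepted password for admin from 203.0.113.7 port 5030 ssh2
Mar 03 08:22:03 cbay-web1 sshd[2410]: Failed password for root from 198.51.100.9 port 40110 ssh2
Mar 03 08:22:09 cbay-web1 sshd[2410]: Failed password for root from 198.51.100.9 port 40111 ssh2
Mar 03 09:15:02 cbay-web1 passwd[3104]: pam_unix(passwd:chpasswd): password changed for jsmith
Mar 03 10:30:55 cbay-web1 kernel: eth0: link down
Mar 03 10:31:10 cbay-web1 auditd[410]: type=PATH name="/srv/auction/records/mortgage_app.pdf" uid=4001
this line is not syslog and is skipped
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
PASSWD_RE = re.compile(r"password changed for (?P<user>\S+)")
LINKDOWN_RE = re.compile(r"(?P<iface>\S+): link down")
PATH_RE = re.compile(r'name="(?P<path>[^"]+)"')

@dataclass
class Finding:
    severity: str
    summary: str
    evidence: list = field(default_factory=list)

def parse_line(line):
    """Split one syslog-style line into fields; return None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Turn raw lines into rated findings, highest rating first."""
    failures = defaultdict(list)  # (src, user) -> failed-login lines
    accepted = {}                 # (src, user) -> successful-login line
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := FAILED_RE.search(msg):
            failures[(m["src"], m["user"])].append(raw)
        elif m := ACCEPTED_RE.search(msg):
            accepted[(m["src"], m["user"])] = raw
        elif m := PASSWD_RE.search(msg):  # key event to review periodically, not in real time
            findings.append(Finding("INFO", f"password changed for {m['user']}", [raw]))
        elif m := LINKDOWN_RE.search(msg):  # accidental-outage pattern ("tripped over a cord")
            findings.append(Finding("MEDIUM", f"{rec['host']}: {m['iface']} link down", [raw]))
        elif (m := PATH_RE.search(msg)) and m["path"].startswith(SENSITIVE_PREFIXES):
            findings.append(Finding("MEDIUM", f"access to sensitive path {m['path']}", [raw]))
    # Correlate across lines: repeated failures from one source rate HIGH; a later success from
    # the same source for the same account rates CRITICAL (possible compromise).
    for (src, user), hits in failures.items():
        if len(hits) < BRUTE_FORCE_THRESHOLD:
            continue
        if (src, user) in accepted:
            findings.append(Finding("CRITICAL", f"{len(hits)} failed logins for {user} from {src} "
                                    "followed by a successful login", hits + [accepted[(src, user)]]))
        else:
            findings.append(Finding("HIGH", f"{len(hits)} failed logins for {user} from {src}", hits))
    findings.sort(key=lambda f: SEVERITY[f.severity], reverse=True)
    return findings

def severity_counts(findings):
    counts = {s: 0 for s in SEVERITY}
    for f in findings:
        counts[f.severity] += 1
    return counts

def render_report(findings, period="daily"):
    """Fill the 'at a glance' template: counts first, then findings with up to 3 evidence lines."""
    counts = severity_counts(findings)
    order = sorted(SEVERITY, key=SEVERITY.get, reverse=True)
    out = [f"Monitoring report ({period})",
           "AT A GLANCE: " + ", ".join(f"{s} {counts[s]}" for s in order),
           "FINDINGS (highest rating first):"]
    for f in findings:
        out.append(f"  [{f.severity}] {f.summary}")
        out.extend("      " + e.strip() for e in f.evidence[:3])
    return "\n".join(out)

if __name__ == "__main__":
    print(render_report(triage(SAMPLE_LINES)))
```

Two design points worth noting when students build their own version: the two root failures stay below the threshold and produce no finding, which is the trade-off the "daily vs. less frequent" note describes (raw failed-login data is kept for periodic review rather than escalated in real time), and the CRITICAL rating comes from correlating two event types rather than from either alone, which is what a plain per-line log summary cannot do.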