Security Scene: Implementing an Internet2 Network Security Program
Security Scene: Part 2
This is the second post in a series of articles that will explore the experiences and benefits of implementing a security program for the Internet2 Network. The creation of the Chief Cyberinfrastructure Security Officer role at Internet2 grew out of an increasing concern on the part of leadership that research and education (R&E) networks may become more attractive to potential attackers. My first assignment as CCSO was to determine the security posture of the network (i.e., Advanced Layer 1, Layer 2 and Layer 3 Services) by identifying significant risks and proposing solutions to mitigate each risk. The findings were then presented to Internet2 leadership so that risk management decisions could be made and next steps planned. In the nearly twenty years that the Internet2 Network has been in operation, this was the first time a baseline security risk assessment had been performed. It was clear that a proactive security program was needed that would appropriately protect the network from attack. Read Security Scene: Part 1.
Managing information technology security is the ongoing process of balancing risks and required resources, which includes identifying and analyzing institutional IT assets (i.e., information, information systems, computers, network components), assessing their vulnerabilities and risks, determining the level of acceptable risk (based on business considerations), and selecting/implementing safeguards to mitigate high risks. The information technology security management process also includes monitoring and auditing the implementation of the selected risk mitigation strategies. This month's security article focuses on the value of performing a security risk assessment and how Internet2 used this to establish the foundation upon which a security program was initiated.
Risk Assessment Overview
A security risk assessment helps to expose security weaknesses, gauge the reality of perceived system shortcomings, and provide a baseline for the existing security posture. Consequently, it is a technique that can identify potential problems, and can offer a variety of solutions before such problems are discovered and exploited by those seeking to do harm.
Most security experts agree that security is a process, and that process provides a methodical way of assessing and mitigating risks. Depicted below, the process begins with an assessment. Results from the assessment are used as input to deciding which risks should be mitigated and which risks are acceptable. The implementation of security improvements addresses what it is you are trying to protect and from whom you are trying to protect it. Once technical and non-technical countermeasures are implemented, it is important to measure the effectiveness of the selected solutions. When complete, the entire cycle periodically repeats.
Figure 1 Risk Management Process
The use of a formal security risk assessment methodology is a key factor in the developing maturity of a security program within an organization. Managing the security and business value of information infrastructures has become a primary concern, with security risk assessments playing a key role. Benefits of an assessment, and of implementing the corrective measures it identifies, include:
- Ensuring that senior leaders/executives recognize the importance of managing information security risk and establishing appropriate governance structures for managing such risk
- Fostering an organizational climate where information security risk is considered within the context of the design of mission/business processes, the definition of an overarching enterprise architecture, and system development life cycle processes
- Meeting regulatory requirements (e.g., HIPAA, many federal contracts) and contractual obligations that mandate risk assessments
- Operating in the most effective and cost-efficient manner with a known and acceptable level of risk
- Reducing the likelihood and associated cost of serious IT security incidents
- Efficiently mitigating the highest risks rather than applying limited resources to all possible risks
- Moving to a proactive security posture vs. a reactive process
- Identifying key performance indicators that show the value of improvements to the security posture
Internet2 Risk Assessment
In conducting the first ever baseline security risk assessment of the Internet2 Network, it was important that a comprehensive process be used to evaluate both technical (e.g., device configurations) and non-technical (e.g., policies) areas in order to provide the leadership with an accurate assessment of the existing security posture.
Thus, the risk assessment approach used by Internet2 relied upon the following steps:
- Technical interviews of network and systems engineering staff operating the network.
- Control questions drawn from the moderate baseline of NIST Special Publication 800-53, which provides a security controls catalog divided into families. Each family has multiple controls, and the questions derived from them are designed to identify gaps in security implementations.
- Examination of the operational environment through review of logs, device configurations, and existing policies, and through site visits to data centers and co-location facilities.
- Identification of threats and vulnerabilities.
- Analysis of risks and proposed corrective actions.
- Presentation of findings to leadership for decisions.
- Implementation of approved security improvements.
Based upon the baseline security risk assessment findings, which determined that the Internet2 national research and education network was at considerable risk from a targeted attack and at moderate risk from an opportunistic attack, numerous short-term and long-term recommendations were made.
Short-term recommendations addressed those underlying risks that could be remedied quickly to improve our security posture in the face of increasingly sophisticated threats. Implementation of the short-term activities has been completed and significantly mitigates the risk of a targeted attack on the Internet2 Network. Long-term recommendations laid out subsequent actions to enhance and sustain the security program.
Next month's security article will examine many of the short-term and long-term improvements and discuss the rationale for their implementation.