EDUCAUSE Systems Security Task Force - March 19, 2001

  • 1. Educause Task Force on System Security. Dan Updegrove, University of Texas at Austin; H. Morrow Long, Yale University. NERCOMP 2001, Worcester MA, March 19, 2001
  • 2. Outline
    • Some history
    • The current situation
    • “Simple” steps towards security
    • One university’s response
    • Other security initiatives
    • SANS “Top 10 List” of vulnerabilities
    • The EDUCAUSE Task Force
    • How you can participate
  • 3. Some Recent Internet History
    • 1986 – Major NSF funding for national backbone & regional supercomputer centers
    • 1988 – Robert Morris & the Internet Worm
    • 1988 – Creation of CERT at CMU
    • 1989 – The Cornell Commission report
    • 1989 – Clifford Stoll’s The Cuckoo’s Egg
    • 1991 – CIX, commercial use, & Gopher
  • 4. Internet History, cont’d
    • 1993 – Mosaic browser released by UIUC
    • 1993-4 ISP Sniffing attacks (PANIX, NearNet)
    • 1994-5 Kevin Mitnick demos TCP Hijacking.
    • 1995 – National backbone privatized
    • 1995 – SATAN released by Farmer & Venema
    • 1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks.
    • 1996 – Internet 2 consortium formed
  • 5. 2000-2001 Academic InfoSec
    • Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
    • June – SANS Top Ten list released.
    • June-July – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server.
    • Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records.
    • March – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.
  • 6. The Current Situation
    • The Internet is a world-wide, increasingly mission-critical infrastructure
    • Internet’s underlying structure, protocols, & governance are still primarily open
    • Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
    • Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
    • Many college & university networks are insecure
  • 7. Information Security in HE
    • Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
    • Smaller institutions: dearth of tech skills
    • Dorm networking: little adult supervision
    • Too few security experts; weak tools; most institutions have no InfoSec office.
    • Few policies regarding systems security
  • 8. Information Security in US HE
    • 3500+ Colleges and Universities
    • > 1000 Community colleges
    • < 100 major research universities
    • 125+ University Medical Schools
    • 400 Teaching Hospitals
    • 150+ Institutional members of Internet2
  • 9. Targets of Opportunity on US HE Computer Networks
    • Sensitive Data
      • Credit Card #s, ACH (NACHA) bank #s
      • patient records (SSN)
      • student records (SSN)
      • institution financial records
      • Investment records
      • donor records
      • research data
  • 10. Why US HE Computer Networks are attractive targets
    • Platforms for launching attacks
      • Wired dorms (insecure Linux PCs, PC Trojans)
      • High bandwidth Internet (Fract T3, T3, T3+)
      • High computing capacity (scientific computing clusters, even web servers, etc.).
      • “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
      • Trust relationships between departments at various Universities for research (e.g. Physics)
      • Univ research lab computers are often insecure and unmanaged.
  • 11. Unique Challenges to implementing Information Security in Higher Ed
    • Academic “Culture” and tradition of open and free networking
    • Lack of control over users
    • Decentralization (no mainframe anymore)
    • Lack of financial resources
    • Creative Network Anarchy – anyone can attach anything to the network
    • IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership.
  • 12. What should US HE IT be doing W.R.T. Information Security
    • Investigating network security methods.
    • Investigating strong authentication methods (e.g. smart cards, tokens).
    • Evaluating “best practices” in:
      • Higher Education
      • Corporations
      • Government
      • Military
    • Developing common recommended policies.
  • 13. Trends in Academic InfoSec
    • E-Commerce sites threaten litigation against future DDoS sites. Liability for negligence?
    • Insurance companies begin to rewrite liability policies, separate ‘cyber’ policies to require info security vulnerability assessments & changes.
    • Funding agencies to require firewalls, security?
    • HIPAA is a “forcing function” in academic Medical Centers.
    • FERPA, COPPA, DMCA, Privacy legislation.
    • If HE InfoSec doesn’t improve, will more federal legislation be far behind?
  • 14. InfoSec Trends Elsewhere
    • Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites.
    • Information security at State gov. agencies and municipal governments is a mixed bag.
    • Outside US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not.
  • 15. InfoSec Trends Elsewhere
    • .MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).
    • .GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies.
  • 16. InfoSec Trends Elsewhere
    • .COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art.
    • Insurance/auditors requiring security assessments for policies.
    • BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
    • CISSP / CISA / SANS GIAC / Vendor (Microsoft/Cisco/Checkpoint) certifications of Information Security personnel
  • 17. Corporate InfoSec Trends, (relatively rare in US HE)
    • Firewalls, proxies, user access control
    • Network monitoring, bandwidth management
    • Extensive logging, logfile analysis
    • IDS – Intrusion Detection Systems
    • VPNs (Virtual Private Networks)
      • PPTP, L2TP, IPSEC
    • Strong Authentication – PKI, Smartcards
    • Vulnerability scanning (internal, external)
    • Change Control / Management
    • Managed Security Services (e.g. outsourced)
  • 18. Simple Steps to Info Security
    • Accept/Understand the dangers (current threat env.)
    • Inventory your critical systems (Virginia Tech Excel)
    • Risk Mgt: Assess/prioritize the risks to these systems
    • Secure critical (and legally mandated) systems by patching/hardening the OS and applications
    • Move critical systems into data centers where they will be physically and environmentally secure as well as under pro system admin.
    • Use internal firewalls to secure data center server subnets (the protected enclave model) and other critical sites -- even where perimeter firewall(s) exist.
    • Scan and fix your systems – prioritize.
  • 19. More “Simple Steps”
    • Create and fund an InfoSec Office(r)
    • Empower the InfoSec Office(r)
      • Authorize & fund network scanning
      • Authorize “pulling the plug”
      • Create policies - particularly regarding calling law enforcement – legal advice.
      • Restrict NT domain administration severely (e.g to InfoSec)
    • Centralized 7x24 hour production operations
    • Professional system administration
    • Network partitioning (admin servers, DMZ, residential colleges, student clusters/labs, research labs, etc.) via routers, firewalls, subnets / VLANs, separate Internet feeds.
  • 20. Less “Simple Steps” 
    • Abolish or strongly discourage “insecure” network protocols (telnet, ftp, rlogin/rsh, std HTTP forms for sensitive data)
    • Encourage or require encryption for network protocols (passwords, data streams / stores)
    • Attempt to abolish use of Social Security # both as a unique identifier and as a PIN/password.
    • Require/encourage strong authentication (good passwords, smartcards or physical tokens, biometrics, Kerberos or X.509 certificates) particularly for privileged access and sensitive important applications.
    • Conduct a massive education campaign – give examples of incidents and “bad practices”.
  • 21. Lesser “Simple Steps” 
    • Provide dis/incentives (sticks & carrots) to shift the existing cost/benefit security calculus.
    • Flip “allow everything / deny by exception” vs. “deny everything / allow …” net access rule.
    • Put critical systems & net under change mgt.
    • Install Tripwire™, ISS System Scanner™ or similar systems (AIDE) on critical systems
      • so that you know when they have changed (and you have been hacked)
    • Get Anti-Virus software installed campus-wide.
  • 22. Least “Simple Steps” 
    • Manage passwords
      • Require strength and changing (30-90 days)
      • Expect resistance (do you have political will)
    • Manage vendor upgrades and “hot fixes”
      • Microsoft “hot fixes” for NT, W2K, IIS are out of control and many believe unmanageable.
    • Secure software obtained from Vendors
      • Tough because most application software is shrink-wrapped or outsourced.
      • But you can create alternate ‘secure’ builds of software such as Red Hat Linux, Unix, NT, Windows 2000.
  • 23. One University’s Response
    • Yale University: 11,000 students, 11,000 faculty & staff; 16,000 hosts; wired dorms; 500 modem lines; I1 & I2; wireless pilots
    • Information Security Officer hired in 1997; two additional staff added by 1999, one focused on admin, one on research/students
    • This office is extremely busy!
  • 24. One University, cont’d
    • Internet Security Systems (ISS) licensed 1998
    • Found numerous vulnerabilities, many severe
    • Some systems admins grateful for the info; some overwhelmed by the tasks ahead
    • One user complaint when home net scanned
    • Student paper assumed search for MP3s
  • 25. One University, cont’d
    • IT Appropriate Use Policy amended to authorize scans, even for personal machines
    • Automated report dist by running a ‘.BAT’ script of NT cmd line ISS scanner, PGP-encrypting, & sending E-mail to dept admins
    • Distribute ISS s/w & license keys so depts can scan themselves, perform repairs.
  • 26. One University, cont’d
    • 2nd data center w/ mirrored disk for disaster recovery
    • Extensive use of IBM’s ADSM for backup
    • Firewalls: Internet gateway & Data Centers
    • System admin hygiene, SSH, et al.
    • Eliminated insecure Telnet/FTP to central servers, distributed SSH and other tools
    • Promotion of encryption (more policy issues)
    • VPN server set up and publicized
    • Campus-wide Anti-Virus software license obtained, software distributed.
  • 27. Other Security Initiatives
    • Computer Security Institute
    • Forum of Incident Response & Security Teams
    • System Administrators Guild of USENIX
    • USENIX Security Conference
    • CERT Coordination Center
    • NIST Computer Security Division
  • 28. Other Initiatives (cont’d)
    • Commercial & public domain software
    • CREN Certificate Authority; Net@Edu PKI working group; Internet 2 PKI Labs, Internet2 Security Working Group
    • SANS -- System Administration, Networking, & Security Institute
    • Center for Internet Security
  • 29. SANS Top 10 Vulnerabilities
    • BIND weaknesses: nxt, qinv & in.named allow immediate root compromise
    • Vulnerable CGI programs & app extensions
    • RPC weaknesses in ToolTalk, Calendar Manager, rpc.statd allow immed root cmp
    • RDS security hole in Microsoft’s Internet Information Server
    • Sendmail buffer overflow, pipe attacks, MIMEbo allow immed root compromise
  • 30. SANS Top 10, cont’d
    • Sadmind & mountd
    • Global file sharing, inappropriate info sharing via NetBIOS, UNIX NFS, MacOS
    • User Ids, esp root/admin weak passwords
    • IMAP & POP buffer overflow, misconfig
    • Default SNMP community strings set to “public” & “private”
  • 31. SANS Top 10, cont’d
    • ISS, other tools can scan for them
    • Eliminating top 10 not sufficient
    • Top 10 a moving target
    • But how many institutions have got these ten vulnerabilities under control?
    • And couldn’t we make more progress if we engaged in joint action?
  • 32. SANS SSH.COM SSH for Educational Institutions
    • SANS worked with SSH.COM to obtain free SSH2 implementations for US educational institutions.
  • 33. FBI NIPC/Microsoft IIS Alert
    • MS99-025, Unauthorized Access to IIS Servers Through ODBC Data Access with RDS.
    • MS00-014, SQL Query Abuse.
    • MS00-095, Registry Permissions.
    • MS00-086, Web Server File Request Parsing.
  • 34. Educause Task Force
    • Announced to all member reps in July email from Mark Luker, VP for Networking
    • Co-chaired by Gordon Wishon, Associate VP & Associate Vice Provost for IT, Georgia Tech; & Dan Updegrove, VP for Information Technology, University of Texas at Austin
    • Committee co-chairs named
  • 35. TF Committees - 1
    • Detection, prevention, & response to attacks
    • Jack Suess, CIO, University of Maryland, Baltimore County
    • Steve Hansen, Security Policy Officer, Stanford
  • 36. TF Committees - 2
    • Campus Policies
    • Mark S. Bruhn, IT Policy Officer, Indiana U
    • Rodney Petersen, Dir, Policy & Planning, U of Maryland, College Park
  • 37. TF Committees - 3
    • Education & awareness
    • Michelle Norin, Director for IT Outreach, University of Arizona
    • Gordon Wishon, VP & Vice Provost for IT, Georgia Tech
  • 38. TF Committees - 4
    • Emerging Technologies
    • Clifford Collins, Ohio Academic & Research Network (OARnet)
    • Ken Klingenstein, University of Colorado & Chief Technologist/Middleware Project Director, Internet 2
  • 39. EDUCAUSE Initiatives
    • Education/Awareness – Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.).
    • “Best” Practices Security Recommendations - publish
    • Tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, etc.
    • Federal (NSF) grant proposal?
    • Vendor contacts / potential group purchase discounts.
    • PKI (HEPKI-PAG, HEPKI-TAG) – Public Key Infra
    • Obtaining security consulting/assessment/emergency notification (e.g. Internet 911) services for academia?
  • 40. How You Can Participate
    • Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors -- even CIOs!
    • Meetings, email, website, white papers
    • <http://www.educause.edu/security>