  1. IT Professionals Roundtable. A security discussion… July 13th, 2005
     Agenda:
     • Section 1: Risks
     • Section 2: Security Primer
     • Section 3: Organization
     • Section 4: Evolution of the UNCG Network
     • Section 5: Where are we going?
     • Section 6: Questions
  2. IT Professionals Roundtable. A security discussion… July 13th, 2005
     Section 1: Risks
     Chuck Curry, Assistant Vice Chancellor - Technology Planning, ITP Security Officer
  3. UVA Video
  4. InformationWeek Daily Newsletter, Tuesday, June 21, 2005
     "40 ... million ... credit cards. MasterCard, Visa, Discover, and American Express. That's enough accounts to represent roughly one card each for 19% of the U.S. population that's 18 and over. In the last four months we've had at least 14 episodes of exposed data--be it by loss, theft, or hacking. In most of these cases, common sense and/or the application of basic security measures appeared to have been lacking. In many of these cases, the victimized companies moved to change their security procedures following the often-belated revelations of the breaches."
  5. "ECU, state probe computer security breach" by Corey G. Johnson, The Daily Reflector, Wednesday, June 22, 2005
     "ECU officials and the State Bureau of Investigation are investigating a computer security breach that allowed someone to access 250 students' personal information, officials said Tuesday. The breach, which occurred during May on an Internet server in the department of physician assistant studies at East Carolina University…"
  6. Univ. Texas at Austin, February – March 2003
     • "The University of Texas at Austin regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer. Fortunately, it appears that prompt action by the Travis County District Attorney's Office, the U.S. Attorney's Office, and the U.S. Secret Service has secured the stolen data before they could be misused or further disseminated."
     • Compromise of UT-Austin's BANNER equivalent system.
  7. Univ. California – Berkeley, March 11, 2005
     • "UC Berkeley police are investigating the theft of a campus laptop computer that contained files with the names and Social Security numbers of more than 98,000 individuals, mostly graduate students or applicants to the campus's graduate school programs. The computer was stolen March 11, 2005, when an individual entered a restricted area of the Graduate Division that was momentarily unoccupied."
     • California law required UC-Berkeley to notify all compromised identities.
  8. Chronicle of Higher Education
     • Higher-Education Organizations Plan a Coordinated Approach to Network Security (4/18/02)
       – "Today more than a half-dozen higher-education organizations are expected to endorse a national effort to improve the security of computer networks and information systems used by colleges and universities"
  9. Internet2 Publication
     • Information Technology Critical Infrastructure in Higher Education – A Framework for Action
     • (Archived Link) ActionFramework.pdf
       – "This action statement is a solid first step in responding to the special challenges faced by higher education in the area of information technology security," said Molly Corbett Broad, president of the University of North Carolina and chair of the Higher Education Information Technology Alliance. "Increased attention and resources are required to ensure that information technologies continue to support the open exchange of ideas that is at the heart of academia."
  10. Widespread Adoption of Broadband
  11. Broadband Connection Speed Trend – Home Users (US)
  12. Web Connection Speeds Trend – Work Users (US)
  13. In 2004, hackers became more organized
      • Beagle Virus, MyDoom, Netsky, Phatbot and Sasser fought it out on unpatched machines
      • Scores of new and recycled backdoor trojans were injected into compromised hosts
      • New techniques were created to steal personal information
  14. CASH! Moolah! Coin! Money!
      • Each of the worms in 2004, with few exceptions, was designed to insert an agent for Internet crime!
      • Spam, scams, DDoS for hire and credit card theft pay well in online crime
  15. How do spammers make money?
      – It's tough, but spam does pay if you keep at it long enough
      – Spammers are paid for selling known email address lists
        • Downloading images in email can tell spammers that you exist
        • Performing directory harvest attacks tells spammers who the real users are
      – Most spam is used to deliver other attack vectors, such as phishing scams, viruses, trojans, etc., but there is still some money to be made selling products or services
      – Spammers sell lists of email addresses to other spammers
      – Spammers sell lists of open email proxies and compromised spam/virus-infected proxies
  16. SCAMS
      – Nigerian 419 scams
        • Promise of money in exchange for moving cash out of the country
        • Ultimately a kidnapping scheme
      – Bogus lottery scams
        • Pay thousands of dollars in phony legal fees to recover lottery winnings
        • July 2004: a 60-year-old victim called a radio show during a broadcast, asking where her lottery winnings were. She reported that she had spent $20K on phony legal fees!
      – Cheap prescription scams
        • Cialis, Viagra, Oxycontin and other drugs
        • Accept payments on bogus websites and do not deliver purchased goods
  17. DDoS for hire
      – SCO, RIAA, Microsoft, RNC, Akamai, Yahoo, Google and many others have been victims of DosBot DDoS attacks
      – Hackers for hire will shut down any site for just thousands of dollars per day
      – Criminal organizations will threaten to use botnets to extort money from online e-commerce sites such as gambling sites and porn sites
  18. Personal information theft
      – Most worms over the past year have opened backdoors to allow attackers to harvest personal information from users by installing keyloggers and trojans
      – Most attackers want serial numbers for games
      – Stealing credentials for online banking, porn sites, AOL account info, job search info, search engine queries and web-based email such as Hotmail and Yahoo
      – Stealing credit card numbers by recording input into online purchase forms
  19. Credit card theft/trade
      – Credit cards are the new "Gold Standard" in online crime.
      – Prices are set for each valid credit card number, both with and without the 3-digit verification security code
      – Prices are higher if other personal information accompanies the CC#, such as SSN, last residences, other credit history information
      – IRC chat rooms can automatically check validity of credit card numbers
      – Cash is transferred to traders in packages by mail forwarders and remailer agents
  20. Phishing
      Phishing as we know it in its current form is on its way out:
      • Not enough new victims coming online
      • Efforts of law enforcement, ISPs and private financial institutions are limiting the "shelf life" of phishing sites
      • High risk and not enough yield for the attacker
      The new wave is to compromise web servers to install keylogger and formlogger agents:
      • A formlogger site has a longer shelf life because it is harder to detect
      • Victims don't know they have been compromised
      • Collects a wide variety of commodity information, more than just credit card info:
        – Online job search credentials to move the cash (remailer services)
        – Search engine query results to mine for information about the credit card holders to answer free online credit report challenge questions
        – Porn account and other online account credentials
  21. Putting it all together
      – Install keyloggers on your (ro)botnet
      – Log to a 3rd-party server
      – Harvest information:
        • Credit card numbers from multiple e-commerce sites
        • Porn, AOL, email accounts, other credentials
        • Monster.com login information to post jobs for remailers for credit card trade and payment
      – Sell your harvested data: $2,000
      – Sell your botnet: $500
      – Total value of all information from a 1000-node botnet: $2,500
  22. Example bot-herd attack (diagram: Bot-Herder → Controller → Agents → IRC Server → Bots → Joe Victim)
  23. BOTs - May's top 9 (plus 1)
      • United States: 19.08% (964,020)
      • China: 14.56% (735,598)
      • South Korea: 9.61% (485,492)
      • Germany: 5.99% (302,618)
      • France: 5.69% (287,368)
      • Brazil: 5.56% (281,168)
      • Japan: 3.70% (186,691)
      • United Kingdom: 3.13% (158,009)
      • Spain: 2.96% (149,634)
      • European Union: 26.16% (1,320,985)
  24. UNCG MailFrontier: Good Email vs Junk Email, Sunday, July 10, 2005 (chart: Junk vs Good)
  25. Poor awareness exposed…
      • "It's a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment"
      • "Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate"
      • "Nine out of ten employees revealed their password on request in exchange for a free pen"
      These things don't happen as a result of malicious intent, but rather a lack of awareness of security risks.
  26. Top ten most common security mistakes…
      1. Passwords on Post-it notes
      2. Leaving your computer on, unattended
      3. Opening e-mail attachments from strangers
      4. Poor password etiquette
      5. Laptops on the loose
      6. Blabber mouths
      7. Plug and play without protection
      8. Not reporting security violations
      9. Always behind the times (the patch procrastinator)
      10. Not knowing internal threats
  27. Awareness requires a change in culture
      Analogy - seatbelts: "It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious." — Peter N. Wadham
      "Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day." — Frances Hesselbein
      Key to cultural transformation: "Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things." — The Freeman Institute, Changing the Culture of Your Organization
  28. IT Professionals Roundtable. A security discussion… July 13th, 2005
      Section 2: Security Primer
      John C. Gale, CISSP, Security Analyst
  29. Security Primer
      • Security is risk management
        – Risk transference
          • Insurance to cover losses
          • Outsourcing
        – Risk mitigation
          • Software controls (patches, logs)
          • Hardware controls (firewalls, VPNs)
          • Transit protection (encryption, traffic normalization)
          • Training and education (good passwords, proper use of tools)
  30. Security Primer
      • Security is information security
        – This means that data is being secured in proper ways:
          • In properly secured file cabinets
          • In properly secured computers
          • Privacy for phone conversations
          • Information transmitted securely over a network (or not transmitted)
          • Communication only conducted between authorized parties.
        – This is not just about computers.
  31. Security Primer
      • Whose problem is it?
        – Not the dept.
        – Not the technician in that dept.
        – It is a University problem.
  32. Security Primer
      • Who makes decisions around security policy?
      • The top management level of the University. This includes:
        – Chancellor
        – Provost
        – Vice Chancellors
        – University Counsel
      • This is the only group who makes policy for the University.
  33. Security Primer
      • What do you do if asked to break policy?
        – Don't take it upon yourself
        – Don't circumvent procedures and controls
          • This makes YOU responsible.
        – Talk to your manager / supervisor.
        – Make sure the business need goes up the chain for approval.
  34. Security Primer
      • What problem is security creating?
        – Harder to use a computer resource / less flexible
        – More steps to get something / makes things slower
  35. Security Primer
      • What problem is security solving?
        – Risk management (exposure, theft, damage to reputation)
        – Compliance
          • FERPA
          • HIPAA
          • GLBA
          • Copyright
          • DMCA
          • State Auditing
  36. Security Primer
      • It sure would be nice…
        – If everyone were honest
        – If we didn't need security
      • This is not reality, and security is not a choice anymore.
  37. Security Primer – How?
      • How do we do information security (in the computing realm)?
        – Physical security (door locks and vigilance)
        – Authentication and authorization
        – Software patches
        – Desktop anti-malware solutions
        – Network controls
        – Firewalls
        – Traffic normalization devices
        – Transit-based malware reduction
        – Detectors, monitors, logs
        – User education
  38. Physical Security
      • Why it is important
        – Confidentiality, integrity, and availability
        – Any physical access to a computer yields all information on that system.
        – Critical to the success of all other security (the foundation)
  39. Authentication and Authorization
      • "Hi! I'm John Student, and here is my network ID to prove it." (Authentication)
      • "I want to open my Lotus email." (Authorization – allowing John to see only his email)
      • "I want to change my final physics grade." (Authorization – not allowing John to do what he is NOT authorized to do)
  40. Software Patches
      • The "waterfall model" of software development yields early releases in the cycle.
      • Early releases always have defects.
      • Patching updates your software to a later milestone in the release cycle.
      • Patches solve known problems at a point in the release cycle.
        – Sophos: "There is now a 50% chance of being infected by an Internet worm within just 12 minutes of being online using an unprotected, unpatched Windows PC"
  41. Desktop Anti-Malware Solutions
      • Anti-virus
      • Anti-spyware
      • Personal firewalls
      • O/S anomaly detection agents
      • Anti-spam
  42. Network controls
      • Preventing local mis-direction
      • Network layer transaction tracking
      • DHCP tracking and enforcement
      • Address Resolution Protocol (ARP) poisoning prevention
      • Preventing network traffic bridging.
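As an added example (not code from the presentation or from UNCG), here is how the "DHCP tracking" and "ARP poisoning prevention" controls on this slide fit together: an inspecting switch accepts an ARP reply only when the sender's IP/MAC pair matches a DHCP-issued lease, and a single MAC answering for several IPs is a second warning sign. The lease table, port names and ARP replies are constructed for illustration.

```python
"""Validate ARP replies against DHCP-issued bindings (the dynamic-ARP-inspection idea).

All data below is constructed for illustration; it is not UNCG's configuration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed DHCP lease table: IP -> MAC the DHCP server actually handed out.
DHCP_LEASES = {
    "10.0.5.1": "00:1a:2b:00:00:01",   # default gateway (static, but tracked as well)
    "10.0.5.20": "00:1a:2b:00:00:20",  # workstation on port Gi1/0/20
    "10.0.5.21": "00:1a:2b:00:00:21",  # workstation on port Gi1/0/21
}

# Constructed ARP replies seen on access ports: (ingress port, sender IP, sender MAC).
ARP_REPLIES = [
    ("Gi1/0/20", "10.0.5.20", "00:1a:2b:00:00:20"),  # legitimate
    ("Gi1/0/21", "10.0.5.21", "00:1a:2b:00:00:21"),  # legitimate
    ("Gi1/0/21", "10.0.5.1",  "00:1a:2b:00:00:21"),  # host 21 answers for the gateway
    ("Gi1/0/30", "10.0.5.99", "00:1a:2b:00:00:99"),  # sender IP has no lease at all
]


@dataclass(frozen=True)
class Violation:
    port: str
    ip: str
    mac: str
    reason: str


def inspect_arp(replies, leases):
    """Return the replies an inspecting switch should drop.

    A reply is bad when its sender IP has no DHCP binding, or when the
    sender MAC differs from the MAC the lease was issued to.
    """
    violations = []
    for port, ip, mac in replies:
        expected = leases.get(ip)
        if expected is None:
            violations.append(Violation(port, ip, mac, "no DHCP binding for sender IP"))
        elif expected.lower() != mac.lower():
            violations.append(Violation(port, ip, mac, f"MAC mismatch, lease has {expected}"))
    return violations


def macs_claiming_multiple_ips(replies):
    """Second signal: one MAC answering for several IPs. Returns {mac: sorted IPs}."""
    seen = defaultdict(set)
    for _port, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def ports_to_shut(violations):
    """Access ports that sent at least one bad reply (errdisable-style enforcement)."""
    return sorted({v.port for v in violations})


if __name__ == "__main__":
    bad = inspect_arp(ARP_REPLIES, DHCP_LEASES)
    for v in bad:
        print(f"DROP {v.port} {v.ip} {v.mac}: {v.reason}")
    print("ports to shut:", ports_to_shut(bad))
    print("multi-IP MACs:", macs_claiming_multiple_ips(ARP_REPLIES))
```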
  43. Firewalls
      • Enforcement of policy
        – Traffic rules mirror organizational policy
        – Enforce client and server communications relationships
        – Enforce some protocol compliance.
  44. Traffic Normalization Devices
      • Intrusion Prevention Systems (IPS) are a traffic normalization device.
      • Transit-layer application-level compliance checking
        – Stop malformed URLs, excessive denial attempts
        – Exploits, worms, viruses, and malware.
  45. Transit-based malware reduction
      • Email-based anti-spam, anti-virus filtering systems.
      • Threats:
        – Phishing
        – Scams
        – Spam
        – Viruses
      • UNCG is using MailFrontier for this purpose.
  46. Detectors, Monitors and Logs
      • Logging and log review is critical
        – Server logs
        – Firewall logs
        – Intrusion prevention logs
      • Traffic anomaly detection and tar pits.
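As an added example (not from the presentation), the "excessive denial attempts" check from slide 44 and the server log review from slide 46 done in Python: sshd-style syslog lines are parsed, failed logins are counted per source in a sliding window, and sources crossing a threshold are flagged. The log lines, host name, usernames and IPs (documentation ranges) are constructed.

```python
"""Flag sources with excessive failed logins from sshd-style syslog lines.

The log lines are constructed for illustration (documentation-range IPs); they are
not real UNCG logs. The threshold and window are illustrative, not a recommendation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINES = """\
Jul 13 09:14:02 mailhost sshd[2112]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 13 09:14:05 mailhost sshd[2113]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Jul 13 09:14:09 mailhost sshd[2114]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 13 09:14:10 mailhost sshd[2115]: Accepted password for jstudent from 192.0.2.22 port 40210 ssh2
Jul 13 09:14:15 mailhost sshd[2116]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jul 13 09:14:21 mailhost sshd[2117]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Jul 13 09:15:30 mailhost sshd[2118]: Failed password for jstudent from 198.51.100.4 port 33001 ssh2
Jul 13 09:20:44 mailhost sshd[2119]: Failed password for jstudent from 198.51.100.4 port 33002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "outcome": m.group("outcome"), "user": m.group("user"),
            "ip": m.group("ip"), "invalid_user": m.group("invalid") is not None}


def find_excessive_denials(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns {ip: (time the threshold was first crossed, failures in window then)}.
    Successful logins and unparseable lines are ignored.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (ev["ts"], len(q))
    return alerts


def invalid_users_tried(lines):
    """Usernames that do not exist on the host but were tried anyway (an enumeration signal)."""
    return sorted({ev["user"] for ev in map(parse_line, lines) if ev and ev["invalid_user"]})


if __name__ == "__main__":
    for ip, (when, count) in find_excessive_denials(LOG_LINES).items():
        print(f"{ip}: {count} failed logins within 60s, crossed at {when:%H:%M:%S}")
    print("invalid usernames tried:", invalid_users_tried(LOG_LINES))
```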
  47. User Education
      • Spot social engineering and phishing
      • Choose good passwords
        – PLEASE… choose good passwords
      • Choose your Internet sites carefully
      • Don't download just anything
      • Don't open email attachments
        – Be careful, bad things can arrive from known email sources (faked)
  48. IT Professionals Roundtable. A security discussion… July 13th, 2005
      Section 3: Organization
  49. UNCG Information Security Organization (org chart: Chancellor; Information Security Committee and Executive Staff; CIO; ITP Information Security; ITP Compliance)
  50. UNCG Information Security Organization (org chart: Chancellor; CIO; Information Security Committee and Executive Staff; ITP Information Security; ITP Compliance; IT)
  51. University Security Policies
      • Acceptable Use of Computing and Electronic Resources Policy
      • Data Classification Policy
      • Security of Networks and Networked Data Policy
      • Wireless Communications Policy
      • Copyright Compliance for Users of UNCG Technology Resources Policy
      • Electronic Records Retention Policy (E-mail Retention Policy)
  52. UNCG Information Security Organization (org chart, as on slide 49)
  53. ITP Compliance
      • HIPAA (Health Insurance Portability and Accountability Act) Security
      • DMCA (Digital Millennium Copyright Act)
      • FERPA (Family Educational Rights and Privacy Act)
      • GLB (Financial Services Modernization (Gramm-Leach-Bliley) Act)
      • ADA (Americans with Disabilities Act) Web Accessibility
      • USA Patriot Act
      • North Carolina Public Records Act
      • Protection of Children from Sexual Predators Act of 1998 (Sexual Predators Act)
  54. UNCG Information Security Organization (org chart, as on slide 49)
  55. UNC System Security (org chart: President, UNC system; Chancellors; CIO; CIO Steering Committee; NetStudy Security Subcommittee)
  56. Security Timelines
      • May 2002 – UNCG designated by the UNC Board of Governors as an Information Technology Management Flexibility campus.
      • Spring 2003:
        – UNC Office of the President (OP) approves a Security Baseline document.
        – UNCG IT staff draft a security planning report for internal purposes.
        – Chancellor creates the UNCG Information Security Committee.
  57. Security Timelines
      • Fall 2003 – Spring 2004:
        – University Information Security Committee is informed about the UNC-OP Security Baseline.
        – Information Security Committee reviews the draft security planning report.
        – Information Security Committee delivers suggested security policies to executive staff.
      • July 2004:
        – Chancellor and executive staff approve several new security policies.
  58. Security Timelines
      • Fall 2004:
        – UNC OP authorized a UNC-wide Security Assessment.
      • Spring-Summer 2005:
        – UNC-wide Security Assessment is complete.
  59. Security Assessment Overview
      • Phase 1: Perform a review and security assessment of the CIO-approved UNC Security Baseline based upon industry standards and other applicable regulations
        – Identified policy/operational weaknesses found in the Security Baseline
        – Security Baseline recommendations categorized by UNC and federal guidelines and the ten domains of the ISO 17799 framework
        – Sample security baseline material from similar Unisys customers
        – Unisys-recommended changes are planned to be addressed by the NetStudy Security Sub-committee
      • Phase 2: Assess UNC member institutions against the Security Baseline
        – The Phase II assessment tool and report format is based upon the UNC Security Baseline
        – Additional assessment elements are based upon ISO 17799, other industry standards or state and federal guidelines
        – Unisys met with CIO designates at each member institution, performed the assessment and then prepared the Phase 2 report and baseline assessment tool
  60. Security Baseline Assessment Purpose
      • Provides the member institution a quantifiable measurement against the NetStudy Security Baseline Recommendations and known standards
      • Highlights strengths and opportunities for improvement within the security posture of the member institution
      • Provides observations and recommendations to strengthen the UNC Security Baseline Document
      • Provides a repeatable, packaged assessment of each member institution against the UNC Security Baseline Document
      • The deliverables for each member institution include an Assessment Report and the Assessment Tool. The tool can be used by the member institution as needed to re-assess the organization's security posture
  61. IT Professionals Roundtable. A security discussion… July 13th, 2005
      Section 4: Evolution of UNCG's Network
      Jonathan (Joff) S. Thyer, Campus Network Manager
  62. Traditional University Networks
      • Open access!
      • All machines are 100% exposed to the Internet.
      • Lingering historical perception that Internet users can be trusted. (It used to be a research network!)
      • Computer security is a user responsibility.
  63. What has changed?
      • The first-generation Internet is now a commercial entity.
      • The data network, application and database repositories are critical to the University core mission.
      • Computing devices have transformed into a business and academic utility over the past decade.
      • Internet2 is now the global research network.
  64. What else has changed?
      • UNCG's data network infrastructure has dramatically improved.
      • Computer processing power doubles annually, bringing enhanced ability to hacking tools.
      • From a modern PC, an individual user can transmit 125MB of data in 10 seconds
        – Equivalent to 40 copies of Tolstoy's "War and Peace" (1500 pages).
      • A modern PC can store more than 50 DVDs!
  65. What else has changed?
      • Hacking is no longer the domain of the computer expert minority.
      • Any user on the Internet has access to pre-packaged and sophisticated computer intrusion kits.
      • Hacking is a federally recognized cyber-terrorism weapon.
      • Any PC on the UNCG campus can be used as a weapon against other Internet users.
  66. The challenges facing us
      • Protect UNCG enterprise and critical database repositories.
      • Protect UNCG enterprise application services and maximize "up time".
      • Provide services to help our users abide by the law (HIPAA, FERPA).
      • Serve academic research network access needs. Do not let protections get in the way, or provide alternatives.
  67. How to meet the challenges
      • Build a highly protected separate network that contains the enterprise-critical data and application services.
      • Educate our users on security threats and how to "safely" compute in our new environment.
      • Encourage computer science research in the Internet2 domain.
  68. Evolution of UNCG Network
      • 1995-1998:
        – "Newbridge" Asynchronous Transfer Mode (ATM) based network.
        – 10 million bits per second (Mbps) to building boundaries (OC/3).
        – Shared-media 10Mbps thin-wire connects desktop systems.
        – Internet/NCREN connection at 45Mbps (DS3)
          • Later moved up to 155Mbps (OC3)
        – No network level security.
      • Spans from Windows 3.11 as the predominant desktop through to Windows 95.
  69. Evolution of UNCG Network
      • 1999-2002:
        – "Cisco Systems" Ethernet-based network
        – 100 Mbps to building boundaries
        – Dedicated 10Mbps connections for desktop systems.
        – Internet/NCREN connection at 622Mbps (OC12)
        – Basic network perimeter level security in the form of access control lists.
      • Spans from Windows 98 up through Windows 2000.
  70. Evolution of UNCG Network
      • 2003-2005:
        – "Cisco Systems" Ethernet-based network.
        – 1000Mbps (Gigabit) to building boundaries.
        – Dedicated 100Mbps connections for desktop systems.
        – Internet/NCREN connection at 2.4Gbps (OC48)
        – Some degree of network layer security:
          • Perimeter network security access control lists
          • Server farm firewall
          • Intrusion prevention systems
          • E-mail virus/worm filtering.
      • Spans from Windows 2000 up through Windows XP.
        – Windows XP SP2 introduces security features.
  71. UNCG Events Timeline
      • 2001 – 2002
        – Secure Server Farm infrastructure build:
          • Installation and testing of Cisco Catalyst 4006 series switch/routers.
          • Installation and testing of Cisco PIX-535 firewalls.
          • Installation and testing of Cisco VPN 3000 series concentrator.
      • Fall 2002
        – Departmental systems classified as Enterprise begin to be secured in the new Secure Server Farm.
      • 2003
        – Lotus email environment is secured behind the server farm firewall.
        – "MailFrontier" anti-spam/anti-virus email filtering system implemented.
  72. UNCG Events Timeline
      • 2004
        – New BANNER environment secured behind firewall.
      • 2004 – 2005
        – Remaining enterprise servers begin to be secured.
        – TippingPoint (IPS) implemented on network perimeter
      • August 15, 2005 Milestone
        – All Windows/Netware and Banner environments secured behind firewall.
  73. IT Professionals Roundtable. A security discussion… July 13th, 2005
      Section 5: Where are we going?
  74. Security Defense in Depth (diagram of layers, outermost first: Perimeter Defenses → Network Defenses → Host Defenses → Application Defenses → Data and Resources)
  75. Defensive Wall 1: Blocking Attacks: Network Based
      • Intrusion Prevention Systems (Network)
      • Intrusion Detection
      • Secure Web Filtering
      • Managed Security Services
      • Firewalls
      • Secure Email – Anti-Spam
      • Discovery and Mitigation
  76. Defensive Wall 2: Blocking Attacks: Host Based
      • Scan & Block/Quarantine Systems
      • Host Intrusion Prevention System
      • Spyware Removal
      • Personal Firewall
      • Personal Anti-virus
  77. Defensive Wall 3: Eliminating Security Vulnerabilities
      • Vulnerability Management & Penetration Testing
      • Patch Management/Vulnerability Remediation
      • Configuration Management
      • Security Configuration Compliance
      • Application Security Testing
  78. Defensive Wall 4: Safely Supporting Authorized Users
      • ID & Access Management
      • File Encryption
      • Secure Communication
      • Public Key Infrastructures (PKIs)
      • Virtual Private Networks (VPNs)
        – IPSEC-based Virtual Private Network
        – SSL Virtual Private Network
      • Secure Remote Access
  79. Defensive Wall 5: Tools to Minimize Business Losses and Maximize Effectiveness
      • Security Information Management
      • Business Transaction Integrity Monitoring
      • Security Skills Development
      • Forensics Tools
      • Regulatory Compliance Tools
      • Business Recovery
      • Back-Up
  80. IT Professionals Roundtable. A security discussion… July 13th, 2005
      Section 6: Questions