Title: Working Together to Protect the Campus Area Network

Slide 1: Working Together to Protect the Campus Area Network
8-13-07
SIUC IT Security Team: Rob Craig, Chet Langin, Curt Wilson
SIUC IT Network Engineering: Jerry Richards
SIUC LAN Administrators
Slide 2: Presentation goals
- To empower you with new information and tools to help protect faculty, staff and student private data, your systems and the campus network
- To raise awareness about current active threats and security-related processes
- To review past security incidents on campus with an eye towards reducing future events
Slide 3: Current threats
- Threats to our computer systems and data are numerous and continually growing
- Shift in motivation: attackers are now generally motivated by financial gain
- Malicious code and activities are getting harder to detect, and there is more of it
- Amount of Windows malware skyrocketing
  - Trojan horses, spyware/adware, bots, worms
- Other operating systems also attacked but not as often as Windows
Slide 4: Current threats
- Targeted attacks
  - One example that we know about
    - Within the last month attacks seen coming in from China specifically targeted towards .edus
    - Looking to compromise databases to steal SSNs
    - Using SQL Injection attacks on web applications
  - Attackers know that .edus are often a soft target, and don't care about your production schedules or anything else.
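The slide names SQL injection against web applications as the method behind the targeted .edu attacks. The Python example below is added here and is not part of the original presentation; it builds a throwaway in-memory SQLite table with invented records (not SIUC data) and sets a lookup that splices user input into the SQL text beside the hardened form that binds the value as a parameter and checks the input format first. The `students` table, the NetID format rule and all records are assumptions made for the demonstration.

```python
import re
import sqlite3

# Assumed NetID format for the allowlist check (constructed for this example,
# not SIUC's real rule): 1 to 8 lowercase letters or digits.
NETID_RE = re.compile(r"^[a-z0-9]{1,8}$")


def make_demo_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed, non-real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (netid TEXT, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [
            ("jdoe", "Jane Doe", "000-00-0001"),    # invented sample data
            ("bsmith", "Bob Smith", "000-00-0002"),  # invented sample data
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, netid: str) -> list:
    """Vulnerable pattern: user input is concatenated into the SQL text, so a
    quote character in the input changes the meaning of the query."""
    sql = "SELECT name FROM students WHERE netid = '" + netid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, netid: str) -> list:
    """Hardened pattern: the value is bound as a parameter. The database
    compiles the fixed SQL text first and then compares the input as a plain
    string, so the input can never be read as SQL syntax."""
    rows = conn.execute("SELECT name FROM students WHERE netid = ?", (netid,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, netid: str) -> list:
    """Defence in depth: reject input that does not match the expected
    identifier format before it reaches the database, then bind it."""
    if not NETID_RE.match(netid):
        raise ValueError("netid does not match the expected format")
    return lookup_parameterized(conn, netid)


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed probe of the classic "always true" form: the concatenated
    # query returns every row, the bound query returns nothing because no
    # netid literally equals this string, and the format check rejects it.
    probe = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(db, probe))
    print("parameterized: ", lookup_parameterized(db, probe))
    print("normal lookup: ", lookup_hardened(db, "jdoe"))
```

The format check is a second layer, not a replacement for binding: a web application that only validates input still breaks the first time a field legitimately needs a quote, while a bound parameter stays safe for any value.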
Slide 5: Current threats
- Many ways to compromise a system
  - Exposed and vulnerable network services
    - Old school, but still popular and deadly
    - Mitigation: patch, firewall, proper configuration
  - Vulnerabilities in the operating system
    - Remote and local threats
  - Vulnerabilities in client software
    - Web browsers: Firefox, Internet Explorer
    - Mail clients: Outlook, Outlook Express, etc.
    - Multimedia apps: QuickTime, Flash, RealPlayer, IM
    - Other apps: Java, backup software, webapps, antivirus
    - Mitigation: patch, don't let general users use Administrative-level accounts, teach users to be more careful
Slide 6: Solution Quicklist
- Patches/Updates for OS and apps
  - Be aware of update mechanisms
  - Use automatic updates whenever possible
  - Pay attention to client-side apps as well
  - Offline patching processes work nicely
- Firewall enabled
  - Modern versions of Windows have a built-in firewall. Use it; enable it before the computer ever touches any network connection.
- Privilege control
  - Greatly restrict use of administrative credentials
  - Most malware won't install unless the user is Admin
Slide 7: Solution Quicklist
- Anti-virus
  - Antivirus is not perfect, but it is a critical component
  - Keep it updated as often as possible; don't let users disable it
- Strong passwords/passphrases
  - Use strong passphrases that can't be guessed. Never use a blank or simple password, and don't reuse them
- User awareness
  - Don't be fooled by deception techniques via email or websites that want you to click on a link they provide. Often some type of enticement is used: too-good-to-be-true offers and/or fear of a negative consequence if you don't click now
- These are the absolute basics.
Slide 8: Solution Quicklist
- Please see the SIUC IT Security website for further suggestions on how to reduce your risk of computer compromise
- http://infotech.siu.edu/security

Slide 9: (No Transcript)
Slide 10: Active Directory passwords
- In the interests of following auditor requirements and security best practices, Jerry Richards from Network Engineering will discuss new password security standards for the SIUC Active Directory.
- The Network ID system already enforces the auditors' requirements; however, there are a smaller number of Active Directory-only accounts that are still out of compliance
- This pending change resolves non-compliance
Slide 11: Protecting Sensitive Data

Slide 12: Protecting Sensitive Data
- Our faculty, staff and student sensitive data is one of the most important things we must protect
  - SSNs, credit cards, bank numbers, etc.
- If sensitive data is stored on a system that is compromised or stolen, that data is considered compromised as well
  - Unless the data is encrypted
  - An encryption project is pending
Slide 13: Protecting Sensitive Data
- State of IL (and many others) has a data disclosure law that requires notification of any person affected by a private data compromise.
  - Costly
    - Expensive
    - Time-consuming
    - Damaging to reputation
  - http://www.siuc.edu/policies/policies/prsnlinfoprotectionact.htm/
- Protection costs less than infection!
  - Estimated costs: $182 per compromised record!
Slide 14: Protecting Sensitive Data
- The SIUC Administration is discussing how to proceed with a larger and more coordinated initiative that helps protect sensitive data. More information to come.
- In the meanwhile, we still must find, delete, and protect sensitive data whenever possible. To do that, we must first know where the data is.
Slide 15: Protecting Sensitive Data
- Cornell Spider
  - http://www.cit.cornell.edu/security/tools/
  - Finds SSNs, credit cards and custom search patterns
  - Windows, Linux, Unix, OS X
  - Well documented, widely used
  - SIUC IT only tested the Windows version; it worked well
  - Price is right (free)
Slide 16: Protecting Sensitive Data
- Suggestions for Cornell Spider use
  - Read all documentation first (RTFM!)
  - Be aware of limitations
  - Clear the web browser cache before the run
  - Close all open files before the run
  - Disconnect mapped drives when running on a workstation, unless you wish to scan all the mapped drives (slow)
  - Install on the server to check server disks directly
  - Tool appears solid and has a good reputation

Slide 17: Protecting Sensitive Data
- Suggestions for Cornell Spider use
  - Validate each result
  - Remove the sensitive data whenever possible
  - Protect the log files, as they could end up as a map for attackers or disgruntled employees. Remove them; shred them when no longer needed.
  - If data must stay on that system, then it should be protected, with encryption and with strong security practices
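Slides 15 to 17 describe running Cornell Spider over a disk, validating each hit by hand, and protecting the resulting log. The Python scanner below is an added example, not Cornell Spider's code or any SIUC tool; it implements the same idea on a small scale so the two follow-up points become concrete. It searches text for SSN-shaped and card-shaped numbers, applies structural checks (the area/group/serial values the SSA never issues; the Luhn check digit for payment cards) so a reviewer can see which hits still need manual validation, and records only masked values so the findings report is not itself a map to the data. The sample text is constructed; the card numbers are standard test values and the SSNs are made up.

```python
import re

# Patterns for the two data types the slides name. Both are loose on purpose:
# the structural checks below decide whether a hit is plausible.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators

# Constructed sample document (not real data; the card numbers are the
# well-known 4111... test values and the SSNs are invented).
SAMPLE_TEXT = """Advising notes (constructed sample)
Student ID on file: 123-45-6789
Old form field: 000-12-3456
Bookstore refund card: 4111 1111 1111 1111
Order number: 4111-1111-1111-1112
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Values the SSA never issues: area 000, 666 or 900-999, group 00,
    serial 0000. Passing these rules does not prove the number is real."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four digits so the findings log is safe to retain."""
    total_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_text(text: str) -> list:
    """Return (line_no, kind, masked_value, plausible) for every hit.
    plausible=False means the hit failed a structural check and is very
    likely a false positive; True means a person still has to validate it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append((line_no, "ssn", mask(m.group(0)), ssn_plausible(*m.groups())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            findings.append((line_no, "card", mask(m.group(0)), luhn_ok(digits)))
    return findings


def needs_review(findings: list) -> list:
    """Hits that passed the structural checks and must be validated by hand."""
    return [f for f in findings if f[3]]


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT):
        print(finding)
```

Run against the sample, the two hits on lines 3 and 5 are reported as implausible (an unissued SSN area, a card number that fails Luhn) and only the two on lines 2 and 4 go to a reviewer; the log never contains more than the last four digits of any hit. A real tool such as Spider also walks the filesystem and opens document formats, which this example leaves out.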
Slide 18: (No Transcript)
Slide 19: Protecting Sensitive Data
- What is encryption?
  - The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.
- SSH, SSL: examples of encryption that you use now
- AES (Advanced Encryption Standard) is the current standard

Slide 20: Basic encryption based on a single key

Slide 21: Encrypted e-mail message

Slide 22: Decrypted e-mail message
Slide 23: Protecting Sensitive Data
- Encrypting sensitive data
  - IT has future plans to offer a more comprehensive recommendation
  - In the meanwhile, there are a few options for encryption, but proceed carefully
  - Some tools that I have used
    - WinZip (with AES encryption feature) - commercial ($)
    - TrueCrypt (encrypted virtual disks) - free
    - PGP (Pretty Good Privacy) - commercial ($)
    - GPG (GNU Privacy Guard) - free
    - Others
Slide 24: Protecting Sensitive Data
- Encrypting sensitive data - Important considerations
  - Who has access to encryption keys
  - Data backup
  - Data recovery
  - Imaging/mirroring processes
  - Encryption key management
  - Decisions about authentication
    - Passphrase, key, hardware token/strong auth
  - Databases, web applications, groupware apps
Slide 25: Protecting Sensitive Data
- Encrypting sensitive data - Important considerations
  - Data needs to be protected (encrypted)
    - At rest (on disk, tape, USB drive, etc.)
    - In transit (disk, tape, LAN, email, net)
    - In use (through strict security standards)
  - Various solutions exist to fulfill needs at each level
Slide 26: Protecting Sensitive Data
- Encrypting sensitive data - Important considerations: data at rest
  - Laptops and mobile devices that must contain sensitive data are high-risk due to the higher chance of theft.
  - Don't store sensitive data on laptops and mobile devices (unless you must; then use encryption)
  - Laptops should at least use Full Disk Encryption software.
  - Desktops (and laptops) should ideally also use file and folder encryption
  - IT Security plans to evaluate commercial encryption software in the near future
Slide 27: Protecting Sensitive Data
- Encrypting sensitive data - Important considerations
  - Encryption is only as good as the keys that are used.
  - If using only passphrases, a strong passphrase is critical. Don't forget the passphrase, and protect it from disclosure.
  - For stronger security, the key can be based on the presence of a certificate, a hardware token and/or biometrics in addition to a passphrase
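Slide 27 makes the point that the key is only as good as the passphrase behind it, and slide 20 pictures encryption based on a single key. The Python example below is added here and is not from the presentation or from any of the tools it lists. It shows the step that sits between the two: a salted, iterated key derivation (PBKDF2-HMAC-SHA256 from the standard library) that turns a passphrase into the fixed-length key a single-key cipher such as AES would consume, plus a rough estimate of how large a guess space a passphrase presents. The AES step itself is not shown; the iteration count, key length and sample passphrases are assumptions for the example.

```python
import hashlib
import math
import os
import string

# Assumed parameters for the example (not taken from any named product).
ITERATIONS = 200_000   # each passphrase guess costs this many HMAC rounds
KEY_LEN = 32           # 256-bit key, the size AES-256 would consume


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn a passphrase into a fixed-length cipher key.
    The salt gives two users with the same passphrase different keys and
    defeats precomputed tables; the iteration count makes every guess slow.
    The same passphrase + salt + iterations always yields the same key, which
    is what lets the owner decrypt later, so salt and iteration count are
    stored next to the ciphertext (they are not secret; the passphrase is)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, KEY_LEN)


def new_salt() -> bytes:
    """16 random bytes from the OS, generated once per encrypted object."""
    return os.urandom(16)


def guess_space_bits(passphrase: str) -> float:
    """Crude upper bound on passphrase strength: log2 of the number of strings
    of the same length over the character classes actually used. Attackers
    try dictionaries and common patterns first, so this overstates strength
    for anything built from words; it is only useful to compare candidates."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in passphrase))
    if alphabet == 0:
        return 0.0
    return len(passphrase) * math.log2(alphabet)


if __name__ == "__main__":
    salt = new_salt()
    for candidate in ("Summer07!", "correct horse battery staple"):   # constructed samples
        key = derive_key(candidate, salt)
        print(f"{candidate!r}: ~{guess_space_bits(candidate):.0f} bits, key {key.hex()[:16]}...")
```

The derived key is only as unpredictable as the passphrase it came from: PBKDF2 slows each guess by the iteration count but does not add entropy, which is why the slide's advice about passphrase strength and the later slides' hardware tokens matter more than the cipher choice.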
Slide 28: Protecting Sensitive Data
- Encrypting sensitive data - Important considerations
  - To reduce passphrase issues, the use of strong authentication (something you have, something you know, something you are) is suggested for the highest security.
  - USB access tokens, often used with a passphrase
  - RSA SecurID
  - Biometric devices plus passphrase
  - Entrust USB and IdentityGuard tokens

Slide 29: Protecting Sensitive Data
- Encryption/authentication tokens
Slide 30: Protecting Sensitive Data
- Encryption increases management overhead. Reduce your sensitive data storage as much as possible to reduce your workload. Consolidate the data in a central location if you can.
- Each usage scenario needs to be analyzed to determine what type of encryption system is the best fit
- This is only a very basic introduction to data encryption. Contact me for further discussions or check www.google.com
Slide 31: Active threat: Storm Worm/Nuwar

Slide 32: Active threat: Storm Worm/Nuwar
- Rob Craig, SIUC IT Security Team
- Storm worm often arrives as a fake e-card but has been seen disguising itself as other content
- Complex botnet used for spam and DDoS
- Very large: estimated between 25,000 and 1,000,000 compromised hosts on the botnet
- Students will be bringing infected systems to campus
- Awareness!

Slide 33: (No Transcript)
Slide 34: Fall 2007 incident goals
- At least a 50% reduction in vulnerable Windows systems
  - Patching, oversight, installation procedures
- At least a 50% reduction in compromised Windows systems
  - Patching, following best security practices as previously outlined
- Let's work together to reach these goals
- How else can we help?
Slide 35: IT Security Procedures
- When IT Security finds a computer system with a critical vulnerability, we:
  - Disconnect the system from the campus network (if a LAN or RezNet connection)
    - Other systems on the same hub/switch will also be disconnected
  - Disable the ID (if a VPN or dial-in user)
  - Notify all affected parties, create extensive documentation, coordinate with the Computer Support Center
    - Time to compromise can be very, very short
  - Restore connectivity when the vulnerability is resolved

Slide 36: IT Security Procedures
- When IT Security discovers a system that has been compromised, we:
  - Disconnect the system from the campus network (if a LAN or RezNet connection)
    - Other systems on the same hub/switch will also be disconnected
  - Disable the ID (if a VPN or dial-in user)
  - Notify all affected parties, create extensive documentation, coordinate with the Computer Support Center
  - Require a full reinstall of the operating system before connectivity is restored
  - Begin an investigation if necessary
Slide 37: Questions, comments?

Slide 38: Summary
- Protecting the campus network and our sensitive data is everyone's job
- We must work together to make progress
- IT Security is here to help
- Thank you for your presence!
- security_at_siu.edu
- http://infotech.siu.edu/security