1
Working Together to Protect the Campus Area Network
8-13-07
SIUC IT Security Team: Rob Craig, Chet Langin, Curt Wilson
SIUC IT Network Engineering: Jerry Richards
SIUC LAN Administrators
2
Presentation goals
  • To empower you with new information and tools to
    help protect faculty, staff and student private
    data, your systems and the campus network
  • To raise awareness about current active threats
    and security-related processes
  • To review past security incidents on campus with
    an eye towards reducing future events

3
Current threats
  • Threats to our computer systems and data are
    numerous and continually growing
  • Shift in motivation: attackers are now generally
    motivated by financial gain
  • Malicious code and activities are getting harder
    to detect, and there is more of it
  • Amount of Windows malware skyrocketing
  • Trojan horses, spyware/adware, bots, worms
  • Other operating systems also attacked but not as
    often as Windows

4
Current threats
  • Targeted attacks
  • One example that we know about
  • Within the last month attacks seen coming in from
    China specifically targeted towards .edus
  • Looking to compromise databases to steal SSNs
  • Using SQL Injection attacks on web applications
  • Attackers know that .edus are often a soft
    target, and don't care about your production
    schedules or anything else.

5
Current threats
  • Many ways to compromise a system
  • Exposed and vulnerable network services
  • Oldschool, but still popular and deadly
  • Mitigation: patch, firewall, proper configuration
  • Vulnerabilities in the operating system
  • Remote and local threats
  • Vulnerabilities in client software
  • Web browsers: Firefox, Internet Explorer
  • Mail clients: Outlook, Outlook Express, etc.
  • Multimedia apps: QuickTime, Flash, RealPlayer,
    IM
  • Other apps: Java, backup software, web apps,
    antivirus
  • Mitigation: patch, don't let general users use
    Administrative-level accounts, teach users to be
    more careful

6
Solution Quicklist
  • Patches/Updates for OS and apps
  • Be aware of update mechanisms
  • Use automatic updates whenever possible
  • Pay attention to client-side apps as well
  • Offline patching processes work nicely
  • Firewall enabled
  • Modern versions of Windows have a built-in
    firewall. Use it, enable it before the computer
    ever touches any network connection.
  • Privilege control
  • Greatly restrict use of administrative
    credentials
  • Most malware won't install unless the user is Admin

7
Solution Quicklist
  • Anti-virus
  • Antivirus is not perfect but is a critical component
  • Keep it updated as often as possible; don't let
    users disable it
  • Strong passwords/passphrases
  • Use strong passphrases that can't be guessed.
    Never use a blank or simple password, and don't
    reuse them
  • User awareness
  • Don't be fooled by deception techniques via email
    or websites that want you to click on a link they
    provide. Often some type of enticement is used:
    too-good-to-be-true offers and/or fear of a negative
    consequence if you don't click now
  • These are the absolute basics.

8
Solution Quicklist
  • Please see the SIUC IT Security website for
    further suggestions on how to reduce your risk to
    computer compromise
  • http://infotech.siu.edu/security

10
Active Directory passwords
  • In the interests of following auditor
    requirements and security best practices, Jerry
    Richards from Network Engineering will discuss
    new password security standards for the SIUC
    Active Directory.
  • The Network ID system already enforces the
    auditor's requirements; however, there is a smaller
    number of Active Directory-only accounts that
    are still out of compliance
  • This pending change resolves non-compliance

11
Protecting Sensitive Data
12
Protecting Sensitive Data
  • Our faculty, staff and student sensitive data is
    one of the most important things we must protect
  • SSNs, credit cards, bank numbers, etc.
  • If sensitive data is stored on a system that is
    compromised or stolen, that data is considered
    compromised as well
  • Unless the data is encrypted
  • An encryption project is pending

13
Protecting Sensitive Data
  • State of IL (and many others) has a data
    disclosure law that requires notification of any
    person affected by a private data compromise.
  • Costly
  • Expensive
  • Time-consuming
  • Damaging to reputation
  • http://www.siuc.edu/policies/policies/prsnlinfoprotectionact.htm/
  • Protection costs less than infection!
  • Estimated cost: $182 per compromised record!

14
Protecting Sensitive Data
  • The SIUC Administration is discussing how to
    proceed with a larger and more coordinated
    initiative that helps protect sensitive data.
    More information to come.
  • In the meanwhile, we still must find, delete, and
    protect sensitive data whenever possible. To do
    that, we must first know where the data is.

15
Protecting Sensitive Data
  • Cornell Spider
  • http://www.cit.cornell.edu/security/tools/
  • Finds SSN, credit cards and custom search
  • Windows, Linux, Unix, OSX
  • Well documented, widely used
  • SIUC IT only tested Windows version, worked well
  • Price is right (free)

16
Protecting Sensitive Data
  • Suggestions for Cornell Spider use
  • Read all documentation first (rtfm!)
  • Be aware of limitations
  • Clear web browser cache before run
  • Close all open files before run
  • Disconnect mapped drives when running on a
    workstation, unless you wish to scan all the
    mapped drives (slow)
  • Install on server to check server disks directly
  • Tool appears solid and has a good reputation

17
Protecting Sensitive Data
  • Suggestions for Cornell Spider use
  • Validate each result
  • Remove the sensitive data whenever possible
  • Protect the log files as they could end up as a
    map for attackers or disgruntled employees.
    Remove them, shred them when no longer needed.
  • If data must stay on that system, then it should
    be protected, with encryption and with strong
    security practices
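To show what a Spider-style sensitive-data search does, and why the slide says to validate each result, here is an added example (not Cornell Spider's code, and not from the presentation). It scans constructed sample text for SSN-shaped and card-shaped numbers and then applies structural checks (SSA area/group/serial rules, the Luhn checksum) so that obvious false positives are dropped before anyone spends time on them.

```python
import re

# Constructed sample standing in for file contents on a scanned host
# (all values are test numbers, not real data).
SAMPLE = """Payroll export 2007
emp 1: ssn 219-09-9999 card 4111 1111 1111 1111
emp 2: ssn 000-12-3456 card 4111-1111-1111-1112
order id 123-45-6789 ref 5500000000000004
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def plausible_ssn(area, group, serial):
    """Reject SSNs the SSA never issues: zero area/group/serial, area 666 or 900+."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum shared by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (line number, kind, value) for every hit that passes validation."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append((lineno, "ssn", m.group(0)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, "card", digits))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The output of a run like this is exactly the kind of log the slide warns about: it is a map to the sensitive data, so keep it protected and destroy it when the cleanup is done.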

19
Protecting Sensitive Data
  • What is encryption?
  • The translation of data into a secret code.
    Encryption is the most effective way to achieve
    data security. To read an encrypted file, you
    must have access to a secret key or password that
    enables you to decrypt it. Unencrypted data is
    called plain text; encrypted data is referred to
    as cipher text.
  • SSH and SSL are examples of encryption that you use now
  • AES (Advanced Encryption Standard) is the current
    standard

20
Basic encryption based on a single key
21
Encrypted e-mail message
22
Decrypted e-mail message
23
Protecting Sensitive Data
  • Encrypting sensitive data
  • IT has future plans to offer a more comprehensive
    recommendation
  • In the meanwhile, there are a few options for
    encryption but proceed carefully
  • Some tools that I have used
  • WinZip (with AES encryption feature) -
  • TrueCrypt (encrypted virtual disks) - free
  • PGP (Pretty Good Privacy) -
  • GPG (GNU Privacy Guard) - free
  • Others

24
Protecting Sensitive Data
  • Encrypting sensitive data - Important
    considerations
  • Who has access to encryption keys
  • Data backup
  • Data recovery
  • Imaging/mirroring processes
  • Encryption key management
  • Decisions about authentication
  • Passphrase, key, hardware token/strong auth
  • Databases, web applications, groupware apps

25
Protecting Sensitive Data
  • Encrypting sensitive data - Important
    considerations
  • Data needs to be protected/encrypted:
  • At rest (on disk, tape, USB drive, etc.)
  • In transit (disk, tape, LAN, email, net)
  • In use (through strict security standards)
  • Various solutions exist to fulfill needs at each
    level

26
Protecting Sensitive Data
  • Encrypting sensitive data - Important
    considerations: data at rest
  • Laptops and mobile devices that must contain
    sensitive data are high-risk due to the higher chance
    of theft.
  • Don't store sensitive data on laptops and mobile
    devices (unless you must; then use encryption)
  • Laptops should at least use Full Disk Encryption
    software.
  • Desktops (and laptops) should ideally also use
    file and folder encryption
  • IT Security plans to evaluate commercial
    encryption software in the near future

27
Protecting Sensitive Data
  • Encrypting sensitive data - Important
    considerations
  • Encryption is only as good as the keys that are
    used.
  • If using only passphrases, a strong passphrase is
    critical. Don't forget the passphrase, and protect it
    from disclosure.
  • For stronger security, the key can be based on
    the presence of a certificate, a hardware token
    and/or biometrics in addition to a passphrase

28
Protecting Sensitive Data
  • Encrypting sensitive data - Important
    considerations
  • To reduce passphrase issues, the use of strong
    authentication (something you have, something you
    know, something you are) is suggested for highest
    security.
  • USB access tokens, often used with a passphrase
  • RSA SecurID
  • Biometric devices plus passphrase
  • Entrust USB and IdentityGuard tokens

29
Protecting Sensitive Data
  • Encryption/authentication tokens

30
Protecting Sensitive Data
  • Encryption increases management overhead. Reduce
    your sensitive data storage as much as possible
    to reduce your workload. Consolidate the data in
    a central location if you can.
  • Each usage scenario needs to be analyzed to
    determine what type of encryption system is the
    best fit.
  • This is only a very basic introduction to data
    encryption. Contact me for further discussions or
    check www.google.com

31
Active threat Storm Worm/Nuwar
32
Active threat Storm Worm/Nuwar
  • Rob Craig, SIUC IT Security Team
  • Storm Worm often arrives as a fake e-card but has
    been seen disguising itself as other content
  • Complex botnet used for spam and DDoS
  • Very large: estimated between 25,000 and
    1,000,000 compromised hosts on the botnet
  • Students will be bringing infected systems to
    campus
  • Awareness!

34
Fall 2007 incident goals
  • At least a 50% reduction in vulnerable Windows
    systems
  • Patching, oversight, installation procedures
  • At least a 50% reduction in compromised Windows
    systems
  • Patching, following best security practices as
    previously outlined
  • Let's work together to reach these goals
  • How else can we help?

35
IT Security Procedures
  • When IT Security finds a computer system with a
    critical vulnerability, we:
  • Disconnect the system from the campus network (if
    a LAN or RezNet connection)
  • Other systems on the same hub/switch will also be
    disconnected
  • Disable the ID (if a VPN or dial-in user)
  • Notify all affected parties, create extensive
    documentation, coordinate with the Computer
    Support Center
  • Time to compromise can be very, very short
  • Restore connectivity when vulnerability is
    resolved

36
IT Security Procedures
  • When IT Security discovers a system that has been
    compromised, we:
  • Disconnect the system from the campus network (if
    a LAN or RezNet connection)
  • Other systems on the same hub/switch will also be
    disconnected
  • Disable the ID (if a VPN or dial-in user)
  • Notify all affected parties, create extensive
    documentation, coordinate with the Computer
    Support Center
  • Require a full reinstall of the operating system
    before connectivity is restored
  • Begin investigation if necessary

37
Questions, comments?
38
Summary
  • Protecting the campus network and our sensitive
    data is everyone's job
  • We must work together to make progress
  • IT Security is here to help
  • Thank you for your presence!
  • security@siu.edu
  • http://infotech.siu.edu/security