Educause Task Force on
System Security
Dan Updegrove, University of Texas at Austin
H. Morrow Long, Yale University
NERCOMP 2001, Worcester MA
March 19, 2001
<www.educause.edu/security>
EDUCAUSE Systems Security Task Force - March 19, 2001
Outline
• Some history
• The current situation
• “Simple” steps towards security
• One university’s response
• Other security initiatives
• SANS “Top 10 List” of vulnerabilities
• The EDUCAUSE Task Force
• How you can participate
Some Recent Internet History
• 1986 – Major NSF funding for national
backbone & regional supercomputer centers
• 1988 – Robert Morris & the Internet Worm
• 1988 – Creation of CERT at CMU
• 1989 – The Cornell Commission report
• 1989 – Clifford Stoll’s The Cuckoo’s Egg
• 1991 – CIX, commercial use, & Gopher
Internet History, cont’d
• 1993 – Mosaic browser released by UIUC
• 1993-4 ISP Sniffing attacks (PANIX, NearNet)
• 1994-5 Kevin Mitnick demos TCP Hijacking.
• 1995 – National backbone privatized
• 1995 – SATAN released by Farmer & Venema
• 1996 – PANIX, Internet Chess Server, and
other web sites shut down by SYN attacks.
• 1996 – Internet 2 consortium formed
2000-2001 Academic InfoSec
• Feb – Distributed Denial of Service (DDoS)
attacks bring down key .COM sites; university
sites implicated (UC Davis, UCLA, Stanford,
etc.)
• June – SANS Top Ten list released.
• June-July – Univ. of Washington Medical
Center intrusion. 4000 medical records
involved. No firewall protecting server.
• Feb 2001 – Indiana University Bursar server
with anon FTP enabled and student records.
• March – 40+ E-Commerce NT/IIS servers
hacked from E. Europe. Credit card #s. FBI
NIPC alert.
The Current Situation
• The Internet is a world-wide, increasingly
mission-critical infrastructure
• Internet’s underlying structure, protocols, &
governance are still primarily open
• Many vendors ship systems w/ insecure
configs (NT, Linux, W2K, Unixes, IIS )
• Massive CPU power & bandwidth available to
crackers as well as scientists, e-commerce
• Many college & university networks are
insecure
Information Security in HE
• Research universities: deployment of
workstations & servers by researchers
whose talents are usually focused
elsewhere
• Smaller institutions: dearth of tech skills
• Dorm networking: little adult supervision
• Too few security experts; weak tools;
most institutions have no InfoSec office.
• Few policies regarding systems security
Information Security in US HE
• 3500+ Colleges and Universities
• > 1000 Community colleges
• < 100 major research universities
• 125+ University Medical Schools
• 400 Teaching Hospitals
• 150+ Institutional members of Internet2
Targets of Opportunity on US
HE Computer Networks
• Sensitive Data
– Credit Card #s, ACH (NACHA) bank #s
– patient records (SSN)
– student records (SSN)
– institution financial records
– Investment records
– donor records
– research data
Why US HE Computer
Networks are attractive targets
• Platforms for launching attacks
– Wired dorms (insecure Linux PCs, PC Trojans)
– High bandwidth Internet (Fract T3, T3, T3+)
– High computing capacity (scientific computing
clusters, even web servers, etc.).
– “Open” network security environment (no firewalls
or only “light” filtering routers on many high
bandwidth WANs and LANs)
– Trust relationships between departments at
various Universities for research (e.g. Physics)
– Univ research lab computers are often insecure
and unmanaged.
Unique Challenges to implementing
Information Security in Higher Ed
• Academic “Culture” and tradition of open and free
networking
• Lack of control over users
• Decentralization (no mainframe anymore)
• Lack of financial resources
• Creative Network Anarchy – anyone can attach
anything to the network
• IT has not always been central to institutional mission
-- changing attitudes and getting “buy in” requires
politics and leadership.
What should US HE IT be doing
W.R.T. Information Security
• Investigating network security methods.
• Investigating strong authentication methods
(e.g. smart cards, tokens).
• Evaluating “best practices” in:
– Higher Education
– Corporations
– Government
– Military
• Developing common recommended policies.
Trends in Academic InfoSec
• E-Commerce sites threaten litigation against future
DDoS sites. Liability for negligence?
• Insurance companies begin to rewrite liability policies,
separate ‘cyber’ policies to require info security
vulnerability assessments & changes.
• Funding agencies to require firewalls, security?
• HIPAA is a “forcing function” in academic Medical
Centers.
• FERPA, COPPA, DMCA, Privacy legislation.
• If HE InfoSec doesn’t improve, will more federal
legislation be far behind?
InfoSec Trends Elsewhere
• Some of the K-12 school system networks
are the only sites (in the US) which have
worse network and system security than
.EDU sites.
• Information security at State gov. agencies
and municipal governments is a mixed bag.
• Outside US some academic institutions are
more tightly controlled (e.g. Internet access is
severely restricted), some not.
InfoSec Trends Elsewhere
• .MIL sites take steps to secure data and
servers (Mac web servers, data
isolation/classification). Broke initial
ground in IDS (Intrusion Detection
Systems).
• .GOV – NIST has released draft
guidelines/recommendations for info
security to be implemented at Federal
Government agencies.
InfoSec Trends Elsewhere
• .COM sites – Some web sites have poor
security (even those outsourced), some (e.g.
financial) strive to be state of the art.
• Insurance/auditors requiring security
assessments for policies.
• BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
• CISSP / CISA / SANS GIAC / Vendor
(Microsoft/Cisco/Checkpoint) certifications
of Information Security personnel
Corporate InfoSec Trends,
(relatively rare in US HE)
• Firewalls, proxies, user access control
• Network monitoring, bandwidth management
• Extensive logging, logfile analysis
• IDS – Intrusion Detection Systems
• VPNs (Virtual Private Networks)
– PPTP, L2TP, IPSEC
• Strong Authentication – PKI, Smartcards
• Vulnerability scanning (internal, external)
• Change Control / Management
• Managed Security Services (e.g. outsourced)
Simple Steps to Info Security
• Accept/Understand the dangers (current threat env.)
• Inventory your critical systems (Virginia Tech Excel)
• Risk Mgt: Assess/prioritize the risks to these systems
• Secure critical (and legally mandated systems) by
patching/hardening the OS and applications
• Move critical systems into data centers where they will
be physically and environmentally secure as well as
under pro system admin.
• Use internal firewalls to secure data center server
subnets (the protected enclave model) and other
critical sites -- even where perimeter firewall(s) exists.
• Scan and fix your systems – prioritize.
More “Simple Steps”
• Create and fund an InfoSec Office(r)
• Empower the InfoSec Office(r)
– Authorize & fund network scanning
– Authorize “pulling the plug”
– Create policies - particularly regarding calling law
enforcement – legal advice.
– Restrict NT domain administration severely (e.g. to InfoSec)
• Centralized 7x24 hour production operations
• Professional system administration
• Network partitioning (admin servers, DMZ, residential
colleges, student clusters/labs, research labs, etc.)
via routers, firewalls, subnets / VLANs, separate
Internet feeds.
Less “Simple Steps” 
• Abolish or strongly discourage “insecure” network
protocols (telnet, ftp, rlogin/rsh, std HTTP forms for
sensitive data)
• Encourage or require encryption for network protocols
(passwords, data streams / stores)
• Attempt to abolish use of Social Security # as a unique
identifier as well as a PIN/password.
• Require/encourage strong authentication (good
passwords, smartcards or physical tokens, biometrics,
Kerberos or X.509 certificates) particularly for
privileged access and sensitive important applications.
• Conduct a massive education campaign – give
examples of incidents and “bad practices”.
Lesser “Simple Steps” 
• Provide dis/incentives (sticks & carrots) to shift
the existing cost/benefit security calculus.
• Flip “allow everything / deny by exception” vs.
“deny everything / allow …” net access rule.
• Put critical systems & net under change mgt.
• Install Tripwire™, ISS System Scanner™ or
similar systems (AIDE) on critical systems
– so that you know when they have changed (and
you have been hacked)
• Get Anti-Virus software installed campus-wide.
Least “Simple Steps” 
• Manage passwords
– Require strength and changing (30-90 days)
– Expect resistance (do you have political will)
• Manage vendor upgrades and “hot fixes”
– Microsoft “hot fixes” for NT, W2K, IIS are out of control and
many believe unmanageable.
• Secure software obtained from Vendors
– Tough because most application software is shrinkwrapped or outsourced.
– But you can create alternate ‘secure’ builds of software
such as Red Hat Linux, Unix, NT, Windows 2000.
One University’s Response
• Yale University: 11,000 students, 11,000
faculty & staff; 16,000 hosts; wired dorms;
500 modem lines; I1 & I2; wireless pilots
• Information Security Officer hired in 1997; two
additional staff added by 1999, one focused
on admin, one on research/students
• This office is extremely busy!
One University, cont’d
• Internet Security Systems (ISS) licensed 1998
• Found numerous vulnerabilities, many severe
• Some systems admins grateful for the info; some
overwhelmed by the tasks ahead
• One user complaint when home net scanned
• Student paper assumed search for MP3s
One University, cont’d
• IT Appropriate Use Policy amended to
authorize scans, even for personal machines
• Automated report dist by running a ‘.BAT’
script of NT cmd line ISS scanner, PGP-encrypting, & sending E-mail to dept admins
• Distribute ISS s/w & license keys so depts
can scan themselves, perform repairs.
One University, cont’d
• 2nd data center w/ mirrored disk for disaster
recovery
• Extensive use of IBM’s ADSM for backup
• Firewalls: Internet gateway & Data Centers
• System admin hygiene, SSH, et al.
• Eliminated insecure Telnet/FTP to central
servers, distributed SSH and other tools
• Promotion of encryption (more policy issues)
• VPN server set up and publicized
• Campus-wide Anti-Virus software license
obtained, software distributed.
Other Security Initiatives
• Computer Security Institute
• Forum of Incident Response & Security
Teams
• System Administrators Guild of USENIX
• USENIX Security Conference
• CERT Coordination Center
• NIST Computer Security Division
Other Initiatives (cont’d)
• Commercial & public domain software
• CREN Certificate Authority; Net@Edu
PKI working group; Internet 2 PKI Labs,
Internet2 Security Working Group
• SANS -- System Administration,
Networking, & Security Institute
• Center for Internet Security
SANS Top 10 Vulnerabilities
• BIND weaknesses: nxt, qinv & in.named allow
immediate root compromise
• Vulnerable CGI programs & app extensions
• RPC weaknesses in ToolTalk, Calendar
Manager, rpc.statd allow immed root cmp
• RDS security hole in Microsoft’s Internet
Information Server
• Sendmail buffer overflow, pipe attacks,
MIMEbo allow immed root compromise
SANS Top 10, cont’d
• Sadmind & mountd
• Global file sharing, inappropriate info sharing
via NetBIOS, UNIX NFS, MacOS
• User Ids, esp root/admin weak passwords
• IMAP & POP buffer overflow, misconfig
• Default SNMP community strings set to
“public” & “private”
SANS Top 10, cont’d
• ISS, other tools can scan for them
• Eliminating top 10 not sufficient
• Top 10 a moving target
• But how many institutions have got
these ten vulnerabilities under control?
• And couldn’t we make more progress if
we engaged in joint action?
SANS SSH.COM SSH for
Educational Institutions
• SANS worked with SSH.COM to obtain
free SSH2 implementations for US
educational institutions.
• http://www.ssh.com/license.html
• http://www.ssh.com/commerce/noncommercial_site_license_request.html
• http://www.ssh.com/about/press/2000/release15082000.html
FBI NIPC/Microsoft IIS Alert
• MS99-025, Unauthorized Access to IIS
Servers Through ODBC Data Access with RDS.
• MS00-014, SQL Query Abuse.
• MS00-095, Registry Permissions.
• MS00-086, Web Server File Request Parsing.
Educause Task Force
• Announced to all member reps in July email
from Mark Luker, VP for Networking
• Co-chaired by Gordon Wishon, Associate VP
& Associate Vice Provost for IT, Georgia Tech;
& Dan Updegrove, VP for Information
Technology, University of Texas at Austin
• Committee co-chairs named
TF Committees - 1
• Detection, prevention, & response to
attacks
• Jack Suess, CIO, University of
Maryland, Baltimore County
• Steve Hansen, Security Policy Officer,
Stanford
TF Committees - 2
• Campus Policies
• Mark S. Bruhn, IT Policy Officer, Indiana
U
• Rodney Petersen, Dir, Policy &
Planning, U of Maryland, College Park
TF Committees - 3
• Education & awareness
• Michelle Norin, Director for IT Outreach,
University of Arizona ([email protected])
• Gordon Wishon, VP & Vice Provost for
IT, Georgia Tech
TF Committees - 4
• Emerging Technologies
• Clifford Collins, Ohio Academic &
Research Network (OARnet)
• Ken Klingenstein, University of
Colorado & Chief
Technologist/Middleware Project
Director, Internet 2
EDUCAUSE Initiatives
• Education/Awareness – Speakers; Developing or
obtaining high quality seminar materials; AN-MSI
information security tutorials (e.g. CA Native American
C.C.).
• “Best” Practices Security Recommendations - publish
• Tools – Vulnerability Scanners (commercial and noncommercial), DDoS zombie detectors, patch tools, etc.
• Federal (NSF) grant proposal?
• Vendor contacts / potential group purchase discounts.
• PKI (HEPKI-PAG, HEPKI-TAG) – Public Key Infra
• Obtaining security consulting/assessment/emergency
notification (e.g. Internet 911) services for academia?
How You Can Participate
• Welcome: info security officers, network
& systems experts, policy specialists,
attorneys, vendors, -- even CIOs!
• Meetings, email, website, white papers
• <http://www.educause.edu/security>