Explore the history, vulnerabilities, and initiatives regarding information security in higher education networks. Learn about recent internet attacks, challenges in implementation, and recommended security practices.
Educause Task Force on System Security
Dan Updegrove, University of Texas at Austin
H. Morrow Long, Yale University
NERCOMP 2001, Worcester MA, March 19, 2001
<www.educause.edu/security>
EDUCAUSE Systems Security Task Force - March 19, 2001
Outline
• Some history
• The current situation
• “Simple” steps towards security
• One university’s response
• Other security initiatives
• SANS “Top 10 List” of vulnerabilities
• The EDUCAUSE Task Force
• How you can participate
Some Recent Internet History
• 1986 – Major NSF funding for national backbone & regional supercomputer centers
• 1988 – Robert Morris & the Internet Worm
• 1988 – Creation of CERT at CMU
• 1989 – The Cornell Commission report
• 1989 – Clifford Stoll’s The Cuckoo’s Egg
• 1991 – CIX, commercial use, & Gopher
Internet History, cont’d
• 1993 – Mosaic browser released by UIUC
• 1993-4 – ISP sniffing attacks (PANIX, NearNet)
• 1994-5 – Kevin Mitnick demos TCP hijacking
• 1995 – National backbone privatized
• 1995 – SATAN released by Farmer & Venema
• 1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks
• 1996 – Internet 2 consortium formed
2000-2001 Academic InfoSec
• Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
• June – SANS Top Ten list released
• June-July – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server.
• Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records
• March – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.
The Current Situation
• The Internet is a world-wide, increasingly mission-critical infrastructure
• Internet’s underlying structure, protocols, & governance are still primarily open
• Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
• Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
• Many college & university networks are insecure
Information Security in HE
• Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
• Smaller institutions: dearth of tech skills
• Dorm networking: little adult supervision
• Too few security experts; weak tools; most institutions have no InfoSec office
• Few policies regarding systems security
Information Security in US HE
• 3500+ Colleges and Universities
• > 1000 Community colleges
• < 100 major research universities
• 125+ University Medical Schools
• 400 Teaching Hospitals
• 150+ Institutional members of Internet2
Targets of Opportunity on US HE Computer Networks
• Sensitive Data
  • Credit Card #s, ACH (NACHA) bank #s
  • patient records (SSN)
  • student records (SSN)
  • institution financial records
  • investment records
  • donor records
  • research data
Why US HE Computer Networks are attractive targets
• Platforms for launching attacks
  • Wired dorms (insecure Linux PCs, PC Trojans)
  • High bandwidth Internet (Fract T3, T3, T3+)
  • High computing capacity (scientific computing clusters, even web servers, etc.)
• “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
• Trust relationships between departments at various Universities for research (e.g. Physics)
• Univ research lab computers are often insecure and unmanaged
Unique Challenges to implementing Information Security in Higher Ed
• Academic “Culture” and tradition of open and free networking
• Lack of control over users
• Decentralization (no mainframe anymore)
• Lack of financial resources
• Creative Network Anarchy – anyone can attach anything to the network
• IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership
What should US HE IT be doing W.R.T. Information Security
• Investigating network security methods
• Investigating strong authentication methods (e.g. smart cards, tokens)
• Evaluating “best practices” in:
  • Higher Education
  • Corporations
  • Government
  • Military
• Developing common recommended policies
Trends in Academic InfoSec
• E-Commerce sites threaten litigation against future DDoS launch sites. Liability for negligence?
• Insurance companies begin to rewrite liability policies, with separate ‘cyber’ policies that require info security vulnerability assessments & changes
• Funding agencies to require firewalls, security?
• HIPAA is a “forcing function” in academic Medical Centers
• FERPA, COPPA, DMCA, Privacy legislation
• If HE InfoSec doesn’t improve, will more federal legislation be far behind?
InfoSec Trends Elsewhere
• Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites
• Information security at State gov. agencies and municipal governments is a mixed bag
• Outside US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not
InfoSec Trends Elsewhere
• .MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).
• .GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies
InfoSec Trends Elsewhere
• .COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art
• Insurance/auditors requiring security assessments for policies
• BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
• CISSP / CISA / SANS GIAC / Vendor (Microsoft/Cisco/Checkpoint) certifications of Information Security personnel
Corporate InfoSec Trends (relatively rare in US HE)
• Firewalls, proxies, user access control
• Network monitoring, bandwidth management
• Extensive logging, logfile analysis
• IDS – Intrusion Detection Systems
• VPNs (Virtual Private Networks)
  • PPTP, L2TP, IPSEC
• Strong Authentication – PKI, Smartcards
• Vulnerability scanning (internal, external)
• Change Control / Management
• Managed Security Services (e.g. outsourced)
Simple Steps to Info Security
• Accept/Understand the dangers (current threat env.)
• Inventory your critical systems (Virginia Tech Excel)
• Risk Mgt: Assess/prioritize the risks to these systems
• Secure critical (and legally mandated) systems by patching/hardening the OS and applications
• Move critical systems into data centers where they will be physically and environmentally secure as well as under pro system admin
• Use internal firewalls to secure data center server subnets (the protected enclave model) and other critical sites -- even where perimeter firewall(s) exist
• Scan and fix your systems – prioritize
More “Simple Steps”
• Create and fund an InfoSec Office(r)
• Empower the InfoSec Office(r)
• Authorize & fund network scanning
• Authorize “pulling the plug”
• Create policies - particularly regarding calling law enforcement – legal advice
• Restrict NT domain administration severely (e.g. to InfoSec)
• Centralized 7x24 hour production operations
• Professional system administration
• Network partitioning (admin servers, DMZ, residential colleges, student clusters/labs, research labs, etc.) via routers, firewalls, subnets / VLANs, separate Internet feeds
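The “protected enclave” and network-partitioning steps above come down to a packet-filter policy on the boundary of each partition. The following is an added example (not code from the Task Force or from any university named in the talk) that models two ways of writing that policy for a data-center subnet and audits the same set of connection attempts against both. All networks, hosts and ports are constructed for illustration; the point it makes is that a default-allow ruleset with a few explicit denies still exposes every service nobody thought to list (NFS, SNMP, NetBIOS), while a default-deny ruleset exposes only what was deliberately permitted.

```python
"""
Packet-filter policy model for a data-center 'enclave' subnet.
Added example, not Task Force or university code; all addresses,
ports and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules, default: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; if nothing matches, the policy default applies."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return default


ADMIN_NET = "10.1.0.0/24"   # constructed: central IT staff subnet
DC_NET = "10.2.0.0/24"      # constructed: data-center server enclave
DORM_NET = "10.9.0.0/16"    # constructed: residential network
ANY = "0.0.0.0/0"

# Policy A, "allow everything / deny by exception": block what is known to be bad,
# everything else reaches the servers.
DEFAULT_ALLOW = [
    Rule("deny", DORM_NET, DC_NET, 23),    # telnet from the dorms
    Rule("deny", DORM_NET, DC_NET, 21),    # ftp from the dorms
]

# Policy B, "deny everything / allow by exception": list only what must cross
# the enclave boundary.
DEFAULT_DENY = [
    Rule("allow", ADMIN_NET, DC_NET, 22),  # SSH for administrators only
    Rule("allow", ANY, DC_NET, 443),       # the public web service, over TLS
]

# Constructed connection attempts against one server inside the enclave
ATTEMPTS = [
    ("10.1.0.5", "10.2.0.10", 22),       # administrator SSH
    ("10.9.3.7", "10.2.0.10", 443),      # student browsing the web service
    ("10.9.3.7", "10.2.0.10", 23),       # student telnet
    ("10.9.3.7", "10.2.0.10", 2049),     # student to NFS
    ("10.9.3.7", "10.2.0.10", 161),      # student to SNMP
    ("198.51.100.9", "10.2.0.10", 139),  # outside host to NetBIOS
]


def audit(rules, default: str) -> dict:
    """Decision for every constructed attempt under the given policy."""
    return {(s, d, p): decide(rules, default, s, d, p) for s, d, p in ATTEMPTS}


def reachable(rules, default: str) -> list:
    """(source, port) pairs the policy lets through, i.e. the exposed surface."""
    return sorted((s, p) for (s, d, p), a in audit(rules, default).items() if a == "allow")


if __name__ == "__main__":
    print("default-allow exposes:", reachable(DEFAULT_ALLOW, "allow"))
    print("default-deny exposes: ", reachable(DEFAULT_DENY, "deny"))
```

Running it shows the default-allow enclave still reachable on NFS, SNMP and NetBIOS from the dorms and the outside, whereas the default-deny enclave answers only to administrator SSH and public HTTPS; the same audit technique, run against a real router or firewall configuration, is how the partitioning step is verified rather than assumed.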
Less “Simple Steps”
• Abolish or strongly discourage “insecure” network protocols (telnet, ftp, rlogin/rsh, std HTTP forms for sensitive data)
• Encourage or require encryption for network protocols (passwords, data streams / stores)
• Attempt to abolish use of Social Security # as a unique identifier as well as a PIN/password
• Require/encourage strong authentication (good passwords, smartcards or physical tokens, biometrics, Kerberos or X.509 certificates) particularly for privileged access and sensitive important applications
• Conduct a massive education campaign – give examples of incidents and “bad practices”
Lesser “Simple Steps”
• Provide dis/incentives (sticks & carrots) to shift the existing cost/benefit security calculus
• Flip “allow everything / deny by exception” vs. “deny everything / allow …” net access rule
• Put critical systems & net under change mgt
• Install Tripwire™, ISS System Scanner™ or similar systems (AIDE) on critical systems
  • so that you know when they have changed (and you have been hacked)
• Get Anti-Virus software installed campus-wide
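What Tripwire and AIDE do on a critical system is simple to state and worth seeing end to end: record a hash and the metadata of every file while the host is known-good, keep that baseline where an intruder cannot rewrite it, and compare against it on a schedule. The following is an added example (not Tripwire, AIDE or any university’s code) of that baseline-and-compare cycle; the directory tree it checks and the changes it then detects are constructed inside the block.

```python
"""
Minimal Tripwire/AIDE-style file integrity check.
Added example, not Tripwire, AIDE or university code; the file tree and the
changes it detects are constructed in demo().
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Per-file record: content hash plus the metadata an intruder would also
    have to preserve to hide a change (size, mode bits, owner)."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
    }


def build_baseline(root: str) -> dict:
    """Walk root and record every regular file, keyed by path relative to root.
    The baseline belongs off-host or on read-only media; on the host itself an
    intruder with root can simply regenerate it after making changes."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report entries added, removed or modified between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'etc'-like tree, change it the way
    an intrusion or an unmanaged edit would, and re-check against the baseline."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    tree = Path(root)
    (tree / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")  # constructed
    (tree / "hosts").write_text("127.0.0.1 localhost\n")             # constructed
    baseline = build_baseline(root)

    # Changes made after the baseline was taken
    with open(tree / "passwd", "a") as f:
        f.write("# line appended after baseline\n")
    (tree / "unexpected.so").write_text("not in baseline\n")
    (tree / "hosts").unlink()

    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The report lists `passwd` as modified, `hosts` as removed and `unexpected.so` as added. A real deployment adds exclusions for files that legitimately churn (logs, spool directories) so that the daily report stays short enough for an administrator to actually read, which is the difference between an integrity checker that catches a compromise and one that is ignored.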
Least “Simple Steps”
• Manage passwords
  • Require strength and changing (30-90 days)
  • Expect resistance (do you have political will)
• Manage vendor upgrades and “hot fixes”
  • Microsoft “hot fixes” for NT, W2K, IIS are out of control and many believe unmanageable
• Secure software obtained from Vendors
  • Tough because most application software is shrink-wrapped or outsourced
  • But you can create alternate ‘secure’ builds of software such as Red Hat Linux, Unix, NT, Windows 2000
One University’s Response
• Yale University: 11,000 students, 11,000 faculty & staff; 16,000 hosts; wired dorms; 500 modem lines; I1 & I2; wireless pilots
• Information Security Officer hired in 1997; two additional staff added by 1999, one focused on admin, one on research/students
• This office is extremely busy!
One University, cont’d
• Internet Security Systems (ISS) licensed 1998
• Found numerous vulnerabilities, many severe
• Some systems admins grateful for the info; some overwhelmed by the tasks ahead
• One user complaint when home net scanned
• Student paper assumed search for MP3s
One University, cont’d
• IT Appropriate Use Policy amended to authorize scans, even for personal machines
• Automated report dist by running a ‘.BAT’ script of NT cmd line ISS scanner, PGP-encrypting, & sending E-mail to dept admins
• Distribute ISS s/w & license keys so depts can scan themselves, perform repairs
One University, cont’d
• 2nd data center w/ mirrored disk for disaster recovery
• Extensive use of IBM’s ADSM for backup
• Firewalls: Internet gateway & Data Centers
• System admin hygiene, SSH, et al.
• Eliminated insecure Telnet/FTP to central servers, distributed SSH and other tools
• Promotion of encryption (more policy issues)
• VPN server set up and publicized
• Campus-wide Anti-Virus software license obtained, software distributed
Other Security Initiatives
• Computer Security Institute
• Forum of Incident Response & Security Teams
• System Administrators Guild of USENIX
• USENIX Security Conference
• CERT Coordination Center
• NIST Computer Security Division
Other Initiatives (cont’d)
• Commercial & public domain software
• CREN Certificate Authority; Net@Edu PKI working group; Internet 2 PKI Labs, Internet2 Security Working Group
• SANS -- System Administration, Networking, & Security Institute
• Center for Internet Security
SANS Top 10 Vulnerabilities
• BIND weaknesses: nxt, qinv & in.named allow immediate root compromise
• Vulnerable CGI programs & app extensions
• RPC weaknesses in ToolTalk, Calendar Manager, rpc.statd allow immediate root compromise
• RDS security hole in Microsoft’s Internet Information Server
• Sendmail buffer overflow, pipe attacks, MIMEbo allow immediate root compromise
SANS Top 10, cont’d
• Sadmind & mountd
• Global file sharing, inappropriate info sharing via NetBIOS, UNIX NFS, MacOS
• User Ids, esp root/admin weak passwords
• IMAP & POP buffer overflow, misconfig
• Default SNMP community strings set to “public” & “private”
SANS Top 10, cont’d
• ISS, other tools can scan for them
• Eliminating top 10 not sufficient
• Top 10 a moving target
• But how many institutions have got these ten vulnerabilities under control?
• And couldn’t we make more progress if we engaged in joint action?
SANS SSH.COM SSH for Educational Institutions
• SANS worked with SSH.COM to obtain free SSH2 implementations for US educational institutions
• http://www.ssh.com/license.html
• http://www.ssh.com/commerce/non-commercial_site_license_request.html
• http://www.ssh.com/about/press/2000/release15082000.html
FBI NIPC/Microsoft IIS Alert
• MS99-025, Unauthorized Access to IIS Servers Through ODBC Data Access with RDS
• MS00-014, SQL Query Abuse
• MS00-095, Registry Permissions
• MS00-086, Web Server File Request Parsing
Educause Task Force
• Announced to all member reps in July email from Mark Luker, VP for Networking
• Co-chaired by Gordon Wishon, Associate VP & Associate Vice Provost for IT, Georgia Tech; & Dan Updegrove, VP for Information Technology, University of Texas at Austin
• Committee co-chairs named
TF Committees - 1
• Detection, prevention, & response to attacks
  • Jack Suess, CIO, University of Maryland, Baltimore County
  • Steve Hansen, Security Policy Officer, Stanford
TF Committees - 2
• Campus Policies
  • Mark S. Bruhn, IT Policy Officer, Indiana U
  • Rodney Petersen, Dir, Policy & Planning, U of Maryland, College Park
TF Committees - 3
• Education & awareness
  • Michelle Norin, Director for IT Outreach, University of Arizona (norin@u.arizona.edu)
  • Gordon Wishon, VP & Vice Provost for IT, Georgia Tech
TF Committees - 4
• Emerging Technologies
  • Clifford Collins, Ohio Academic & Research Network (OARnet)
  • Ken Klingenstein, University of Colorado & Chief Technologist/Middleware Project Director, Internet 2
EDUCAUSE Initiatives
• Education/Awareness – Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.)
• “Best” Practices Security Recommendations - publish
• Tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, etc.
• Federal (NSF) grant proposal?
• Vendor contacts / potential group purchase discounts
• PKI (HEPKI-PAG, HEPKI-TAG) – Public Key Infra
• Obtaining security consulting/assessment/emergency notification (e.g. Internet 911) services for academia?
How You Can Participate
• Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors -- even CIOs!
• Meetings, email, website, white papers
• <http://www.educause.edu/security>