Join us for a discussion on security in higher education, covering topics such as layering security, virtualization, phishing countermeasures, and the role of the ISO. Learn how to prepare, prevent, and protect your institution from security threats.
IT Security in Higher Education: Prepare, Prevent, Protect. It's Everyone's Responsibility! Robert Sarao, UMass Boston; Bruce Barrett, Community College of Rhode Island; Dean J. Williams, University of Vermont; Sam Hooker, University of Vermont; Chuck Young, Tufts University; Sherry Horeanopoulos, Fitchburg State University
Agenda 8:30-8:40 Introductions 8:45-9:30 Layering Security, from Desktop to Demark (Bob Sarao) 9:30-10:00 Security in a Virtual World (Bruce Barrett) 10:00-10:30 Break 10:30-11:00 Phishing Countermeasures (Sam Hooker and Dean Williams) 11:00-11:30 Wheel of Security (Chris Young) 11:30-11:55 What is the role of the ISO? (Sherry Horeanopoulos) 11:55-Noon Closing
Layering Security from Desktop to Demark • Bob Sarao • ISO, University of Massachusetts, Boston • Robert.Sarao@umb.edu • AKA “Bruno” • Hobbies: Phishing
Security in a Virtual World • Bruce Barrett • Community College of Rhode Island • bbarrett@ccri.edu
Security in a Virtual World: Security Objectives • Prioritize levels of trust and confidence (0-4 tier policies) • Who has access to what? Internal versus external access? • Data traffic visibility and monitoring • What do I virtualize, what stays physical?
The Virtual Environment • Virtualization: a method of partitioning one physical server (host) into multiple virtual servers (machines, guests, clients), giving each the appearance and capabilities of running on its own dedicated machine. Each virtual server functions as a full-fledged server. • Mobility and instantiation within the physical environment • Common vendors: VMware ESX, Microsoft Hyper-V, Citrix, Xen, proprietary (Solaris) • Virtual applications: data center/private cloud; desktop; hybrid cloud (up in the air); virtual storage (evolving); virtual backup (Veeam, evolving)
The Virtual Data Center • Physical host serves virtual guests • Hypervisor: the virtualization operating system that allocates hardware resources of the host to each virtual guest • Virtual switch: groups guests in common virtual network segments • Virtual LANs: a means of segmentation required to interface with the outside physical world; connects virtual machines to each other and to external networks • VMware, Cisco Nexus 1000 (additional features such as traffic monitoring and layer 2 security)
The Virtual Data Center, cont. • Zones: groups of virtual machines within VLANs and between VLANs, and across physical hosts, in accordance with common security policies • Keeps virtual machine guests separate from other virtual guests that are on a common VLAN • Zone usage: PCI compliance, multi-tenancy, intellectual privacy • Created using VMware vShield
Virtual Security Gateway (firewall) • Performs physical firewall functionality such as ACLs, port monitoring, etc. within the virtual environment • Dynamic provisioning of security policies during virtual machine movement and instantiation • Creates trusted multi-tenant environments • Secures access to the hypervisor by limiting direct administrative rights • Data inspection of inter-VLAN virtual traffic for troubleshooting and optimization • Detects malicious activity directed at the hypervisor
Virtual Desktop Infrastructure (VDI) • Anti-virus is centralized at the physical servers (hosts), not at the desktop • Is your anti-virus (Symantec, Sophos) compatible with VMware (Trend Micro)? • Even if it is, how does it impact licensing? • How does NAC translate to the virtual world? • Issues of mobility: devices not under the college's control, smart devices, hot spot network connectivity, home networks
The Cloud! • Hybrid cloud • Need a secure network connection; how many ISPs does it go through? • Multi-tenancy protection? • Integrated security policies/practices between college and cloud • Reporting/visibility into the cloud • Vulnerability with cloud? (DR plan)
Conclusions • Don’t forget storage • Secure physical storage to VMs via zones • Isolated storage group • VLANs • Zones • Gateway
Phishing Countermeasures • Dean Williams • University of Vermont • Dean.Williams@uvm.edu • Sam Hooker • University of Vermont • sthooker@uvm.edu
Phish: A brief History Dean Williams The University of Vermont
Phish at UVM: A Brief History • 1983: Trey, Ernie, Jeff, Jon, Mike are UVM students • Oct. 30, 1983: Trey, Mike, Jeff, Jon are jeered at ROTC Halloween dance • Nov. 3, 1983: First gig as “Phish” played at UVM’s Slade Hall • 1984: Trey Anastasio takes semester off, records demo
Phishing at UVM: A Brief History • 1996: Email “lures” enticing unsuspecting AOL subscribers to reveal passwords • 1997: Phish – compromised accounts – traded online • 2004: UVM’s first phishing warning: VISA • 2005: Phishers target higher education accounts • 2008: Many more targeted attacks for higher education credentials • Scripting webmail to send spam & more phish • Chronicle: “E-Mail Scam Targets Colleges” • 20??: vishing
The Good Old Days
Date: Mon, 29 Jun 2009 09:55:43 +0000
From: UVM Webmaster online <uvm.edu-webmaster@mchsi.com>
Reply-To: UVM Webmaster online <uvm.edu-webmaster@mchsi.com>
Dear UVM Webmail online Email Account Owner, Important notice, harmful virus was detected in your account which can be harmful to our subscriber unit. You are to enter your Username and Password here {____________, __________} to enable us set in an anti virus in your user account to clear up this virus. we do need your co-operation in this, Providing us with this information we enable us insert in your account an anti virus machine for clean up. We are sorry for the inconveniences this might have cost you. Failure to do this, we are sorry to let you know that your account will be deleted immediately to prevent it from arming our subscriber unit. Thank you for using UVM Webmail, We are glad at your service, UVM Webmaster online.
Prevention: Securing the Human • Encourage reporting • Make it easy to report • Respond to all reports • There are no dumb questions • "We'll never ask" campaign • Teach skepticism and cursor-hovering
Securing the Human (2) • Student-to-student listservs • Ignore most phish and scams not targeting our domain (avoid excessive warnings) • Make our own spam less phishy • “If you are concerned this is a scam …” • No tricky links (Constant Contact, bm23.com) • Affiliates need to improve, too • Cybersecurity Awareness Month
“Bite” Prevention: Safety Nets • Flagging deceptive links in webmail • Browser phishing and malware protection; WOT • Incoming spam detection • CISCO ASA botnet filter • Outgoing spam trap
Not Tried Yet • Student newspaper • Digitally signed “official” email • Anti-Phishing Phil & Phyllis (Wombat Security) • Paypal phishing challenge • Purple fish costume (Karen McDowell, U. Va.)
Detection & Response NOTICE: The site you tried to go to is actually a phishing site. You received an email message from someone trying to trick you into providing your username and password. UVM will never ask for your password via email. If you have questions about the validity of an email message, contact the UVM Helpline at helpline@uvm.edu or 802-656-2604, or visit the ETS website at http://www.uvm.edu/it/
Challenges & Scary Thoughts • What other use made of credentials? • Legal obligations; due diligence • 2,500+ new people to educate every year • Odds are against us • Phishing use of legitimate sites (forms, surveys) • In the cloud: you don’t control the mail system or web server
Questions for You • Have you smelled all of these phish in your domain? • What other interesting phish are swimming your way? • Should we phish our users? • Have you found countermeasures that work?
Phishing at UVM: Countermeasures • Sam Hooker | 20110328
The Challenges: Awareness • Messages appear convincing • Link inspection requires time-consuming user attention (see Herley, 2009, http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf) • Even automated link inspection can be circumvented (“Just-Click-OK Syndrome”)
The Challenges: Prevention • Very little restriction on outbound connectivity • Collisions with legitimate usage (“The Scalpel vs. the Saw”)
The Challenges: Detection • No content-filtering on outbound email • Difficult to automate • Politically unpopular
How Can We Win? • We probably can’t with technical measures alone, short of • deploying user-friendly digital signatures to all constituents • deploying two-factor authentication to all services for all constituents
OK, How Can We…Not Lose So Badly? • Predominantly through our awareness campaigns, backstopped with some relatively simple technology • By “staying loose” and thinking creatively • By recognizing worthwhile approaches and using them even when they don’t solve the whole problem
Awareness: Poisoned Images • Phishers just love to scrape our webmail login pages, don’t they? • Not so keen to host the other web assets, though • Tip: Keep a blank image on your login page. Once scraped, replace with a warning image to your users.
Awareness: Poisoned Images • Pros: simple to do, brands the phisher site visually • Cons: won’t work under certain conditions; phishers will eventually catch on
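The slides replace the blank image by hand once a scrape is noticed. As an added example, not code from the talk, here is a beacon handler that generalizes the trick: it serves the blank image when the Referer is one of our own hosts and the warning image otherwise, and logs the foreign host so the abuse team learns where the cloned login page lives. The host names, image bytes and path are placeholders; it assumes the scraped copy hotlinks the image and that the browser sends a Referer, which covers the "won't work under certain conditions" caveat above.

```python
import logging
from typing import Optional, Tuple
from urllib.parse import urlsplit

log = logging.getLogger("login-beacon")

# Hosts that legitimately embed the login page's beacon image (assumed names).
OWN_HOSTS = {"webmail.example.edu", "login.example.edu"}

# Image bodies keyed by name. Placeholders stand in for the real PNG bytes of a
# blank image and of a "this is not the real login page" warning image.
IMAGES = {
    "blank.png": b"<blank PNG bytes>",
    "warning.png": b"<warning PNG bytes>",
}


def classify_beacon_request(referer: Optional[str], own_hosts=OWN_HOSTS) -> Tuple[str, Optional[str]]:
    """Pick the image to serve for the login-page beacon.

    Returns (image_name, foreign_host). foreign_host is the host of a page that
    is not ours yet embedded our beacon, i.e. a likely scraped copy of the login
    page; it is None for our own pages and for requests without a usable Referer.
    """
    if not referer:
        # No Referer (browser privacy settings, referrer policy, direct fetch):
        # we cannot tell, so serve the blank image rather than alarm a real user.
        return "blank.png", None
    host = (urlsplit(referer).hostname or "").lower()
    if not host or host in own_hosts:
        return "blank.png", None
    return "warning.png", host


def beacon_app(environ, start_response):
    """Minimal WSGI handler for GET /beacon.png (path is an assumption)."""
    image, foreign = classify_beacon_request(environ.get("HTTP_REFERER"))
    if foreign:
        # A copy of our login page is being served from elsewhere: record where,
        # so the clone can be reported (detection as well as visual branding).
        log.warning("login beacon loaded from foreign host %s", foreign)
    body = IMAGES[image]
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        ("Cache-Control", "no-store"),   # a cached blank image must never mask the warning
        ("Content-Length", str(len(body))),
    ])
    return [body]
```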
Prevention: DNS Interception • “Sealing the deal” frequently requires that the victim fill out a form on a remote website • Tip: Pretend to be that website. Configure its hostname into your DNS servers, and redirect users to a local site that tells them what they were about to do.
Prevention: DNS Interception (before/after diagram) • Before: UVM DNS → Scammer website • After: UVM DNS → UVM warning page, not the scammer website
Prevention: DNS Interception • Pros: simple to implement, prevents “campus” users from giving away the farm • Cons: won’t work for constituents who don’t use your DNS servers (working from home, non-resident students, Extension sites, etc.); cumbersome when a given scam uses multiple domains/fast-flux DNS; has the potential to disrupt legitimate use of the intercepted domain
Prevention: DNS Interception (diagram) • UVM DNS → UVM warning ☺ • ISP DNS → Scammer website ☹
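One way to "configure its hostname into your DNS servers", as an added example that is not from the talk: generate a BIND response policy zone (RPZ, an assumed implementation choice) that answers each scam host and everything under it with a CNAME to the local warning site. The warning host, zone name and protected list are placeholders. It also refuses to intercept our own domains or shared form hosts, the "disrupt legitimate use" caveat above, and lists subdomains to ease the multiple-domain case.

```python
import re
from datetime import date

WARNING_HOST = "phishwarning.example.edu"   # assumed name of the local warning site
ZONE_ORIGIN = "rpz.example.edu"             # assumed name of the policy zone

# Domains we must never intercept: our own, and shared services (form/survey
# hosts) whose legitimate use would be disrupted (assumed list).
PROTECTED = {"example.edu", "forms.example.com"}

LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})+$")


def normalize(name: str) -> str:
    """Lowercase a hostname and strip a scheme, path or trailing dot pasted from a report."""
    name = name.strip().lower()
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0].rstrip(".")
    if not HOSTNAME_RE.match(name):
        raise ValueError(f"not a valid hostname: {name!r}")
    return name


def is_protected(name: str, protected=PROTECTED) -> bool:
    """True if name is, or is under, a domain we refuse to intercept."""
    return any(name == p or name.endswith("." + p) for p in protected)


def rpz_zone(scam_hosts, warning_host=WARNING_HOST, serial=None, protected=PROTECTED) -> str:
    """Render a response policy zone that answers each scam host (and any
    subdomain of it) with a CNAME to the warning site."""
    serial = serial or int(date.today().strftime("%Y%m%d00"))
    lines = [
        f"$ORIGIN {ZONE_ORIGIN}.",
        "$TTL 60",   # short TTL so that removing an entry takes effect quickly
        f"@ IN SOA localhost. hostmaster.{ZONE_ORIGIN}. {serial} 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for host in sorted({normalize(h) for h in scam_hosts}):
        if is_protected(host, protected):
            raise ValueError(f"refusing to intercept protected domain {host}")
        lines.append(f"{host} IN CNAME {warning_host}.")      # the scam form's exact name
        lines.append(f"*.{host} IN CNAME {warning_host}.")    # and anything below it
    return "\n".join(lines) + "\n"
```

Declare the generated file as an ordinary master zone on the campus resolvers and reference it with `response-policy { zone "rpz.example.edu"; };` in named.conf; clients that use another resolver are unaffected, which is the limitation the slides describe.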
Prevention: anti-phishing-email-reply • Some scams ask the victim to send their credentials in an email • Tip: Deploy anti-phishing-email-reply to alert when someone has responded • Pros: provides an opportunity to intercede prior to exploitation, and an opportunity for (*ahem*) “targeted education” • Cons: address list can become stale, alert on legitimate messages; constituents don’t like the idea that we might be “monitoring” their mail
Detection: anti-phishing-email-reply What this project is “The intent of this project is to maintain a list of accounts that are being used (or have been used) in the reply-to address of phishing campaigns. Email service administrators can use this list to actively block outgoing smtp submissions destined for these accounts. The list can also be used to scan recent SMTP logs to determine if any users have already replied.” (from http://code.google.com/p/anti-phishing-email-reply)
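The second use the project describes, scanning recent SMTP logs for users who already replied, as an added example that is not the project's own code: Postfix logs the envelope sender on the qmgr line and the recipient on the smtp line, so the two are joined on the queue ID. The log excerpt and the example.edu addresses are constructed; the only listed phish address is the reply-to from the 2009 sample shown earlier.

```python
import re

# Reply-to addresses of known phishing campaigns. The one below is the address in
# the 2009 sample on the slides; a real run would read the list published by the
# anti-phishing-email-reply project instead.
PHISH_ADDRESSES = {"uvm.edu-webmaster@mchsi.com"}

# Constructed Postfix-style log excerpt: two submissions to the listed address,
# one ordinary message, and an smtpd line without from/to that must be ignored.
SAMPLE_LOG = """\
Mar 28 10:15:01 mailhub postfix/smtpd[2201]: 3F2A1C0A1: client=webmail.example.edu[10.1.2.3]
Mar 28 10:15:01 mailhub postfix/qmgr[2102]: 3F2A1C0A1: from=<student1@example.edu>, size=812, nrcpt=1 (queue active)
Mar 28 10:15:02 mailhub postfix/smtp[2210]: 3F2A1C0A1: to=<uvm.edu-webmaster@mchsi.com>, relay=mx.mchsi.com[192.0.2.10]:25, delay=0.4, status=sent (250 OK)
Mar 28 10:16:11 mailhub postfix/qmgr[2102]: 4A7B2D1B2: from=<staff7@example.edu>, size=2048, nrcpt=1 (queue active)
Mar 28 10:16:12 mailhub postfix/smtp[2211]: 4A7B2D1B2: to=<colleague@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.5, status=sent (250 OK)
Mar 28 10:17:40 mailhub postfix/qmgr[2102]: 5C8D3E2C3: from=<student2@example.edu>, size=640, nrcpt=1 (queue active)
Mar 28 10:17:41 mailhub postfix/smtp[2212]: 5C8D3E2C3: to=<UVM.EDU-Webmaster@mchsi.com>, relay=mx.mchsi.com[192.0.2.10]:25, delay=0.3, status=sent (250 OK)
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")


def find_replies(log_lines, phish_addresses=PHISH_ADDRESSES):
    """Return (timestamp, sender, phish_address) for every message delivered to a
    listed address. Sender and recipient are on different lines, so they are joined
    on the queue ID; two passes keep the join independent of line order."""
    parsed = [m for m in map(LINE_RE.match, log_lines) if m]
    senders = {}                      # queue ID -> envelope sender
    for m in parsed:
        f = FROM_RE.search(m["rest"])
        if f:
            senders[m["qid"]] = f["addr"].lower()
    hits = []
    for m in parsed:
        t = TO_RE.search(m["rest"])
        if t and t["addr"].lower() in phish_addresses:   # addresses compare case-insensitively
            hits.append((m["ts"], senders.get(m["qid"], "<unknown>"), t["addr"].lower()))
    return hits


if __name__ == "__main__":
    for ts, sender, target in find_replies(SAMPLE_LOG):
        print(f"{ts}: {sender} replied to phish address {target}")
```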