Basic Internet Security - Home : Texas State University
Server Security
Office of the Vice President for Information Technology, Texas State
University-San Marcos
Mr. Shawn Pearcy, Information Security Analyst
Mr. Corbett Consolvo, Senior Information Security Analyst
Ms. Lori McElroy, Information Security Officer
Mr. Don Volz, Special Assistant to the Vice President for Information
Technology
April 3-4, 2008
http://www.vpit.txstate.edu/security.html
Agenda
• Who is IT Security at Texas State University?
• Our Mission
• Server Hardening and Checklists
• Incident Detection
• Incident Reporting
Who is IT Security?
• Sarmita Tuladhar, Student Technical Assistant
• Shawn Pearcy, Information Security Analyst
  • CompTIA Security+, Network+, A+, MCP 2K
• Mr. Corbett Consolvo, Senior Information Security Analyst
• Ms. Lori McElroy, Information Security Officer
  • CISSP, GIAC Certified Incident Handler (GCIH)
• Mr. Don Volz, Special Assistant to the Vice President for Information Technology
Mission
IT Security at Texas State exists to ensure the confidentiality, integrity, and availability of University data, information, communications and services.
Server Hardening and Checklists
• Best practices
• Server hardening
• Server checklists
• Tools overview
• Hands-on practice
Server Incident Detection
• SANS Intrusion Discovery Cheat Sheets
• Linux commands
  • Hands-on practice
• Windows commands
  • Hands-on practice
• X-cleaner
Spyware at Texas State
Spyware Rule Summary Report
Spyware Type: Download Source/Phone Home
Period: 3/1/2008-3/31/2008

Infecting Product    | Category                       | Attempts | Threat Rating (1-10)
Covenanteyes         | Commercial Monitoring Software |       12 | 7
180 Search Assistant | Adware                         |       84 | 7
Agobot.gen           | Trojan                         |     1461 | 8
Xrenoder             | Adware                         |      261 | 7
Bandjammer           | Trojan                         |       27 | 7
Covenanteyes         | Commercial Monitoring Software |      877 | 7
Bandjammer           | Trojan                         |        9 | 7
Ardamax Keylogger    | Commercial Monitoring Software |        4 | 7
RK-70164             | Trojan                         |       25 | 7
Bandjammer           | Trojan                         |        2 | 7
NextDoor             | Worm                           |        1 | 8
GRI.Bot              | Worm                           |        2 | 7
w32.Kmeth Worm       | Worm                           |        1 | 7
NextDoor             | Worm                           |        1 | 8
NextDoor             | Worm                           |        1 | 8
GRI.Bot              | Worm                           |       20 | 7
SPAM at Texas State
SPAM Volume Over 7 Days
Server Incident Detection
• Vulnerability scanning
  • Core Impact
  • Hands-on – MBSA and Nmap
• Network-based intrusion detection systems
  • Demo – Current solutions
  • Hands-on – packet capture and Snort
• Securing Services
  • Hands-on – SSH and RDP
• Logs
  • Remote logging and regular review
Incident Reporting
• What is an incident
• Incident lifecycle
• Common incidents at Texas State
• Incident priorities
• Incident response and mitigation
What is an Incident?
• Attempted or successful unauthorized access
• Theft or exposure of confidential or sensitive data, either intentionally or unintentionally
• Wrongful modifications of data
• Inappropriate use (excessive bandwidth use, spam, etc.)
What is an Incident?
• Violates state or federal law
  • Ex: Copyright violation
• Violates Appropriate Use UPPS (04.01.07)
• Is determined to be harmful to the security and privacy of University data, or IT resources
• Is construed as harassment
• Involves the unexpected disruption of University services
Laptop Theft
EDUCAUSE 2006 Security Awareness Video Contest
Honorable Mention
By Adam Stackhouse, College of William & Mary
Incident Lifecycle
• Alert / Notification
• Investigation / Analysis
• Containment & Eradication
• Recovery
• Assessment
Our Priorities - Incident Response
• Contact law enforcement if incident involves criminal activity
• Limit exposure
• Maintain / restore service
• Protect students / faculty / staff
• Support prosecution / legal action
** The order of priorities may vary by incident **
Incident Prevention – Our Part
• Perimeter and LAN firewalls
  • Hands-on – VPN access
• Intrusion Prevention and Detection
• Patch Management
  • Keep Windows and McAfee up-to-date
• Education and Awareness
• Annual Risk Assessments
Incident Response – Our Part
• We use our logs to attempt to locate:
  • Attacking computers
  • Attack method
  • Other vulnerable computers (warn and fix)
  • Other victims (warn, possibly block)
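The log review described on this slide, as an added example that is not part of the original deck: a small Python script that reads SSH authentication log lines, counts failed logins per source address (attacking computers), lists which hosts each source touched (other victims), and flags any login that succeeded from a source that had already been failing (attack method and likely compromise). The log lines, host names, addresses and the failure threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH auth-log style; hosts and addresses are made up.
SAMPLE_LOG = """\
Apr  3 09:12:01 srv-web sshd[2011]: Failed password for root from 10.0.0.77 port 50122 ssh2
Apr  3 09:12:03 srv-web sshd[2012]: Failed password for root from 10.0.0.77 port 50123 ssh2
Apr  3 09:12:05 srv-web sshd[2013]: Failed password for admin from 10.0.0.77 port 50124 ssh2
Apr  3 09:12:07 srv-web sshd[2014]: Failed password for invalid user test from 10.0.0.77 port 50125 ssh2
Apr  3 09:12:09 srv-web sshd[2015]: Accepted password for admin from 10.0.0.77 port 50126 ssh2
Apr  3 09:15:44 srv-db sshd[4101]: Failed password for root from 10.0.0.77 port 50200 ssh2
Apr  3 09:15:46 srv-db sshd[4102]: Failed password for root from 10.0.0.77 port 50201 ssh2
Apr  3 09:20:00 srv-web sshd[2100]: Accepted publickey for deploy from 10.0.5.5 port 41000 ssh2
Apr  3 09:21:10 srv-files sshd[3300]: Failed password for oracle from 10.0.0.91 port 33001 ssh2
"""

# One pattern covers both "Accepted" and "Failed" lines, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(text, threshold=3):
    """Locate attacking sources, the hosts they touched, and logins that succeeded after failures.

    threshold is the number of failed logins from one source that we treat as
    an attack (an assumed value for the example, not a campus standard).
    """
    events = parse_events(text)
    failures = Counter()            # source address -> number of failed logins
    hosts_by_src = defaultdict(set) # source address -> hosts it failed against
    seen_failure = set()            # sources that have failed at least once so far
    success_after_failure = []      # (src, host, user, method) for suspicious successes

    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            failures[src] += 1
            hosts_by_src[src].add(e["host"])
            seen_failure.add(src)
        elif src in seen_failure:
            # A success from a source that was just guessing passwords is the
            # strongest signal that an account on that host is now compromised.
            success_after_failure.append((src, e["host"], e["user"], e["method"]))

    attackers = {src: n for src, n in failures.items() if n >= threshold}
    return {
        "attackers": attackers,
        "victims": {src: sorted(hosts_by_src[src]) for src in attackers},
        "likely_compromised": success_after_failure,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, n in report["attackers"].items():
        print(f"attacking source {src}: {n} failed logins against {report['victims'][src]}")
    for src, host, user, method in report["likely_compromised"]:
        print(f"review {host}: {method} login for {user} from {src} after earlier failures")
```

Run against a real file with `summarize(open("/var/log/auth.log").read())`; the regular expression only knows the OpenSSH message format shown, so other services need their own pattern. The "victims" list is what you would use to decide which other hosts to warn, and the "likely_compromised" list is what you would act on first.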
Incident Response – Our Part
• We disable ports on computers that have been compromised
  • Protects the individual machine as well as the rest of campus
• Evaluating additional tools for automation and quarantine
Avoid Infection
EDUCAUSE 2007 Security Awareness Video Contest
Gold Award - 1st Prize Winner
Joseph Ellis and Eric Collins, University of Delaware
Incident Response – Your Part
• UPPS 04.01.01 – Section 4.02: Individuals are responsible for the security of any computer account issued to them and are accountable for any activity that takes place in their account. Individuals who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to their supervisor. Any suspected or attempted violation of system security should be reported immediately to the Office of the Assistant Vice President for Technology Resources at 245-2501.
• Policy is in revision – Contact IT Security
Incident Response – Your Part
• If you suspect a compromise:
  • Notify us immediately
    • 512-245-4225 (HACK); after hours contact UPD
    • Email to [email protected]
  • If IT Security is not reachable, contact
    • Information Technology Assistance Center
    • 245-4822 (ITAC), by e-mail at [email protected]
**Do not send sensitive information via email**
Incident Response – Your Part
• Important information to gather:
  • Detailed description of suspected incident
  • What led you to believe an incident has occurred
  • Who, what, where, when, how
  • Be as specific as possible
• Do not attempt to gather evidence or perform any technical investigation before contacting IT Security
  • This may contaminate data and destroy critical evidence
Incident Prevention – Your Part
• Backup and recovery
• Patch Management
  • Keep Windows and McAfee up-to-date
• Restrict Power User access
• Disable unused / unnecessary services
  • http://www.vpit.txstate.edu/security/items_interest/server.html
Incident Prevention – Your Part
• Install / activate software firewall
  • Hands-on – IP Tables
  • Windows XP and Server 2003
• Physical and environmental security
  • Examples of not-so-good practices
  • Examples of good practices
Other IT Security Services
• Consulting
  • Backup strategies
  • Vendor contract review
  • Software analysis
  • Risk Assessments
• Customized training
• Vulnerability Scanning
• Penetration testing
University Policies (UPPS)
• Security of Texas State Information Resources
  • UPPS 04.01.01
• Appropriate Use of Information Resources
  • UPPS 04.01.07
• Appropriate Release of Information
  • UPPS 01.04.00
Summary
• Technology alone will not keep our systems safe
• By protecting your own computer system, you're also doing your part to protect computers throughout the university
• IT Security is here to help YOU!
Tools
• ListServs
  • http://groups.txstate.edu/mailman/listinfo/
  • TSP-Security
  • TxState-ServerAdmins
Tools on DVD
• IT Security Best Practices
  • http://www.vpit.txstate.edu/security/items_interest/server.html
• SANS Hardening Checklists
  • http://www.sans.org/score/checklists.php?portal=85501419b5313ffba77bde5e9cc6f136
• Microsoft Baseline Security Analyzer (MBSA)
  • http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Wireshark
  • www.wireshark.org/
• Nmap
  • http://nmap.org/
• Spybot
  • http://www.safer-networking.org/en/index.html
• Proventsure
  • http://www.proventsure.com/Proventsure%20Self%20PII%20Detection.zip
Questions?
• Q&A
Contact Info
IT Security
[email protected]
512-245-4225 (HACK)
Thanks for attending!
Please complete your evaluation form!
http://www.vpit.txstate.edu/security.html