Security Interchange Paul Howell Information Systems Security Officer MAIS / Technical Infrastructure Operations June 2002


Security Interchange
Paul Howell
Information Systems Security Officer
MAIS / Technical Infrastructure Operations
June 2002
Agenda
• UM and the Internet
• The Internet: past, present, and future
• Security problems
• Challenges for Higher Education
• Security solutions
• MAIS efforts and status
• Working together
• Update on a security incident at MAIS
2
UM and the Internet
• Full connectivity with the Internet and Internet2
• Approximately 50,000 live hosts on UM networks
• Mission critical business processes run over the
network
• Education and research depend upon the network
3
4
The Internet, Circa 1969
Once upon a time, there was a network, where all users worked together in harmony towards common goals
5
The Internet, Present
6
The Internet, Future
7
More Sophisticated Intruders
Intruders are:
• growing in number and type
• building technical knowledge and skills
• gaining leverage through automation
• building skills in vulnerability discovery
• becoming more skilled at masking their
behavior
8
Attack Sophistication vs. Intruder Technical Knowledge
[Chart: x-axis 1980 to 2000; y-axis Attack Sophistication, Low to High. Intruder Knowledge required falls over time while Tools grow more capable. Labels, roughly in order of increasing sophistication: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, “stealth” / advanced scanning techniques, DDoS attacks, network worms]
9
Modus Operandi
• A typical attack pattern consists of
– Reconnaissance of the victim site
– Gaining access to a user's account
– Gaining privileged access
– Performing desired activity
• It is possible to accomplish all these steps manually
in as little as a few minutes
• got root?
10
Code Red: 359,000 Infected Hosts
11
Published on Bugtraq
2001 data is incomplete
12
http://www.securityfocus.com/vdb/stats.html
It’s going to get worse – 1
• Explosive growth of the Internet continues
– Where will capable system administrators come
from?
• Market pressures will drive vendors
– Time to market, features, performance, and cost
are primary
– “Invisible” quality features such as security are
secondary
13
It’s going to get worse – 2
• More sensitive applications will be
connected to the Internet
– Low cost of communications, ease of
connection, and power of products engineered
for the Internet will drive out other forms of
networking
– Hunger for connectivity, data and benefits of
electronic interaction will continue to push
widespread use of Internet technology
14
It’s going to get worse – 3
• “The death of the firewall”
– Traditional approaches depend on complete
administrative control and strong perimeter
controls
– Today’s business practices and wide area
networks violate these basic principles
• no central point of network control
• more interconnections with customers, suppliers, partners
• more network applications
  – “the network is the computer”
• who’s an “insider” and who’s an “outsider”
15
Incident Costs in the Big 10
[Bar chart: Number of Incidents (0 to 8) by cost range: $0 - $5,000; $5,001 - $15,000; $15,001 - $50,000; $50,001 - $100,000; > $100,000]
Source: 1997 – 1998 ICAMP Study
16
The Risks
While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission.
Network attacks lead to lost:
– Money
– Time
– Work products & research
– Reputation
– Privacy
– Sensitive information
– Lives
17
What’s Wrong?
• The Internet was designed to be resilient, not secure
• Insecure Products
– Poor quality control leads to a large number of patches
– Products ship with open configurations
– Security is an add-on
– Security is hard to configure
• Cryptography is not ubiquitous
18
What’s Wrong?
On the Internet, every
– hacker/cracker (professional, script kiddie)
– hacktivist
– criminal (pedophile, extortionist, fraud, …)
– sociopath
– terrorist
– espionage/intelligence agent
– military cyber warrior
– copy cat
19
The Challenges of Security in
Higher Education
1. Diversity of the Higher Ed Industry
2. Complexity of Service Offerings Drives
Complexity of Architectures
3. Cultural Challenges
20
Diversity of the Higher Ed Industry
• 3500+ Colleges and Universities
• > 1000 Community colleges
• < 100 major research universities
• 125+ University Medical Schools
• 400 Teaching Hospitals
• 150+ Institutional members of Internet2
21
Complex Service Offerings
• The University is an Educational and
Research Entity
• The University is a Corporation
• The University is an ISP
22
Cultural Challenges
• Loose confederation of autonomous entities
• Lack of control over users
• Academic “culture” and tradition of open access to
information
• Complex trust relationships between departments at
various Universities for research (e.g. Physics community)
• Creative Network Anarchy – anyone can attach anything to
the network
• University research lab computers are often insecure and
poorly managed, Libraries provide open terminals
• Dorm Networking: little adult supervision
23
Why US Higher Ed Computer Networks
are Attractive Targets
• Excellent platforms for launching attacks
– Wired dorms (insecure Linux PCs, PC Trojans)
– High bandwidth Internet
– Sophisticated computing capacity (scientific computing clusters,
even web servers, etc.)
– “Open” network security environment (no firewalls or only “light”
filtering routers on many high bandwidth WANs and LANs)
• Many college & university networks are insecure
– Too few security experts; weak tools;
most institutions do not have an InfoSec office
– Few policies regarding systems security
– Dearth of funding
24
Targets of Opportunity on US Higher
Education Computer Networks
• Sensitive Data
– Credit Card #s, ACH bank #s
– Patient Records
– Student Records
– Institution Financial Records
– Investment Records
– Donor Records
– Research Data & Other Intellectual Property
25
Increasing Visibility of Security Issues
in Higher Ed
• Increasing concerns about liability: Will E-Commerce sites
recover damages from institutions implicated in future DDoS
attacks?
• Federal funding agencies to require firewalls, security?
• HIPAA is a “forcing function” in academic Medical Centers,
Campus Health Centers
• FERPA, COPPA, CIPA, DMCA, Privacy legislation
• Threats from terrorist activities, protection of the national
infrastructure
• Recent incidents: Massive Virus Attacks, Intrusions Leading to
Potential for Identity Theft, Liability
26
Educause Action Statement
• Make IT security a higher and more visible priority in higher education
• Do a better job with existing security tools, including revision of institutional policies
• Design, develop, and deploy improved security for future research and education networks
• Raise the level of security collaboration among higher education, industry, and government
• Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
27
Statement on Stewardship, UM
• Maintaining systems security and a secure
computer environment for financial and
other University records
• Storing information you obtain under secure
conditions and taking every reasonable effort
to maintain privacy and confidentiality of the
data
28
Security is a Process
[Cycle diagram with Security at the center, surrounded by Risk Analysis, Security Policy, Countermeasures, and Audit]
It’s All About Risk Management
29
Security Objectives
• Confidentiality: Information is disclosed to
authorized individuals
• Integrity: Information and programs are changed
only in a specified and authorized manner
• Availability: Assure that systems work promptly
and service is not denied to authorized users
30
Primary Activities
• Prevention
– Security policy
– Firewalls, encryption
• Detection
– Logging and monitoring
– Intrusion detection, integrity management
• Reaction
– Incident response team
– Recovery of resources/information
31
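The detection items on this slide, integrity management in particular, are named without illustration. The script below is an added example, not code from Paul Howell’s presentation or from any MAIS tool: it records SHA-256 digests of every regular file under a directory as a baseline, then compares a later snapshot against that baseline and reports files that were added, removed, or modified. The directory tree, its file names (etc/passwd, etc/hosts, notes.txt, etc/unexpected.conf) and the simulated changes in demo() are constructed for the demonstration so the script runs offline.

```python
"""Integrity-management check: baseline a directory tree, then detect drift.

Added example for the "Detection" item on this slide; it is not code from the
original presentation or from MAIS. File names used in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """Hex SHA-256 of one file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks and special files are skipped: only regular file content is hashed.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digest(full)
    return result


def compare(baseline, current):
    """Classify drift between two snapshots as added, removed or modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline if path in current and baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Persist a snapshot; in practice the baseline belongs on read-only or offline media."""
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path):
    """Read a snapshot written by save_baseline()."""
    with open(path) as handle:
        return json.load(handle)


def demo():
    """Build a constructed tree, baseline it, change it, and return the drift report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as handle:
            handle.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as handle:
            handle.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "notes.txt"), "w") as handle:
            handle.write("baseline notes\n")

        # The baseline is stored outside the monitored tree so it is not hashed itself.
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated drift: one file changed, one removed, one unexpected file added.
        with open(os.path.join(etc, "passwd"), "a") as handle:
            handle.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(etc, "unexpected.conf"), "w") as handle:
            handle.write("constructed content\n")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

Run it directly to see the three drift classes reported for the constructed tree; to monitor a real system, take snapshot() of the directories of interest once, store the baseline where an intruder on that host cannot rewrite it, and schedule the compare() step alongside the central logging the later slides describe.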
Elements of Security
• Should support the mission of the
organization
• Is a means to an end and not an end in itself
• Is an integral element of good management
• Should be cost-effective
32
Basic Steps
• Identify what you are trying to protect
• Determine what you are trying to protect it from
• Determine how likely the threats are
• Implement measures that will protect your assets in
a cost-effective manner
• Review the process continuously and make
improvements each time a weakness is found
33
MAIS Participation in Security
Organizations
• InfraGard - government and private sectors
working together to protect critical
infrastructure
• CIC Security Working Group - Big 10
security officers meet quarterly
• Host the UM Security Round Table - people
from UM and the region attend for quarterly
meetings
34
MAIS Data Center
• Approx. 4,000 square foot computer room
• Central records for HR, SA, and Fin
• Houses about 130 servers
– Citrix
– Oracle (e.g., Fin and HE Prod)
– Wolverine Access
– Development, Alumni, and Constituency
– Library (Mirlyn)
– Axis (ITCom billing system)
– Alumni Association Self Service
– Printers
35
MAIS Enterprise Systems
• Security assessment completed January 2001
– “administrative information systems in the data center are
at considerable risk to technology-based security attacks”
• Recommendations made to correct this are fully
funded and being implemented
• Infrastructure Protection Group formed with
members from different areas
36
Our Vulnerabilities
37
Security Project Status
[Table: each project is marked Completed, Started, or Planned]
– Firewall
– Encrypt Network Traffic
– Authentication Review of Admin Systems
– Network Time Protocol
– Security Policy
– Account Usage Analysis
– Improve WA Encryption
– Central Logging
– 24 X 7 Vulnerability Detection
– Intrusion Detection
– Disaster Recovery
– Security Assessments as a Service
– Routine Patching
– User Security Awareness
– DMZ
– Integrity Management
38
39
Some Future Things
• Secure Shell to replace FTP
• Use VPNs to access systems remotely
• Authentication systems review and
recommendations, i.e., currently up to 9 passwords
– Strong yet simple
• Cooperatively work towards providing the same
level of security for administrative information
across campus
40
User Security Awareness
• Increase awareness of security issues
• Communicate advisories
• Team up with technical staff within the Units
to work with on technical items
• Hold periodic Security Interchange meetings
• Web site with security information
http://www.mais.umich.edu
41
Teaming Up
• Identify technical support staff working on
security in their respective areas
• Establish an email list for discussing and
sharing information regarding security
• Share tools and techniques used to assess
and secure our operational environments
• Two-way communication is vital
42
Reporting Incidents
• If your system has been compromised and it might
affect HR, SA, Library, or Fin information and/or
systems, please contact the MAIS Help Desk
• If you suspect your account has been compromised,
please contact the MAIS Help Desk
• If it’s an emergency send email to
[email protected] and my pager is in the
online directory
• Still contact your local system administrators
43
Incident Response
• January 2001 – a critical server is compromised
• Serious threat to UM
• Tracing the connections backwards
– UM Physics
– University of Maryland
– University of Illinois
– ADSL modem in Corpus Christi, TX operated by Southwest Bell
44
Criminal Matter
• Felony in MI
• Coordinated with
– UM DPS (local)
– MI High Tech Crime Unit (state)
– MI State Police (state)
– Detroit FBI Computer Intrusion Unit (federal)
– Corpus Christi, TX PD (local)
– TX High Tech Crime Unit (state)
45
Prosecuted
• April 25, 2001 search
warrant is executed
• Suspect is 16 years old
• Evidence found on
seized equipment
• Case transferred to TX
for prosecution
• Guilty plea on May 28,
2002
46
Questions and Discussion
Paul Howell
[email protected]
734-763-0609