Download - Security Interchange
Security InterchangePaul Howell
Information Systems Security OfficerMAIS / Technical Infrastructure Operations
June 2002
2
Agenda
• UM and the Internet• The Internet: past, present, and future• Security problems• Challenges for Higher Education• Security solutions• MAIS efforts and status• Working together• Update on a security incident at MAIS
3
UM and the Internet
• Full connectivity with the Internet and Internet2
• Approximately 50,000 live hosts on UM networks
• Mission critical business processes run over the
network
• Education and research depend upon the network
5
The Internet, Circa 1969
OOnce upon a time, there was a network, where all users worked together in harmony towards common goals
8
More Sophisticated Intruders
Intruders are:
• growing in number and type• building technical knowledge and skills• gaining leverage through automation• building skills in vulnerability discovery• becoming more skilled at masking their
behavior
9
Attack Sophistication vs. Intruder Technical Knowledge
High
Low
1980 1985 1990 1995 2000
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sweepers
sniffers
packet spoofing
GUIautomated probes/scans
denial of service
www attacks
Tools
Intruders
IntruderKnowledge
AttackSophistication
“stealth” / advanced scanning techniques
burglaries
network mgmt. diagnostics
DDoS attacks
network worms
10
Modus Operandi
• A typical attack pattern consists of– Reconnaissance of the victim site
– Gaining access to a user's account
– Gaining privileged access
– Performing desired activity
• It is possible to accomplish all these steps manually in as little as a few minutes
• got root?
13
It’s going to get worse – 1
• Explosive growth of the Internet continues– Where will capable system administrators come
from?
• Market pressures will drive vendors– Time to market, features, performance, and cost
are primary– “Invisible” quality features such as security are
secondary
14
It’s going to get worse – 2
• More sensitive applications will be connected to the Internet– Low cost of communications, ease of
connection, and power of products engineered for the Internet will drive out other forms of networking
– Hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology
15
It’s going to get worse – 3
• “The death of the firewall” – Traditional approaches depend on complete
administrative control and strong perimeter controls– Today’s business practices and wide area networks
violate these basic principles• no central point of network control• more interconnections with customers, suppliers, partners• more network applications
- “the network is the computer”• who’s an “insider”and who’s an “outsider”
16
Incident Costs in the Big 10
0
1
2
3
4
5
6
7
8
$0 - $5,000
$5,001 - $15,000
$15,001 - $50,000
$50,001 - $100,00
> $100,00
Source: 1997 – 1998 ICAMP Study
Num
ber
of
Inci
dents
17
The Risks
While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission.
Network attacks lead to lost:
– Money– Time– Work products &
research– Reputation– Privacy– Sensitive information– Lives
18
What’s Wrong?
• The Internet was designed to be resilient, not secure
• Insecure Products– Poor quality control leads to a large number of patches
– Products ship with open configurations
– Security is an add-on
– Security is hard to configure
• Cryptography is not ubiquitous
19
What’s Wrong?
On the Internet, every– hacker/cracker (professional, script kiddie)– hacktavist– criminal (pedophile, extortionist, fraud, …)– sociopath– terrorist– espionage/intelligence agent– military cyber warrior– copy cat
IS O
UR
NEIGHBOR
20
The Challenges of Security inHigher Education
1. Diversity of the Higher Ed Industry
2. Complexity of Service Offerings Drives Complexity of Architectures
3. Cultural Challenges
21
Diversity of the Higher Ed Industry
• 3500+ Colleges and Universities
• > 1000 Community colleges
• < 100 major research universities
• 125+ University Medical Schools
• 400 Teaching Hospitals
• 150+ Institutional members of Internet2
22
Complex Service Offerings
• The University is an Educational and Research Entity
• The University is a Corporation
• The University is an ISP
23
Cultural Challenges• Loose confederation of autonomous entities• Lack of control over users• Academic “culture” and tradition of open access to
information• Complex trust relationships between departments at various
Universities for research (e.g. Physics community)• Creative Network Anarchy – anyone can attach anything to
the network• University research lab computers are often insecure and
poorly managed, Libraries provide open terminals• Dorm Networking: little adult supervision
24
Why US Higher Ed Computer Networks are Attractive Targets
• Excellent platforms for launching attacks– Wired dorms (insecure Linux PCs, PC Trojans)– High bandwidth Internet – Sophisticated computing capacity (scientific computing clusters,
even web servers, etc.)– “Open” network security environment (no firewalls or only “light”
filtering routers on many high bandwidth WANs and LANs)• Many college & university networks are insecure
– Too few security experts; weak tools;most institutions do not have an InfoSec office
– Few policies regarding systems security– Dearth of funding
25
Targets of Opportunity on US Higher Education Computer Networks• Sensitive Data
– Credit Card #s, ACH bank #s
– Patient Records
– Student Records
– Institution Financial Records
– Investment Records
– Donor Records
– Research Data & Other Intellectual Property
26
Increasing Visibility of Security Issues in Higher Ed
• Increasing concerns about liability: Will E-Commerce sites recover damages from institutions implicated in future DDoS attacks?
• Federal funding agencies to require firewalls, security?• HIPAA is a “forcing function” in academic Medical Centers,
Campus Health Centers• FERPA, COPPA, CIPA, DMCA, Privacy legislation• Threats from terrorist activities, protection of the national
infrastructure• Recent incidents: Massive Virus Attacks, Intrusions Leading
to Potential for Identity Theft, Liability
27
Educause Action Statement• Make IT security a higher and more visible priority in
higher education• Do a better job with existing security tools, including
revision of institutional policies• Design, develop, and deploy improved security for future
research and education networks• Raise the level of security collaboration among higher
education, industry, and government• Integrate higher education work on security into the
broader national effort to strengthen critical infrastructure
28
Statement on Stewardship, UM
• Maintaining systems security and a secure computer environment for financial and other University records
• Storing information you obtain under secure conditions and taking every reasonable effort to maintain privacy and confidentiality of the data
29
Security is a Process
Risk Analysis
Security Policy
Countermeasures
Audit
It’s All About Risk Management
Security
30
Security Objectives
• Confidentiality: Information is disclosed to authorized individuals
• Integrity: Information and programs are changed only in a specified and authorized manner
• Availability: Assure that systems work promptly and service is not denied to authorized users
31
Primary Activities
• Prevention– Security policy– Firewalls, encryption
• Detection– Logging and monitoring– Intrusion detection, integrity management
• Reaction– Incident response team– Recovery of resources/information
32
Elements of Security
• Should support the mission of the organization
• Is a means to an end and not an end in itself
• Is an integral element of good management
• Should be cost-effective
33
Basic Steps
• Identify what you are trying to protect
• Determine what you are trying to protect it from
• Determine how likely the threats are
• Implement measures that will protect your assets in a cost-effective manner
• Review the process continuously and make improvements each time a weakness is found
34
MAIS Participation in Security Organizations• InfraGard - government and private sectors
working together to protect critical infrastructure
• CIC Security Working Group - Big 10 security officers meet quarterly
• Host the UM Security Round Table - people from UM and the region attend for quarterly meetings
35
MAIS Data Center• Approx. 4,000 square foot computer room• Central records for HR, SA, and Fin• Houses about 130 servers
– Citrix– Oracle (e.g., Fin and HE Prod)– Wolverine Access– Development, Alumni, and Constituency– Library (Mirlyn)– Axis (ITCom billing system)– Alumni Association Self Service– Printers
36
MAIS Enterprise Systems
• Security assessment completed January 2001
– “administrative information systems in the data center are at considerable risk to technology-based security attacks”
• Recommendations made to correct this are fully funded and being implemented
• Infrastructure Protection Group formed with members from different areas
37
Our Vulnerabilities
2526
9.9%
8.2%
81.9%
High 9.9%Med 8.2%Low 81.9%Total:100.0%
Percent of Vulnerabilities by Severity
VulnerabilitiesIdentified
38
Security Project StatusCompleted Started Planned
Firewall Encrypt Network Traffic Authentication Review of Admin Systems
Network Time Protocol Security Policy Account Usage Analysis
Improve WA Encryption Central Logging 24 X 7 Vulnerability Detection
Intrusion Detection Disaster Recovery Security Assessments as a Service
Routine Patching User Security Awareness
DMZ Integrity Management
40
Some Future Things
• Secure Shell to replace FTP
• Use VPNs to access systems remotely
• Authentication systems review and recommendations, i.e., currently up to 9 passwords– Strong yet simple
• Cooperatively work towards providing the same level of security for administrative information across campus
41
User Security Awareness
• Increase awareness of security issues• Communicate advisories • Team up with technical staff within the Units
to work with on technical items• Hold periodic Security Interchange meetings• Web site with security information http://www.mais.umich.edu
42
Teaming Up
• Identify technical support staff working on security in their respective areas
• Establish an email list for discussing and sharing information regarding security
• Share tools and techniques used to assess and secure our operational environments
• Two-way communication is vital
43
Reporting Incidents
• If your system has been compromised and it might affect HR, SA, Library, or Fin information and/or systems, please contact the MAIS Help Desk
• If you suspect your account has been compromised, please contact the MAIS Help Desk
• If it’s an emergency send email to [email protected] and my pager is in the online directory
• Still contact your local system administrators
44
Incident Response
• January 2001 – a critical server is compromised
• Serious threat to UM
• Tracing the connections backwards– UM Physics
– University of Maryland
– University of Illinois
– ADSL modem in Corpus Christi, TX operated by Southwest Bell
45
Criminal Matter
• Felony in MI
• Coordinated with– UM DPS (local)
– MI High Tech Crime Unit (state)
– MI State Police (state)
– Detroit FBI Computer Intrusion Unit (federal)
– Corpus Christi, TX PD (local)
– TX High Tech Crime Unit (state)
46
Prosecuted• April 25, 2001 search
warrant is executed
• Suspect is 16 years old
• Evidence found on seized equipment
• Case transferred to TX for prosecution
• Guilty plea on May 28, 2002