ICPL 7/25/2007 Policy Issues for Incident Detection and Vulnerability Scanning H. Morrow Long , MS, CISSP, CISM, CEH Director of Information Security Yale University


Post on 18-Dec-2015


Page 1

ICPL 7/25/2007

Policy Issues for Incident Detection and Vulnerability Scanning

H. Morrow Long, MS, CISSP, CISM, CEH
Director of Information Security
Yale University

Page 2

[Network diagram. Nodes shown: Comcast Cablevision, Internet ATT (SBC/SNET), Qwest, CEN, Internet2, NoX, Harvard, Bifrost, Lust, Central Campus, Medical Campus, YNHH network, VPN.Med.YALE.EDU, Med Wireless, YNHH-Yale Firewall, VPN.Net.Yale.EDU, Central Wireless]

Page 3

Yale University - The Network

The Yale University network serves 11,390 total students (5,316 undergraduate students and 6,074 graduate students). Of those, approximately 6,000 students live on campus. The network also provides access for 11,338 faculty (3,333) and staff (8,005), as well as approximately 7,000 other affiliated individuals (associates, etc.). Approximately 260 buildings comprise the University, almost all of which are located in downtown New Haven.

Technically, there are two campuses (soon 3) – the medical campus and the central campus – that are bisected by a highway.

Page 4

Yale University - The Network

There are 12 residential “colleges” (based on the Oxford/Cambridge system, similar to dormitories but much more), and two new ones are planned. Each college is connected at 100 megabit/s or greater, and all are behind one router connected to the gigabit backbone. There are over 25,000 active Ethernet outlets, a mix of 10/10/100 and 10/100/1000 Mb/s, with no restriction of protocols or speeds. There are 25,000 to 28,000 IP devices on the network, and an incalculable number of wireless access points.

Page 5

Yale University - The Network

Cisco VPN servers are used for off-site and wireless access to the network, and Cisco PIX firewalls are employed internally. The firewalls for both campuses protect many departmental servers; there are also separate firewalls for police security, HVAC, building sensors, investments, development, the health plan and more. Most hosts are periodically scanned for vulnerabilities.

Page 6

Yale University - The Network

There is roughly two to four hundred megabits per second of external connectivity, half of which is commodity Internet over AT&T (up to 100 Mb/sec), Qwest (up to 100 Mb/sec), I2 / NoX (virtual T3 up to 100 Mb/sec), and CEN - Connecticut Educational Network (virtual T3 up to 100 Mb/sec). All Internet access currently travels via one Cisco border router, which has a Packeteer inline to campus. The network is multi-homed to local, regional, and national networks.

Page 7

Yale University - The Network

Internet bandwidth is shaped on the campus network with Packeteer. Individual off-campus inbound sessions are limited to 56Kb/s by the Packeteer. The total aggregate off-campus outbound traffic is capped at 1Mb/s by a global Packeteer class. Only some inbound TCP and UDP ports are blocked. Some Quality of Service guarantees are also being used on a VoIP pilot. Known “bandwidth hogs” can be removed from the network.

Page 8

Yale University - The Network

The university network uses Cisco router ACLs for egress and ingress filtering of a few ports and protocols at the border router. There is also some blocking in Packeteer based on IP addresses, but no intrusion prevention system or dedicated commercial firewall at the network border.

• Snort Intrusion Detection Systems are used at the border and in front of core internal firewalls.

• The LanCope/StealthWatch Intrusion Detection System is also used at the border and on the campus network, particularly to analyze the Cisco NetFlow data. This is the only kind of packet analysis done inside the network.

Page 9

Yale University - The Network

Spam blacklists block SMTP connections from blacklisted Internet hosts. Anyone on the network who wishes to run his or her own mail server must register it first. ClamAV and some custom milter filters are used to filter out some email. SpamAssassin is used to identify and label likely spam. There is also the managed Symantec client on Yale-owned computers. There are un-managed Symantec clients on non-Yale-owned computers. ClamAV and other similar products are used on non-Exchange e-mail servers.

Page 10

Yale University - The Network

There is no technical enforcement of a requirement for anti-virus protection to use the campus network (except for a limited deployment of NAC at the medical student residential hall), but the university has a campus-wide license with Symantec. Network users are also encouraged to use personal firewalls and other security measures.

We attempt to scan all network devices once per month. Yale Information Security blocks infected and / or compromised computers from Internet access and notifies owners, rarely blocking campus access.

Page 11

Incident Detection Legal Issues

• Legal Right to Monitor - ECPA & PA-98-142

• Intellectual Property - RIAA vis-à-vis DMCA ‘safe harbor’

• Content Liability - Prodigy case

• eDiscovery exposure - IDS historical data, logs, reports

• National Security / Law Enforcement exposure?

• CALEA implications?

• Running incident detection (as with heavy network monitoring) may mean that we potentially have “knowledge” of a lot of activity which should be private and possibly some of which is illegal.

Page 12

Vulnerability Assessment Legal Issues

• PCI/DSS requires us to ‘scan’ our Internet-facing servers and CC handling systems.

• Current best practice is to externally scan computer systems for vulnerabilities -- to not do so (at least for University-owned systems) could be negligent.

• But our students own their computer systems and we don’t want any liability from looking inside them…

Page 13

Computing Policy Overview

Students, faculty, and staff are treated the same by the Yale University Information Technology Services under most policies (our philosophy and a core value).

Students’ computers are their own possessions, so the Yale University privacy policy reflects that tenet. However, although they are non-Yale computers, they can still be taken off the network. The Yale-owned computers are afforded some privacy, but there are well-defined procedures to access the disks and data, requiring a high level of approval under an appropriate procedure with checks and balances.

Page 14

Incident Detection Legal Issues

• Legal Right to Monitor

– ECPA allows a private enterprise as well as common carriers to monitor for security events/problems on their networks.

– HIPAA Security Rule: covered entities should detect, respond/report.

– CT Public Act 98-142, An Act Requiring Notice to Employees of Electronic Monitoring of Employers

Page 15

HIPAA Final Security Rule

“Standard: Security incident procedures. Implement policies and procedures to address security incidents.” [45 C.F.R. § 164.308(a)(6)(i)]

The security incident procedures standard includes the following required implementation specification:

“Implementation Specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.” [45 C.F.R. § 164.308(a)(6)(ii)]

Page 16

Intellectual Property - RIAA vis-à-vis DMCA ‘safe harbor’

ACE/RIAA/MPAA workshop April 19-20 Wash DC

RIAA argued that if we can instrument our networks to examine packets for intrusions and security events we could (should?) do the same for copyright infringements (Q: how do we verify that a binary stream is copyrighted IP being used illicitly?).

Page 17

P2P networks harm national security

Tuesday July 24, 2007

http://news.com.com/Congress+P2P+networks+harm+national+security/2100-1029_3-6198585.html

By Anne Broache
Staff Writer, CNET News.com
July 24, 2007

WASHINGTON -- Politicians charged on Tuesday that peer-to-peer networks can pose a "national security threat" because they enable federal employees to share sensitive or classified documents accidentally from their computers. At a hearing on the topic, Government Reform Committee Chairman Henry Waxman (D-Calif.) said, without offering details, … ….

Rep. Darrell Issa (R-Calif.) warned Gorton that Lime Wire's practices may open the company up to serious legal liability.

Page 18

CT Public Act 98-142

– An Act Requiring Notice to Employees of Electronic Monitoring of Employers (1998) requires that a notice of Intent to Monitor Electronic Communications be posted.

• The employer can post a notice -- this is defined as written notice.

• The State of CT Labor Commissioner can levy civil penalties, not exceeding $3,000, if an employer is found to be in violation.

• http://www.cga.state.ct.us/ps98/act/pa/pa-0142.htm

Page 19

Incident Detection & Vulnerability Assessment - Yale Policy Issues

• Relevant Yale Policies

– 1601 - Information Access and Security

– 1607 - Yale IT Appropriate Usage Policy

• We can scan systems connected to the Yale network.

• We can examine traffic on our network.

• We can remove systems from our network.

– 5142 Information System Activity Review

• Information Security & Audit are requested to audit systems.

– 5143 IT Security Incident Response Policy:

• 5143.8 Incident Prevention: Wherever possible, the University will undertake to prevent Incidents by monitoring and scanning its own network for anomalies, and developing clear protection procedures for the configuration of its IT resources.

Page 20

Yale Policy 1602 Section 2.A

A. Conditions. In accordance with state and federal law, the University may access all aspects of IT Systems, without the consent of the User, in the following circumstances:

1. When necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the IT Systems; or

2. When required by federal, state, or local law or administrative rules; or

3. When there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have taken place and access and inspection or monitoring may produce evidence related to the misconduct; or

4. When such access to IT Systems is required to carry out essential business functions of the University; or

5. When required to preserve public health and safety.

Page 21

Yale Policy 1602 Section 2.D & E

D. Use of security scanning systems. By attaching privately owned personal computers or other IT resources to the University's network, Users consent to University use of scanning programs for security purposes on those resources while attached to the network.

E. Logs. Most IT systems routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. All Systems Administrators are required to establish and post policies and procedures concerning logging of User actions, including the extent of individually-identifiable data collection, data security, and data retention.

Page 22

Incident Detection Technical Implementation

– Snort IDS sensors at:

• Internet border

• In front of central ITS firewall

• In front of E-Mail firewall

• In front of Med School firewall

– LanCope StealthWatch correlates:

• Netflow (aggregated traffic session records) data from all routers

• Snort data

• Firewall logs

Page 23

Network Topology/Security

[Diagram only]

Page 24

Yale IDS Practice

• We primarily use our Snort IDS at the border as a RIDS (REVERSE IDS) to look for outbound attacks and traffic patterns from Yale computers.

• We use our own Snort rules to detect compromised hosts at Yale.

• The LanCope StealthWatch is new and is allowing us to see scans & attacks purely internal to Yale.

Page 25

Issues

• We end up with discoverable logs and reports.

• Even without storing content we end up knowing things we wish we didn’t.

• We end up with massive amounts of alerts -- a large number of which are false positives.

• A good SIM/SEM (Security Incident/Event Manager) with correlation engine provides great exception info in priority order by data reduction and ‘weighting’.

Page 26

Page 27

Page 28

Incident Response Procedure

Page 29

[Embedded QuickTime (H.264) video, not reproduced]

Page 30

[Embedded QuickTime (H.264) video, not reproduced]

Page 31

Conclusions…

Questions?

Page 32

This has been a chalk outline™ production.