Security Assessments
The Baylor University Experience
Baylor in Overview
13,800 students, 2000 employees
85 buildings networked
Server farm in DMZ
Why an Assessment?
Helps you stay out of the news!
Legal and PR issues
Defines a baseline for Risk Level
Choosing a Vendor
Unbiased look at your system
Expertise, experience
Documentation -- Formal report
Good -- documents your vulnerabilities, engages your people.
Bad -- documents your vulnerabilities, now you’re on the hook!
Three types of vendors
Tier Three
Relatively inexpensive
Relatively limited in scope, results.
Tier Two
External and internal scans
Medium to high cost.
The High Priced Spread
Scope, scans are customizable
Verification of vulnerabilities
Detailed (380pp!) report with recommendations
Take-Away Lessons
It’s about trust and confidence
Remember non-disclosure agreements
Redefine scope after first meeting
Watch those sensitive times -- things may break!
Name a point person to handle ALL issues
Take-Away Lessons
Social engineering will go on. Put ‘em in a hidden location, don’t warn rest of CIT.
Social engineering is scary stuff!
It takes a while, 2 weeks off-campus, 2 weeks on.
Prioritize vulnerabilities and remediation
Was it worth it?
Got the attention of the right people
Be inclusive of findings
IT personnel
Departmental IT personnel
General Counsel
Executive staff
Multi-year agreement can reduce cost
The BotHerd is Coming
University of Albany
Martin Manjak, ISO
Justin Azoff, Network Analyst
About UAlbany
17,400 students, 700 faculty, 8000 residents
September 2004
over 800 systems booted from network
1000+ open tickets first week of class
3 week wait for remediation appointment
Never Again!
Technical Track (later)
Social Engineering Track
More about people than technology
Never stop working on awareness
Need a Narrative
“Didn’t you read the letter we sent?”
Technology is a turn-off to many.
Craft a narrative where students can self-identify, “Did you hear the story about...”
Focus on behaviour and change
Design is Key
Attractive format, good graphics
People, not screen shots.
Series of brochures were created
Trade ‘em, collect the whole set!
Advertised the Network Survival Kit
The Security Quiz
Online Quiz in Ethics and Security
Required to gain Network access
Must get 10 out of 10 right to pass
Using the network means you passed, therefore you know the requirements, so
No excuses when you’re kicked off.
2004 vs. 2005 Results
Cut September’s trouble tickets in half
While network registrations increased 23%
Technology lags education
XP SP2 Firewall, patches responsible for some reduction in vulnerabilities, but
New threat vectors (AIM, Web links) are emerging.
Patches won’t stop students (and staff!) from clicking
Firewall on -- unable to scan it.
Technical Measures
80k HTTP flows and 1 IRC? (not 6667)
Never-admit IRC on Packetshaper, with a whitelist of servers
Scan IPs using blocked IRC, collecting banners, if open.
Interesting things can be observed...
Not your father’s FTP server
IRC Bots come in 2^32 types
Bots have one or more C&C IP addresses embedded in them
IP based
Whack-a-mole, easy to detect
DNS based
HA, load-balanced, redundant botnet!
You.GotPwndBy.us
When DNS bots wake up, they must resolve that C&C address.
Log your DNS queries
Frequent flyers, bad hostname list
hosts in .info, .us, .cx, not .com, .edu
IDS, IPS also a help (they didn’t have)
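Added example, not from the original slides: one way to turn "log your DNS queries" into a report of frequent flyers and bad-hostname hits per client. The log layout, the threshold, the client addresses and every hostname except the slide's own You.GotPwndBy.us are constructed for illustration.

```python
from collections import Counter

# Assumptions for this sketch (not from the slides): log layout and threshold.
WATCHED_TLDS = {"info", "us", "cx"}       # TLDs the slide singles out
BAD_HOSTNAMES = {"you.gotpwndby.us"}      # bad hostname list (slide's example name)
FREQUENT_THRESHOLD = 5                    # repeat lookups per client/name pair

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_LOG = "\n".join(
    ["1127200000 10.1.4.22 www.albany.edu A"] * 9
    + ["1127200060 10.1.7.91 You.GotPwndBy.us A"] * 2
    + ["1127200120 10.1.7.35 hub.example-botnet.info A"] * 6
    + ["1127200180 10.1.4.22 news.example-site.info A"] * 2
    + ["garbled line"]
)

def parse(line):
    """Return (client, qname) or None for lines that do not match the layout."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qname, _ = parts
    # DNS names are case-insensitive and may carry a trailing root dot.
    return client, qname.rstrip(".").lower()

def find_suspects(log_text, threshold=FREQUENT_THRESHOLD):
    """Flag clients that resolve listed names or hammer a watched TLD."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            counts[rec] += 1
    findings = []
    for (client, qname), n in counts.items():
        tld = qname.rsplit(".", 1)[-1]
        if qname in BAD_HOSTNAMES:
            # A single lookup of a known C&C name is enough to flag the host.
            findings.append((client, qname, n, "bad-hostname"))
        elif tld in WATCHED_TLDS and n >= threshold:
            # Unlisted name, but the same client keeps resolving it.
            findings.append((client, qname, n, "frequent-flyer"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

Names that turn up as frequent flyers are candidates for the bad hostname list once confirmed.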
Resources
Conference site: http://www.educause.edu/Program/8355
Botnet slides: http://www.albany.edu/~ja6447/educause/
UNiversity Security Operations Group: http://www.dshield.org/mailman/listinfo/unisog
REN-ISAC, http://ren-isac.net/
Shameless Plug
Suggestions? Comments?
Smaller Colleges -- Interested?
Presentation Topics, Tracks, Training?