Security After Blaster

Slide 1:Security After Blaster(what we have been able to do that we could not have imagined beforehand)

Angel Cruz, CISSP Director & University ISO The University of Texas at Austin ------------------------------------------------- Calvin Weeks, CISSP, CISM Director, IT Security The University of Oklahoma Expand on Angel�s experience Expand on Calvin�s experience Explain the interactions between Angel and Calvin Combination of three presentations Take you through the process of identifying the risk Take you through a recent history of threat events Take you to the creation of a security remediation planExpand on Angel�s experience Expand on Calvin�s experience Explain the interactions between Angel and Calvin Combination of three presentations Take you through the process of identifying the risk Take you through a recent history of threat events Take you to the creation of a security remediation plan

Slide 2:Higher Education�sInformation SecurityRisk Landscape(the sky is falling!)

Presentation to a campus IT steering group in early 2003 Made as a result of some high profile events Discusses what makes higher education unique Call for vigilancePresentation to a campus IT steering group in early 2003 Made as a result of some high profile events Discusses what makes higher education unique Call for vigilance

Slide 3:Higher Education In The News

Hackers Steal Vital Data Credit Card Numbers Stolen from University Hackers Access Medical Database Hacker Steals SSNs from Database Worm cripples University email Data on 59,000 People Stolen Virus may damage personal data University of Georgia Georgia Tech University of Washington Medical Center University of Indiana University of California � Riverside Oregon State University University of Michigan McGill University Yale University University of Texas at AustinUniversity of Georgia Georgia Tech University of Washington Medical Center University of Indiana University of California � Riverside Oregon State University University of Michigan McGill University Yale University University of Texas at Austin

Slide 4:Our Technology at Risk

High-performance computers Desktops & laptops LANS: wired & wireless pipes Residential Networks: processing power, networks Home computers via high speed access Internet & Internet2 gateways Many users Many computers Major bandwidth Juicy targetsMany users Many computers Major bandwidth Juicy targets

Slide 5:Our Data at Risk

Confidential, Sensitive, & Private Data Credit Card #s, ACH (NACHA) bank #s Student & Employee Records (SSN) Patient Records (SSN) Institutional Financial Records Investment Records Donor Records Research Data, Other Intellectual Property Homeland Security Data Identity theft (FTC) 2001 86,212 (39%) 2002 161,836 (40%) 2003 214,905 (42%) Uses of identity theft Credit card fraud 33% Phone/utilities fraud 21% Bank fraud 17% Employment fraud 11% Govt documents/benefits fraud 8% Loan fraud 6% Top victim states (per capita) Arizona Nevada California Texas FloridaIdentity theft (FTC) 2001 86,212 (39%) 2002 161,836 (40%) 2003 214,905 (42%) Uses of identity theft Credit card fraud 33% Phone/utilities fraud 21% Bank fraud 17% Employment fraud 11% Govt documents/benefits fraud 8% Loan fraud 6% Top victim states (per capita) Arizona Nevada California Texas Florida

Slide 6:Info Security Threats

Distributed denial of service & enumerations Viruses and worms SPAM Vendor shipped insecure systems (Windows, Linux, Unix, IIS, SQL) Software project practices Na�ve or untrained/under-trained users How many incidents each year (CERT)? 2000 21,756 2001 52,658 2002 82,094 2003 137,529 How many incidents each year (CERT)? 2000 21,756 2001 52,658 2002 82,094 2003 137,529

Slide 7:More Info Security Threats

Massive CPU power & bandwidth available to crackers as well as HE, e-commerce New concerns about cyber-terrorism Bandwidth hogging applications - File Sharing Improperly managed security devices User activities Research Networks Internet 2 National Lamda Rail SURA LEARN Homeland Security Appropriate Use Security Management Rules How well are users indoctrinated?Research Networks Internet 2 National Lamda Rail SURA LEARN Homeland Security Appropriate Use Security Management Rules How well are users indoctrinated?

Slide 8:Environmental Security Challenges

Perimeter difficult to define Diverse HW/SW with wide range of ownership System administrators distributed, autonomous; many lack formal training Increasing demands for distributed computing, mobile/wireless Lack of central authority Grants rarely buy IT support Few clearly-defined security goals The world is the perimeter Follow the money, find the technology Care and feeding of the students who stayed Have a laptop! Care for the laptop? Rogue WAPs? Herding BIG cats. Research buys Sun boxes, but how about tech staff? Do departments know how to?The world is the perimeter Follow the money, find the technology Care and feeding of the students who stayed Have a laptop! Care for the laptop? Rogue WAPs? Herding BIG cats. Research buys Sun boxes, but how about tech staff? Do departments know how to?

Slide 9:Cultural Security Challenges

Tolerance, experimentation, & anonymity valued Top-down regulations generally resisted Faculty independence Fear of change Many theoretical & technical experts Persistent belief that security is counter to academic freedom What make higher education a great environment is also a risk. Hard to apply governance Faculty own the curriculum, how about private data? Many uncomfortable with new technology or changes to their environment. Experts may not be recently operational. Security enables privacy. Security and anonymity may clash (accountability)What make higher education a great environment is also a risk. Hard to apply governance Faculty own the curriculum, how about private data? Many uncomfortable with new technology or changes to their environment. Experts may not be recently operational. Security enables privacy. Security and anonymity may clash (accountability)

Slide 10:Campuses especially vulnerable

We operate open networks with weak firewalls at the Internet border We welcome personally-owned computers on the campus network We resist standards We run �thin� on technical staff in many depts We value innovation over stability Many of our users are especially na�ve Our rules are typically implicitly allow and explicitly deny. We push laptops so we can lower our support costs, but the impact? It is hard to get compliance unless it can be specifically worded. Staff is the highest cost, and the easiest budget cut. Many departments typically run in the bleeding edge. Awareness continues to be a challenge.Our rules are typically implicitly allow and explicitly deny. We push laptops so we can lower our support costs, but the impact? It is hard to get compliance unless it can be specifically worded. Staff is the highest cost, and the easiest budget cut. Many departments typically run in the bleeding edge. Awareness continues to be a challenge.

Slide 11:How to survive � risk protection

Identify high value information resources; Assess risk and countermeasures; Select and implement balanced protection; Maintain and support your protections. Risk management 101 Quantitative models vs. qualitative models Defense in depth? Religious tech wars? Not install and forget, must be fed.Risk management 101 Quantitative models vs. qualitative models Defense in depth? Religious tech wars? Not install and forget, must be fed.

Slide 12:How to survive - resources

Provide resources for: Computer systems administration System administrator training End-user training: faculty, staff, students Assign an Info Security Officer/Liaison; Know your ISAC contacts. This cannot happen by itself. Need to invest in supporting an infrastructure Who gets called? What do they do? Can you rely on outside help?This cannot happen by itself. Need to invest in supporting an infrastructure Who gets called? What do they do? Can you rely on outside help?

Slide 13:What ISO offers to UT

Security risk assessments (not audits) Disaster recovery planning support Security standards & best practices White-Hat scanning Security policy Legislative analysis Intrusion detection Incident response Forensic analysis Project advisement Technology management support User education & targeted training (role-based) ISO web site Typical (large) security office menu What is the university�s priority? What are the legal priorities? What skill sets do you have? What can be farmed out (internal IT? Outsource?) Typical (large) security office menu What is the university�s priority? What are the legal priorities? What skill sets do you have? What can be farmed out (internal IT? Outsource?)

Slide 14:The Threat Landscape(the sky HAS fallen!)

Presentation to the University Leadership Council in early fall 2003 Made as a result of RPC/Blaster events Discusses what happened and the impact Call for action Presentation to the University Leadership Council in early fall 2003 Made as a result of RPC/Blaster events Discusses what happened and the impact Call for action

Slide 15:UT Info Sec Incidents Jan � Aug 03

Many were handling garden variety viruses in early to mid 2003. Note how the pattern rises as the semester goes on and falls as the semester wanes. Then RPC hits! We presented some specific events.Many were handling garden variety viruses in early to mid 2003. Note how the pattern rises as the semester goes on and falls as the semester wanes. Then RPC hits! We presented some specific events.

Slide 16:SQL SlammerJanuary 24-27 2003

11:40 PM - UT T&N tools indicate DDOS event 12:40 AM - T&N edge filters placed 1:00 AM - Campus network stabilized Until 8:00 AM - Emails -- UT departments, TX agencies, UT System & other educational institutions. Saturday/Sunday - Work continues to filter/un-filter networks and systems. The fastest moving Internet event on record Ten computers consumed 400M of bandwidth We started filtering infected machines We blocked the 1434 ports Then an infected laptop walked in Our communications could have been betterThe fastest moving Internet event on record Ten computers consumed 400M of bandwidth We started filtering infected machines We blocked the 1434 ports Then an infected laptop walked in Our communications could have been better

Slide 17:UT SSN TheftFebruary to March 2003

Intruder accesses UT web site Discovers SSN query design flaw Runs script to �harvest� SSNs Detected after 5 days (2M+ attempts) Captures 55,000+ SSNs Secret Service confiscates PCs in 2 cities UT Student arrested and charged Case being adjudicated by U.S. Attorney A Case study in the lifecycle of an application A systems was designed for internal use and with a trusting interface to track employee training System placed into service for environmental training Evolved from 3270 user log-in to web-enabled Connected to a massive user database with SSN as a search key and name and results of classes taken returned One of over 2000 applications on the mainframe Changes to the mainframe were suspected to have caused crashes, thus activity not detected until the weekend Acceleration of �elimination of SSN as an identifier� project Major (first) institutional IT risk assessment project (today at 4:30 in Lincoln East)A Case study in the lifecycle of an application A systems was designed for internal use and with a trusting interface to track employee training System placed into service for environmental training Evolved from 3270 user log-in to web-enabled Connected to a massive user database with SSN as a search key and name and results of classes taken returned One of over 2000 applications on the mainframe Changes to the mainframe were suspected to have caused crashes, thus activity not detected until the weekend Acceleration of �elimination of SSN as an identifier� project Major (first) institutional IT risk assessment project (today at 4:30 in Lincoln East)

Slide 18:Microsoft �RPC� Vulnerability

7/16: Microsoft announces vulnerability in RPC interface � attacker can run any command on unpatched systems 7/24: Dept of Homeland Defense issues alert 7/27: UTNet initial scan shows vulnerability 7/28: Email to all urges that patch be installed 7/28: Scans continue: breached systems blocked at border & closest UTNet switch Signal to noise ratio for patches? How many patches each year (CERT)? 2000 1,090 (MS 100) 2001 2,437 (MS 60) 2002 4,129 (MS 72) 2003 3,784 (MS 51) Note � MS now does multi vulnerability patches (ENT News)! Signal to noise ratio for patches? How many patches each year (CERT)? 2000 1,090 (MS 100) 2001 2,437 (MS 60) 2002 4,129 (MS 72) 2003 3,784 (MS 51) Note � MS now does multi vulnerability patches (ENT News)!

Slide 19:More �Blaster�

7/29: Full scan shows X000+ vulnerable; Y00+ breached � most with attack software/tools to transfer copyrighted material 7/30: 2nd email to all urges immediate action 7/31: Remaining vulnerable computers blocked at the UTNet border 8/01: Massive effort to clean breached systems, remove network blocks, install patches Note � this is almost 2 weeks after the vulnerability is announced How many technical staff on vacation? We actually saw rooting activity in one of our 4 class B�s Distributed nature of IT means departments must remediate. Got departments to triage How many hours lost? Result: Ability to filter any breached host and to filter vulnerable but not yet breached hosts as needed.Note � this is almost 2 weeks after the vulnerability is announced How many technical staff on vacation? We actually saw rooting activity in one of our 4 class B�s Distributed nature of IT means departments must remediate. Got departments to triage How many hours lost? Result: Ability to filter any breached host and to filter vulnerable but not yet breached hosts as needed.

Slide 20:RPC Containment Progress

Illustrates action by department and central IT staffIllustrates action by department and central IT staff

Slide 21:2nd worm: �Welchia�

8/18: Initially thought to be a �clean up� worm � scanned for same vulnerability, replaced 1st worm, generated massive amounts of network traffic (Internet2 backbone graph below) After a brief respite (to get labs put together for the semester) � Mostly cause confusion and more clean-up After a brief respite (to get labs put together for the semester) � Mostly cause confusion and more clean-up

Slide 22:Then �Sobig.F�

8/19: �A mass-mailing, network-aware virus that sends itself to all email addresses it finds �� Subject: Re: Details � Re: Approved � Re: My details � Re: Thank you! � Re: That movie � Re: Wicked screensaver � Re: Your application � Thank you! Body: See the attached file for details Many (!) email users clicked on the attached file Also installed a �trojan horse� program Most virulent email virus up to that time We had just moved from McAfee to Symantec AV! Result � Mandate is AV for all university machines. We had just moved from McAfee to Symantec AV! Result � Mandate is AV for all university machines.

Slide 23:Sobig.F (cont�d)

One UT user received 5,000 copies! Filter on <mail.utexas.edu> stopped 30,000 copies in the first hour; 4.6 million from 8/20 through 9/1 � 32% of msg traffic (And there are 150+ email servers at UT) Scheduled to cease propagation 9/10 When will we see Sobig.G? How many email servers can a university support? Result � discussions on how many are really needed and how to accommodate �vanity servers�.How many email servers can a university support? Result � discussions on how many are really needed and how to accommodate �vanity servers�.

Slide 24:Our Response

Scan for vulnerabilities, breached systems Only works with active machines, must keep scanning Patch impacted systems by the thousands Filter problem hosts & block �at risk� ports Breached machines are removed from UT-Net until fully rebuilt Vulnerable machines are later removed from UT-Net NetBIOS port blocked -- ITS �white list� created Communicate to internal/external communities Lessons learned from SQL Slammer last January Result � Authority to scan for vulnerabilities Result � Permanent port blocks Result � Communications formalized in response planResult � Authority to scan for vulnerabilities Result � Permanent port blocks Result � Communications formalized in response plan

Slide 25:Then Students & Faculty Returned

High proportion of Windows computers not patched vs. RPC; no anti-virus vs. Sobig.F Immediate impact in ResNet Also evident in UTNet wireless & Telesys Any laptop brought to campus is a risk Help desk working overtime; CDs available How to assist students off campus? Result � More coordination with help-desk and the residence network staff Result � Residence network no longer hands-off Result � Installed capability to isolate the Residence network.Result � More coordination with help-desk and the residence network staff Result � Residence network no longer hands-off Result � Installed capability to isolate the Residence network.

Slide 26:What�s a User to Do?

Here�s what Microsoft recommends: Basis for our recommendationBasis for our recommendation

Slide 27:Our Desktop Recommendation

AntiVirus � Symantec avail at no charge on �Bevoware� web site � should set �auto update� Windows �critical� security patches � available from Microsoft.com � should set �auto update� Firewall � Symantec now recommended, also available in �Bevoware� suite Backup frequently Similar advice for Macintosh users Recommended for all users Result � Will be required for university computersRecommended for all users Result � Will be required for university computers

Slide 28:How Easy? How Realistic?

Not only all computers on campus, but also UT-owned laptops All faculty/staff computers used at home for UT work All student computers in ResNet All student laptops that are ever brought to campus All student computers connected to Telesys How much effort to comply? To audit? Any penalties for non-compliance? ITS is the test case Result � Discussing the concept of managed desktop computers, both centrally and in departments. Result � Consideration of the computers not owned by us that connect to us. Result � Initial test on central IT groupResult � Discussing the concept of managed desktop computers, both centrally and in departments. Result � Consideration of the computers not owned by us that connect to us. Result � Initial test on central IT group

Slide 29:What can be done?

Firewall protection at the Internet border Better tools to detect vulnerabilities & intrusions More systematic approach, professional mgmt for UT-owned end-user systems: Administrative staff Non-technical faculty Research projects Required training for all users Security campaign w/ Microsoft & h/w partners Need to think seriously about security Can we afford to do anything differently? Why don�t computers have born on date (this computer is at patch status as of February 25, 2004).Need to think seriously about security Can we afford to do anything differently? Why don�t computers have born on date (this computer is at patch status as of February 25, 2004).

Slide 30:Cultural changes

UTNet & the Internet are mission-critical. No systems can be allowed to threaten UTNet. UT has an obligation to the Internet, too. UT must provide minimum standards for all IT resources PLUS higher standards for �islands of protection�. Many users do not need/want technical responsibility; we need to develop programs to assist them. Connecting a computer to the network is like taking a car on the highway: machine & user must meet minimum standards, owner & user must accept responsibility for any problems they cause. The IT risk environment has to change! Do we really need 1 in 3 staff members and most faculty members to be system administrators? How do we equip them or discourage them? What is the hammer?The IT risk environment has to change! Do we really need 1 in 3 staff members and most faculty members to be system administrators? How do we equip them or discourage them? What is the hammer?

Slide 31:University Leadership Response

We want you to take a strong leadership role in university security! We want you to create a plan for improving information security. We want you to coordinate the university�s information security planning. Result � The campus wants a plan! But how do you pay for the plan without robbing Peter to pay Paul?Result � The campus wants a plan! But how do you pay for the plan without robbing Peter to pay Paul?

Slide 32:The Information Security Improvement Plan(the sales pitch)

Presentation to be made the University Leadership Council in early spring 2004 Discusses what has been done Discusses what needs to be done Compares with other higher ed campuses Call for funding considerations Presentation to be made the University Leadership Council in early spring 2004 Discusses what has been done Discusses what needs to be done Compares with other higher ed campuses Call for funding considerations

Slide 33:Our Security ChallengeA secure, yet open environment

Best usability/security balance � �islands of protection�. The right solution in the right place � �defense in depth�. Hard to know what is occurring in UTNet. Need to secure the data wherever it may go. Want a more secure desktop. Scale = complexity & cost. Proper value proposition: �Don�t build a $50 fence for a $5 horse � Unless the horse can escape and cause $500 in damage.� Visionary statement Makes major points Adds findings from security risk assessment project Mentions the $ impactVisionary statement Makes major points Adds findings from security risk assessment project Mentions the $ impact

Slide 34:Holistic Approach to SecuritySeven Security Layers

Network/Internet Security Server/Systems Security Applications/Data Security Desktop/Workstation Security Mobile Security Physical Security Security Management Seven seems to be a good number for modelsSeven seems to be a good number for models

Slide 35:ITS approaches to date (1)

Network/Internet Security Port and service filters at the UTNet edge Virtual Private Network (VPN) Service (pilot) Server/Systems Security More aggressive scanning and communication of potential issues Applications/Data Security �Pad Lock� System to augment EID for high risk transactions Enhancements to increase EID security Scan for private/sensitive/confidential data Assess identity management processes VPN project in pilot testing More use of web spiders and commercial tools PadLock is a pin-based second access system (not a second factor) EID � Electronic ID system (secure password) still primary factorVPN project in pilot testing More use of web spiders and commercial tools PadLock is a pin-based second access system (not a second factor) EID � Electronic ID system (secure password) still primary factor

Slide 36:Desktop/Workstation Security ITS E-Mail Services Spam Filtering Desktop Anti-Virus Desktop Firewalls Desktop Auto-update Mobile Security Public Network Access (PNA) System Physical Security Building Access Control System (BACS) Upgrades Security Management Create security policies ISRA Risk Assessment project ITS Disaster Recovery Plan

ITS approaches to date (2) Continue to test desktop and centralized spam solutions Our TN staff has created a solid product for wireless authentication. Physical security upgrades are important Comprehensive disaster plan has helped focus what is important!Continue to test desktop and centralized spam solutions Our TN staff has created a solid product for wireless authentication. Physical security upgrades are important Comprehensive disaster plan has helped focus what is important!

Slide 37:New strategies (1)

Network/Internet Security Improve internet and network filtering Provide secure outside access to UTNet by approved off-campus users. Enhance detection/prevention of intrusions & malicious activity. Server/Systems Security Better identify and disable/re-enable �problem� hosts. Minimum standards for ALL IT resources. We need to ID and filter the garbage like malicious activity We do not feel the need is there for �content filtering� Filters can be too coarse, need a trusted access path Standards for computers! We need to ID and filter the garbage like malicious activity We do not feel the need is there for �content filtering� Filters can be too coarse, need a trusted access path Standards for computers!

Slide 38:Applications/Data Security Secure the external and internal transfer of confidential/sensitive/private data. Improve web user access controls. Create identity management goals. Desktop/Workstation Security Provide unobtrusive desktop security. Security Management Security Awareness and Training IT Security Policies, Guidelines, Procedures (better standards)

New strategies (2) Proof of concept on real two factor authentication and authorization � challenges will come up! So busy with incidents can�t focus on awareness, but better awareness can decrease incidents! Proof of concept on real two factor authentication and authorization � challenges will come up! So busy with incidents can�t focus on awareness, but better awareness can decrease incidents!

Slide 39:Network/Internet SecurityImprove internet and network filtering

FIREWALLS Special purpose software/hardware for separating un-trusted networks from trusted networks (automated pass/block). Flexible rule sets to accommodate various department missions. Several firewalls in use on campus. Deployment Phased Approach High Bandwidth Segments to Buildings/Depts. Lifecycle Support Firewall Administrators, Firewall Management System Implementation 2 + year project with 1 to 2? additional ITS FTEs Where do you apply firewalls? Edge? Important segments? Important servers? Can they stand-up? Who manages them? What is the exception process?Where do you apply firewalls? Edge? Important segments? Important servers? Can they stand-up? Who manages them? What is the exception process?

Slide 40:Network/Internet Security Provide secure outside access

VIRTUAL PRIVATE NETWORKS Special purpose software/hardware for permitting trusted outside users to safely access resources inside UTNet. ITS TN is piloting VPN Services. Deployment Special Purpose Hardware/Software or Part of Firewall VPN Clients to support campus user platforms Lifecycle Support Helpdesk Support & User Training How do you apply VPNs? At firewall? At switches? On stand-alone devices? Who is the target user? How do you apply VPNs? At firewall? At switches? On stand-alone devices? Who is the target user?

Slide 41:Network/Internet SecurityEnhance detection/prevention

INTRUSION SYSTEMS Software/hardware to identify real-time security events. Some only alerts, new systems alert AND block intrusions. ISO has been testing Intrusion products. Deployment Phased Approach High Bandwidth Segments to Buildings/Depts. Lifecycle Support Intrusion Event Correlation System Implementation 2 + year project with 1 to 2? additional ITS FTEs Outsource? Where do you apply IDS? Edge? Important segments? Important servers? Can they stand-up? Who manages them? What kind of policy is needed? Where do you apply IDS? Edge? Important segments? Important servers? Can they stand-up? Who manages them? What kind of policy is needed?

Slide 42:Server/Systems SecurityBetter identify �problem� hosts

DISTRIBUTED VULNERABILITY TESTING Software/hardware to improve proactive testing capability. ISO has campus scanning tools, few tools used by departments. Near future goals include: Scanning users upon connection for compliance. Automatically blocking & unblocking problem hosts. Deployment Phased Approach Central Distributed Scanning Critical/Other Departments Lifecycle Support Vulnerability Correlation System Implementation 1 + year project with 1 additional ITS FTE Can a central ISO still do this? How about desktop firewalls? How technical must a department need to be to do it themselves? What kind of policy is needed?Can a central ISO still do this? How about desktop firewalls? How technical must a department need to be to do it themselves? What kind of policy is needed?

Slide 43:Applications/Data Security Improve web user access controls

APPLICATION FIREWALL Protects web-enabled services Identifies suspicious activity Can take automated actions Alert, Log, Block Deployment Central Web Services Lifecycle Support Coordination with firewall management systems Implementation 1 year project with 1 additional ITS FTE Are traditional firewalls enough or should we consider targeted devices that look at http/https? What actions need to be taken? Who decides?Are traditional firewalls enough or should we consider targeted devices that look at http/https? What actions need to be taken? Who decides?

Slide 44:Applications/Data Security Secure transfer of data

Identify best methods to achieve in our environment Improve data transmission security for sensitive and confidential data. Replace insecure protocols with secure methods for transmission of sensitive data. Identify methods and technology to eliminate �clear-text� passwords. Reduce compliance risk from privacy regulations (emerging HIPAA/GLB/SOX requirements). How much data in the clear is confidential, sensitive, or private? What are the laws? Needs to be discussed and prioritized. Cannot be a single campus solution (we are an ISP)How much data in the clear is confidential, sensitive, or private? What are the laws? Needs to be discussed and prioritized. Cannot be a single campus solution (we are an ISP)

Slide 45:Desktop Environment

Computer vendors aim for easy �out of the box� experience � no need for manuals, security info. No effective market pressure on Microsoft � risk of a worldwide, technical �monoculture�. Dark side of the �always-connected� Internet Home broadband is a new, serious security risk So is wireless, at home, in kiosks, in enterprises Laptops can bring worms, viruses with them Worm & virus creators are more sophisticated How quickly can a machine be hacked/infected out of the box? Blaster � 30 seconds! How safe is home wireless � do we use our university laptops on the same home network where John or Jane is downloading music or malware? How quickly can a machine be hacked/infected out of the box? Blaster � 30 seconds! How safe is home wireless � do we use our university laptops on the same home network where John or Jane is downloading music or malware?

Slide 46:Desktop/Workstation Security Unobtrusive desktop security

Identify best ways to improve desktop management Configuration standards -- lower costs? Better training for TSCs/users Tools for ITS and TSC management Patch automation Desktop security and A/V management Remote administration of campus computers Backups Personally-owned computers that use UTNet need some level of management/control (Concern is 45,000 university-owned plus 75,000? personally-owned computers) Discussion of how to do this continues.Discussion of how to do this continues.

Slide 47:Security Management

Improve Security Awareness and Training User based on their role(s) Technical Staff Create Appropriate IT Security Standards Top-level policies Operational policies and guidelines Security procedures Measures for risk management Materials for awareness and training We hired a security awareness experienced analyst We are studying the best ways to train technical staff (remember, the student who stayed and now manages our critical resources?). New security policy (brief, to be signed by the President) More security standards (longer document, reviewed by major committees and approved by VPIT.We hired a security awareness experienced analyst We are studying the best ways to train technical staff (remember, the student who stayed and now manages our critical resources?). New security policy (brief, to be signed by the President) More security standards (longer document, reviewed by major committees and approved by VPIT.

Slide 48:Sample Security Standards

Top Level Policies IT Security Appropriate Use Privacy Internet/Network Use Email Use Operational Policies Security Management Incident Management Security Awareness Disaster Recovery Procedures/Standards Minimum Platform Standards Server Security Password Policy Account Management Back-up & Recovery Patch/Change Management Authorized Software System Blocking System Monitoring Software Development Some as a result of Texas law (1 TAC 202) Some as a result of other compliance documents (GLB, etc).Some as a result of Texas law (1 TAC 202) Some as a result of other compliance documents (GLB, etc).

Slide 49:Higher EducationEmbracing security strategies

Source: EDUCAUSE (ECAR) IT SECURITY RESEARCH STUDY; SEPTEMBER, 2003 Educause security survey results Shaded strategies are in our plan or things we have done. We are not bleeding edge, others are doing this!Educause security survey results Shaded strategies are in our plan or things we have done. We are not bleeding edge, others are doing this!

Slide 50:Research institutionsAdopting security strategies

Source: EDUCAUSE (ECAR) IT SECURITY RESEARCH STUDY; SEPTEMBER, 2003 Specific comparison to research institutionsSpecific comparison to research institutions

Slide 51:HE security approaches used

Source: EDUCAUSE (ECAR) IT SECURITY RESEARCH STUDY; SEPTEMBER, 2003 Educause security survey results Shaded strategies are in our plan or things we have done. We are not bleeding edge, others are doing this! Educause security survey results Shaded strategies are in our plan or things we have done. We are not bleeding edge, others are doing this!

Slide 52:HE security approaches adopted

Source: EDUCAUSE (ECAR) IT SECURITY RESEARCH STUDY; SEPTEMBER, 2003 Specific comparison to research and large institutions Specific comparison to research and large institutions

Slide 53:Security Planning Committee

Identify and propose strategies. Analyze the operational and technical environment. Recommend appropriate security initiatives and make the business case. Committee Co-Chairs � ISO/Networking Director (soon) Committee membership from ITS, OTS, College of Engineering, School of Business, General Libraries, Department of Computer Science, Campus Planning & Facilities Mgmt, Office of the VP and CFO, Office of the VP for Research. Desktop Management � User Services Cross-functional teams Business case key!Cross-functional teams Business case key!

Slide 54:The Constituent Group Role

Sounding Board Counsel Support for budget needs Ombudsman Reality Check Need to vet and get approvals as we go. Gives us the voice of faculty and researchers.Need to vet and get approvals as we go. Gives us the voice of faculty and researchers.

Slide 55:The Next Step

Create the plan Put it before executive management Get their approval for funding Prioritize the projects Do the work Create the policies Plan � Do � Check � Act Cycle Outline of plan elements What can we get approved? We can dream, can�t we? Your mileage may vary.Outline of plan elements What can we get approved? We can dream, can�t we? Your mileage may vary.

Slide 56:Questions?

Slide 57:Contact Information

Angel Cruz, CISSP, Director & University ISO The University of Texas at Austin (512) 475-9462 e-mail a.cruz@its.utexas.edu Calvin Weeks, CISSP, CISM, Director of IT Security The University of Oklahoma (405) 325-8334 e-mail cweeks@ou.edu