1 / 47

Security Interchange

Security Interchange. Paul Howell Information Systems Security Officer MAIS / Technical Infrastructure Operations June 2002. Agenda. UM and the Internet The Internet: past, present, and future Security problems Challenges for Higher Education Security solutions MAIS efforts and status

vladimir-howe
Download Presentation

Security Interchange

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Interchange Paul Howell Information Systems Security Officer MAIS / Technical Infrastructure Operations June 2002

  2. Agenda • UM and the Internet • The Internet: past, present, and future • Security problems • Challenges for Higher Education • Security solutions • MAIS efforts and status • Working together • Update on a security incident at MAIS

  3. UM and the Internet • Full connectivity with the Internet and Internet2 • Approximately 50,000 live hosts on UM networks • Mission critical business processes run over the network • Education and research depend upon the network

  4. The Internet, Circa 1969 Onceupon a time, there was a network, where all users worked together in harmony towards common goals

  5. The Internet, Present

  6. The Internet, Future

  7. More Sophisticated Intruders Intruders are: • growing in number and type • building technical knowledge and skills • gaining leverage through automation • building skills in vulnerability discovery • becoming more skilled at masking their behavior

  8. Attack Sophistication vs. Intruder Technical Knowledge network worms Tools “stealth” / advanced scanning techniques High packet spoofing denial of service DDoS attacks sniffers www attacks Intruder Knowledge sweepers automated probes/scans GUI back doors network mgmt. diagnostics disabling audits hijacking sessions burglaries Attack Sophistication exploiting known vulnerabilities password cracking self-replicating code Intruders password guessing Low 1980 1985 1990 1995 2000

  9. Modus Operandi • A typical attack pattern consists of • Reconnaissance of the victim site • Gaining access to a user's account • Gaining privileged access • Performing desired activity • It is possible to accomplish all these steps manually in as little as a few minutes • got root?

  10. Code Red: 359,000 Infected Hosts

  11. Published on Bugtraq 2001 data is incomplete http://www.securityfocus.com/vdb/stats.html

  12. It’s going to get worse – 1 • Explosive growth of the Internet continues • Where will capable system administrators come from? • Market pressures will drive vendors • Time to market, features, performance, and cost are primary • “Invisible” quality features such as security are secondary

  13. It’s going to get worse – 2 • More sensitive applications will be connected to the Internet • Low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking • Hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology

  14. It’s going to get worse – 3 • “The death of the firewall” • Traditional approaches depend on complete administrative control and strong perimeter controls • Today’s business practices and wide area networks violate these basic principles • no central point of network control • more interconnections with customers, suppliers, partners • more network applications • “the network is the computer” • who’s an “insider”and who’s an “outsider”

  15. Incident Costs in the Big 10 Number of Incidents Source: 1997 – 1998 ICAMP Study

  16. While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission. Network attacks lead to lost: Money Time Work products & research Reputation Privacy Sensitive information Lives The Risks

  17. What’s Wrong? • The Internet was designed to be resilient, not secure • Insecure Products • Poor quality control leads to a large number of patches • Products ship with open configurations • Security is an add-on • Security is hard to configure • Cryptography is not ubiquitous

  18. What’s Wrong? On the Internet, every • hacker/cracker (professional, script kiddie) • hacktavist • criminal (pedophile, extortionist, fraud, …) • sociopath • terrorist • espionage/intelligence agent • military cyber warrior • copy cat IS OUR NEIGHBOR

  19. The Challenges of Security inHigher Education • Diversity of the Higher Ed Industry • Complexity of Service Offerings Drives Complexity of Architectures • Cultural Challenges

  20. Diversity of the Higher Ed Industry • 3500+ Colleges and Universities • > 1000 Community colleges • < 100 major research universities • 125+ University Medical Schools • 400 Teaching Hospitals • 150+ Institutional members of Internet2

  21. Complex Service Offerings • The University is an Educational and Research Entity • The University is a Corporation • The University is an ISP

  22. Cultural Challenges • Loose confederation of autonomous entities • Lack of control over users • Academic “culture” and tradition of open access to information • Complex trust relationships between departments at various Universities for research (e.g. Physics community) • Creative Network Anarchy – anyone can attach anything to the network • University research lab computers are often insecure and poorly managed, Libraries provide open terminals • Dorm Networking: little adult supervision

  23. Why US Higher Ed Computer Networks are Attractive Targets • Excellent platforms for launching attacks • Wired dorms (insecure Linux PCs, PC Trojans) • High bandwidth Internet • Sophisticated computing capacity (scientific computing clusters, even web servers, etc.) • “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs) • Many college & university networks are insecure • Too few security experts; weak tools;most institutions do not have an InfoSec office • Few policies regarding systems security • Dearth of funding

  24. Targets of Opportunity on US Higher Education Computer Networks • Sensitive Data • Credit Card #s, ACH bank #s • Patient Records • Student Records • Institution Financial Records • Investment Records • Donor Records • Research Data & Other Intellectual Property

  25. Increasing Visibility of Security Issues in Higher Ed • Increasing concerns about liability: Will E-Commerce sites recover damages from institutions implicated in future DDoS attacks? • Federal funding agencies to require firewalls, security? • HIPAA is a “forcing function” in academic Medical Centers, Campus Health Centers • FERPA, COPPA, CIPA, DMCA, Privacy legislation • Threats from terrorist activities, protection of the national infrastructure • Recent incidents: Massive Virus Attacks, Intrusions Leading to Potential for Identity Theft, Liability

  26. Educause Action Statement • Make IT security a higher and more visible priority in higher education • Do a better job with existing security tools, including revision of institutional policies • Design, develop, and deploy improved security for future research and education networks • Raise the level of security collaboration among higher education, industry, and government • Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

  27. Statement on Stewardship, UM • Maintaining systems security and a secure computer environment for financial and other University records • Storing information you obtain under secure conditions and taking every reasonable effort to maintain privacy and confidentiality of the data

  28. Security is a Process Risk Analysis Audit Security Policy Security Countermeasures It’s All About Risk Management

  29. Security Objectives • Confidentiality: Information is disclosed to authorized individuals • Integrity: Information and programs are changed only in a specified and authorized manner • Availability: Assure that systems work promptly and service is not denied to authorized users

  30. Primary Activities • Prevention • Security policy • Firewalls, encryption • Detection • Logging and monitoring • Intrusion detection, integrity management • Reaction • Incident response team • Recovery of resources/information

  31. Elements of Security • Should support the mission of the organization • Is a means to an end and not an end in itself • Is an integral element of good management • Should be cost-effective

  32. Basic Steps • Identify what you are trying to protect • Determine what you are trying to protect it from • Determine how likely the threats are • Implement measures that will protect your assets in a cost-effective manner • Review the process continuously and make improvements each time a weakness is found

  33. MAIS Participation in Security Organizations • InfraGard - government and private sectors working together to protect critical infrastructure • CIC Security Working Group - Big 10 security officers meet quarterly • Host the UM Security Round Table - people from UM and the region attend for quarterly meetings

  34. MAIS Data Center • Approx. 4,000 square foot computer room • Central records for HR, SA, and Fin • Houses about 130 servers • Citrix • Oracle (e.g., Fin and HE Prod) • Wolverine Access • Development, Alumni, and Constituency • Library (Mirlyn) • Axis (ITCom billing system) • Alumni Association Self Service • Printers

  35. MAIS Enterprise Systems • Security assessment completed January 2001 • “administrative information systems in the data center are at considerable risk to technology-based security attacks” • Recommendations made to correct this are fully funded and being implemented • Infrastructure Protection Group formed with members from different areas

  36. Our Vulnerabilities

  37. Security Project Status

  38. Some Future Things • Secure Shell to replace FTP • Use VPNs to access systems remotely • Authentication systems review and recommendations, i.e., currently up to 9 passwords • Strong yet simple • Cooperatively work towards providing the same level of security for administrative information across campus

  39. User Security Awareness • Increase awareness of security issues • Communicate advisories • Team up with technical staff within the Units to work with on technical items • Hold periodic Security Interchange meetings • Web site with security information http://www.mais.umich.edu

  40. Teaming Up • Identify technical support staff working on security in their respective areas • Establish an email list for discussing and sharing information regarding security • Share tools and techniques used to assess and secure our operational environments • Two-way communication is vital

  41. Reporting Incidents • If your system has been compromised and it might affect HR, SA, Library, or Fin information and/or systems, please contact the MAIS Help Desk • If you suspect your account has been compromised, please contact the MAIS Help Desk • If it’s an emergency send email to mais.security@umich.edu and my pager is in the online directory • Still contact your local system administrators

  42. Incident Response • January 2001 – a critical server is compromised • Serious threat to UM • Tracing the connections backwards • UM Physics • University of Maryland • University of Illinois • ADSL modem in Corpus Christi, TX operated by Southwest Bell

  43. Criminal Matter • Felony in MI • Coordinated with • UM DPS (local) • MI High Tech Crime Unit (state) • MI State Police (state) • Detroit FBI Computer Intrusion Unit (federal) • Corpus Christi, TX PD (local) • TX High Tech Crime Unit (state)

  44. Prosecuted • April 25, 2001 search warrant is executed • Suspect is 16 years old • Evidence found on seized equipment • Case transferred to TX for prosecution • Guilty plea on May 28, 2002

  45. Questions and Discussion Paul Howell grue@umich.edu 734-763-0609

More Related