Security Interchange Paul Howell Information Systems Security Officer MAIS / Technical Infrastructure Operations June 2002
Agenda • UM and the Internet • The Internet: past, present, and future • Security problems • Challenges for Higher Education • Security solutions • MAIS efforts and status • Working together • Update on a security incident at MAIS
UM and the Internet • Full connectivity with the Internet and Internet2 • Approximately 50,000 live hosts on UM networks • Mission critical business processes run over the network • Education and research depend upon the network
The Internet, Circa 1969 • Once upon a time, there was a network where all users worked together in harmony towards common goals
More Sophisticated Intruders Intruders are: • growing in number and type • building technical knowledge and skills • gaining leverage through automation • building skills in vulnerability discovery • becoming more skilled at masking their behavior
Attack Sophistication vs. Intruder Technical Knowledge [chart: attack sophistication (low to high) plotted against intruder knowledge, 1980–2000; tools range from password guessing, password cracking, exploiting known vulnerabilities and self-replicating code, through disabling audits, back doors, session hijacking, sniffers, sweepers, automated probes/scans, GUI tools, packet spoofing and denial of service, to “stealth”/advanced scanning, www attacks, DDoS attacks and network worms]
Modus Operandi • A typical attack pattern consists of • Reconnaissance of the victim site • Gaining access to a user's account • Gaining privileged access • Performing desired activity • It is possible to accomplish all these steps manually in as little as a few minutes • got root?
Published on Bugtraq [chart by year; 2001 data is incomplete; source: http://www.securityfocus.com/vdb/stats.html]
It’s going to get worse – 1 • Explosive growth of the Internet continues • Where will capable system administrators come from? • Market pressures will drive vendors • Time to market, features, performance, and cost are primary • “Invisible” quality features such as security are secondary
It’s going to get worse – 2 • More sensitive applications will be connected to the Internet • Low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking • Hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology
It’s going to get worse – 3 • “The death of the firewall” • Traditional approaches depend on complete administrative control and strong perimeter controls • Today’s business practices and wide area networks violate these basic principles • no central point of network control • more interconnections with customers, suppliers, partners • more network applications • “the network is the computer” • who’s an “insider” and who’s an “outsider”?
Incident Costs in the Big 10 [chart: number of incidents; source: 1997–1998 ICAMP Study]
The Risks • While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission • Network attacks lead to lost: money, time, work products & research, reputation, privacy, sensitive information, lives
What’s Wrong? • The Internet was designed to be resilient, not secure • Insecure Products • Poor quality control leads to a large number of patches • Products ship with open configurations • Security is an add-on • Security is hard to configure • Cryptography is not ubiquitous
What’s Wrong? On the Internet, every • hacker/cracker (professional, script kiddie) • hacktivist • criminal (pedophile, extortionist, fraudster, …) • sociopath • terrorist • espionage/intelligence agent • military cyber warrior • copycat IS OUR NEIGHBOR
The Challenges of Security in Higher Education • Diversity of the Higher Ed Industry • Complexity of Service Offerings Drives Complexity of Architectures • Cultural Challenges
Diversity of the Higher Ed Industry • 3500+ Colleges and Universities • > 1000 Community colleges • < 100 major research universities • 125+ University Medical Schools • 400 Teaching Hospitals • 150+ Institutional members of Internet2
Complex Service Offerings • The University is an Educational and Research Entity • The University is a Corporation • The University is an ISP
Cultural Challenges • Loose confederation of autonomous entities • Lack of control over users • Academic “culture” and tradition of open access to information • Complex trust relationships between departments at various Universities for research (e.g. Physics community) • Creative Network Anarchy – anyone can attach anything to the network • University research lab computers are often insecure and poorly managed; Libraries provide open terminals • Dorm Networking: little adult supervision
Why US Higher Ed Computer Networks are Attractive Targets • Excellent platforms for launching attacks • Wired dorms (insecure Linux PCs, PC Trojans) • High bandwidth Internet • Sophisticated computing capacity (scientific computing clusters, even web servers, etc.) • “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs) • Many college & university networks are insecure • Too few security experts; weak tools; most institutions do not have an InfoSec office • Few policies regarding systems security • Dearth of funding
Targets of Opportunity on US Higher Education Computer Networks • Sensitive Data • Credit Card #s, ACH bank #s • Patient Records • Student Records • Institution Financial Records • Investment Records • Donor Records • Research Data & Other Intellectual Property
Increasing Visibility of Security Issues in Higher Ed • Increasing concerns about liability: Will E-Commerce sites recover damages from institutions implicated in future DDoS attacks? • Federal funding agencies to require firewalls, security? • HIPAA is a “forcing function” in academic Medical Centers, Campus Health Centers • FERPA, COPPA, CIPA, DMCA, Privacy legislation • Threats from terrorist activities, protection of the national infrastructure • Recent incidents: Massive Virus Attacks, Intrusions Leading to Potential for Identity Theft, Liability
Educause Action Statement • Make IT security a higher and more visible priority in higher education • Do a better job with existing security tools, including revision of institutional policies • Design, develop, and deploy improved security for future research and education networks • Raise the level of security collaboration among higher education, industry, and government • Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
Statement on Stewardship, UM • Maintaining systems security and a secure computer environment for financial and other University records • Storing information you obtain under secure conditions and taking every reasonable effort to maintain privacy and confidentiality of the data
Security is a Process [cycle diagram: Risk Analysis, Audit, Security Policy, Security Countermeasures] • It’s All About Risk Management
Security Objectives • Confidentiality: Information is disclosed only to authorized individuals • Integrity: Information and programs are changed only in a specified and authorized manner • Availability: Assure that systems work promptly and service is not denied to authorized users
Primary Activities • Prevention • Security policy • Firewalls, encryption • Detection • Logging and monitoring • Intrusion detection, integrity management • Reaction • Incident response team • Recovery of resources/information
Elements of Security • Should support the mission of the organization • Is a means to an end and not an end in itself • Is an integral element of good management • Should be cost-effective
Basic Steps • Identify what you are trying to protect • Determine what you are trying to protect it from • Determine how likely the threats are • Implement measures that will protect your assets in a cost-effective manner • Review the process continuously and make improvements each time a weakness is found
MAIS Participation in Security Organizations • InfraGard - government and private sectors working together to protect critical infrastructure • CIC Security Working Group - Big 10 security officers meet quarterly • Host the UM Security Round Table - people from UM and the region attend for quarterly meetings
MAIS Data Center • Approx. 4,000 square foot computer room • Central records for HR, SA, and Fin • Houses about 130 servers • Citrix • Oracle (e.g., Fin and HE Prod) • Wolverine Access • Development, Alumni, and Constituency • Library (Mirlyn) • Axis (ITCom billing system) • Alumni Association Self Service • Printers
MAIS Enterprise Systems • Security assessment completed January 2001 • “administrative information systems in the data center are at considerable risk to technology-based security attacks” • Recommendations made to correct this are fully funded and being implemented • Infrastructure Protection Group formed with members from different areas
Some Future Things • Secure Shell to replace FTP • Use VPNs to access systems remotely • Authentication systems review and recommendations, i.e., currently up to 9 passwords • Strong yet simple • Cooperatively work towards providing the same level of security for administrative information across campus
User Security Awareness • Increase awareness of security issues • Communicate advisories • Team up with technical staff within the Units to work on technical items • Hold periodic Security Interchange meetings • Web site with security information: http://www.mais.umich.edu
Teaming Up • Identify technical support staff working on security in their respective areas • Establish an email list for discussing and sharing information regarding security • Share tools and techniques used to assess and secure our operational environments • Two-way communication is vital
Reporting Incidents • If your system has been compromised and it might affect HR, SA, Library, or Fin information and/or systems, please contact the MAIS Help Desk • If you suspect your account has been compromised, please contact the MAIS Help Desk • If it’s an emergency send email to mais.security@umich.edu and my pager is in the online directory • Still contact your local system administrators
Incident Response • January 2001 – a critical server is compromised • Serious threat to UM • Tracing the connections backwards • UM Physics • University of Maryland • University of Illinois • ADSL modem in Corpus Christi, TX operated by Southwest Bell
Criminal Matter • Felony in MI • Coordinated with • UM DPS (local) • MI High Tech Crime Unit (state) • MI State Police (state) • Detroit FBI Computer Intrusion Unit (federal) • Corpus Christi, TX PD (local) • TX High Tech Crime Unit (state)
Prosecuted • April 25, 2001 search warrant is executed • Suspect is 16 years old • Evidence found on seized equipment • Case transferred to TX for prosecution • Guilty plea on May 28, 2002
Questions and Discussion Paul Howell grue@umich.edu 734-763-0609