CU – Boulder
Security Incidents
Jon Giltner
Our Challenge
What do we face…
The campus computing environment:
– ~ 20,000 PC-class systems
– ~ 6,000 Server-acting systems
– ~ 40,000 accounts
Like most universities, the campus is highly decentralized
What do we face, part 2…
We’re responding to about 50 incidents per week:
42% network worms
18% “Root kits”
18% SPAM bots
15% copyright
7% email worm
Few involve protected data
High Visibility Incidents
October 2004
– Continuing Education: CCs and PII
July 2005 (all PII)
– Wardenburg Health Center
– College of Architecture and Planning
– Department of Housing including ID Card
– Office of the Registrar
Invoke Incident Response Process
Formal documented process established in 2004
“Requires” notification and involvement of central IT
CERIAS Incident Response Database
– Center for Education and Research for Information Assurance and Security IRDB
  https://cirdb.cerias.purdue.edu/website/
– Web-based tool for managing security incidents
– Supports email, contact management, role-based access and multi-level access to hierarchical domains of confidentiality.
Data Breach Response Team
Team is formed if incident involves potential breach of sensitive data
Mandate independent forensics
– Credit card companies mandate the firms you can use.
The team’s primary role is to handle communications:
– Notification to affected individuals via US postal mail using best last known address
– Notification to affected individuals via email when email addresses are available
– Press release
– Web content
– Follow-up communications with press
– Establish and man hot-line for notified individuals (department responsibility)
Data Breach Response Team
Who is involved:
– Legal Counsel
– Department head for the compromised department
– IT Security Coordinator
– Technical lead for the compromised department
– Campus Police
– University Communications
– University Privacy Officer
– University Officer with oversight for the compromised department
– Treasurer's office if compromise involves credit cards
Vulnerabilities
Windows patches
Oracle updates
Third-party software, i.e., Veritas backup software
Stale databases
Culpability
(Discussion)
Application and system administration within departments?
Controls at network layer?
Vendor software?
Existence and/or enforcement of well-communicated policies regarding data management?
Questions:
Have we over-responded to these specific incidents?
– (Not according to established IR process)
Has CU-Boulder been victimized more than others, or have we just acknowledged it more publicly?
Negative Impacts:
PII potentially spilled
– (ultimate perception is that it has)
University reputation
Target squarely on our backs – “script kiddies, look there”
Positive Impacts
Real-time honing of our Incident Response System
Security initiatives getting executive attention
Gotten attention of local system admins and their dept. heads
Proposed sweeping changes
Scoping the Challenge Ahead
Must meet academic, research and administrative needs
Multi-layered Approach
– Host administration
– Network access must be earned
– Awareness & Education
– Frequent Risk Assessments
Compounding 70% solutions!
The Passel of Solutions
1. Private IP addresses for desktop-class systems
2. Require Host-based Intrusion Detection Software
3. Risk Assessments performed by 3rd party
4. Further Restrict Inbound Internet Traffic
5. Server Registration