Effective Cybersecurity Practices for Higher Education


Securing Unmanaged Computers
Solutions, Strategies and Effective Practices
Costs of Security
Residential Security Strategies/Case Studies
Discussion of Georgia State University’s Solutions and Practices
Small Group Case Study Exercises
Reference Materials
1
Why Care About Unmanaged Computers?
- Protecting user privacy - computers often contain personal, sensitive information.
- Limiting institutional liability - managing incidents after the fact is expensive.
- Reputation - these computers are part of your network domain and reflect on the institution.
- Bandwidth cost - compromised systems may be used for serving copyrighted material that can generate a lot of bandwidth.
- DDoS - large numbers of compromised computers are being used in Denial of service attacks.
2
What Is Security?
Security is a strategy that requires tools, policies and user awareness/education to be effective.
Security is an on-going process.
- It does not end once a computer is provided access to a network or information resource, it only begins.
For effective security:
- Assume your network is a perpetually hostile environment
- Assume your weakest link is the user device (desktop/laptop)
- Develop proactive security strategies
3
What Is Security?
The development of security practices at your institution may involve:
- Department and central IT services
- Faculty senate
- General Counsel
- Internal Auditing
- Security office if designated
- Student technology support group (ResNet)
- Students
4
Security: Negative
Deliverable
Security is a negative deliverable.
You don’t know when you have it.
You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
5
Definition of Managed Computers
For this presentation, managed computer systems fall into one or more categories:
- Systems that are controlled through an automated mechanism that enforces certain aspects of the institution’s security measures or policy.
- Systems that have professional IT staff assigned to “manage” them.
Trust is bestowed upon a managed computer based on:
- Risk assessment
- Degree they are managed
Note: managed computer systems may still possess security issues!
6
Definition of Unmanaged Computers
For this presentation, an unmanaged computer system relies upon the owner of that system to do the right thing at the right time to secure their computer.
At a higher education institution, different members of the community will potentially operate unmanaged computers.
- Student owned computers
- Faculty owned computers, particularly those used for research
- Staff computers may also fall into this category
- Personally owned computers connecting from home
- Guest computers, conference attendees
7
Forces Causing
Unmanaged Computers
Laptops are becoming ubiquitous on campus
and wireless networks are commonplace.
Institutions may not own the computer in
question as in the case of student computers or
systems acquired through grants and research.
Faculty research activity may prevent updates or
changes from occurring.
Institutions may have a culture where there is an
“expectation” to work from home -- how do we
help manage their system?
8
Solution Strategies
Solutions can fall into these broad areas. A combination, dependent on your institution environment, can offer an effective strategy:
- Network architecture
- Host-based firewalls
- Agent-based products
- Patch management and anti-virus
- Response and Remediation strategies
- Effective practices and policies
  • Netauth working group documents
- User education through security awareness and training
9
Network Architecture
Network design and segmentation
Network security devices can help secure unmanaged systems either proactively or reactively.
- Proactive devices can block problems - these include intrusion prevention, firewalls, and router access control lists.
- Reactive devices can identify systems with security vulnerabilities -- intrusion prevention, intrusion detection, vulnerability scanners, and packet shapers.
10
Host-based Firewalls
Running a firewall on the computer system provides additional protection. Techniques being used:
- Windows XP - SP2 provides a basic firewall for Windows that is enabled by default.
- Other commercial products provide firewalls and IPS with more advanced features than those found on SP2.
  • Some institutions package a firewall product with anti-virus
11
Agent-Based Products
These products install an agent-based program on the computer that validates configuration settings. This agent can be queried during authentication to the network to ensure compliance.
Commercial products include Perfigo, Vernier, and BlueSocket. Each of these products has the capability to validate security settings for compliance prior to, during, or after authentication.
Many institutions have developed their own agents.
12
Patch Management and Anti-virus
Anti-virus software with regular updates is essential.
Promptly updating software to fix security vulnerabilities is a requirement to keep an unmanaged computer system secure.
Techniques available for Microsoft Windows
- Enabling auto-update for Windows XP and 2000
- Creating an institution-wide Windows Update Server and using that to update machines
- Using commercial patch management products such as Bigfix and Patchlink
- Regularly scanning systems for compliance
13
Response and Remediation
Institutions need a business process to support the remediation of compromised systems.
Some issues that must be considered:
- Do you have a policy that allows the institution to deny access to a compromised system?
- Under what circumstances do you deny access?
- Can remediation occur if access is denied?
- What assistance do you offer in fixing this system?
- How do you validate that remediation has occurred?
- How do you perform remediation in a timely fashion? What is the user’s expectation?
14
Remediation Techniques
Examples of remediation techniques
- CMU’s NetNotify is a completely online system for managing remediation.
  http://www.net.cmu.edu/epidemic/
- Some institutions delay service
  • Systems are off the network
  • Used as a motivator for students to maintain security
- Some institutions charge students to perform remediation.
- Some institutions trust students to confirm that remediation has occurred.
15
Effective Practices and Policies
The effective practices guide has a number of case studies that can help:
- IDS deployment -- Notre Dame, MIT, U. Florida
- Vulnerability scanning -- Purdue and Indiana
- Security architecture - UMich, GaTech, GMU
- Network registration/scanning - U. Conn.
- Router ACL - Cornell
- Firewall - Brown
- NAT - Bethune Cookman, Purdue
- Wireless - Penn State, Purdue, Simon Fraser
http://www.educause.edu/EffectiveSecurityPracticesGuide/1246
16
NetAuth Working Group
Internet2/NetAuth working group is
focusing on issues of network
authentication and federated wireless
authentication.
Salsa NetAuth whitepaper--frames the
issue and identifies solution strategies for
typical residential network situations.
http://security.internet2.edu/netauth/docs/draft-internet2-salsa-netauthsummary-02.html
17
NetAuth Working Group
Work is beginning on defining a model and
developing frameworks for future NetAuth
systems.
Making NetAuth systems architectural
components of a network, not add-on
components to existing systems
See the working group roadmap for a
deeper investigation of this work.
http://security.internet2.edu/netauth/index.html#Docs
18
Security Awareness and
Education
Education and awareness programs are critical
in getting buy-in and understanding for these
efforts to “protect” users and their systems.
EDUCAUSE has a CD that contains materials
that can give ideas for starting a security
awareness program
Many institutions produce a security CD for their
users. This security CD will often auto-configure
a computer to receive Windows updates and
ensure that virus protection is installed and
enabled. Please visit the url:
http://www.educause.edu/Browse/645&PARENT_ID=639
19
The Costs of attacks
Article: Costs of virus cleanups goes up
- United Kingdom blue chip companies security costs
  • $213,000 per incident (2003)
  • $52,000 per incident (2002)
- Corporate IT Forum survey
  • Average 365 man hours lost
  • 1/3 reported over 3000 man hours lost
- Computer Crime and Security Survey
  • $65 million in DoS attacks
  • 82% reported virus incidents, costing $27 million
Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci941270,00.html
20
The Costs of attacks
Article: Colleges Face Rising Costs for Computer Security
- 501 institutions surveyed
- Issues
  • Nearly 100% experienced worm and virus in the past year
  • 73% have seen an escalation
  • 53% reported attempts to adversely affect their network
- Concerns
  • Unauthorized access to financial, medical records
  • Tension of closing a traditionally open society
- Result
  • 39% do security awareness training for user community
  • 42% have Chief Information Security Officers
  • Anti-virus, spam filtering and firewalls almost universally used
http://chronicle.com/prm/weekly/v51/i17/17a00101.htm
21
The Costs of attacks
Article: Colleges Brace for the Next Worm
The Tipping Point: Blaster, 5 weeks in summer 2003
- 19 research institutions
  • $299,579 on average
- Stanford University
  • $806,000
  • 18,460 repair hours
- University of Michigan
  • $543,000
  • 16,100 repair hours
- University of Chicago
  • $377,000
  • 9000 repair hours
http://chronicle.com/free/v50/i28/28a02901.htm
22
Cost of Prevention
Use the figures to do your Risk Assessment
- Don’t do an ROI – this is prevention, not an investment
- Share the information of what can happen if you don’t reduce your risks
- Identify your threats and your vulnerabilities
23
Security and the Support of
Residential Communities
David Futey, Stanford University
EDUCAUSE/Internet2 Computer and Network Security Task Force
ResNet Steering Committee, Chairperson
24
A Question of Philosophy and Resources
If we were only a Fortune 500…
Variety of solutions
- Registration, patch management appliances
- Client agents
- Scanning
Policy that guides the solutions
Resources to enact solutions
How and from whom are your residential students supported? Specific area (designated ResNet group) and or part of overall IT services?
25
Recent Security
Challenges
Welchia - July 2003
Blaster - August 2003
Worms - ongoing
Agobot/Gaobot -2004
Malware - 2004
Adware - 2004
Spyware - 2004
Rodin: The Gates of Hell
D. Futey photograph
26
Residential
Security Priorities
Protecting user privacy
User education
Responsible control and management
Network integrity
Institution integrity
Limiting institutional liability
27
The Process
Registration
Detection
- Active
- Passive
- Agents
Isolation
Remediation
28
Security Options
Commercial
- Microsoft Software Update Server
- Bradford Campus Bandwidth Manager
- Perfigo
- Still Secure - Safe Access
Open Source
- Nessus - vulnerability assessment
- Snort - intruder detection
Network Segmentation
29
Security Options
Email
- CanIt (http://www.canit.ca/)
- ClamAV for virus scanning
  http://www.clamav.net/
- BlueCatNetworks Meridius Email
  • http://www.bluecatnetworks.com/products/meridius/index.html
- Sophos (www.sophos.com)
30
Enterprise Spyware Options
WebRoot's SpySweeper Enterprise
Adaware SE Pro
Anti Virus
- McAfee ePolicy
- Symantec version 10
Desktop IPS
- ISS Proventia desktop
31
Georgia State University
Perfigo (now Cisco) Clean Machines
- Checked for running AV, ISS desktop IPS, Windows updates
- Ran a Nessus scan to detect worms or familiar anomalies
AV and ISS policy sigs were “auto” pushed to residents’ computers
At the edge of the network, we unidirectionally blocked P2P traffic coming in from the “outside” world—resulted in stopping the copyright violation letters from watchdog agencies
Incidents decreased dramatically
32
Tufts University
ResNet installer
- Checks for Windows Auto Update
- “Advises” students to select if not configured
Under Evaluation
- Provide services through a domain
  • Access file storage and resources
  • Centrally evaluate patch level and virus definitions
  • Student must agree to evaluation process for domain access
- Intel LANDesk
  – Presently used for faculty and staff patch management
  – Evaluating other utilities
At issue
- Sensitivity regarding ‘control’ of the computer
33
University of Western Florida
No registration utility at present
- Switch ports mapped to rooms
- DHCP for IP assignment
Periodically scan network for vulnerabilities (Sasser)
De-activate computers that are not patched
- Letter delivered by the student's Resident Assistant
- Student contacts ResNet office
- ResNet office patches student’s computer
- Educate the student on proper security measures
- Re-activate
34
Iowa State University
New student computers registered with Netreg
- Computers redirected to Netreg web server when they are first connected.
- Students authenticate to kerberos servers during initial Netreg session
If Windows 2000 or XP computer is detected
- Students are directed to download Computer Inspector
- Computer Inspector verifies connection standards
35
Iowa State University
Connection standards that must be met
- Weak passwords
- Service Pack Levels
- Hot fixes
- Automatic Windows Updates
- Antivirus available
- Antivirus on Access scan
- Antivirus update
- Antivirus on Demand
Future
- Enhancements to Computer Inspector
- Develop policy for student connectivity
36
University of Twente, The Netherlands
New and unregistered students quarantined
- Must register
- Access to patch and antivirus sites
Quarantine if infected once on the network
- Detected through infecting a honeypot
- Network Operators
Student corrects problem
- Requests access to routable network
- Option available once every 6 months
37
University of Twente
If student is still or becomes re-infected
- Honeypot can detect within 15 minutes (95%)
- Staff intervention to determine status
- Possible re-installation by staff
Results
- Reduction in external complaints
- Educate university community
38
Swarthmore College
Site License antivirus software
Centrally manage antivirus updates
- ePolicy
  • Automatic updates
  • Client agent (1.3MB) connects to ePolicy server
Virus event reporting
Email scanned prior to delivery
39
Hebrew Union College
- Small seminary
  • 4 locations
    – New York, Los Angeles, Cincinnati, Jerusalem
- 500 Students – 230+ employees
- No student dorm access
- Limited public access labs
  • Labs are locked down W2K machines
  • Thin client terminals
40
Hebrew Union College
Students can NOT connect personal
computers to campus network
Researchers and visiting scholars must let
IT staff clean and patch machines
Limited staff – limited access
Capital budget to upgrade network to allow
Netreg type solution.
41
Stanford University
Contact students prior to arrival and request install of anti-virus software - CD provided, on line sources.
Students register computer
- Review and confirm acceptance of University and residential AUP
BigFix
- Patch management
- Concern by students on information collected
- Approval from Chief Security Officer, General Counsel and Internal Audit may be required for changes in collected data
RCC assists with remediation
Stanford Security Self-Test tool
42
University of Massachusetts Amherst
Students register computer
- Review and confirm acceptance of University and residential AUP/Conditions of use
Safetynet
- Infected systems are isolated at layer 2 or layer 3
- Help Desk ticketing system is notified/email sent to student
- Student has access to Help Desk ticketing system
- Student may self-remediate
- Software group approves restoration of service
43
ResNet Vulnerability Survey (n=94)
Tool to register student's computer (Y=85%)
- Lack of resources (3%)
- Do not register (6%)
Registration Tools
- Homegrown utility
- Southwestern University NetReg
  • www.netreg.org
- Bradford Campus Manager
- Perfigo
- Cisco switches with VMPS
- CMU NetReg
44
ResNet Vulnerability Survey
Tool to evaluate student's computer (Y=69%)
- Lack of resources (9%)
- Evaluating how others approach it (11%)
Evaluation Tools
- Homegrown utility
- Perfigo
- Nessus or Nessus in combination with other utilities
- Bradford Campus Manager
- Microsoft SUS
Evaluate off campus student laptop when accessing through on campus wireless
- No (64%)
45
Georgia State University
Effective Practices and
Techniques to Prevent Attacks
and Intrusions
46
First, Some 2004 Statistics
2 million attacks launched against our systems each
week
95% or more of the successful ones targeted Win2k or
XP workstations
5% aimed at servers and network equipment
580+ desktops ravaged by Sasser within a week’s time
250+ of these compromised by hackers within a day or
two later
40-60 successful malware invasions per day on
university and residential systems combined
Reduced by 95% in late 2004 to 1 or 2 incidents a day
47
Most Common Threats
Emailed worm attachments and URL’s that install
spyware and Trojan Horses
Exploited backdoors left behind by worms used to get
“root” and install hacker utilities
Cracking weak passwords to get root
Using automated exploits such as “DCOM” to get root
NT and unix rootkits
IRC hackers turning systems into bots for use in DDOS
attacks or as warez servers
Spam propagation through various exploits that install
SMTP engines on workstations and mail servers
misconfigured as open mail relays
48
Effective Practices and
Solutions
In addition to AV on the desktops and/or servers, robust gateway
scanners… √
Control and restriction at the edge or on segments via a firewall
Dynamic blocking at the edge via IPS…√
Centrally-maintained patch management… √
IPS at the desktop, on servers, at the edge… √
Ability to mandate use of “strong” passwords, through a combination of
policy and technology… √
VPN for remote access…√
Encrypted data transmission… √
Secure email and/or FTP
Vulnerability assessment and risk analysis… √
A SIM or central logging facility to gather disparate data gathered daily from
firewalls, IDS, IPS, AV, etc., with data correlation and reporting
24/7 monitoring and incident detection/response
49
Effective Practices and
Solutions
Taking advantage of current federal legislative
requirements such as GLBA and HIPAA to enforce
minimum levels of security on networked devices
processing sensitive info…√
Developing (in our case a WebCT Vista) security
awareness course that can be distributed to faculty, staff,
and students …√
Establishment of secure, trusted zones that are
separated from the rest of the network…√
Access/authentication requirements on every wired port
(except public access stations) and wireless areas…√
Identity management
Self defending networks – endpoint security enforcement
and compliance
50
Where Do You Start?
With an external audit or risk assessment if funding is available
With a strategic plan that ties your security objectives in with your university’s academic and IT goals
With a tactical plan or roadmap that identifies the major risks, threats, and vulnerabilities on your network and what is needed to mitigate them—in both qualitative and quantitative measures
With a detailed network security architecture design that provides defense in depth
With the development of facilitating structures such as security committees, taskforces, incident response teams
With a review of existing policies, procedures, guidelines, security technology in use, and regulatory requirements
51
Case Study Exercises
The following scenarios are found at many
universities and they require decisions
based on staff resources, funding
requirements, and more often than not,
political concerns
There are no right or wrong answers
Perhaps the best results will involve
thinking outside the box and creative
brainstorming without limitations
52
Residential Computing
You’re the ISO at a mid-sized college with 2000 residential students that will be moving back to the dorms in the fall. The IT support people have warned you that they received calls the previous year about the network being unstable or crashing occasionally and the network gurus stated that the cause of this appears to be related to worm outbreaks and problem systems in the dorms. They ask you to advise them on what to do to prevent that from happening this next academic year.
- What course of action would you suggest?
- Would you advise them to “turn off” P2P downloading or cap bandwidth? Why or why not?
- Would you require the students to install protective programs on their pc’s such as AV or desktop firewalls? Why or why not?
- Would you advise the network gurus to separate the residential network from the campus network? Why or why not?
53
Selecting A Security Architecture
You’re the new ISO at a small mid-western college, with approximately 3000 students and centrally managed information technology resources. You find when you accept this position that the only security mechanism in place at the college is antivirus software. You feel that based on what you’ve heard from the network staff about numerous abuse complaints that came in through email about 1) systems on the network attacking external agencies and 2) a faculty member’s web server that contained SSN’s and other student information that was recently compromised, that there is a need to better protect the university’s information technology resources. However, when you suggest that the college invest in a commercial firewall solution you are familiar with, the CIO tells you there is no security budget available this fiscal year.
- What would you then suggest as a possible course of action?
- Would you focus on host security mechanisms or ACL’s at the edge of the network? Why or why not?
- Are there any free or open source tools you would want to use for vulnerability assessments, IDS, firewalls, removal of malware, etc.? What are they?
- How would you engender support for funding commercial security solutions that you felt needed to be implemented?
54
Regulatory Compliance
Your Legal Affairs office informs you that there are HIPAA covered entities and business associate relationships and you have to ensure the university is in compliance with “the Security Rule.” Your Comptroller is worried about GLBA and SOX Sarbanes Oxley. You have concerns about potential exposures of credit card transactions or FERPA data.
- What course of action would you recommend?
- Would you try to mandate security standards for those who are affected? Why or why not?
- Would you push through some new policies or standards? What types of policies or standards would you recommend or develop?
- How would you go about ensuring compliance?
55
Defending the Network
Charles, the network manager, wants to set up a Checkpoint firewall at the edge and on various segments of your mid to large-sized university’s decentralized network, and close ports or restrict services as needed. Campus departmental administrators would have to request exceptions to the firewall rules. Systems administrators on campus are in favor of an IPS solution that will allow you to institute dynamic blocking and protocol analysis. Others are telling your CIO that neither is a good solution and too hard to deploy.
- What course of action would you recommend?
- Which solution do you feel is most effective—a network firewall or IPS and why?
- What factors would be most important in your decision making process as to the type of solution you would choose?
- What factors would be most important in your decision making process as to the specific solution you would select?
56
Reference Material
The remainder of this class guide is
comprised of reference materials compiled
by various university contributors
57
Yale’s Effective Practices and Policies
Unmanaged clients:
- Site-wide licenses for Symantec Anti-Virus and Spysweeper
- Multiple campus SUS/WUS patch/update servers.
- Education and awareness (website, guides, training)
Network:
- IDS deployment -- SNORT IDS - bidirectional or RIDS
- Vulnerability scanning -- ISS and Nessus
- Security architecture - Internal Firewalls, some RFC1918
- Network registration/scanning - NetReg system w/scanning
- Router ACL - Some ports blocked at Internet router
- Firewall - external router ACL + Packetshaper, internal FWs
- NAT - currently no global NAT but local NAT routers
- Wireless - MAC registered DHCP, VPN
58
Network IDS Effective Practices and Policies
IDS Deployment
- Inside Internet router (mirrored port)
- Outside critical server networks (E-Mail, Web, DB)
- At border of sensitive networks (Police, Hospital/Medical Labs)
59
Network IDS Effective Practices and Policies
IDS Usage:
- Bidirectional or RIDS (Reverse Intrusion Detection System)
- Look for attacks emanating on your network(s) outbound - as this tells you what computers are infected or under malicious control.
- Also look for services (FTP, SSH, E-Mail, Web proxy, IRC) running on internal computers on non-standard ports
- Look for PCs sending infected or spam e-mail
- Look for computers scanning network IP ranges or port ranges
- Look for IRC “bot” drones (on rogue channels or servers, running XDCC)
- Look for login failures (better to do this with a HIDS or log analysis on client PCs, servers and authentication services) or similar errors.
60
Network VAT Effective Practices and Policies
VAT (Vulnerability Assessment Tools) -- ISS and Nessus
- Get a policy allowing network vulnerability scanning.
- Notify the community.
- Scan for one or a few vulnerabilities if doing a network wide scan.
- Scan for vulnerabilities currently being exploited and/or for which warnings and patches have just been announced.
- Scan for the most commonly found and exploited vulnerabilities (SANS top)
- Notify the owner/users of vulnerable computers.
- Follow up.
- Rescan on a regular basis (monthly).
61
Network Architecture Effective Practices/Policies
Network Security architecture
- Firewalls
- IPS
- Packetshaping / Bandwidth management / QoS guarantees
- Router ACLs
- RFC1918 IP subnets (10, 172.16 - 172.31, 192.168.*)
- VLANs
- Switches
62
Netflow
“NetFlow technology efficiently provides the metering base for a key set of applications including network traffic accounting, …”
Data export mechanism that records information about router flows.
- Src/dst IP, port, etc
- Bytes
- No packet content is logged
63
Netflow
NetFlow exports a LOT of data, especially if you have big fat pipes…
- Need a quick system to process it all
- Must rotate and summarize data frequently
- Substantial upfront time to install, configure, and optimize
- But once you have it, there is no going back
64
NetFlow Add-ons and Tools
Several commercial and freely available tools to manipulate and develop reports from NetFlow data
FlowScan
  • http://www.caida.org/tools/utilities/flowscan
Flow-tools
  • http://www.splintered.net/sw/flow-tools
66
NetFlow Add-ons and Tools
Several commercial and freely available tools to manipulate and report on NetFlow data.
Argus is a separate system (doesn’t use NetFlow data but uses packet capture in promiscuous mode) which can obtain similar, more detailed results:
  • http://www.qosient.com/argus
67
NetFlow Caveats
Great tool for detecting Denial of Service attacks
- However, it is prone to data loss under abnormal load
- Visual analysis is often the most efficient detector
Great tool for post-incident analysis
- Provided the data has not been cycled off the system
68
NetFlow Caveats
As links become faster, many flow exports are sampled
- You get a statistical representation of data across your network
- Still useful for Capacity planning and DoS detection, but of limited use for forensics purposes
Not necessarily the first tool in your toolkit, but an invaluable one to complement all the others
69
NetFlow Graphs: Detecting Anomalies
[graph slides 70 and 71; the graphs themselves are not reproduced in the transcript]
Example: flow-print data
srcIP            dstIP            prot  srcPort  dstPort  octets  packets
80.116.163.85    xxx.yyy.131.204  17    3111     1434     404     1
81.3.162.10      xxx.yyy.131.182  17    1514     1434     404     1
200.74.27.228    xxx.yyy.131.246  6     447      8080     40      1
200.74.27.228    xxx.yyy.131.246  6     64068    80       40      1
200.74.27.228    xxx.yyy.131.246  6     50265    3128     40      1
142.179.169.213  xxx.yyy.131.178  17    1126     1434     404     1
213.60.21.96     xxx.yyy.131.171  17    1923     1434     404     1
212.180.2.68     xxx.yyy.131.114  6     63559    41544    40      1
200.29.164.162   xxx.yyy.131.233  17    1051     1434     404     1
202.103.13.62    xxx.yyy.131.35   6     9001     30185    40      1
213.119.233.63   xxx.yyy.131.7    17    1246     1434     404     1
216.51.150.219   xxx.yyy.131.7    17    1157     1434     404     1
24.112.24.160    xxx.yyy.131.122  17    1129     1434     404     1
72
Darknets
Combining netflow with network infrastructure can improve network awareness
- Malware generally scans local address space preferentially
- Many organizations have unused network address space
Analyzing traffic destined for these unused networks is a valuable detection tool
73
Network ACLs Effective Practices and Policies
External / Internet Network Router ACLs:
- Anti-Spoofing Ingress (discard RFC1918 and all bogus source IP)
- Anti-Spoofing Egress (only allow your public IPs as source IP) “Good Neighbor Policy”
- Block broadcast and other obvious DoS attacks (detect SYN floods?)
- Block Windows Networking (TCP/UDP 135-139, 445, 42), SunRPC/NFS
- Block other ports you consider dangerous (1433/1434, 23, 25)
- Limit SMTP inbound/outbound to known e-mail servers?
74
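The external-router ACL checklist above is easier to reason about when written out as an ordered policy and exercised against sample packets. The following is an added example, not code from the deck or from any of the institutions it describes: a small Python evaluator that applies the slide's rules in order (ingress and egress anti-spoofing, broadcast destinations, Windows networking and SunRPC/NFS ports, the "dangerous" ports, and SMTP restricted to known mail servers). The address block 203.0.113.0/24 and the mail server 203.0.113.25 are constructed stand-ins, and the exact bogon prefix list, the SunRPC/NFS port numbers (111, 2049) and the choice to handle port 25 through the mail-server rule rather than a flat block are this example's assumptions.

```python
"""Router-ACL policy check for a campus Internet border.

Constructed example: 203.0.113.0/24 stands in for the institution's public
block and 203.0.113.25 for its known mail server; neither comes from the deck.
"""
from ipaddress import ip_address, ip_network

OUR_PUBLIC = [ip_network("203.0.113.0/24")]      # constructed: our public address block
MAIL_SERVERS = {ip_address("203.0.113.25")}      # constructed: the only host allowed SMTP

# Source addresses that should never arrive from the Internet: RFC1918 plus
# other prefixes that are not routable on the public Internet (assumed list).
BOGUS_SOURCES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Port sets named on the slide; SunRPC/NFS port numbers are an assumption.
WINDOWS_NETWORKING = {42, 135, 136, 137, 138, 139, 445}
SUNRPC_NFS = {111, 2049}
DANGEROUS = {"tcp": {23, 1433}, "udp": {1434}}
SMTP = 25


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def evaluate(direction, proto, src, dst, dport):
    """Return (action, reason) for one packet seen at the Internet-facing router.

    direction: "ingress" (Internet -> campus) or "egress" (campus -> Internet)
    proto: "tcp" or "udp"; dport: destination port.
    Rules are applied in the order the slide lists them; first match wins.
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "ingress":
        if _in_any(src, BOGUS_SOURCES):
            return ("deny", "anti-spoofing ingress: RFC1918/bogus source")
        if _in_any(src, OUR_PUBLIC):
            return ("deny", "anti-spoofing ingress: our own prefix as source from outside")
    elif direction == "egress":
        if not _in_any(src, OUR_PUBLIC):
            return ("deny", "anti-spoofing egress: source is not one of our public IPs")
    else:
        raise ValueError("direction must be 'ingress' or 'egress'")

    # Limited and directed broadcast destinations are classic amplification targets.
    if dst == ip_address("255.255.255.255") or any(dst == n.broadcast_address for n in OUR_PUBLIC):
        return ("deny", "broadcast destination")

    if dport in WINDOWS_NETWORKING:
        return ("deny", "Windows networking port")
    if dport in SUNRPC_NFS:
        return ("deny", "SunRPC/NFS port")
    if dport in DANGEROUS.get(proto, set()):
        return ("deny", "port designated dangerous")

    # SMTP: inbound only to our mail servers, outbound only from them.
    if dport == SMTP:
        mailhost = dst if direction == "ingress" else src
        if mailhost not in MAIL_SERVERS:
            return ("deny", "SMTP limited to known mail servers")

    return ("permit", "no rule matched")


if __name__ == "__main__":
    # Constructed sample packets (direction, proto, src, dst, dport).
    samples = [
        ("ingress", "udp", "10.1.2.3", "203.0.113.5", 53),
        ("ingress", "tcp", "198.51.100.7", "203.0.113.5", 445),
        ("egress", "tcp", "192.168.1.9", "198.51.100.7", 80),
        ("ingress", "tcp", "198.51.100.7", "203.0.113.25", 25),
        ("ingress", "tcp", "198.51.100.7", "203.0.113.5", 25),
        ("egress", "tcp", "203.0.113.5", "198.51.100.7", 443),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

The egress anti-spoofing rule is the "Good Neighbor Policy" from the slide: a campus host that emits packets with a foreign source address cannot reach the Internet, which stops your network from being the launch point for spoofed floods. Keeping the order of checks explicit matters on real routers too, where the first matching ACL entry decides.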
Darknets
Since the darknet address space is unused, traffic destined there is at least spurious and probably malicious
Local hosts connecting to this space are likely infected
- Or at least misconfigured
Addresses at the top and bottom of ranges are often scanned first
- Much malware still scans sequentially.
75
Darknets
Non-local hosts connecting to this address space provide interesting situational awareness
- Current scanning trends
- Possible perimeter defense weaknesses or misconfigurations
- Network reconnaissance analysis
76
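The flow-print excerpt (slide 72) and the darknet slides (73, 75 and 76) describe the same analysis from two sides: single-packet flows fanning in from many sources show what is being scanned for, and traffic into unused address space shows which local hosts are infected and what the perimeter lets through. The following is an added example, not code from the deck: a Python triage script that parses flow-print style records and applies three of the detections the slides describe. The sample data is constructed from the page's own excerpt, with the documentation range 203.0.113.0/24 standing in for the masked xxx.yyy.131.0/24 and two extra rows added for an internal host touching the unused tail of the block; the darknet range 203.0.113.224/27 and the thresholds are assumptions. The single 404-byte UDP datagrams to port 1434 from many unrelated sources are the pattern a scanning worm such as SQL Slammer leaves in flow data.

```python
"""Triage of flow-print style NetFlow records: worm-style probing, port sweeps
and darknet hits.

Constructed sample modelled on the deck's flow-print excerpt. The deck masks the
campus network as xxx.yyy.131.0/24; here 203.0.113.0/24 stands in for it, and the
last two rows (an internal host probing the unused tail of the block) are added
to show the darknet case.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLE_FLOWS = """\
srcIP dstIP prot srcPort dstPort octets packets
80.116.163.85 203.0.113.204 17 3111 1434 404 1
81.3.162.10 203.0.113.182 17 1514 1434 404 1
200.74.27.228 203.0.113.246 6 447 8080 40 1
200.74.27.228 203.0.113.246 6 64068 80 40 1
200.74.27.228 203.0.113.246 6 50265 3128 40 1
142.179.169.213 203.0.113.178 17 1126 1434 404 1
213.60.21.96 203.0.113.171 17 1923 1434 404 1
212.180.2.68 203.0.113.114 6 63559 41544 40 1
200.29.164.162 203.0.113.233 17 1051 1434 404 1
202.103.13.62 203.0.113.35 6 9001 30185 40 1
213.119.233.63 203.0.113.7 17 1246 1434 404 1
216.51.150.219 203.0.113.7 17 1157 1434 404 1
24.112.24.160 203.0.113.122 17 1129 1434 404 1
203.0.113.57 203.0.113.230 6 1044 445 48 1
203.0.113.57 203.0.113.231 6 1045 445 48 1
"""

LOCAL_NET = ip_network("203.0.113.0/24")    # constructed: the campus block
DARKNET = ip_network("203.0.113.224/27")    # constructed: unallocated tail of the block
INT_FIELDS = ("prot", "srcPort", "dstPort", "octets", "packets")


def parse_flows(text):
    """Parse whitespace-separated flow-print output into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    flows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip ragged lines rather than mis-assign columns
        rec = dict(zip(header, fields))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def single_packet_probes(flows, min_sources=3):
    """(prot, dstPort) pairs hit by one-packet flows from many distinct sources.

    A large fan-in of identical single datagrams is what a scanning worm looks
    like in flow data; the value is the number of distinct sources seen.
    """
    sources = defaultdict(set)
    for f in flows:
        if f["packets"] == 1:
            sources[(f["prot"], f["dstPort"])].add(f["srcIP"])
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def port_sweeps(flows, min_ports=3):
    """One source probing several ports on one host with single packets."""
    ports = defaultdict(set)
    for f in flows:
        if f["packets"] == 1:
            ports[(f["srcIP"], f["dstIP"])].add(f["dstPort"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def darknet_hits(flows):
    """Split flows into the darknet by origin.

    Local sources are likely infected or misconfigured; external sources show
    current scanning trends and what the perimeter filters let through.
    """
    local, external = [], []
    for f in flows:
        if ip_address(f["dstIP"]) in DARKNET:
            bucket = local if ip_address(f["srcIP"]) in LOCAL_NET else external
            bucket.append(f)
    return local, external


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("single-packet probes:", single_packet_probes(flows))
    print("port sweeps:", port_sweeps(flows))
    local, external = darknet_hits(flows)
    print("darknet hits from local hosts:", sorted({f["srcIP"] for f in local}))
    print("darknet hits from outside:", sorted({f["srcIP"] for f in external}))
```

On the sample, the probe detector reports eight distinct sources sending one UDP datagram each to port 1434, the sweep detector picks out the one external host that tried three ports on one machine, and the darknet split shows the constructed internal host 203.0.113.57 reaching into unused space (the "likely infected" case on slide 75) alongside external probes of that space (slide 76). On a real collector the same functions would run over each rotated flow file, which is the summarize-frequently practice slide 64 recommends.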
Forensics
Once an incident has occurred, often we
need to be able to reconstruct events.
To determine if we are still vulnerable.
To recover data
To identify attacker
To work with law enforcement and/or
legal counsel
77
Non-Commercial Forensics Tools
The Coroner’s Toolkit
- “A collection of programs … for a postmortem analysis of a UNIX system after break-in”
  http://www.porcupine.org/forensics/tct.html
TASK/Autopsy
- Open Source forensic toolkit for analyzing Microsoft and UNIX filesystems.
  • http://www.atstake.com/research/tools/task
  • http://www.atstake.com/research/tools/autopsy
78
Non-Commercial Forensics Tools
Foundstone’s Forensic Toolkit v2.0 and other tools
http://www.foundstone.com/knowledge/forensics.html
79
Forensics: Autopsy
Screenshot
http://www.atstake.com/research/tools/autopsy/images/timeline1.gif
80
Commercial Forensics Tools
Guidance Software's Encase™
Access Data’s Forensic Toolkit™ (FTK™)
Paraben Corporation PDA Seizure
The following companies sell tools only to government, DOD and law enforcement:
Fred Cohen's ForensiX (http://all.net/ForensiX/)
NTI (http://www.forensics-intl.com/tools.html)
81
Guidance Software's
Encase™ 4.0
The most popular computer forensics
software package currently used is
Guidance Software's Encase(tm) http://www.encase.com/ -- as it allows the
use of Windows and integrates a number
of functions within an easy to use GUI
interface.
82
Network ACLs Effective Practices and Policies
Internal Network Router ACLs:
- Anti-Spoofing Ingress (discard all bogus source IPs)?
- Anti-Spoofing Egress (only allow your public IPs as source IP) “Good Neighbor Policy”
- Disable directed broadcasts.
- Disable other obvious DoS attacks (detect SYN floods?)
- Any ports you consider dangerous?
- Limit any services to the local subnet (RPC, NFS, etc.)?
83
NAT & Firewall Effective Practices and Policies
For the most part the same as Internal Network Router ACLs:
- Anti-Spoofing Ingress (discard all bogus source IPs)?
- Anti-Spoofing Egress (only allow your public IPs as source IP) “Good Neighbor Policy”
- Disallow directed broadcasts & other obvious DoS attacks (SYN floods)
- Any ports you consider dangerous?
- Limit any services to the local subnet (RPC, NFS, etc.).
But also…
- Open any ports/services on the protected network to the outside?
- Don’t allow certain hosts access to the outside?
- Block outbound connections (e.g. to disarm ‘worms’)?
- How do you now identify infected/malicious computers?
- Computers with DMCA complaints?
84
WiFi Security Effective Practices and Policies
On ‘open’ wireless networks:
- Encourage or require ‘secure’ network application protocols.
- Encourage or require VPN connections over the wireless network.
On ‘medium’ security wireless networks:
- Require and use MAC address network registration / scanning.
- Use MAC address filtering if possible and scalable.
- Disable SSID broadcasts in beacon frames.
For higher security wireless networks:
- Use 802.1X authentication with PEAP and RADIUS.
- Use WPA or WPA2 encryption rather than WEP -- e.g. use 802.11i
- Monitor for both rogue WAPs (Wireless Access Points) and clients as well as rogue WLANs. Note dangers of accidental association as well as malicious overpowering.
85
Security Resources
http://www.sans.org
• Sans (SysAdmin, Audit, Network, Security)
http://www.cert.org
• Computer Emergency Response Team
http://www.incidents.org
• Internet Storm Center tracking site
http://www.secinf.net
• Windows Network Security
http://www.securityfocus.com/
• Unix, Windows, Virus, IDS
86
Email Resources
Email Lists
- www.counterpane.com Bruce Schneier
  – Monthly email digest of Computer security issues
- www.ntbugtraq.com
  – Windows NT security list
- www.intrusions.org
  – Daily digests of port probes and good discussions
- www.microsoft.com/security
  – Links to Microsoft’s security page
- http://survey.mailfrontier.com/survey/quiztest.html
  – Online phishing quiz
87
Acknowledgment
This material has been developed by a variety of
individuals at campuses and members of the
EDUCAUSE/Internet2 Security Task Force.
Their able assistance in the development of this
material is gratefully acknowledged.
88