Presentation - The University of Texas at Dallas



INFORMATION SECURITY OFFICE
Information Security Student Night
Wednesday, Oct 19
7 p.m. - 9 p.m. Location: JSOM 11.305
Games, prizes, pizza! The Information Security Office will provide students with ways to protect their property and information, along with how to avoid phishing scams and Look for the Hook! The winner of the ISO Anti-Phishing poster contest will be announced, and information on how to develop a career in cyber security will be provided.
CISO UPDATE
NATE HOWE
CHIEF INFORMATION SECURITY OFFICER
[email protected]
LEWIS WATKINS
CISO UPDATE
• Annual Report to President Benson
– Increased use of NetIDplus powered by Duo
– Financial responsibility for incidents
• SecureWorks partnership for 24x7 monitoring
• Recent investigations
• LastPass password utility
• Network and web testing partnerships
DISTRIBUTED DENIAL OF SERVICE (DDOS)
BRIAN MCELROY
INFORMATION SECURITY MANAGER
[email protected]
BACKGROUND INFO
• Malicious party tries to make an online service
unavailable by flooding target with traffic
• Over 2,000 DDoS attacks occur daily world-wide [1]
• $150 can buy a week-long DDoS attack [2]
[1] https://www.arbornetworks.com/threats/
[2] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
WHAT WE KNOW
• Network Time Protocol (NTP) amplification attack
• Traffic sent to www.utdallas.edu IP
– Overwhelmed CPUs on external firewall
– External connectivity unusable
– Degradation of service for legitimate requests
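As an added example (not part of the presentation), the kind of detection logic a network team could run over flow records to spot the NTP amplification pattern described above: many reflectors sending replies from UDP port 123 that are far larger than a normal NTP packet. The victim address, the flow format and every record are constructed placeholders, not UT Dallas data.

```python
from collections import defaultdict

NTP_PORT = 123
NORMAL_NTP_BYTES = 48      # payload of an ordinary NTP request or response
AMP_FACTOR = 4             # flag sources whose replies average > 4x a normal NTP packet
MIN_REFLECTORS = 3         # an amplification flood arrives from many reflectors at once

# Constructed flow records, not real UT Dallas traffic. The victim address is a
# placeholder from the documentation range standing in for the www server IP.
# Fields: src_ip src_port dst_ip dst_port proto bytes packets
FLOWS = """\
203.0.113.10 123 198.51.100.5 34567 udp 48 1
203.0.113.11 123 198.51.100.5 80 udp 48200 100
203.0.113.12 123 198.51.100.5 80 udp 46800 100
203.0.113.13 123 198.51.100.5 80 udp 44000 100
203.0.113.14 53 198.51.100.5 80 udp 50000 100
203.0.113.15 123 198.51.100.9 80 udp 48200 100
198.51.100.5 80 203.0.113.50 44321 tcp 1500 10
"""

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append((src, int(sport), dst, int(dport), proto, int(nbytes), int(pkts)))
    return flows

def ntp_amplification_report(flows, victim):
    """Aggregate UDP traffic from source port 123 toward the victim, per reflector.
    Ordinary NTP replies are ~48 bytes; monlist-style replies are roughly ten times
    larger, so a crowd of sources sending large port-123 replies is the signature."""
    per_src = defaultdict(lambda: [0, 0])   # src_ip -> [bytes, packets]
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto == "udp" and sport == NTP_PORT and dst == victim:
            per_src[src][0] += nbytes
            per_src[src][1] += pkts
    reflectors = sorted(
        src for src, (b, p) in per_src.items()
        if p and b / p > AMP_FACTOR * NORMAL_NTP_BYTES
    )
    return {
        "reflectors": reflectors,
        "bytes_from_reflectors": sum(per_src[s][0] for s in reflectors),
        "alert": len(reflectors) >= MIN_REFLECTORS,
    }

if __name__ == "__main__":
    print(ntp_amplification_report(parse_flows(FLOWS), "198.51.100.5"))
```

The reflector list is what an upstream provider would need to black-hole or rate-limit the traffic at the edge rather than letting it reach the firewall.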
WHAT WE KNOW
• Five attacks
– 9/26, 9:40am – 9:43am
– 9/26, 4:50pm – 4:53pm
– 9/27, 9:31am – 11:03am
– 9/28, 11:14am – 11:25am
– 10/1, 2:06pm – 3:48pm
WHAT WE'RE DOING ABOUT IT
• Moved www.utdallas.edu to new IP addresses
• LEARN & OTS able to black hole incoming traffic
• CISO feedback from other institutions
• FBI has been notified
• Partnered with DDoS prevention company
SSN USE ON CAMPUS
STEPHENIE EDWARDS
AWARENESS & OUTREACH
[email protected]
SSNS ARE STILL IN USE ON CAMPUS
• SSNs sometimes are needed on campus to identify faculty,
staff, and students (HR, Payroll, Financial Aid)
• However, sometimes they are used as a unique identifier
when another would work (UTD-ID, NetID)
* Image: Google image search, not real UT Dallas data!
IT CAN HAPPEN TO ANYONE
• Imagine that you’ve always received a report that
included SSNs and no longer find it unusual.
• You create a document and move all of the unnecessary
data to another page away from your work space.
• You send an email and include your document.
SSNS AND YOU
• Use lower-risk unique identifiers
• Remove SSNs from report queries
• Redact SSNs when possible
• Look for old office forms and
webpages that still request SSNs
• Work with the ISO for ideas on how
to avoid using SSNs
IDENTITY FINDER
• Identity Finder will help locate SSNs stored on
campus computers.
• Identity Finder will be rolled out initially to areas that
work with sensitive data more frequently, or that have
requested exemptions to disk encryption.
NICK MCCORMICK
SENIOR INFORMATION SECURITY ANALYST
[email protected]
OFFICE OF BUDGET AND FINANCE
GETTING TO KNOW LASTPASS
• Password vaulting utility, plus strong password
generator
• One master passphrase to memorize
• Password data and notes stored in encrypted format
USAGE METRICS – INITIAL TESTING
• Current Users
– 37 users
– 5 departments
– 12 shared password folders
• Savings
– 520 Total Logins entered with LastPass
– About 2.17 hours not typing passwords
PERSONAL ACCOUNTS
• To upgrade your existing account, or to get a free premium
account, go to https://lastpass.com/utdallas
• Premium personal account can be linked to enterprise
account for convenience
– UTD can never gain access to
personal accounts
– Keep personal passwords and
work passwords separate
• Enterprise accounts allow for department
collaboration
• Integration Options
– Batch Provisioning of Users
– Automatic Provisioning Using Windows Login
– Active Directory Sync Client
– LastPass Provisioning API
GENERAL USE
• Importing browser-saved passwords is not
recommended
• NetIDplus is supported and strongly encouraged
PASSWORD RECOVERY
• No way to look up saved passwords without taking
over the whole account
• Consider a “passphrase” for the master password to
improve security and memorability
SHIBBOLETH
FEDERATED AUTHENTICATION
JEFF REYNOLDS
SENIOR INFORMATION SECURITY ANALYST
[email protected]
WHAT IS FEDERATED AUTHENTICATION?
BENEFITS
• Single Sign On
– One authentication allows a user to access many
resources
– It’s convenient, but is it secure?
• Third party sites do not need to know our passwords
• Account management can often be simplified
SOME OF THE MORE TECHNICAL DETAILS
Shibboleth uses SAML 2.0
• An authentication protocol designed and maintained by the
OASIS standards organization
• SAML 2.0 provides Single Sign On
• Some other SSO types include
– Google OAuth
– CAS
– Kerberos
A DIAGRAM OF THE AUTHENTICATION PROCESS
(Shamelessly stolen from the Internet; the diagram image is not reproduced in this transcript)
PLAN YOUR INTEGRATION
• You will need to install a Service Provider
• Review the format of your user names
• Consider what additional information you would
like from Shibboleth
SEND A REQUEST TO THE ISO
• Send a request with your SP metadata and a list of
attributes you’d like to receive
• The data requested will need to be approved
– This is more for third parties
• We will try to plan out a schedule that works for
you and your users
TEST AND DEPLOY
• The new configurations will be added to our test
environment
• Using the test environment requires a hosts file change
• After a successful test, configurations will be moved
to production.
3RD PARTY NETWORK SECURITY ASSESSMENT
NATE HOWE
CHIEF INFORMATION SECURITY OFFICER
[email protected]
BACKGROUND
• Not performed previously
• Additional perspective and experience
• Learning opportunity for ISO staff and system owners
OVERVIEW
• Scope: All systems residing within UTD address space - 129.110.0.0/16
• Rules of Engagement (RoE):
– Only perform enough testing to validate that a vulnerability is exploitable
– Do not perform heavy post-exploitation (Password Cracking, Internal
Network Pivot, etc.)
– No social engineering or Denial of Service (DoS) testing.
– Testing can be performed 24/7 during the testing timeframe so that the
maximum number of findings can be enumerated
• Goal: Identify as many ways to improve UTD’s external security posture
within the given testing timeframe
ATTACKER PERSPECTIVE
SUCCESS STORIES
• UTD does a great job at changing default credentials for technology exposed to the Internet
• UTD has good controls in place to mitigate brute force attacks
• UTD does not expose excessive protocols to the Internet
– No RDP, SMB/Samba, telnet, SNMP, etc.
• UTD has good vulnerability management practices in place because they leverage web vulnerability scanning tools
– Most organizations do not address web applications with separate tools and techniques; they rely on network vulnerability scanning tools to identify vulnerabilities in web technologies.
• UTD has excellent communication with the Information Security Office, and has good blocking mechanisms in place
• UTD quickly responds to vulnerability findings to resolve the issue
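As an added example (not from the assessment or the presentation), a small audit that ties the scope from the Overview slide to the "no excessive protocols" success story: it checks each externally visible service against the assessment scope and flags the protocols listed above. The scan lines are constructed and use a documentation address range, so no line refers to a real UTD host; the scope CIDR is a parameter, so the real 129.110.0.0/16 can be passed in.

```python
from ipaddress import ip_address, ip_network

# Protocols the assessment confirmed UTD does not expose; seeing any of these on
# an in-scope host is an "excessive protocol" finding a defender wants to catch.
EXCESSIVE = {23: "telnet", 139: "netbios/smb", 161: "snmp", 445: "smb", 3389: "rdp"}

# Constructed scan output, not real assessment data. Fields: ip port proto service.
# The real assessment scope was 129.110.0.0/16; a documentation range is used
# here so no line can be mistaken for a real UTD host.
SCAN = """\
198.51.100.10 443 tcp https
198.51.100.10 22 tcp ssh
198.51.100.20 3389 tcp ms-wbt-server
198.51.100.21 161 udp snmp
198.51.100.30 445 tcp microsoft-ds
203.0.113.7 445 tcp microsoft-ds
"""

def parse_scan(text):
    rows = []
    for line in text.strip().splitlines():
        ip, port, proto, service = line.split()
        rows.append((ip, int(port), proto, service))
    return rows

def audit_exposure(rows, scope_cidr):
    """Split scan rows into out-of-scope hosts (must not be tested under the RoE)
    and in-scope hosts that expose one of the excessive protocols."""
    scope = ip_network(scope_cidr)
    out_of_scope, excessive = set(), []
    for ip, port, _proto, _service in rows:
        if ip_address(ip) not in scope:
            out_of_scope.add(ip)
            continue
        if port in EXCESSIVE:
            excessive.append((ip, port, EXCESSIVE[port]))
    return {"out_of_scope": sorted(out_of_scope), "excessive": excessive}

if __name__ == "__main__":
    print(audit_exposure(parse_scan(SCAN), "198.51.100.0/24"))
```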
AREAS OF CONCERN
• A lot of outdated content is hosted on web infrastructure that is not
tied into the main application.
– Outdated content was a large source of the vulnerability findings
throughout the assessment.
– Outdated content was also the source of sensitive information
disclosure.
• Applications that do not leverage the NetID for authentication have
weak authentication mechanisms.
NEXT STEPS
• Resolve any remaining findings (most were closed
during assessment)
• Enhance ISO vulnerability testing methods
• Though we scored better than average universities,
continuously improve our security by repeating
external network assessment at least annually
THANK YOU
QUESTIONS OR COMMENTS?