BFS Storage and Disaster Recovery Upgrade Proposal

Jason Borinski
Security Operations Manager (Interim)
10/12/16
• Security Operations Metrics
• UCOP Audit results
• DNS firewall
• AD password reset
• Firewall Management Updates
• Qualys scanning and border blocking
• Border filtering of Telnet TCP 23
• Anti-Phishing Engine
• SOC Metrics for September 2016
  • Compromised Hosts – 313 (~10 hosts per day)
    • Wireless – 215
    • Wired – 86
      • 132.239.0.0/16 – 56
      • 137.110.0.0/16 – 21
      • 169.228.0.0/16 – 9
    • VPN – 12
  • Compromised AD Accounts – 185
  • Third Party Abuse Reports – ~100
  • Electronic Resource Abuse Reports – ~10
  • Spam/Phishing Reports – ~2800
• Reducing Compromised Hosts
  • Implement the PPM 135-3 controls
    • Firewall – host and/or network based; employ network segmentation
    • Vulnerability scanning
    • OS and application patch management
    • Credential management – default or easily-guessed passwords
    • Anti-malware, system hardening, etc.
• Reducing Compromised Accounts
  • Phishing awareness
  • Password management (periodic password changes, discourage reuse, increase password complexity)
  • Anti brute-force mechanisms (SSH - Fail2Ban, RDP - IPBan, RDPGuard)
  • Multi-factor authentication
  • See above list for host security
• Credential Management - Use Complex Passwords
• Host-based Firewall
  • Block all incoming connections by default (exceptions allowed)
  • Allow communication only from necessary clients (inbound)
  • Allow communication only to required services (outbound)
• Network-based Firewalls
  • Recommended for additional layer of security on normal networks
  • Required for sensitive data networks, PCI, HIPAA, ICS, etc.
• Patch and Update Software
• Register All Devices
• No Unencrypted Authentication
External scan – Internet-facing (DMZ) vulnerabilities
• Overall Score: C
• 129 Critical/High Vulnerabilities
  • 76 hosts out of 1000 hosts (7.5%)
• Passwords – None, Defaults, or Easily Guessed
  • Telnet, SSH, HTTP, and others
• SSL Vulnerabilities – Heartbleed, Shellshock, etc.
• End of Life Systems – XP, 2003
• Printers, IPMI/BMC, ESXi Hosts on DMZ
• XSS of CMS websites - Drupal, Wordpress, Joomla
• Overall Score: D
• Compromised printers, VTC, cameras
  • Telnet/SSH open to world, default or easily-guessed credentials
• Compromised XP machines
  • Obtained write access to file system through unpatched vulnerabilities
• Compromised JMX (Java) Vulnerability
  • Acquired a remote shell, compromised systems, elevated privilege
  • Executed brute-force attack on AD
• Compromised web servers – Shellshock
  • SQL injection – database queries executed
• 42 instances of the MS12-020 RDP Vulnerability (DOS)
• Good news
  • No compromise of critical infrastructure (AD, DNS, etc.)
  • No compromise of PII or sensitive info
• Remediation activities
  • Almost all scanned vulnerabilities were remediated – thank you
  • Pen test results – most have been remediated – thank you
  • EOL systems still a significant challenge
  • A large portion of the remediation was border blocking (residual risk)
• Latest Qualys External Scan results
  • 232 level 4-5 vulnerabilities as of 10/12/16
• Awaiting UCOP final report
• Assign Strong Passwords to Default Accounts
• Change Credentials for Externally Available Services
• Change Default Configurations
• Retire EOL Operating Systems
• Upgrade Applications (EOL Versions)
• Patch Critical Vulnerabilities
• Implement Strong SSL/TLS Security (TLS 1.1+)
• Filter User-Supplied Input (SQL Injection/XSS)
• Network Controls
  • Improve firewall controls – host and/or network firewall
  • Employ better network segmentation, limit use of DMZ networks, encourage use of non-routable, private space (RFC 1918 – 172.16.x.x)
• Vulnerability Management
  • Proactive use of vulnerability scanning service (Qualys)
  • Configure automatic weekly external scan reports
  • Mitigate all critical vulnerabilities, particularly on DMZ networks
  • Please do not wait for Security to contact you
• Patch management
  • Encourage use of centralized patch management tools
• Host and network registration
  • Register your networks and your hosts in Infoblox
• IS-3 will become active June 2017
  • Asset (data and systems) inventory
  • Security classification (P1-P4)
  • Protection Level 3+
    • Segmented networks restricted to similarly classified IT Resources
    • Ingress and egress points protected by appropriate network security controls
  • Protection Level 4
    • Use the most restrictive rules possible.
    • Detect and log unauthorized access or access attempts.
  • Network segmentation by security classification
  • Accompanied by UC standards documents
• Local UCSD standards will be revised (PPM 135)
  • Firewall standards -> “reference design”
  • Will be shared on SysWiki, available for comments/improvements, etc.
  • Implementation/evaluation underway at ITS
• Begin preparation for IS-3 update
  • Inventory of network resources
  • Security classification of information and associated systems/hosts
  • Visibility requirements
  • Infoblox registration
• Continue to promote discussion on firewalls, network segmentation, use of the DMZ, establishing perimeter security.
  • What is your network security policy?
• Vision
  • Deliver firewall services that enable customers to define and centrally enforce a network security policy appropriate for their environment.
• Requirements
  • Customer self-service, visibility, and perhaps even manageability
  • Virtual firewall technology w/ role-based access control
  • 10 Gbps inspected throughput
  • FW bypass for high-performance flows
  • Ability to scale and support firewall across all UCSD networks
  • Support for IP Mobility, Cloud or Hybrid Cloud, and SDN capabilities
  • User or group-defined security, regardless of location (wired or wireless)
  • IPS – anti-DDOS technology, anti-malware, zero-day vulnerability protection, SSL exploit protection, etc.
• Resuming weekly external scanning and blocking
  • Infoblox – please register admin/email contact info
• Block Notification Levels
  • Block Notification – CRITICAL RISK – remote exploits available
    • System is blocked and the registered contacts are notified.
  • Block Pending – HIGH RISK – critical vulnerabilities
    • Notification that block is pending – 2 weeks to remediate
  • Advisory – MEDIUM RISK – high vulnerabilities
    • Notification and recommended remediation
• AmIBlocked tool
  • http://amiblocked.ucsd.edu/
  • Syswiki info
• DNS firewall based on Response Policy Zones (RPZ)
  • Allows local UCSD DNS to block (NXDOMAIN) or redirect (CNAME) confirmed malicious domains and host records.
  • Redirects to Blink information page
  • Allows DNS firewall/blocking of reported phishing email
  • Integrated threat feed/blacklist known malicious domains
• Increased granularity over IP-based blocking
• Reduces effectiveness of phishing
• Enables proactive protection against malware
• Prevents command and control (C2) and exfiltration
• Chance of false positive - redirecting a legitimate site
  • Send issues to [email protected]
• Some systems may be negatively impacted and require access to an unfiltered DNS server.
  • Please contact [email protected] for opt-out information.
• Deployed to primary DNS on Wednesday night (10/6)
  • No false positives or issues reported
  • All redirects have been confirmed malicious
Results from 10/6, 6am – 6pm:
• 369 redirected DNS requests
• 104 unique clients
• 25 malicious domains
  • Confirmed through VirusTotal
• Example Suricata alerts from 22283.bodis.com:
  • ET TROJAN FakeAV Landing Page
  • ET TROJAN Ponmocup Trojan-Downloader
  • ETPRO TROJAN Win32/Comame
Malicious Domains              Hits
22283.bodis.com                166
api-nyc01.exip.org             5
bt1.511yly.com                 39
control.coolkey.org            6
dongtaiwang.com                9
epekware.com                   3
fake.andmeaningless.com        6
jordanembassyus.org            2
lh3.googleusercontent4.com     1
live-genieo-feed.com           10
modstats.org                   2
mondeca.com                    4
newhorizons.twentyforty.me     4
oyag.prugskh.com               17
oyag.prugskh.net               20
pghmom.com                     4
pmicgowz.datingds.ru           1
rss.nbcpost.com                3
sso.anbtr.com                  8
tracker.blucd.org              4
update.searchcubed.net         19
www.dongtaiwang.com            6
www.tracker.blucd.org          2
xmp.down.co.sandai.net         9
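The RPZ lookup and the 10/6 report figures above, as an added example that is not UCSD's DNS configuration or tooling: it applies BIND-style RPZ QNAME rules (exact name and *.wildcard) to queries and tallies matched requests, unique clients and per-name hits from a constructed resolver log. The policy names, the info page and the client addresses are all constructed.

```python
from collections import Counter

# Constructed RPZ-style policy (not UCSD's real zone). Keys follow BIND RPZ
# QNAME triggers: "host.example" matches that name only, "*.example" matches
# any subdomain. The value "NXDOMAIN" blocks (zone record "CNAME ."); any other
# value is the CNAME redirect target (here an assumed Blink-style info page).
INFO_PAGE = "blocked-info.example.edu."
RPZ_POLICY = {
    "malware-c2.example.net": INFO_PAGE,
    "*.malware-c2.example.net": INFO_PAGE,
    "phish-login.example.org": "NXDOMAIN",
    "*.phish-login.example.org": "NXDOMAIN",
}

def rpz_lookup(qname, policy=RPZ_POLICY):
    """Return ("PASS", None), ("NXDOMAIN", None) or ("CNAME", target).
    An exact rule wins; otherwise the nearest enclosing wildcard rule applies."""
    name = qname.rstrip(".").lower()
    action = policy.get(name)
    if action is None:
        labels = name.split(".")
        for i in range(1, len(labels)):          # *.parent, *.grandparent, ...
            action = policy.get("*." + ".".join(labels[i:]))
            if action is not None:
                break
    if action is None:
        return ("PASS", None)
    if action == "NXDOMAIN":
        return ("NXDOMAIN", None)
    return ("CNAME", action)

def summarize_redirects(query_log, policy=RPZ_POLICY):
    """query_log: iterable of (client_ip, qname). Returns the figures in the
    DNS firewall report: matched requests, unique clients, distinct names,
    and per-name hit counts (the shape of the Malicious Domains table)."""
    hits, clients = Counter(), set()
    for client, qname in query_log:
        if rpz_lookup(qname, policy)[0] != "PASS":
            hits[qname.rstrip(".").lower()] += 1
            clients.add(client)
    return {"requests": sum(hits.values()), "unique_clients": len(clients),
            "domains": len(hits), "hits": dict(hits)}

# Constructed sample resolver log: (client IP, queried name)
SAMPLE_LOG = [
    ("10.1.2.3", "malware-c2.example.net."), ("10.1.2.3", "malware-c2.example.net."),
    ("10.1.2.4", "cdn.malware-c2.example.net."), ("10.1.2.5", "www.ucsd.edu."),
    ("10.1.2.6", "phish-login.example.org."), ("10.1.2.4", "mail.phish-login.example.org."),
]
```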
Why do we reset passwords?
• Advanced Persistent Threat (APT) breach in 2013
• Chancellor mandated annual password reset
• Continue to see a high volume of compromised accounts
Benefits
• Resets any accounts that may have been compromised
• Mitigates the pass-the-hash attack and persistent threats
• Reduces phishing/spam activity (compromised accounts)
• Reduces Libraries electronic resources abuse
• Serves as an annual AD housekeeping process
Process
• Passwords must have been changed between April 22, 2016 and October 21, 2016
• Account disabling begins 11/1-11/3
• Will communicate tools/tips through Slack and Sysadmin-l
• Will send reports of accounts needing reset
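The reset-window check above, as an added example that is not the AD Expiry Tool or any UCSD script: it converts AD's pwdLastSet FILETIME values to dates, treats 0 (must change at next logon) as needing a reset, and lists the accounts for the report. The account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Reset window from the announcement: a password last set outside it has to be
# reset before account disabling begins on 11/1.
WINDOW_START = datetime(2016, 4, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 10, 21, 23, 59, 59, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since
    1601-01-01 UTC. A value of 0 means 'must change password at next logon',
    i.e. there is no valid set time, so return None."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def to_filetime(dt):
    """Inverse conversion, used here only to build sample data (integer
    arithmetic avoids float rounding on 1e17-scale tick counts)."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10_000_000
            + delta.microseconds * 10)

def needs_reset(pwd_last_set, start=WINDOW_START, end=WINDOW_END):
    """True when the account has no password change inside the window."""
    changed = filetime_to_datetime(pwd_last_set)
    return changed is None or not (start <= changed <= end)

def reset_report(accounts):
    """accounts: iterable of (sAMAccountName, pwdLastSet). Returns the sorted
    names to put in the 'accounts needing reset' report sent to admins."""
    return sorted(name for name, ft in accounts if needs_reset(ft))

# Constructed sample export (names and timestamps are made up)
SAMPLE_ACCOUNTS = [
    ("alice", to_filetime(datetime(2016, 6, 3, 9, 0, tzinfo=timezone.utc))),    # in window
    ("bob",   to_filetime(datetime(2016, 3, 1, tzinfo=timezone.utc))),          # before window
    ("carol", 0),                                                               # must change at logon
    ("dave",  to_filetime(datetime(2016, 10, 21, 8, 30, tzinfo=timezone.utc))), # last day, ok
]
```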
Discussion
• Complexity increase to 10 characters for faculty/staff?
• Password Manager - campus offering, cost-sharing?
• AD Expiry Tool – contact [email protected]
• Proposed addition of Telnet TCP/23
• Motivation
  • Unencrypted authentication – policy violation (PPM-135)
  • Source of compromised credentials
  • Known vector for compromising IoT devices
  • Large volumes of traffic, noise on our security tools
• Process
  • Exception requests should be submitted to [email protected]
  • External network scan – 40 hosts listening on port 23
  • Contact registered owners in Infoblox
  • Communication to sysadmin-l, and then the block will be implemented
• ITS testing anti-phishing engine on IronPorts
  • Phishing engine evaluates/scores all email
  • Scores above threshold result in URL link rewrites
  • URLs are redirected/opened in a sandbox environment
  • User can preview and choose to mark as safe
• Contact [email protected] if you are interested in testing
• Deploying to all ITS staff soon
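The link-rewrite step above, as an added example that is not the IronPort engine's code: when a message's score exceeds a threshold, every http(s) link is wrapped in a sandbox URL, and the original link stays recoverable for the preview step. The sandbox address, threshold and message body are assumed and constructed.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed sandbox front end (not the IronPort's actual rewrite format): the
# original link travels URL-encoded in the "url" parameter so the sandbox can
# fetch and render it while the user previews.
SANDBOX = "https://sandbox.example.edu/open?url="
THRESHOLD = 70          # constructed score threshold

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def rewrite_urls(body, score, threshold=THRESHOLD, sandbox=SANDBOX):
    """Rewrite every http(s) link in the body when the phishing score exceeds
    the threshold; lower-scoring mail is returned unchanged. Links that are
    already wrapped are left alone so re-scanning does not double-wrap them."""
    if score <= threshold:
        return body

    def wrap(match):
        url = match.group(0)
        if url.startswith(sandbox):
            return url
        return sandbox + quote(url, safe="")

    return URL_RE.sub(wrap, body)

def original_url(rewritten):
    """Recover the original link from a wrapped URL (what the preview shows and
    what is released when the user marks the message safe)."""
    return parse_qs(urlparse(rewritten).query).get("url", [None])[0]

# Constructed sample message body
SAMPLE_BODY = ("Your mailbox is almost full. Verify your account at "
               "http://login-verify.example.net/reset?u=jdoe before Friday.")
```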
• Security Outreach
  • Security would like to visit with you – please contact me:
  • Jason Borinski – [email protected], x46487
• Security Contact Info
  • General Inquiries – [email protected]
  • Requests – [email protected]
• Q&A
• Thank you!