PPT - EDUCAUSE Library


How to Secure the “End-User”:
Same Goal, Varied Approaches
Carrie McCoy – University of Missouri-Columbia
Rebecca Fowler – University of Missouri-Columbia
Jodi Ito – University of Hawaii
© 2004 Curators of the University of Missouri and the University of Hawaii
University of Missouri - Columbia
• Public University
• Flagship campus in a four campus system
• 15000+ employees
• Outreach and Extension programs (statewide)
University of Missouri - Columbia
• Approximately 27,000 students
– ~20,500 undergraduates
– ~6500 graduate/professional
• Approximately 6000 students live in
University housing
– Most have high speed internet access
(ResNet)
MU IT Structure
• Information Access & Technology Services (IATS) is the central IT group
– E-mail
– Campus wired & wireless network
– Voice
– Cable
– Central storage
– Help desk
– Desktop support
– Account Management
– Security
MU Distributed IT Support
• IT Professional community
– Selected by individual departments
• Act as first-tier desktop support for departments
• Liaison between IAT Services and the campus
• Monthly meetings
MU Computing Environment
• 18000 devices on network
– 70.7% Windows, 29.3% other (Mac, Unix, Printers)
• Over 48,000 Active Directory accounts
• 35 computing sites (public and residence halls)
– 1300 public computers
• Wireless coverage is continuing to grow
– 66 campus buildings are wireless
– 232 access points across campus
MU Wireless Coverage
University of Hawaii
• Statewide public university & community college system
– Governed by one Board of Regents
– Publicly funded institution
– Three 4-year campuses
– Seven community college campuses
– One employment training center
– Five education centers
University of Hawaii
• System-wide:
– Approximately 46,000 students
– 40,000 undergraduates, 6000 graduates
– Approximately 8600 faculty & staff
– Approximately 2800 students in residence halls at Manoa
• Most have high speed access (ResNet)
UH IT Structure
• UH Information Technology Services is IT
support organization (voice, video, data,
institutional applications)
• Dual roles:
– System-wide: plan/manage/maintain:
• Primary Internet connections (Internet2, Australia, Japan,
commodity Internet),
• Inter-campus connections
– Manoa campus: provide IT support at all levels
UH Distributed IT Support
• Establish IT coordinators group
– To be appointed by Deans, Directors, & Unit Heads
• Will serve as point-of-contact for IT-related
incidents/advisories
• Have meetings each semester in addition to
workshops and training opportunities
• Form close working relationships to better
coordinate IT activities
UH Computing Environment
• Between 20,000-30,000 devices
connected to the network
• Over 1000 publicly-accessible computers
in labs
• 100,000+ UH Usernames issued
UH Manoa Wireless Coverage
Common Problems
• Combat security incidents proactively
– Worms and viruses
– Spyware
– Copyright violations
– Account Compromises
• People don’t understand that security is
their responsibility
MU Worm/Virus Statistics
• Blaster
– 3689 infected systems (September 2003)
• Beagle
– 530 infected systems (March 2004)
• Sasser
– 251 infected systems (May 2004)
Other MU Incident Statistics
• Currently blocking over 500 IP/MAC addresses
• 97 copyright infringement complaints since July
2003
• 743 probing/unauthorized attempt complaints
since July 2003
• 105 complaints of spam relayed through an MU
host
UH Virus Statistics
Other UH Incident Statistics
• Week of May 3rd, 2004 - over 240 unique IPs infected
with Sasser/Gaobot variant
– Using DHCP in some areas - more than one system may have used a single IP
or same compromised system may have used a different IP
• Currently blocking over 330 IP/MAC addresses
• Approximately 70 copyright infringement complaints
since January 2004
• 200+ spam/probing/unauthorized attempt complaints
since January 2004
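The DHCP caveat in the Sasser/Gaobot figure above (one IP may have been used by several systems, and one system may have used several IPs) is the reason infection counts by IP are only an upper bound on the number of hosts. The following is an added example, not code from the presentation or either university, showing how an incident responder can join alert timestamps against DHCP lease records to count distinct hosts (by MAC) rather than distinct IPs. All alerts, lease times, addresses and MACs are constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not from the presentation): IDS alerts for a worm
# signature, keyed by source IP, and the DHCP lease log for the same subnet.
ALERTS = [
    ("2004-05-03 08:15:00", "10.10.1.20"),
    ("2004-05-03 09:40:00", "10.10.1.20"),   # same IP, but the lease had changed hands
    ("2004-05-03 10:05:00", "10.10.1.21"),
    ("2004-05-03 14:30:00", "10.10.1.22"),   # same host as 10.10.1.21 under a new lease
    ("2004-05-03 15:10:00", "10.10.1.99"),   # no lease record (static or unknown host)
]

# DHCP leases as (lease start, lease end, ip, mac); constructed.
LEASES = [
    ("2004-05-03 07:00:00", "2004-05-03 09:00:00", "10.10.1.20", "00:11:22:aa:aa:aa"),
    ("2004-05-03 09:05:00", "2004-05-03 12:00:00", "10.10.1.20", "00:11:22:bb:bb:bb"),
    ("2004-05-03 09:30:00", "2004-05-03 12:00:00", "10.10.1.21", "00:11:22:cc:cc:cc"),
    ("2004-05-03 13:00:00", "2004-05-03 18:00:00", "10.10.1.22", "00:11:22:cc:cc:cc"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def mac_for(ip: str, when: datetime, leases=LEASES) -> Optional[str]:
    """Return the MAC that held `ip` at time `when`, or None if no lease covers it."""
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and parse(start) <= when <= parse(end):
            return mac
    return None


def attribute_alerts(alerts=ALERTS, leases=LEASES):
    """Map each alert to a host (MAC).

    Returns (hosts -> set of IPs seen for that host, alerts with no matching lease).
    Alerts without a lease are kept separately rather than silently dropped,
    because they still need a manual look (static address, rogue DHCP, clock skew).
    """
    hosts: Dict[str, Set[str]] = {}
    unattributed: List[Tuple[str, str]] = []
    for ts, ip in alerts:
        mac = mac_for(ip, parse(ts), leases)
        if mac is None:
            unattributed.append((ts, ip))
        else:
            hosts.setdefault(mac, set()).add(ip)
    return hosts, unattributed


def summarize(alerts=ALERTS, leases=LEASES) -> Dict[str, int]:
    """Compare the naive unique-IP count with the lease-attributed host count."""
    hosts, unattributed = attribute_alerts(alerts, leases)
    return {
        "unique_ips": len({ip for _, ip in alerts}),
        "unique_hosts": len(hosts),
        "unattributed": len(unattributed),
    }


if __name__ == "__main__":
    print(summarize())
    for mac, ips in attribute_alerts()[0].items():
        print(mac, sorted(ips))
```

On the constructed data four distinct IPs appear in the alerts, but lease attribution resolves them to three hosts plus one alert that no lease explains: 10.10.1.20 was two different machines, and 10.10.1.21 and 10.10.1.22 were the same machine. Lease start and end times are compared inclusively; if the DHCP server and IDS clocks are not synchronised, widen the window or normalise timestamps first.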
Overall Approach to Common
Problems
• Both MU and UH decided that it would not
be enough to just use technology solutions
to combat or prevent problems
• Dual focus:
– End-user education
– Technology efforts
MU End-User Education
• Creation of a comprehensive security
awareness program
• Theme: “You are the key to security!”
• Worked with internal Creative Services
group to create a logo
MU Security Awareness Program
• Two main components of program
– Activities based on monthly topics
– Security awareness training
• Trying to reach varied audiences
– Faculty/Staff
– On-campus students
– Off-campus students
Monthly Topics
• Planned topics 10 months in advance with the
idea that they could change
• Example topics:
– Password safety and security
– Virus protection
– DMCA
– AUP
– Workstation security
– E-Mail security
Monthly Activities
• Technology newsletter articles (goes to all students and 9000
faculty/staff)
• Poster campaigns
• Guest speakers
• Payroll stuffers
• Presentations to organizations
• Targeted mass e-mails
Examples of Monthly Activities
• January: Password Safety and Security
– Posters
– Technology newsletter article
– Mass e-mail about password reset campaign to all
faculty, staff, and students
• April: Cyber Security
– Guest speaker from FBI cyber crime task force
– Presentation to graduate class in College of
Business
– Security awareness webpage highlighting cyber
security
Security Awareness Training
• One hour instructor-led course
– Password safety
– Workstation security
– Physical security
– Internet and e-mail security
– Social Engineering/Principle of least privilege
– FERPA/HIPAA overview
• Online course in development
– Same topics as instructor led course
– Student version and faculty/staff version
Lesson 2: Password Safety & Security
Key Points
• Don’t use your PawPrint and password on external entities.
• Always choose a secure password!
Password Cracking – It’s Easier Than You Think!

# of Characters   26 (abc)          36 (abc123)         52 (AaBbCc)
6                 51.5 minutes      3.74 hours          13.7 days
7                 22.3 hours        9.07 days           3.91 months
8                 24.2 days         10.7 months         17.0 years
9                 1.72 years        32.2 years          8.82 centuries
10                44.8 years        1.16 millennia      45.8 millennia
11                11.6 centuries    41.7 millennia      2,384 millennia
12                30.3 millennia    1,503 millennia     123,946 millennia
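The table above is an exhaustive-search estimate: charset size raised to the password length, divided by a guess rate. The slide does not state the rate, but 26^6 guesses in 51.5 minutes works out to about 100,000 guesses per second, so that figure is assumed here. The script below is an added example (not from the presentation) that regenerates the table from that assumption and lets the reader plug in a different rate; rerunning it reproduces the 7- to 12-character rows, while the two right-hand entries in the 6-character row come out differently, so those two slide figures are worth rechecking. A 2004 guess rate is also far below what offline cracking hardware achieves today, which is why the `rate` parameter matters more than any single cell.

```python
from typing import Dict, List

# Assumed guess rate, inferred from the slide's "26 characters, 6 long = 51.5 minutes".
GUESSES_PER_SECOND = 100_000

# Alphabet sizes used by the slide's three columns.
CHARSETS: Dict[str, int] = {"26 (abc)": 26, "36 (abc123)": 36, "52 (AaBbCc)": 52}

# Calendar assumptions: 365-day year, month = 365/12 days (these reproduce the slide's rounding).
MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR
YEAR = 365 * DAY
MONTH = YEAR / 12
UNITS = [
    ("millennia", 1000 * YEAR),
    ("centuries", 100 * YEAR),
    ("years", YEAR),
    ("months", MONTH),
    ("days", DAY),
    ("hours", HOUR),
    ("minutes", MINUTE),
]


def brute_force_seconds(charset_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of exactly `length` characters from the charset."""
    return charset_size ** length / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit where the value is at least 1, to 3 significant figures."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_table(lengths=range(6, 13), charsets=CHARSETS, rate: float = GUESSES_PER_SECOND) -> List[List[str]]:
    """Rows of [length, time for each charset], in the same layout as the slide."""
    rows = []
    for n in lengths:
        rows.append([str(n)] + [humanize(brute_force_seconds(size, n, rate)) for size in charsets.values()])
    return rows


def print_table(rate: float = GUESSES_PER_SECOND) -> None:
    header = ["# of Characters"] + list(CHARSETS)
    widths = [16, 18, 18, 20]
    print("".join(h.ljust(w) for h, w in zip(header, widths)))
    for row in crack_table(rate=rate):
        print("".join(c.ljust(w) for c, w in zip(row, widths)))


if __name__ == "__main__":
    print_table()                    # the slide's assumed rate
    print()
    print_table(rate=1_000_000_000)  # same table at a billion guesses per second
```

The estimate is for a full search of one length; a real attacker guesses common passwords and dictionary words first, which is the point of the "may not be a word found in a dictionary" rule later in this lesson.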
What Could Someone Do If They
Had Your Password?
• Send threatening e-mail on your behalf
• Access Web sites on which you have
enabled one-click ordering and purchase
items with your credit card
What Could Someone Do If They
Had Your Password?
• Connect to MU e-mail servers and spam
thousands of people
• Gain access to the MU network and
attack other entities on your behalf
Choose a Secure Password
• Easy to remember
• Can be typed quickly without having to
look at the keyboard
• Mix of apparently random letters, digits,
and punctuation
Xms25thoD* = “Christmas is on the 25th of December*”
Ihomdf5y. = “I have owned my dog for 5 years.”
UMC PawPrint Password
Requirements
• Your password MUST:
– Consist of between 8 and 26 characters
– Contain at least one character from each of the
following:
• Lowercase letters: a-z
• Uppercase letters: A-Z
• Digits: 0-9
• Special Characters: ( * & ) = ? | ^ } / _ > # : - + ; ] ~ , [ < .
UMC PawPrint Password
Requirements
• Your password MAY NOT:
– Be a word found in a dictionary
– Be the same as your PawPrint
– Contain a space
– Contain symbols other than the approved special
characters
– Contain UMC related terms (tiger, truman, jesse,
etc)
Things To Avoid When Choosing
a Password
• Simple keyboard patterns
• University or state team names
• Use of the word “password” or “secret”
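The PawPrint rules and the "things to avoid" list above are a password policy; writing the policy down as a checker makes every rule explicit and testable. The code below is an added example, not the University's own Password Manager or its code, and it assumes a small constructed dictionary and pattern list in place of a real wordlist. It returns every violated rule rather than stopping at the first so that the user can be told exactly what to fix.

```python
from typing import List

# Approved special characters, copied from the PawPrint requirements above.
SPECIALS = set("(*&)=?|^}/_>#:-+;]~,[<.")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
ALLOWED = LOWER | UPPER | DIGITS | SPECIALS

# Constructed stand-ins for illustration; a real checker would load a full dictionary file.
DICTIONARY = {"password", "christmas", "december", "secret", "sunshine", "football"}
UMC_TERMS = ("tiger", "truman", "jesse")                   # from the slide
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")  # assumed examples of "simple keyboard patterns"
BANNED_WORDS = ("password", "secret")                      # from "Things To Avoid"


def check_password(password: str, pawprint: str) -> List[str]:
    """Return a list of violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    lowered = password.lower()

    if not 8 <= len(password) <= 26:
        problems.append("must be between 8 and 26 characters")
    if " " in password:
        problems.append("may not contain a space")
    unapproved = sorted(set(password) - ALLOWED - {" "})
    if unapproved:
        problems.append("may not contain symbols other than the approved special characters: " + "".join(unapproved))

    chars = set(password)
    if not chars & LOWER:
        problems.append("must contain a lowercase letter")
    if not chars & UPPER:
        problems.append("must contain an uppercase letter")
    if not chars & DIGITS:
        problems.append("must contain a digit")
    if not chars & SPECIALS:
        problems.append("must contain an approved special character")

    if lowered in DICTIONARY:
        problems.append("may not be a word found in a dictionary")
    if lowered == pawprint.lower():
        problems.append("may not be the same as your PawPrint")
    for term in UMC_TERMS:
        if term in lowered:
            problems.append(f"may not contain the UMC related term '{term}'")
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            problems.append(f"avoid the simple keyboard pattern '{pattern}'")
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append(f"avoid the word '{word}'")
    return problems


def is_acceptable(password: str, pawprint: str) -> bool:
    return not check_password(password, pawprint)


if __name__ == "__main__":
    # The two mnemonic passwords from the lesson pass; a team-name password does not.
    for candidate in ("Xms25thoD*", "Ihomdf5y.", "tiger2004", "Password1!"):
        print(candidate, check_password(candidate, "jdoe") or "OK")
```

Matching is done on the lowercased password so that capitalisation cannot be used to slip a banned term past the check, and the PawPrint comparison is case-insensitive for the same reason.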
Password Safety
Never share your password with
anyone!
There are other methods of granting
access to data and systems if there is a
legitimate need.
Password Safety (Continued)
• Change your password regularly using
the Password Manager.
• Don’t record your passwords any place
they could be vulnerable, including Web
pages that can store your login ID and
password.
Key Point
If it wasn’t hard for you to think
of, it won’t be hard for someone
else to figure out!
Treat Your Password Like Your
Signature
Your password is the major form of
protection for your computer account and
the University resources that you have
permission to access.
UH End User Education
• Information table at Campus Center’s Wireless Day
• Presentations at professional group meetings (clerical,
fiscal officers, EEO/gender equity, etc.)
• Departmental meetings
• Invitation by faculty to speak to their class
• ITS workshops each semester
UH Security Awareness Training
• In-person, 1.5 hours, targeting end-user
• Topics:
– Why care about security? (horror stories)
– Current threats
– How to protect computers (passwords, antivirus,
vulnerabilities/patching, firewalls, etc.)
– How to protect information (don’t use SSN, shred personal papers, use of public computers/wireless networks)
Education Alone Is Not Enough
• In addition to educating end users, the
University of Missouri-Columbia and the
University of Hawaii also focus on
technology-based efforts to secure our
networks
UH Technology Based Efforts
• Proactive vulnerability scanning and
assessments
• Proactive notification of vulnerabilities and
patches
• Blocking of problem systems by IP/MAC
address
UH Vulnerability Scans
• The Plan:
– Schedule scans in advance
– Give results back to IT coordinator
– Work with IT coordinator to secure
vulnerabilities
UH Proactive Notification
• ITS subscribes to Symantec Deep Sight
Alerting Services & other security lists
• Notify mailing lists of threats and fixes
– ITS evaluates threat and vulnerability
notifications and alerts departmental contacts
Blocking Compromised Systems
From the UH Network
• Block offending systems by IP or MAC address at
closest router
• Blocked IP and MAC address listed on a web page
• User contacts department support staff or ITS Help Desk
• Repeat offenders: the user must contact the Security Officer and the system must be inspected by an ITS technician
MU Vulnerability Scans
• Receive vulnerability notifications from
Microsoft Premier Support and other
security mailing lists
• Scan daily for known vulnerabilities until
we reach an acceptable level of risk
MU Proactive Notification
• Working on making daily results available
to entire IT professional community
• Update Fix-It-Now tool, SUS server, and
patch.missouri.edu server
• In emergency situations we send an email to all on-campus students
Blocking Compromised Systems
from the MU Network
• MAC addresses of wired systems are blocked on the
current switch
• Wireless systems are blocked on all access points
• Attempt to notify IT professionals when departmental
machines are blocked
• Students – re-enable once in good faith
• Departments – re-enable at request of IT professional
Comparison of Philosophy
• MU Philosophy
– People are always the weakest link, so we must
focus on technology based efforts and education at
the same time to be successful in improving
information security at MU
• UH Philosophy
– Solutions that will protect/educate the most people
with the fewest resources are given highest priority in
an effort to quickly improve information security at UH
Results of Different Philosophies
MU
• Attempts to reach people
on a monthly basis in
addition to pre-existing
events (such as back to
school activities)
• Security awareness
program focuses on
changing user behavior
• Addresses current threats
with publications and
technology
UH
• Utilizes pre-existing events
to reach a large number of
people quickly (such as
meetings and workshops)
• Addresses current events
in end-user training in
addition to ways for the
user to protect themselves
• Focuses on addressing
current threats with
technology
Results of Different Philosophies
MU
• Relies on vendors and security organizations to receive vulnerability and threat alerts
• Attempts to notify IT professionals individually when network access is disabled
• Regularly scans entire campus for vulnerabilities
• Notifies IT professionals of vulnerabilities and relies on them to remediate
UH
• Utilizes Symantec alerting services to receive vulnerability and threat alerts quickly
• Publishes list of disabled systems to select group of IT support people to allow for quick notification
• Schedules vulnerability scans on a department by department basis
• Works with departmental support people to help remediate vulnerabilities
On-Going Problems at MU
• Metrics are difficult if not impossible to
achieve
• Constant struggle to be restrictive in the
University environment
• IT is secondary to the job of most people
at the University
On-Going Problems at UH
• Not me or don’t care attitude
• Not enough IT support staff
• IT is not a primary responsibility for many
department staff/faculty - security is an
afterthought
• Security risks/threats are increasing at a rapid
pace
Future MU Initiatives
• Publish online security awareness course that
we hope to require for all students
• Develop policies and procedures to help us
adequately address new security threats or
issues without having to reinvent the wheel each
time
• Continue to revise the security awareness
program to make it relevant for the current user
base
Future MU Initiatives
• Complete network efforts currently in progress
– Blocking outbound SMTP
– 802.1x authentication for network access
– Require MAC address registration for network access
– Implement a secure VPN pool for system administrators
– IPS
• Require SMTP authentication to send mail through
campus e-mail servers
• Finalize and implement a data classification
system
Future UH Initiatives
• Complete implementation of current initiatives
• Evaluate additional network policies (restricting SMTP
servers, implementing institutional VPNs, develop
firewall policies)
• Institute required end-user security training
• Evaluate new technologies/strategies
• Develop method of identifying user/system on the
network
While we have different philosophies and different
ways of combating problems, both MU and UH
have one common goal:
Change user behavior and the culture of
our organizations to improve the overall
security of our campuses
Questions?
• Feel free to contact us:
– Carrie McCoy: [email protected]
– Rebecca Fowler: [email protected]
– Jodi Ito: [email protected]