IT Security in Schools
Tony Wong
Senior Systems Manager
IT Security Infrastructure Services
Information Technology Services Department
The Story of “Nimda”

Nimda spreads by four routes at once; the original slides build the diagram up one route at a time, each crossing between the Internet and the school intranet:

- Infection via e-mail: an infected PC on the Internet mails the worm through the mail server to PCs on the intranet.
- Scan and exploit IIS web server vulnerability: an infected IIS server scans for vulnerable IIS web servers and infects them.
- Exploit IE browser vulnerability: an infected IIS web server infects unpatched IE browsers that visit its pages.
- Infection via network file sharing: an infected PC copies itself to the file server and to other desktop PCs through shared folders.

[Diagram: Internet / intranet boundary showing the mail server, the IIS web servers, an unpatched IE browser, a desktop PC and a file server on the path of each infection route]
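The IIS-scanning stage of the story above is the one a school's own web server logs will show. The following Python is an added example, not part of the original slides: it flags Nimda-style IIS probes in access log lines. The log lines are constructed for the example; the request shapes it looks for (cmd.exe reached through directory traversal, including the doubly encoded %255c form, and root.exe under /scripts and /MSADC) are those documented for Nimda in CERT Advisory CA-2001-26.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of NCSA-style access log lines (not real traffic):
# one scanning host probing an IIS server, and one ordinary visitor.
SAMPLE_LOG = """\
10.0.5.17 - - [18/Sep/2001:09:12:01 +0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.5.17 - - [18/Sep/2001:09:12:01 +0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.5.17 - - [18/Sep/2001:09:12:02 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.5.17 - - [18/Sep/2001:09:12:02 +0800] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.1.20 - - [18/Sep/2001:09:13:40 +0800] "GET /index.htm HTTP/1.1" 200 1823
192.168.1.20 - - [18/Sep/2001:09:13:41 +0800] "GET /images/logo.gif HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Executables Nimda tried to reach on IIS (CERT CA-2001-26): cmd.exe via
# directory traversal, and root.exe, a copy of cmd.exe left in /scripts and
# /MSADC by the earlier Code Red II worm.
NIMDA_MARKERS = ("cmd.exe", "root.exe")


def normalize_path(raw_path):
    """Canonicalise a request path before matching: drop the query string,
    percent-decode repeatedly (Nimda used %255c, a doubly encoded backslash),
    lower-case, and treat backslash as a path separator."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded: stop once decoding changes nothing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.lower().replace("\\", "/")


def is_nimda_probe(raw_path):
    """True if the normalised path targets cmd.exe or root.exe."""
    path = normalize_path(raw_path)
    return any(marker in path for marker in NIMDA_MARKERS)


def scan_log(text):
    """One record per Nimda-style probe: source IP, normalised path,
    HTTP status, and whether the request used '..' traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_nimda_probe(m.group("path")):
            continue
        path = normalize_path(m.group("path"))
        hits.append({
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "traversal": ".." in path,
        })
    return hits


def probes_by_source(text):
    """Count probes per source IP: an infected host sends many in a burst."""
    return Counter(h["ip"] for h in scan_log(text))


def successful_probes(text):
    """Probes the server answered with 2xx: that server is likely vulnerable
    or already infected and must be patched and cleaned first."""
    return [h for h in scan_log(text) if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for ip, n in probes_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} Nimda-style probes")
    for h in successful_probes(SAMPLE_LOG):
        print("answered 2xx, check this server:", h["ip"], h["path"])
```

Decoding before matching is the important step: a detector that searches the raw request for `cmd.exe` misses nothing here, but one that searches for `../` misses the `%255c` and `%c1%1c` encodings that the worm relied on to get past IIS's own checks.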
Moral of the Story

Nimda is a model of the modern virus/worm:

- Fast, global spreading: it hit 2.2 million systems in 24 hours
- Affects servers and infrastructure, not only end-user PCs
- Multi-point attack (e-mail, software loophole, file server, web server etc.)
- Blended threat (virus, mass mailing, DoS, Trojan horse, intrusion etc.)
Common Internet Threats

- Virus and Worm
- Web Defacement
- Hacking & Intrusion
- DoS / DDoS
Web Defacement

- Exploit system and software vulnerabilities
- Insider attack
- Automatic tools available on the Internet:
  - detect vulnerable system
  - crack server password
  - launch attack and remove logging
  - install Trojan horse (back door)
- Attacks are easy to launch but difficult to trace
- An average of 500 defacements are recorded by Zone-H each day
  http://www.zone-h.com/en/defacements/filter/

Web Defacement
A Sample Defaced Web Site
[Screenshot of a defaced web site in the original slide]
Hacking & Intrusion

- Exploit system and software vulnerabilities
- Use automatic tools to:
  - detect vulnerable system
  - crack server password
  - locate Trojan horse (back door)
- Remote access and control of other systems
- Access, change or delete programs and files
- Deface web site
- Attack other systems
Remote Control Trojan (Sub7)

- Installed in the victim's computer through:
  - e-mail attachment
  - access to unprotected network shares
  - manual installation by a hacker (or insider)
- Allows the attacker to do many things in your computer remotely, including:
  - run any commands; upload/download/delete files; capture the monitor display; capture from the webcam; record from the microphone; capture what you type; steal passwords; and many more

Ref: http://rr.sans.org/toppapers/subseven.php

Remote Control Trojan (Sub7)
Sample Sub7 Client Screen (Used by Hacker)
[Screenshot of the Sub7 client in the original slide]
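A back door like Sub7 is only useful to the attacker if it listens for connections, so one practical check on a school server is to compare what the machine is listening on with what it is supposed to offer. The following Python is an added example, not from the original slides or the SANS paper: it parses constructed "netstat -an" output from a hypothetical Windows file server and flags every listener that is not on an assumed allow-list, noting when the port is a SubSeven default (1243 for 1.x, 27374 for 2.x).

```python
import re

# Constructed sample of "netstat -an" output from a Windows file server
# (not a real capture). EXPECTED_PORTS is the hypothetical list of services
# the school expects this machine to offer: HTTP, RPC, NetBIOS.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

EXPECTED_PORTS = {("TCP", 80), ("TCP", 135), ("TCP", 139), ("UDP", 137)}

# Default listening ports of SubSeven (1.x used 1243, 2.x used 27374). The
# attacker can change them, so this set only annotates a finding; the
# allow-list comparison is the control that catches an unknown back door.
SUB7_DEFAULT_PORTS = {1243, 27374}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every socket accepting input:
    TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or unexpected format
        proto, ip, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an outbound or established connection, not a service
        listeners.append((proto, ip, int(port)))
    return listeners


def audit_listeners(listeners, expected):
    """Flag every listener not on the expected list, noting whether its port
    is a well-known remote-control Trojan default."""
    findings = []
    for proto, ip, port in listeners:
        if (proto, port) in expected:
            continue
        findings.append({
            "proto": proto,
            "local": f"{ip}:{port}",
            "port": port,
            "sub7_default": proto == "TCP" and port in SUB7_DEFAULT_PORTS,
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_NETSTAT), EXPECTED_PORTS):
        note = " (SubSeven default port)" if f["sub7_default"] else ""
        print(f"unexpected listener {f['proto']} {f['local']}{note}")
```

Run against a real machine by feeding it the saved output of `netstat -an`; the useful output is the list of unexpected listeners, which is also the list of services the "remove unused programs and services" countermeasure should shrink.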
DoS / DDoS

- (Distributed) Denial of Service attack
- Continuous flooding of data to the target system
- System or network overloaded or down
- Legitimate users cannot access the system
- Exploits system and software vulnerabilities
- Uses automatic tools, viruses, Trojan horses etc. to plant the attack program on a large number of infected systems
- Triggers a global attack on a targeted system
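The difference between DoS and DDoS described above shows up in traffic data as one target receiving a flood from many sources, each of which can look harmless on its own. The following Python is an added example, not from the original slides: it buckets constructed flow records per destination and one-second window, flags windows over an assumed packet threshold, and classifies a flood as distributed when the number of distinct sources crosses an assumed minimum.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (seconds, source IP, destination IP), not real
    traffic: two ordinary clients, then 50 infected systems hitting one host."""
    flows = []
    for i in range(20):  # background: two clients fetching pages
        flows.append((i * 0.5, "192.168.1.20", "192.168.1.10"))
        flows.append((i * 0.5 + 0.1, "192.168.1.21", "192.168.1.10"))
    for s in range(50):  # attack: 10 packets per zombie inside second 3
        for k in range(10):
            flows.append((3.0 + k * 0.05, f"10.{s // 256}.{s % 256}.7", "192.168.1.10"))
    return flows


def flood_windows(flows, window=1.0, pkt_threshold=100):
    """Count packets per (destination, time window); return the windows whose
    count exceeds the threshold, with the number of distinct sources."""
    buckets = defaultdict(list)
    for t, src, dst in flows:
        buckets[(dst, int(t // window))].append(src)
    findings = []
    for (dst, idx), srcs in sorted(buckets.items()):
        if len(srcs) > pkt_threshold:
            findings.append({
                "dst": dst,
                "start": idx * window,
                "packets": len(srcs),
                "sources": len(set(srcs)),
                "max_per_source": max(srcs.count(s) for s in set(srcs)),
            })
    return findings


def classify(finding, min_sources=10):
    """Distributed if the flood comes from at least min_sources hosts
    (assumed cut-off); otherwise a single-source DoS."""
    return "DDoS" if finding["sources"] >= min_sources else "DoS"


if __name__ == "__main__":
    for f in flood_windows(build_sample_flows()):
        print(f"{classify(f)} on {f['dst']} at t={f['start']}: "
              f"{f['packets']} packets from {f['sources']} sources, "
              f"at most {f['max_per_source']} per source")
```

The `max_per_source` figure is the point of the example: in the constructed attack no zombie sends more than 10 packets a second, so a per-source rate limit would pass all of them, while the per-destination count makes the flood obvious.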
The Problem

- Vulnerable products
- The Internet was not designed for high security:
  - spoofing is easy
  - the infrastructure (DNS, routers) is vulnerable to attacks
  - governance is open
- Readily available tools
- Human errors:
  - mis-configured or unpatched systems
  - default or easily guessed passwords
  - abuse, hacking
  - lack of awareness and ethics
The Impact to School

- Can be a target or a source of attack
- Service interruption
- Compromise of sensitive information
- Cost to recover
- Counter-example to ethics development
- Loss of reputation
- Criminal liability
Technical Countermeasures

- Remove unused programs and services
- Anti-virus and anti-spam system
- Traffic/content filtering system
- Firewall
- System logging
- Intrusion detection & response system
- Apply security patches and updates in a timely manner
- Password and access management
- File and data management
- Segregation of networks, systems and data
- Disconnect from the Internet when not in use
- Shut down workstations when not in use
- Periodic system housekeeping (system cloning)
- Regular risk assessment and review
- and many more....
Risk Management

- Know your risk and priority
- Physical security and access control
- Adopt best practices & guidelines
- Develop an acceptable use policy
- Set up an incident response team
- Ethics development
- Security awareness and education
- Information security is everyone's business
Useful Resources

Government Web Sites:
- http://www.itginfo.gov.hk/content/itsecure/ (login required)
- http://www.infosec.gov.hk/

HKCERT/CC:
- http://www.hongkongcert.org

Microsoft Security Bulletins:
- http://www.microsoft.com/technet/security/current.asp