920 different phishing scams - People

“permit ip any any” – The Challenge of Information Security on a University Campus
Harvard Townsend
Chief Information Security Officer
Kansas State University
[email protected]
October 27, 2011
It requires thick skin…
“Don’t let anybody tell ya it’s easy!”
Agenda
• The environment
• The challenges
– Unique to higher education
– Common to all large organizations
• Never a dull moment
• The strategy
• Q&A
Kansas State University
• 23,863 students from all 50 states, 90 countries
• 5,350 students living in on-campus housing
• 6,218 faculty, staff, administrators
• ~5,000 new faces every year… and 5,000 departures
• Public, land grant institution
• Three campuses – Manhattan, Salina, and now Olathe; plus a recruiting office in China
• 2 Gbps pipe to Internet/Internet2 (250,000 flows/min, 360 million flows/day); moving to 10 Gbps core network
• ~35,000 devices on the network on a typical weekday, many with static, public, routable IP addresses
• 47 credit card Merchant IDs
• Numerous affiliated 501c3 corporations (Athletics, Foundation, Alumni Association, Student Union, Student Publications,…)
• Veterinary Medicine (hooray for no medical center/hospital!)
• BRI, NBAF
The Challenges – Unique?
• Dr. Simon Ou’s and Dr. Eugene Vasserman’s cybersecurity students are on our network!
• Turnover of 5,000-6,000 users every year (20%)
• Providing services to prospective students, alumni, parents
• Student-owned personal systems in residence halls, campus apartments, and wireless
• Highly distributed administration, budget, technology
• Shared governance – little tolerance for top-down edicts
• Culture of autonomy, open expression of opinions
• Tenure
• Protecting freedom of speech, academic freedom (“I’m studying for my human sexuality class.”)
The Challenges – Unique?
• “Incidental personal use” allowed by policy
• Up until four years ago, the student ID number was their SSN
• State library and federal document repository (public access mandated)
• Plethora of affiliated organizations
• No central control of technology purchases or what gets plugged into the network
• Plethora of mobile devices with expectation that we support all of them
The Challenges - Common
• Multiple campuses, including an office in China
• Accommodating campus visitors
• International collaborations
• Providing secure, reliable services to “customers” (i.e., students) throughout the world
• Outsourcing to the cloud
• Limited resources (IT services in general, IT security specifically)
• Plethora of laws and regulations
– FERPA, HEOA (DMCA)
– PCI DSS, HIPAA, CALEA, GLBA, …
DMCA-P2P File Sharing
• Higher Education Opportunity Act of 2008 mandates use of “one or more technology-based deterrents” to combat copyright infringement (recording industry lobbyists were quite busy that year)
• We block P2P file sharing protocols – one of the few things we block
• Surprisingly little push-back from students
• 83 DMCA violation notices in 2010, 29 in 2009
• Interesting DMCA notices from porn industry lately offering settlement for $200 to avoid legal action – sleazy tactic
Never a dull moment
• I’m starting to get a phobia about announcing any kind of change!
• For example, due to state of Kansas policy, security best practice, and plain ol’ common sense, we now require annual IT security training for all employees.
• Some responses were downright venomous
• One said it was the worst piece of junk they’d seen in their 21 years at K-State; another said it was the best training they’d ever seen in their 20 years at K-State.
Change is Evil
• Summer 2011, implemented WPA2-Enterprise wireless network, phasing out WEP-based wireless (turned off Oct. 25)
– Collegian reporter: “Why are you changing the Internet?”
– Email from a faculty member: “I have AT&T Internet service at home. Should I change to ‘KSU Wireless?’ If so, how much does it cost and how do I install it?”
– Email from a graduate student, another from a campus system administrator:
Privacy
• What do you think is the expectation of privacy for a faculty, staff, or student at K-State?
• Privacy is an interesting animal in higher education – a hybrid species
• “We respect your privacy, but you have none.”
• We’re not watchdogs; only snoop when specific conditions are met, several of which require permission of the CIO in consultation with General Counsel; annually report these accesses to Faculty Senate
How Dare You!
• I’m a glutton for punishment – now I plan to block remote access protocols at the border, like SSH and RDP
• Due to:
– Multiple compromises, some via successful brute force cracking of accounts with weak passwords
– Massive DDoS that buried a core router
– Morto worm infections
– Many instances of SSH and RDP scans, incoming and outgoing
– Security best practice, common sense, etc.
• Will have to use a VPN before remotely logging in.
• No brainer… right? Not in higher ed…
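An added example, not from the talk, that models the border policy just described as a first-match access list in Python: one departmental remote-access server is exempted (the address is a placeholder), SSH and RDP are denied for everyone else, and the closing rule is the “permit ip any any” of the talk’s title. The second list shows why rule order is the whole point: with the catch-all first, the denies never fire.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSH, RDP = 22, 3389
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """First match wins, as on a router or firewall ACL; no match means implicit deny."""
    for rule in acl:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"

def shadowed(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire: an earlier rule already covers all their traffic."""
    dead = []
    for i, rule in enumerate(acl):
        net = ipaddress.ip_network(rule.dst)
        for earlier in acl[:i]:
            if (earlier.proto in ("ip", rule.proto)
                    and net.subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.dport in (None, rule.dport)):
                dead.append(i)
                break
    return dead

# Constructed border policy in the spirit of the talk: one departmental remote-access server
# (placeholder address 192.0.2.10) stays reachable over SSH, SSH and RDP are dropped for every
# other destination, and the closing "permit ip any any" keeps the network otherwise open.
BORDER_INBOUND = [
    Rule("permit", "tcp", "192.0.2.10/32", SSH),
    Rule("deny", "tcp", ANY, SSH),
    Rule("deny", "tcp", ANY, RDP),
    Rule("permit", "ip", ANY),
]
# The same four rules with the catch-all first: every later rule is unreachable.
MISORDERED = [BORDER_INBOUND[-1]] + BORDER_INBOUND[:-1]
```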
Incidents @ K-State
3 per day in 2010 - not a good trend!!
K-State IT Security Incidents in 2010
• Categories
– 408 Spear phishing
– 355 Spam source
– 344 Unauthorized access
– 103 Malicious code activity
– 93 Policy violation
– 83 DMCA violation
– 23 Criminal activity/investigation
– 10 Web/BBS defacement
– 8 Reconnaissance activity
– 3 Confidential data exposure
– 1 Rogue server/service
– 0 Un-patched vulnerability
– 0 Denial of Service
– 82 No incident
• Slide annotation (brace beside the top categories): mostly due to spear phishing scams (74%)
A better trend! (0.6 -> 0.9 -> 0.6 -> 0.7 per day)
First phishing scam detected at K-State on January 31, 2008
1,067 compromised eIDs since then (2011 not included) and 920 different phishing scams… that we know of
A good trend!
User awareness efforts and additional security measures are working
Demographics of Phishing Scam Replies in 2010
• 390 Students (87% of total eIDs that replied to scams)
– 95 Newly admitted, have not attended yet
– 89 Freshmen
– 55 Sophomore
– 35 Junior
– 54 Senior
– 43 Graduate (31 Master’s, 12 PhD)
– 6 Vet Med
– 10 Alumni
– 9 non-degree
• 26 Staff (24 current, 2 retired)
• 16 Faculty (6 current, 3 adjunct, 2 Instructor, 5 emeritus/retired)
• 1 Post-Doc
• 0 Senior administrators
• 231 employees (i.e., lots of student employees duped)
• 13 Repeat offenders (retired faculty wins the prize for replying 5 times; barely beat retired music faculty @ 4 replies)
Slide annotation (brace): “They should know better!”
Demographics of Phishing Scam Replies in 2010
• Gender
– Female: 264 (58%)
– Male: 192 (42%)
– (60/40 in 2009)
More Phun Phishing Phacts
• In 2009, 79 of the 296 (27%) phishing scams were “successful” (i.e., got replies with passwords) – no wonder the hackers don’t stop given this success rate!!
• Significant shift in the form of phishing since September 2010
– Before, was 60-70% “reply to this email with your password”
– Since September 2010, 60+% are “click on this link and fill out the form”
Typical phishing form
• Usually hosted on compromised server
• Use of PHP Form Generator very common
Typical phishing form
Sometimes we can get administrative access to the form and delete or modify it, even view the list of people who filled it out in order to identify who from K-State was duped by the phishing scam.
Most Effective Spear Phishing Scam
Spear phishing scam received by K-Staters in January 2010
If you clicked on the link…
The malicious link in the scam email took the user to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, that steals their eID and password if they enter them and click “Sign in”. Clicking on “Sign in” then took the user to K-State’s home page.
Note the URL – “flushandfloose.nl”, which is obviously not k-state.edu
Fake SSO web page
Real SSO web page
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Real SSO web page – note “https”
Fake SSO web page
Real SSO web page – use the eID verification badge to validate
Result of clicking on eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password
Result of clicking on eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication
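An added example, not from the talk, that turns the two tells called out on these slides, a host that is not under k-state.edu and a page served over http rather than https, into a small URL check. The sample URLs are constructed: the fake one uses the host named in the talk with a made-up path, and the legitimate sign-in host under k-state.edu is hypothetical.

```python
from typing import List
from urllib.parse import urlsplit

LEGIT_DOMAIN = "k-state.edu"   # the real SSO page lives under this domain (from the talk)

def host_is_under(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain of it. The dot boundary matters:
    'fakek-state.edu' must not count, and neither must 'k-state.edu.example.nl'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def signin_url_findings(url: str, legit_domain: str = LEGIT_DOMAIN) -> List[str]:
    """Reasons a sign-in page URL should not be trusted; an empty list means both checks passed."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":            # the fake page was served over plain http
        findings.append("not https (scheme is %r)" % (parts.scheme or ""))
    host = parts.hostname or ""
    if not host:
        findings.append("URL has no host")
    elif not host_is_under(host, legit_domain):   # the fake page was on flushandfloose.nl
        findings.append("host %s is not under %s (top-level domain .%s)"
                        % (host, legit_domain, host.rsplit(".", 1)[-1]))
    return findings

# Constructed samples: the fake page's host from the talk (the path is made up) and a
# hypothetical legitimate sign-in host under k-state.edu.
FAKE_URL = "http://flushandfloose.nl/ksu/signin.php"
REAL_URL = "https://signin.k-state.edu/"

if __name__ == "__main__":
    for url in (FAKE_URL, REAL_URL):
        print(url, "->", signin_url_findings(url) or ["passes both checks"])
```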
Strategy
“permit ip any any”
Strategy
• Operate within the culture of the institution
– Respect and embrace the culture; if you fight it, you’ll only make enemies who will ignore your policies and undermine everything you do
• Independent, opinionated “customers”
• Highly distributed power/budget/control/technology (accept the fact that we cannot centralize or control everything)
– Mixed model of centralized vs. distributed resources/control (we’re IT Services, not “Infotech Take-over Services”)
– Remember our primary purpose – to SUPPORT faculty, staff, students, and administration
• To enable their work, not hinder it
• Security is not the sole consideration, or always the most important; strongly consider impact on user experience
Culture continued
– Be willing to compromise
• RDP/SSH block good example – don’t block every remote access protocol, just ones that pose greatest risk; allow exceptions for departmental remote access servers
– Give them input into the process; prove you listen by adjusting policies, procedures, and project timelines based on their feedback
– Take the time to respond professionally to the flaming emails (coffee shops are great cybersecurity tools)
– Communicate in as many ways as you can, with clear explanation of the reasons for the change
Security Organization at K-State
• Information Security & Compliance department in central IT Services (that’s me and my team – six of us total)
• CIO plays key role in communicating, esp. up the ladder
• SIRT – Security Incident Response Team and advisory council
– Play a critical role in gaining buy-in from the campus
– Reps from every academic college and major administrative unit
• Departmental security contacts – at least one in every department
Communicate! Communicate! Communicate!
• Email
• Web site
• Blog
• Twitter
• RSS
• Policies/procedures/guidelines/standards
• Weekly IT newsletter articles
• K-State Today news
• Student newspaper articles
• Advertisements
• Video
• Seminars
• Online training
• Face-to-face training
• Monthly IT security roundtables
• Annual day-long security workshop
• Personal visits to committees, councils, departments
Battling the John Mallery “Stupid People” Problem, or thinning the Bozone
• User awareness and training
– Only so much technology can do, especially in our open, distributed environment
– Regular “IT Tuesday” articles were pretty well read
– Annual IT day-long security workshop with more technical and less technical tracks
– Started mandatory annual security training last year
• Focused on phishing scams and password mgmt
• Had some positive effect in spite of venomous pushback
– And something new this year…
National Cyber Security
Awareness Month
Strategy
• Usual set of security technologies (Snort IDS, Nessus vuln scanner, QRadar log mgr, Procera PacketLogic traffic shaper, IronPort email security appliance, EnCase+FRED for forensics, netflow analysis tools, Cisco ASA firewalls, Cisco AnyConnect SSL VPN, Impulse NAC, Trend Micro AV, PGP WDE)
• Network segmentation
• Strong security policy base, including data classification
• Jericho Forum firewall strategy apropos for higher ed (www.jerichoforum.org)
– “De-perimeterisation”
– Move the security controls closer to the things you’re trying to protect (i.e., the data… which resides who-knows-where)
Q&R – Question & Response
(i.e., I don’t have all the answers!)
What’s on your mind?