Transcript ppt
CU – Boulder
Security Incidents
Jon Giltner
Our Challenge
What do we face…
The campus computing environment:
– ~ 20,000 PC-class systems
– ~ 6,000 Server-acting systems
– ~ 40,000 accounts
Like most universities the campus is
highly decentralized
What do we face, part 2…
We’re responding to about 50
incidents per week:
42% network worms
18% “Root kits”
18% SPAM bots
15% copyright
7% email worm
Few involve protected data
High Visibility Incidents
October 2004
- Continuing Education: CCs and PII
July 2005 (all PII)
–
–
–
–
Wardenberg Health Center
College of Architecture and Planning
Department of Housing including ID Card
Office of the Registrar
Invoke Incident Response Process
Formal documented process established in
2004
“Requires” notification and involvement of
central IT
CERIAS Incident Response Database
–
–
–
Center for Education and Research for
Information Assurance and Security IRDB
https://cirdb.cerias.purdue.edu/website/
Web Based tool for managing security incidents
Supports email, contact management, rolebased access and multi-level access to
hierarchical domains of confidentiality.
Data Breach Response Team
Team is formed if incident involves potential breach of
sensitive data
Mandate independent forensics
–
Credit card companies mandate the firms you can use.
The team’s primary role is to handle communications:
–
–
–
–
–
–
Notification to affected individuals via US postal mail using best
last known address
Notification to affected individuals via email when email
addresses are available
Press release
Web content
Follow-up communications with press
Establish and man hot-line for notified individuals (department
responsibility)
Data Breach Response Team
Who is involved:
–
–
–
–
–
–
–
–
–
Legal Counsel
Department head for the compromised department
IT Security Coordinator
Technical lead for the compromised department
Campus Police
University Communications
University Privacy Officer
University Officer with oversight for the compromised
department
Treasure's office if compromise involves credit cards
Vulnerabilities
Windows patches
Oracle updates
Third-party software, i.e., Veritas backup software
Stale databases
Culpability
(Discussion)
Application and system administration
within departments?
Controls at network layer?
Vendor software?
Existence and/or enforcement of well
communicated policies regarding data
management?
Questions:
Have we over responded to these
specific incidents?
– (Not according to established IR process)
Has CU-Boulder been victimized more
than others, or have we just
acknowledged it more publicly?
Negative Impacts:
PII potentially spilled
– (ultimate perception is that it has)
University reputation
Target squarely on our backs – “script
kiddies, look there”
Positive Impacts
Real-time honing of our Incident
Response System
Security initiatives getting executive
attention
Gotten attention of local system
admins and their dept. heads
Proposed sweeping changes
Scoping the Challenge Ahead
Must meet academic, research and
administrative needs
Multi-layered Approach
–
–
–
–
Host administration
Network access must be earned
Awareness & Education
Frequent Risk Assessments
Compounding 70% solutions!
The Passel of Solutions
1.
2.
3.
4.
5.
Private IP addresses for desktop-class
systems
Require Host-based Intrusion Detection
Software
Risk Assessments performed by 3rd
party
Further Restrict Inbound Internet Traffic
Server Registration