Mark Bruhn Indiana University IT Policy Officer

Security@IU Mark Bruhn Indiana University IT Policy Officer

- January 1997 - Michael McRobbie arrives as the first CIO at Indiana University
- March 1997 – self-proclaimed “privacy advocate” finds 2760 records of personal info via a gopher-http gateway
  - Posts them to his web site
  - Notifies major media outlets
- Information Security Officer was buried in Administrative Computing department
- No incident response capability existed

Subsequent actions:
- University Computer Security Task Force appointed
- University Computer Security Office created with an interim Director
- One of the best technicians available assigned to the UCSO immediately
- External reviews (company and peer) commissioned
- Interim IT Policy Officer appointed
External reviews:
- No real surprises
- Peer review recommended permanent IT Policy and Security Offices
Developed an action plan
- CIO presented the action plan to the President, who directed that it be implemented

Offices created in August 1998:
- Positioned in the Office of the Vice President and CIO, not in computing department
- Several new staff positions created, including two high-level “officers”
- IT Policy Officer reports to the CIO, and is a member of OVPIT executive management
- IT Security Officer reports to the IT Policy Officer, but with dotted-line to the CIO

IT Policy Office
14 full-time staff variously responsible for:
- Policy development
- Incident response
- Identification, authentication, authorization services
- Enterprise directory
- Disaster recovery
IT Security Office
7 full-time staff responsible for:
- Maintaining a wide-breadth and specific in-depth technical expertise
- Developing security resources for technicians
- Developing/maintaining tools for technicians
- Security consulting
- Security reviews on request

[Organization chart: University Information Technology Policy Office, Office of the Vice President for Information Technology, September 2001. Box labels as extracted:]
- Michael McRobbie, VP/CIO
- Mark Bruhn, IT Policy Officer / Contracts & Agreements Officer
- Admin Asst
- Tom Davis, IT Security Officer
- Disaster Recovery Program Manager
- Data Administrator Info Mgt Officer
- Merri Beth Lavagnino, Deputy IT Policy Officer
- 2 Principal Security Engineers
- 3 Lead Security Engineers
- 1 Senior Security Analysts
- Cross-Unit Recovery Planning Team
- Information Technology Security Office
- Global Directory Services Team
- Computer Accounts Manager
- Incident Response Coordinator
- 1 Lead Data/Applications Analyst
- 2 Senior Data/Applications Analysts
- 6 Accounts Administrators
- Technical Investigators

February 2001 – Bursar’s Office
- Technician inadvertently allowed anon FTP
- Gigabytes of bootleg movies and music stashed by unknown individuals
- A file of personal data was amongst these media files, and was downloaded
In May 2001, Trustees pass a resolution directing VP/CIO to take steps to improve security
- Proactive
- Reactive

June 2001 – School of Music
- Web server exploited via known vulnerability
- School was collecting personal information from prospective students
- Data was stored in directory accessible to the intruder
June 2001, CIO directed University units to eliminate unnecessary files of sensitive information and to secure the rest
- By December 2001, 55 major units indicated projects underway or projects completed
Creating an enterprise directory
- Permits applications to access central secure store of person information instead of maintaining distributed stores
- “Translate service” permits departments to store username instead of SSN and convert as required

Developed issues list
Developed strategy
Developed talking points
- CIO and ITPO/ITSO use all opportunities to discuss security issues with various constituencies
- Key is to translate vulnerabilities and issues into INSTITUTIONAL RISKS
Role for CIO and IT Policy Officer
- Security Officer many times mostly technical (which is a good thing) and not schmoozy
- But, key person is the CIO (if organizationally positioned correctly):
  - Especially if also an academic
  - Understands technology
  - Understands business/mission
  - Has the attention of executive administration

- Published general best practices documents:
  - Best Practices for Security IT Resources
  - Best Practices for Handling Sensitive Electronic Information (long and short)
- Deliver formal technician seminars which include general information and technical security (partner with computing department and Human Resources Management)
- Deliver non-credit technician Security Education/Certification courses, which are already proving very popular (partner with computing department; plans to make these mandatory)
- Deliver an enhanced suite of technician support tools (for vulnerabilities assessment, anti-virus, advisory service, etc.)
- Made available many technician/user how-to guides

Purchased:
- Intrusion Detection: Shadow Style
- Securing Linux: Step-by-Step
- Solaris Security: Step-by-Step
- Windows NT Security: Step-by-Step
- Windows 2000 Security: Step by Step
- Windows 2000 Vulnerabilities and Solutions
Locally developed:
- Handle a system compromise
- Install and Use SSH
- Install and Use TCP Wrappers
- Obtain a certificate for an IU-based web server
- Prevent mail relay abuse
- Protect against viruses
- Protect your home PC
- Protect your IIS web server
- Protect your laptop computer
- Recover from a System Compromise
- Secure your personal computer accounts
- Secure your Windows FTP server
- Secure your Windows NT system
- Secure your Windows 95/98 system
- Secure your UNIX system

- Eliminated several insecure email communications protocols; working to eliminate all
- Developed “virtual private network”, which provides for authentication and encryption for:
  - Connections from off-campus
  - On-campus wireless networks
- Commissioned a group to develop a comprehensive enterprise firewalling proposal, with specific self-defense goals:
  - A large portion of the ~65,000 networked IU systems support campus functions and do not need to be visible to the Internet
  - On the remaining systems, only certain services (e.g., web pages) need to be visible to the Internet
  - IUB Halls of Residence student computers need special protection from external influences; services that students provide to the Internet must be limited
- Security consulting engagements to projects and systems within UITS and departments increasing dramatically

- Placement of a firewall at the edge of the IU network to protect workstations and local servers from many types of attacks.
- Departmental servers providing services beyond the IU network would exist on a separate Class B network from workstations.
- Servers on this network would be registered and hardened and would be protected via router ACLs.
- Servers residing in the UITS machine rooms on each campus would use a separate firewall with unique rule sets for each server.

- Created new IT policies:
  - Use of Indiana University Information Technology Resources
  - Sanctions for Misuse or Abuse of Indiana University Technology Resources
  - Eligibility to Use Indiana University Technology Resources
  - Privacy of University Information Technology Resources
  - Information Technology Facilitative/Fair Usage Policy
  - Security of University IT Resources
  - Network and Computer Accounts Administration
  - Extending the Network
  - Wireless Networking
  - Use of Electronic Mail
  - Policy on Use of Email for Mass Communications
- Created Deputy IT Policy Officer based at IUPUI; affords more presence there and at regional campuses

Web-based scanner management interface
- ISS and Nessus as scan engines
- Several scan engines
- Scans are required and automatically executed for OVPIT systems
- Scans are requested by administrators, security staff, or auditors
Web-based incident tracking system
- Incidents are triaged by full-time IRC, and either handled by that person or assigned