Defending Laptops with MinUWet By Erick Engelke

Laptops and our future? laptops now outsell desktops laptops now outsell desktops we expect continued growth of laptops we expect continued growth of laptops laptops present new opportunities for learning and budgets, but also new IT staff challenges laptops present new opportunities for learning and budgets, but also new IT staff challenges laptop security issues are time-consuming for staff laptop security issues are time-consuming for staff outdated antivirus definitions and OS updates need Internet connectivity to be updated outdated antivirus definitions and OS updates need Internet connectivity to be updated

Solution: We need a strategy which encourages responsible client laptop management

Possible Solutions Cisco NAC (Network Admission Control) - forklift upgrade Cisco NAC (Network Admission Control) - forklift upgrade Microsoft… NAP (Network Access Protection) vapourware due with Vista server Microsoft… NAP (Network Access Protection) vapourware due with Vista server UToronto Endpoint Security Policy (see Managing Self-Managed Computers at this conference) (just learned about it this May) UToronto Endpoint Security Policy (see Managing Self-Managed Computers at this conference) (just learned about it this May)

Continuum of Security none - anarchy available but optional encouraged / accessible heavily enforced

Accessible Security? make technology simple to conceptualize though not necessarily understand make technology simple to conceptualize though not necessarily understand it becomes part of the culture it becomes part of the culture examples: examples: privacy of PIN numbers on debit cards privacy of PIN numbers on debit cards security of SSL web sites security of SSL web sites eventual tolerance by users eventual tolerance by users

How to Encourage Security Educate Educate Reward Reward Remind Nag Embarrass Punish or

Possible Education Points 1. secure your computer Antivirus, Workstation Firewall, Updates, … Antivirus, Workstation Firewall, Updates, … 2. secure your applications MyWaterloo, SSH, Secure IMAP, VPN MyWaterloo, SSH, Secure IMAP, VPN 3. secure yourself best practices, (strong secret passwords), avoid probable malware best practices, (strong secret passwords), avoid probable malware users can conceptualize these points, but will they act ?

MinUWet Setting minimum standards NAA detects OS at login screen NAA detects OS at login screendetects highly vulnerable OS’s must endure a scan using MinUWet (currently only MS Windows) highly vulnerable OS’s must endure a scan using MinUWet (currently only MS Windows)MinUWet Antivirus enabled and up-to-date? Freshen! Antivirus enabled and up-to-date? Freshen! OS getting patches? OS getting patches?

MinUWet Setting minimum standards (cont.) NAA detects OS at login screen NAA detects OS at login screendetects highly vulnerable OS’s must endure a scan using MinUWet(currently only MS Windows) highly vulnerable OS’s must endure a scan using MinUWet(currently only MS Windows) MinUWet Antivirus enabled and up-to-date? Freshen! Antivirus enabled and up-to-date? Freshen! OS getting patches? OS getting patches? HTTP always allowed, download patches HTTP always allowed, download patches pass test… get additional or “premium” network access pass test… get additional or “premium” network access

MinUWet Setting minimum standards (cont) only test once per week, cache results only test once per week, cache results other OS’s are not affected other OS’s are not affected users who do not wish to participate or fail are granted web-only access users who do not wish to participate or fail are granted web-only access web only access is sufficient for AV and OS updates web only access is sufficient for AV and OS updates will still do existing security scans and SNORT will still do existing security scans and SNORT complementary solutions add more security complementary solutions add more security

Some MinUWet Facts idea is similar to Cisco NAC and MS NAP idea is similar to Cisco NAC and MS NAP MinUWet is compatible with all existing hardware and safe with non-MS OSs (challenging, many PDAs claim to be Windows). MinUWet is compatible with all existing hardware and safe with non-MS OSs (challenging, many PDAs claim to be Windows). local expertise, we can adapt it local expertise, we can adapt it Cisco and MS solutions are stronger but more difficult to run and inflexible Cisco and MS solutions are stronger but more difficult to run and inflexible MinUWet doesn’t have to be hack-proof, it just has to be better than today’s mess! MinUWet doesn’t have to be hack-proof, it just has to be better than today’s mess! MinUWet - retired upon better options MinUWet - retired upon better options

Statistics from Two Week Engineering Trial 6486 NAA Windows sessions 6486 NAA Windows sessions 3161 or 49% of sessions ran MinUWet 3161 or 49% of sessions ran MinUWet 628 distinct users ran MinUWet 628 distinct users ran MinUWet 168 or 26% of them failed the test initially 168 or 26% of them failed the test initially 75 or 45% of those who failed later passed. 75 or 45% of those who failed later passed. this indicate users upgraded their systems this indicate users upgraded their systems zero security threats observed (snort) zero security threats observed (snort)

Campus-wide Rollout March 2 nd March 2 nd “help desks” co-ordinate information sharing “help desks” co-ordinate information sharing March 3 rd – March 3 rd – appears in daily newsletter appears in daily newsletter brief message appears at each wireless user login brief message appears at each wireless user login both messages point to a web site where users can learn more and test their laptops ( both messages point to a web site where users can learn more and test their laptops ( Two Weeks Later: March 16 th Two Weeks Later: March 16 th MinUWet goes live and enforces user security MinUWet goes live and enforces user security

Adding Memory Users didn’t like testing every time Users didn’t like testing every time we subsequently added memory - computers need only validate once per week we subsequently added memory - computers need only validate once per week 2/3rds of passes are typically pre-approved 2/3rds of passes are typically pre-approved

How it Works Client System user logs in using browser user logs in using browser browser Identifies OS browser Identifies OS download MinUWet download MinUWet run MinUWet run MinUWet collect stats collect stats transmit stats transmit stats displays decision displays decision Web server logs user in checks OS against list looks for prior pass sets routing rules informs user of status makes decision changes router settings

What we did right… MinUWet is not too strict MinUWet is not too strict not testing for absolute latest patch, look for trend not testing for absolute latest patch, look for trend users can still download the patches they need users can still download the patches they need Web access granted until user demonstrates compromised/vulnerable system Web access granted until user demonstrates compromised/vulnerable system one week between tests, good compromise of security versus annoyance one week between tests, good compromise of security versus annoyance MinUWet is still strict MinUWet is still strict Not a one-time deal, we catch computers that fall out of scope for patches Not a one-time deal, we catch computers that fall out of scope for patches

Future move to a shared database to store notes of problem users move to a shared database to store notes of problem users adopt a self-remediation system – some prefer human contact, others want automation. adopt a self-remediation system – some prefer human contact, others want automation. wider deployment, grad student offices, maybe residences wider deployment, grad student offices, maybe residences eventual retirement when vendor product is better eventual retirement when vendor product is better

Thank you