Slide 1: Security Interchange
Paul Howell, Information Systems Security Officer
MAIS / Technical Infrastructure Operations
June 2002
Slide 2: Agenda
UM and the Internet
The Internet: past, present, and future
Security problems
Challenges for Higher Education
Security solutions
MAIS efforts and status
Working together
Update on a security incident at MAIS
Slide 3: UM and the Internet
Full connectivity with the Internet and Internet2
Approximately 50,000 live hosts on UM networks
Mission critical business processes run over the network
Education and research depend upon the network
Slide 5: The Internet, Circa 1969
Once upon a time, there was a network, where all users worked together in harmony towards common goals
Slide 6: The Internet, Present

Slide 7: The Internet, Future
Slide 8: More Sophisticated Intruders
Intruders are:
–growing in number and type
–building technical knowledge and skills
–gaining leverage through automation
–building skills in vulnerability discovery
–becoming more skilled at masking their behavior
Slide 9: Attack Sophistication vs. Intruder Technical Knowledge
[Chart: x-axis 1980, 1985, 1990, 1995, 2000; y-axis Low to High; series labelled “Intruder Knowledge” and “Attack Sophistication”, with “Tools” and “Intruders” marked]
Techniques plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDoS attacks, network worms
Slide 10: Modus Operandi
A typical attack pattern consists of
–Reconnaissance of the victim site
–Gaining access to a user's account
–Gaining privileged access
–Performing desired activity
It is possible to accomplish all these steps manually in as little as a few minutes
got root?
Slide 11: Code Red: 359,000 Infected Hosts

Slide 12: Published on Bugtraq
[Chart of vulnerabilities published per year; source: http://www.securityfocus.com/vdb/stats.html]
2001 data is incomplete
Slide 13: It’s going to get worse – 1
Explosive growth of the Internet continues
–Where will capable system administrators come from?
Market pressures will drive vendors
–Time to market, features, performance, and cost are primary
–“Invisible” quality features such as security are secondary
Slide 14: It’s going to get worse – 2
More sensitive applications will be connected to the Internet
–Low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking
–Hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology
Slide 15: It’s going to get worse – 3
“The death of the firewall”
–Traditional approaches depend on complete administrative control and strong perimeter controls
–Today’s business practices and wide area networks violate these basic principles
  no central point of network control
  more interconnections with customers, suppliers, partners
  more network applications – “the network is the computer”
  who’s an “insider” and who’s an “outsider”
Slide 16: Incident Costs in the Big 10
[Chart: Number of Incidents; source: 1997 – 1998 ICAMP Study]
Slide 17: The Risks
While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission.
Network attacks lead to lost:
–Money
–Time
–Work products & research
–Reputation
–Privacy
–Sensitive information
–Lives
Slide 18: What’s Wrong?
The Internet was designed to be resilient, not secure
Insecure Products
–Poor quality control leads to a large number of patches
–Products ship with open configurations
–Security is an add-on
–Security is hard to configure
Cryptography is not ubiquitous
Slide 19: What’s Wrong?
On the Internet, every
–hacker/cracker (professional, script kiddie)
–hacktivist
–criminal (pedophile, extortionist, fraud, …)
–sociopath
–terrorist
–espionage/intelligence agent
–military cyber warrior
–copycat
IS OUR NEIGHBOR
Slide 20: The Challenges of Security in Higher Education
1. Diversity of the Higher Ed Industry
2. Complexity of Service Offerings Drives Complexity of Architectures
3. Cultural Challenges
Slide 21: Diversity of the Higher Ed Industry
3500+ Colleges and Universities
> 1000 Community colleges
< 100 major research universities
125+ University Medical Schools
400 Teaching Hospitals
150+ Institutional members of Internet2
Slide 22: Complex Service Offerings
The University is an Educational and Research Entity
The University is a Corporation
The University is an ISP
Slide 23: Cultural Challenges
Loose confederation of autonomous entities
Lack of control over users
Academic “culture” and tradition of open access to information
Complex trust relationships between departments at various Universities for research (e.g. Physics community)
Creative Network Anarchy – anyone can attach anything to the network
University research lab computers are often insecure and poorly managed
Libraries provide open terminals
Dorm Networking: little adult supervision
Slide 24: Why US Higher Ed Computer Networks are Attractive Targets
Excellent platforms for launching attacks
–Wired dorms (insecure Linux PCs, PC Trojans)
–High bandwidth Internet
–Sophisticated computing capacity (scientific computing clusters, even web servers, etc.)
–“Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
Many college & university networks are insecure
–Too few security experts; weak tools; most institutions do not have an InfoSec office
–Few policies regarding systems security
–Dearth of funding
Slide 25: Targets of Opportunity on US Higher Education Computer Networks
Sensitive Data
–Credit Card #s, ACH bank #s
–Patient Records
–Student Records
–Institution Financial Records
–Investment Records
–Donor Records
–Research Data & Other Intellectual Property
Slide 26: Increasing Visibility of Security Issues in Higher Ed
Increasing concerns about liability: Will E-Commerce sites recover damages from institutions implicated in future DDoS attacks?
Federal funding agencies to require firewalls, security?
HIPAA is a “forcing function” in academic Medical Centers, Campus Health Centers
FERPA, COPPA, CIPA, DMCA, Privacy legislation
Threats from terrorist activities, protection of the national infrastructure
Recent incidents: Massive Virus Attacks, Intrusions Leading to Potential for Identity Theft, Liability
Slide 27: Educause Action Statement
Make IT security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop, and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry, and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
Slide 28: Statement on Stewardship, UM
Maintaining systems security and a secure computer environment for financial and other University records
Storing information you obtain under secure conditions and taking every reasonable effort to maintain privacy and confidentiality of the data
Slide 29: Security is a Process
[Diagram: Risk Analysis, Security Policy, Countermeasures, Audit, with Security at the center]
It’s All About Risk Management
Slide 30: Security Objectives
Confidentiality: Information is disclosed only to authorized individuals
Integrity: Information and programs are changed only in a specified and authorized manner
Availability: Assure that systems work promptly and service is not denied to authorized users
Slide 31: Primary Activities
Prevention
–Security policy
–Firewalls, encryption
Detection
–Logging and monitoring
–Intrusion detection, integrity management
Reaction
–Incident response team
–Recovery of resources/information
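The “integrity management” item under Detection is the one most easily shown in code: record a baseline of file digests while a system is known-good, rescan later, and treat any added, removed or modified file as something to investigate. The script below is an added example and not part of Paul Howell’s slides or MAIS tooling; the directory layout, file contents and the changes it simulates are all constructed inside a temporary directory so it runs offline.

```python
"""File-integrity baseline and comparison (the Detection / integrity
management step). Added example; paths and contents are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small 'etc' tree, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "pam.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "pam.d" / "sshd").write_text("auth required pam_unix.so\n")
        (root / "motd").write_text("Authorized use only\n")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated changes after the baseline was taken: one file edited,
        # one deleted, one new file dropped into a sensitive directory.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n"
        )
        (root / "motd").unlink()
        (root / "pam.d" / "common-auth").write_text("# constructed new file\n")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the stored baseline, which is why the save routine notes that the JSON should live somewhere the monitored host cannot rewrite it; the same logic extends to scheduling the rescan and shipping the result to the central logging the deck lists under Detection.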
Slide 32: Elements of Security
Should support the mission of the organization
Is a means to an end and not an end in itself
Is an integral element of good management
Should be cost-effective
Slide 33: Basic Steps
Identify what you are trying to protect
Determine what you are trying to protect it from
Determine how likely the threats are
Implement measures that will protect your assets in a cost-effective manner
Review the process continuously and make improvements each time a weakness is found
Slide 34: MAIS Participation in Security Organizations
InfraGard – government and private sectors working together to protect critical infrastructure
CIC Security Working Group – Big 10 security officers meet quarterly
Host the UM Security Round Table – people from UM and the region attend for quarterly meetings
Slide 35: MAIS Data Center
Approx. 4,000 square foot computer room
Central records for HR, SA, and Fin
Houses about 130 servers
–Citrix
–Oracle (e.g., Fin and HE Prod)
–Wolverine Access
–Development, Alumni, and Constituency
–Library (Mirlyn)
–Axis (ITCom billing system)
–Alumni Association Self Service
–Printers
Slide 36: MAIS Enterprise Systems
Security assessment completed January 2001
–“administrative information systems in the data center are at considerable risk to technology-based security attacks”
Recommendations made to correct this are fully funded and being implemented
Infrastructure Protection Group formed with members from different areas
Slide 37: Our Vulnerabilities
Slide 38: Security Project Status
Completed              | Started                 | Planned
Firewall               | Encrypt Network Traffic | Authentication Review of Admin Systems
Network Time Protocol  | Security Policy         | Account Usage Analysis
Improve WA Encryption  | Central Logging         | 24 X 7 Vulnerability Detection
Intrusion Detection    | Disaster Recovery       | Security Assessments as a Service
Routine Patching       | User Security Awareness |
DMZ                    | Integrity Management    |
Slide 40: Some Future Things
Secure Shell to replace FTP
Use VPNs to access systems remotely
Authentication systems review and recommendations, i.e., currently up to 9 passwords
–Strong yet simple
Cooperatively work towards providing the same level of security for administrative information across campus
Slide 41: User Security Awareness
Increase awareness of security issues
Communicate advisories
Team up with technical staff within the Units to work with on technical items
Hold periodic Security Interchange meetings
Web site with security information: http://www.mais.umich.edu
Slide 42: Teaming Up
Identify technical support staff working on security in their respective areas
Establish an email list for discussing and sharing information regarding security
Share tools and techniques used to assess and secure our operational environments
Two-way communication is vital
Slide 43: Reporting Incidents
If your system has been compromised and it might affect HR, SA, Library, or Fin information and/or systems, please contact the MAIS Help Desk
If you suspect your account has been compromised, please contact the MAIS Help Desk
If it’s an emergency, send email to mais.security@umich.edu; my pager is in the online directory
Still contact your local system administrators
Slide 44: Incident Response
January 2001 – a critical server is compromised
Serious threat to UM
Tracing the connections backwards
–UM Physics
–University of Maryland
–University of Illinois
–ADSL modem in Corpus Christi, TX operated by Southwest Bell
Slide 45: Criminal Matter
Felony in MI
Coordinated with
–UM DPS (local)
–MI High Tech Crime Unit (state)
–MI State Police (state)
–Detroit FBI Computer Intrusion Unit (federal)
–Corpus Christi, TX PD (local)
–TX High Tech Crime Unit (state)
Slide 46: Prosecuted
April 25, 2001 search warrant is executed
Suspect is 16 years old
Evidence found on seized equipment
Case transferred to TX for prosecution
Guilty plea on May 28, 2002
Slide 47: Questions and Discussion
Paul Howell
grue@umich.edu
734-763-0609