1
Securing Unmanaged Computers
Solutions, Strategies and Effective Practices
• Costs of Security
• Residential Security Strategies/Case Studies
• Discussion of Georgia State University’s Solutions and Practices
• Small Group Case Study Exercises
• Reference Materials
2
Why Care About Unmanaged Computers?
• Protecting user privacy - computers often contain personal, sensitive information.
• Limiting institutional liability - managing incidents after the fact is expensive.
• Reputation - these computers are part of your network domain and reflect on the institution.
• Bandwidth cost - compromised systems may be used for serving copyrighted material, which can consume a lot of bandwidth.
• DDoS - large numbers of compromised computers are being used in denial of service attacks.
3
What Is Security?
Security is a strategy that requires tools, policies and user awareness/education to be effective.
Security is an on-going process. It does not end once a computer is provided access to a network or information resource; it only begins.
For effective security:
• Assume your network is a perpetually hostile environment
• Assume your weakest link is the user device (desktop/laptop)
• Develop proactive security strategies
4
What Is Security?
The development of security practices at your institution may involve:
• Department and central IT services
• Faculty senate
• General Counsel
• Internal Auditing
• Security office, if designated
• Student technology support group (ResNet)
• Students
5
Security: Negative Deliverable
Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
6
Definition of Managed Computers
For this presentation, managed computer systems fall into one or more categories:
• Systems that are controlled through an automated mechanism that enforces certain aspects of the institution’s security measures or policy.
• Systems that have professional IT staff assigned to “manage” them.
Trust is bestowed upon a managed computer according to:
• Risk assessment
• Degree to which they are managed
Note: managed computer systems may still possess security issues!
7
Definition of Unmanaged Computers
For this presentation, an unmanaged computer system relies upon the owner of that system to do the right thing at the right time to secure their computer. At a higher education institution, different members of the community will potentially operate unmanaged computers:
• Student owned computers
• Faculty owned computers, particularly those used for research
• Staff computers may also fall into this category
• Personally owned computers connecting from home
• Guest computers, conference attendees
8
Forces Causing Unmanaged Computers
• Laptops are becoming ubiquitous on campus and wireless networks are commonplace.
• Institutions may not own the computer in question, as in the case of student computers or systems acquired through grants and research.
• Faculty research activity may prevent updates or changes from occurring.
• Institutions may have a culture where there is an “expectation” to work from home -- how do we help manage their system?
9
Solution Strategies
Solutions can fall into these broad areas. A combination, dependent on your institution’s environment, can offer an effective strategy:
• Network architecture
• Host-based firewalls
• Agent-based products
• Patch management and anti-virus
• Response and remediation strategies
• Effective practices and policies
– NetAuth working group documents
• User education through security awareness and training
10
Network Architecture
Network design and segmentation
Network security devices can help secure unmanaged systems either proactively or reactively.
• Proactive devices can block problems - these include intrusion prevention, firewalls, and router access control lists.
• Reactive devices can identify systems with security vulnerabilities -- intrusion prevention, intrusion detection, vulnerability scanners, and packet shapers.
11
Host-based Firewalls
Running a firewall on the computer system provides additional protection. Techniques being used:
• Windows XP SP2 provides a basic firewall for Windows that is enabled by default.
• Other commercial products provide firewalls and IPS with more advanced features than those found in SP2.
• Some institutions package a firewall product with anti-virus.
12
Agent-Based Products
These products install an agent-based program on the computer that validates configuration settings. This agent can be queried during authentication to the network to ensure compliance.
• Commercial products include Perfigo, Vernier, and BlueSocket. Each of these products has the capability to validate security settings for compliance prior to, during, or after authentication.
• Many institutions have developed their own agents.
13
Patch Management and Anti-virus
Anti-virus software with regular updates is essential.
Promptly updating software to fix security vulnerabilities is a requirement to keep an unmanaged computer system secure.
Techniques available for Microsoft Windows:
• Enabling auto-update for Windows XP and 2000
• Creating an institution-wide Windows Update Server and using that to update machines
• Using commercial patch management products such as BigFix and PatchLink
• Regularly scanning systems for compliance
14
Response and Remediation
Institutions need a business process to support the remediation of compromised systems. Some issues that must be considered:
• Do you have a policy that allows the institution to deny access to a compromised system?
• Under what circumstances do you deny access?
• Can remediation occur if access is denied?
• What assistance do you offer in fixing this system?
• How do you validate that remediation has occurred?
• How do you perform remediation in a timely fashion?
• What is the user’s expectation?
15
Remediation Techniques
Examples of remediation techniques:
• CMU’s NetNotify is a completely online system for managing remediation. http://www.net.cmu.edu/epidemic/
• Some institutions delay service
– Systems are off the network
– Used as a motivator for students to maintain security
• Some institutions charge students to perform remediation.
• Some institutions trust students to confirm that remediation has occurred.
16
Effective Practices and Policies
The effective practices guide has a number of case studies that can help:
• IDS deployment -- Notre Dame, MIT, U. Florida
• Vulnerability scanning -- Purdue and Indiana
• Security architecture - UMich, GaTech, GMU
• Network registration/scanning - U. Conn.
• Router ACL - Cornell
• Firewall - Brown
• NAT - Bethune Cookman, Purdue
• Wireless - Penn State, Purdue, Simon Fraser
http://www.educause.edu/EffectiveSecurityPracticesGuide/1246
17
NetAuth Working Group
The Internet2/NetAuth working group is focusing on issues of network authentication and federated wireless authentication.
Salsa NetAuth whitepaper -- frames the issue and identifies solution strategies for typical residential network situations.
http://security.internet2.edu/netauth/docs/draft-internet2-salsa-netauth-summary-02.html
18
NetAuth Working Group
• Work is beginning on defining a model and developing frameworks for future NetAuth systems.
• Making NetAuth systems architectural components of a network, not add-on components to existing systems.
• See the working group roadmap for a deeper investigation of this work.
http://security.internet2.edu/netauth/index.html#Docs
19
Security Awareness and Education
Education and awareness programs are critical in getting buy-in and understanding for these efforts to “protect” users and their systems.
• EDUCAUSE has a CD that contains materials that can give ideas for starting a security awareness program.
• Many institutions produce a security CD for their users. This security CD will often auto-configure a computer to receive Windows updates and ensure that virus protection is installed and enabled.
Please visit the URL: http://www.educause.edu/Browse/645&PARENT_ID=639
20
The Costs of attacks
Article: Costs of virus cleanups goes up
• United Kingdom blue chip companies’ security costs
– $213,000 per incident (2003)
– $52,000 per incident (2002)
• Corporate IT Forum survey
– Average 365 man hours lost
– 1/3 reported over 3000 man hours lost
• Computer Crime and Security Survey
– $65 million in DoS attacks
– 82% reported virus incidents, costing $27 million
Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci941270,00.html
21
The Costs of attacks
Article: Colleges Face Rising Costs for Computer Security
501 institutions surveyed
• Issues
– Nearly 100% experienced worms and viruses in the past year
– 73% have seen an escalation
– 53% reported attempts to adversely affect their network
• Concerns
– Unauthorized access to financial, medical records
– Tension of closing a traditionally open society
• Result
– 39% do security awareness training for user community
– 42% have Chief Information Security Officers
– Anti-virus, spam filtering and firewalls almost universally used
http://chronicle.com/prm/weekly/v51/i17/17a00101.htm
22
The Costs of attacks
Article: Colleges Brace for the Next Worm
The Tipping Point: Blaster, 5 weeks in summer 2003
• 19 research institutions
– $299,579 on average
• Stanford University
– $806,000
– 18,460 repair hours
• University of Michigan
– $543,000
– 16,100 repair hours
• University of Chicago
– $377,000
– 9000 repair hours
http://chronicle.com/free/v50/i28/28a02901.htm
23
Cost of Prevention
• Use the figures to do your Risk Assessment
• Don’t do an ROI – this is prevention, not an investment
• Share the information of what can happen if you don’t reduce your risks
• Identify your threats and your vulnerabilities
24
Security and the Support of Residential Communities
David Futey, Stanford University
EDUCAUSE/Internet2 Computer and Network Security Task Force
ResNet Steering Committee, Chairperson
25
A Question of Philosophy and Resources
If we were only a Fortune 500…
• Variety of solutions
– Registration, patch management appliances
– Client agents
– Scanning
• Policy that guides the solutions
• Resources to enact solutions
• How and from whom are your residential students supported? Specific area (designated ResNet group) and/or part of overall IT services?
26
Recent Security Challenges
Welchia - July 2003
Blaster - August 2003
Worms - ongoing
Agobot/Gaobot -2004
Malware - 2004
Adware - 2004
Spyware - 2004
Rodin: The Gates of Hell (D. Futey photograph)
27
Residential Security Priorities
• Protecting user privacy
• User education
• Responsible control and management
• Network integrity
• Institution integrity
• Limiting institutional liability
28
The Process
• Registration
• Detection
– Active
– Passive
– Agents
• Isolation
• Remediation
29
Security Options
• Commercial
– Microsoft Software Update Server
– Bradford Campus Bandwidth Manager
– Perfigo
– Still Secure - Safe Access
• Open Source
– Nessus - vulnerability assessment
– Snort - intrusion detection
• Network Segmentation
30
Security Options
Email
• CanIt (http://www.canit.ca/)
• ClamAV for virus scanning (http://www.clamav.net/)
• BlueCat Networks Meridius Email
– http://www.bluecatnetworks.com/products/meridius/index.html
• Sophos (www.sophos.com)
31
Enterprise Spyware Options
• WebRoot’s SpySweeper Enterprise
• Ad-Aware SE Pro
Anti Virus
• McAfee ePolicy
• Symantec version 10
Desktop IPS
• ISS Proventia Desktop
32
Georgia State University
• Perfigo (now Cisco) Clean Machines
– Checked for running AV, ISS desktop IPS, Windows updates
– Ran a Nessus scan to detect worms or familiar anomalies
• AV and ISS policy sigs were “auto” pushed to residents’ computers
• At the edge of the network, we unidirectionally blocked P2P traffic coming in from the “outside” world -- this stopped the copyright violation letters from watchdog agencies
• Incidents decreased dramatically
33
Tufts University
• ResNet installer
– Checks for Windows Auto Update
– “Advises” students to select it if not configured
• Under evaluation: provide services through a domain
– Access file storage and resources
– Centrally evaluate patch level and virus definitions
– Student must agree to the evaluation process for domain access
• Intel LANDesk
– Presently used for faculty and staff patch management
– Evaluating other utilities
• At issue: sensitivity regarding ‘control’ of the computer
34
University of Western Florida
• No registration utility at present
– Switch ports mapped to rooms
– DHCP for IP assignment
• Periodically scan network for vulnerabilities (Sasser)
• De-activate computers that are not patched
– Letter delivered by the student’s Resident Assistant
– Student contacts ResNet office
– ResNet office patches student’s computer
– Educate the student on proper security measures
– Re-activate
35
Iowa State University
• New student computers registered with Netreg
– Computers redirected to Netreg web server when they are first connected.
– Students authenticate to Kerberos servers during initial Netreg session
• If a Windows 2000 or XP computer is detected
– Students are directed to download Computer Inspector
– Computer Inspector verifies connection standards
36
Iowa State University
Connection standards that must be met:
• Weak passwords
• Service Pack levels
• Hot fixes
• Automatic Windows Updates
• Antivirus available
• Antivirus on-access scan
• Antivirus update
• Antivirus on-demand
Future Enhancements to Computer Inspector
• Develop policy for student connectivity
37
University of Twente, The Netherlands
• New and unregistered students quarantined
– Must register
– Access to patch and antivirus sites
• Quarantine if infected once on the network
– Detected through infecting a honeypot
– Network Operators
• Student corrects problem
– Requests access to routable network
– Option available once every 6 months
38
University of Twente
• If student is still or becomes re-infected
– Honeypot can detect within 15 minutes (95%)
– Staff intervention to determine status
– Possible re-installation by staff
• Results
– Reduction in external complaints
– Educate university community
39
Swarthmore College
Site License antivirus software
Centrally manage antivirus updates with ePolicy
• Automatic updates
• Client agent (1.3MB) connects to ePolicy server
Virus event reporting
Email scanned prior to delivery
40
Hebrew Union College
Small seminary
• 4 locations – New York, Los Angeles, Cincinnati, Jerusalem
• 500 students – 230+ employees
• No student dorm access
• Limited public access labs
– Labs are locked down W2K machines
– Thin client terminals
41
Hebrew Union College
• Students can NOT connect personal computers to the campus network
• Researchers and visiting scholars must let IT staff clean and patch machines
• Limited staff – limited access
• Capital budget to upgrade network to allow a Netreg type solution.
42
Stanford University
• Contact students prior to arrival and request install of anti-virus software - CD provided, on line sources.
• Students register computer
– Review and confirm acceptance of University and residential AUP
• BigFix patch management
– Concern by students on information collected
– Approval from Chief Security Officer, General Counsel and Internal Audit may be required for changes in collected data
• RCC assists with remediation
• Stanford Security Self-Test tool
43
University of Massachusetts Amherst
• Students register computer
– Review and confirm acceptance of University and residential AUP/Conditions of use
• Safetynet
– Infected systems are isolated at layer 2 or layer 3
– Help Desk ticketing system is notified/email sent to student
– Student has access to Help Desk ticketing system
– Student may self-remediate
– Software group approves restoration of service
44
ResNet Vulnerability Survey (n=94)
Tool to register student’s computer (Y=85%)
• Lack of resources (3%)
• Do not register (6%)
Registration Tools
• Homegrown utility
• Southwestern University NetReg – www.netreg.org
• Bradford Campus Manager
• Perfigo
• Cisco switches with VMPS
• CMU NetReg
45
ResNet Vulnerability Survey
Tool to evaluate student’s computer (Y=69%)
• Lack of resources (9%)
• Evaluating how others approach it (11%)
Evaluation Tools
• Homegrown utility
• Perfigo
• Nessus or Nessus in combination with other utilities
• Bradford Campus Manager
• Microsoft SUS
Evaluate off campus student laptop when accessing through on campus wireless: No (64%)
46
Georgia State University
Effective Practices and Techniques to Prevent Attacks and Intrusions
47
First, Some 2004 Statistics
• 2 million attacks launched against our systems each week
• 95% or more of the successful ones targeted Win2k or XP workstations
• 5% aimed at servers and network equipment
• 580+ desktops ravaged by Sasser within a week’s time
• 250+ of these compromised by hackers within a day or two later
• 40-60 successful malware invasions per day on university and residential systems combined
• Reduced by 95% in late 2004 to 1 or 2 incidents a day
48
Most Common Threats
• Emailed worm attachments and URLs that install spyware and Trojan Horses
• Exploited backdoors left behind by worms, used to get “root” and install hacker utilities
• Cracking weak passwords to get root
• Using automated exploits such as “DCOM” to get root
• NT and unix rootkits
• IRC hackers turning systems into bots for use in DDOS attacks or as warez servers
• Spam propagation through various exploits that install SMTP engines on workstations, and mail servers misconfigured as open mail relays
49
Effective Practices and Solutions
• In addition to AV on the desktops and/or servers, robust gateway scanners… √
• Control and restriction at the edge or on segments via a firewall
• Dynamic blocking at the edge via IPS… √
• Centrally-maintained patch management… √
• IPS at the desktop, on servers, at the edge… √
• Ability to mandate use of “strong” passwords, through a combination of policy and technology… √
• VPN for remote access… √
• Encrypted data transmission… √
• Secure email and/or FTP
• Vulnerability assessment and risk analysis… √
• A SIM or central logging facility to gather disparate data gathered daily from firewalls, IDS, IPS, AV, etc., with data correlation and reporting
• 24/7 monitoring and incident detection/response
50
Effective Practices and Solutions
• Taking advantage of current federal legislative requirements such as GLBA and HIPAA to enforce minimum levels of security on networked devices processing sensitive info… √
• Developing (in our case a WebCT Vista) security awareness course that can be distributed to faculty, staff, and students… √
• Establishment of secure, trusted zones that are separated from the rest of the network… √
• Access/authentication requirements on every wired port (except public access stations) and wireless areas… √
• Identity management
• Self defending networks – endpoint security enforcement and compliance
51
Where Do You Start?
• With an external audit or risk assessment if funding is available
• With a strategic plan that ties your security objectives in with your university’s academic and IT goals
• With a tactical plan or roadmap that identifies the major risks, threats, and vulnerabilities on your network and what is needed to mitigate them -- in both qualitative and quantitative measures
• With a detailed network security architecture design that provides defense in depth
• With the development of facilitating structures such as security committees, taskforces, incident response teams
• With a review of existing policies, procedures, guidelines, security technology in use, and regulatory requirements
52
Case Study Exercises
• The following scenarios are found at many universities and they require decisions based on staff resources, funding requirements, and more often than not, political concerns
• There are no right or wrong answers
• Perhaps the best results will involve thinking outside the box and creative brainstorming without limitations
53
Residential Computing
You’re the ISO at a mid-sized college with 2000 residential students that will be moving back to the dorms in the fall. The IT support people have warned you that they received calls the previous year about the network being unstable or crashing occasionally and the network gurus stated that the cause of this appears to be related to worm outbreaks and problem systems in the dorms. They ask you to advise them on what to do to prevent that from happening this next academic year.
What course of action would you suggest?
• Would you advise them to “turn off” P2P downloading or cap bandwidth? Why or why not?
• Would you require the students to install protective programs on their PCs such as AV or desktop firewalls? Why or why not?
• Would you advise the network gurus to separate the residential network from the campus network? Why or why not?
54
Selecting A Security Architecture
You’re the new ISO at a small mid-western college, with approximately 3000 students and centrally managed information technology resources. You find when you accept this position that the only security mechanism in place at the college is antivirus software. You feel that based on what you’ve heard from the network staff about numerous abuse complaints that came in through email about 1) systems on the network attacking external agencies and 2) a faculty member’s web server that contained SSNs and other student information that was recently compromised, that there is a need to better protect the university’s information technology resources. However, when you suggest that the college invest in a commercial firewall solution you are familiar with, the CIO tells you there is no security budget available this fiscal year.
What would you then suggest as a possible course of action?
• Would you focus on host security mechanisms or ACLs at the edge of the network? Why or why not?
• Are there any free or open source tools you would want to use for vulnerability assessments, IDS, firewalls, removal of malware, etc.? What are they?
• How would you engender support for funding commercial security solutions that you felt needed to be implemented?
55
Regulatory Compliance
Your Legal Affairs office informs you that there are HIPAA covered entities and business associate relationships and you have to ensure the university is in compliance with “the Security Rule.” Your Comptroller is worried about GLBA and SOX Sarbanes Oxley. You have concerns about potential exposures of credit card transactions or FERPA data.
What course of action would you recommend?
• Would you try to mandate security standards for those who are affected? Why or why not?
• Would you push through some new policies or standards? What types of policies or standards would you recommend or develop?
• How would you go about ensuring compliance?
56
Defending the Network
Charles, the network manager, wants to set up a Checkpoint firewall at the edge and on various segments of your mid to large-sized university’s decentralized network, and close ports or restrict services as needed. Campus departmental administrators would have to request exceptions to the firewall rules. Systems administrators on campus are in favor of an IPS solution that will allow you to institute dynamic blocking and protocol analysis. Others are telling your CIO that neither is a good solution and too hard to deploy.
What course of action would you recommend?
• Which solution do you feel is most effective -- a network firewall or IPS -- and why?
• What factors would be most important in your decision making process as to the type of solution you would choose?
• What factors would be most important in your decision making process as to the specific solution you would select?
57
Reference Material
The remainder of this class guide is comprised of reference materials compiled by various university contributors
58
Yale’s Effective Practices and Policies
Unmanaged clients:
• Site-wide licenses for Symantec Anti-Virus and SpySweeper
• Multiple campus SUS/WUS patch/update servers
• Education and awareness (website, guides, training)
Network:
• IDS deployment -- SNORT IDS - bidirectional or RIDS
• Vulnerability scanning -- ISS and Nessus
• Security architecture - internal firewalls, some RFC1918
• Network registration/scanning - NetReg system w/scanning
• Router ACL - some ports blocked at Internet router
• Firewall - external router ACL + Packetshaper, internal FWs
• NAT - currently no global NAT but local NAT routers
• Wireless - MAC registered DHCP, VPN
59
Network IDS Effective Practices and Policies
IDS Deployment:
• Inside Internet router (mirrored port)
• Outside critical server networks (E-Mail, Web, DB)
• At border of sensitive networks (Police, Hospital/Medical Labs)
60
Network IDS Effective Practices and Policies
IDS Usage: Bidirectional or RIDS (Reverse Intrusion Detection System)
• Look for attacks emanating from your network(s) outbound -- this tells you what computers are infected or under malicious control.
• Also look for services (FTP, SSH, E-Mail, Web proxy, IRC) running on internal computers on non-standard ports
• Look for PCs sending infected or spam e-mail
• Look for computers scanning network IP ranges or port ranges
• Look for IRC “bot” drones (on rogue channels or servers, running XDCC)
• Look for login failures (better to do this with a HIDS or log analysis on client PCs, servers and authentication services) or similar errors.
61
Network VAT Effective Practices and Policies
VAT (Vulnerability Assessment Tools) -- ISS and Nessus
• Get a policy allowing network vulnerability scanning. Notify the community.
• Scan for one or a few vulnerabilities if doing a network wide scan.
• Scan for vulnerabilities currently being exploited and/or for which warnings and patches have just been announced.
• Scan for the most commonly found and exploited vulnerabilities (SANS top).
• Notify the owner/users of vulnerable computers. Follow up.
• Rescan on a regular basis (monthly).
62
Network Architecture Effective Practices/ Policies
Network Security architecture
• Firewalls
• IPS
• Packetshaping / Bandwidth management / QoS guarantees
• Router ACLs
• RFC1918 IP subnets (10.*, 172.16 - 172.31, 192.168.*)
• VLANs
• Switches
63
Netflow
“NetFlow technology efficiently provides the metering base for a key set of applications including network traffic accounting, …”
• Data export mechanism that records information about router flows.
– Src/dst IP, port, etc.
– Bytes
– No packet content is logged
64
Netflow
• NetFlow exports a LOT of data, especially if you have big fat pipes…
– Need a quick system to process it all
– Must rotate and summarize data frequently
• Substantial upfront time to install, configure, and optimize
• But once you have it, there is no going back
66
NetFlow Add-ons and Tools
Several commercial and freely available tools to manipulate and develop reports from NetFlow data:
• FlowScan – http://www.caida.org/tools/utilities/flowscan
• Flow-tools – http://www.splintered.net/sw/flow-tools
67
NetFlow Add-ons and Tools
Several commercial and freely available tools to manipulate and report on NetFlow data.
• Argus is a separate system (it doesn’t use NetFlow data but uses packet capture in promiscuous mode) which can obtain similar, more detailed results:
– http://www.qosient.com/argus
68
NetFlow Caveats
• Great tool for detecting Denial of Service attacks
– However, it is prone to data loss under abnormal load
– Visual analysis is often the most efficient detector
• Great tool for post-incident analysis
– Provided the data has not been cycled off the system
69
NetFlow Caveats
• As links become faster, many flow exports are sampled
– You get a statistical representation of data across your network
– Still useful for capacity planning and DoS detection, but of limited use for forensics purposes
• Not necessarily the first tool in your toolkit, but an invaluable one to complement all the others
70
NetFlow Graphs: Detecting Anomalies
71
NetFlow Graphs: Detecting Anomalies
72
Example: flow-print data
srcIP            dstIP            prot  srcPort  dstPort  octets  packets
80.116.163.85    xxx.yyy.131.204  17    3111     1434     404     1
81.3.162.10      xxx.yyy.131.182  17    1514     1434     404     1
200.74.27.228    xxx.yyy.131.246  6     447      8080     40      1
200.74.27.228    xxx.yyy.131.246  6     64068    80       40      1
200.74.27.228    xxx.yyy.131.246  6     50265    3128     40      1
142.179.169.213  xxx.yyy.131.178  17    1126     1434     404     1
213.60.21.96     xxx.yyy.131.171  17    1923     1434     404     1
212.180.2.68     xxx.yyy.131.114  6     63559    41544    40      1
200.29.164.162   xxx.yyy.131.233  17    1051     1434     404     1
202.103.13.62    xxx.yyy.131.35   6     9001     30185    40      1
213.119.233.63   xxx.yyy.131.7    17    1246     1434     404     1
216.51.150.219   xxx.yyy.131.7    17    1157     1434     404     1
24.112.24.160    xxx.yyy.131.122  17    1129     1434     404     1
73
Darknets
Combining NetFlow with network infrastructure can improve network awareness
• Malware generally scans local address space preferentially
• Many organizations have unused network address space
• Analyzing traffic destined for these unused networks is a valuable detection tool
74
Network ACLs Effective Practices and Policies
External / Internet Network Router ACLs:
• Anti-Spoofing Ingress (discard RFC1918 and all bogus source IPs)
• Anti-Spoofing Egress (only allow your public IPs as source IP) - “Good Neighbor Policy”
• Block broadcast and other obvious DoS attacks (detect SYN floods?)
• Block Windows Networking (TCP/UDP 135-139, 445, 42), SunRPC/NFS
• Block other ports you consider dangerous (1433/1434, 23, 25)
• Limit SMTP inbound/outbound to known e-mail servers?
75
Darknets
• Since the darknet address space is unused, traffic destined there is at least spurious and probably malicious
• Local hosts connecting to this space are likely infected, or at least misconfigured
• Addresses at the top and bottom of ranges are often scanned first
– Much malware still scans sequentially.
76
Darknets
Non-local hosts connecting to this address space provide interesting situational awareness:
• Current scanning trends
• Possible perimeter defense weaknesses or misconfigurations
• Network reconnaissance analysis
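The flow-print layout shown earlier, the darknet checks on these slides, the anti-spoofing ingress ACL, and the RIDS "computers scanning network IP ranges" check can all be exercised over a handful of flow records. The Python below is an added example, not code from the deck or from flow-tools; LOCAL_NET, DARKNET and every address in SAMPLE_FLOWS are constructed assumptions, not real site data.

```python
"""Flow-record triage over NetFlow flow-print output (added example).

Parses rows in the same column layout as the flow-print slide, then applies
three checks the slides describe:
  1. sources inside RFC1918/bogon space arriving from outside, which an
     anti-spoofing ingress ACL should have discarded;
  2. one source sweeping many hosts on one proto/port (worm scanning, e.g.
     UDP/1434 as in the slide sample) -- external sweeps and, in the RIDS
     view, local hosts doing the sweeping;
  3. local hosts sending to an allocated-but-unused "darknet" block.
LOCAL_NET, DARKNET and all sample addresses are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site layout (constructed values, not from the deck).
LOCAL_NET = ip_network("192.0.2.0/24")     # our routed address space
DARKNET = ip_network("192.0.2.192/26")     # unused block inside it

# Source ranges that must never arrive from the Internet.
BOGUS_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed flow-print style input: srcIP dstIP prot srcPort dstPort octets packets
SAMPLE_FLOWS = """\
srcIP dstIP prot srcPort dstPort octets packets
198.51.100.7 192.0.2.11 17 3111 1434 404 1
198.51.100.7 192.0.2.12 17 3112 1434 404 1
198.51.100.7 192.0.2.13 17 3113 1434 404 1
198.51.100.7 192.0.2.14 17 3114 1434 404 1
10.4.4.4 192.0.2.20 6 40000 80 40 1
192.0.2.55 192.0.2.200 6 51000 445 48 1
192.0.2.55 192.0.2.201 6 51001 445 48 1
192.0.2.55 192.0.2.202 6 51002 445 48 1
203.0.113.9 192.0.2.30 6 2222 80 520 4
"""


def parse_flows(text):
    """Return one dict per data row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "srcIP":
            continue
        src, dst, prot, sport, dport, octets, pkts = parts
        rows.append({
            "src": ip_address(src), "dst": ip_address(dst), "prot": int(prot),
            "sport": int(sport), "dport": int(dport),
            "octets": int(octets), "packets": int(pkts),
        })
    return rows


def spoofed_sources(flows):
    """External sources in ranges that should never reach us from the Internet."""
    hits = set()
    for f in flows:
        if f["src"] in LOCAL_NET:
            continue                      # only inbound-from-outside is checked
        if any(f["src"] in net for net in BOGUS_SOURCES):
            hits.add(str(f["src"]))
    return sorted(hits)


def scanners(flows, min_targets=3):
    """(src, proto, dport, n) for sources hitting >= min_targets distinct hosts
    on the same proto/port. Catches both external sweeps and local sweepers."""
    targets = defaultdict(set)
    for f in flows:
        targets[(str(f["src"]), f["prot"], f["dport"])].add(f["dst"])
    return sorted((src, prot, port, len(dsts))
                  for (src, prot, port), dsts in targets.items()
                  if len(dsts) >= min_targets)


def darknet_talkers(flows):
    """Local hosts sending to the unused block: likely infected or misconfigured."""
    return sorted({str(f["src"]) for f in flows
                   if f["src"] in LOCAL_NET and f["dst"] in DARKNET})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("spoofed sources :", spoofed_sources(flows))
    print("scanners        :", scanners(flows))
    print("darknet talkers :", darknet_talkers(flows))
```

On real data, feed the output of flow-print through parse_flows and tune min_targets to the size of the subnets you monitor.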
77
Forensics
Once an incident has occurred, often we need to be able to reconstruct events:
• To determine if we are still vulnerable
• To recover data
• To identify the attacker
• To work with law enforcement and/or legal counsel
78
Non-Commercial Forensics Tools
• The Coroner’s Toolkit – “A collection of programs … for a post-mortem analysis of a UNIX system after break-in”
– http://www.porcupine.org/forensics/tct.html
• TASK/Autopsy – Open Source forensic toolkit for analyzing Microsoft and UNIX filesystems.
– http://www.atstake.com/research/tools/task
– http://www.atstake.com/research/tools/autopsy
79
Non-Commercial Forensics Tools
• Foundstone’s Forensic Toolkit v2.0 and other tools
– http://www.foundstone.com/knowledge/forensics.html
80
Forensics: Autopsy Screenshot
[Screenshot image: http://www.atstake.com/research/tools/autopsy/images/timeline1.gif]
81
Commercial Forensics Tools
• Guidance Software’s EnCase™
• AccessData’s Forensic Toolkit™ (FTK™)
• Paraben Corporation PDA Seizure
The following companies sell tools only to government, DOD and law enforcement:
• Fred Cohen’s ForensiX (http://all.net/ForensiX/)
• NTI (http://www.forensics-intl.com/tools.html)
82
Guidance Software's Encase™ 4.0
The most popular computer forensics software package currently used is Guidance Software's Encase(tm) - http://www.encase.com/ -- as it allows the use of Windows and integrates a number of functions within an easy to use GUI interface.
83
Network ACLs Effective Practices and Policies
Internal Network Router ACLs:
• Anti-Spoofing Ingress (discard all bogus source IPs)?
• Anti-Spoofing Egress (only allow your public IPs as source IP) - “Good Neighbor Policy”
• Disable directed broadcasts.
• Disable other obvious DoS attacks (detect SYN floods?)
• Any ports you consider dangerous?
• Limit any services to the local subnet (RPC, NFS, etc.)?
84
NAT & Firewall Effective Practices and Policies
For the most part the same as Internal Network Router ACLs:
• Anti-Spoofing Ingress (discard all bogus source IPs)?
• Anti-Spoofing Egress (only allow your public IPs as source IP) - “Good Neighbor Policy”
• Disallow directed broadcasts & other obvious DoS attacks (SYN floods)
• Any ports you consider dangerous?
• Limit any services to the local subnet (RPC, NFS, etc.).
But also…
• Open any ports/services on the protected network to the outside?
• Don’t allow certain hosts access to the outside?
• Block outbound connections (e.g. to disarm ‘worms’)? How do you now identify infected/malicious computers? Computers with DMCA complaints?
85
WiFi Security Effective Practices and Policies
On ‘open’ wireless networks:
• Encourage or require ‘secure’ network application protocols.
• Encourage or require VPN connections over the wireless network.
On ‘medium’ security wireless networks:
• Require and use MAC address network registration / scanning.
• Use MAC address filtering if possible and scalable.
• Disable SSID broadcasts in beacon frames.
For higher security wireless networks:
• Use 802.1X authentication with PEAP and RADIUS.
• Use WPA or WPA2 encryption rather than WEP -- e.g. use 802.11i.
• Monitor for both rogue WAPs (Wireless Access Points) and clients as well as rogue WLANs. Note dangers of accidental association as well as malicious overpowering.
86
Security Resources
• http://www.sans.org – SANS (SysAdmin, Audit, Network, Security)
• http://www.cert.org – Computer Emergency Response Team
• http://www.incidents.org – Internet Storm Center tracking site
• http://www.secinf.net – Windows Network Security
• http://www.securityfocus.com/ – Unix, Windows, Virus, IDS
87
Email Resources
Email Lists
• www.counterpane.com – Bruce Schneier – Monthly email digest of computer security issues
• www.ntbugtraq.com – Windows NT security list
• www.intrusions.org – Daily digests of port probes and good discussions
• www.microsoft.com/security – Links to Microsoft’s security page
• http://survey.mailfrontier.com/survey/quiztest.html – Online phishing quiz
88
Acknowledgment
This material has been developed by a variety of individuals at campuses and members of the EDUCAUSE/Internet2 Security Task Force.
Their able assistance in the development of this material is gratefully acknowledged.