Higher Education and Security: Part of the Problem Part of the Solution Dr. Ken Klingenstein Director, Internet2 Middleware Initiative Member, Exec Team, EDUCAUSE/Internet2 Security Task Force Chief Technologist, University of Colorado at Boulder


Page 1: Higher Education and Security: Part of the Problem Part of the Solution Dr. Ken Klingenstein Director, Internet2 Middleware Initiative Member, Exec Team,

Higher Education and Security:Part of the ProblemPart of the Solution

Dr. Ken Klingenstein

Director, Internet2 Middleware Initiative

Member, Exec Team, EDUCAUSE/Internet2 Security Task Force

Chief Technologist, University of Colorado at Boulder

Page 2

Agenda

Level-set: security, risks, problems, solutions

The Types of Risks

The National Scene

The Higher Ed Scene

Emergent Technologies

DDOS, SAML and federations, PKI

Emergent Threats

Warhol Worms

The First Amendment

Vendor Issues – MS

Moving Forward

Page 3

Layers of Security

Application Layer – threats to the app, email viruses, SQL worms

Middleware Layer – privacy violations, identity theft, brute force password attacks, etc.

Operating System Layer – holes in OS, trojan code, etc.

Network Layer – DDOS, password sniffing, etc.

Note that a frequent pattern is to exploit a hole at one layer of the stack to mount an attack through another layer:

zombies (OS layer) doing DDOS

unauthenticated SMTP used for identity theft

Page 4

Impact: Types of Risk

Strategic Risk

Financial Risk

Legal Risk

Operational Risk

Reputational Risk

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 5

Handling Risks

Risk Assumption

Risk Control

Risk Mitigation

Risk Avoidance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 6

HE - Part of the Problem

Fast pipes, multiply linked campuses, high speed computers

Uneven maintenance environments

Patches not available, limited mandates, etc.

University research lab computers are often insecure and poorly managed

Trust relationships between departments at various Universities for research (e.g. Physics community)

Challenging firewall requirements

Bright, talented semi-transients

Difficult policy setting mechanisms

A tough mix of requirements: privacy, academic freedom and security

Page 7

HE - Part of the solution

Campuses taking concerted steps

Teach security

CERT at CMU

Research

into tools – programmable security filters

into architectures – security at line speed

into practices – www.cert.org/OCTAVE

State of the art ISAC (Information Sharing Analysis Center)

Defining the issues and offering alternatives

A tough mix of requirements: privacy, academic freedom and security

Culture of Open Access to Information

Page 8

The National Scene

CyberSecurity within the scope of the Critical Infrastructure Protection Board.

FBI's National Infrastructure Protection Board, the Commerce Department's Critical Infrastructure Assurance Office, the General Service Administration's FedCirc and several other small agencies focused on physical and cyber security

DARPA Research Programs – next generation backbone security

Federal Interagency/citizen Security

Federal PKI efforts

Federal e-Authentication efforts

NIST Standards

Page 9

Recent National Developments

Cybersecurity czar - Richard Clarke resigns, Howard Schmidt interim

Most cybersecurity now within Department of Homeland Security

Landmark white paper (National Strategy to Secure Cyberspace) backed off on a number of areas:

requirements on sectors

vendor pressure

privacy protections

DMCA (Digital Millennium Copyright Act) confusion

Page 10

Corporate InfoSec Trends

Firewalls, proxies, user access control

Network monitoring, bandwidth management

Extensive logging, logfile analysis

IDS – Intrusion Detection Systems

VPNs (Virtual Private Networks)

• PPTP, L2TP, IPSEC

Strong Authentication – PKI, Smartcards

Vulnerability scanning (internal, external)

Change Control / Management

Managed Security Services (e.g. outsourced)

Page 11

The Higher Ed Scene

EDUCAUSE/Internet2 Security Task Force (http://www.educause.edu/security/)

Policy and education, tools, architectures

Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf

Targeted messages, institutes, increased communication, ISAC, politics

Shibboleth, SAML, PKI, Federations

Recent events: Texas, Yale

Page 12

EDUCAUSE/Internet2 Security Task Force

Increase Awareness of Risks, Vulnerabilities, Liabilities

Leverage Intellectual Capital

Develop Community Reaction and Response Mechanisms

Identify & Inform Community of Risks Associated with Emerging Technologies

Page 13

Education & Awareness

Increase Awareness of Risks, Vulnerabilities, Liabilities

• Identify Constituent Groups, Audiences

• Develop Messages Appropriate for Audiences

• Utilize Existing Communication Vehicles (Educause Review, etc.)

• Establish Partnerships with Higher Ed Leadership Groups (ACE, AAHE, NASULGC, NACUBO, etc.)

Page 14

Leverage Intellectual Capital

Policies

• Evaluating best practices in Higher Education, Corporations, Government, Military

• Developing common recommended policies

Procedures

• Physical Security

• Computer Security

• Network Security

• Business Continuity/Disaster Planning

Tools

• Strong authentication methods (smart cards, tokens, etc.)

• Vulnerability assessment (scanners)

• DDoS zombie detectors

• Patch tools

Page 15

Emerging Technologies

Internet2/NIST/NIH PKI Research Conference

SAML/Shibboleth/Federations

Higher Ed Bridge Certificate Authority

The CREN CAt

Security at Line Speed Conference

IPv6 promotion

Page 16

Framework for Action

Make IT Security a higher and more visible priority in higher education

Do a better job with existing security tools, including revision of institutional policies

Design, develop and deploy improved security for future research and education networks

Raise the level of security collaboration among higher education, industry and government

Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Page 17

Action Agenda

Identify Responsibilities for IT security, Establish Authority, and Hold Accountable

Designate an IT Security Officer

Conduct Institutional Risk Assessments

Increase Awareness and Provide Training to Users and IT staff

Develop IT Security Policies, Procedures, and Standards

Page 18

Action Agenda (cont’d)

Require Secure Products From Vendors

Establish Collaboration and Information Sharing Mechanisms

Design, Develop, and Deploy Secure Communication and Information Systems

Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.

Invest in Staff and Tools

Page 19

REN-ISAC

Research and Education ISAC at Indiana University, works with NIPC

Two-way reporting with filtering; NIPC funnels the other sector ISACs

Four types of reports from REN-ISAC to NIPC

• general periodic situational reports

• proactive monitoring by REN detects an anomaly

• RE member network reports being attacked or being used to source an attack

• request from NIPC coming in turn from another ISAC or government agency

Reports are real-time, secured

Page 20

REN-ISAC

Thresholds such as

Failure of any major node > 30 minutes or 50% of traffic

Latency > 1.5 × the prior month's average for a period of 30 min

Network monitoring visibility < 60%

Loss of network analysis data > 40% for a period of 30 minutes

Applies to Abilene, AMPATH, TRANSPAC, MIRNET, STARTAP, EUROLINK

Interesting FOIA issues…
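The thresholds on this slide are the kind of rule a monitoring pipeline would evaluate against per-minute measurements before raising a report to the ISAC. The following is an added example of that evaluation, not REN-ISAC or Internet2 code; the sample measurements, the `MinuteSample` fields, and the reading of each rule (that "> 30 minutes" means a run of more than 30 consecutive one-minute samples, that "50% of traffic" refers to the share carried by the failed node, and that the visibility rule has no duration) are assumptions made here.

```python
"""Threshold evaluation in the style of the REN-ISAC reporting rules.

Added example, not REN-ISAC/Internet2 code. The data and the exact
interpretation of each rule are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence


@dataclass
class MinuteSample:
    minute: int
    latency_ms: float
    visibility: float            # fraction of the network that monitoring can see (0..1)
    analysis_data_loss: float    # fraction of network analysis data lost this minute (0..1)
    failed_nodes: Dict[str, float] = field(default_factory=dict)  # node -> share of traffic it carries


def longest_run(flags: Sequence[bool]) -> int:
    """Length of the longest run of consecutive True values (minutes a condition held)."""
    best = cur = 0
    for flag in flags:
        cur = cur + 1 if flag else 0
        best = max(best, cur)
    return best


def evaluate(samples: Sequence[MinuteSample], prior_month_avg_latency_ms: float) -> List[str]:
    """Return one report line per threshold that the sample series crosses."""
    reports: List[str] = []

    # Failure of any major node > 30 minutes, or of a node carrying 50% of traffic
    for node in sorted({n for s in samples for n in s.failed_nodes}):
        down = [node in s.failed_nodes for s in samples]
        share = max(s.failed_nodes.get(node, 0.0) for s in samples)
        if longest_run(down) > 30:
            reports.append(f"node {node} failed for more than 30 minutes")
        elif share >= 0.5:
            reports.append(f"node {node} carrying {share:.0%} of traffic failed")

    # Latency > 1.5 x prior month average for a period of 30 minutes
    high = [s.latency_ms > 1.5 * prior_month_avg_latency_ms for s in samples]
    if longest_run(high) >= 30:
        reports.append("latency above 1.5x the prior month average for 30 minutes")

    # Network monitoring visibility < 60% (no duration stated on the slide; assumed immediate)
    low = [s for s in samples if s.visibility < 0.6]
    if low:
        reports.append(f"network monitoring visibility below 60% at minute {low[0].minute}")

    # Loss of network analysis data > 40% for a period of 30 minutes
    loss = [s.analysis_data_loss > 0.4 for s in samples]
    if longest_run(loss) >= 30:
        reports.append("loss of network analysis data above 40% for 30 minutes")

    return reports


def constructed_samples() -> List[MinuteSample]:
    """45 minutes of constructed measurements (not real data)."""
    samples = []
    for m in range(45):
        failed: Dict[str, float] = {}
        if m <= 20:                 # core-A down 21 minutes: under the 30-minute rule
            failed["core-A"] = 0.3
        if 30 <= m < 35:            # core-B down only 5 minutes but carries 60% of traffic
            failed["core-B"] = 0.6
        samples.append(MinuteSample(
            minute=m,
            latency_ms=35.0 if m >= 10 else 20.0,        # 35 ms > 1.5 x 20 ms from minute 10 on
            visibility=0.5 if m == 5 else 0.9,           # one minute of poor visibility
            analysis_data_loss=0.5 if 20 <= m <= 40 else 0.0,  # 21 minutes: under the 30-minute rule
            failed_nodes=failed,
        ))
    return samples


if __name__ == "__main__":
    for line in evaluate(constructed_samples(), prior_month_avg_latency_ms=20.0):
        print("REPORT:", line)
```

Run against the constructed series, the evaluator raises three reports (the core-B traffic-share failure, the sustained latency, and the visibility dip) and correctly stays quiet on the two conditions that did not last the required 30 minutes.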

Page 21

What Every President Must Do

Ensure the confidentiality, integrity, and availability of University assets and information

Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact

Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions

Page 22

Emergent Technologies

DDOS

programming routers…in a federated fashion

Middleware Layers

Authentication and Authorization

PKI

SAML, Shibboleth and Federations

Page 23

The Key Issues

Authentication

strength of enrollment processes

strength of validation mechanisms

Authorization

methods of expression

approaches to decisions

The Trust Fabric

Privacy

Page 24

Key Trust Structures

Hierarchies

• may assert stronger or more formal trust

• require bridges and policy mappings to connect hierarchies

• appear larger scale

Federated administration

• basic bilateral (origins and targets in web services)

• complex bilateral (videoconferencing with external MCUs, digital rights management with external rights holders)

• multilateral

Virtual organizations

• shared resources among a sparse, distributed set of users

• grids, virtual communities, some P2P applications

• want to leverage the other trust structures above

Page 25

Federations

A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using the SAML/Shibboleth/Liberty protocols. In doing so they agree to abide by common sets of rules.

The required rules and functions could include:

• A registry to process applications and administer operations

• A set of best practices on associated technical issues, typically involving security and attribute management

• A set of agreements or best practices on policies and business rules governing the exchange and use of attributes.

• The set of attributes that are regularly exchanged (syntax and semantics).

• A mechanism (WAYF) to identify a user’s security domains

• Ways to federate and unfederate identities

Page 26

Rethinking Privacy

Passive privacy - The current approach.

A user passes identity to the target, and then worries about the target’s privacy policy. To comply with privacy, targets have significant regulatory requirements. The user has no control, and no responsibility. And no one is happy...

Active privacy - A new approach.

A user (through their security domain) can release to the target only the attributes that are appropriate and necessary. If the attributes are personally identifiable, the user decides whether to release them. The user has control, along with commensurate responsibility. All parties are happy, maybe…

Page 27

Attribute-based authorization

There is a spectrum of approaches available for attribute-based management of access to controlled resources.

At one end is the attribute-based approach, where attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision. This approach does not degrade privacy.

At the other end is the identity-based approach, where the identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access. Since this leads with identity, this approach requires the user to trust the target to protect privacy.
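The two preceding slides (active privacy, and the attribute-based versus identity-based ends of the authorization spectrum) describe a flow that is easier to see in code. The following is an added example, not Shibboleth, SAML or Internet2 code: the user's security domain applies a per-target attribute release policy, withholds personally identifiable attributes unless the user has decided to release them, and the target decides from attributes alone. The attribute names (modeled loosely on eduPerson-style names), the `FEDERATION_ATTRIBUTES` table, the `SecurityDomain` and `Target` classes, and the sample users and target are all assumptions constructed for this example.

```python
"""Active privacy and attribute-based authorization, as sketched on the slides.

Added example, not Shibboleth/SAML code. Attribute names, the policy format
and the sample data are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Attributes the (constructed) federation has agreed to exchange, and whether
# each one is personally identifiable (assumption of this example).
FEDERATION_ATTRIBUTES: Dict[str, bool] = {
    "affiliation": False,
    "entitlement": False,
    "mail": True,
    "displayName": True,
    "principalName": True,
}


@dataclass
class SecurityDomain:
    """The user's home security domain (an identity provider)."""
    users: Dict[str, Dict[str, object]]
    release_policy: Dict[str, Set[str]]  # target id -> attributes this domain will send there

    def release(self, user: str, target: str, requested: Iterable[str],
                consent: Set[str]) -> Dict[str, object]:
        """Active privacy: send only what is agreed by the federation, appropriate
        for this target, and (for identifying attributes) consented to by the user."""
        record = self.users[user]
        allowed = self.release_policy.get(target, set())
        released: Dict[str, object] = {}
        for name in requested:
            if name not in FEDERATION_ATTRIBUTES:
                continue  # outside the federation's agreed attribute set: never sent
            if name not in allowed or name not in record:
                continue  # not appropriate for this target, or the user has no value
            if FEDERATION_ATTRIBUTES[name] and name not in consent:
                continue  # personally identifiable: the user decides, and has not agreed
            released[name] = record[name]
        return released


@dataclass
class Target:
    """A controlled resource that can decide from attributes alone."""
    id: str
    needs: Tuple[str, ...]
    permitted_affiliations: Set[str]
    required_entitlement: str

    def decide(self, attrs: Dict[str, object]) -> bool:
        affiliations = set(attrs.get("affiliation", ()))
        entitlements = set(attrs.get("entitlement", ()))
        return bool(affiliations & self.permitted_affiliations) \
            and self.required_entitlement in entitlements


def attribute_based_flow(domain: SecurityDomain, user: str, target: Target,
                         consent: Set[str] = frozenset()) -> Tuple[bool, List[str]]:
    """Attribute-based end of the spectrum: the target never learns who the user is."""
    attrs = domain.release(user, target.id, target.needs, set(consent))
    return target.decide(attrs), sorted(attrs)


def identity_based_flow(domain: SecurityDomain, user: str, target: Target,
                        consent: Set[str]) -> Tuple[bool, List[str]]:
    """Identity-based end: the target is handed an identifier first, so the user
    must trust it to protect privacy. Without that identifier it cannot proceed."""
    attrs = domain.release(user, target.id, ("principalName",) + target.needs, set(consent))
    if "principalName" not in attrs:
        return False, sorted(attrs)
    return target.decide(attrs), sorted(attrs)


# Constructed target: a licensed journal that needs affiliation and an entitlement.
JOURNAL = Target(id="journal.example.org", needs=("affiliation", "entitlement"),
                 permitted_affiliations={"student", "faculty"},
                 required_entitlement="urn:example:journal-access")


def constructed_domain() -> SecurityDomain:
    """Constructed users and release policy (not real people or a real campus)."""
    return SecurityDomain(
        users={
            "alice": {"principalName": "alice@example.edu", "displayName": "Alice Example",
                      "mail": "alice@example.edu", "affiliation": {"member", "student"},
                      "entitlement": {"urn:example:journal-access"}},
            "bob": {"principalName": "bob@example.edu", "displayName": "Bob Example",
                    "mail": "bob@example.edu", "affiliation": {"member", "staff"},
                    "entitlement": set()},
        },
        release_policy={JOURNAL.id: {"affiliation", "entitlement", "mail", "principalName"}},
    )


if __name__ == "__main__":
    domain = constructed_domain()
    print("alice, attribute-based:", attribute_based_flow(domain, "alice", JOURNAL))
    print("bob, attribute-based:  ", attribute_based_flow(domain, "bob", JOURNAL))
    print("alice, identity-based: ", identity_based_flow(domain, "alice", JOURNAL, {"principalName"}))
```

The point the two flows make is that the same access decision is reached for alice either way, but in the attribute-based flow the journal only ever sees `affiliation` and `entitlement`, while the identity-based flow cannot proceed until the user agrees to hand over `principalName`. Note that `displayName` is never released, even with consent, because the domain's release policy does not list it for this target.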

Page 28

Federations in the last year

Communicator Hub ID is one of the pioneering Liberty Alliance-based services on the market, supporting vertical-industry B2B offerings such as SecuritiesHub. SecuritiesHub is sponsored by eight leading Wall Street investment firms, including Credit Suisse First Boston, Goldman Sachs, JPMorgan, Lehman Brothers, Merrill Lynch, Morgan Stanley, Salomon Smith Barney and UBS Warburg.

Liberty Alliance (http://www.projectliberty.org/)

Federal e-Authentication Initiative (http://www.cio.gov/eauthentication/)

Not much use of federated .NET

Shibboleth and InCommon (http://middleware.internet2.edu/shibboleth)

Page 29

Emergent Challenges

Warhol Worm

First Amendment

Vendors

Page 30

Warhol Worms

Paper by Nicholas Weaver, Berkeley CS

Think malevolent slammer worm with a brain

OS level worm

optimized probe

use a hit list for initial propagation

permutation scanning for complete, self-coordinated coverage

Target repair sites with DDOS

In 15-45 minutes, could bring down the Internet hard.

http://www.cs.berkeley.edu/~nweaver/warhol.html

Page 31

The First Amendment

What can be encrypted on the wire?

What can be encrypted in storage? (files, email, etc.)

What can be correlated?

What can be gotten with a subpoena?

The Patriot Act

Patriot II Act

Page 32

Vendors

The pluses and minuses of releasing known problems

The pluses and minuses of open source

Vendor liabilities for software

Marketplace effects – wireless in airports…

Page 33

Moving Forward

Do what you can do…

Attack the long latency problems (policies and education)

Get someone following the threads

Look at the Cornell Policy and IT materials

Get ready for identity management services