Embed Size (px)
Citation preview
IT Security in Higher Education
Michael A. McRobbie PhD
Vice President for Information Technology and Chief Information OfficerVice President for Research
Professor of Computer Science & Professor of Philosophy
Indiana University
Secure-IT 2003 Temecula, California
Cybersecurity• The threats to cybersecurity are real, whether it be at
the level of the individual, department, university, or nation
• These threats are seldom benign• The motivation for them can be theft (both of money
and intellectual property), revenge, harassment, intimidation, character assassination, fraud, sabotage, crime and terrorism
• They can result in major financial and other losses and damages
• Universities are not immune to these threats – mostly unwittingly, they are among the most fertile grounds for cracker activities and attacks
Presentation Overview
• Reliance on IT in Higher Education• Typical Technical and Data Management in
Higher Education• Higher Education: Ripe for Security Incidents• Impact of Incidents• What Must We Do as a Community?• Indiana University’s Contribution• Summary
Reliance on IT in Higher Education
Higher Education in General• Higher education networks comprise an estimated 15% of
the total advertised Internet address space• Institutions in this sector vary in size, mission, locations,
as well as in cultural and physical complexity • Communities range from 1000 to 200,000 people• Knowledge, deployment, and proper management of
technologies vary dramatically• Knowledge and application of security techniques and
technologies vary dramatically • Management understanding of (and means to allocate
resources to) security vary dramatically • Higher education and research networks connect a large
set of technology-rich, complex, and traditionally “open” environments, in which the application of security has generally not yet been accepted as a critical part doing business
E-Research• Research is becoming almost totally digital• Data is being generated, collected,
processed, analyzed, visualized and stored in digital form.
• Simulations and modeling are being carried out completely digitally
• Historical and contemporary archives of rsearch are all being converted into digital form as parts of digital libraries
Global Dimension of e-Research
• E-research is becoming completely international – it knows no boundaries:• becoming progressively more global with network-enabled
world-wide collaborative communities rapidly forming in a broad range of areas (Grids)
• based around a few expensive – sometimes unique – instruments or distributed complexes of sensors that produce vast amounts of data
• global communities carry out research based on this data using computation, storage and visualization facilities distributed world-wide (cyberinfrastructure)
• digital data of e-Science can be shared with collaborators not just on campus, but across cities, within states, nationally and internationally
Learning
• Online Course Management Systems are common and relied on extensively for assignments, grading, group projects, etc.
• Interactions among faculty and students are now mostly by email
• Interactions between advisors and other support staff is also via email
• Disabling a student’s computer access now has a dramatic impact on their academic progress, and is not done lightly (if at all)
Administration
• Nearly all business processes now have large IT components (finance, HR, student services)
• Manual backup processes are not being maintained – relying on automated processes
• Email unavailability for even a couple of hours can stop business processes
• Users (esp. students) expect services to be automated and available at all hours
Typical Technical and Data Management in Higher Education
Typical University IT Environments
• Extremely “open” by tradition & culture• 25,000 to 70,000 networked devices• Very high-speed, high-capacity networks with fast connections to
the commercial Internet & regional, national, and international research networks (e.g. I-Light, Abilene, Geant)
• Residence Halls and Greek Houses wired• Hardware and software deployed are significantly diverse• Usually first to implement new technologies, before matured• Physical systems locations vary widely, from under a secretary's
desk to professional data centers• Networked systems are being probed continually for vulnerabilities
Typical University IT Management
• Usually no device registration requirements – we do not generally know who connects devices to our networks
• In most instances no network-level user authentication requirements – we do not generally know who is using our network
• In many instances, no service-level user authentication requirements – allowing anonymous use of some systems
Typical University IT Management (more)
• Departments control local technology and have traditionally acted independently
• Under-paid, under-trained, over-worked technicians
• Nonexistent, organizationally buried, or understaffed technical security offices
• Minimal IS/IT auditors on staff
Typical University Data Management
• Thousands of people with authorization to access confidential information from central databases, or derive the data locally
• User can extract data to any networked device, to use local manipulation tools
• No one knows on which of the thousands of networked devices sensitive data is hosted
• Minimal training on data handling/protection.• No central data management structure
Ripe for Security Incidents
• Attacks on commercial web sites (ZDNet, CNN, Etc.)• IU Office of the Bursar (2001)• IU School of Music (2001)• University of Michigan patient records• University of Washington patient records• Stolen passwords at Berkeley, UCLA, Harvard, Purdue • Notre Dame, Indiana State, Georgia Tech, Montana…• Attacks on root-name-servers amplified by several campuses• Kansas SEVIS Data• U Texas Austin student record compromise – 10,000s• Georgia Tech – 57,000 Credit Cards • Large “Mid-Western University” HR/Benefits Database• Many others not publicized (or admitted to)
Incidents Happen
Internet Probes
• Probes are attempts by automated programs to locate Internet-connected computers with known vulnerabilities
• We estimate that every networked device at IU is probed at least once daily
• Probes can and do lead to compromise of devices that are not appropriately maintained/secured
• “Honeypot” experiments show that certain vulnerabilities will be found and exploited in less than 24 hours
• Of course, data stored on vulnerable devices is exposed and perhaps has been already compromised
• When the 10th of 10 new PCs is installed, the first has been compromised -- unless each is secured as they are installed
Notable Malicious Code Incidents
• Melissa, March 1999• Word 97, Word 2000• $300 million in damages• Approximately 4 days, 150,000 systems
• ILOVEYOU, May 2000• Outlook• As much as $10 billion in damages• Approximately 24 hours, > 500,000 systems
• (“Brain” took 5 years to do $50 million in early 90s)• SQL Slammer?• Estimated 50,000 viruses; 100,000 by 2004
Copyright 2000 by E. H. Spafford
Impact of Incidents
Impact of Incidents
• Interruption of essential functions• Unauthorized access to data, some
Federally protected:• FERPA (student)• HIPAA (patient health)• Gramm-Leach-Bliley (financial)
• Compromise of passwords (on the systems or in transit)
• Hosting illegal materials such as bootleg movies and music
• Consumption of network and system resources
Impact of Incidents
• Mangling of desired message (e.g., web defacement)
• Inappropriate use of public resources
• Installation of programs to support attacks on internal or external systems, e.g. DDoS zombies
• Possible (though not yet tested) liability for loss of business if campus systems are used in attacks
Impact of Incidents
• Compromise of research • Premature disclosure of theories and
protocols• Release of unverified results• Release of data on subjects• Cause questions as to integrity of results
• Pressure to require uniform high level IT security as condition for Government grants in climate of increased concern about national security & cyberwarfare
What Must We Do as a Community?
Institutional Recognition
Higher education leadership is beginning to understand that information technology is engrained in ALL academic and administrative activities, and that poor system, network, and data security WILL have a direct and costly impact on an institution’s mission.
Institutional Risks
Trustees, Presidents, and governing bodies must understand that lax security:• Threatens the reputation of higher education• Threatens the reputation of their specific
institution• Increases the risk and associated liability for
disclosure of information protected by Federal law
• Increases the risk of law suits being filed by commercial entities affected by campuses
• Wastes publicly-funded resources• Contributes to vulnerability of national IT
infrastructure
Institutional Attention
Chancellors and Deans must:• Understand that their information assets
are as critical as capital and human resources
• Place visible and vocal priority on systems and data protection
• Ensure that technicians are trained, capable, and have the time to secure systems
Institutional Control
The Chief Information Officer is pivotal, and must:• Participate in executive administration.• Be given a charge to assess security climate and the
authority to carry out repairs• Exercise visible and active control• Understand the strategic threats• Understand the technical threats• Translate threats into institutional risks – in language
colleagues in administration can understand• Establish requirements and set standards• Make tough and perhaps unpopular decisions• Commit to providing assistance to departments and
technicians right across the university
Continue Community Dialogue
• Many opportunities for technical security and policy staff to interact and learn from each other
• EDUCAUSE, Internet2, SANS, FIRST• EDUCAUSE Security Professionals
Workshop (preceded this conference)• EDUCAUSE/Internet2 Computer and Network
Security Task Force• NSF Workshops• Framework for Improving Security in Higher
Education
Re-Visit Actions Previously Discounted in Higher Education
• Firewalls – now available to handle large campus connections
• Intrusion Detection – becoming more accurate in recognizing security events
• Centralization – systems supporting sensitive data or functions
• Central Authority for policies and standards
Indiana University’s Activities in Cybersecurity
IU’s Goals in Cybersecurity
• Goal 1: to ensure, as effectively as possible, the cybersecurity of the IT environment of all IU students, faculty and staff
• Goal 2: to contribute to national security by providing leadership in improving the cybersecurity of the higher education sector
Indiana University’s Internal Focus
Cybersecurity at IU• Cybersecurity has been an institutional priority at IU
for 6 years• This followed an incident in March 1997; OVPIT
commissioned a two part security audit• Penetration analysis• Major review chaired by Gene Spafford
• Spafford Review found IU cybersecurity in very poor shape – made extensive recommendations for improvements, these were all implemented
• Led to the formation of the• IU IT Policy Office (ITPO) headed by University
Chief IT Security and Policy Officer Mark Bruhn• IU IT Security Office (ITSO) headed by University
IT Security Officer Tom Davis
IU’s IT Strategic Plan• Developed & approved in 1998 – implementation
nearing completion• Recognized importance of security as a
component of planning and IT infrastructure• Plan had a major recommendation & action items
devoted to security and privacy• Funding provided for staffing, hardware, tools,
etc.• Security operation, training, and staff• Identification, authentication, and authorization• Directory services• Anti-virus, secure communications
Indiana University Organization
Chief Information Officer reports to the President:• Has formal authority directly from Trustees
• Proactive – set security policies and enforce standards• Reactive – assume control of responses to incidents
• Has full support of the President• Reports on state of security annually to the Board of
Trustees in executive session
Indiana University CIO Organization
• The Policy Officer reports to the CIO:• Coordinates policy issues, consults on technology deployment and
usage issues, handles incident response, is a diplomat and negotiator, and acts as the “enforcer” with the authority to defend the University from security and other technical threats, including blocking incoming traffic and isolating insecure devices from the network when necessary
• The Security Officer reports to the Policy Officer and the CIO:• Must be very technically capable, assesses and advises CIO on
technical threat, provides consulting, coordinates technical security resources, and must not be viewed as “police”
• The computing organization reports to the CIO:• Must keep it’s own house in excellent order.• Must be prepared to provide assistance to departments struggling
with security – or prepared to replace services that departments can’t provide securely
Mark BruhnChief IT Security and
Policy Officer/
6 AccountsAdministrators
Incident ResponseCoordinator
TechnicalInvestigators
University Information Technology Policy Office
Office of the Vice President for Information Technology
Admin Asst
Data AdministratorInfo Mgt Officer
Tom DavisIT Security Officer
Michael McRobbie
VP/CIO
Information Technology Security
Office1 Lead Data/Applications Analyst2 Senior Data/Applications Analysts
2 Principal Security Engineers2 Lead Security Engineers2 Senior Security Analysts
Disaster RecoveryProgram Manager
Cross-UnitRecovery PlanningTeam
Global Directory Services Team
Computer AccountsManager
Merri Beth LavagninoDeputy IT Policy
Officer
Authority for IU’s Cybersecurity
• Was previously ill-defined• In response to a number of incidents in 2001, the IU Board of
Trustees passed a resolution on May 4, 2001...“ the Trustees direct the Office of the Vice President for
Information Technology and CIO to…• develop and implement policies necessary to minimize the
possibility of unauthorized access to IU’s IT infrastructure• assume leadership, responsibility, and control of responses
to unauthorized access to IU’s IT infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the IU office involved…”
www.itpo.iu.edu/Resolution.html
• VPIT has delegated this authority to ITPO/ITSO on a day-to-day basis
• Directive from the CIO to Deans/Chancellors to eliminate unnecessary caches of Social Security Numbers
• Presentations to executive administrators • Periodic presentations to technical managers and
technicians• Developed a technician certification program• Developed Best Practices documents• Server profiling/evaluation• Working on implementation of a network isolation
strategy – based on layered security
Some Specific IU Activities
Indiana University’s Outward Focus
Three Principal Initiatives
• Advanced Network Management Laboratory (ANML)
• Research & Education Network Information Analysis Center (REN-ISAC)
• Center for Applied Cybersecurity Research (CACR)
The Advanced Network Management Lab (ANML)
• Initial funding through the Lilly Endowment• Current funding includes Lilly, the US National
Science Foundation, and the Department of Defense ($1.7M in external funding to date)
• Comprised of five researchers, five graduate students• Focus on applied network research
• Technologies that have impact within a few years (at most)• Leverage opportunities presented through IU’s leadership in
high performance networking (Abilene, etc.)
ANML - a range of projects
• Network Security
• High performance file transfer protocols
• Network visualization
• Wireless network management and performance
• The next generation Internet Protocol: IPv6
• Abilene NOC presented with an opportunity to partner with Asta Network and Arbor Networks via Internet2
• Distributed Denial of Service (DDoS) detection equipment first installed at Indianapolis core node in 2000
• DDoS detection equipment showed *many* DDoS incidents traversing Abilene each day
• Determined that this was a potential opportunity to provide more focus on security for the research and education network space
ANML - Network Security
• ANML is engaged in other areas of security research as well:
• Host Management system for Honeypots. Uses virtual host software (VMware) to emulate a number of Honeypots on a single physical machine. Automates the distribution of honeypot instances and the collection of activity to each honeypot
• Development of a modified Linux root kit known as Sebek to allow honeypot researchers to monitor attacker activity even when the attacker is using encrypted transmissions. ANML works closely with the Honeynet alliance.
• Development of Spoofwatch, a SNORT plug-in that detects and locates sources of spoofed IP addresses
ANML- Network Security
REN-ISAC
• Research and Educational Networking Information Sharing and Analysis Center
ISAC Basics
• Sharing has long been known to improve operations in individual organizations
• Security information sharing was encouraged by Presidential (Clinton) Decision Directive 63
• Various sectors of the economy experience different events and threats
• Sharing amongst sectors increases the scope and the resulting benefit of that sharing
ISAC Basics (con’t)
• Department of Homeland Security coordinates sharing centers representing various sectors
• Higher education was NOT represented in the initial structure
• Indiana University, EDUCAUSE, and Internet2 convinced government that higher education representation was critical
• The Educause/Internet2 joint security task force encouraged the creation of a “higher education sharing center”
IU and the Research and Educational Networking ISAC
• Indiana University has a unique view of various national and international R&E networks, including Abilene
• Global NOC monitors networks 24x7• Excellent network and security engineers• Advanced Network Management Lab (Wallace) located at
IU is involved in advanced security research• Network instrumentation provides specific information
about security events• REN-ISAC a natural enhancement of security services
provided by IU to the Internet2 community • Hosting REN-ISAC (as part of national ISAC structure) at
Indiana University was formalized in D.C. on February 21, 2003
REN-ISAC Signing
REN-ISAC “Members”
• REN-ISAC members are all U.S. universities and colleges that are connected to national R&E networks
• Campuses connected to Abilene are the initial core members
• Extended members are any universities and colleges interested in receiving ISAC reports• Campuses will be given a means to register and
maintain contact information• REN-ISAC service will be 24x7
• To make full use of REN-ISAC services, campuses are encouraged to identify a 24x7 contact person or persons, if they do not have a 24x7 operation
REN-ISAC: Basic Functions • The ISAC will receive and analyze operational, threat and
warning, and actual attack information:• Received from the NIPC, other ISACs, and other sources• Received from ISAC member campuses related to incidents on
local network backbones• Received from network engineers related to incidents on
national R&E network backbones• Derived from network instrumentation
• Analysis would be performed related to: • Unscheduled outages and degraded operations• Security-related events such as DDoS attacks, virus alerts,
systematic network vulnerabilities scanning, systematic spoofing• Other anomalies that constitute or may constitute a serious
threat to the networks and associated systems of the REN-ISAC membership
REN-ISAC Reporting• General periodic reports from the REN-ISAC will
be sent to members as a result of• An anomaly detected by staff of the “REN-ISAC
Watch Desk”
• Reports of serious degradation from an as-yet-unknown cause
• Where organization report that their systems are being used to source, or are being victimized by, a network attack of some type
• Requests for information/analysis related to specific reports incidents
REN-ISAC: Reports to Members
• To campuses affected by a security event detected by the REN-ISAC, in real-time, so that those organizations can identify and stop the activity, and/or recover and repair
• To member campuses as soon as possible following an event, where that information would help improve security and/or avoid future impact
• To all or specific contacts in other national and regional ISACs, in real-time or as soon as possible during the following business days, where incident information could help members of those associations improve security and avoid future impact
REN-ISAC: Reports to the NIPC• In real-time, for anomalies that are negatively impacting the
operation of a number of member campuses• Post-event, where an event did not, but had the potential to
negatively impact the operation of a number of member campuses
• Significant network degradation -- failure of several nodes or unusual latency
• Loss or degradation of REN-ISAC network monitoring capability – portions of the networks are not visible
• Reporting to the NIPC will generally NOT identify specific member campuses, unless the campuses involved agree to have their identities included• In cases where there is an active investigation by law
enforcement, the involved campuses will be given contact information for the investigating agency and encouraged to make that contact unilaterally
ISAC Futures
• A Higher Education ISAC with a broader service set is needed, to deal with other campus security issues (system, virus, assessment, etc.)
• REN-ISAC may be/could be expanded to encompass these services
Center for Applied Cybersecurity Research (CACR)
• Serve as a focal point for cybersecurity research and teaching at IU, and a meeting ground for cybersecurity scholars and practitioners from all campuses
• Provide a clearinghouse for information on cybersecurity research, teaching, and practice at IU
• Link IU faculty and staff with external resources in cybersecurity and related fields
• Seek funding for cybersecurity research, instruction, and practice at IU
• Facilitate advanced cybersecurity research and the sharing ideas and information both inside and outside of the university
• Help coordinate the development of an innovative cybersecurity curriculum, including degree and joint-degree programs
• Partner with federal and state governments, business, and other education institutions to improve the quality of information assurance practice, research, and teaching
Summary• We need to rethink some of the things we do –
things that make our networks more attractive for intrusions
• We need to continue to balance security with convenience, our missions, and our cultures• There are things that can and should be done• There are other things that just can’t fit into our
environments
• We need to talk more to and learn from each other• Within higher education• Within the greater cyber-infrastructure community
• We need to orient research to projects with shorter-term practical benefit to practitioners
IT Security in Higher Education
Michael A. McRobbie
Vice President for Information Technology and Chief Information Officer
Vice President for Research
Indiana University
Secure-IT 2003 Temecula, California
