View
214
Download
0
Embed Size (px)
Citation preview
ITS
Off
sit
e W
ork
sh
op
2002
ITS Offsite Workshop 2002
IT Security
ITS
Off
sit
e W
ork
sh
op
2002
ITS Offsite Workshop 2002
Agenda:• Security Issues and PolyU Cases
• PolyU Computer Systems Security Policy (SSP)
• ITS/CLO Partnership In IT Security Implementation
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Security Issues and
PolyU cases
By
Chan Ping FongSenior Computer Officer
Information Technology Services office
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Universities are known to be vulnerable spots !
Why?
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Typical University IT Environment ...
• 10,000+ networked devices
• Very high-speed, high-capacity networks with fast connections to the Internet
• Hardware and software deployed are significantly diverse
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Typical University IT Environment ...
• Usually first to implement new technologies, sometimes even before they are matured
• Residence Halls networked• Networked systems are being probed
continually for vulnerabilities
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Typical University IT Environment…• Computer locations vary widely, from
under a someone's desk to professional data centers
• Departments control own technology and mostly act independently
• Non-existent or under-staffed technical/security staff
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Typical University IT Environment• Hundreds of people authorized to access
confidential information from central databases
• User can extract data to any networked device, to use local manipulation tools
• Once extracted, no one knows on which of the thousands of networked devices sensitive data is hosted
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Typical Security Threats • Virus Attacks
• Hacking and Cracking
• User Abuses
• Spam Mails
• Denial of Service (DoS) AttacksCases reported and complaints received
almost everyday
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Virus Attacks• Melissa
• I Love You
• SirCam
• Code Red and Code Red II
• Nimda
• Goner
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
• Multiple attack mechanisms Spreads via email ( not an attachment ) Spreads via visiting infected web page Targeting 16 vulnerabilities !! ( some IIS, but not all
)
• Nimda also threatened internal networks Unlike CodeRed, which was only attacking IIS
servers Windows 9x and NT vulnerable via ‘open share
attack’ Attacks IIS via Web Folder Transversal ( malformed
‘get’ ) And also via an incorrect MIME header
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
• Any PC on the NET communicate by using TCP/IP
• Any one could knock on your doors– There are 65535 ports– Your machine may serve any of 65536 ports
• Port scanning by hackers– Find out the weakest link
• Force you busy, can’t do any useful job– Denial of Service (DoS attack)
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
• Member of HARNET– Another cyber community on the Internet
• More web applications on campus network– More expose & risk
• Restricted access from outside– By PolyU firewall, proxy server & VPN
• Limited restriction on access PCs within campus– Protected by switches and routers– Protected by departmental or personal firewall– Rest, limited restriction
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Hacking and Cracking(Before)• Only really good hackers could crack• Difficult to write programs to affect
Operating Systems• Cracking was “expensive” – learning curve
and time• Most cracking had specific purposes – e.g.,
financial gain, espionage, sabotage
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues and Problems at PolyU
Hacking and Cracking (Now) …• Veteran crackers are “publishing”
code for neophyte crackers: e.g., log-wipe utilities
• Operating system and application APIs are easy to use: e.g., Microsoft VBS
• More complicated operating systems and software cause more bugs
• Automated vulnerability scanning
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Hacking and Cracking(Now)• Cracking for profit: e.g., credit card
theft, industrial espionage• Cracking for fun: e.g., “script kiddies” • Cracking for political reasons: e.g.,
PRC Government webpage defacements
• Cracking as part of cyber-warfare
ITS
Off
sit
e W
ork
sh
op
2002 Security Issues
Cracker Mentoring• Veteran crackers writing and publishing
tools
• Cracker tools exist for cellular, voice, data communications
• Cracker FAQs exist for almost all systems
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Typical Hacking and Cracking• Unauthorized access • Cracking password• Trojan horse• Tapping• Remote capture of someone’s
workstation
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Typical User Abuses• Download huge files• Send out unsolicited massive emails• Steal and sell email addresses • Steal and leak out passwords to
others
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Typical User Abuses• Put unlicensed software/films/songs for
others to download
• Conduct commercial activities using PolyU IT facilities and resources
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Spam Mails• Chain letters
• Spreading large number of e-mails to many different users
• Mail relay
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Denial of Service Attacks• Port Scanning
• Ping Flooding
• Mail bomb
• Re-broadcasting of unwanted packets
ITS
Off
sit
e W
ork
sh
op
2002 Quote From Richard A. Clarke
“The Internet was built without a government or master plan. It was also built without security as part of the central design. Our entire infrastructure is vulnerable because security was not designed in from the ground up.”
Richard A. Clarke, National Coordinator for Security,
Infrastructure Protection, and Counter-Terrorism, speaking at the Washington D.C. Summit, 18 April 2000
ITS
Off
sit
e W
ork
sh
op
2002 Quote from Computer
Economics“It is estimated that the worldwide impact of malicious code
was 13.2 Billion Dollars in the year 2001 alone, with the largest contributors being SirCam at $1.15 Billion, Code Red (all variants) at $2.62 Billion, and NIMDA at $635 Million.”
Computer Economics, 2001 Economic Impact of Malicious Code Attacks,
02 Jan 2002
ITS
Off
sit
e W
ork
sh
op
2002 It’s a wild world
• Every week we see new break-ins, new attack tools, new vulnerabilities
• 2002 CSI/FBI Computer Crime and Security Survey (503 respondents):– 90% of respondents detected “unauthorized
use of computer systems” in the last 12 months;
– The combined losses from just 223 respondents total $445 million
– $170 million from “theft of proprietary info” and $19 million from “system penetration”
ITS
Off
sit
e W
ork
sh
op
2002
Top 10 Attack Source by Country
2.0% 2.5% 2.5% 2.6%3.9% 4.5%
5.9%7.8%
8.8%
29.6%
0%
5%
10%
15%
20%
25%
30%
35%
ITS
Off
sit
e W
ork
sh
op
2002
Top 10 Attack Sources per Internet Capita “ in terms of number
of attacks per 10,000 Internet Users”
7.07 7.10 7.52 7.74 7.85 8.6010.03
11.57
14.50
26.16
0
5
10
15
20
25
30
ITS
Off
sit
e W
ork
sh
op
2002 Some Security News …
• Bugbear-Worm tries to steal credit cards and passwords. 10 Oct 02
• CERT Advisory Trojan Horse Sendmail Distribution. 08 Oct 02
• W32/Bugbear-A continues to cause problems. 07 Oct 02.
• Cyberattacks against energy firms rise, 09 Jul 02.• Hacker swipes $35,000 from Singapore Bank, 05
Jul 02.
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues and Problems at PolyU
Intrusion Purposes/Consequences …
• Unauthorized access to data• Installation of malicious code to collect
passwords, keystrokes, or other data in transit
• Huge consumption of network resources, leading to slow to no response on campus network
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
Intrusion Purposes/Consequences • Loss of machine power for intended
purposes• Defacement for political reasons• Installation of programs to support
attacks on internal or external systems, e.g. DDoS zombies
ITS
Off
sit
e W
ork
sh
op
2002
Security Issues
• URL of incident– http://www.attrition.org/mirror/attrition/2000/09/19/www.ba
nking.hsbc.co.uk/mirror.html
Note to the administrator: You should really enforce stronger passwords. I cracked 75% of your NT accounts in 16 seconds on my SMP Linux box. Please note the only thing changed on this server is your index page, which has been backed up. Nothing else has been altered.
ITS
Off
sit
e W
ork
sh
op
2002 IT Security Stories
Should it take an incident to wake us up?Indiana U Office of the Bursar (2001) IU Faculty Research Information Database (1997)University of Michigan patient recordsUniversity of Washington patient recordsStolen passwords at Berkeley, UCLA, Harvard Many other cases not publicized
ITS
Off
sit
e W
ork
sh
op
2002
Recent Case at our Sister University
A student hacked into the PCs of 4 other studentsAccessed the homework of other students Obtained the password of another studentImpersonate and withdrew the classmate from university
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 1 E-Mails sent to staff in the same department framing senior members of sexual abusesITS investigated and located the source being another institution in HKCase reported to police and a member in that institution identifiedPolice decided not to pursue due to ‘public interest’
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 2 …Departments (and some students) sent out surveys and promotional e-mails to large number of recipientsRecipients regarded that mail spamming and filed complaints to PolyUSome recipients (ISP) blacklisted PolyU and barred PolyU e-mails
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 2Some Departments requested ITS to help but disregarded ITS’s advice and kept on sending Case reported to the Human Subject Ethics Subcommittee
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 3Millions of short enquiry packets (pings) sent out to Internet by a DepartmentAte up over 80% of PolyU’s Internet bandwidth for 2 hoursITS traced two machines in the department’s lab and 100s of hours wastedNobody was identified due to no log kept in labMany more similar cases detected in the same department
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 4 …A graduate student sent out large volume of e-mails on the Internet to solicit money to help his sick wifeOver 200 complaints were received by ITS from all over the worldSome recipients reported to their police and activated investigation by HK and PRC police
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 4During the investigation, it was also found that the student had also used the PolyU IP address to register and host a commercial website for business activities
Case reported to the Head
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 5A graduate student sent out more than once obscene e-mails to over 200 selected recipients in the media and the HK higher education community to attack a senior staff in his departmentVast amount of time spent in the investigation. More than 200 man-hours just in ITS plus that of the senior management
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 6The lab instructor of a training course mistakenly generated an infinite loop among the campus Netware serversParalyzed the whole campus network which finally had to be shut down and restartedITS spent over 100 man-hours to trace the problem and the instructor and fixed the network
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 7 …Code Red, Code Red II and Nimda Viruses attacksITS sent out alerts and patches to all usersITS called urgent meetings with departmentsITS identified and isolated infected ports to contain the impactOver 300 PolyU PCs affected by Nimda
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 7Affected machines in turn degraded performance of the campus network and InternetDamage considered small compared to two other HK institutions which had to shut down the entire campus network to ‘stop the bleeding’
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
PolyU Real Case 8Some Linux machines in some departments were attacked
They became the ‘launch pad’ of port scanning to other machines on campus and the Internet
ITS received many complaints
The department refused to take action and ITS had to disable their ports from the network
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU Real Cases
Other PolyU Real AbusesTheft of passwordsUse PolyU IT resources to solicit moneyUse PolyU IT resources to run businessGive computer accounts to other personsInsult other users on Internet with foul languagesMail bombs
ITS
Off
sit
e W
ork
sh
op
2002
The PolyU Real Cases
Institutional Risks • Reputation of the institution
tarnished• Increases the risk of suits filed by
students and others and associated liability
• Wastes of resources
ITS
Off
sit
e W
ork
sh
op
2002 The PolyU IT Security
• Prevention is better than cure
• Users cooperate and follow ITS advices
• Must be secure to sustain the future
• The cooperation of CLO is essential
ITS
Off
sit
e W
ork
sh
op
2002 IT Security
Thank you