Detection and Prevention of Intrusions and Attacks at Universities
Tammy Clark
Information Security Officer
Georgia State [email protected]
Copyright Tammy Clark, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Prelude
Detection and Prevention of Intrusions and Attacks at Universities
Track 7: Infrastructure/Networking/Security
Wednesday, October 31, 2001
9:30-10:20 a.m.
You can access this presentation online at http://www.gsu.edu/security
Introduction
While the size and composition of our individual networks may differ… University network infrastructures are a major target for “script kiddies” and are under attack 24/7. University systems are being “used” to attack other systems over the internet on a regular basis.
While our institutional security budgets and staffing allowances may differ…we all need to devise effective methodologies to prevent, detect, monitor and respond to attacks and intrusions on our networks.
The Weakest Link….
A university without…..
– A “funded mandate” to develop a robust information security program
– An information security strategic plan and comprehensive policies
– Security tools
– At least one full-time security staff member to take the lead on security initiatives
Common Vulnerabilities and Threats
Inadequate security plans, procedures and/or policy
Security “unaware” users
Un-patched or mis-configured operating systems and applications
Unprotected hosts, gateways, network perimeters
Undetected modems or wireless access points
Workstations connected to the network that no one uses or notices…
Other Areas of Concern
Vendor-supplied systems (COTS) that are not properly secured or managed
Wireless networks
Inbound and outbound filters not applied to external routers or firewalls
Flawed “disaster recovery” processes
SANS’ Twenty Most Critical Internet Security Vulnerabilities at http://66.129.1.101/top20.htm
Methods to Prevent
STRATEGIC PLANNING
Employ a strategic approach to security—develop plans, procedures, and policies
Staff Up—ISO, CERT, Task Force, Security Committee
Assess the “state of security”—conduct internal and external audits to prioritize and identify critical vulnerabilities and threats.
In your policies, notify users that vulnerability scans will be performed
Incorporate policies and standards that require users to apply specified levels of protection to systems before connecting them to the production network
Clearly define the consequences of non-compliance
Methods to Prevent
STRATEGIC PROTECTION
Segregate/aggregate critical hosts, Resnets and vendor-maintained systems onto their own Vlans and apply very specific restrictions and permissions
Promote and require (through policy/procedures) secure data transmission, authentication, and remote network access methods, such as SSH, SSL, VPN’s
Protect University systems—ensure that, at a minimum, each critical system and server on your campus has an individual or group that is responsible for applying security configurations, patches, logging and auditing
Methods to Prevent
PROACTIVE MEASURES
Security Awareness Training—Use a wide variety of methods to get your faculty, staff, and students actively involved
Subscribe to receive alerts about newly discovered vulnerabilities and exploits and establish a mechanism to communicate these to system administrators
Incident Response Action Plans—document and define incident notification and response procedures and communicate these to campus technology leaders
Disaster Recovery Planning—develop a plan that details how critical systems will be restored in the event of a compromise or loss (that includes system security configuration and patch documentation)
Methods to Monitor and Detect
“GUARDING THE GATES”
Firewalls
– Router access control filters
– Distributed firewalls
– Firewall modules and centralized management to protect critical hosts
– Personal firewalls, hardware or software
Anti virus software
– Install and maintain on workstations and servers
– Place virus scanners in front of mail gateways
Methods to Monitor and Detect
AUTOMATED DISCOVERY
Network Security Assessment Scanners
– Detect a wide range of vulnerabilities in operating systems and applications
– Expose vulnerabilities in databases, web servers, CGI scripts
– Discover exposed ports and services that need to be turned off
– Identify unknown wireless access points and modems
System Security Assessment Scanners and Integrity Solutions
– Centrally manage scans of multiple hosts on a network
– Set a baseline standard configuration and monitor for alterations
– Have the ability to recover a system back to its unaltered state
Methods to Monitor and Detect
AUTOMATED DETECTION
Intrusion Detection Systems
– Monitor your network for attacks and intrusions
– Halt attacks in progress to prevent further damage
– Identify compromised systems
Security Management Applications
– Centrally organize log and audit information across your enterprise network
Methods to Respond
There is a sequence of defined “phases” in establishing a methodology to respond to security incidents:
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow Up
Methods to Respond
PREPARATION
Develop notification, investigation, and response procedures that will integrate with your University’s existing policies and standards
Ensuring that effective backup procedures are in place is an important preparation step!
SANS’ Computer Security Incident Handling, Step By Step Guide is an excellent resource (www.sans.org)
Organize a campus-wide CERT and clearly define roles and responsibilities: http://www.auscert.org.au/Information/Auscert_info/Papers/Forming_an_Incident_Response_Team.html
Methods to Respond
IDENTIFICATION
A first step in responding to an incident is to identify what has happened
Intrusion detection systems, firewalls, system logs, network or system “behavior” that diverts from the norm, reports from outside entities can all alert you to the fact that an incident has occurred
You will want to include the stipulation in your incident response policies that a “compromised” system should not be shut down or tampered with in any way before your CERT has a chance to identify what has occurred
Methods to Respond
CONTAINMENT
You will want to ensure that your incident response policy identifies when a system will immediately be removed from the network due to the risk that it represents
Many Universities don’t have time to do a lot of forensics activities to dissect a compromise—but rather than simply wipe the system and reload as a regular practice—make a backup of the system in its compromised state to examine later or to use in getting outside advice about what occurred
Preserve logs, take notes, and use the information you can get from the system involved in an incident to ensure that no other systems on your campus are affected
Methods to Respond
ERADICATION
The method that you employ to ensure that your network or systems are “clean” will differ depending on the type of incident
Some incidents, such as widespread denial of service attacks, can require you to obtain assistance from your ISP or network provider to successfully stop the attacks
Most viruses can successfully be removed, but determining whether all traces of a root-level compromise can be found and fixed can be time-consuming and an imprecise science
This is where that preparation step of ensuring you have good backups will pay off!
Methods to Respond
RECOVERY
If it is not possible to remove all traces of infection or problems, restore an affected system from the “last good” backup or decide to reload it, depending on the circumstances
Dictate in your procedures the criteria you will employ in making a decision as to when to restore network services to an affected system
Continue to monitor the system to ensure no further problems occur
Methods to Respond
FOLLOW UP
You will want to conduct activities around documenting incidents, examining the “lessons learned” and noting whether changes need to be made in policies or procedures to prevent further problems
Gathering historical information on incidents that have occurred on your campus can be invaluable in supporting the budgetary and staffing needs of your Information Security function!
Case Studies
Following are examples of recent incidents that have affected University networks worldwide and in some cases, continue to do so…
There are numerous methods and means that a University can employ to mitigate incidents.
The choices that are made are normally a reflection of the numbers of staff dedicated to security-related duties, the budget to procure tools, and the “perceived” importance of protecting University technology resources
Code Red Worm V.1
Description: The Code Red Worm, discovered July 19th, affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000 that run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the file “idq.dll.”
Prevention: Scanning for vulnerable web servers with eEye Digital Security’s free Code Red Scanner and patching vulnerable systems
Detection: By setting a policy for an intrusion detection system to display all “http get” requests, all of the infected servers were identified within 20 minutes
Response: Contacting affected systems administrators and providing them with instructions on how to eradicate or shutting the infected systems down until an administrator could fix them
Summary: The Code Red Worm v.1 impact was mitigated campus-wide within four hours of discovery due to a large number of infected systems, with isolated incidents occurring for several days that were quickly resolved
Code Red Worm V.2
Description: CodeRed II was discovered on August 4, 2001. It has been called a variant of the original Code Red Worm because it uses the same “buffer overflow” exploit to propagate to other Web servers. However, this version of the worm plants one or more “backdoors” on the infected servers.
Prevention: Scanning for vulnerable web servers with eEye Digital Security’s free Code Red Scanner and patching vulnerable systems
Detection: Several attack signatures were added to RealSecure IDS that allowed easy detection of any Code Red Worm variant, allowing identification of infected servers instantly
Response: Contacting affected systems administrators and providing them with tools and instructions on how to eradicate or shutting the infected systems down temporarily
Summary: The Code Red Worm v.2 impact was mitigated campus-wide within two hours after discovery, with isolated incidents occurring for several days that were quickly resolved
Code Blue Worm
Description: Discovered on September 18, 2001, a virus with multiple methods of delivery infected Windows 95, 98, ME, NT, 2000 systems, which then scanned IIS web servers for directory traversal vulnerabilities and back doors left by the Code Red Worm v.2 and Sadmind worms
Prevention: A mail-gateway virus scanner configured to block attachments containing “malicious” code would intercept infected messages and prevent them from entering the mail system. IIS systems that were patched and free of back doors would not be affected
Detection: RealSecure instantly identified infected web servers once again, and the minimal number of campus users with Outlook clients who became infected were detected when scanned by Norton Antivirus
Response: Antivirus (and other security) vendors released tools that eradicated the virus from systems, including web servers, and affected systems administrators were notified to fix web servers, or the servers were shut down until they could do so
Summary: Code Blue infected systems were detected quickly and the damage was mitigated campus-wide within an hour after discovery
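The two detection steps above (flagging every HTTP GET that carries the idq.dll overflow probe, and spotting the directory-traversal scans Code Blue ran against IIS) can be reproduced offline against web server logs. The script below is an added example written for this page, not the presenter's or any vendor's code; the log lines, the query-length threshold and the list of traversal encodings are all assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Rule 1: a GET for an Index Server .ida/.idq resource (both are handled by idq.dll)
# with an abnormally long query string matches the Code Red overflow probe.
IDQ_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
IDQ_QUERY_THRESHOLD = 100  # assumed cut-off; real Index Server queries are far shorter

# Rule 2: "../" and its URL-encoded variants in a URI mark a directory-traversal probe
# of the kind Code Blue used against IIS (the set of encodings is an assumption).
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%c0%af|%c1%1c|%255c|%5c|%2f)", re.IGNORECASE)

def classify(line):
    """Return the rule names one W3C-style IIS log line triggers (may be empty)."""
    fields = line.split()
    if len(fields) < 7:  # date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
        return []
    _date, _time, _src, method, stem, query, _status = fields[:7]
    hits = []
    if method == "GET" and IDQ_STEM.search(stem) and len(query) >= IDQ_QUERY_THRESHOLD:
        hits.append("idq_overflow_probe")
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        hits.append("directory_traversal_probe")
    return hits

def suspicious_sources(log_text, min_hits=2):
    """Map client IP -> Counter of rule hits for IPs with at least min_hits.
    A host repeatedly sending these probes is itself infected and scanning."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rules = classify(line)
        if rules:
            src = line.split()[2]
            for rule in rules:
                per_ip[src][rule] += 1
    return {ip: c for ip, c in per_ip.items() if sum(c.values()) >= min_hits}

# Constructed sample log (not real traffic): one host spraying Code Red probes,
# one host trying Unicode traversal, one host browsing and searching normally.
CODE_RED_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    f"2001-07-19 10:01:02 10.1.1.5 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 10:01:03 10.1.3.3 GET /index.html - 200",
    f"2001-07-19 10:01:04 10.1.1.5 GET /default.ida {CODE_RED_QUERY} 404",
    "2001-07-19 10:01:05 10.1.2.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 404",
    f"2001-07-19 10:01:06 10.1.1.5 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 10:01:07 10.1.3.3 GET /search.idq CiRestriction=security 200",
    "2001-07-19 10:01:08 10.1.2.9 GET /msadc/..%c1%1c../winnt/system32/cmd.exe - 404",
])
```

Running `suspicious_sources(SAMPLE_LOG)` yields only the two scanning hosts; the legitimate .idq search from 10.1.3.3 stays below the length threshold and is not flagged.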
Selecting the Right Tools For The Job…
Just as there are so many strategic choices that can be made in protecting University networks, the same is true of security tools
Following are “short lists” of categorized tools—these are not recommendations, just a starting point for you
There is no way to get around three facts:
– When it comes to security tools, one size does not fit all
– Choosing the most effective tools that will also fit your University’s budgetary needs requires research, planning and careful evaluation
– To get a return on your security tools investment, you will need to ensure that you have “security savvy” staff members to deploy and manage them!
Firewalls
Checkpoint Firewall-1: http://www.checkpoint.com/products/firewall-1/index.html
Cisco IOS Firewall and Cisco Pix: http://www.cisco.com/warp/public/44/jump/secure.shtml
Cyberwall Plus: http://www.network-1.com/products/index.html
Sunscreen: http://www.sun.com/software/securenet/securenet3/;$sessionid$QQCYLGIAAES11AMTA1LU45Q
ZoneAlarm: http://www.zonealarm.com
BlackICE Defender: http://www.networkice.com
Anti Virus
Email/SMTP gateway antivirus scanner
– Guinevere for Novell Groupwise: http://www.indecon.com/guinevere/precis.htm
– Interscan VirusWall for NT or Unix: http://www.antivirus.com/products/internet_gateway.htm
– Webshield for NT or Unix: http://corporate.mcafee.com/content/software_products/avd_gateway_default.asp
Centrally-managed anti virus solutions
– Trend Virus Control System: http://www.antivirus.com/products/trend_vcs/
– Norton Antivirus: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=23&PID=8684275
Network Security Assessment
Commercial Tools
– Internet Scanner: http://www.iss.net
– Database Scanner: http://www.iss.net
– Security Analyzer: http://www.netiq.com/products/sa/default.asp
– Bv-control for Internet Security: http://www.bindview.com/products/control/internet.cfm
– Retina: http://www.eeye.com/html/Products/Retina/index.html
– Telesweep: http://telesweepsecure.securelogix.com/
Free Tools
– Saint: http://www.wwdsi.com/saint/
– Nessus: http://www.nessus.org/
– Blue Globe: http://www.blueglobe.com/%7Ecliffmcc/portscanner.html
– NMAP: http://www.insecure.org/nmap/index.html#other
System Security/Integrity Assessment
System Scanner: http://www.iss.net
Tripwire Manager: http://www.tripwire.com/
VigilEnt Security Manager: http://www.pentasafe.com/products/
Intrusion Detection Systems
Commercial Intrusion Detection Systems
– RealSecure: http://www.iss.net
– NFR: http://www.nfr.com/
– Dragon: http://www.enterasys.com/ids/
– Cisco Secure: http://www.cisco.com/warp/public/44/jump/secure.shtml
Free Intrusion Detection Systems
– Snort: http://www.snort.org
Security Management
SAFEsuite Decisions: http://www.iss.net/securing_e-business/security_products/security_management/decisions/
Secure Log Manager: http://documents.iss.net/literature/slm/slm10_ug.pdf
NetSecure Log: http://www.netsecuresoftware.com/netsecurenew/Products/NetSecure_Log/netsecure_log.html
AccessMaster: http://www.evidian.com/accessmaster/index.htm
Wrapping Up…
You can access this presentation online at the Georgia State University Security Information Center http://www.gsu.edu/security
References
I recommend:
– Incident Response: Investigating Computer Crime by Kevin Mandia and Chris Prosise
– Hacking Exposed: Network Security Secrets & Solutions by Joel Scambray, Stuart McClure, and George Kurtz
– The Hacking Exposed volumes on Linux and Windows 2000 by the above authors
– All of the SANS “Step by Step” Guides available at http://www.sans.org