Security Interchange Paul Howell Information Systems Security Officer MAIS / Technical Infrastructure Operations June 2002


Page 1

Security Interchange

Paul Howell

Information Systems Security Officer

MAIS / Technical Infrastructure Operations

June 2002

Page 2

Agenda

• UM and the Internet
• The Internet: past, present, and future
• Security problems
• Challenges for Higher Education
• Security solutions
• MAIS efforts and status
• Working together
• Update on a security incident at MAIS

Page 3

UM and the Internet

• Full connectivity with the Internet and Internet2

• Approximately 50,000 live hosts on UM networks

• Mission critical business processes run over the network

• Education and research depend upon the network

Page 4

Page 5

The Internet, Circa 1969

Once upon a time, there was a network where all users worked together in harmony towards common goals.

Page 6

The Internet, Present

Page 7

The Internet, Future

Page 8

More Sophisticated Intruders

Intruders are:

• growing in number and type
• building technical knowledge and skills
• gaining leverage through automation
• building skills in vulnerability discovery
• becoming more skilled at masking their behavior

Page 9

Attack Sophistication vs. Intruder Technical Knowledge

[Chart: two curves, Intruder Knowledge and Attack Sophistication, plotted from Low to High over the years 1980–2000, with Tools and Intruders labelled. Milestones shown along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDoS attacks, network worms.]

Page 10

Modus Operandi

• A typical attack pattern consists of
– Reconnaissance of the victim site
– Gaining access to a user's account
– Gaining privileged access
– Performing desired activity

• It is possible to accomplish all these steps manually in as little as a few minutes

• got root?

Page 11

Code Red: 359,000 Infected Hosts

Page 12

Published on Bugtraq

Source: http://www.securityfocus.com/vdb/stats.html (2001 data is incomplete)

Page 13

It’s going to get worse – 1

• Explosive growth of the Internet continues
– Where will capable system administrators come from?

• Market pressures will drive vendors
– Time to market, features, performance, and cost are primary
– “Invisible” quality features such as security are secondary

Page 14

It’s going to get worse – 2

• More sensitive applications will be connected to the Internet
– Low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking
– Hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology

Page 15

It’s going to get worse – 3

• “The death of the firewall”
– Traditional approaches depend on complete administrative control and strong perimeter controls
– Today’s business practices and wide area networks violate these basic principles
• no central point of network control
• more interconnections with customers, suppliers, partners
• more network applications – “the network is the computer”
• who’s an “insider” and who’s an “outsider”

Page 16

Incident Costs in the Big 10

[Bar chart: Number of Incidents (0 to 8) by incident cost range: $0 - $5,000; $5,001 - $15,000; $15,001 - $50,000; $50,001 - $100,000; > $100,000]

Source: 1997 – 1998 ICAMP Study

Page 17

The Risks

While computer networks revolutionize the way organizations operate, the risks computer networks introduce can be fatal to their mission.

Network attacks lead to lost:
– Money
– Time
– Work products & research
– Reputation
– Privacy
– Sensitive information
– Lives

Page 18

What’s Wrong?

• The Internet was designed to be resilient, not secure

• Insecure Products
– Poor quality control leads to a large number of patches
– Products ship with open configurations
– Security is an add-on
– Security is hard to configure

• Cryptography is not ubiquitous

Page 19

What’s Wrong?

On the Internet, every
– hacker/cracker (professional, script kiddie)
– hacktivist
– criminal (pedophile, extortionist, fraud, …)
– sociopath
– terrorist
– espionage/intelligence agent
– military cyber warrior
– copy cat

IS OUR NEIGHBOR

Page 20

The Challenges of Security in Higher Education

1. Diversity of the Higher Ed Industry

2. Complexity of Service Offerings Drives Complexity of Architectures

3. Cultural Challenges

Page 21

Diversity of the Higher Ed Industry

• 3500+ Colleges and Universities

• > 1000 Community colleges

• < 100 major research universities

• 125+ University Medical Schools

• 400 Teaching Hospitals

• 150+ Institutional members of Internet2

Page 22

Complex Service Offerings

• The University is an Educational and Research Entity

• The University is a Corporation

• The University is an ISP

Page 23

Cultural Challenges

• Loose confederation of autonomous entities
• Lack of control over users
• Academic “culture” and tradition of open access to information
• Complex trust relationships between departments at various Universities for research (e.g. Physics community)
• Creative Network Anarchy – anyone can attach anything to the network
• University research lab computers are often insecure and poorly managed; Libraries provide open terminals
• Dorm Networking: little adult supervision

Page 24

Why US Higher Ed Computer Networks are Attractive Targets

• Excellent platforms for launching attacks
– Wired dorms (insecure Linux PCs, PC Trojans)
– High bandwidth Internet
– Sophisticated computing capacity (scientific computing clusters, even web servers, etc.)
– “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)

• Many college & university networks are insecure
– Too few security experts; weak tools; most institutions do not have an InfoSec office
– Few policies regarding systems security
– Dearth of funding

Page 25

Targets of Opportunity on US Higher Education Computer Networks

• Sensitive Data

– Credit Card #s, ACH bank #s

– Patient Records

– Student Records

– Institution Financial Records

– Investment Records

– Donor Records

– Research Data & Other Intellectual Property

Page 26

Increasing Visibility of Security Issues in Higher Ed

• Increasing concerns about liability: Will E-Commerce sites recover damages from institutions implicated in future DDoS attacks?
• Federal funding agencies to require firewalls, security?
• HIPAA is a “forcing function” in academic Medical Centers, Campus Health Centers
• FERPA, COPPA, CIPA, DMCA, Privacy legislation
• Threats from terrorist activities, protection of the national infrastructure
• Recent incidents: Massive Virus Attacks, Intrusions Leading to Potential for Identity Theft, Liability

Page 27

Educause Action Statement

• Make IT security a higher and more visible priority in higher education
• Do a better job with existing security tools, including revision of institutional policies
• Design, develop, and deploy improved security for future research and education networks
• Raise the level of security collaboration among higher education, industry, and government
• Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Page 28

Statement on Stewardship, UM

• Maintaining systems security and a secure computer environment for financial and other University records

• Storing information you obtain under secure conditions and taking every reasonable effort to maintain privacy and confidentiality of the data

Page 29

Security is a Process

[Diagram: a cycle of Risk Analysis, Security Policy, Countermeasures, and Audit around Security; caption: It’s All About Risk Management]

Page 30

Security Objectives

• Confidentiality: Information is disclosed to authorized individuals

• Integrity: Information and programs are changed only in a specified and authorized manner

• Availability: Assure that systems work promptly and service is not denied to authorized users

Page 31

Primary Activities

• Prevention
– Security policy
– Firewalls, encryption

• Detection
– Logging and monitoring
– Intrusion detection, integrity management

• Reaction
– Incident response team
– Recovery of resources/information

Page 32

Elements of Security

• Should support the mission of the organization

• Is a means to an end and not an end in itself

• Is an integral element of good management

• Should be cost-effective

Page 33

Basic Steps

• Identify what you are trying to protect

• Determine what you are trying to protect it from

• Determine how likely the threats are

• Implement measures that will protect your assets in a cost-effective manner

• Review the process continuously and make improvements each time a weakness is found

Page 34

MAIS Participation in Security Organizations

• InfraGard - government and private sectors working together to protect critical infrastructure

• CIC Security Working Group - Big 10 security officers meet quarterly

• Host the UM Security Round Table - people from UM and the region attend for quarterly meetings

Page 35

MAIS Data Center

• Approx. 4,000 square foot computer room
• Central records for HR, SA, and Fin
• Houses about 130 servers
– Citrix
– Oracle (e.g., Fin and HE Prod)
– Wolverine Access
– Development, Alumni, and Constituency
– Library (Mirlyn)
– Axis (ITCom billing system)
– Alumni Association Self Service
– Printers

Page 36

MAIS Enterprise Systems

• Security assessment completed January 2001

– “administrative information systems in the data center are at considerable risk to technology-based security attacks”

• Recommendations made to correct this are fully funded and being implemented

• Infrastructure Protection Group formed with members from different areas

Page 37

Our Vulnerabilities

Vulnerabilities Identified: 2526

Percent of Vulnerabilities by Severity:
High 9.9%
Med 8.2%
Low 81.9%
Total: 100.0%

Page 38

Security Project Status

Completed              | Started                 | Planned
Firewall               | Encrypt Network Traffic | Authentication Review of Admin Systems
Network Time Protocol  | Security Policy         | Account Usage Analysis
Improve WA Encryption  | Central Logging         | 24 X 7 Vulnerability Detection
Intrusion Detection    | Disaster Recovery       | Security Assessments as a Service
Routine Patching       | User Security Awareness |
DMZ                    | Integrity Management    |

Page 39

Page 40

Some Future Things

• Secure Shell to replace FTP

• Use VPNs to access systems remotely

• Authentication systems review and recommendations, i.e., currently up to 9 passwords
– Strong yet simple

• Cooperatively work towards providing the same level of security for administrative information across campus

Page 41

User Security Awareness

• Increase awareness of security issues
• Communicate advisories
• Team up with technical staff within the Units to work with on technical items
• Hold periodic Security Interchange meetings
• Web site with security information: http://www.mais.umich.edu

Page 42

Teaming Up

• Identify technical support staff working on security in their respective areas

• Establish an email list for discussing and sharing information regarding security

• Share tools and techniques used to assess and secure our operational environments

• Two-way communication is vital

Page 43

Reporting Incidents

• If your system has been compromised and it might affect HR, SA, Library, or Fin information and/or systems, please contact the MAIS Help Desk

• If you suspect your account has been compromised, please contact the MAIS Help Desk

• If it’s an emergency send email to [email protected] and my pager is in the online directory

• Still contact your local system administrators

Page 44

Incident Response

• January 2001 – a critical server is compromised

• Serious threat to UM

• Tracing the connections backwards
– UM Physics
– University of Maryland
– University of Illinois
– ADSL modem in Corpus Christi, TX operated by Southwest Bell

Page 45

Criminal Matter

• Felony in MI

• Coordinated with
– UM DPS (local)
– MI High Tech Crime Unit (state)
– MI State Police (state)
– Detroit FBI Computer Intrusion Unit (federal)
– Corpus Christi, TX PD (local)
– TX High Tech Crime Unit (state)

Page 46

Prosecuted

• April 25, 2001 search warrant is executed

• Suspect is 16 years old

• Evidence found on seized equipment

• Case transferred to TX for prosecution

• Guilty plea on May 28, 2002

Page 47

Questions and Discussion

Paul Howell

[email protected]

734-763-0609