
How to Secure the “End-User”: Same Goal, Varied Approaches

Carrie McCoy – University of Missouri-Columbia

Rebecca Fowler – University of Missouri-Columbia

Jodi Ito – University of Hawaii

© 2004 Curators of the University of Missouri and the University of Hawaii

University of Missouri - Columbia

• Public University

• Flagship campus in a four campus system

• 15000+ employees

• Outreach and Extension programs (state-wide)

University of Missouri - Columbia

• Approximately 27,000 students
  – ~20,500 undergraduates
  – ~6500 graduate/professional

• Approximately 6000 students live in University housing
  – Most have high speed internet access (ResNet)

MU IT Structure

• Information Access & Technology Services (IATS) is the central IT group
  – E-mail
  – Campus wired & wireless network
  – Voice
  – Cable
  – Central storage
  – Help desk
  – Desktop support
  – Account Management
  – Security

MU Distributed IT Support

• IT Professional community
  – Selected by individual departments

• Act as first-tier desktop support for departments

• Liaison between IAT Services and the campus

• Monthly meetings

MU Computing Environment

• 18000 devices on network
  – 70.7% Windows, 29.3% other (Mac, Unix, Printers)

• Over 48,000 Active Directory accounts

• 35 computing sites (public and residence halls)
  – 1300 public computers

• Wireless coverage is continuing to grow
  – 66 campus buildings are wireless
  – 232 access points across campus

MU Wireless Coverage

University of Hawaii

• Statewide public university & community college system
  – Governed by one Board of Regents
  – Publicly funded institution
  – Three 4-year campuses
  – Seven community college campuses
  – One employment training center
  – Five education centers

University of Hawaii

• System-wide:
  – Approximately 46,000 students
  – 40,000 undergraduates, 6000 graduates
  – Approximately 8600 faculty & staff
  – Approximately 2800 students in residence halls at Manoa
    • Most have high speed access (ResNet)

UH IT Structure

• UH Information Technology Services is IT support organization (voice, video, data, institutional applications)

• Dual roles:
  – System-wide: plan/manage/maintain:
    • Primary Internet connections (Internet2, Australia, Japan, commodity Internet)
    • Inter-campus connections
  – Manoa campus: provide IT support at all levels

UH Distributed IT Support

• Establish IT coordinators group
  – To be appointed by Deans, Directors, & Unit Heads

• Will serve as point-of-contact for IT-related incidents/advisories

• Have meetings each semester in addition to workshops and training opportunities

• Form close working relationships to better coordinate IT activities

UH Computing Environment

• Between 20,000-30,000 devices connected to the network

• Over 1000 publicly-accessible computers in labs

• 100,000+ UH Usernames issued

UH Manoa Wireless Coverage

Common Problems

• Combat security incidents proactively
  – Worms and viruses
  – Spyware
  – Copyright violations
  – Account Compromises

• People don’t understand that security is their responsibility

MU Worm/Virus Statistics

• Blaster
  – 3689 infected systems (September 2003)

• Beagle
  – 530 infected systems (March 2004)

• Sasser
  – 251 infected systems (May 2004)

Other MU Incident Statistics

• Currently blocking over 500 IP/MAC addresses

• 97 copyright infringement complaints since July 2003

• 743 probing/unauthorized attempt complaints since July 2003

• 105 complaints of spam relayed through an MU host

UH Virus Statistics

Other UH Incident Statistics

• Week of May 3rd, 2004 - over 240 unique IPs infected with Sasser/Gaobot variant

– Using DHCP in some areas - more than one system may have used a single IP or same compromised system may have used a different IP

• Currently blocking over 330 IP/MAC addresses

• Approximately 70 copyright infringement complaints since January 2004

• 200+ spam/probing/unauthorized attempt complaints since January 2004
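The DHCP caveat above (one IP reused by several systems, one system seen under several IPs) is why an "infected unique IPs" count is only an estimate. The following is an added example, not code from the slides or from either university: it joins constructed worm-scan alerts against a constructed DHCP lease history so that infections are counted per hardware (MAC) address rather than per IP, and keeps alerts that no lease record covers in a separate "unattributed" bucket instead of guessing. All timestamps, addresses and MACs are made-up sample data.

```python
# Added example (not from the original slides): attribute infection alerts
# to the MAC address that held the IP at the time of the alert, using DHCP
# lease records, so the count reflects systems rather than addresses.
from collections import defaultdict
from datetime import datetime

# Constructed worm-scan alerts: (time, source IP). Sample data only.
ALERTS = [
    ("2004-05-03 08:12", "10.1.1.20"),
    ("2004-05-03 09:40", "10.1.1.21"),
    ("2004-05-03 14:05", "10.1.1.20"),  # same IP, later in the day
    ("2004-05-04 10:30", "10.1.1.35"),
    ("2004-05-04 16:00", "10.1.1.21"),
    ("2004-05-04 23:30", "10.1.1.50"),  # no lease record covers this one
]

# Constructed DHCP lease history: (lease start, lease end, IP, MAC).
LEASES = [
    ("2004-05-03 07:00", "2004-05-03 11:00", "10.1.1.20", "00:11:22:aa:aa:01"),
    ("2004-05-03 12:00", "2004-05-03 18:00", "10.1.1.20", "00:11:22:aa:aa:02"),
    ("2004-05-03 08:00", "2004-05-03 20:00", "10.1.1.21", "00:11:22:aa:aa:03"),
    ("2004-05-04 09:00", "2004-05-04 12:00", "10.1.1.35", "00:11:22:aa:aa:03"),
    ("2004-05-04 13:00", "2004-05-04 20:00", "10.1.1.21", "00:11:22:aa:aa:04"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def mac_for(ip, when, leases=LEASES):
    """Return the MAC that held `ip` at time `when`, or None if no lease covers it."""
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and parse(start) <= when <= parse(end):
            return mac
    return None


def attribute_alerts(alerts=ALERTS, leases=LEASES):
    """Group alerts by the MAC responsible; alerts with no covering lease go under None."""
    by_mac = defaultdict(list)
    for ts, ip in alerts:
        by_mac[mac_for(ip, parse(ts), leases)].append((ts, ip))
    return dict(by_mac)


def summarize(alerts=ALERTS, leases=LEASES):
    """Compare the naive per-IP count with the per-system (per-MAC) count."""
    by_mac = attribute_alerts(alerts, leases)
    ips_per_mac = {m: {ip for _, ip in v} for m, v in by_mac.items() if m is not None}
    macs_per_ip = defaultdict(set)
    for mac, ips in ips_per_mac.items():
        for ip in ips:
            macs_per_ip[ip].add(mac)
    return {
        "unique_ips": len({ip for _, ip in alerts}),
        "unique_macs": len(ips_per_mac),
        "unattributed_alerts": len(by_mac.get(None, [])),
        # Both DHCP effects the slide warns about, made visible:
        "ips_shared_by_multiple_systems": sorted(ip for ip, m in macs_per_ip.items() if len(m) > 1),
        "systems_seen_under_multiple_ips": sorted(m for m, ips in ips_per_mac.items() if len(ips) > 1),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the sample data the naive answer ("4 unique IPs") and the lease-based answer ("4 distinct systems plus 1 alert nobody can be blamed for") happen to agree on the headline number while disagreeing on which machines are involved, which is exactly the ambiguity the slide's caveat describes; the two list fields show where the IP-based view would mislead a responder.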

Overall Approach to Common Problems

• Both MU and UH decided that it would not be enough to just use technology solutions to combat or prevent problems

• Dual focus:
  – End-user education
  – Technology efforts

MU End-User Education

• Creation of a comprehensive security awareness program

• Theme: “You are the key to security!”

• Worked with internal Creative Services group to create a logo

MU Security Awareness Program

• Two main components of program
  – Activities based on monthly topics
  – Security awareness training

• Trying to reach varied audiences
  – Faculty/Staff
  – On-campus students
  – Off-campus students

Monthly Topics

• Planned topics 10 months in advance with the idea that they could change

• Example topics:
  – Password safety and security
  – Virus protection
  – DMCA
  – AUP
  – Workstation security
  – E-Mail security

Monthly Activities

• Technology newsletter articles (goes to all students and 9000 faculty/staff)

• Poster campaigns

• Guest speakers

• Payroll stuffers

• Presentations to organizations

• Targeted mass e-mails

Examples of Monthly Activities

• January: Password Safety and Security
  – Posters
  – Technology newsletter article
  – Mass e-mail about password reset campaign to all faculty, staff, and students

• April: Cyber Security
  – Guest speaker from FBI cyber crime task force
  – Presentation to graduate class in College of Business
  – Security awareness webpage highlighting cyber security

Security Awareness Training

• One hour instructor led course
  – Password safety
  – Workstation security
  – Physical security
  – Internet and e-mail security
  – Social Engineering/Principle of least privilege
  – FERPA/HIPAA overview

• Online course in development
  – Same topics as instructor led course
  – Student version and faculty/staff version

Lesson 2: Password Safety & Security

Key Points

• Don’t use your PawPrint and password on external entities.

• Always choose a secure password!

Time to try every possible password of a given length, by character set size:

# of Characters   26 (a-z)          36 (a-z, 0-9)       52 (a-z, A-Z)
6                 51.5 minutes      3.74 hours          13.7 days
7                 22.3 hours        9.07 days           3.91 months
8                 24.2 days         10.7 months         17.0 years
9                 1.72 years        32.2 years          8.82 centuries
10                44.8 years        1.16 millennia      45.8 millennia
11                11.6 centuries    41.7 millennia      2,384 millennia
12                30.3 millennia    1,503 millennia     123,946 millennia
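The table follows from two numbers the slide leaves implicit: the size of the search space (alphabet size raised to the password length) and the attacker's guess rate. The code below is an added example, not from the slides or the University of Missouri; it rebuilds the table from those two quantities. The guess rate of 100,000 attempts per second is an assumption, chosen because it reproduces the slide's 7-character row exactly (22.3 hours, 9.07 days, 3.91 months); the slide does not state what rate or hardware it assumed.

```python
# Added example (not from the original slides): derive "time to exhaust
# the keyspace" from alphabet size, length and an assumed guess rate.
GUESSES_PER_SECOND = 100_000  # assumption; reproduces the slide's 7-char row

# Alphabet sizes used by the slide's three columns.
ALPHABETS = {"26 (a-z)": 26, "36 (a-z, 0-9)": 36, "52 (a-z, A-Z)": 52}

# Unit sizes in seconds, largest first, using a 365.25-day year.
YEAR = 365.25 * 86400
SECONDS_PER = [
    ("millennia", 1000 * YEAR),
    ("centuries", 100 * YEAR),
    ("years", YEAR),
    ("months", YEAR / 12),
    ("days", 86400.0),
    ("hours", 3600.0),
    ("minutes", 60.0),
]


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate of this length is tried at `rate` per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1, 3 significant digits."""
    for name, size in SECONDS_PER:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def crack_time_table(lengths=range(6, 13), rate=GUESSES_PER_SECOND):
    """Rows of (length, [human-readable time per alphabet column])."""
    return [
        (n, [humanize(exhaustive_search_seconds(a, n, rate)) for a in ALPHABETS.values()])
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'# of Characters':<16}" + "".join(f"{h:<18}" for h in ALPHABETS))
    for n, cells in crack_time_table():
        print(f"{n:<16}" + "".join(f"{c:<18}" for c in cells))
```

Two things the numbers make obvious: each extra character multiplies the work by the alphabet size, which is why length matters more than any single "special" character, and the whole table scales linearly with the guess rate, so a faster attacker (or an offline attack against a stolen hash) shifts every cell down by the same factor.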

Password Cracking – It’s Easier Than You Think!

What Could Someone Do If They Had Your Password?

• Send threatening e-mail on your behalf

• Access Web sites on which you have enabled one-click ordering and purchase items with your credit card

What Could Someone Do If They Had Your Password?

• Connect to MU e-mail servers and spam thousands of people

• Gain access to the MU network and attack other entities on your behalf

Choose a Secure Password

• Easy to remember

• Can be typed quickly without having to look at the keyboard

• Mix of apparently random letters, digits, and punctuation

Xms25thoD* = “Christmas is on the 25th of December*”

Ihomdf5y. = “I have owned my dog for 5 years.”

UMC PawPrint Password Requirements

• Your password MUST:
  – Consist of between 8 and 26 characters
  – Contain at least one character from each of the following:
    • Lowercase letters: a-z
    • Uppercase letters: A-Z
    • Digits: 0-9
    • Special Characters: ( * & ) = ? | ^ } / _ > # : - + ; ] ~ , [ < .

UMC PawPrint Password Requirements

• Your password MAY NOT:
  – Be a word found in a dictionary
  – Be the same as your PawPrint
  – Contain a space
  – Contain symbols other than the approved special characters
  – Contain UMC related terms (tiger, truman, jesse, etc)
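Rules like the MUST/MAY NOT lists above are only useful if they are enforced at the point where the password is set. The following is an added example, not the University of Missouri's own checker: it encodes the PawPrint rules exactly as the slides state them and returns every violated rule rather than just the first, so the user can fix all problems at once. The dictionary and the UMC-related term list are constructed stand-ins (the slides only name tiger, truman and jesse); a real deployment would load a full word list and the university's own term list.

```python
# Added example (not from the original slides): a validator for the UMC
# PawPrint password rules as listed on the slides.
import string

MIN_LEN, MAX_LEN = 8, 26
# Exactly the approved special characters from the slide, nothing else.
APPROVED_SPECIAL = set("(*&)=?|^}/_>#:-+;]~,[<.")
ALLOWED = set(string.ascii_letters) | set(string.digits) | APPROVED_SPECIAL

# Constructed stand-ins (assumption): a real checker would use a full
# dictionary and the university's complete list of local terms.
DICTIONARY = {"password", "secret", "welcome", "football", "christmas"}
UMC_TERMS = {"tiger", "truman", "jesse"}


def check_password(password, pawprint):
    """Return the list of PawPrint rules the password violates (empty = acceptable)."""
    problems = []
    lowered = password.lower()

    # MUST rules
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("must contain a lowercase letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("must contain an uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("must contain a digit")
    if not any(c in APPROVED_SPECIAL for c in password):
        problems.append("must contain an approved special character")

    # MAY NOT rules
    if lowered in DICTIONARY:
        problems.append("may not be a word found in a dictionary")
    if lowered == pawprint.lower():
        problems.append("may not be the same as your PawPrint")
    if " " in password:
        problems.append("may not contain a space")
    disallowed = sorted({c for c in password if c not in ALLOWED and c != " "})
    if disallowed:
        problems.append("may not contain symbols other than the approved set: " + "".join(disallowed))
    if any(term in lowered for term in UMC_TERMS):
        problems.append("may not contain UMC-related terms")
    return problems


if __name__ == "__main__":
    # The two mnemonic passwords from the slide pass; a few typical bad choices do not.
    for candidate in ["Xms25thoD*", "Ihomdf5y.", "tiger123", "Xms25thoD!", "jdoe"]:
        verdict = check_password(candidate, pawprint="jdoe")
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

The substring test for local terms is deliberately broad (it rejects "Tiger2004!" as well as "tiger"), which matches the intent of the slide's "contain UMC related terms" rule; the dictionary test is deliberately narrow (exact match after lowercasing), since a substring dictionary check would reject almost every passphrase-derived password, including the mnemonic examples the slides recommend.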

Things To Avoid When Choosing a Password

• Simple keyboard patterns

• University or state team names

• Use of the word “password” or “secret”

Password Safety

Never share your password with anyone!

There are other methods of granting access to data and systems if there is a legitimate need.

Password Safety (Continued)

• Change your password regularly using the Password Manager.

• Don’t record your passwords any place they could be vulnerable, including Web pages that can store your login ID and password.

Key Point

If it wasn’t hard for you to think of, it won’t be hard for someone else to figure out!

Treat Your Password Like Your Signature

Your password is the major form of protection for your computer account and the University resources that you have permission to access.

UH End User Education

• Information table at Campus Center’s Wireless Day

• Presentations at professional group meetings (clerical, fiscal officers, EEO/gender equity, etc.)

• Departmental meetings

• Invitation by faculty to speak to their class

• ITS workshops each semester

UH Security Awareness Training

• In-person, 1.5 hours, targeting end-user

• Topics:
  – Why care about security? (horror stories)
  – Current threats
  – How to protect computers (passwords, antivirus, vulnerabilities/patching, firewalls, etc.)
  – How to protect information (don’t use SSN, shred personal papers, use of public computers/wireless networks)

Education Alone Is Not Enough

• In addition to educating end users, the University of Missouri-Columbia and the University of Hawaii also focus on technology-based efforts to secure our networks

UH Technology Based Efforts

• Proactive vulnerability scanning and assessments

• Proactive notification of vulnerabilities and patches

• Blocking of problem systems by IP/MAC address

UH Vulnerability Scans

• The Plan:
  – Schedule scans in advance
  – Give results back to IT coordinator
  – Work with IT coordinator to secure vulnerabilities

UH Proactive Notification

• ITS subscribes to Symantec Deep Sight Alerting Services & other security lists

• Notify mailing lists of threats and fixes
  – ITS evaluates threat and vulnerability notifications and alerts departmental contacts

Blocking Compromised Systems From the UH Network

• Block offending systems by IP or MAC address at closest router

• Blocked IP and MAC address listed on a web page

• User contacts department support staff or ITS Help Desk

• Repeat offenders: the user must contact the Security Officer and the system must be inspected by an ITS technician

MU Vulnerability Scans

• Receive vulnerability notifications from Microsoft Premier Support and other security mailing lists

• Scan daily for known vulnerabilities until we reach an acceptable level of risk

MU Proactive Notification

• Working on making daily results available to entire IT professional community

• Update Fix-It-Now tool, SUS server, and patch.missouri.edu server

• In emergency situations we send an e-mail to all on-campus students

Blocking Compromised Systems from the MU Network

• MAC addresses of wired systems are blocked on the current switch

• Wireless systems are blocked on all access points

• Attempt to notify IT professionals when departmental machines are blocked

• Students – re-enable once in good faith

• Departments – re-enable at request of IT professional

Comparison of Philosophy

• MU Philosophy
  – People are always the weakest link, so we must focus on technology based efforts and education at the same time to be successful in improving information security at MU

• UH Philosophy
  – Solutions that will protect/educate the most people with the fewest resources are given highest priority in an effort to quickly improve information security at UH

Results of Different Philosophies

UH

• Utilizes pre-existing events to reach a large number of people quickly (such as meetings and workshops)

• Addresses current events in end-user training in addition to ways for the user to protect themselves

• Focuses on addressing current threats with technology

MU

• Attempts to reach people on a monthly basis in addition to pre-existing events (such as back to school activities)

• Security awareness program focuses on changing user behavior

• Addresses current threats with publications and technology

Results of Different Philosophies

UH

• Utilizes Symantec alerting services to receive vulnerability and threat alerts quickly

• Publishes list of disabled systems to select group of IT support people to allow for quick notification

• Schedules vulnerability scans on a department by department basis

• Works with departmental support people to help remediate vulnerabilities

MU

• Relies on vendors and security organizations to receive vulnerability and threat alerts

• Attempts to notify IT professionals individually when network access is disabled

• Regularly scans entire campus for vulnerabilities

• Notifies IT professionals of vulnerabilities and relies on them to remediate

On-Going Problems at MU

• Metrics are difficult if not impossible to achieve

• Constant struggle to be restrictive in the University environment

• IT is secondary to the job of most people at the University

On-Going Problems at UH

• Not me or don’t care attitude

• Not enough IT support staff

• IT is not a primary responsibility for many department staff/faculty - security is an afterthought

• Security risks/threats are increasing at a rapid pace

Future MU Initiatives

• Publish online security awareness course that we hope to require for all students

• Develop policies and procedures to help us adequately address new security threats or issues without having to reinvent the wheel each time

• Continue to revise the security awareness program to make it relevant for the current user base

Future MU Initiatives

• Complete network efforts currently in progress
  – Blocking outbound SMTP
  – 802.1x authentication for network access
  – Require MAC address registration for network access
  – Implement a secure VPN pool for system administrators
  – IPS

• Require SMTP authentication to send mail through campus e-mail servers

• Finalize and implement a data classification system

Future UH Initiatives

• Complete implementation of current initiatives

• Evaluate additional network policies (restricting SMTP servers, implementing institutional VPNs, develop firewall policies)

• Institute required end-user security training

• Evaluate new technologies/strategies

• Develop method of identifying user/system on the network

While we have different philosophies and different ways of combating problems, both MU and UH have one common goal:

Change user behavior and the culture of our organizations to improve the overall security of our campuses

Questions?

• Feel free to contact us:
  – Carrie McCoy: [email protected]
  – Rebecca Fowler: [email protected]
  – Jodi Ito: [email protected]