How to Secure the “End-User”: Same Goal, Varied Approaches
Carrie McCoy – University of Missouri-Columbia
Rebecca Fowler – University of Missouri-Columbia
Jodi Ito – University of Hawaii
© 2004 Curators of the University of Missouri and the University of Hawaii
University of Missouri - Columbia
• Public University
• Flagship campus in a four campus system
• 15000+ employees
• Outreach and Extension programs (state-wide)
University of Missouri - Columbia
• Approximately 27,000 students
– ~20,500 undergraduates
– ~6500 graduate/professional
• Approximately 6000 students live in University housing
– Most have high speed internet access (ResNet)
MU IT Structure
• Information Access & Technology Services (IATS) is the central IT group
– E-mail
– Campus wired & wireless network
– Voice
– Cable
– Central storage
– Help desk
– Desktop support
– Account Management
– Security
MU Distributed IT Support
• IT Professional community
– Selected by individual departments
• Act as first-tier desktop support for departments
• Liaison between IAT Services and the campus
• Monthly meetings
MU Computing Environment
• 18000 devices on network
– 70.7% Windows, 29.3% other (Mac, Unix, Printers)
• Over 48,000 Active Directory accounts
• 35 computing sites (public and residence halls)
– 1300 public computers
• Wireless coverage is continuing to grow
– 66 campus buildings are wireless
– 232 access points across campus
University of Hawaii
• Statewide public university & community college system
– Governed by one Board of Regents
– Publicly funded institution
– Three 4-year campuses
– Seven community college campuses
– One employment training center
– Five education centers
University of Hawaii
• System-wide:
– Approximately 46,000 students
– 40,000 undergraduates, 6000 graduates
– Approximately 8600 faculty & staff
– Approximately 2800 students in residence halls at Manoa
• Most have high speed access (ResNet)
UH IT Structure
• UH Information Technology Services is the IT support organization (voice, video, data, institutional applications)
• Dual roles:
– System-wide: plan/manage/maintain:
• Primary Internet connections (Internet2, Australia, Japan, commodity Internet)
• Inter-campus connections
– Manoa campus: provide IT support at all levels
UH Distributed IT Support
• Establish IT coordinators group
– To be appointed by Deans, Directors, & Unit Heads
• Will serve as point-of-contact for IT-related incidents/advisories
• Have meetings each semester in addition to workshops and training opportunities
• Form close working relationships to better coordinate IT activities
UH Computing Environment
• Between 20,000-30,000 devices connected to the network
• Over 1000 publicly-accessible computers in labs
• 100,000+ UH Usernames issued
Common Problems
• Combat security incidents proactively
– Worms and viruses
– Spyware
– Copyright violations
– Account Compromises
• People don’t understand that security is their responsibility
MU Worm/Virus Statistics
• Blaster
– 3689 infected systems (September 2003)
• Beagle
– 530 infected systems (March 2004)
• Sasser
– 251 infected systems (May 2004)
Other MU Incident Statistics
• Currently blocking over 500 IP/MAC addresses
• 97 copyright infringement complaints since July 2003
• 743 probing/unauthorized attempt complaints since July 2003
• 105 complaints of spam relayed through an MU host
Other UH Incident Statistics
• Week of May 3rd, 2004 - over 240 unique IPs infected with Sasser/Gaobot variant
– DHCP is used in some areas, so more than one system may have used a single IP, or the same compromised system may have appeared under different IPs
• Currently blocking over 330 IP/MAC addresses
• Approximately 70 copyright infringement complaints since January 2004
• 200+ spam/probing/unauthorized attempt complaints since January 2004
Overall Approach to Common Problems
• Both MU and UH decided that it would not be enough to just use technology solutions to combat or prevent problems
• Dual focus:
– End-user education
– Technology efforts
MU End-User Education
• Creation of a comprehensive security awareness program
• Theme: “You are the key to security!”
• Worked with internal Creative Services group to create a logo
MU Security Awareness Program
• Two main components of program
– Activities based on monthly topics
– Security awareness training
• Trying to reach varied audiences
– Faculty/Staff
– On-campus students
– Off-campus students
Monthly Topics
• Planned topics 10 months in advance with the idea that they could change
• Example topics:
– Password safety and security
– Virus protection
– DMCA
– AUP
– Workstation security
– E-Mail security
Monthly Activities
• Technology newsletter articles (goes to all students and 9000 faculty/staff)
• Poster campaigns
• Guest speakers
• Payroll stuffers
• Presentations to organizations
• Targeted mass e-mails
Examples of Monthly Activities
• January: Password Safety and Security
– Posters
– Technology newsletter article
– Mass e-mail about password reset campaign to all faculty, staff, and students
• April: Cyber Security
– Guest speaker from FBI cyber crime task force
– Presentation to graduate class in College of Business
– Security awareness webpage highlighting cyber security
Security Awareness Training
• One hour instructor led course
– Password safety
– Workstation security
– Physical security
– Internet and e-mail security
– Social Engineering/Principle of least privilege
– FERPA/HIPAA overview
• Online course in development
– Same topics as instructor led course
– Student version and faculty/staff version
Key Points
• Don’t use your PawPrint and password on external entities.
• Always choose a secure password!
Password Cracking – It’s Easier Than You Think!
Estimated time to crack, by password length (rows) and character set (columns):

# of Characters   26 (abc)            36 (abc123)          52 (AaBbCc)
6                 51.5 minutes        3.74 hours           13.7 days
7                 22.3 hours          9.07 days            3.91 months
8                 24.2 days           10.7 months          17.0 years
9                 1.72 years          32.2 years           8.82 centuries
10                44.8 years          1.16 millennia       45.8 millennia
11                11.6 centuries      41.7 millennia       2,384 millennia
12                30.3 millennia      1,503 millennia      123,946 millennia
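The slide does not say how the table above was computed. The following is an added example, not part of the original presentation: it recomputes the table as the time to try every password of a given length over a given character set at a fixed guess rate. The rate of 100,000 guesses per second is an assumption inferred here because it reproduces the slide's figures for lengths 7 and up to rounding (for example 26^7 guesses at that rate take 22.3 hours); the final call shows what the same 8-character, 52-symbol password looks like at an illustrative rate of one billion guesses per second, which is the caveat a reader should take from such a table. Function names are this example's own.

```python
# Added example (not from the original presentation): recompute the slide's
# brute-force table from a guess rate. The slide does not state the rate it
# assumed; 100,000 guesses per second is an inference that reproduces its
# figures for lengths 7 and up (e.g. 26^7 / 100,000 per second = 22.3 hours).
from typing import Dict, Iterable, List, Tuple

DAY = 86_400
YEAR = 365.25 * DAY          # Julian year: 31,557,600 seconds
MONTH = YEAR / 12            # 30.4375 days

# Largest unit first; humanize() picks the first unit the duration reaches.
UNITS: List[Tuple[str, float]] = [
    ("millennia", 1000 * YEAR),
    ("centuries", 100 * YEAR),
    ("years", YEAR),
    ("months", MONTH),
    ("days", DAY),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = 100_000) -> float:
    """Worst case for the attacker: every password in the keyspace is tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit it reaches, three significant figures."""
    for name, size in UNITS:
        if seconds >= size:
            value = seconds / size
            # Beyond 1000 of a unit, show a plain integer rather than 1.5e+03.
            return f"{value:,.0f} {name}" if value >= 1000 else f"{value:.3g} {name}"
    return f"{seconds:.3g} seconds"


def build_table(lengths: Iterable[int] = range(6, 13),
                alphabets: Tuple[int, ...] = (26, 36, 52),
                guesses_per_second: float = 100_000) -> Dict[int, Dict[int, str]]:
    """Map password length -> alphabet size -> human-readable exhaustive search time."""
    return {n: {a: humanize(seconds_to_exhaust(a, n, guesses_per_second)) for a in alphabets}
            for n in lengths}


if __name__ == "__main__":
    alphabets = (26, 36, 52)
    print(f"{'chars':>5} " + " ".join(f"{a:>18}" for a in alphabets))
    for n, row in build_table().items():
        print(f"{n:>5} " + " ".join(f"{row[a]:>18}" for a in alphabets))
    # Same 8-character, mixed-case password, but at an (illustrative, assumed)
    # rate of one billion guesses per second instead of 100,000.
    print("52^8 at 1e9 guesses/s:", humanize(seconds_to_exhaust(52, 8, 1_000_000_000)))
```

Because the time scales linearly with the guess rate, every entry in the table shrinks by the same factor when the attacker's hardware improves; the character-set size and length are what the user controls, and they enter exponentially.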
What Could Someone Do If They Had Your Password?
• Send threatening e-mail on your behalf
• Access Web sites on which you have enabled one-click ordering and purchase items with your credit card
What Could Someone Do If They Had Your Password?
• Connect to MU e-mail servers and spam thousands of people
• Gain access to the MU network and attack other entities on your behalf
Choose a Secure Password
• Easy to remember
• Can be typed quickly without having to look at the keyboard
• Mix of apparently random letters, digits, and punctuation
UMC PawPrint Password Requirements
• Your password MUST:
– Consist of between 8 and 26 characters
– Contain at least one character from each of the following:
• Lowercase letters: a-z
• Uppercase letters: A-Z
• Digits: 0-9
• Special Characters: ( * & ) = ? | ^ } / _ > # : - + ; ] ~ , [ < .
UMC PawPrint Password Requirements
• Your password MAY NOT:
– Be a word found in a dictionary
– Be the same as your PawPrint
– Contain a space
– Contain symbols other than the approved special characters
– Contain UMC related terms (tiger, truman, jesse, etc)
Things To Avoid When Choosing a Password
• Simple keyboard patterns
• University or state team names
• Use of the word “password” or “secret”
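The MUST / MAY NOT rules and the "things to avoid" list above are concrete enough to enforce at password-change time. The following checker is an added example and not the university's own code: it implements exactly the rules the slides state, returning every violation rather than stopping at the first so the user can fix them all at once. The dictionary is a tiny constructed stand-in for a real word list, the three UMC-related terms are the ones the slide names, and the function and constant names are this example's own. One choice that goes slightly beyond the slide's wording is labelled in the code: the dictionary rule is also applied to the password with digits and symbols stripped, so "Sunshine1." is caught as the dictionary word it is built on.

```python
# Added example (not from the original presentation): enforce the UMC PawPrint
# password rules listed on the slides and report every violation.
import re
from typing import List, Set

LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")
# Exactly the special characters the slide lists as approved (note: ! @ $ % { are not).
APPROVED_SPECIALS = set("(*&)=?|^}/_>#:-+;]~,[<.")
ALLOWED = LOWER | UPPER | DIGITS | APPROVED_SPECIALS

# The slide names these three; a real deployment would keep a fuller list.
UMC_TERMS = ("tiger", "truman", "jesse")
# From the "Things To Avoid" slide.
BANNED_WORDS = ("password", "secret")
# Constructed stand-in for a real dictionary file.
DICTIONARY: Set[str] = {"sunshine", "football", "columbia", "missouri", "welcome"}


def check_password(password: str, pawprint: str,
                   dictionary: Set[str] = DICTIONARY) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []

    if not 8 <= len(password) <= 26:
        problems.append("length must be 8-26 characters")
    if " " in password:
        problems.append("contains a space")

    # Anything outside a-z, A-Z, 0-9 and the approved specials is rejected
    # (the space is reported separately above).
    unapproved = sorted(set(password) - ALLOWED - {" "})
    if unapproved:
        problems.append("contains unapproved symbols: " + "".join(unapproved))

    if not any(c in LOWER for c in password):
        problems.append("needs a lowercase letter")
    if not any(c in UPPER for c in password):
        problems.append("needs an uppercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("needs a digit")
    if not any(c in APPROVED_SPECIALS for c in password):
        problems.append("needs an approved special character")

    lowered = password.lower()
    # This example's stricter reading of "a word found in a dictionary": also
    # reject a dictionary word padded with digits/symbols ("Sunshine1." -> "sunshine").
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or core in dictionary:
        problems.append("is a dictionary word")

    if lowered == pawprint.lower():
        problems.append("is the same as the PawPrint")

    for term in UMC_TERMS:
        if term in lowered:
            problems.append(f"contains UMC-related term '{term}'")
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append(f"contains the word '{word}'")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" is a made-up PawPrint.
    for candidate in ("Rb7>kq_Q2m", "Sunshine1!", "GoTigers2004#", "Ab1> cdef"):
        verdict = check_password(candidate, "jdoe") or ["OK"]
        print(f"{candidate!r}: " + "; ".join(verdict))
```

Reporting all violations at once also makes the policy easier to audit: the same function can be run over an export of rejected attempts to see which rule users trip most often, which is the kind of metric the "On-Going Problems" slides say is hard to obtain.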
Password Safety
Never share your password with anyone!
There are other methods of granting access to data and systems if there is a
legitimate need.
Password Safety (Continued)
• Change your password regularly using the Password Manager.
• Don’t record your passwords any place they could be vulnerable, including Web pages that can store your login ID and password.
Treat Your Password Like Your Signature
Your password is the major form of protection for your computer account and
the University resources that you have permission to access.
UH End User Education
• Information table at Campus Center’s Wireless Day
• Presentations at professional group meetings (clerical, fiscal officers, EEO/gender equity, etc.)
• Departmental meetings
• Invitation by faculty to speak to their class
• ITS workshops each semester
UH Security Awareness Training
• In-person, 1.5 hours, targeting end-user
• Topics:
– Why care about security? (horror stories)
– Current threats
– How to protect computers (passwords, antivirus, vulnerabilities/patching, firewalls, etc.)
– How to protect information (don’t use SSN, shred personal papers, use of public computers/wireless networks)
Education Alone Is Not Enough
• In addition to educating end users, the University of Missouri-Columbia and the University of Hawaii also focus on technology-based efforts to secure our networks
UH Technology Based Efforts
• Proactive vulnerability scanning and assessments
• Proactive notification of vulnerabilities and patches
• Blocking of problem systems by IP/MAC address
UH Vulnerability Scans
• The Plan:
– Schedule scans in advance
– Give results back to IT coordinator
– Work with IT coordinator to secure vulnerabilities
UH Proactive Notification
• ITS subscribes to Symantec Deep Sight Alerting Services & other security lists
• Notify mailing lists of threats and fixes
– ITS evaluates threat and vulnerability notifications and alerts departmental contacts
Blocking Compromised Systems From the UH Network
• Block offending systems by IP or MAC address at closest router
• Blocked IP and MAC address listed on a web page
• User contacts department support staff or ITS Help Desk
• Repeat offenders: the user must contact the Security Officer, and the system must be inspected by an ITS technician
MU Vulnerability Scans
• Receive vulnerability notifications from Microsoft Premier Support and other security mailing lists
• Scan daily for known vulnerabilities until we reach an acceptable level of risk
MU Proactive Notification
• Working on making daily results available to entire IT professional community
• Update Fix-It-Now tool, SUS server, and patch.missouri.edu server
• In emergency situations we send an e-mail to all on-campus students
Blocking Compromised Systems from the MU Network
• MAC addresses of wired systems are blocked on the current switch
• Wireless systems are blocked on all access points
• Attempt to notify IT professionals when departmental machines are blocked
• Students – re-enable once in good faith
• Departments – re-enable at request of IT professional
Comparison of Philosophy
• MU Philosophy
– People are always the weakest link, so we must focus on technology based efforts and education at the same time to be successful in improving information security at MU
• UH Philosophy
– Solutions that will protect/educate the most people with the fewest resources are given highest priority in an effort to quickly improve information security at UH
Results of Different Philosophies
UH
• Utilizes pre-existing events to reach a large number of people quickly (such as meetings and workshops)
• Addresses current events in end-user training in addition to ways for the user to protect themselves
• Focuses on addressing current threats with technology
MU
• Attempts to reach people on a monthly basis in addition to pre-existing events (such as back to school activities)
• Security awareness program focuses on changing user behavior
• Addresses current threats with publications and technology
Results of Different Philosophies
UH
• Utilizes Symantec alerting services to receive vulnerability and threat alerts quickly
• Publishes list of disabled systems to select group of IT support people to allow for quick notification
• Schedules vulnerability scans on a department by department basis
• Works with departmental support people to help remediate vulnerabilities
MU
• Relies on vendors and security organizations to receive vulnerability and threat alerts
• Attempts to notify IT professionals individually when network access is disabled
• Regularly scans entire campus for vulnerabilities
• Notifies IT professionals of vulnerabilities and relies on them to remediate
On-Going Problems at MU
• Metrics are difficult if not impossible to achieve
• Constant struggle to be restrictive in the University environment
• IT is secondary to the job of most people at the University
On-Going Problems at UH
• Not me or don’t care attitude
• Not enough IT support staff
• IT is not a primary responsibility for many department staff/faculty - security is an afterthought
• Security risks/threats are increasing at a rapid pace
Future MU Initiatives
• Publish online security awareness course that we hope to require for all students
• Develop policies and procedures to help us adequately address new security threats or issues without having to reinvent the wheel each time
• Continue to revise the security awareness program to make it relevant for the current user base
Future MU Initiatives
• Complete network efforts currently in progress
– Blocking outbound SMTP
– 802.1x authentication for network access
– Require MAC address registration for network access
– Implement a secure VPN pool for system administrators
– IPS
• Require SMTP authentication to send mail through campus e-mail servers
• Finalize and implement a data classification system
Future UH Initiatives
• Complete implementation of current initiatives
• Evaluate additional network policies (restricting SMTP servers, implementing institutional VPNs, develop firewall policies)
• Institute required end-user security training
• Evaluate new technologies/strategies
• Develop method of identifying user/system on the network
While we have different philosophies and different ways of combating problems, both MU and UH have one common goal:
Change user behavior and the culture of our organizations to improve the overall security of our campuses
Questions?
• Feel free to contact us:
– Carrie McCoy: [email protected]
– Rebecca Fowler: [email protected]
– Jodi Ito: [email protected]