How to Successfully Defend Against IRC Bots, Compromises, and Information Leaks Tammy L. Clark, CISO, Georgia State University William Monahan, Lead Information Security Administrator, Georgia State University



Data Breaches Are Popping Up Everywhere Lately…

• According to the Privacy Rights Clearinghouse, there have been 236 data breaches reported in 2006.

• Of this number, 47 incidents reported were universities reporting sensitive data leaks (How many go unreported?) and of this total, 24 were due to hacking/unauthorized access

• 74 incidents occurred due to human error--web site misconfigurations, application bugs, or mishandled documents/receipts that caused data exposures

• 102 of these incidents involved backup tapes, documents, and/or unencrypted computers containing sensitive data repositories that were stolen

• 60 of the total breaches reported for all types of organizations were a result of unauthorized access/intrusions

• Bruce Schneier: “Securing university networks is an excellent example of the social problems surrounding network security being harder than the technical ones.”

The Threat of Human Errors

• Increasingly, human errors account for two thirds of the data breaches that occur, due to the following reasons:

– Misconfigured systems, web sites and applications

– Paper documents that are not properly stored, handled or shredded

– Computer hard drives that are not properly disposed of

Data Leakages Outside the Perimeter

• As ‘sensitive’ data finds its way off campus, the risk of data exposures increases exponentially for the following reasons:

– Mobile users manipulating sensitive data on systems that are easily hacked or that lack good security measures, including weak passwords, lack of encryption, and inadequate system configurations and controls

– Theft of mobile devices

– Backups or data tapes lost or stolen in transit

A Little Background Info

• Georgia State’s information security program launched in 2000

• Currently, 3 dedicated staff members serve the campus community

• 10,000 staff and faculty

• 30,000+ students

• Decentralized information technology environment

Preventing Compromises, IRC Bots and Information Leaks

• Prior to 2005, we had between 20-50 incidents a day involving compromised or malware infected systems

• Since late 2005, security incidents involving university systems and data have dropped dramatically to between 0-1 a week—most of these involve misconfigured systems that can be exploited by hackers

• We also routinely detect between 1-10 malware compromised ‘non university’ systems a week brought in by students using wireless or various labs & classrooms on campus

Our Information Security Roadmap

• Information Security Plan based on ISO 17799

• Prioritized Yearly Action Plans

• Secure Computing Initiative

• Policy and Procedures

• Risk Analyses and Security Assessments

• Compliance Initiatives (HIPAA, PCI, GLBA)

• Remote Access Project

• Building Consensus through Collaborations with Committees and Taskforces

• Security operations that include monitoring and incident handling

• CSIRT mobilization

• Provision of customized training to campus college/dept. systems administrators that allows them to manage their own assets in a hierarchical ‘child domain’ structure within our security monitoring systems

• Online Security Awareness Training

• Defense In Depth through layering in new policies, procedures, and solutions

Campus Security Plan Based on ISO 17799

• Two years ago, we developed a holistic, comprehensive security plan based on ISO 17799—133 controls and 12 domain areas

• As we developed the initial plan, we conducted a ‘state of security’ assessment in each domain area and developed action plans to address deficiencies

• We modify our plan each year to incorporate changes in the ISO 17799 standard, as well as new requirements due to compliance legislation, university policies, risk analyses

• We also develop action plans each year which lead to the addition of policies, procedures, and new solutions being layered into our security infrastructure

GSU’s Secure Computing Initiative

• In response to regulatory requirements to protect sensitive information, we established a program in 2005 that mandates the use of AV, IPS, strong passwords, secure device configurations, and successful completion of an electronic security awareness course

• We conduct a risk analysis of business processes, applications being used, and hardware systems involved, to determine if sensitive information is being stored, processed and handled in a reasonably secure manner

• We require college/department information technology representatives to provide us with an inventory of systems and a survey questionnaire specifying what steps they are taking in the areas of controls, backups, disaster recovery, etc.

• We provide them with customized antivirus builds and desktop IPS as well as ‘child domains’ on our security monitoring systems that allow them to manage their own devices/policies

• We mandate controls on servers and in front of internet-connected devices if sensitive information is involved

Risk Analyses and Security Reviews

• We conduct a risk analysis to determine if sensitive information is being stored, processed and handled in a reasonably secure manner

• As colleges and dept’s at GSU acquire new technology from vendors to assist in their academic or business endeavors, we get involved in assessing the potential risk that new devices, software, etc., can introduce

• We conduct vulnerability assessments and testing using a variety of tools and methods

• We also examine business processes which can include how paper documents are stored or destroyed, disposal of computer hard drives, electronic transmission of financial information to 3rd parties, imaging, sharing information with external entities through email, FTP, remote administration and access, etc.

Compliance

• A new policy mandating risk assessments prior to the approval of funding for IT projects on our campus has resulted in over 50 large scale risk assessments being completed so far in 2006, that mandate controls and in some cases, led to the development of new policies and procedures due to sensitive or ‘regulated’ information being involved

• We instituted a process with departments on campus that grant access to information that is deemed sensitive or subject to legislative requirements to conduct security audits

• We routinely conduct risk assessments to analyze business processes, application security configurations, and provide checklists and procedures to secure workstations and servers

• We are working with the data stewards on our campus to initiate security reviews when any users on campus request access to sensitive information

• We require 3rd parties who interface with business systems on campus to provide contractual assurances that they are reasonably secure and require them to use specified methods to access our network and/or in managing applications or systems they are responsible for

• We also utilize our IPS systems to apply granular levels of protection to internet connected devices that are involved

HIPAA Compliance Matrix

Remote Access Project

• In cooperation with other agencies on campus, we completed a project that resulted in the following:

– Modification of our remote access policy to clarify that VPN usage is mandatory and, in the case of individuals storing or processing sensitive information, approved and recommended methods of remote access

– Creation of a new website to distribute a customized PC Anywhere build that has been tested and secured

– Obtained approval to utilize our Intrushield IPS to deny access to specific protocols or services (RDP, IRC, PC Anywhere, VNC, etc.) unless the campus VPN was used

Security Operations

• We have several security monitoring systems that provide critical information to us about attacks and intrusions 24/7

• We establish automated alerting and reporting mechanisms within Intrushield and ISS SiteProtector to provide targeted information

• We are offering training to network operations and helpdesk technicians to allow them to field alerts 24/7 and create helpdesk tickets, make notifications, and contact us to analyze information that comes in about potential attacks and incidents

• We have an experienced security operations/incident handler in our department who collects data and manages incidents during business hours. We also have a CSIRT on campus and a policy that allows us to decide to disrupt network services to any device that represents a threat to the university, if necessary without prior notification

Security Awareness

• We provide security awareness presentations on demand and are in the process of distributing a WebCT Vista security awareness course to campus users

• We are working to have this electronic course distributed to all incoming freshman students as part of their “freshman communities” curriculum. We require everyone on campus processing sensitive information to take the course and achieve a passing score on the test that accompanies it

• We are working with human resources staff members to include the course in their new employee orientations

Malware is Constantly Getting into Our Campus Networks

• Having effective visibility of your network traffic coupled with the ability to prevent a very high percentage of known malware from coming into your campus network is critical

• In cases where hackers do gain unauthorized access or zero day malware infections occur, you need to be able to quickly detect the presence of malware, contain the spread, get the compromised system(s) off your network, and deter the attacker/threat from continuing or returning…

• Implementing a defense in depth strategy that applies customized levels of protection to networked systems & devices is imperative in being able to successfully combat malware invasions and prevent data breaches

• Behind the scenes, you must continually educate campus users and systems administrators, conduct security audits and risk analyses, and put systems (technology), policies and procedures in place that address access, authentication, authorization, protection of sensitive information, and regulatory compliance

Georgia State’s Security Architecture

• In addition to AV on the desktops and/or servers, robust gateway AV scanning and anti-spam appliances √

• Dynamic blocking at the edge via IPS √

• Centrally-maintained “push” patch management √

• IPS on desktops and servers √

• Ability to mandate use of “strong” passwords, through a combination of policy and technology

• VPN required for remote access

• Encrypted data transmission

• Vulnerability assessment and risk analysis

• A SIM or central logging facility to gather disparate data gathered daily from firewalls, IDS, IPS, AV, etc., with data correlation and reporting

• 24/7 monitoring and incident detection/response
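The architecture above lists a SIM or central logging facility that correlates firewall, IDS, IPS and AV data, and the Remote Access Project earlier in the deck describes an IPS policy that denies RDP, IRC, PC Anywhere and VNC unless the campus VPN is used. The Python script below is an added example and is not code from this presentation or from Georgia State; it shows the two correlations such a facility would run over constructed, syslog-style connection records: flagging campus hosts that repeatedly connect outbound to IRC ports (the pattern an IDS audit uses to spot bot command-and-control traffic), and auditing whether inbound remote-access sessions that the edge allowed actually arrived from the VPN address pool. The record format, the campus range (10.20.0.0/16), the VPN pool (172.16.200.0/24) and the port-to-service mapping are all assumptions made for the example.

```python
"""Two correlation rules over central firewall/IPS logs (added example, constructed data)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in an assumed syslog-style format; not real campus traffic.
SAMPLE_LOG = """\
Oct 12 09:01:02 edge-ips conn src=10.20.1.15 dst=203.0.113.9 dport=6667 proto=tcp action=allow
Oct 12 09:01:07 edge-ips conn src=10.20.1.15 dst=203.0.113.9 dport=6667 proto=tcp action=allow
Oct 12 09:02:11 edge-ips conn src=10.20.1.15 dst=198.51.100.4 dport=7000 proto=tcp action=allow
Oct 12 09:03:40 edge-ips conn src=10.20.7.3 dst=203.0.113.9 dport=6667 proto=tcp action=allow
Oct 12 09:04:02 edge-ips conn src=10.20.4.8 dst=198.51.100.77 dport=443 proto=tcp action=allow
Oct 12 09:05:30 edge-ips conn src=192.0.2.50 dst=10.20.9.2 dport=3389 proto=tcp action=allow
Oct 12 09:06:00 edge-ips conn src=172.16.200.12 dst=10.20.9.2 dport=3389 proto=tcp action=allow
Oct 12 09:07:15 edge-ips conn src=192.0.2.51 dst=10.20.9.5 dport=5900 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

CAMPUS = ip_network("10.20.0.0/16")        # assumed campus address space
VPN_POOL = ip_network("172.16.200.0/24")   # assumed address pool handed out by the campus VPN
IRC_PORTS = set(range(6660, 6670)) | {7000}  # common IRC server ports
# Services the deck says the IPS should deny unless the session comes through the VPN.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5631: "PC Anywhere", 5632: "PC Anywhere",
                       5900: "VNC", 6667: "IRC"}


def parse(log_text):
    """Turn the raw records into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
                           "dport": int(m["dport"]), "proto": m["proto"],
                           "action": m["action"]})
    return events


def suspected_irc_bots(events, min_conns=2):
    """Campus hosts with repeated outbound connections to IRC ports.

    A single connection may be a person using IRC; repeated connections from one
    host are what an analyst would pull for further review as possible bot C&C.
    """
    counts = defaultdict(int)
    for e in events:
        if e["src"] in CAMPUS and e["dst"] not in CAMPUS and e["dport"] in IRC_PORTS:
            counts[str(e["src"])] += 1
    return sorted(host for host, n in counts.items() if n >= min_conns)


def remote_access_violations(events):
    """Allowed inbound remote-access sessions to campus hosts that did not come via the VPN pool.

    Denied records are the IPS doing its job; only allowed ones point at a gap in
    the policy (for example a device outside the restricted domain).
    """
    findings = []
    for e in events:
        if (e["action"] == "allow" and e["dst"] in CAMPUS
                and e["dport"] in REMOTE_ACCESS_PORTS
                and e["src"] not in CAMPUS and e["src"] not in VPN_POOL):
            findings.append((str(e["src"]), str(e["dst"]), REMOTE_ACCESS_PORTS[e["dport"]]))
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("suspected IRC bots:", suspected_irc_bots(events))
    for src, dst, service in remote_access_violations(events):
        print(f"remote-access policy gap: {service} to {dst} from {src} (not via VPN pool)")
```

On the constructed data the first rule reports 10.20.1.15 (three outbound IRC connections) and leaves 10.20.7.3 below the threshold, while the second rule reports the RDP and VNC sessions from 192.0.2.50 and 192.0.2.51 and accepts the RDP session from the VPN pool. In a real SIM both rules would be enriched with the IDS signature hits and AV alerts the deck mentions before a ticket is opened.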

Security Architecture Continued

• Regulatory compliance in ensuring minimum levels of security on networked devices processing sensitive info√

• An online security awareness course (we used WebCT Vista) that can be distributed to faculty, staff, and students √

• Establishment of secure, trusted zones that are separated from the rest of the network √

• Access/authentication requirements on every wired port (except public access stations) and wireless areas √

• Identity management system

• Encrypted data on mobile systems (storage & transmission)

IPS at The Edge, Anyone?

• We implemented McAfee’s Intrushield 4000 appliance in early 2005

• We selected Intrushield as it allows us to create thousands of virtual ‘child’ domains with just one appliance that can apply very granular, customized policies to protect networked devices. Unlike our ISS RealSecure IDS, which we still maintain due to auditing capabilities that allow us to easily detect IRC bots and compromised systems, the Intrushield IPS allows us to dynamically block attacks in real time, 24/7

• We maintain an overall GSU policy that is applied to networked devices not housed under specific child domains. We also shield a group of high risk devices with a very restrictive policy. We create child domains for various colleges and departments and allow them to specify additional things they want to restrict via their departmental policies, such as P2P applications

• We provide training to campus systems administrators and allow them to obtain a child domain, maintain their own policies and gain access to the management console to view all activity on just their specific areas
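The child-domain model described above is a policy hierarchy: a campus-wide default policy covers every device, a very restrictive policy shields a small high-risk group, and each college or department domain adds its own restrictions (such as P2P) on top of the default. The Python resolver below is an added example, not Intrushield’s configuration format or any Georgia State code; it shows how such a hierarchy is evaluated for one device address: the base policy always applies, nested child domains contribute their blocks from least to most specific, and a device placed in the high-risk group receives the restrictive policy instead. The domain names, networks and block categories are constructed for the example.

```python
"""Resolve a layered 'child domain' IPS policy for a device (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Campus-wide default applied to every device not otherwise covered (constructed).
BASE_POLICY = {"name": "GSU default", "block": {"irc-botnet", "known-worm-exploits"}}

# Restrictive shield for the high-risk group; it replaces the hierarchy rather than extending it.
HIGH_RISK_POLICY = {
    "name": "high-risk shield",
    "block": {"irc-botnet", "known-worm-exploits", "rdp", "vnc", "p2p", "outbound-smtp"},
}

# Child domains: a college, a narrower lab sub-domain inside it, and a second college
# that has not asked for anything beyond the default.
CHILD_DOMAINS = [
    {"name": "College A", "network": ip_network("10.20.30.0/24"), "block": {"p2p"}},
    {"name": "College A / student lab", "network": ip_network("10.20.30.128/25"), "block": {"ftp"}},
    {"name": "College B", "network": ip_network("10.20.40.0/24"), "block": set()},
]

HIGH_RISK_HOSTS = {ip_address("10.20.40.250")}   # constructed membership list


def resolve_policy(host):
    """Return the chain of policies that apply to a device and the union of blocked categories."""
    ip = ip_address(host)
    if ip in HIGH_RISK_HOSTS:
        return {"chain": [HIGH_RISK_POLICY["name"]], "block": sorted(HIGH_RISK_POLICY["block"])}
    # Every domain containing the address applies; order them parent-first by prefix length.
    matching = sorted((d for d in CHILD_DOMAINS if ip in d["network"]),
                      key=lambda d: d["network"].prefixlen)
    chain = [BASE_POLICY["name"]] + [d["name"] for d in matching]
    blocked = set(BASE_POLICY["block"])
    for domain in matching:
        blocked |= domain["block"]      # children can only add restrictions, never remove them
    return {"chain": chain, "block": sorted(blocked)}


def is_blocked(host, category):
    """True if traffic in the given category is blocked for this device under its resolved policy."""
    return category in resolve_policy(host)["block"]


if __name__ == "__main__":
    for addr in ("10.20.30.5", "10.20.30.200", "10.20.40.1", "10.20.40.250", "10.20.50.1"):
        policy = resolve_policy(addr)
        print(f"{addr:14} {' > '.join(policy['chain']):45} blocks {policy['block']}")
```

The design choice worth noting is that a child domain can only add blocks to what it inherits, so a departmental administrator who maintains their own policy cannot weaken the campus-wide one; this is what lets the central team delegate console access for a domain without giving up the baseline.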

Intrushield

IPS on Desktops and Servers

• We deployed ISS SiteProtector in 2003, a central console that can manage network, server, and desktop sensors. The network sensors perform the IDS function and the server and desktop sensors have IPS capabilities built in.

• We began distributing desktop IPS clients in 2004 to residential students. From there, we provided them to staff maintaining campus labs and classrooms. Various systems administrators are in the process of deploying server sensors to protect their critical systems.

• We group desktop and server sensors by colleges and departments and we also create sub-domains underneath these groupings that apply more granular policies to specific systems.

• We provide training to campus systems administrators and allow them to manage their sensor groups, distribute and install sensors, maintain their own policies and gain access to the management console to view activity on just their specific areas

ISS SiteProtector

Managed Antivirus

• We distribute Symantec antivirus to all Windows and Mac systems on campus and allow users to install it on remote systems as well

• We provide a managed client that allows us to “push” AV updates as they come out and group the clients by the college or department they fall into. We also provide an unmanaged client for our remote users

• We provide targeted information about worms and viruses to campus administrators and plan to allow them access to their own groups on our management console once Symantec releases the ability to distribute management of AV clients

Symantec Antivirus

Defense In Depth Strategy

• The challenge we all face in seeking to protect customer information and university technical resources is achieving a delicate balance between applying controls and utilizing these resources at optimum levels of efficiency and effectiveness

• From 2000 to the third quarter of 2004, we layered existing technological solutions, devised processes that often required the active participation of the campus community and we found that we could not stem the tide of blended malware threats that managed to evade our controls

• The emergence of IPS at the edge, on servers and desktops, along with regulatory requirements that mandate minimum levels of security, has evolved our efforts to allow us to be more proactive and to manage security “end to end” on the network, rather than exist in a purely reactive mode. These controls are for the most part transparent to our campus community, as we do not deploy some of the more intrusive measures these solutions are capable of.

Defense in Depth Cont.

• We constantly devise policies and processes that can be instituted to better protect network devices, more often than not, without user intervention. We focus on educating staff, faculty, and users about policies, mandated requirements, and about the threats and vulnerabilities they will encounter when they utilize systems connected to the internet…

• We’ve achieved a measure of success at this point, but we continue to examine new technologies that surface such as ‘self defending networks’ and complex ones such as ‘IDMS’ to allow us to mitigate the effects of mobile users bringing infected systems to campus and access/authentication issues

Of Interest To Higher Ed Information Security Staffs

• www.educause.edu/security The EDUCAUSE Security Task Force and a wealth of downloadable content

• http://www.educause.edu/securityconference The Security Professionals Conference Archive

• http://www.ren-isac.net/ Research and Education Networking – Information Sharing and Analysis Center

• http://www.privacyrights.org/ar/ChronDataBreaches.htm Privacy Rights Clearinghouse--A Chronology of Data Breaches

Case Studies of Interest to Higher Ed Practitioners

• “When Bots Attack,” Baseline Magazine’s April 2006 Issue (discusses Auburn University’s experiences with IRC Bots) http://www.baselinemag.com/current_issue/0,1542,i=1818,00.asp

• “Remote Control Wars,” SC Magazine’s June 2006 Issue (discusses defense-in-depth approach to mitigating the bot threat) http://www.scmagazine.com/us/news/article/562997/remote+control+wars

• “Attack of the iPods,” CSO Magazine’s May 2006 Issue (discusses the threat of malware implanted on iPods, MP3 players and USB devices) http://www.csoonline.com/read/050106/ipods.html

• “Security Survival Guide,” Baseline Magazine’s May 2006 Issue (discusses tips & techniques to survive the malware onslaught) http://www.baselinemag.com/article2/0,1540,1962511,00.asp

• “Invasion of the Computer Snatchers,” Washington Post Feb 2006 Article (discusses the methods by which hackers are commandeering computers to steal sensitive data, send spam, etc.) http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html

• Bruce Schneier on Security, A weblog covering security and security technology, University Networks and Data Security, September 2006 http://www.schneier.com/blog/archives/2006/09/university_netw.html

Questions?

Copyright Tammy L. Clark, October 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.