The EDUCAUSE Security Professionals Experience
Brian Moeller, CISSP
The Ohio State University
Pre-Conference
Exercise in Ethical Hacking
The Keynote
Dan Larkin, FBI, http://www.ic3.gov
The Botherd is coming!
Overview of how a help desk operation dealt with an infestation of bots.
Complete title: The Botherd is Coming! How Education and Technology Can Stop The Stampede
Defining the Security Domain
Nothing good to say about this one
PKI at UW-Madison
Vendor/institution team effort
Presentation covered decisions, costs, timeframes
Vendor handled himself with class
Detection and Investigation of Compromised Hosts on Campus
An affirmation…
Information Sharing the MOREnet Way
MOREnet is similar to OARnet (but smaller)
Information sharing the MOREnet way: How not to keep secrets
Randy Raw, Beth Young
MOREnet Security, [email protected]
Objectives:
Introductions
What is MOREnet
Communication options
Conferences
Expanding the security community
Introductions
Randy Raw
– CISSP, August 2005
– 1.5 years with MOREnet
– Former Director of Technology Services at Linn State Technical College
– Former Technology Coordinator for the Osage County R-II schools
Beth Young
– CISSP, July 2003
– 5 years with MOREnet
– Former Network Analyst, University of Missouri Columbia
What is MOREnet
The Missouri Research and Education Network (MOREnet) provides Internet connectivity, access to Internet2, technical support, videoconferencing services and training to Missouri's K-12 schools, colleges and universities, public libraries, health care, state government and other affiliated organizations.
What does the Security office do?
Assist with incident response
Liaison with law enforcement
Gather information for dissemination
Knowledge transfer
The “Old Days”
We were the bad guys. Nobody talked to us because they were afraid we would use it against them.
We were a “ticket numbers” group.
Policy issues kept us from being proactive and helpful
What have we done to change?
Change how we do what we do
Communicate regularly to our members, not just when they have a problem
Provide opportunities for members to learn and help them secure their networks, not just be their Internet police
Establish goals to reduce ticket counts, especially nuisance tickets
Create and communicate a security roadmap
The “kinder and gentler” security: changing what we do
Good Net Neighbor configuration
– Phase I: Microsoft NetBIOS port block
– Phase II: Outbound port 25 spam block
Self-scanning tool to self-evaluate hosts
Blackhole DNS server
MOREnet network status indicator
Town hall meetings to discover their needs and issues
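The slide lists a blackhole DNS server without saying how one decides what to sinkhole. The following is an added example, not MOREnet's tool and not code from the original presentation: the decision logic a blackhole (sinkhole) resolver applies to each query, plus a pass over a query log that turns sinkhole hits into a list of probably-infected clients, which ties the service to the bot C&C announcements the slides mention. The blocklist names, the sinkhole address 10.255.255.1, the allowlist and the "client qname" log format are all constructed assumptions for the example.

```python
"""Decision logic for a DNS blackhole (sinkhole) server.

Added example, not MOREnet's tool. Assumptions (hypothetical): a blocklist of
bot C&C domains, a sinkhole address 10.255.255.1, an allowlist, and a query
log in the constructed '<client_ip> <qname>' format used below.
"""
from __future__ import annotations

SINKHOLE_IP = "10.255.255.1"  # assumed: internal host that logs and drops the traffic

# Constructed sample lists; these are not real C&C names.
BLOCKLIST = {"badbot.example", "cnc.example.net"}
# A more specific allowlist entry overrides a blocked parent domain, so
# blocking cnc.example.net does not take out a legitimate mail host under it.
ALLOWLIST = {"mail.cnc.example.net"}


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot: 'BadBot.Example.' -> 'badbot.example'."""
    return qname.rstrip(".").lower()


def _name_and_parents(name: str):
    """Yield the name and every parent domain, most specific first: a.b.c, b.c, c."""
    parts = name.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def classify(qname: str) -> tuple[str, str | None]:
    """Return ('sinkhole', ip) for a blocked name or any subdomain of one,
    otherwise ('forward', None). The most specific list entry wins."""
    for candidate in _name_and_parents(normalize(qname)):
        if candidate in ALLOWLIST:
            return ("forward", None)
        if candidate in BLOCKLIST:
            return ("sinkhole", SINKHOLE_IP)
    return ("forward", None)


def find_infected_clients(log_lines) -> dict[str, list[str]]:
    """Map each client that resolved a blocked name to the names it asked for.

    Lines are '<client_ip> <qname>'; comments, blank and malformed lines are
    skipped so a bad log line never stops the resolver.
    """
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            client, qname = line.split()
        except ValueError:
            continue  # malformed line
        verdict, _ = classify(qname)
        if verdict == "sinkhole":
            hits.setdefault(client, set()).add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample query log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
# client qname
192.0.2.10 www.example.org
192.0.2.11 BadBot.Example.
192.0.2.11 update.badbot.example
192.0.2.12 mail.cnc.example.net
192.0.2.13 x.cnc.example.net
garbage
"""

if __name__ == "__main__":
    for client, names in find_infected_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client} queried blocked names: {', '.join(names)}")
```

Two design points carry over to a production sinkhole: match on the domain suffix walk rather than exact names, since bot C&C rotates subdomains freely, and keep the allowlist more specific than the blocklist so a single broad block cannot silently break a member's legitimate service.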
Using our lists for proactive communication
Security-l, MERC-security and State-security lists
– One-way push for critical announcements
» Bot network C&C
» Virus alerts
» Vulnerability announcements
– Two-way discussions for any topic members choose
– Communication of important training opportunities
Monthly Web Seminars: communicate
Phishing schemes
Bot networks
Spyware/malware
Nmap
Ethereal
Securing HP printers
SecCheck and Active Ports
Subpoena handling
Annual Security Symposium: education
Mostly member presentations
Advanced technical topics
K-12, higher education, library and state government attendees and presenters
Attorney General’s Office keynote on dealing with law enforcement
Advanced Security Training: education
Contracted with SANS and providing the SANS Forensics course at a steep discount for MOREnet members
CISSP training for members using videoconferencing technology
Conferences: education/communication
Security policy generation
Security awareness emphasis
Hands-on training sessions
Hacking competitions
Ethical hacking training
Other methods of communication and sharing of information
Daily Security Newslinks on website
Security offerings accessible through MyMOREnet login
– RADAR (MRTG) statistics
– NetFlow statistics
– Ticket submission
– Research requests
Fee-based Services
E-mail Virus and Spam Filtering (EVSF)
Remote Vulnerability Assessment
Expanding to the security community
Security community meetings
Security community e-mail list for announcements and discussion
InfraGard involvement
State Information Technology Advisory Board (ITAB) involvement
On-going activities
Participate in annual Security Awareness Month
Annual advanced topic for training
Nationally known Security Symposium keynote speaker
Expand the security community reach beyond Columbia
Is there anything left to do?
Blogging
Darknet
DShield log analysis server
On-site Remote Vulnerability Assessment
In-depth firewall assessment
SMTP self-testing tool
Managed firewall
Managed security appliance
For more information
Randy Raw
– [email protected]
– 573.882.0749
Beth Young
– [email protected]
– 573.884.7200