Post on 16-Dec-2015
Creating a Secure University: Technology, Policies, Education & Culture
Randy Marchany, VA Tech, Marchany@vt.edu
Joy Hughes, George Mason University, Jhughes@gmu.edu
Educause MARC, 2003. Copyright 2002, Marchany.
General Outline
Unit 1 – Policy (hands-on exercise)
Unit 2 – Risk Analysis (hands-on exercise)
Unit 3 – Incident Response, Setting up the Computer Incident Response Team
Unit 4 – Useful Freeware Security Tools
Unit 1: Policy
What are the rules? Why do we need rules?
The Layers of Security
Policy
Awareness
Risk Analysis
Incident Response
Free Tools
KaZaA
KaZaA is another file sharing program that lets users download music, pictures, software, video clips and more. The fine print in the license agreement has something nasty.

KaZaA License Agreement
"You hereby grant Brilliant Digital Entertainment the right to access and use the unused computing power and storage space on your computer/s and/or Internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation."
It Can’t Happen Here
1984 – Student sends obscene email to female faculty
1991 – Major Unix break-in, 18 machines, 5 depts, hackers from all over the world, discussed in the book @Large
1993 – Illegal music sites start to appear on VT systems
1995 – Student obtains test from faculty Mac ahead of time
1996 – Major relay attack, VT system used to attack other sites, AF-OSI/FBI involved
1996 – Student changes grades on instructor’s PC
1996 – Anonymous email harassment from public VT systems
1996 – Hackers attack system in MCB, capture passwords from 3 depts
1996 – Secret Service investigates VT student for threat to the President via email
1996 – Female instructor harassed via email on class listserv
1996 – CO system attacked by BEV user
1996 – VT student captures 300 passwords in a dorm and changes them on 4/1/96
1997 – VT WWW site modified illegally
1997 – Dept. WWW sites attacked
1997 – VT student sends hate mail to gay www site. VT Provost gets > 500 emails protesting this attack; story appears in NY Times, Washington Post, LA Times, CT, local PBS
1997 – VT student sent to judicial review for email harassment & threats
1997 – Pirated software sites on VT systems
1997 – VT system attacked from outside, FBI involved
1997 – Hackers attack VT system to attack Canadian systems, RCMP/FBI involved
1998 – Hackers attack VT system to attack PSU systems
1998 – Dept lab attacked by disgruntled former grad student
1998 – EE, Emporium labs attacked by hackers
1999 – BO, Netbus, email attachment attacks arrive
1999 – 80+ VT systems attacked to be used in DDOS attacks, FBI involved
2000 – Email harassment attacks continue
2000 – Remote control trojan attacks increase
2001 – VT systems continually probed for vulnerabilities
History
1989: I asked a question
1990: first draft of the AUP
Policy 2000 – Management of University Records (adopted 1989, revised 1999)
Policy 2005 – Administrative Data Management and Access Policy (adopted 1989, revised 1999)
Policy 2015 (AUP) – Acceptable Use Guidelines, contain specific examples (adopted 1991, revised 1999)
Policy 2020 – Policy on Protecting Electronic Access Privilege (adopted 1991, removal pending)
Policy 2030 – Policy on Privacy Statements on VT WWW sites (adopted 2000)
AUP Enforcement Philosophy
Use existing policies and sanctions: sanctions are described in the Student, Faculty and Staff Handbooks, and the judicial procedure is defined there also
Maintain compliance with federal, state and local computer crime statutes
Academic freedom vs. illegal activity
Acceptable Use Policy – Scope
All VT computer & communications facilities dealing with voice, video and data
VT networks, mainframe, midrange, minicomputer, workstation and PC
Individually owned computers are not covered
Acceptable Use Policy – Demonstrates Respect of:
Privacy rights of others
Intellectual property rights (copyrights, patents)
Data ownership
Defense mechanisms
Freedom from harassment, intimidation
Acceptable Use – The Do’s
Use resources for authorized purposes only (porno, personal business – violation!)
Responsibility: you’re responsible for anything that originates from your system/userid
Permission: access only what you’ve been given permission to access; you can share your userid/system, but see the previous point
Use only legal copyrighted software or data
Refrain from overloading resources (spam, DOS attacks)
Acceptable Use – The DON’Ts
Use another’s system, userid, data, files or password without permission
Use hacking programs or willfully spread viruses to break system security or disrupt services
Make illegal copies of copyrighted materials, store them on VT systems or transmit them on VT networks (MP3, Napster, DVD are OK as long as copyrights are respected)
Use email or messaging services to harass, intimidate or threaten others (the most common offense)
Use VT systems for personal gain
Use VT systems for illegal purposes
Acceptable Use – Enforcement
AUP violations are a serious offense
VT reserves the right to copy and examine any file on VT systems allegedly related to AUP violations in order to protect its resources; done only with the approval of supervisory or legal entities; does NOT apply to personal systems
Applicable law: FERPA, ECPA, Computer Fraud & Abuse Act, Computer Virus Eradication Act, VA Computer Crime Law, HIPAA, Interstate Transportation of Stolen Property Act
Acceptable Use – Enforcement
Students: Office of Judicial Affairs (www.judicial.vt.edu)
Staff: VP for Human Resources
Faculty: Provost and Department Head
Legal: Campus Police, State Police, FBI, Customs, ATF, Military OSI, Secret Service
IS does NOT prosecute! It only collects data for the above entities.
Acceptable Use – Statistics
Students, 1998: 5 cases formally adjudicated
Students, 1999: 1200 complaints, 25 cases formally adjudicated
Gender-based harassment and copyright infringement pose significant contributory liability concerns for the University
Data from Office of Judicial Affairs annual report
Response Strategies (from RFC 2196)
Protect and Proceed – appropriate when assets are not well protected, continued penetration could result in financial risk, willingness to prosecute is not present, or users are unsophisticated and their work is vulnerable
Pursue and Prosecute – allow intruders to continue their activity until the site can identify them; this is recommended by law enforcement agencies but is the most difficult
Willingness to prosecute!!
Acceptable Use – Summary
Comprehensive
Flexible
Use existing University policies for enforcement
Do not marry it to technology: stealing is stealing whether done in the real or cyber worlds.
Increasing Awareness
Once You Have a Policy, You Need To Tell People What It Is
Orientation Sessions
Student: Freshman Orientation, Resident Computer Consultants (RCC)
Faculty: Faculty Development Institute, departmental presentations
Staff: New Employee Orientation
Sample Orientation Presentation
The following presentation is one of the ones we give to GTAs at their orientation.
GTA Workshop – Acceptable Use Guidelines
Wayne Donald, Randy Marchany
Passwords ARE the First Defense: Bad Password Examples

Sharing Systems
Never share userids. Log off when you’re done.
You have sensitive data about your students. You must protect it or you’ll violate FERPA regulations.
Make sure your system administrators have protected your operating system, but you must do your part!
Protecting the System
Get the VTNET software CD, it’s FREE!
Antivirus: Norton Antivirus Corporate Edition 7.6
Cleartext: replace it with Secure Shell (SSH 2.4) and Secure Copy 2.4; use these especially if you have wireless systems
Never disclose sensitive information via the WWW if the padlock icon is unlocked
Use personal firewall software to monitor access to your systems (Zone Alarm, BlackIce, XP firewall)
Acceptable Use
You’re responsible for anything that originates from your userid
Don’t download movies or music unless you bought them
The Net is not anonymous, so be careful
Use email responsibly
Summary
You are responsible for sensitive information stored on your computers
You could violate federal laws if you allow the information to get out
Make sure you’ve read the VA Tech Acceptable Use Guidelines
Make sure you have a “safe” working environment
Don’t share computers unless you have no choice
Eliminate the Excuses
The following slides show some of the www pages we have to increase awareness at the general and technical levels.
Surplusing IT Equipment: How To Surplus IT Equipment
Have We Been Successful?
We tried for 3 years to get into the Faculty, Student and Staff orientation programs. We were told there wasn’t enough time for our short presentation.
This year, something changed. Faculty Development was ordered to give us time. Student orientation wanted something after 9/11.
Orientation sessions have generated additional presentations for individual groups.
Technical Orientation/Training
Provide security awareness and technical training to your sysadmins.
In-house is the cheapest option. Hardest to do, but the benefits are outstanding. Builds a support network across depts.
Hold regional training for local EDUs.
Technical Orientation/Training – Regional training for local EDUs
SANS-EDU – 3-day seminar on Network, Unix, W2K security
Sponsored by SANS Institute (www.sans.org) and VA Tech
Open to any EDU in the US, $100/person
Aimed to help close the training gap; low price = no excuses
Conclusions
1. Get the AUP in place.
2. Build awareness programs for faculty, staff and students.
3. Get technical training for your support staff.
4. Establish links between the enforcement arms of the university.
5. Repeat steps 2-4.