1. Detection and Prevention of Intrusions and Attacks at Universities Tammy Clark Information Security Officer Georgia State University Tlclark@gsu.edu 404-463-9612 Copyright Tammy Clark, 2001. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2. Prelude Detection and Prevention of Intrusions and Attacks at Universities Track 7: Infrastructure/Networking/Security Wednesday, October 31, 2001 9:30-10:20 a.m. You can access this presentation online at http://www.gsu.edu/security http://www.gsu.edu/security

3. Introduction  While the size and composition of our individual networks may differ… University network infrastructures are a major target for “script kiddies” and are under attack 24/7. University systems are being “used” to attack other systems over the internet on a regular basis.  While our institutional security budgets and staffing allowances may differ…we all need to devise effective methodologies to prevent, detect, monitor and respond to attacks and intrusions on our networks.

4. The Weakest Link…. A university without …..  A “funded mandate” to develop a robust information security program  An information security strategic plan and comprehensive policies  Security tools  At least one full-time security staff member to take the lead on security initiatives

5. Common Vulnerabilities and Threats  Inadequate security plans, procedures and/or policy  Security “unaware” users  Un-patched or mis-configured operating systems and applications  Unprotected hosts, gateways, network perimeters  Undetected modems or wireless access points  Workstations connected to the network that no one uses or notices…

6. Other Areas of Concern  Vendor-supplied systems (COTS) that are not properly secured or managed  Wireless networks  Inbound and outbound filters not applied to external routers or firewalls  Flawed “disaster recovery” processes  SANS’ Twenty Most Critical Internet Security Vulnerabilities at http://66.129.1.101/top20.htm http://66.129.1.101/top20.htm

7. Methods to Prevent STRATEGIC PLANNING  Employ a strategic approach to security—develop plans, procedures, and policies  Staff Up—ISO, CERT, Task Force, Security Committee  Assess the “state of security” —conduct internal and external audits to prioritize and identify critical vulnerabilities and threats.  In your policies, notify users that vulnerability scans will be performed  Incorporate policies and standards that require users to apply specified levels of protection to systems before connecting them to the production network  Clearly define the consequences of non-compliance

8. Methods to Prevent STRATEGIC PROTECTION  Segregate/aggregate critical hosts, Resnets and vendor- maintained systems onto their own Vlans and apply very specific restrictions and permissions  Promote and require (through policy/procedures) secure data transmission, authentication, and remote network access methods, such as SSH, SSL, VPN’s  Protect University systems—ensure that, at a minimum, each critical system and server on your campus has an individual or group that is responsible for applying security configurations, patches, logging and auditing

9. Methods to Prevent PROACTIVE MEASURES  Security Awareness Training—Use a wide variety of methods to get your faculty, staff, and students actively involved  Subscribe to receive alerts about newly discovered vulnerabilities and exploits and establish a mechanism to communicate these to system administrators  Incident Response Action Plans—document and define incident notification and response procedures and communicate these to campus technology leaders  Disaster Recovery Planning—develop a plan that details how critical systems will be restored in the event of a compromise or loss (that includes system security configuration and patch documentation)

10. Methods to Monitor and Detect “GUARDING THE GATES”  Firewalls –Router access control filters –Distributed firewalls –Firewall modules and centralized management to protect critical hosts –Personal firewalls, hardware or software  Anti virus software –Install and maintain on workstations and servers –Place virus scanners in front of mail gateways

11. Methods to Monitor and Detect AUTOMATED DISCOVERY  Network Security Assessment Scanners –Detect a wide range of vulnerabilities in operating systems and applications –Expose vulnerabilities in databases, web servers, CGI scripts –Discover exposed ports and services that need to be turned off –Identify unknown wireless access points and modems  System Security Assessment Scanners and Integrity Solutions –Centrally manage scans of multiple hosts on a network –Set a baseline standard configuration and monitor for alterations –Have the ability to recover a system back to its unaltered state

12. Methods to Monitor and Detect AUTOMATED DETECTION  Intrusion Detection Systems –Monitor your network for attacks and intrusions –Halt attacks in progress to prevent further damage –Identify compromised systems  Security Management Applications –Centrally organize log and audit information across your enterprise network

13. Methods to Respond  There are a sequence of defined “phases” in establishing a methodology to respond to security incidents: –Preparation –Identification –Containment –Eradication –Recovery –Follow Up

14. Methods to Respond PREPARATION  Develop notification, investigation, and response procedures that will integrate with your University’s existing policies and standards  Ensuring that effective backup procedures are in place is an important preparation step!  SAN’S Computer Security Incident Handling, Step By Step Guide is an excellent resource (www.sans.org)www.sans.org  Organize a campus-wide CERT and clearly define roles and responsibilities-- http://www.auscert.org.au/Information/Auscert_info/Paper s/Forming_an_Incident_Response_Team.html http://www.auscert.org.au/Information/Auscert_info/Paper s/Forming_an_Incident_Response_Team.html

15. Methods to Respond IDENTIFICATION  A first step in responding to an incident is to identify what has happened  Intrusion detection systems, firewalls, system logs, network or system “behavior” that diverts from the norm, reports from outside entities can all alert you to the fact that an incident has occurred  You will want to include the stipulation in your incident response policies that a “compromised” system should not be shut down or tampered with in any way before your CERT has a chance to identify what has occurred

16. Methods to Respond CONTAINMENT  You will want to ensure that your incident response policy identifies when a system will immediately be removed from the network due to the risk that it represents  Many Universities don’t have time to do a lot of forensics activities to dissect a compromise—but rather than simply wipe the system and reload as a regular practice—make a backup of the system in it’s compromised state to examine later or to use in getting outside advice about what occurred  Preserve logs, take notes, use the information you can get from the system involved in an incident to insure that no other systems on your campus are affected

17. Methods to Respond ERADICATION  The method that you employ to ensure that your network or systems are “clean” will differ depending on the type of incident  Some incidents, such as widespread denial of service attacks, can require you to obtain assistance from your ISP or network provider to successfully stop the attacks  Most viruses can successfully be removed, but determining whether all traces of a root-level compromise can be found and fixed can be time-consuming and an imprecise science  This is where that preparation step of ensuring you have good backups will pay off!

18. Methods to Respond RECOVERY  If it is not possible to remove all traces of infection or problems, restore an affected system from the “last good” backup or decide to reload it, depending on the circumstances  Dictate in your procedures the criteria you will employ in making a decision as to when to restore network services to an affected system  Continue to monitor the system to ensure no further problems occur

19. Methods to Respond FOLLOW UP  You will want to conduct activities around documenting incidents, examining the “lessons learned” and noting whether changes need to be made in policies or procedures to prevent further problems  Gathering historical information on incidents that have occurred on your campus can be invaluable in supporting the budgetary and staffing needs of your Information Security function!

20. Case Studies  Following are examples of recent incidents that have affected University networks worldwide and in some cases, continue to do so…  There are numerous methods and means that a University can employ to mitigate incidents.  The choices that are made are normally a reflection of the numbers of staff dedicated to security-related duties, the budget to procure tools, and the “perceived” importance of protecting University technology resources

21. Code Red Worm V.1  Description: The Code Red Worm, discovered July 19 th, affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000 that run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the file “idq.dll.”  Prevention: Scanning for vulnerable web servers with eEye Digital Security’s free Code Red Scanner and patching vulnerable systems  Detection: By setting a policy for an intrusion detection system to display all “http get” requests, all of the infected servers were identified within 20 minutes  Response: Contacting affected systems administrators and providing them with instructions on how to eradicate or shutting the infected systems down until an administrator could fix them  Summary: The Code Red Worm v.1 impact was mitigated campus- wide within four hours of discovery due to a large number of infected systems, with isolated incidents occurring for several days that were quickly resolved

22. Code Red Worm V.2  Description: CodeRed II was discovered on August 4, 2001. It has been called a variant of the original Code Red Worm because it uses the same "buffer overflow" exploit to propagate to other Web servers. However, this version of the worm plants one or more “backdoors” on the infected servers.  Prevention: Scanning for vulnerable web servers with eEye Digital Security’s free Code Red Scanner and patching vulnerable systems  Detection: Several attack signatures were added to RealSecure IDS that allowed easy detection of any Code Red Worm variant, allowing identification of infected servers instantly  Response: Contacting affected systems administrators and providing them with tools and instructions on how to eradicate or shutting the infected systems down temporarily  Summary: The Code Red Worm v.2 impact was mitigated campus- wide within two hours after discovery, with isolated incidents occurring for several days that were quickly resolved

23. Code Blue Worm  Description: Discovered on September 18, 2001, a virus with multiple methods of delivery infected Windows 95, 98, ME, NT, 2000 systems, which then scanned IIS web servers for directory traversal vulnerabilities and back doors left by the Code Red Worm v.2 and Sadmind worms  Prevention: A virus scanner that protects mail gateways that was configured to prevent attachments containing “malicious” code would intercept infected messages and prevent them from entering the mail system. IIS systems that were patched and free of back doors would not be affected  Detection: RealSecure instantly identified infected web servers once again and a minimum of campus users that utilize Outlook clients became infected and were detected after being scanned by Norton Antivirus  Response: Antivirus ( and other security) vendors released tools that eradicated the virus from systems, including web servers and affected systems administrators were notified to fix webservers or they were shut down until they could do so  Summary: Code Blue infected systems were detected quickly and the damage was mitigated campus-wide within an hour after discovery

24. Selecting the Right Tools For The Job…  Just as there are so many strategic choices that can be made in protecting University networks, the same is true of security tools  Following are “short lists” of categorized tools— these are not recommendations, just a starting point for you  There is no way to get around three facts: –When it comes to security tools, one size does not fit all –Choosing the most effective tools that will also fit your University’s budgetary needs requires research, planning and careful evaluation –To get a return on your security tools investment, you will need to ensure that you have “security savvy” staff members to deploy and manage them!

25. Firewalls  Checkpoint Firewall-1: http://www.checkpoint.com/products/firewall-1/index.html http://www.checkpoint.com/products/firewall-1/index.html  Cisco IOS Firewall and Cisco Pix: http://www.cisco.com/warp/public/44/jump/secure.shtml http://www.cisco.com/warp/public/44/jump/secure.shtml  Cyberwall Plus: http://www.network- 1.com/products/index.htmlhttp://www.network- 1.com/products/index.html  Sunscreen: http://www.sun.com/software/securenet/securenet3/;$sessi onid$QQCYLGIAAES11AMTA1LU45Q http://www.sun.com/software/securenet/securenet3/;$sessi onid$QQCYLGIAAES11AMTA1LU45Q  ZoneAlarm: http://www.zonealarm.comhttp://www.zonealarm.com  BlackICE Defender: http://www.networkice.comhttp://www.networkice.com

26. Anti Virus  Email/SMTP gateway antivirus scanner –Guinevere for Novell Groupwise: http://www.indecon.com/guinevere/precis.htm http://www.indecon.com/guinevere/precis.htm –Interscan VirusWall for NT or Unix: http://www.antivirus.com/products/internet_gateway.htm http://www.antivirus.com/products/internet_gateway.htm –Webshield for NT or Unix: http://corporate.mcafee.com/content/software_products/avd_gatew ay_default.asp http://corporate.mcafee.com/content/software_products/avd_gatew ay_default.asp  Centrally-managed anti virus solutions –Trend Virus Control System: http://www.antivirus.com/products/trend_vcs/ http://www.antivirus.com/products/trend_vcs/ –Norton Antivirus: http://enterprisesecurity.symantec.com/products/products.cfm?Pro ductID=23&PID=8684275 http://enterprisesecurity.symantec.com/products/products.cfm?Pro ductID=23&PID=8684275

27. Network Security Assessment  Commercial Tools –Internet Scanner: http://www.iss.nethttp://www.iss.net –Database Scanner: http://www.iss.nethttp://www.iss.net –Security Analyzer: http://www.netiq.com/products/sa/default.asphttp://www.netiq.com/products/sa/default.asp –Bv-control for Internet Security: http://www.bindview.com/products/control/internet.cfm http://www.bindview.com/products/control/internet.cfm –Retina: http://www.eeye.com/html/Products/Retina/index.htmlhttp://www.eeye.com/html/Products/Retina/index.html –Telesweep: http://telesweepsecure.securelogix.com/http://telesweepsecure.securelogix.com/  Free Tools –Saint: http://www.wwdsi.com/saint/http://www.wwdsi.com/saint/ –Nessus: http://www.nessus.org/http://www.nessus.org/ –Blue Globe: http://www.blueglobe.com/%7Ecliffmcc/portscanner.html http://www.blueglobe.com/%7Ecliffmcc/portscanner.html –NMAP: http://www.insecure.org/nmap/index.html#otherhttp://www.insecure.org/nmap/index.html#other

28. System Security/Integrity Assessment  System Scanner: http://www.iss.nethttp://www.iss.net  Tripwire Manager: http://www.tripwire.com/ http://www.tripwire.com/  VigilEnt Security Manager: http://www.pentasafe.com/products/ http://www.pentasafe.com/products/

29. Intrusion Detection Systems  Commercial Intrusion Detection Systems –RealSecure: http://www.iss.nethttp://www.iss.net –NFR: http://www.nfr.com/http://www.nfr.com/ –Dragon: http://www.enterasys.com/ids/http://www.enterasys.com/ids/ –Cisco Secure: http://www.cisco.com/warp/public/44/jump/sec ure.shtml http://www.cisco.com/warp/public/44/jump/sec ure.shtml –Free Intrusion Detection Systems –Snort: http://www.snort.orghttp://www.snort.org

30. Security Management  SAFEsuite Decisions: http://www.iss.net/securing_e- business/security_products/security_management/ decisions/ http://www.iss.net/securing_e- business/security_products/security_management/ decisions/  Secure Log Manager: http://documents.iss.net/literature/slm/slm10_ug.p df http://documents.iss.net/literature/slm/slm10_ug.p df  NetSecure Log: http://www.netsecuresoftware.com/netsecurenew/ Products/NetSecure_Log/netsecure_log.html http://www.netsecuresoftware.com/netsecurenew/ Products/NetSecure_Log/netsecure_log.html  AccessMaster: http://www.evidian.com/accessmaster/index.htm http://www.evidian.com/accessmaster/index.htm

31. Wrapping Up…  You can access this presentation online at the Georgia State University Security Information Center http://www.gsu.edu/securityhttp://www.gsu.edu/security  References I recommend: –Incident Response: Investigating Computer Crime by Kevin Mandia and Chris Prosise –Hacking Exposed: Network Security Secrets & Solutions by Joel Scambray, Stuart McClure, and George Kurtz –The Hacking Exposed volumes on Linux and Windows 2000 by the above authors –All of the SANS “Step by Step” Guides available at http://www.sans.org http://www.sans.org