1 Creating a Secure University: Technology, Policies, Education & Culture. Randy Marchany, VA Tech (Marchany@vt.edu); Joy Hughes, George Mason University (Jhughes@gmu.edu)

2 Educause MARC, 2003. Copyright 2002, Marchany. General Outline
Unit 1 – Policy (hands-on exercise)
Unit 2 – Risk Analysis (hands-on exercise)
Unit 3 – Incident Response: setting up the Computer Incident Response Team
Unit 4 – Useful Freeware Security Tools

3 Unit 1: Policy. What are the rules? Why do we need rules?

4 The Layers of Security: Policy, Awareness, Risk Analysis, Incident Response, Free Tools


23 KaZaA. KaZaA is another file sharing program that lets users download music, pictures, software, video clips and more. The fine print in the license agreement has something nasty.

24 KaZaA License Agreement: "You hereby grant Brilliant Digital Entertainment the right to access and use the unused computing power and storage space on your computer/s and/or Internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation."

25 It Can't Happen Here
1984 – student sends obscene email to female faculty
1991 – major Unix break-in: 18 machines, 5 depts, hackers from all over the world; discussed in the book @Large
1993 – illegal music sites start to appear on VT systems
1995 – student obtains test from faculty Mac ahead of time
1996 – major relay attack, VT system used to attack other sites; AF-OSI/FBI involved

26 It Can't Happen Here (continued)
1996 – student changes grades on instructor's PC
1996 – anonymous email harassment from public VT systems
1996 – hackers attack system in MCB, capture passwords from 3 depts
1996 – Secret Service investigates VT student for threat to the President via email
1996 – female instructor harassed via email on class listserv

27 It Can't Happen Here (continued)
1996 – CO system attacked by BEV user
1996 – VT student captures 300 passwords in a dorm and changes them on 4/1/96
1997 – VT WWW site modified illegally
1997 – dept. WWW sites attacked
1997 – VT student sends hate mail to gay WWW site; VT Provost gets more than 500 emails protesting this attack; story appears in NY Times, Washington Post, LA Times, CT, local PBS

28 It Can't Happen Here (continued)
1997 – VT student sent to judicial review for email harassment and threats
1997 – pirated software sites on VT systems
1997 – VT system attacked from outside; FBI involved
1997 – hackers use a VT system to attack Canadian systems; RCMP/FBI involved
1998 – hackers use a VT system to attack PSU systems
1998 – dept lab attacked by disgruntled former grad student

29 It Can't Happen Here (continued)
1998 – EE and Emporium labs attacked by hackers
1999 – BO, Netbus and email attachment attacks arrive
1999 – 80+ VT systems compromised for use in DDoS attacks; FBI involved
2000 – email harassment attacks continue
2000 – remote control trojan attacks increase
2001 – VT systems continually probed for vulnerabilities

30 History
1989: I asked a question
1990: first draft of the AUP
Policy 2000 – Management of University Records (adopted 1989, revised 1999)
Policy 2005 – Administrative Data Management and Access Policy (adopted 1989, revised 1999)
Policy 2015 (the AUP) – Acceptable Use Policy (adopted 1991, revised 1999); the Acceptable Use Guidelines contain specific examples
Policy 2020 – Policy on Protecting Electronic Access Privilege (adopted 1991, removal pending)
Policy 2030 – Policy on Privacy Statements on VT WWW sites (adopted 2000)

31 AUP Enforcement Philosophy
Use existing policies and sanctions: sanctions are described in the Student, Faculty and Staff Handbooks, and the judicial procedure is defined there also.
Maintain compliance with federal, state and local computer crime statutes.
Academic freedom vs. illegal activity.

32 Acceptable Use Policy Scope
All VT computer and communications facilities dealing with voice, video and data: VT networks, mainframe, midrange, minicomputer, workstation and PC.
No individually owned computers.

33 Acceptable Use Policy Demonstrates Respect of: privacy rights of others; intellectual property rights (copyrights, patents); data ownership; defense mechanisms; freedom from harassment and intimidation.

34 Acceptable Use – The Do's
Use resources for authorized purposes only (porno, personal business – violation!).
Responsibility: you're responsible for anything that originates from your system/userid.
Permission: access only what you've been given permission to access. You can share your userid/system, but see the previous point.
Use only legally obtained copyrighted software or data.
Refrain from overloading resources (spam, DoS attacks).

35 Acceptable Use – The DON'Ts
Use another's system, userid, data, files or password without permission.
Use hacking programs or willfully spread viruses to break system security or disrupt services.
Make illegal copies of copyrighted materials, store them on VT systems or transmit them on VT networks. MP3, Napster and DVD are OK as long as copyrights are respected.

36 Acceptable Use – The DON'Ts (continued)
Use email or messaging services to harass, intimidate or threaten others (most common offense).
Use VT systems for personal gain.
Use VT systems for illegal purposes.

37 Acceptable Use – Enforcement
AUP violations are a serious offense.
VT reserves the right to copy and examine any file on VT systems allegedly related to AUP violations in order to protect its resources. This is done only with the approval of supervisory or legal entities, and does NOT apply to personal systems.
Applicable law: FERPA, ECPA, Computer Fraud & Abuse Act, Computer Virus Eradication Act, VA Computer Crime Law, HIPAA, Interstate Transportation of Stolen Property Act.

38 Acceptable Use – Enforcement (continued)
Students: Office of Judicial Affairs (www.judicial.vt.edu)
Staff: VP for Human Resources
Faculty: Provost and Department Head
Legal: Campus Police, State Police, FBI, Customs, ATF, Military OSI, Secret Service
IS does NOT prosecute! It only collects data for the above entities.

39 Acceptable Use – Statistics
Students, 1998: 5 cases formally adjudicated. 1999: 1200 complaints, 25 cases formally adjudicated.
Gender-based harassment and copyright infringement pose significant contributory liability concerns for the University.
Data from the Office of Judicial Affairs annual report.

40 Response Strategies (from RFC 2196)
Protect and Proceed, appropriate when: assets are not well protected; continued penetration could result in financial risk; willingness to prosecute is not present; users are unsophisticated and their work is vulnerable.
Pursue and Prosecute: allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies but is the most difficult. It requires willingness to prosecute!!

41 Acceptable Use – Summary
Comprehensive. Flexible. Use existing University policies for enforcement. Do not marry it to technology: stealing is stealing whether done in the real or cyber worlds.

42 Increasing Awareness. Once you have a policy, you need to tell people what it is.

43 Orientation Sessions
Students: Freshman Orientation, Resident Computer Consultants (RCC)
Faculty: Faculty Development Institute, departmental presentations
Staff: New Employee Orientation

44 Sample Orientation Presentation. The following presentation is one of the ones we give to GTAs at their orientation.

45 GTA Workshop – Acceptable Use Guidelines Wayne Donald Randy Marchany


50 Passwords ARE the First Defense. Bad Password Examples
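The slide lists bad password examples without saying how to catch them mechanically. The checker below is an added example, not code from the presentation or from VT; it flags the classic weak-password patterns (too short, built from the userid, digits only, a dictionary word with digits appended or "leet" substitutions, a keyboard walk, too few character classes). The word list, the leet map and the sample passwords are constructed here; a real deployment would load a full dictionary such as a cracklib word list.

```python
"""Weak-password checker for the 'bad password' patterns named on the slide.

Added example, not part of the original presentation. The word list,
the leet map and the sample passwords are constructed for illustration.
"""
import re

# Constructed mini-dictionary; stands in for a full cracklib-style word list.
COMMON_WORDS = {
    "password", "hokies", "welcome", "letmein", "qwerty",
    "virginia", "tech", "secret", "admin",
}

# Heuristic reversal of common "leet" substitutions ("1" could be "i" or "l";
# "i" is used here, so "l3tm31n" normalizes to "letmein").
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation ("hokies2003!"), undo leet."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def _has_keyboard_walk(pw: str, length: int = 4) -> bool:
    """True if any run of `length` characters is a forward or reverse keyboard-row run."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in s:
                    return True
    return False


def check_password(pw: str, userid: str = "", min_len: int = 8) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if userid and userid.lower() in pw.lower():
        problems.append("contains the userid")
    if pw.isdigit():
        problems.append("digits only")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    norm = _normalize(pw)
    if norm and (norm in COMMON_WORDS or norm[::-1] in COMMON_WORDS):
        problems.append("dictionary word (possibly with digits appended or leet substitutions)")
    if _has_keyboard_walk(pw):
        problems.append("keyboard pattern")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical userid "jdoe".
    for candidate in ["hokies", "jdoe2003", "P@ssw0rd1", "Qwerty!2024", "19841225", "Tq7#mVx9!pLe"]:
        verdict = check_password(candidate, userid="jdoe")
        print(f"{candidate:14s} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The normalization step is what catches "P@ssw0rd1": strip the trailing digit, undo the leet substitutions, and the remainder is a plain dictionary word. A checker that only counts character classes would have passed it.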

51 Sharing Systems
Never share userids. Log off when you're done.
You have sensitive data about your students. You must protect it or you'll violate FERPA regulations.
Make sure your system administrators have protected your operating system, but you must do your part!

52 Protecting the System
Get the VTNET software CD, it's FREE!
Antivirus: Norton Antivirus Corporate Edition 7.6.
Cleartext protocols: replace them with Secure Shell (SSH 2.4) and Secure Copy (2.4). Use these especially if you have wireless systems.
Never disclose sensitive information via the WWW if the padlock icon is unlocked.
Use personal firewall software to monitor access to your systems (Zone Alarm, BlackIce, XP firewall).

53 Acceptable Use
You're responsible for anything that originates from your userid.
Don't download movies or music unless you bought them.
The Net is not anonymous, so be careful.
Use email responsibly.

54 Summary
You are responsible for sensitive information stored on your computers. You could violate federal laws if you allow the information to get out.
Make sure you've read the VA Tech Acceptable Use Guidelines.
Make sure you have a "safe" working environment.
Don't share computers unless you have no choice.

55 Eliminate the Excuses. The following slides show some of the WWW pages we have to increase awareness at the general and technical levels.


63 Surplusing IT Equipment: How To Surplus IT Equipment

64 Have We Been Successful? We tried for 3 years to get into the Faculty, Student and Staff orientation programs. We were told there wasn't enough time for our short presentation. This year, something changed. Faculty Development was ordered to give us time. Student orientation wanted something after 9/11. Orientation sessions have generated additional presentations for individual groups.

65 Technical Orientation/Training. Provide security awareness and technical training to your sysadmins. In-house is the cheapest option: hardest to do, but the benefits are outstanding, and it builds a support network across depts. Hold regional training for local EDUs.

66 Technical Orientation/Training: Regional training for local EDUs. SANS-EDU – 3-day seminar on Network, Unix and W2K security, sponsored by the SANS Institute (www.sans.org) and VA Tech. Open to any EDU in the US, $100/person. Aimed to help close the training gap. Low price = no excuses.

67 Conclusions
1. Get the AUP in place.
2. Build awareness programs for faculty, staff and students.
3. Get technical training for your support staff.
4. Establish links between the enforcement arms of the university.
5. Repeat steps 2-4.
