
1 How to Successfully Defend Against IRC Bots, Compromises, and Information Leaks
Tammy L. Clark, CISO, Georgia State University
William Monahan, Lead Information Security Administrator, Georgia State University

2 Data Breaches Are Popping Up Everywhere Lately…
According to the Privacy Rights Clearinghouse, there have been 236 data breaches reported in 2006. Of this number:
47 incidents were universities reporting sensitive data leaks (how many go unreported?), and of these, 24 were due to hacking/unauthorized access
74 incidents occurred due to human error: web site misconfigurations, application bugs, or mishandled documents/receipts that caused data exposures
102 incidents involved backup tapes, documents, and/or unencrypted computers containing sensitive data repositories that were stolen
60 of the total breaches reported for all types of organizations were a result of unauthorized access/intrusions
Bruce Schneier: “Securing university networks is an excellent example of the social problems surrounding network security being harder than the technical ones.”

3 The Threat of Human Errors
Increasingly, human errors account for two thirds of the data breaches that occur, for the following reasons:
–Misconfigured systems, web sites and applications
–Paper documents that are not properly stored, handled or shredded
–Computer hard drives that are not properly disposed of

4 Data Leakages Outside the Perimeter
As ‘sensitive’ data finds its way off campus, the risk of data exposure increases exponentially for the following reasons:
–Mobile users manipulating sensitive data on systems that are easily hacked or that lack good security measures: weak passwords, lack of encryption, inadequate system configurations and controls
–Theft of mobile devices
–Backups or data tapes lost or stolen in transit

5 A Little Background Info
Georgia State’s information security program launched in 2000
Currently, 3 dedicated staff members serve the campus community
10,000 staff and faculty
30,000+ students
Decentralized information technology environment

6 Preventing Compromises, IRC Bots and Information Leaks
Prior to 2005, we had between 20 and 50 incidents a day involving compromised or malware-infected systems
Since late 2005, security incidents involving university systems and data have dropped dramatically to between 0 and 1 a week; most of these involve misconfigured systems that can be exploited by hackers
We also routinely detect between 1 and 10 malware-compromised ‘non-university’ systems a week, brought in by students using wireless or the various labs and classrooms on campus

7 Our Information Security Roadmap
Information Security Plan based on ISO 17799
Prioritized Yearly Action Plans
Secure Computing Initiative
Policy and Procedures
Risk Analyses and Security Assessments
Compliance Initiatives (HIPAA, PCI, GLBA)
Remote Access Project
Building Consensus through Collaborations with Committees and Taskforces
Security operations that include monitoring and incident handling
CSIRT mobilization
Provision of customized training to campus college/dept. systems administrators that allows them to manage their own assets in a hierarchical ‘child domain’ structure within our security monitoring systems
Online Security Awareness Training
Defense In Depth through layering in new policies, procedures, and solutions

8 Campus Security Plan Based on ISO 17799
Two years ago, we developed a holistic, comprehensive security plan based on ISO 17799 (133 controls and 12 domain areas)
As we developed the initial plan, we conducted a ‘state of security’ assessment in each domain area and developed action plans to address deficiencies
We modify our plan each year to incorporate changes in the ISO 17799 standard, as well as new requirements arising from compliance legislation, university policies and risk analyses
We also develop action plans each year, which lead to new policies, procedures, and solutions being layered into our security infrastructure

9 GSU’s Secure Computing Initiative
In response to regulatory requirements to protect sensitive information, we established a program in 2005 that mandates the use of AV, IPS, strong passwords, secure device configurations, and successful completion of an electronic security awareness course
We conduct a risk analysis of business processes, the applications being used, and the hardware systems involved, to determine whether sensitive information is being stored, processed and handled in a reasonably secure manner
We require college/department information technology representatives to provide us with an inventory of systems and a survey questionnaire specifying what steps they are taking in the areas of controls, backups, disaster recovery, etc.
We provide them with customized antivirus builds and desktop IPS, as well as ‘child domains’ on our security monitoring systems that allow them to manage their own devices and policies
We mandate controls on servers and in front of internet-connected devices if sensitive information is involved

10 Risk Analyses and Security Reviews
We conduct a risk analysis to determine whether sensitive information is being stored, processed and handled in a reasonably secure manner
As colleges and departments at GSU acquire new technology from vendors to assist in their academic or business endeavors, we get involved in assessing the potential risk that new devices, software, etc., can introduce
We conduct vulnerability assessments and testing using a variety of tools and methods
We also examine business processes, which can include how paper documents are stored or destroyed, disposal of computer hard drives, electronic transmission of financial information to 3rd parties, imaging, and sharing information with external entities through email, FTP, remote administration and access, etc.

11 Compliance
A new policy mandating risk assessments prior to the approval of funding for IT projects on our campus has resulted in over 50 large-scale risk assessments being completed so far in 2006; these mandate controls and, in some cases, have led to the development of new policies and procedures because sensitive or ‘regulated’ information was involved
We instituted a process with departments on campus that grant access to information deemed sensitive or subject to legislative requirements to conduct security audits
We routinely conduct risk assessments to analyze business processes and application security configurations, and provide checklists and procedures to secure workstations and servers
We are working with the data stewards on our campus to initiate security reviews whenever users on campus request access to sensitive information
We require 3rd parties who interface with business systems on campus to provide contractual assurances that they are reasonably secure, and require them to use specified methods to access our network and/or to manage the applications or systems they are responsible for
We also utilize our IPS systems to apply granular levels of protection to the internet-connected devices that are involved

12 HIPAA Compliance Matrix

13 Remote Access Project
In cooperation with other agencies on campus, we completed a project that resulted in the following:
–Modification of our remote access policy to clarify that VPN usage is mandatory and, in the case of individuals storing or processing sensitive information, to specify approved and recommended methods of remote access
–Creation of a new website to distribute a customized PC Anywhere build that has been tested and secured
–Approval to utilize our Intrushield IPS to deny access to specific protocols or services (RDP, IRC, PC Anywhere, VNC, etc.) unless the campus VPN is used

14 Security Operations
We have several security monitoring systems that provide critical information to us about attacks and intrusions 24/7
We establish automated alerting and reporting mechanisms within Intrushield and ISS SiteProtector to provide targeted information
We are offering training to network operations and helpdesk technicians to allow them to field alerts 24/7, create helpdesk tickets, make notifications, and contact us to analyze information that comes in about potential attacks and incidents
We have an experienced security operations/incident handler in our department who collects data and manages incidents during business hours
We also have a CSIRT on campus, and a policy that allows us to disrupt network services to any device that represents a threat to the university, if necessary without prior notification

15 Security Awareness
We provide security awareness presentations on demand and are in the process of distributing a WebCT Vista security awareness course to campus users
We are working to have this electronic course distributed to all incoming freshman students as part of their “freshman communities” curriculum
We require everyone on campus processing sensitive information to take the course and achieve a passing score on the test that accompanies it
We are working with human resources staff members to include the course in their new employee orientations

16 Malware is Constantly Getting into Our Campus Networks
Having effective visibility of your network traffic, coupled with the ability to prevent a very high percentage of known malware from coming into your campus network, is critical
In cases where hackers do gain unauthorized access or zero-day malware infections occur, you need to be able to quickly detect the presence of malware, contain the spread, get the compromised system(s) off your network, and deter the attacker/threat from continuing or returning…
Implementing a defense-in-depth strategy that applies customized levels of protection to networked systems and devices is imperative in being able to successfully combat malware invasions and prevent data breaches
Behind the scenes, you must continually educate campus users and systems administrators, conduct security audits and risk analyses, and put systems (technology), policies and procedures in place that address access, authentication, authorization, protection of sensitive information, and regulatory compliance

17 Georgia State’s Security Architecture
In addition to AV on the desktops and/or servers, robust gateway AV scanning and anti-spam appliances… √
Dynamic blocking at the edge via IPS… √
Centrally-maintained “push” patch management √
IPS on desktops and servers √
Ability to mandate use of “strong” passwords, through a combination of policy and technology √
VPN required for remote access √
Encrypted data transmission √
Vulnerability assessment and risk analysis √
A SIM or central logging facility to gather the disparate data produced daily by firewalls, IDS, IPS, AV, etc., with data correlation and reporting
24/7 monitoring and incident detection/response

18 Security Architecture Continued
Regulatory compliance in ensuring minimum levels of security on networked devices processing sensitive info √
An online security awareness course (we used WebCT Vista) that can be distributed to faculty, staff, and students √
Establishment of secure, trusted zones that are separated from the rest of the network √
Access/authentication requirements on every wired port (except public access stations) and wireless areas √
Identity management system
Encrypted data on mobile systems (storage & transmission)

19 IPS at The Edge, Anyone?
We implemented McAfee’s Intrushield 4000 appliance in early 2005
We selected Intrushield because it allows us to create thousands of virtual ‘child’ domains with just one appliance, applying very granular, customized policies to protect networked devices. Unlike our ISS RealSecure IDS, which we still maintain for its auditing capabilities that allow us to easily detect IRC bots and compromised systems, the Intrushield IPS allows us to dynamically block attacks in real time, 24/7
We maintain an overall GSU policy that is applied to networked devices not housed under specific child domains. We also shield a group of high-risk devices with a very restrictive policy
We create child domains for various colleges and departments and allow them to specify additional things they want to restrict via their departmental policies, such as P2P applications
We provide training to campus systems administrators and allow them to obtain a child domain, maintain their own policies and gain access to the management console to view all activity in just their specific areas
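The slide above relies on IDS auditing to spot IRC bots. As an added example (not code from the presentation or from Georgia State), the following Python pass over constructed flow-style records flags the rendezvous pattern such auditing looks for: several distinct campus hosts connecting to the same external IRC server. The campus address range, IRC port list and threshold are assumptions.

```python
"""Flag the IRC rendezvous pattern an IDS uses to spot bots.

Added example, not from the presentation. Input is constructed flow-style
records (time src dst dport); the campus range, port list and threshold
are assumptions, not Georgia State's values.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")         # assumed campus address space
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
MIN_HOSTS_PER_SERVER = 3                  # distinct hosts on one server

# Constructed sample: three campus hosts join one external IRC server,
# one host uses another server, one web hit, one non-campus source.
SAMPLE_LOG = """\
2006-10-02T08:00:01 10.1.4.20 198.51.100.7 6667
2006-10-02T08:00:05 10.1.4.21 198.51.100.7 6667
2006-10-02T08:00:09 10.2.9.13 198.51.100.7 6667
2006-10-02T08:01:00 10.1.4.20 203.0.113.5 80
2006-10-02T08:02:11 10.3.1.2 198.51.100.9 6697
2006-10-02T08:02:30 192.0.2.8 198.51.100.7 6667
"""

def parse_records(text):
    """One tuple per non-empty line: (time, src, dst, dport)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(dport)))
    return records

def outbound_irc(records):
    """Campus hosts talking to IRC ports on non-campus addresses."""
    return [r for r in records
            if r[1] in CAMPUS and r[2] not in CAMPUS and r[3] in IRC_PORTS]

def suspected_c2_servers(records, min_hosts=MIN_HOSTS_PER_SERVER):
    """External IRC servers that several distinct campus hosts connect to.
    One person on IRC is normal; many unrelated hosts joining the same
    server is the rendezvous pattern of an IRC-controlled bot population.
    Returns {server: [hosts]} for servers at or over the threshold."""
    hosts_by_server = defaultdict(set)
    for _, src, dst, _ in outbound_irc(records):
        hosts_by_server[dst].add(src)
    return {str(dst): sorted(str(h) for h in hosts)
            for dst, hosts in hosts_by_server.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for server, hosts in suspected_c2_servers(parse_records(SAMPLE_LOG)).items():
        print(f"possible IRC C2 {server}: {', '.join(hosts)}")
```

The hit list is a starting point for the containment steps the deck describes (ticket, notification, quarantine), not a verdict on its own; lowering the threshold trades fewer missed bots for more legitimate IRC users to review.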

20 Intrushield

21 IPS on Desktops and Servers
We deployed ISS SiteProtector in 2003, a central console that can manage network, server, and desktop sensors. The network sensors perform the IDS function, and the server and desktop sensors have IPS capabilities built in
We began distributing desktop IPS clients in 2004 to residential students. From there, we provided them to staff maintaining campus labs and classrooms. Various systems administrators are in the process of deploying server sensors to protect their critical systems
We group desktop and server sensors by colleges and departments, and we also create sub-domains underneath these groupings that apply more granular policies to specific systems
We provide training to campus systems administrators and allow them to manage their sensor groups, distribute and install sensors, maintain their own policies and gain access to the management console to view activity in just their specific areas

22 ISS SiteProtector

23 Managed Antivirus
We distribute Symantec antivirus to all Windows and Mac systems on campus and allow users to install it on remote systems as well
We provide a managed client that allows us to “push” AV updates as they come out and to group the clients by the college or department they fall into. We also provide an unmanaged client for our remote users
We provide targeted information about worms and viruses to campus administrators, and plan to allow them access to their own groups on our management console once Symantec releases the ability to distribute management of AV clients

24 Symantec Antivirus

25 Defense In Depth Strategy
The challenge we all face in seeking to protect customer information and university technical resources is achieving a delicate balance between applying controls and utilizing these resources at optimum levels of efficiency and effectiveness
From 2000 to the third quarter of 2004, we layered existing technological solutions and devised processes that often required the active participation of the campus community, and we found that we could not stem the tide of blended malware threats that managed to evade our controls
The emergence of IPS at the edge, on servers and desktops, along with regulatory requirements that mandate minimum levels of security, has evolved our efforts to allow us to be more proactive and to manage security efforts “end to end” on the network, rather than exist in a purely reactive mode. These controls are for the most part transparent to our campus community, as we do not deploy some of the more intrusive measures these solutions are capable of.

26 Defense in Depth Cont.
We constantly devise policies and processes that can be instituted to better protect network devices, more often than not without user intervention
We focus on educating staff, faculty, and users about policies, mandated requirements, and the threats and vulnerabilities they will encounter when they utilize systems connected to the internet…
We’ve achieved a measure of success at this point, but we continue to examine new technologies that surface, such as ‘self-defending networks’ and complex ones such as ‘IDMS’, to allow us to mitigate the effects of mobile users bringing infected systems to campus and to address access/authentication issues

27 Of Interest To Higher Ed Information Security Staffs
The EDUCAUSE Security Task Force and a wealth of downloadable content: www.educause.edu/security
The Security Professionals Conference Archive: http://www.educause.edu/securityconference
Research and Education Networking Information Sharing and Analysis Center: http://www.ren-isac.net/
Privacy Rights Clearinghouse, A Chronology of Data Breaches: http://www.privacyrights.org/ar/ChronDataBreaches.htm

28 Case Studies of Interest to Higher Ed Practitioners
“When Bots Attack,” Baseline Magazine’s April 2006 Issue (discusses Auburn University’s experiences with IRC Bots): http://www.baselinemag.com/current_issue/0,1542,i=1818,00.asp
“Remote Control Wars,” SC Magazine’s June 2006 Issue (discusses a defense-in-depth approach to mitigating the bot threat): http://www.scmagazine.com/us/news/article/562997/remote+control+wars
“Attack of the iPods,” CSO Magazine’s May 2006 Issue (discusses the threat of malware implanted on iPods, MP3 players and USB devices): http://www.csoonline.com/read/050106/ipods.html
“Security Survival Guide,” Baseline Magazine’s May 2006 Issue (discusses tips and techniques to survive the malware onslaught): http://www.baselinemag.com/article2/0,1540,1962511,00.asp
“Invasion of the Computer Snatchers,” Washington Post, February 2006 article (discusses the methods by which hackers are commandeering computers to steal sensitive data, send spam, etc.): http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html
Bruce Schneier on Security, a weblog covering security and security technology: “University Networks and Data Security,” September 2006: http://www.schneier.com/blog/archives/2006/09/university_netw.html

29 Questions?
Copyright Tammy L. Clark, October 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

