© 2006 The Trustees of Boston College   Slide 1 Staying Out of the Security Headlines Educause Security Professionals Conference Track 4 Wednesday,

© 2006 The Trustees of Boston College   Slide 1 Staying Out of the Security Headlines
Educause Security Professionals Conference, Track 4, Wednesday, April 12, :00 a.m. - 11:00 a.m., Denver Ballroom 4
» David Escalante, Director of Computer Policy & Security, Boston College
» Cathy Hubbs, Information Technology Security Coordinator, George Mason University

Slide 2 Introduction
» Part I
  o Boston College, Anatomy of an Incident and Managing It
» Part II
  o George Mason University, Refining Incident Response
» Boston College
  o We didn't stay out of the headlines (75+ news outlets)
  o So why pay attention to me (or Cathy)?
    - Management of the incident was largely successful, and
    - The headlines missed things or got things wrong in a way that favored us instead of making us look bad
    - Learning through the experience of others is less painful
» NOTE: slides do not necessarily reflect content of talk
  - Let's go over what happens…

Slide 3 Know where your data is
» "…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know." -- Don Rumsfeld, Secretary of Defense, 2002

Slide 4 Know where your data is (2)
Post-incident research revealed that 9 of 11 outside data providers weren't handling BC sensitive data properly.

Slide 5 Different KIND of Incident
» Recognize that a breach of confidential data covering many people is fundamentally different from your typical incident that affects one or more computers, but not thousands of people's lives.
» There will be legal, notification, and other issues you will need help on, fast.

Slide 6 The users know more than you
» Where the data is, where the "bodies are buried"
» How the data got to its present state
» Local operational procedures
» Contacts with their vendors
» How to interact with their particular customers
» Ignore users at your peril -- there's a difference between managing the incident from a computer perspective and stepping outside your comfort area and managing the whole thing

Slide 7 Have a flexible incident response team
» Also consider having a separate team for incidents of this magnitude
» Escalante's talk last year at this conference on incident response teams with Calvin Weeks covers flexible incident response in more detail, see D=SPC0563

Slide 8 Know how to do computer forensics
» You will have to figure out what happened in order to formulate a response.
  o The press and public are not kind to those who delay in reporting these incidents, management will want to know what happened, and you won't have a lot of time to work through the forensics.
  o Alternately, have a pool of money and identified outside resources for rapid response.
» Also, know how to keep operations running in the face of the investigation, or at least recover systems and operations quickly.

Slide 9 Know your Lawyer/General Counsel
» The General Counsel's office will not be happy.
  o It's much better to have an unhappy friend in this case than an unhappy stranger.
» They should be able to tell you what to do and what to say to preserve evidence, not get the school in trouble, respond to outside parties who are being a pain, and many other contributions.

Slide 10 Know Your Local Law Enforcement Officials
» InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in It was a local effort to gain support from the information technology industry and academia for the FBI's investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters.
» The concept of task forces has been around for many years and has proven to be quite successful… The Secret Service developed a new approach to increase the resources, skills and vision by which local, state, and federal law enforcement team with prosecutors, private industry and academia to fully maximize what each has to offer in an effort to combat criminal activity. By forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. The New York Electronic Crimes Task Force (NYECTF) was formed based on this concept and has been highly successful since its inception in On October 26, 2001, President Bush signed into law H.R. 3162, the PATRIOT Act. In drafting this particular legislation, Congress recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age. As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces based upon the New York model that encompasses this philosophy. The Electronic Crimes Task Force has grown from a few dedicated individuals to a group of hundreds of industry as well as local, state and federal law enforcement members throughout the country. At a recent meeting in New York, there were over 500 members in attendance.

Slide 11 Figure Out How You'd Handle Extraordinary Volumes
» Mail
» Phone
» Inquiries
» BC chose to outsource the mailing and keep the phone response in-house. At peak times, we ran out of phone lines and/or people to man them.
» You will need a system to triage calls and other inquiries
  o You will have a lot of them. Some of them will be very important. Some won't. Some will want to speak to "the manager", some won't. In BC's case, the affected department did a good job of handling this.

Slide 12 Phone Situation
Letters mailed Monday

Day         (800) line calls
Tuesday        74
Wednesday     302
Thursday      640
Friday        825
Saturday       53
Sunday          5
Monday        517
Tuesday       309
Wednesday     155
Thursday      170
Total       3,050

lines mapped off T1

Slide 13 Deleting Users
» The scripts need to have a defined escalation procedure for some situations.
» You can defuse some tension by researching whether or not you have a way to remove people from "the system". BC didn't do this in very many instances, but for some people nothing else would do, and it was nice to have as an ultimate fallback.

Slide 14 The Letter
» You need to communicate directly with the parties affected.
» Usually you get one message, a letter or e-mail. So it had better be good.
» Lots of people will want input on this communication
  o Public Affairs
  o General Counsel
  o Affected Department
  o …you get the idea
» Editing the letter
» Signing the letter
» Editing the talking points

Slide 15 The Press
» Know your Public Affairs staff and the local press who report on computer stories.
» The press aren't usually out to get you; they want to convey accurate information.
  o If possible, they'd also like a "scoop"
  o If there's no "scoop," there's less press interest

Slide 16 The Press (2)
» Boston College, Calif. State University computers hacked
  o School officials say the hackers apparently weren't after personal data
» BC warns its alumni of possible ID theft after computer is hacked
  o College officials say they have no reason to believe the intruder was looking for personal information to steal; instead, the attacker planted a program that would enable him to use the computer to launch attacks on other machines. But the school is taking no chances, because of the sensitive information stored on the computer.
» George Mason University suffers security breach
  o George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

Slide 17 The Slime
» Does "ambulance chaser" apply outside the legal field?
» There are a lot of security vendors
  o They will all be able to help you
  o If you had their product, you wouldn't have had a problem
» Other parties, such as credit bureaus or banks, where you might expect to get some help, see you as a profit opportunity

Slide 18 Keep Appropriate Parties Informed
» Regardless of the fact that you're a security person, it is IMPERATIVE that you keep your management, university management, and other parties involved up to date -- you are most likely not the president or VP, not the owner of the data, and not in charge of the university's reputation.
» Those people need
  o frequent updates,
  o to give you guidance, and
  o specialized guidance from you on the technical issues.
» In return, they will take a lot off your back

Slide 19 After the Chaos Dies Down
» …the real work begins
» Culture change time
» Data classification policy
  o Helps review data in the field
» Review relationships with third parties
» Auditors, auditors, auditors

Slide 20 Summary
» Build key relationships in advance with legal, law enforcement, the press, and others
» Have a forensics capability, in-house or outside
» Work with others, possibly as part of Business Continuity Planning, on how to handle large-volume communications that have to be hands-on, where a web site is not sufficient
» Drive some type of data classification that assigns explicit responsibility to operational departments of the school
» Evaluate your third party and partner relationships with extreme care from a security perspective, and review what's in any data feeds your central systems send out

Road map
- Mason's landscape
- Current Defense Measures
- Incident Handling History
- Refining Central IT Incident Handling Procedures

About Mason
- Public University. Main campus in Fairfax, Virginia, is 2 miles from regional interstates and 20 miles from Washington, D.C.
- Nearly 30,000 students and 7,000 staff and faculty.
- Four campuses in four counties (5th campus in UAE).
- Part of Internet2-Abilene and National Lambda Rail.
- Central IT Organization: Information Technology Unit (ITU)

ITU Organization

Current Elements of Defense
- Policies: RUC, Stewardship, Public Internet Address, Wireless Networking
- People: Security Awareness, Community Involvement through Groups
- Host & Application: Managed Desktops (M.E.S.A.)
- Network: ResNet Quarantine System, Firewalls, Unified Threat Management

Mason's Incident Response History
- VP of Information Technology initiative.
- Began taking shape summer 2004 through fall
- Researched government and university incident handling procedures.
- Consensus: Computer Security Incident Response Team (CSIRT)

CSIRT: Two Teams
1. Technicians' responsibilities
   - First to respond and evaluate the situation.
   - Preserve the evidence while investigating.
   - Contain the problem.
2. Executives' responsibilities
   - Report incidents to VITA per Commonwealth Legislative Directive, Code of Virginia § G
   - Create a unified communication strategy.

Ready or not…
- January 2005: ID Server incident occurs
- Teams are activated
- Unfortunately we still make the NEWSPAPER HEADLINES

Media Scrap Book Memories
- JANUARY 10, 2005 (COMPUTERWORLD) Hacker compromises data at George Mason University. Private information on 32,000 students and staff was compromised.
- JANUARY 10, 2005 (CNET News) Hackers steal ID info from Virginia university. George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.
- JANUARY 11, 2005 (USA Today) Hackers capture info from George Mason U.
- JANUARY 11, 2005 (Washington Post) Vital Files Exposed In GMU Hacking. A computer hacker apparently broke into a George Mason University data base containing student and employee Social Security numbers, leaving 32,000 people uncertain whether their finances or identities might be compromised.
- JANUARY 13, 2005 (WASHINGTON POST) George Mason Officials Investigate Hacking Incident
- JANUARY 10, 2005 (ZDNET UK) University suffers massive ID data theft
- JANUARY 25, 2005 (THE HILL TOP) Hacking at George Mason Stirs Concerns at Howard. Some students at Howard University are wondering if they, too, could be at risk for identity theft after a recent incident at George Mason University in which a computer hacker broke into the data base by entering password after password.

Outcome of ID Server Incident
- Communication, collaboration and community prevail.
- Mason police maintain important relationships with agencies that focus on cybersecurity.
- Mason establishes a relationship with a company specializing in forensics and risk management.
- Experience a spike in reports of suspected compromised machines.
- Opportunity to review incident handling procedures.

Refining the process: Institutionalize
- Responsibility and ownership.
  - "Cyber Security on Campus" Executive Awareness Video
- Define incident handling objectives; focus ITU.
  - Who should be involved?
  - What are the objectives?
  - When should the incident response team be activated?
  - Why formalize the incident handling process?

Who is involved?
- CSIRT-Execs: VP IT, President and VP of University Relations; advisors from Human Resources, Legal, Safety, and Police.
- CSIRT-Techs: Server Support Group, Network Engineers, Support Center, Desktop Support Services.
- CSIRT-Techs communicate findings to CSIRT-Execs; CSIRT-Execs provide direction.

What are CSIRT-Techs' main objectives?
- First response.
- Evaluate the situation. Is it an incident?
- Preserve the evidence.
- Contain the problem.

Incident Classification Guide

Level | Urgency   | Response | Unit    | Characteristics                               | Example                                                          | Likelihood of a call at SC
0     | Standard  | 16 hours | DSS*    | Annoyance or inconvenience for a single user  | Low-impact virus or spyware                                      | Very Likely
1     | Immediate | 8 hours  | DSS*    | Compromises non-sensitive data for a single user | Malicious virus                                               | Likely
2     | Immediate | 8 hours  | DSS*    | Compromised account access for a single user  | Faculty/staff's account has been shared                          | Likely
3     | Immediate | 8 hours  | CSIRT** | Compromised sensitive data for a single user  | Faculty's desktop with names and grades on it. Credit card information. | Likely
4     | Immediate | 8 hours  | CSIRT** | Affects data or services for a group          | Banner Security Officer account compromised                      | Rare
5     | Emergency | 4 hours  | CSIRT** | Large segment of university                   | ID Server hacked into                                            | Very Rare

*DSS: Desktop Support Services
**CSIRT: Computer Security Incident Response Team

Support Center Procedures (Updated: 02/20/06)
1. Customer contacts the SC.
2. Is it Faculty/Staff?
   No  -> Inform the student to seek professional help.
   Yes -> Consult the matrix to determine the classification.
3. Is it Level 0?   -> Assign incident: Urgency Level = Standard, Group = DSS. Clean workstation. Close incident.
4. Is it Level 1-2? -> Assign incident: Urgency Level = Immediate, Group = DSS. Call DSS.
   Is there a compromise?
   No  -> Clean workstation. Close incident.
   Yes -> Call CSIRT contact & activate CSIRT phone tree.
5. Is it Level 3-4? -> Assign incident: Urgency Level = Immediate, Group = CSIRT. Call CSIRT contact & activate CSIRT phone tree.
6. Is it Level 5?   -> Assign incident: Urgency Level = Emergency, Group = CSIRT. Call CSIRT contact & activate CSIRT phone tree.

When to activate CSIRT
- If a compromised computer is suspected or confirmed to contain highly sensitive data.
- If a computer with a Mason IP address is probing another Mason computer.
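The classification matrix, the Support Center flow and the activation rules above, encoded as one triage helper. This is an added example, not Mason's own tooling; the Report fields and the mapping from an incident's characteristics to its matrix level are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List

# Classification matrix from the slide: level -> (urgency, response hours, unit, likelihood of a call).
MATRIX = {
    0: ("Standard", 16, "DSS", "Very Likely"),
    1: ("Immediate", 8, "DSS", "Likely"),
    2: ("Immediate", 8, "DSS", "Likely"),
    3: ("Immediate", 8, "CSIRT", "Likely"),
    4: ("Immediate", 8, "CSIRT", "Rare"),
    5: ("Emergency", 4, "CSIRT", "Very Rare"),
}
ACTIVATE = "Call CSIRT contact & activate CSIRT phone tree"


@dataclass
class Report:
    """What the Support Center learns on the call (field names are this example's assumption)."""
    faculty_or_staff: bool
    scope: str = "user"                     # "user", "group" or "university"
    sensitive_data: bool = False            # names and grades, card numbers, SSNs on the machine
    account_compromised: bool = False       # e.g. a shared faculty/staff account
    data_or_service_affected: bool = False  # non-sensitive data or a service for one user
    probing_mason_hosts: bool = False       # Mason IP probing another Mason computer
    compromise_confirmed: bool = False      # DSS found the machine really is compromised


@dataclass
class Assignment:
    level: int
    urgency: str
    response_hours: int
    group: str
    actions: List[str] = field(default_factory=list)


def classify(r: Report) -> int:
    """Pick the matrix level from the report's characteristics, worst case first."""
    if r.scope == "university":
        return 5                            # e.g. the ID server incident
    if r.scope == "group":
        return 4                            # e.g. a Banner security officer account
    if r.sensitive_data:
        return 3
    if r.account_compromised:
        return 2
    if r.data_or_service_affected:
        return 1
    return 0                                # annoyance: low-impact virus or spyware


def triage(r: Report) -> Assignment:
    """Walk the Support Center flow: who owns the ticket and what happens next."""
    if not r.faculty_or_staff:
        # Students are outside the flow and are referred elsewhere.
        return Assignment(-1, "n/a", 0, "n/a", ["Inform student to seek professional help"])
    level = classify(r)
    urgency, hours, group, _likelihood = MATRIX[level]
    a = Assignment(level, urgency, hours, group)
    if group == "CSIRT":
        a.actions.append(ACTIVATE)          # levels 3-5 go straight to the phone tree
        return a
    if level > 0:
        a.actions.append("Call DSS")        # levels 1-2 are handled by Desktop Support
    # "When to activate CSIRT": a confirmed compromise or a probing host escalates a DSS case.
    if r.compromise_confirmed or r.probing_mason_hosts:
        a.actions.append(ACTIVATE)
    else:
        a.actions += ["Clean workstation", "Close incident"]
    return a
```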

Server Support Group and NET
- Initiate a Magic (help desk system) ticket.
- ID the suspected computer.
- Alert CSIRT by telephone.

Everyone
- Remain calm and professional while investigating suspected and confirmed incidents.
- Main objectives are to
  - Preserve the evidence.
  - Contain the problem.
  - Limit all discussions regarding incidents to those directly involved.

Community Message re: CSIRT?
If you suspect that your computer has been compromised you should:
- Stop what you are doing with the computer.
- Call the ITU Support Center.

Why formalize Incident Handling?
- Preparedness
  - Define roles and responsibilities.
  - Everyone knows what to do and when to do it.
- Metrics
  - Tickets provide a tracking system.
  - Repeat offenders.
  - Trends.

Resources
- Educause Data Notification Checklist and more
Questions? Cathy Hubbs, David Escalante