Automating Endpoint Security Policy Enforcement Computing and Networking Services University of Toronto

Computing and Networking Services University of Toronto Unmanaged ‘Endpoints’ Systems not proactively managed by University IT staff:  7000 student residents – Sept & Jan overload.  active unique wireless user accounts. Subject to:  Missing OS updates, missing/expired AV protection, unsupported/pirated OS/SP.  Already compromised – spyware, V / W / T.

Computing and Networking Services University of Toronto Automation Framework Network Isolation VulnerabilityDetectionRemediation Missing Patches ↔ user - WindowsUpdate Missing Patches ↔ user - WindowsUpdate … ↔ … … ↔ … CompromiseDetectionRemediation V / W / T ↔ user – SAV scan V / W / T ↔ user – SAV scan … ↔ … … ↔ …

Computing and Networking Services University of Toronto Isolation  IP based – DHCP using two address pools, routable and non-routable (SWU Netreg) with full DNS.  HTTP control (Squid) – configure access for users in restricted zone.  Dynamic firewall port control (IPtables) – block services in restricted zone – except for IDS test interval

Computing and Networking Services University of Toronto Detection Framework  Active  Scanning from external source, eg. Nmap, Nessus.  Passive  Monitoring network traffic, eg. Tcpdump, Snort.  Agent  Client software, continuous or run-once.

Computing and Networking Services University of Toronto Detection Implementation Vulnerability  Missing critical patches: MBSA (cli version)  Missing antivirus: registry check and wmic  Weak passwords: John the Ripper  Insecure user configuration: user privileges, AutoUpdates, root cert audit Compromise  Virus/worm/trojan: IDS (Snort, TCPView), Microsoft MSR*  Spyware: Spybot cli  Rootkit: RootkitRevealer

Computing and Networking Services University of Toronto Remediation Vulnerability  WindowsUpdate (user)  Install SAV (user)  Weak passwords (user)  Insecure user configuration (user-run wizard) Compromise  Virus/worm/trojan: SAV scan, TrendMicro Sysclean, Microsoft MSR MSR  Spyware: (user-run Spybot)  Rootkit: (assisted )

Computing and Networking Services University of Toronto Tools in Detail Wizard UI  CLI utilities wrapped using open source Windows installers: NSIS, InnoSetup.  Provides familiar wizard user interface for detection/remediation tools.  Provides ‘run-once’ function – no installation required.  API includes registry read/write, cookie writing.  Two formats – stand-alone and server integration. MBSA  Detection of all critical updates available day of release, also detects updates to existing versions. Detection

Computing and Networking Services University of Toronto Tools in Detail Password Audit  Checks for blank password, password=username, dictionary lookup of words found in blended threats. Checks IDS  Snort check for host/port scan (20 sec. sample) Note: Isolation opened up to allow client server connections. Snort  TCPView check for excessive SYN rate. TCPView

Computing and Networking Services University of Toronto Applications - ESP  integration of isolation, MBSA detection, user remediation. integration  admin functions: init registration cycle, isolation/block MAC, configure isolation access.

Computing and Networking Services University of Toronto Applications - HealthChk  integration of isolation, compromise detection for assisted detection and remediation.  admin functions: convenient access to external utilities.

Computing and Networking Services University of Toronto Applications - Future  Create a remote HealthChk system.  User runs detection and remediation tools remotely, support for Linux?  Other Applications?  Managed environment use – encourage users to use automated systems, no isolation, enforcement via reminders.

Computing and Networking Services University of Toronto More Information   