
1 Securing Unmanaged Computers
Solutions, Strategies and Effective Practices
Agenda:
- Costs of Security
- Residential Security Strategies/Case Studies
- Discussion of Georgia State University's Solutions and Practices
- Small Group Case Study Exercises
- Reference Materials

2 Why Care About Unmanaged Computers?
- Protecting user privacy: computers often contain personal, sensitive information.
- Limiting institutional liability: managing incidents after the fact is expensive.
- Reputation: these computers are part of your network domain and reflect on the institution.
- Bandwidth cost: compromised systems may be used to serve copyrighted material, which can consume a great deal of bandwidth.
- DDoS: large numbers of compromised computers are being used in distributed denial of service attacks.

3 What Is Security?
Security is a strategy that requires tools, policies and user awareness/education to be effective.
Security is an ongoing process. It does not end once a computer is given access to a network or information resource; that is where it begins.
For effective security:
- Assume your network is a perpetually hostile environment.
- Assume your weakest link is the user device (desktop/laptop).
- Develop proactive security strategies.

4 What Is Security?
The development of security practices at your institution may involve:
- Departmental and central IT services
- Faculty senate
- General Counsel
- Internal Auditing
- Security office, if one is designated
- Student technology support group (ResNet)
- Students

5 Security: Negative Deliverable
"Security is a negative deliverable. You don't know when you have it. You only know when you've lost it."
Jeffrey I. Schiller, MIT's Security Architect

6 Definition of Managed Computers
For this presentation, managed computer systems fall into one or more of these categories:
- Systems that are controlled through an automated mechanism that enforces certain aspects of the institution's security measures or policy.
- Systems that have professional IT staff assigned to "manage" them.
The trust bestowed upon a managed computer depends on:
- Risk assessment
- The degree to which it is managed
Note: managed computer systems may still have security issues!

7 Definition of Unmanaged Computers
For this presentation, an unmanaged computer system relies upon the owner of that system to do the right thing at the right time to secure it. At a higher education institution, different members of the community will potentially operate unmanaged computers:
- Student-owned computers
- Faculty-owned computers, particularly those used for research
- Staff computers may also fall into this category
- Personally owned computers connecting from home
- Guest computers, conference attendees

8 Forces Causing Unmanaged Computers
- Laptops are becoming ubiquitous on campus and wireless networks are commonplace.
- Institutions may not own the computer in question, as in the case of student computers or systems acquired through grants and research.
- Faculty research activity may prevent updates or changes from occurring.
- Institutions may have a culture where there is an "expectation" to work from home; how do we help manage those systems?

9 Solution Strategies
Solutions fall into these broad areas. A combination, dependent on your institutional environment, can offer an effective strategy:
- Network architecture
- Host-based firewalls
- Agent-based products
- Patch management and anti-virus
- Response and remediation strategies
- Effective practices and policies
  - NetAuth working group documents
- User education through security awareness and training

10 Network Architecture
Network design and segmentation. Network security devices can help secure unmanaged systems either proactively or reactively:
- Proactive devices block problems: intrusion prevention systems, firewalls, and router access control lists.
- Reactive devices identify systems that are vulnerable or already compromised: intrusion prevention, intrusion detection, vulnerability scanners, and packet shapers.

11 Host-based Firewalls
Running a firewall on the computer system provides additional protection. Techniques being used:
- Windows XP SP2 provides a basic firewall for Windows that is enabled by default.
- Other commercial products provide firewalls and host IPS with more advanced features than those found in SP2.
- Some institutions package a firewall product with anti-virus.

12 Agent-Based Products
These products install an agent program on the computer that validates configuration settings. The agent can be queried during authentication to the network to ensure compliance. Commercial products include Perfigo, Vernier, and BlueSocket; each can validate security settings for compliance before, during, or after authentication. Many institutions have developed their own agents.

13 Patch Management and Anti-virus
Anti-virus software with regular updates is essential. Promptly updating software to fix security vulnerabilities is a requirement for keeping an unmanaged computer system secure. Techniques available for Microsoft Windows:
- Enabling Automatic Updates on Windows XP and 2000
- Creating an institution-wide Windows update server and using it to update machines
- Using commercial patch management products such as BigFix and PatchLink
- Regularly scanning systems for compliance

14 Response and Remediation
Institutions need a business process to support the remediation of compromised systems. Some issues that must be considered:
- Do you have a policy that allows the institution to deny access to a compromised system?
- Under what circumstances do you deny access?
- Can remediation occur if access is denied?
- What assistance do you offer in fixing the system?
- How do you validate that remediation has occurred?
- How do you perform remediation in a timely fashion? What is the user's expectation?

15 Remediation Techniques
Examples of remediation techniques:
- CMU's NetNotify is a completely online system for managing remediation: http://www.net.cmu.edu/epidemic/
- Some institutions delay service: systems are kept off the network, which is used as a motivator for students to maintain security.
- Some institutions charge students to perform remediation.
- Some institutions trust students to confirm that remediation has occurred.

16 Effective Practices and Policies
The effective practices guide has a number of case studies that can help:
- IDS deployment: Notre Dame, MIT, U. Florida
- Vulnerability scanning: Purdue and Indiana
- Security architecture: UMich, GaTech, GMU
- Network registration/scanning: U. Conn.
- Router ACL: Cornell
- Firewall: Brown
- NAT: Bethune-Cookman, Purdue
- Wireless: Penn State, Purdue, Simon Fraser
http://www.educause.edu/EffectiveSecurityPracticesGuide/1246

17 NetAuth Working Group
The Internet2/NetAuth working group is focusing on issues of network authentication and federated wireless authentication.
The Salsa NetAuth whitepaper frames the issue and identifies solution strategies for typical residential network situations:
http://security.internet2.edu/netauth/docs/draft-internet2-salsa-netauth-summary-02.html

18 NetAuth Working Group
Work is beginning on defining a model and developing frameworks for future NetAuth systems, making NetAuth systems architectural components of a network rather than add-ons to existing systems. See the working group roadmap for a deeper investigation of this work:
http://security.internet2.edu/netauth/index.html#Docs

19 Security Awareness and Education
Education and awareness programs are critical in getting buy-in and understanding for these efforts to "protect" users and their systems.
EDUCAUSE has a CD containing materials that can give ideas for starting a security awareness program. Many institutions produce a security CD for their users; it will often auto-configure a computer to receive Windows updates and ensure that virus protection is installed and enabled.
http://www.educause.edu/Browse/645&PARENT_ID=639

20 The Costs of Attacks
Article: "Costs of virus cleanups goes up"
- United Kingdom blue chip companies' security costs: $213,000 per incident (2003), up from $52,000 per incident (2002)
- Corporate IT Forum survey: an average of 365 man-hours lost; one third reported over 3,000 man-hours lost
- Computer Crime and Security Survey: $65 million in DoS attacks; 82% reported virus incidents, costing $27 million
Source: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci941270,00.html

21 The Costs of Attacks
Article: "Colleges Face Rising Costs for Computer Security" (501 institutions surveyed)
Issues:
- Nearly 100% experienced a worm or virus in the past year
- 73% have seen an escalation
- 53% reported attempts to adversely affect their network
Concerns:
- Unauthorized access to financial and medical records
- Tension of closing a traditionally open society
Result:
- 39% do security awareness training for the user community
- 42% have Chief Information Security Officers
- Anti-virus, spam filtering and firewalls are almost universally used
http://chronicle.com/prm/weekly/v51/i17/17a00101.htm

22 The Costs of Attacks
Article: "Colleges Brace for the Next Worm"
The tipping point: Blaster, 5 weeks in summer 2003
- 19 research institutions: $299,579 on average
- Stanford University: $806,000, 18,460 repair hours
- University of Michigan: $543,000, 16,100 repair hours
- University of Chicago: $377,000, 9,000 repair hours
http://chronicle.com/free/v50/i28/28a02901.htm

23 Cost of Prevention
Use the figures to do your risk assessment:
- Don't do an ROI; this is prevention, not an investment
- Share the information about what can happen if you don't reduce your risks
- Identify your threats and your vulnerabilities

24 Security and the Support of Residential Communities
David Futey, Stanford University
EDUCAUSE/Internet2 Computer and Network Security Task Force
ResNet Steering Committee, Chairperson

25 A Question of Philosophy and Resources
If we were only a Fortune 500...
- Variety of solutions: registration, patch management appliances, client agents, scanning
- Policy that guides the solutions
- Resources to enact solutions
How and by whom are your residential students supported? A specific area (designated ResNet group) and/or part of overall IT services?

26 Recent Security Challenges
- Welchia: July 2003
- Blaster: August 2003
- Worms: ongoing
- Agobot/Gaobot: 2004
- Malware: 2004
- Adware: 2004
- Spyware: 2004
(Photo: Rodin, The Gates of Hell; D. Futey photograph)

27 Residential Security Priorities
- Protecting user privacy
- User education
- Responsible control and management
- Network integrity
- Institution integrity
- Limiting institutional liability

28 The Process
- Registration
- Detection: active, passive, agents
- Isolation
- Remediation

29 Security Options
Commercial:
- Microsoft Software Update Server
- Bradford Campus Bandwidth Manager
- Perfigo
- StillSecure Safe Access
Open source:
- Nessus: vulnerability assessment
- Snort: intrusion detection
Network segmentation

30 Security Options
Email:
- CanIt (http://www.canit.ca/)
- ClamAV for virus scanning (http://www.clamav.net/)
- BlueCat Networks Meridius Email (http://www.bluecatnetworks.com/products/meridius/index.html)
- Sophos (www.sophos.com)

31 Enterprise Anti-Spyware, Anti-Virus and Desktop IPS Options
Anti-spyware:
- Webroot Spy Sweeper Enterprise
- Ad-Aware SE Pro
Anti-virus:
- McAfee ePolicy
- Symantec version 10
Desktop IPS:
- ISS Proventia Desktop

32 Georgia State University
Perfigo (now Cisco) Clean Machines:
- Checked for running AV, ISS desktop IPS, and Windows updates
- Ran a Nessus scan to detect worms or familiar anomalies
AV and ISS policy signatures were automatically pushed to residents' computers.
At the edge of the network, we unidirectionally blocked P2P traffic coming in from the "outside" world; this stopped the copyright violation letters from watchdog agencies.
Incidents decreased dramatically.

33 Tufts University
ResNet installer:
- Checks for Windows Automatic Updates
- "Advises" students to enable it if not configured
Under evaluation:
- Provide services through a domain: access to file storage and resources; centrally evaluate patch level and virus definitions; the student must agree to the evaluation process for domain access
- Intel LANDesk: presently used for faculty and staff patch management; evaluating other utilities
At issue: sensitivity regarding "control" of the computer

34 University of West Florida
No registration utility at present:
- Switch ports mapped to rooms
- DHCP for IP assignment
Periodically scan the network for vulnerabilities (e.g. Sasser). De-activate computers that are not patched:
- A letter is delivered by the student's Resident Assistant
- Student contacts the ResNet office
- ResNet office patches the student's computer
- Student is educated on proper security measures
- Computer is re-activated

35 Iowa State University
New student computers are registered with Netreg:
- Computers are redirected to the Netreg web server when they are first connected.
- Students authenticate to Kerberos servers during the initial Netreg session.
If a Windows 2000 or XP computer is detected:
- Students are directed to download Computer Inspector
- Computer Inspector verifies connection standards

36 Iowa State University
Connection standards that must be met:
- Weak passwords
- Service pack levels
- Hotfixes
- Automatic Windows Updates
- Antivirus available
- Antivirus on-access scan
- Antivirus update
- Antivirus on-demand scan
Future:
- Enhancements to Computer Inspector
- Develop policy for student connectivity
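The kind of host check an agent such as Computer Inspector performs before a Windows 2000/XP machine is let past NetReg, as an added example in Python (not Iowa State's code and not from the slides). The policy values, the host report and the credential table are constructed for the demo; a real agent would read service pack and hotfix state from the registry, antivirus state from the AV product, and would test weak passwords with actual logon attempts rather than a lookup table.

```python
"""Added example: evaluate a host report against NetReg-style connection
standards (service pack, hotfixes, Automatic Updates, antivirus, weak
local passwords). All inputs below are constructed for the demo."""
from datetime import date

# Assumed policy values (the slide lists the categories, not the numbers).
POLICY = {
    "min_service_pack": {"Windows XP": 2, "Windows 2000": 4},
    # KB823980 = MS03-026 (RPC/DCOM, Blaster); KB835732 = MS04-011 (LSASS, Sasser)
    "required_hotfixes": {"KB823980", "KB835732"},
    "max_definition_age_days": 7,
}
# Guesses an agent can try against local accounts without ever reading a password.
WEAK_GUESSES = ["", "password", "123456", "admin"]

# Constructed host report for a machine that should fail.
SAMPLE_HOST = {
    "os": "Windows XP", "service_pack": 1,
    "hotfixes": {"KB823980"},
    "auto_update": False,
    "antivirus": {"installed": True, "on_access": False,
                  "definitions": date(2004, 8, 20)},
    "accounts": ["Administrator", "student"],
}
# Constructed credential table standing in for the real authentication call.
SAMPLE_CREDENTIALS = {"Administrator": "", "student": "student"}


def try_logon(user, password, credentials=SAMPLE_CREDENTIALS):
    """Stand-in for a LogonUser-style attempt: True if the guess is accepted."""
    return credentials.get(user) == password


def weak_password_accounts(accounts, logon=try_logon):
    """Accounts that accept a blank password, the username, or a common guess."""
    found = {}
    for user in accounts:
        for guess in WEAK_GUESSES + [user, user.lower()]:
            if logon(user, guess):
                found[user] = "blank" if guess == "" else "guessable"
                break
    return found


def evaluate(host, policy=POLICY, today=date(2004, 9, 1), logon=try_logon):
    """Return (check, detail) pairs for every connection standard the host misses."""
    failures = []
    required_sp = policy["min_service_pack"].get(host["os"])
    if required_sp is None:
        failures.append(("os", f"{host['os']} is not a supported OS"))
    elif host["service_pack"] < required_sp:
        failures.append(("service_pack",
                         f"SP{host['service_pack']} < required SP{required_sp}"))
    missing = sorted(policy["required_hotfixes"] - set(host["hotfixes"]))
    if missing:
        failures.append(("hotfixes", "missing " + ", ".join(missing)))
    if not host["auto_update"]:
        failures.append(("auto_update", "Automatic Updates disabled"))
    av = host["antivirus"]
    if not av["installed"]:
        failures.append(("antivirus", "no antivirus installed"))
    else:
        if not av["on_access"]:
            failures.append(("antivirus", "on-access scanning disabled"))
        age = (today - av["definitions"]).days
        if age > policy["max_definition_age_days"]:
            failures.append(("antivirus", f"definitions are {age} days old"))
    for user, why in weak_password_accounts(host["accounts"], logon).items():
        failures.append(("password", f"{user}: {why} password"))
    return failures


def compliant(host, **kwargs):
    return not evaluate(host, **kwargs)


if __name__ == "__main__":
    for check, detail in evaluate(SAMPLE_HOST):
        print(f"FAIL {check:13} {detail}")
    print("compliant:", compliant(SAMPLE_HOST))
```

The weak-password probe is the part worth copying: it never reads a password, it only asks the system whether a handful of guesses work, which is exactly what an agent with ordinary privileges can do.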

37 University of Twente, The Netherlands
New and unregistered students are quarantined:
- Must register
- Have access to patch and antivirus sites only
Quarantine if infected once on the network:
- Detected through infecting a honeypot, or by network operators
- Student corrects the problem and requests access to the routable network
- Option available once every 6 months

38 University of Twente
If a student is still infected or becomes re-infected:
- The honeypot detects it within 15 minutes in 95% of cases
- Staff intervene to determine status
- Possible re-installation by staff
Results:
- Reduction in external complaints
- Educates the university community

39 Swarthmore College
Site-licensed antivirus software; antivirus updates are centrally managed:
- ePolicy
- Automatic updates
- Client agent (1.3 MB) connects to the ePolicy server
- Virus event reporting
Email is scanned prior to delivery.

40 Hebrew Union College
- Small seminary, 4 locations: New York, Los Angeles, Cincinnati, Jerusalem
- 500 students, 230+ employees
- No student dorm access
- Limited public access labs: labs are locked-down W2K machines and thin client terminals

41 Hebrew Union College
- Students can NOT connect personal computers to the campus network
- Researchers and visiting scholars must let IT staff clean and patch their machines
- Limited staff, limited access
- Capital budget to upgrade the network to allow a Netreg-type solution

42 Stanford University
- Contact students prior to arrival and request installation of anti-virus software (CD provided, online sources)
- Students register their computer and review and confirm acceptance of the University and residential AUP
- BigFix for patch management
  - Concern by students about the information collected
  - Approval from the Chief Security Officer, General Counsel and Internal Audit may be required for changes in collected data
- RCC assists with remediation
- Stanford Security Self-Test tool

43 University of Massachusetts Amherst
Students register their computer and review and confirm acceptance of the University and residential AUP/conditions of use.
Safetynet:
- Infected systems are isolated at layer 2 or layer 3
- The Help Desk ticketing system is notified and email is sent to the student
- The student has access to the Help Desk ticketing system
- The student may self-remediate
- The software group approves restoration of service

44 ResNet Vulnerability Survey (n=94)
Have a tool to register students' computers: yes 85%; no, for lack of resources 3%; do not register 6%.
Registration tools in use:
- Homegrown utility
- Southwestern University NetReg (www.netreg.org)
- Bradford Campus Manager
- Perfigo
- Cisco switches with VMPS
- CMU NetReg

45 ResNet Vulnerability Survey
Have a tool to evaluate students' computers: yes 69%; no, for lack of resources 9%; still evaluating how others approach it 11%.
Evaluation tools in use:
- Homegrown utility
- Perfigo
- Nessus, or Nessus in combination with other utilities
- Bradford Campus Manager
- Microsoft SUS
Evaluate off-campus student laptops when they access through on-campus wireless: no 64%.

46 Georgia State University
Effective Practices and Techniques to Prevent Attacks and Intrusions

47 First, Some 2004 Statistics
- 2 million attacks launched against our systems each week
- 95% or more of the successful ones targeted Win2k or XP workstations; 5% aimed at servers and network equipment
- 580+ desktops ravaged by Sasser within a week's time; 250+ of these compromised by hackers within a day or two later
- 40-60 successful malware invasions per day on university and residential systems combined
- Reduced by 95% in late 2004, to 1 or 2 incidents a day

48 Most Common Threats
- Emailed worm attachments and URLs that install spyware and Trojan horses
- Exploited backdoors left behind by worms, used to get "root" and install hacker utilities
- Cracking weak passwords to get root
- Using automated exploits such as the RPC "DCOM" exploit to get root
- NT and Unix rootkits
- IRC hackers turning systems into bots for use in DDoS attacks or as warez servers
- Spam propagation through various exploits that install SMTP engines on workstations, and through mail servers misconfigured as open relays

49 Effective Practices and Solutions
In addition to AV on the desktops and/or servers:
- Robust gateway scanners √
- Control and restriction at the edge or on segments via a firewall
- Dynamic blocking at the edge via IPS √
- Centrally maintained patch management √
- IPS at the desktop, on servers, at the edge √
- Ability to mandate use of "strong" passwords, through a combination of policy and technology √
- VPN for remote access √
- Encrypted data transmission √
- Secure email and/or FTP
- Vulnerability assessment and risk analysis √
- A SIM or central logging facility to gather the disparate data produced daily by firewalls, IDS, IPS, AV, etc., with data correlation and reporting
- 24/7 monitoring and incident detection/response

50 Effective Practices and Solutions
- Taking advantage of current federal legislative requirements such as GLBA and HIPAA to enforce minimum levels of security on networked devices processing sensitive information √
- Developing a security awareness course (in our case in WebCT Vista) that can be distributed to faculty, staff, and students √
- Establishment of secure, trusted zones that are separated from the rest of the network √
- Access/authentication requirements on every wired port (except public access stations) and in wireless areas √
- Identity management
- Self-defending networks: endpoint security enforcement and compliance

51 Where Do You Start?
- With an external audit or risk assessment, if funding is available
- With a strategic plan that ties your security objectives in with your university's academic and IT goals
- With a tactical plan or roadmap that identifies the major risks, threats, and vulnerabilities on your network and what is needed to mitigate them, in both qualitative and quantitative measures
- With a detailed network security architecture design that provides defense in depth
- With the development of facilitating structures such as security committees, task forces, and incident response teams
- With a review of existing policies, procedures, guidelines, security technology in use, and regulatory requirements

52 Case Study Exercises
The following scenarios are found at many universities, and they require decisions based on staff resources, funding requirements, and, more often than not, political concerns. There are no right or wrong answers. Perhaps the best results will involve thinking outside the box and creative brainstorming without limitations.

53 Residential Computing
You're the ISO at a mid-sized college with 2,000 residential students who will be moving back to the dorms in the fall. The IT support people have warned you that they received calls the previous year about the network being unstable or crashing occasionally, and the network gurus stated that the cause appears to be related to worm outbreaks and problem systems in the dorms. They ask you to advise them on what to do to prevent that from happening this next academic year.
- What course of action would you suggest?
- Would you advise them to "turn off" P2P downloading or cap bandwidth? Why or why not?
- Would you require the students to install protective programs on their PCs such as AV or desktop firewalls? Why or why not?
- Would you advise the network gurus to separate the residential network from the campus network? Why or why not?

54 Selecting a Security Architecture
You're the new ISO at a small mid-western college with approximately 3,000 students and centrally managed information technology resources. On accepting the position you find that the only security mechanism in place at the college is antivirus software. The network staff tell you of numerous abuse complaints that came in through email about 1) systems on the network attacking external agencies and 2) a faculty member's web server that contained SSNs and other student information and was recently compromised, so you feel there is a need to better protect the university's information technology resources. However, when you suggest that the college invest in a commercial firewall solution you are familiar with, the CIO tells you there is no security budget available this fiscal year.
- What would you then suggest as a possible course of action?
- Would you focus on host security mechanisms or ACLs at the edge of the network? Why or why not?
- Are there any free or open source tools you would want to use for vulnerability assessments, IDS, firewalls, removal of malware, etc.? What are they?
- How would you engender support for funding commercial security solutions that you felt needed to be implemented?

55 Regulatory Compliance
Your Legal Affairs office informs you that there are HIPAA covered entities and business associate relationships on campus and that you have to ensure the university is in compliance with "the Security Rule." Your Comptroller is worried about GLBA and SOX (Sarbanes-Oxley). You have concerns about potential exposures of credit card transactions or FERPA data.
- What course of action would you recommend?
- Would you try to mandate security standards for those who are affected? Why or why not?
- Would you push through some new policies or standards? What types of policies or standards would you recommend or develop?
- How would you go about ensuring compliance?

56 Defending the Network
Charles, the network manager, wants to set up a Check Point firewall at the edge and on various segments of your mid- to large-sized university's decentralized network, and close ports or restrict services as needed. Campus departmental administrators would have to request exceptions to the firewall rules. Systems administrators on campus are in favor of an IPS solution that will allow you to institute dynamic blocking and protocol analysis. Others are telling your CIO that neither is a good solution and that both are too hard to deploy.
- What course of action would you recommend?
- Which solution do you feel is most effective, a network firewall or an IPS, and why?
- What factors would be most important in your decision-making process as to the type of solution you would choose?
- What factors would be most important in your decision-making process as to the specific solution you would select?

57 Reference Material
The remainder of this class guide is comprised of reference materials compiled by various university contributors.

58 Yale's Effective Practices and Policies
Unmanaged clients:
- Site-wide licenses for Symantec Anti-Virus and Spy Sweeper
- Multiple campus SUS/WUS (now WSUS) patch/update servers
- Education and awareness (website, guides, training)
Network:
- IDS deployment: Snort IDS, bidirectional or RIDS
- Vulnerability scanning: ISS and Nessus
- Security architecture: internal firewalls, some RFC 1918 addressing
- Network registration/scanning: NetReg system with scanning
- Router ACL: some ports blocked at the Internet router
- Firewall: external router ACL plus PacketShaper, internal firewalls
- NAT: currently no global NAT, but local NAT routers
- Wireless: MAC-registered DHCP, VPN

59 Network IDS Effective Practices and Policies
IDS deployment:
- Inside the Internet router (mirrored port)
- Outside critical server networks (email, web, DB)
- At the border of sensitive networks (Police, Hospital/Medical Labs)

60 Network IDS Effective Practices and Policies
IDS usage:
- Bidirectional or RIDS (Reverse Intrusion Detection System)
- Look for attacks emanating from your network(s) outbound, as this tells you which computers are infected or under malicious control
- Also look for services (FTP, SSH, email, web proxy, IRC) running on internal computers on non-standard ports
- Look for PCs sending infected or spam email
- Look for computers scanning network IP ranges or port ranges
- Look for IRC "bot" drones (on rogue channels or servers, running XDCC)
- Look for login failures (better done with a HIDS or log analysis on client PCs, servers and authentication services) or similar errors

61 Network VAT Effective Practices and Policies
VAT (Vulnerability Assessment Tools): ISS and Nessus
- Get a policy allowing network vulnerability scanning.
- Notify the community.
- Scan for one or a few vulnerabilities if doing a network-wide scan.
- Scan for vulnerabilities currently being exploited and/or for which warnings and patches have just been announced.
- Scan for the most commonly found and exploited vulnerabilities (SANS Top 20).
- Notify the owners/users of vulnerable computers.
- Follow up.
- Rescan on a regular basis (monthly).

62 Network Architecture Effective Practices/Policies
Network security architecture:
- Firewalls
- IPS
- Packet shaping / bandwidth management / QoS guarantees
- Router ACLs
- RFC 1918 IP subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- VLANs
- Switches

63 NetFlow
"NetFlow technology efficiently provides the metering base for a key set of applications including network traffic accounting, ..."
A data export mechanism that records information about router flows:
- Src/dst IP, port, etc.
- Bytes
- No packet content is logged

64 NetFlow
NetFlow exports a LOT of data, especially if you have big fat pipes:
- Need a quick system to process it all
- Must rotate and summarize data frequently
- Substantial upfront time to install, configure, and optimize
- But once you have it, there is no going back

66 NetFlow Add-ons and Tools
Several commercial and freely available tools manipulate and develop reports from NetFlow data:
- FlowScan: http://www.caida.org/tools/utilities/flowscan
- flow-tools: http://www.splintered.net/sw/flow-tools

67 NetFlow Add-ons and Tools
Argus is a separate system (it does not use NetFlow data but captures packets in promiscuous mode) that can obtain similar, more detailed results: http://www.qosient.com/argus

68 NetFlow Caveats
Great tool for detecting denial of service attacks:
- However, it is prone to data loss under abnormal load
- Visual analysis is often the most efficient detector
Great tool for post-incident analysis, provided the data has not been cycled off the system.

69 NetFlow Caveats
As links become faster, many flow exports are sampled:
- You get a statistical representation of the data across your network
- Still useful for capacity planning and DoS detection, but of limited use for forensic purposes
Not necessarily the first tool in your toolkit, but an invaluable one to complement all the others.

70 NetFlow Graphs: Detecting Anomalies (graph slide)

71 NetFlow Graphs: Detecting Anomalies (graph slide)

72 Example: flow-print data
srcIP            dstIP            prot  srcPort  dstPort  octets  packets
80.116.163.85    xxx.yyy.131.204  17    3111     1434     404     1
81.3.162.10      xxx.yyy.131.182  17    1514     1434     404     1
200.74.27.228    xxx.yyy.131.246  6     447      8080     40      1
200.74.27.228    xxx.yyy.131.246  6     64068    80       40      1
200.74.27.228    xxx.yyy.131.246  6     50265    3128     40      1
142.179.169.213  xxx.yyy.131.178  17    1126     1434     404     1
213.60.21.96     xxx.yyy.131.171  17    1923     1434     404     1
212.180.2.68     xxx.yyy.131.114  6     63559    41544    40      1
200.29.164.162   xxx.yyy.131.233  17    1051     1434     404     1
202.103.13.62    xxx.yyy.131.35   6     9001     30185    40      1
213.119.233.63   xxx.yyy.131.7    17    1246     1434     404     1
216.51.150.219   xxx.yyy.131.7    17    1157     1434     404     1
24.112.24.160    xxx.yyy.131.122  17    1129     1434     404     1
(prot 17 = UDP, 6 = TCP.) Two patterns stand out even without payload: the single 404-octet UDP datagrams to port 1434 are exactly the on-the-wire size of SQL Slammer (376-byte payload plus 8-byte UDP and 20-byte IP headers), and the single 40-octet TCP flows are bare SYNs, here an open-proxy scan of one host on 8080, 80 and 3128 from 200.74.27.228 plus isolated probes of high ports.

73 Darknets
Combining NetFlow with knowledge of the network infrastructure can improve network awareness:
- Malware generally scans local address space preferentially
- Many organizations have unused network address space
Analyzing traffic destined for these unused networks is a valuable detection tool.

74 Network ACLs Effective Practices and Policies
External / Internet network router ACLs:
- Anti-spoofing ingress: discard RFC 1918 and all other bogus source IPs (including your own public addresses arriving from outside)
- Anti-spoofing egress: only allow your public IPs as source IP ("Good Neighbor Policy")
- Block broadcast and other obvious DoS attacks (detect SYN floods?)
- Block Windows networking (TCP/UDP 135-139, 445, 42) and SunRPC/NFS
- Block other ports you consider dangerous (1433/1434, 23, 25)
- Limit SMTP inbound/outbound to known email servers?

75 Darknets
Since the darknet address space is unused, traffic destined there is at least spurious and probably malicious.
- Local hosts connecting to this space are likely infected, or at least misconfigured
- Addresses at the top and bottom of ranges are often scanned first; much malware still scans sequentially

76 Darknets
Non-local hosts connecting to this address space provide interesting situational awareness:
- Current scanning trends
- Possible perimeter defense weaknesses or misconfigurations
- Network reconnaissance analysis
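A small flow analyser in Python, added here as an example that is not part of the slides, tying together the flow-print record format of slide 72, the "look for computers scanning" advice of slide 60 and the darknet idea of slides 73-76. The flow records are constructed to resemble the slide's table (the xxx.yyy prefix is replaced with the documentation range 198.51.100.0/24); the campus block and the darknet block are assumed values for the demo.

```python
"""Added example: three detections over flow-print style NetFlow records.
  * Slammer-sized datagrams: single 404-octet UDP flows to 1434.
  * Scanners: sources sending probe-sized TCP flows (a bare header per packet)
    to many hosts on one port (sweep) or many ports on one host (port scan).
  * Darknet hits: anything aimed at an unused block, split into local sources
    (likely infected or misconfigured) and external sources (recon trends).
All records and prefixes below are constructed for the demo."""
import ipaddress
from collections import defaultdict

# Constructed sample in flow-print column order.
SAMPLE_FLOWS = """\
srcIP dstIP prot srcPort dstPort octets packets
80.116.163.85 198.51.100.204 17 3111 1434 404 1
81.3.162.10 198.51.100.182 17 1514 1434 404 1
200.74.27.228 198.51.100.246 6 447 8080 40 1
200.74.27.228 198.51.100.246 6 64068 80 40 1
200.74.27.228 198.51.100.246 6 50265 3128 40 1
198.51.100.77 198.51.100.201 6 1063 445 40 1
198.51.100.77 198.51.100.202 6 1064 445 40 1
198.51.100.77 198.51.100.203 6 1065 445 40 1
198.51.100.77 198.51.100.254 6 1066 445 40 1
198.51.100.9 203.0.113.4 6 2012 80 1432 3
"""

LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")    # assumed campus block
DARKNET = ipaddress.ip_network("198.51.100.192/26")     # assumed unused block


def parse_flows(text):
    """Parse flow-print output: a header line, then whitespace-separated columns."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "srcIP":
            continue
        src, dst, prot, sport, dport, octets, packets = parts
        flows.append({"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "prot": int(prot), "sport": int(sport), "dport": int(dport),
                      "octets": int(octets), "packets": int(packets)})
    return flows


def find_slammer(flows):
    """Sources of single 404-octet UDP datagrams to 1434: SQL Slammer's wire size
    (376-byte payload + 8-byte UDP header + 20-byte IP header)."""
    return sorted({str(f["src"]) for f in flows
                   if f["prot"] == 17 and f["dport"] == 1434
                   and f["packets"] == 1 and f["octets"] == 404})


def find_scanners(flows, min_targets=3):
    """TCP flows of at most 40 octets per packet carry no payload (SYN probes)."""
    horizontal = defaultdict(set)   # (src, dport) -> distinct destination hosts
    vertical = defaultdict(set)     # (src, dst)   -> distinct destination ports
    for f in flows:
        if f["prot"] == 6 and f["octets"] <= 40 * f["packets"]:
            horizontal[(str(f["src"]), f["dport"])].add(str(f["dst"]))
            vertical[(str(f["src"]), str(f["dst"]))].add(f["dport"])
    return {"sweeps": {k: sorted(v) for k, v in horizontal.items() if len(v) >= min_targets},
            "port_scans": {k: sorted(v) for k, v in vertical.items() if len(v) >= min_targets}}


def darknet_hits(flows, local=LOCAL_NET, darknet=DARKNET):
    """Return (local_sources, external_sources), each mapping a source address to
    the sorted (protocol, dst port) pairs it aimed at the unused block."""
    local_src, external_src = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["dst"] in darknet:
            bucket = local_src if f["src"] in local else external_src
            bucket[str(f["src"])].add((f["prot"], f["dport"]))
    return ({k: sorted(v) for k, v in local_src.items()},
            {k: sorted(v) for k, v in external_src.items()})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Slammer-sized UDP/1434 sources:", find_slammer(flows))
    print("Scanners:", find_scanners(flows))
    local, external = darknet_hits(flows)
    print("Local hosts touching the darknet (quarantine candidates):", local)
    print("External hosts touching the darknet:", external)
```

The ordinary web flow from 198.51.100.9 trips none of the detectors, which is the point of keying on size and fan-out rather than on port alone. In production the darknet check is the one that scales: a local source with even one flow into unused space is a strong enough signal to feed the remediation process of slides 14 and 15.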

77 Forensics
Once an incident has occurred, we often need to be able to reconstruct events:
- To determine if we are still vulnerable
- To recover data
- To identify the attacker
- To work with law enforcement and/or legal counsel

78 Non-Commercial Forensics Tools
The Coroner's Toolkit: "A collection of programs ... for a post-mortem analysis of a UNIX system after break-in"
http://www.porcupine.org/forensics/tct.html
TASK/Autopsy (TASK has since been renamed The Sleuth Kit): open source forensic toolkit for analyzing Microsoft and UNIX filesystems.
http://www.atstake.com/research/tools/task
http://www.atstake.com/research/tools/autopsy

79 Non-Commercial Forensics Tools
Foundstone's Forensic Toolkit v2.0 and other tools: http://www.foundstone.com/knowledge/forensics.html

80 Forensics: Autopsy Screenshot (timeline view)
http://www.atstake.com/research/tools/autopsy/images/timeline1.gif
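What the Autopsy timeline view (and TCT's mactime) actually builds, written out as an added Python example that is not Autopsy's or TCT's code: every file contributes one row per distinct timestamp, flagged with which of its m(odify), a(ccess) and c(hange) times fired at that moment, sorted into a single sequence. The inode records are constructed for the demo (a tarball dropped in /tmp and a trojaned /bin/ps); in practice they come from fls/ils output or a walk of the mounted image.

```python
"""Added example: build a mactime-style file activity timeline from inode
records, zoom it to a window, and list system binaries whose inode changed
recently. All records are constructed for the demo."""
from collections import defaultdict
from datetime import datetime


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed inode records: path, size and the three timestamps (UTC).
SAMPLE_FILES = [
    {"path": "/etc/passwd", "size": 1245,
     "m": parse_ts("2003-06-01 10:00:00"), "a": parse_ts("2003-08-12 03:00:05"),
     "c": parse_ts("2003-06-01 10:00:00")},
    {"path": "/var/log/wtmp", "size": 46080,
     "m": parse_ts("2003-08-12 03:00:05"), "a": parse_ts("2003-08-12 03:05:00"),
     "c": parse_ts("2003-08-12 03:00:05")},
    {"path": "/tmp/.x/rk.tgz", "size": 218931,
     "m": parse_ts("2003-08-12 03:01:40"), "a": parse_ts("2003-08-12 03:01:58"),
     "c": parse_ts("2003-08-12 03:01:40")},
    {"path": "/bin/ps", "size": 61584,
     "m": parse_ts("2003-08-12 03:02:10"), "a": parse_ts("2003-08-12 03:05:00"),
     "c": parse_ts("2003-08-12 03:02:10")},
]


def build_timeline(files):
    """Rows (timestamp, flags, size, path) in time order. flags is three
    characters over 'mac', with '.' for a time that did not fire then."""
    rows = []
    for f in files:
        by_time = defaultdict(set)
        for flag in "mac":
            by_time[f[flag]].add(flag)
        for ts, fired in by_time.items():
            flags = "".join(fl if fl in fired else "." for fl in "mac")
            rows.append((ts, flags, f["size"], f["path"]))
    rows.sort(key=lambda r: (r[0], r[3]))
    return rows


def window(rows, start, end):
    """Zoom to [start, end]; the usual first move once an alert time is known."""
    return [r for r in rows if start <= r[0] <= end]


SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/")


def changed_system_binaries(files, since):
    """System files whose ctime is newer than 'since'. ctime cannot be set with
    utime(), so a fresh ctime on /bin content means the file was replaced or
    rewritten, even if the attacker back-dated mtime."""
    return sorted(f["path"] for f in files
                  if f["path"].startswith(SYSTEM_DIRS) and f["c"] >= since)


def render(rows):
    return "\n".join(f"{ts:%Y-%m-%d %H:%M:%S}  {flags}  {size:>8}  {path}"
                     for ts, flags, size, path in rows)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_FILES)
    print(render(window(tl, parse_ts("2003-08-12 00:00:00"), parse_ts("2003-08-13 00:00:00"))))
    print("System binaries changed since Aug 1:",
          changed_system_binaries(SAMPLE_FILES, parse_ts("2003-08-01 00:00:00")))
```

Read top to bottom the rows tell the story the raw inode list does not: a login recorded in wtmp, /etc/passwd read, a tarball written and read in /tmp, and ninety seconds later a new /bin/ps whose mtime and ctime coincide. That last pattern is what the ctime check isolates for triage.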

81 Commercial Forensics Tools
- Guidance Software's EnCase
- AccessData's Forensic Toolkit (FTK)
- Paraben Corporation's PDA Seizure
The following companies sell tools only to government, DoD and law enforcement:
- Fred Cohen's ForensiX (http://all.net/ForensiX/)
- NTI (http://www.forensics-intl.com/tools.html)

82 Guidance Software's EnCase 4.0
The most popular computer forensics software package currently in use is Guidance Software's EnCase (http://www.encase.com/), as it runs on Windows and integrates a number of functions within an easy-to-use GUI.

83 Network ACLs Effective Practices and Policies
Internal network router ACLs:
- Anti-spoofing ingress (discard all bogus source IPs)?
- Anti-spoofing egress (only allow your public IPs as source IP): "Good Neighbor Policy"
- Disable directed broadcasts.
- Disable other obvious DoS attacks (detect SYN floods?)
- Any ports you consider dangerous?
- Limit any services to the local subnet (RPC, NFS, etc.)?

84 NAT & Firewall Effective Practices and Policies
For the most part the same as internal network router ACLs:
- Anti-spoofing ingress (discard all bogus source IPs)?
- Anti-spoofing egress (only allow your public IPs as source IP): "Good Neighbor Policy"
- Disallow directed broadcasts and other obvious DoS attacks (SYN floods)
- Any ports you consider dangerous?
- Limit any services to the local subnet (RPC, NFS, etc.)
But also:
- Open any ports/services on the protected network to the outside?
- Deny certain hosts access to the outside?
- Block outbound connections (e.g. to disarm worms)?
- If you do, how do you now identify infected/malicious computers, or computers with DMCA complaints? Blocking removes the outbound traffic that the IDS and NetFlow practices above rely on to spot them, so log the denies and watch those logs.
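The decisions that the border and internal ACLs of slides 74, 83 and 84 encode, written out in Python as an added example (not from the slides, and not any router's configuration syntax) so the rule order can be checked against sample packets before it is typed into a router. The campus prefix, internal subnets and mail relays are assumed values for the demo; the blocked port list follows slide 74.

```python
"""Added example: first-match ACL logic for an Internet-facing router.
Ingress drops bogon/RFC 1918 sources, our own addresses arriving from outside,
directed broadcasts and dangerous service ports; egress enforces the good
neighbour policy and confines SMTP to the known relays. All addresses below
are assumed values for the demo."""
import ipaddress

PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]            # assumed campus block
INTERNAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/25"),  # assumed internal subnets
                    ipaddress.ip_network("198.51.100.128/25")]
MAIL_SERVERS = {ipaddress.ip_address("198.51.100.25")}        # assumed SMTP relays

# Sources that must never arrive from the Internet: RFC 1918 plus the obvious bogons.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

TCP, UDP, SMTP = 6, 17, 25
# Ports slide 74 lists as dangerous at the border, per IP protocol number.
BLOCKED_PORTS = {
    TCP: set(range(135, 140)) | {42, 445, 23, 1433, 111, 2049},
    UDP: set(range(135, 140)) | {42, 445, 1434, 111, 2049},
}


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def ingress_verdict(src, dst, proto, dport):
    """Inbound (Internet -> campus) decision; the first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(src, BOGON_SOURCES):
        return ("deny", "RFC1918/bogon source")
    if _in_any(src, PUBLIC):
        return ("deny", "our own address arriving from outside (spoofed)")
    if any(dst == net.broadcast_address for net in INTERNAL_SUBNETS):
        return ("deny", "directed broadcast")
    if dport in BLOCKED_PORTS.get(proto, set()):
        return ("deny", f"blocked service port {dport}")
    if proto == TCP and dport == SMTP and dst not in MAIL_SERVERS:
        return ("deny", "inbound SMTP only to known mail servers")
    return ("permit", None)


def egress_verdict(src, dst, proto, dport):
    """Outbound decision (good neighbour policy): only our addresses leave, and
    only the relays originate SMTP, which also silences workstation spam engines."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in_any(src, PUBLIC):
        return ("deny", "non-campus source leaving (spoofed or leaked RFC1918)")
    if proto == TCP and dport == SMTP and src not in MAIL_SERVERS:
        return ("deny", "direct SMTP from a non-relay host")
    return ("permit", None)


# Constructed packets: (direction, src, dst, proto, dport)
SAMPLE_PACKETS = [
    ("in",  "10.1.2.3",      "198.51.100.10",  TCP, 80),    # RFC 1918 source
    ("in",  "198.51.100.5",  "198.51.100.10",  TCP, 80),    # our address from outside
    ("in",  "203.0.113.7",   "198.51.100.127", UDP, 53),    # directed broadcast
    ("in",  "203.0.113.7",   "198.51.100.10",  TCP, 445),   # SMB from the Internet
    ("in",  "203.0.113.7",   "198.51.100.10",  TCP, 25),    # SMTP to a workstation
    ("in",  "203.0.113.7",   "198.51.100.25",  TCP, 25),    # SMTP to the relay
    ("in",  "203.0.113.7",   "198.51.100.10",  TCP, 443),   # ordinary HTTPS
    ("out", "192.168.1.5",   "203.0.113.7",    TCP, 80),    # leaked private address
    ("out", "198.51.100.40", "203.0.113.7",    TCP, 25),    # workstation spam engine
    ("out", "198.51.100.25", "203.0.113.7",    TCP, 25),    # relay delivering mail
]


def run_samples(packets=SAMPLE_PACKETS):
    """Return the verdict each sample packet gets from the ACL for its direction."""
    results = []
    for direction, src, dst, proto, dport in packets:
        verdict = ingress_verdict if direction == "in" else egress_verdict
        results.append(verdict(src, dst, proto, dport))
    return results


if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{pkt[0]:3} {pkt[1]:>14} -> {pkt[2]:<15} {pkt[3]:>2}/{pkt[4]:<5} {action:6} {why or ''}")
```

Rule order matters in the same way it does on the router: the anti-spoofing checks come before any port rule so that a forged packet is never evaluated as legitimate traffic, and the egress SMTP restriction is what turns slide 48's "SMTP engines on workstations" from an outbound spam problem into a log entry pointing at the infected host.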

85 WiFi Security Effective Practices and Policies
On "open" wireless networks:
- Encourage or require "secure" network application protocols.
- Encourage or require VPN connections over the wireless network.
On "medium" security wireless networks:
- Require and use MAC address network registration/scanning.
- Use MAC address filtering if possible and scalable.
- Disable SSID broadcasts in beacon frames.
(Note that MAC filtering and hidden SSIDs only raise the bar slightly: a MAC address is trivially cloned from any observed client, and a non-broadcast SSID still appears in the clear in probe and association frames.)
For higher security wireless networks:
- Use 802.1X authentication with PEAP and RADIUS.
- Use WPA or WPA2 (802.11i) encryption rather than WEP.
- Monitor for rogue WAPs (wireless access points) and clients as well as rogue WLANs.
- Note the dangers of accidental association as well as malicious overpowering.

86 Security Resources
- http://www.sans.org SANS (SysAdmin, Audit, Network, Security)
- http://www.cert.org Computer Emergency Response Team
- http://www.incidents.org Internet Storm Center tracking site
- http://www.secinf.net Windows network security
- http://www.securityfocus.com/ Unix, Windows, virus, IDS

87 Email Resources
Email lists:
- www.counterpane.com Bruce Schneier's monthly email digest of computer security issues
- www.ntbugtraq.com Windows NT security list
- www.intrusions.org Daily digests of port probes and good discussions
- www.microsoft.com/security Links to Microsoft's security page
- http://survey.mailfrontier.com/survey/quiztest.html Online phishing quiz

88 Acknowledgment
This material has been developed by a variety of individuals at campuses and members of the EDUCAUSE/Internet2 Security Task Force. Their able assistance in the development of this material is gratefully acknowledged.

