1 / 36

NDSU IT Security

NDSU IT Security. Theresa Semmens Chief Information Technology Security Officer Jeff Gimbel Senior Security Analyst. NDSU Physical Infrastructure. Open Network External facing network 79 subnets Open to Internet Internal facing network 79 subnets

lancej
Download Presentation

NDSU IT Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NDSU IT Security • Theresa SemmensChief Information Technology Security Officer • Jeff GimbelSenior Security Analyst

  2. NDSU Physical Infrastructure • Open Network • External facing network • 79 subnets • Open to Internet • Internal facing network • 79 subnets • Open to the University System and some statewide entities • Firewalled network • Used by some departments for regulatory compliance • Server room network • Used for server to server communication (i.e., backup)

  3. NDSU IT Infrastructure Supported Departments Distributed IT Independent Departments

  4. A Little History • 2004, ND Information Technology Department • SNMP Scan – Found a majority of printers on the University System network that had SNMP set to public • 2008, Foundstone • 175 insecure devices recognized as printers

  5. How did the printer problem really come to light? • Nessus scan • Removed the safe scan • See how much paper would be wasted • LaserJet M 602 • 3 sheets • Nessus findings • FTP open • Telnet open • Web page default username and password • SNMP community name set to public

  6. How did the printer problem really come to light? (continued) • Brought to the attention of IT leadership • Nessus set to “scan the entire network” • Work out alternative solution

  7. Is this really a problem? • 2008 - NDSU dropped support for printers as cost-savings initiative • Currently, departments request DNS name for purchased printers • Name is granted within our naming scheme • Name is added to an install script • Printer plugged into the network

  8. Is this really a problem?

  9. Is this really a problem?

  10. Is this really a problem?

  11. Methodology • Tools – What are we going to use? • Locating devices – How widespread is the problem? • Policies and procedures – Shouldn’t we have covered this somewhere? • Identification and notification – How do we let stakeholders know their printers are not secure? • Reactions – How could we have been so wrong about how stakeholders would react? • Interesting problems – It did WHAT? • First follow-up scan – Is it working?

  12. Tools Used • Angry IP scanner (GPLv2) • Putty (GNU GPL) • WinSCP(GNU GPL) • Microsoft Excel (campus agreement) • Student Employee

  13. Locating Devices • Finding what is on the network • Angry IP Scanner • http://angryip.org/w/Home

  14. Locating Devices (continued)

  15. Findings • External network – Outward facing • 3,526 active hosts (June 7) • 67 recognizable printers • Internal network – Not routable to the Internet • 1885 active hosts (June 6) • 509 recognizable printers

  16. How bad is it? • Human solution for finding the vulnerabilities in the printers • Didn’t want to be responsible for: • Crashing printers • Reams of wasted paper • Default usernames and passwords

  17. Methodology • What did the student employee do? • Opened a browser to IP and hostname • Tried to log in using defaults • Used Putty to Telnet into IP or hostname • Port 23 • Tried anonymous FTP connection with WinSCP • Port 21 • Anonymous login selected

  18. Findings (continued) • External network – 67 printers • 20 with anonymous FTP logins (30%) • 20 default user/admin accounts (30%) • 9 Telnet logins (13%)

  19. Findings (continued) • Internal network – 509 printers • 177 with anonymous FTP logins (35%) • 219 default user/admin accounts (43%) • 156 Telnet logins (31%)

  20. Policies and Procedures • Reviewed existing policies and procedures • Did we have any? • Why were they not being followed? • Should we create new ones? • How do we enforce newpolicies and procedures?

  21. Review of Policies, Procedures • Vague policies • N.D. University System 1901.2 • NDSU 158 • No documented procedures • No procedures meant few people knew what should have been done • Started new procedures right away • Isn’t getting client buy-in the most difficult task anyway?

  22. Vendors • Mind tricks, (policies or procedures) do not work on them, only money • Need to make sure departments consult withcentral IT unit before making purchases of devices that will be placed on the network

  23. Identification and Notification • DNS names include department name, for the most part • For others, impossible to know to which department they belonged

  24. Methodology • Sent emails to identified groups • IP address • DNS name • Vulnerabilities found • Directions for cleanup • Worked with communications coordinator and IT Help Desk

  25. Methodology Sent out the emails and we waited

  26. Reactions • Calm and collected • Were able to configure devices with no problems • Glad to help • Panicked when contacted by security office • Needed help with securing process • Grateful for help

  27. It did WHAT?!?!

  28. Interesting Problems • Printers no longer printing • Disabled port 9100 • Disabled SNMP • Client needed reconfiguration • Stop the print spooler • Delete all jobs in C:\Windows\system32\spool • Restart spooler • Delete all IP ports • Delete all printers • Restart computer • Setup printers

  29. Problems (continued) • Older printers did not have a Web-based configuration • Older Java • Did not have any of the sections needed to configure • Configuration through Telnet • set-password – Changes default password • ftp-config:0 – Disables FTP • set-cmnty-name: <newname> - Changes default SNMP • Idle-timeout: 5 – Sets short timeout for Telnet

  30. Follow-Up Scan • External network • Initially 67 printers • 20 with anonymous FTP logins (30%) • 20 default user/admin accounts (30%) • Telnet logins (13%) • First follow-up scan found 67 Printers • 16 with anonymous FTP logins (24%) • 17 default user/admin accounts (25%) • 7 Telnet logins (10%)

  31. Follow-Up Scan • Internal network • Initially 509 printers • 177 with anonymous FTP logins (35%) • 219 default user/admin accounts (43%) • 156 Telnet logins (31%) • First follow-up scan found 509 Printers • 129 with anonymous FTP logins (25%) • 182 default user/admin accounts (36%) • 118 Telnet logins (23%)

  32. What’s Next?

  33. Questions?

More Related