Computer security in higher education

Computer Security in Higher Education

David Brumley
dbrumley@stanford.edu


Things To Come

  • Need for policies and procedures

  • Proper staffing and funding

  • Clear, consistent, and followed plans


Stanford Infrastructure

  • 55,000 registered nodes

  • 58,000 active principals

  • 800 MB/day web data alone

  • 3.5 million/day email messages

  • 200 to 700 mb/s bandwidth


Why Security?

  • Do your users have any expectation of privacy?

  • Do you have assets that need protecting?

  • Have you considered the cost of system compromises vs. protection?


Attacks Happen


[Figure: Incident Type Comparison, FY97 vs. FY00]


Worried about Privacy?

  • School Records

    • Directories (FERPA)

    • Email

    • Homework

  • Hospital/Medical Records

    • HIPAA


Computer Security Is...

Primarily risk management by ensuring:

  • Confidentiality

  • Integrity

  • Availability


System Confidentiality

[root@topsecret cctest]# pwd

/var/lib/mysql/cctest

[root@topsecret cctest]# strings customer.MYD

david brumley

351 Monroe Palo Alto

Anton Ushakov

590 Escondido Mall

Russ Alberry

101 Great America Parkway

[root@topsecret cctest]# strings orders.MYD

9 piece knife set

34233394134272MasterCard

9910

Sickle and Hammer

543543545345452Visa

0120

3 towels

656565655555Visa

9920

  • Many believe there is nothing valuable on their system, but:

    • System can serve to launch attacks

    • There may be unexpected information on the host


Network Confidentiality

[Diagram: hosts A and B, frames labelled DST MAC A and DST MAC B, and host H: hacker listening regardless of MAC]


Network Sniffers

psych-Wylie-NT.Stanford.EDU => pobox3.Stanford.EDU [110]

USER sleeples

PASS password

STAT

UIDL

QUIT

----- [FIN]

psych-3354-dreamscape.Stanford.EDU => daydream.Stanford.EDU [23]

!'''#P

38400,38400#dreamscape.stanford.edu:0'DISPLAYdreamscape.stanford.edu:0XTE

R

Moscar

password2

elm

jjjjjjjjjjjjjjjjjjjjjj

----- [Timed Out]

voodoo.Stanford.EDU => lucas.Stanford.EDU [21]

(#USER menon

PASS password3

SYST

PORT 171,65,60,163,5,104

LIST

CWD /home/pub/gary

CWD /home/pub/

CWD /home/

----- [Timed Out]

psych-3367-macG3.Stanford.EDU => elaine18.Stanford.EDU [23]

%%jboyett%IR.STANFORD.EDU@(P^$:-)':ca<`%.+vc6s}DF~T[f8FLc|vI;#wG\CN6MYlP%6M-&&&&

& #'$&&Y`&&VT100&

wl\cfCCSDK) >aWHW^H

>rGhsN{q0jxU

`&$$ vQa;j:T8%H>VzL d>7s_

----- [Timed Out]


University Of Washington Sniffer

Summer 2000:

  • NT IIS Web Server compromise

  • Password sniffer installed

  • Exposed 5000 medical records


Ensuring Confidentiality

  • Strong Authentication

    • No clear text logins

      • Kerberos

      • SSH

  • Strong Authorization

    • AFS

    • Directory ACLs
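
An added example, not part of the original slides: a small audit that reads session summaries in the "src => dst [port]" layout of the Network Sniffers slide and lists the accounts that sent a cleartext USER/PASS login, so they can be moved to Kerberos or SSH. The sample data, host names and accounts are constructed, and the code records only that a password was exposed, never its value.

```python
import re

# Constructed sample in the layout of the sniffer slide (hosts and accounts are made up).
SAMPLE = """\
lab-pc.example.edu => pop.example.edu [110]
USER alice
PASS not-a-real-password
STAT
QUIT
----- [FIN]
lab-mac.example.edu => login.example.edu [23]
%%bob%EXAMPLE.EDU@(P^$:-)':ca<`%.+vc6s
----- [Timed Out]
ws1.example.edu => ftp.example.edu [21]
USER carol
PASS also-not-real
LIST
----- [Timed Out]
"""

HEADER = re.compile(r"^(\S+) => (\S+) \[(\d+)\]$")
SERVICES = {21: "ftp", 23: "telnet", 110: "pop3"}

def audit(log):
    """Return one finding per session that carried USER/PASS in the clear."""
    findings, cur = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:  # a new session starts
            cur = {"client": m.group(1), "server": m.group(2),
                   "service": SERVICES.get(int(m.group(3)), m.group(3)),
                   "user": None, "cleartext_pass": False}
        elif cur is None:
            continue
        elif line.startswith("-----"):  # session trailer, e.g. "----- [FIN]"
            if cur["cleartext_pass"]:
                findings.append(cur)
            cur = None
        elif line.upper().startswith("USER "):
            cur["user"] = line.split(None, 1)[1]
        elif line.upper().startswith("PASS "):
            cur["cleartext_pass"] = True  # record the fact, never the value
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['user']} -> {f['server']} ({f['service']}): cleartext login")
```

The encrypted session in the sample produces no finding, which is the outcome the slide's last capture illustrates.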


Kerberos


Populating the KDC


Compromises of Integrity

  • ls (dir) - doesn’t show intruder’s files

  • ps (task manager) - doesn’t show intruder’s processes

  • ifconfig - doesn’t show interface in promiscuous mode

  • zap - cleans log files

  • fix - fixes timestamp and checksum info

  • chfn - gives root shell with proper arg

  • login - gives root shell w/ proper password

  • inetd (runs network services like “telnet”) - gives full access on a particular port


Integrity Compromise Example

Normal System:

sunset:security> telnet elaine

Trying 171.64.15.86...

Connected to elaine21.stanford.edu.

Escape character is '^]'.

UNIX(r) System V Release 4.0 (elaine21.Stanford.EDU)

elaine21.Stanford.EDU login:

Hacked System:

sunset:security> telnet jimi-hendrix 1524

Trying 171.65.38.180...

Connected to jimi-hendrix.Stanford.EDU (171.65.38.180).

Escape character is '^]'.

# ls -altr /;

total 1618

-r-xr-xr-x 1 root root 1541 Oct 14 1998 .cshrc

drwx------ 2 root root 8192 Apr 14 1999 lost+found

drwxr-xr-x 1 root root 9 Apr 14 1999 bin

drwxrwxr-x 2 root sys 512 Apr 14 1999 mnt


Ensuring Integrity - Axioms

  • All programs are buggy

    • The larger the program, the more bugs it will have

  • If a program isn’t run, it doesn’t matter if it’s buggy

    • Hosts should run as few services as possible
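
An added example, not from the original slides: checking a host's listening TCP sockets against an allowlist, which is how an unexpected listener like the port 1524 shell in the integrity example shows up. It parses text in the Linux /proc/net/tcp layout; the sample rows are constructed, a little-endian host is assumed, and the ALLOWED set is a hypothetical site policy.

```python
import socket

# Constructed sample in /proc/net/tcp layout (little-endian host); not from a real machine.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

ALLOWED = {22, 25}   # hypothetical policy: ssh and mail only
TCP_LISTEN = "0A"    # state code for a listening socket

def listeners(proc_net_tcp):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                  # established etc. are ignored
        hex_ip, hex_port = fields[1].split(":")
        # The address is a host-order 32-bit value; reverse the bytes on little-endian.
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])
        yield ip, int(hex_port, 16)

def unexpected(proc_net_tcp, allowed=ALLOWED):
    """Return listeners whose port is not in the allowlist."""
    return sorted((ip, port) for ip, port in listeners(proc_net_tcp)
                  if port not in allowed)

if __name__ == "__main__":
    print(unexpected(SAMPLE))
```

On a live Linux host, pass in the contents of /proc/net/tcp. A compromised host can misreport its own state, so pair this with a check made from another machine.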


Building Integrity

  • Create easy to use resources for system security:

    • Templates

    • Distributions

    • Best use documents

  • Defense in Depth is the goal


Threats to Availability

  • System intrusion

  • Denial of Service Attack

  • Domain Name Hijack/Modifications


RSA.COM’s Availability


The Master Plan

  • Assess situation

  • Create policies, procedures, and implementation plan

  • Create infrastructure

  • Maintain infrastructure

  • Lather, rinse, repeat.


Getting Started

  • Assessing where you are at:

    • What policies exist?

    • What staff is already in place?

    • What services are offered?

    • What services will be offered?


Policy Key Points

  • What are you protecting?

  • Who has authority?

  • What are the resources for?

  • What organizational units are there?


The Key

The policy must be approved at the highest levels in order to deal with irate:

  • Nobel prize laureates

  • Crafty Students

  • Other political entities


Security Office Plan

  • Plan base authentication, authorization, and integrity mechanisms

  • Work with infrastructure groups to utilize security resources

  • Educate the community


Creating Infrastructure

Major points in an assessment:

  • Create scalable architectures

  • Create robust architectures

  • Create low-risk architectures


Ex: Integrating Kerberos


Allocating Resources

  • Staff and budget are needed, but security gets easier and cheaper as time goes on.

  • Fundamental knowledge for computer security staff is knowledge of operating systems and programming

  • Leverage off existing infrastructure to minimize long-term cost


The Benefits

  • Guaranteed and quick response

  • Guaranteed responsibility

  • Protection

  • Be a good net-citizen


Quick Response

From: xxxx@leland.Stanford.EDU

Sent: Saturday, May 29, 1999 5:46 AM

Subject:

As we'll know how fxxxxx Stanford housing situation is, still our

hypocrit spic-and-nigger loving administration has done nothing but

keep accepting more and more of these motherxxxxx black jelly

beans.

These dirty cheating son of xxxxx

....[edited]....

================================================================

Firstname Lastname

Engineering-Economic Systems & Operations Research

Address

Stanford University

Stanford CA 94305

http://www.geocities.com/CollegePark/Grounds/2511


Quick Response

  • August 8, 1999

    • 46 Solaris machines compromised

    • trin00 installed

    • 24 hours for cleanup

  • Quite possibly avoided large scale internet attack


Protection

  • SULinux

  • Best use documents

  • Policy enforcement


Public Service

  • Feb 1999 - ShadowKnight compromises Stanford hosts

  • Feb 1999 - Aug 1999 Stanford monitors hacker

  • Nov 2000 - Jason Diekman, aka ShadowKnight, convicted


Protect

  • Assess critical infrastructure security

  • Legal point of contact for problems

  • Advise and help deploy security infrastructure

  • Help keep network available for academic use


Summary

  • Need policies and procedures

  • Need staff

  • Need Plan

    It really is that easy!


Resources

  • Slides available at http://theorygroup.com/Theory

  • See handout for additional resources

