
IT Security in Higher Education

Michael A. McRobbie, Vice President for Information Technology and Chief Information Officer
Mark Bruhn, Information Technology Policy Officer
Indiana University
EDUCAUSE 2001, Indianapolis

Presentation Overview
- Them versus Us
- Us versus Us
- Us versus Them
- Summary

Them Versus Us: Crackers and Hackers
- Hackers are those individuals who possess expert technical skills
- Crackers are hackers that use their skills for nefarious purposes

Them Versus Us: Changing Cracker Scene (Before)
- Only really good hackers could crack
- Difficult to write programs to affect operating systems
- Cracking was "expensive": learning curve and time
- Most cracking had specific purposes, e.g., financial gain, espionage, sabotage

Them Versus Us: Changing Cracker Scene (Now)
- Veteran crackers are "publishing" code for neophyte crackers: e.g., log-wipe utilities
- Operating system and application APIs are easy to use: e.g., Microsoft VBS
- More complicated operating systems and software cause more bugs
- Automated vulnerability scanning
- Cracking for fun: e.g., "script kiddies"
- Cracking for profit: e.g., credit card theft, industrial espionage
- Cracking for political reasons: e.g., Chinese web page defacements
- Cracking as part of cyberwarfare

Them Versus Us: Cracker Mentoring
- Veteran crackers writing and publishing tools
- Cracker tools exist for cellular, voice, and data communications
- Cracker FAQs exist for almost all systems
- Other cracker resources: 2600: The Hacker Quarterly; Black Hacker Magazine; Forbidden Knowledge Magazine
- Search for "password cracking": thousands of web sites in various languages

Them Versus Us: Cracker Mentoring (continued)
Found on a cracker mentoring web site:

"OK, now for the real stuff. First and foremost, don't get caught. Use public site computers, stolen phone lines to access an ISP or other organization providing internet access ..."

"Remember you are not dealing with technology as much as you are dealing with people. You against the system administrators ... I myself am a sysadmin ... Time is the most major stumbling block for me. I just don't have the time to do as thorough checking as I'd like on a periodic basis, and the machines I administer have loose security policies. I'm sure many other sysadmins are in the same position."

"More reading. Get the FAQs for these newsgroups (), read them, and study. Also read old CERT advisories, check out AUSCERT, and check out SGLM. Be careful with your actions, as some of these transactions will be logged, and it may seem a bit suspicious."

Them Versus Us: Cracker Mentoring (continued)
Physical security, from another cracker web site:

"... best place to steal chemicals is a college ... Evening is the best time to enter lab buildings and most of the labs will still be unlocked. One simply tries to resemble a college freshman. If anyone asks what such a person is doing, the thief can simply say that he is looking for the polymer chemistry lab ... One can usually find out where the various labs are by calling the university. There are, of course, other techniques such as placing a piece of cardboard in the latch of an unused door ... Then, all one needs to do is come back at a later hour ... the would-be thief should know when and if the campus security makes patrols through buildings ... but as a rule, college campus security is pretty poor, and nobody suspects another person in the building of doing anything wrong, even if they are there at an odd hour."

Them Versus Us: Internet Probes
- Probes are attempts by automated programs to locate Internet-connected computers with known vulnerabilities
- We estimate that every networked device at IU is probed at least once daily
- Probes can and do lead to compromise of devices that are not appropriately maintained
- "Honeypot" experiments show that certain vulnerabilities will be found and exploited in less than 24 hours
- Of course, data stored on vulnerable devices is exposed and perhaps has already been compromised

[Chart: Reported Intrusion Attempts/Probes (Per Month)]
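The probes slide above describes automated scanning that touches every networked device at least once a day and is tallied monthly. As an added example that is not part of the presentation, the Python below shows the defender-side bookkeeping behind such a tally: it parses constructed firewall-style allow/deny lines (the line format, addresses and thresholds are assumptions made for illustration, not IU's logging), flags sources that sweep many hosts or many ports, lists which devices were probed on each day, and counts denied connections per month, the figure a chart like "Reported Intrusion Attempts/Probes (Per Month)" would be built from.

```python
from collections import defaultdict
from datetime import datetime


def constructed_sample_lines():
    """Constructed firewall-style log lines (not real IU data).

    Assumed line format: "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>".
    """
    lines = []
    # One external host sweeping port 445 across twelve internal hosts.
    for i in range(1, 13):
        lines.append(f"2001-09-10T02:14:{i:02d} 198.51.100.7 10.20.30.{i} 445 DENY")
    # One external host trying ten different ports on a single internal host.
    for port in (21, 22, 23, 25, 53, 80, 110, 111, 139, 443):
        lines.append(f"2001-09-10T03:00:00 203.0.113.9 10.20.30.50 {port} DENY")
    # Ordinary permitted web traffic from three clients (should not be flagged).
    for i in range(1, 4):
        lines.append(f"2001-09-10T09:00:0{i} 192.0.2.{i} 10.20.30.80 80 ALLOW")
    # The sweeper returns the next day.
    lines.append("2001-09-11T01:00:00 198.51.100.7 10.20.30.11 445 DENY")
    # A malformed line, as real logs contain; the parser must skip it, not crash.
    lines.append("garbage line without enough fields")
    return lines


def parse_log(lines):
    """Parse log lines into dicts; silently skip lines that do not fit the format."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            entries.append({"ts": datetime.fromisoformat(ts), "src": src,
                            "dst": dst, "dport": int(dport), "action": action})
        except ValueError:
            continue
    return entries


def classify_sources(entries, host_threshold=8, port_threshold=8):
    """Label a source 'horizontal' if it touched many hosts, 'vertical' if it
    touched many ports on few hosts. Thresholds are illustrative assumptions."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for e in entries:
        hosts[e["src"]].add(e["dst"])
        ports[e["src"]].add(e["dport"])
    findings = {}
    for src in hosts:
        if len(hosts[src]) >= host_threshold:
            findings[src] = "horizontal"
        elif len(ports[src]) >= port_threshold:
            findings[src] = "vertical"
    return findings


def probed_devices_per_day(entries):
    """Map each date to the sorted list of devices that received a denied connection."""
    out = defaultdict(set)
    for e in entries:
        if e["action"] == "DENY":
            out[e["ts"].date().isoformat()].add(e["dst"])
    return {day: sorted(devs) for day, devs in out.items()}


def denied_per_month(entries):
    """Count denied connections per calendar month (the per-month chart figure)."""
    out = defaultdict(int)
    for e in entries:
        if e["action"] == "DENY":
            out[e["ts"].strftime("%Y-%m")] += 1
    return dict(out)


if __name__ == "__main__":
    parsed = parse_log(constructed_sample_lines())
    print("scanning sources:", classify_sources(parsed))
    for day, devs in sorted(probed_devices_per_day(parsed).items()):
        print(f"{day}: {len(devs)} devices probed")
    print("denied per month:", denied_per_month(parsed))
```

The classification looks only at distinct targets per source, deliberately ignoring volume, because a slow sweep of one connection per host is exactly the probe traffic the slide is describing; a real deployment would add a time window so that a long-lived allow-list client is not mislabelled.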

[Chart: Viruses Reported (Per Month)]

Notable Incidents
- Melissa, March 1999: Word 97, Word 2000; $300 million in damages; approximately 4 days, 150,000 systems
- ILOVEYOU, May 2000: Outlook; as much as $10 billion in damages; approximately 24 hours, 500,000 systems ("Brain" took 5 years to do $50 million)
- Estimated 50,000 viruses; 100,000 by 2004
Copyright 2000 by E. H. Spafford

Them Versus Us: Intrusion Purposes/Consequences
- Unauthorized access to data
- Installation of malicious code to collect passwords, keystrokes, or other data in transit
- Stashing bootleg movies and other illegal materials
- Huge consumption of network resources, leading to slow response times
- Loss of machine cycles for intended purposes
- Inappropriate use of public resources
- Defacement for political reasons
- Installation of programs to support attacks on internal or external systems, e.g., DDoS zombies
- Pressure to require uniform high-level IT security as a condition for Government grants, in a climate of increased concern about national security and cyberwarfare

Them Versus Us: Actors
National Security Threats
- Info Warrior: reduce U.S. decision space, strategic advantage, chaos, target damage
- National Intelligence: information for political, military, economic advantage
Shared Threats
- Terrorist: visibility, publicity, chaos, political change
- Industrial Espionage: competitive advantage, intimidation
- Organized Crime: revenge, retribution, financial gain, institutional change
Local Threats
- Institutional Hacker: monetary gain, thrill, challenge, prestige
- Recreational Hacker: thrill, challenge
Copyright 2000 by E. H. Spafford

Us Versus Us: Typical University Technology Environments
- 25,000 to 70,000 networked devices
- Very high-speed, high-capacity networks with fast connections to the commercial Internet
- Residence Halls and Greek Houses wired
- Hardware and software deployed are significantly diverse
- Usually first to implement new technologies, before they have matured
- Physical system locations vary widely, from under a secretary's desk to professional data centers
- Networked systems are being probed continually for vulnerabilities

Us Versus Us: Typical University Technology Management
- Usually no device registration requirements
- In most instances no network-level user authentication requirements
- In many instances no service-level user authentication requirements
- Departments control local technology and have traditionally acted independently
- Under-paid, under-trained, over-worked technicians
- Nonexistent, organizationally buried, or understaffed technical security offices
- Minimal IS/IT auditors on staff

Us Versus Us: Typical University Data Management
- Thousands of people with authorization to access confidential information from central databases, or to derive the data locally
- Users can extract data to any networked device, to use local manipulation tools
- No one knows on which of the thousands of networked devices sensitive data is hosted
- Minimal training on data handling/protection
- No central data management structure

Us Versus Us: Wasting the "Power of Many"?
Higher education is not collectively:
- Putting pressure on vendors to improve product security performance
- Putting pressure on Federal and State Governments to put pressure on vendors to improve product security performance
- Avoiding use of products with a bad security record, which cost much more in time and money to manage

Us Versus Us
- IU Faculty Research Information Database (1997)
- IU Office of the Bursar (2001)
- IU School of Music (2001)
- University of Michigan patient records
- University of Washington patient records
- Stolen passwords at Berkeley, UCLA, Harvard
- Many others not publicized
Should it Take an Incident to Wake Us Up?

Us Versus Us: Awareness at the Top
- Typically, executive management and governing boards in universities are not aware of these problems
- However, these problems have the potential to be very damaging to a university, both in reputation and potential liability

Us Versus Us: Awareness at the Top
It is vital that the following people be aware of and acknowledge IT security as a cost of doing business:
- Board of Trustees/Regents
- President/Provosts
- Chief Information Officer
- Chancellors
- Deans

Us Versus Them: Institutional Recognition
Higher education institutions must recognize that information technology is ingrained in ALL academic and administrative activities, and that poor system, network, and data security WILL have a direct and costly impact on the mission.

Us Versus Them: Institutional Control
The Chief Information Officer is pivotal, and must:
- Participate in executive administration
- Be given a charge to assess the security climate and the authority to carry out repairs
- Exercise visible and active control
- Understand the strategic threats
- Understand the technical threats
- Translate threats into institutional risks in language colleagues in administration can understand
- Establish requirements and set standards
- Make tough and perhaps unpopular decisions
- Commit to providing assistance to departments and technicians right across the university

Us Versus Them: Institutional Risks
Trustees, Presidents, and governing bodies must understand that lax security:
- Threatens the reputation of higher education
- Threatens the reputation of their specific institution
- Increases the risk, and associated liability, of disclosure of information protected by Federal law
- Increases the risk of suits being filed by students and others when information is disclosed
- Wastes publicly-funded resources
- Contributes to the vulnerability of the national IT infrastructure

Us Versus Them: Institutional Attention
Chancellors and Deans must:
- Understand that their information assets are as critical as capital and human resources
- Place visible and vocal priority on systems and data protection
- Ensure that technicians are trained, capable, and have the time to secure systems

Us Versus Them: Indiana University Organization
The Chief Information Officer reports to the President:
- Has formal authority directly from the Trustees
  - Proactive: set security policies and enforce standards
  - Reactive: assume control of responses to incidents
- Has full support of the President
- Established Policy and Security Offices, with the authority to defend the University from security and other technical threats, including blocking incoming traffic and isolating insecure devices from the network when necessary
- Reports on the state of security annually to the Board of Trustees

Us Versus Them: Indiana University CIO Organization
The Policy Officer reports to the CIO:
- Coordinates policy issues, consults on technology deployment and usage issues, handles incident response, is a diplomat and negotiator, and acts as the "enforcer"
The Security Officer reports to the Policy Officer and the CIO:
- Must be very technically capable, assesses and advises the CIO on technical threats, provides consulting, coordinates technical security resources, and must not be viewed as "police"
The computing organization reports to the CIO:
- Must keep its own house in excellent order
- Must be prepared to provide assistance to departments struggling with security, or prepared to replace services that departments can't provide securely

[Organization chart: Office of the Vice President for Information Technology, September 2001. Boxes recoverable from the chart text, reporting lines not preserved by extraction:]
- Michael McRobbie, VP/CIO
- Mark Bruhn, IT Policy Officer/Contracts & Agreements Officer; University Information Technology Policy Office: 6 Accounts Administrators, Incident Response Coordinator, Technical Investigators, Admin Asst, Data Administrator, Info Mgt Officer
- Tom Davis, IT Security Officer; Information Technology Security Office: 1 Lead Data/Applications Analyst, 2 Senior Data/Applications Analysts, 2 Principal Security Engineers, 2 Lead Security Engineers, 2 Senior Security Analysts, Disaster Recovery Program Manager, Cross-Uni
