
Empowering Users With A Proactive Security Strategy

Lance D. Jordan GSEC, Director & Bob Gerdes, Project Manager

Rutgers University Computing Services

Information Protection & Security

Educause Mid-Atlantic Regional Conference

January 13, 2004


Copyright January 2004, Lance Jordan and Bob Gerdes. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Agenda

– About Rutgers University
– The Mission
– The Challenges
– Problem statement
– Strategy
– Situational Awareness
– Vulnerability Scanning
– Tenable Console & Pilot Project
– RUScan architecture
– Evaluation & Feedback
– Future Uses
– Summary

About Rutgers University

– Newark (Exit 15W): 10K+ students
– New Brunswick/Piscataway (Exit 9): 5 campuses, 35K+ students
– Camden (Exit 5): 5K+ students
– 500+ buildings, 40K+ hosts, 60K+ users, 345 Mbps
– Public University, Founded 1766, $1Bil+ Budget, 270 Degree programs, 130 Research Institutes, AAU Member

About Rutgers University – IT Organization @ RU

[Org chart: Rutgers University Computing Services, headed by an Executive Director, comprising Administrative Computing, Telecommunications, Information Protection and Campus Computing (New Brunswick, Newark, Camden); Academic and Administrative Departments. Staffing figures on the chart: 200+ FTEs; 300+ FTEs and 600-800 students.]

The Mission

Develop and execute a strategy for an effective university-wide information protection and computer security program

Be proactive rather than reactive

Increase and sustain user security awareness

Improve business continuity planning

The Challenges

What do we really understand about our computing environment?

• Stable & competent central IT staff
  – Departmental staff varying skill sets
  – Not centrally managed
• Large untrained & transient user population
• Transient work force (student workers)
• Numerous vendor products & Multiple Operating Systems
• Open & highly distributed computing systems
• Competing priorities & projects
• Collaborative process
• Expectation of privacy
• Ease of access to information

Problem Statement

Q: How to provide users with better information that enables them to set priorities in resolving computer security problems?

A: Better security through better intelligence & better tools

Our Strategy

“Forewarned is forearmed…” – Ben Franklin

Multi-tiered approach & Situational Awareness

[Strategy diagram: Threat; Feedback loops]

Strategy-Planning

– Pick a model
  • People, Processes, Technology
  • SWOT
  • Defense in depth, etc.
– Develop/Refine Computing Policies
– Conduct Security Self Evaluation & Risk Assessment
  • http://rusecure.rutgers.edu/sec_plan/baseline_IT_sec_cklst.php
– Organize Computer Incident Response team
  • Setup info sharing capability
  • Develop procedures & processes, etc.
  • Be flexible
– Create information sharing listservs
– Plan centralized data BU & BCP
  • Vendors?

Strategy-Prevention

– Account creation process w/ strong password enforcement
– Authentication/Authorization/Access (RADIUS/KERBEROS/LDAP)
– User Awareness program
– VPN
– Develop OS Patching strategy
– Use secure protocols (SSL, SSH, Secure FTP)
– Install Anti-spoofing on routers
– Vulnerability Assessments thru Scanning

Strategy-Detection

– Anti-virus software (University site license)
– Filtering at central email servers & desktops
– SPAM Filtering on central servers
– Firewalls: LAN-based and host-based
– IDS
– Syslog/Event log for IDS & FW

Strategy-Reaction/Recovery

– Notification & follow-up process
– After-hours contact list
– Preserve evidence
– Patch or “burn and rebuild”
– Statistical trending
– Lessons-learned

Situational Awareness

Col John Boyd (USAF) – OODA Loop (Decision Cycle): Observe, Orient, Decide, Act

It is all about the decision cycle. You don’t have to be the best or the fastest; just a step ahead of the threat or less vulnerable than the other guy.

Hacker advantages:
– Initiative
– No boundaries
– Time

Your advantages:
– Knowledge of your environment & culture
– Knowledge of the location of critical assets & information
– Ability to adjust policy
– What needs to be available vs. confidential (data, services, etc.)

Situational Awareness – How do you become aware ...?

– SANS Top 10/20
– Incidents.org
– Bugtraq
– MS Technet
– Your favorite OS Vendor
– AV alerts
– Firewall alerts
– IDS data
– Vulnerability scanning data
– CERT.org
– Slashdot

Situational Awareness – Lots of data… What is useful?

The merging of vulnerability scanning data with IDS data is part of the answer:
– An active and dedicated vulnerability scanning program develops a database of history
– Combined with IDS data, it correlates what is vulnerable to active attacks
– Helps to assess hackers' intent & where to reduce your profile
– Sets priority of work for sys admins

Short history of vulnerability scanning @ RU

– Options initially limited by funding
  • SAINT (freeware version): 3 months behind fee version
  • SARA
    – SANS Top 10… later Top 20
    – Code Red Test
    – Established regular scans (avoided DoS & Buffer Overflow side effects)

Short history of vulnerability scanning @ RU…..

– SARA – Major progress with buy-in from departments regarding weak passwords and open file shares
– Distributed process
– Reports easy to understand, including remediation instructions
– Abuse incidents dropped off for a few months
– When incidents began to increase, little correlation with vulnerabilities

Short history of vulnerability scanning @ RU…..

– Nessus
– SANS Top 20
– Needed to provide additional options for departmental scans
– Began to establish scan alerts
– Needed to simplify managing scans across multiple scanners
– Needed to reduce false positives

Finding Tenable

– Separate project had evaluated IDS technology
  • Proprietary hardware and software with steep learning curve
  • High false positive rate
  • Looked for an alternative
– Discovered white papers about a product that tied IDS with vulnerability scanning data
  • Combined Nessus results with IDS results to reduce false positives
  • Capable of managing several distributed Nessus scanners
  • Provided departments the capability to conduct their own scans

Pilot Project

– Created a test plan that would evaluate all of the Tenable features
– Set target date of June 2003 university-wide scan to test Tenable
– Identified training needs and other needs (IDS setup or Nessus setup)
– Held several coordination sessions
– Recruited partner departments to participate
  • Wanted a mix of departments with and without network-based firewalls
  • Needed some departments to set up IDSs


RUScan Architecture

[Architecture diagram: Lightning Console connected to Scanner #1, Scanner #2, Scanner #3 and Scanner #4, plus three IDS sensors]

RUScan Screen shots (scans)

RUScan Screen shots (IDS)

RUScan Screen shots (reporting)

Evaluation & Feedback

– Lots of moving parts
  • Setting up Linux for Snort or Nessus
  • Connecting IDS
  • Connecting Nessus scanners
– Learning curve
  • Pulling all the parts together
  • Accounts philosophy in departments
  • Creating/cloning scan policies (all but DoS)
  • Report generation
  • Departments: initiating scans, browsing reports, remediation process
  • Automated alerts based on IDS/Vulnerability match for the same IP using CVE/BID #s
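The IDS/vulnerability match described in the "Lots of data… What is useful?" slide and in the automated-alerts bullet above, as an added example that is not part of the original presentation or of Tenable's product: a Python correlation over constructed scan findings and IDS alerts, joined on target IP and CVE/BID, that emits the flagged one-liner CSV records the "Potential Uses" slide asks for. It goes slightly beyond the slide by also flagging alerts against hosts that were scanned clean (likely false positives) and hosts with no scan history. Host addresses and CVE/BID values are placeholders.

```python
"""Correlate IDS alerts with scan history by target IP and CVE/BID; emit flagged CSV."""
import csv
import io
from collections import defaultdict

# Constructed scan history (hypothetical hosts; the CVE/BID values are
# placeholders, not real identifiers). 10.0.1.12 was scanned and found clean.
SCANNED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
SCAN_FINDINGS = [
    {"host": "10.0.1.10", "cve": "CVE-0000-0001", "bid": "BID-0001"},
    {"host": "10.0.1.10", "cve": "CVE-0000-0002", "bid": "BID-0002"},
    {"host": "10.0.1.11", "cve": "CVE-0000-0003", "bid": "BID-0003"},
]
# Constructed IDS alerts (hypothetical); each signature carries the CVE
# and/or BID it detects, which is what makes the join possible.
IDS_ALERTS = [
    {"src": "192.0.2.5", "dst": "10.0.1.10", "cve": "CVE-0000-0001", "bid": "", "sig": "RPC overflow"},
    {"src": "192.0.2.6", "dst": "10.0.1.11", "cve": "", "bid": "BID-0002", "sig": "ISAPI overflow"},
    {"src": "192.0.2.7", "dst": "10.0.1.12", "cve": "CVE-0000-0003", "bid": "", "sig": "SSH overflow"},
    {"src": "192.0.2.8", "dst": "10.0.1.13", "cve": "CVE-0000-0001", "bid": "", "sig": "RPC overflow"},
]
PRIORITY = {"CONFIRMED": 0, "UNSCANNED": 1, "NOT-VULNERABLE": 2}

def correlate(findings, scanned_hosts, alerts):
    """Flag each IDS alert by whether the scanner found the target host
    vulnerable to the same CVE/BID; highest-priority records come first."""
    vulns = defaultdict(set)  # host -> CVE/BID identifiers found on it
    for f in findings:
        vulns[f["host"]].update(i for i in (f["cve"], f["bid"]) if i)
    records = []
    for a in alerts:
        ids = {i for i in (a["cve"], a["bid"]) if i}
        if ids & vulns[a["dst"]]:
            flag = "CONFIRMED"       # attack matches a known hole: fix/isolate now
        elif a["dst"] in scanned_hosts:
            flag = "NOT-VULNERABLE"  # scanned, no such hole: likely false positive
        else:
            flag = "UNSCANNED"       # no scan history: schedule a scan
        records.append({"flag": flag, "dst": a["dst"], "src": a["src"],
                        "id": a["cve"] or a["bid"], "sig": a["sig"]})
    return sorted(records, key=lambda r: PRIORITY[r["flag"]])

def to_csv_lines(records):
    """One line per alert, flag in the first column, for spreadsheets or grep."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["flag", "dst", "src", "id", "sig"])
    for r in records:
        writer.writerow([r["flag"], r["dst"], r["src"], r["id"], r["sig"]])
    return buf.getvalue().splitlines()
```

Running `to_csv_lines(correlate(SCAN_FINDINGS, SCANNED_HOSTS, IDS_ALERTS))` puts the single CONFIRMED alert first, then the unscanned host, then the two alerts the scan history contradicts.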

Evaluation & Feedback…..

– June scan went well
– Able to review summary results for all
– Able to shift time from managing tools to managing process
– Special purpose scans for MS Blaster & Nachi completed in one business day (2 Class B public & 3 Class B private)

Potential Uses in the future

– Use asset tags to establish future scans or analysis
– Generalize IDS alerts
– Incorporate departmental requirements into scan alerts (Highlight progress on patching & AV)
– Offer self-service scan for users
– Offer additional reporting formats
  • Increase scan alerts
  • One-liners with flags (flags can be used to prioritize efforts)
  • CSV format

Summary

Empowering users with a proactive security strategy
– Create a plan and execute your plan
– Understand your environment
– Team/Partnership effort
  • People, processes & technology
  • Central & distributed
  • Network/App Dev/Departments
– Find/Create/Buy tools to enhance situational awareness
– Not a trivial investment
  • Servers/people/software costs
– Push/Pull technology and intelligence for users
  • There is a balance driven by user community
– Be flexible

Contact info
– [email protected]
– [email protected]
– http://rusecure.rutgers.edu

Questions?