© 2006 the trustees of boston college slide 1 staying out of the security headlines educause...
TRANSCRIPT
© 2006 The Trustees of Boston College Slide 1
Staying Out of the Security Headlines
Educause Security Professionals ConferenceTrack 4
Wednesday, April 12, 200610:00 a.m. - 11:00 a.m.
Denver Ballroom 4
David Escalante, Director of Computer Policy & Security, Boston CollegeCathy Hubbs, Information Technology Security Coordinator, George Mason University
© 2006 The Trustees of Boston College Slide 2
Introduction» Part I
Boston College, Anatomy of an Incident and Managing It
» Part II George Mason University, Refining Incident Response
» Boston College We didn't stay out of the headlines (75+ news outlets)
So why pay attention to me (or Cathy) ? Management of incident was largely successful, and The headlines missed things or got things wrong in a way that
favored us instead of making us look bad Learning through the experience of others is less painful
» NOTE: slides do not necessarily reflect content of talk
Let’s go over what happens…
© 2006 The Trustees of Boston College Slide 3
Know where your data is » “…as we know, there are known knowns; there are
things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.” -- Don Rumsfeld, Secretary of Defense, 2002
© 2006 The Trustees of Boston College Slide 4
Know where your data is (2)
• Post-incident research revealed that 9 of 11 outside data providers weren’t handling BC sensitive data properly
© 2006 The Trustees of Boston College Slide 5
Different KIND of Incident» Recognize that a breach of confidential data
covering many people is fundamentally different than your typical incident that affects one or more computers, but not thousands of peoples' lives.
» There will be legal, notification, and other issues you will need help on, fast.
© 2006 The Trustees of Boston College Slide 6
The users know more than you
» Where the data is, the “bodies are buried”» How the data got to its present state» Local operational procedures» Contacts with their vendors» How to interact with their particular customers» Ignore users at your peril -- there’s a difference between
managing the incident from a computer perspective and stepping outside your comfort area and managing the whole thing
© 2006 The Trustees of Boston College Slide 7
Have a flexible incident response team
» Also consider having a separate team for incidents of this magnitude
» Escalante’s talk last year at this conference on incident response teams with Calvin Weeks covers flexible incident response in more detail, see http://www.educause.edu/LibraryDetailPage/666?ID=SPC0563
© 2006 The Trustees of Boston College Slide 8
Know how to do computer forensics » You will have to figure out what happened in order to formulate a
response. The press and public are not kind to those who delay in reporting these
incidents, management will want to know what happened, and you won't have a lot of time to work through the forensics.
Alternately, have a pool of money and identified outside resources for rapid response.
» Also, know how to keep operations running in the face of the investigation, or at least recover systems and operations quickly.
© 2006 The Trustees of Boston College Slide 9
Know your Lawyer/General Counsel» The General Counsel’s office will not be happy.
It’s much better to have an unhappy friend in this case than an unhappy stranger.
» They should be able to tell you what to do and what to say to preserve evidence, not get the school in trouble, respond to outside parties who are being a pain, and many other contributions.
© 2006 The Trustees of Boston College Slide 10
Know Your Local Law Enforcement Officials
» http://www.infragard.net/ InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field
Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI ユ s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters
» http://www.ectaskforce.org The concept of task forces has been around for many years and has proven to be quite successful… The
Secret Service developed a new approach to increase the resources, skills and vision by which local, state, and federal law enforcement team with prosecutors, private industry and academia to fully maximize what each has to offer in an effort to combat criminal activity. By forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. The New York Electronic Crimes Task Force (NYECTF) was formed based on this concept and has been highly successful since its inception in 1995. On October 26, 2001, President Bush signed into law H.R. 3162, the PATRIOT Act. In drafting this particular legislation, Congress, recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age. As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces based upon the New York model that encompasses this philosophy.The Electronic Crimes Task Force has grown from a few dedicated individuals, to a group of hundreds of industry as well as local, state and federal law enforcement members throughout the country. At a recent meeting in New York, there were over 500 members in attendance.
© 2006 The Trustees of Boston College Slide 11
Figure Out How You'd Handle Extraordinary Volumes.
» Mail» Phone» Inquiries
» BC chose to outsource the mailing and keep the phone response in-house. At peak times, we ran out of phone lines and/or people to man them.
» You will need a system to triage calls and other inquiries You will have a lot of them. Some of them will be very important.
Some won't. Some will want to speak to "the manager", some won't. In BC’s case, the affected department did a good job of handling this.
© 2006 The Trustees of Boston College Slide 12
Phone SituationDay (800) line calls
Tuesday 74
Wednesday 302
Thursday 640
Friday 825
Saturday 53
Sunday 5
Monday 517
Tuesday 309
Wednesday 155
Thursday 170
Total 3,050
Calls to BC Inquiry Line
0
200
400
600
800
1000
Day of Week
Numb
er of
Calls
13 lines mapped off T1
Letters mailed Monday
© 2006 The Trustees of Boston College Slide 13
Deleting Users» The scripts need to have a defined escalation procedure for
some situations.» You can defuse some tension by researching whether or not
you have a way to remove people from "the system". BC didn't do this in very many instances, but for some people nothing else would do, and it was nice to have as an ultimate fallback.
© 2006 The Trustees of Boston College Slide 14
The Letter» You need to communicate directly with the parties
affected.» Usually you get one message, a letter or e-mail.
So it had better be good.» Lots of people will want input on this
communication Public Affairs General Counsel Affected Department …you get the idea
» Editing the letter» Signing the letter» Editing the talking points.
© 2006 The Trustees of Boston College Slide 15
The Press» Know your Public Affairs staff and the local
press who report on computer stories.» The press aren’t usually out to get you, they
want to convey accurate information. If possible, they’d also like a “scoop” If there’s no “scoop,” there’s less press interest
© 2006 The Trustees of Boston College Slide 16
The Press (2)
» Boston College, Calif. State University computers hacked School officials say the hackers apparently weren't after personal
data» BC warns its alumni of possible ID theft after
computer is hacked College officials say they have no reason to believe the intruder
was looking for personal information to steal; instead, the attacker planted a program that would enable him to use the computer to launch attacks on other machines. But the school is taking no chances, because of the sensitive information stored on the computer.
» George Mason University suffers security breach George Mason University confirmed on Monday that the personal
information of more than 30,000 students, faculty and staff had been nabbed by online intruders.
© 2006 The Trustees of Boston College Slide 17
The Slime
» Does “ambulance chaser” apply outside the legal field?» There are a lot of security vendors
They will all be able to help you If you had their product, you wouldn’t have had a problem
» Other parties, such as credit bureaus or banks, where you might expect to get some help, see you as a profit opportunity
© 2006 The Trustees of Boston College Slide 18
Keep Appropriate Parties Informed
» Regardless of the fact that you're a security person, it is IMPERATIVE that you keep your management, university management, and other parties involved up to date -- you are most likely not the president or VP, not the owner of the data, and not in charge of the university's reputation.
» Those people need frequent updates they need to give you guidance, and they need specialized guidance from you on the
technical issues.
» In return, they will take a lot off your back
© 2006 The Trustees of Boston College Slide 19
After the Chaos Dies Down
» …the real work begins» Culture change time» Data classification policy
Helps review data in field
» Review relationships with third parties» Auditors, auditors, auditors
© 2006 The Trustees of Boston College Slide 20
Summary
» Build key relationships in advance with legal, law enforcement, the press, and others
» Have a forensics capability, in-house or outside» Work with others, possibly as part of Business
Continuity Planning, on how to handle large-volume communications that have to be hands-on, where a web site is not sufficient
» Drive some type of data classification that assigns explicit responsibility to operational departments of the school
» Evaluate your third party and partner relationships with extreme care from a security perspective, and review what’s in any data feeds your central systems send out
Road map
• Mason’s landscape• Current Defense Measures• Incident Handling History• Refining Central IT Incident Handling
Procedures
About Mason
•Public University
•Main campus in Fairfax, Virginia, is 2 miles from regional interstates and 20 miles from Washington, D.C.
•Nearly 30,000 students and 7,000 staff and faculty.
•Four campuses in four counties (5th campus in UAE).
•Part of Internet2-Abeleine and National Lambda Rail.
•Central IT Organization –Information Technology Unit (ITU)
Current Elements of Defense
• Policies: RUC, Stewardship, Public Internet Address, Wireless Networking
• People: Security Awareness, Community Involvement through Groups
• Host & Application: Managed Desktops – M.E.S.A.
• Network: ResNet-Quarantine System, Firewalls, Unified Threat Management
Mason’s Incident Response History• VP of Information Technology initiative.
• Began taking shape summer 2004 through fall 2004.
• Researched government and university incident handling procedures.
• Consensus: Computer Security Incident Response Team (CSIRT)
CSIRT: Two Teams
1. Technicians responsibilities• First to respond and evaluate situation. • Preserve the evidence while investigating.• Contain the problem.
2. Executives responsibilities• Report incidents to VITA per
Commonwealth Legislative Directive Code of Virginia § 2.2-603.G
• Create a unified communication strategy.
Ready or not…
• January 2005
• ID Server incident occurs
• Teams are activated
• Unfortunately we still make the
NEWSPAPER HEADLINES
Media Scrap Book Memories
JANUARY 10, 2005 (COMPUTERWORLD) Hacker compromises data at George Mason University Private information on 32,000 students and staff was compromised
JANUARY 10, 2005 (CNET News)Hackers steal ID info from Virginia universityGeorge Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.
JANUARY 11, 2005 (USA Today)Hackers capture info from George Mason U.
JANUARY 11, 2005 (Washington Post)Vital Files Exposed In GMU HackingA computer hacker apparently broke into a George Mason University data base containing student and employee Social Security numbers, leaving 32,000 people uncertain whether their finances or identities might be compromised.
JANUARY 13, 2005 (WASHINGTON POST)George Mason Officials Investigate Hacking Incident
JANUARY 10, 2005 (ZDNET UK)University suffers massive ID data theft
JANUARY 25, 2005 (THE HILL TOP)Hacking at George Mason Stirs Concerns at HowardSome students at Howard University are wondering if they, too, could be at risk for identity theft after a recent incident at George Mason University in which a computer hacker broke into the data base by entering password after password.
Outcome of ID Server Incident• Communication, collaboration and
community prevail.
• Mason police maintain important relationships with agencies that focus on cybersecurity.
• Mason establishes relationship with company specializing in forensics and risk management.
• Experience spike in reports of suspected compromised machines.
• Opportunity to review incident handling procedures.
Refining the process-Institutionalize• Responsibility and ownership.
"Cyber Security on Campus" Executive Awareness Video
• Define incident handling objectives- focus ITU.Who should be involved?
What are the objectives?
When should incident response team be activated?
Why formalize the incident handling process?
Who is involved?
CSIRT ExecsVP IT, President and VP of University RelationsAdvisors from Human Resources, Legal, Safety, and Police.
Server Support Group
Network Engineers
Support Center
Desktop Support Services
Communicate findingsProvide direction
CSIRT-Techs
What are CSIRT-Techs main objectives?
• First response.
• Evaluate the situation. Is it an incident?
• Preserve the evidence.
• Contain the problem.
Incident Classification GuideClassificatio
n LevelsUrgency
LevelResponse
UnitCharacteristics Example Likelihood to
get a Call at SC
0 Standard16 hours
DSS* Annoyance or inconvenience for a single user
Low-impact Virus or Spyware
Very Likely
1 Immediate8 hours
DSS* Compromises non-sensitive data for a single user
Malicious virus Likely
2 Immediate8 hours
DSS* Compromised account access for a single user
Faculty/staff’s account has been shared
Likely
3 Immediate8 hours
CSIRT** Compromised sensitive data for a single user
Faculty’s desktop with names and grades on it. Credit card information.
Likely
4 Immediate8 hours
CSIRT** Affects data or services for a group
Banner Security Officer Account compromised
Rare
5 Emergency4 hours
CSIRT** Large segment of university
ID Server hacked into Very Rare
*DSS Desktop Support Services **CSIRT Computer Security Incident Response Team
Updated: 02/20/06
Customer Contacts SC
Is it Faculty/Staff?Inform Student to seek
Professional Help
Consult Matrix to Determine Classification
Assign Incident: Urgency Level = Standard
Group = DSS
Is it Level 0? Is it Level 1-2? Is it Level 5?
Assign Incident: Urgency Level = Immediate
Group = DSS
Call DSS
Assign Incident: Urgency Level = Emergency
Group = CSIRT
Call CSIRT Contact & Activate CSIRT phone tree
Clean Workstation
Is it Level 3-4?
Assign Incident: Urgency Level = Immediate
Group = CSIRT
Call CSIRT Contact & Activate CSIRT phone tree
Close Incident
Close Incident
Is there a compromise?
Call CSIRT Contact & Activate CSIRT phone tree
No
No No No
Yes
Yes
Yes
No
Yes Yes Yes
Support Center Procedures
When to activate CSIRT
If a compromised computer is suspected or confirmed to contain highly sensitive data.
If a computer with a Mason IP address is probing another Mason computer.
Server Support Group and NET
• Initiate a Magic (help desk system) ticket.
• ID suspected computer.
• Alert CSIRT by telephone.
Everyone
• Remain calm and professional while investigating suspected and confirmed incidents.
• Main objectives are to Preserve the evidence. Contain the problem. Limit all discussions regarding incidents
to those directly involved.
Community Message re: CSIRT?
If you suspect that your computer hasbeen compromised you should:
Stop what you are doing with the computer.
Call the ITU Support Center.
Why formalize Incident Handling?
• PreparednessDefine roles and responsibilities.Everyone knows what to do and when to
do it.
• MetricsTickets provide tracking system.Repeat offenders.Trends.
Resources
Educausehttp://www.educause.edu/securityData Notification Checklist and more
Questions?
Cathy Hubbs David [email protected] [email protected]