© 2006 the trustees of boston college slide 1 staying out of the security headlines educause...

© 2006 The Trustees of Boston College Slide 1

Staying Out of the Security Headlines

Educause Security Professionals ConferenceTrack 4

Wednesday, April 12, 200610:00 a.m. - 11:00 a.m.

Denver Ballroom 4

David Escalante, Director of Computer Policy & Security, Boston CollegeCathy Hubbs, Information Technology Security Coordinator, George Mason University


Introduction» Part I

Boston College, Anatomy of an Incident and Managing It

» Part II George Mason University, Refining Incident Response

» Boston College We didn't stay out of the headlines (75+ news outlets)

So why pay attention to me (or Cathy) ? Management of incident was largely successful, and The headlines missed things or got things wrong in a way that

favored us instead of making us look bad Learning through the experience of others is less painful

» NOTE: slides do not necessarily reflect content of talk

Let’s go over what happens…


Know where your data is » “…as we know, there are known knowns; there are

things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.” -- Don Rumsfeld, Secretary of Defense, 2002


Know where your data is (2)

• Post-incident research revealed that 9 of 11 outside data providers weren’t handling BC sensitive data properly


Different KIND of Incident» Recognize that a breach of confidential data

covering many people is fundamentally different than your typical incident that affects one or more computers, but not thousands of peoples' lives.

» There will be legal, notification, and other issues you will need help on, fast.


The users know more than you

» Where the data is, the “bodies are buried”» How the data got to its present state» Local operational procedures» Contacts with their vendors» How to interact with their particular customers» Ignore users at your peril -- there’s a difference between

managing the incident from a computer perspective and stepping outside your comfort area and managing the whole thing


Have a flexible incident response team

» Also consider having a separate team for incidents of this magnitude

» Escalante’s talk last year at this conference on incident response teams with Calvin Weeks covers flexible incident response in more detail, see http://www.educause.edu/LibraryDetailPage/666?ID=SPC0563


Know how to do computer forensics » You will have to figure out what happened in order to formulate a

response. The press and public are not kind to those who delay in reporting these

incidents, management will want to know what happened, and you won't have a lot of time to work through the forensics.

Alternately, have a pool of money and identified outside resources for rapid response.

» Also, know how to keep operations running in the face of the investigation, or at least recover systems and operations quickly.


Know your Lawyer/General Counsel» The General Counsel’s office will not be happy.

It’s much better to have an unhappy friend in this case than an unhappy stranger.

» They should be able to tell you what to do and what to say to preserve evidence, not get the school in trouble, respond to outside parties who are being a pain, and many other contributions.


Know Your Local Law Enforcement Officials

» http://www.infragard.net/ InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field

Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI ﾕ s investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters

» http://www.ectaskforce.org The concept of task forces has been around for many years and has proven to be quite successful… The

Secret Service developed a new approach to increase the resources, skills and vision by which local, state, and federal law enforcement team with prosecutors, private industry and academia to fully maximize what each has to offer in an effort to combat criminal activity. By forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. The New York Electronic Crimes Task Force (NYECTF) was formed based on this concept and has been highly successful since its inception in 1995. On October 26, 2001, President Bush signed into law H.R. 3162, the PATRIOT Act. In drafting this particular legislation, Congress, recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age. As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces based upon the New York model that encompasses this philosophy.The Electronic Crimes Task Force has grown from a few dedicated individuals, to a group of hundreds of industry as well as local, state and federal law enforcement members throughout the country. At a recent meeting in New York, there were over 500 members in attendance.


Figure Out How You'd Handle Extraordinary Volumes.

» Mail» Phone» Inquiries

» BC chose to outsource the mailing and keep the phone response in-house. At peak times, we ran out of phone lines and/or people to man them.

» You will need a system to triage calls and other inquiries You will have a lot of them. Some of them will be very important.

Some won't. Some will want to speak to "the manager", some won't. In BC’s case, the affected department did a good job of handling this.


Phone SituationDay (800) line calls

Tuesday 74

Wednesday 302

Thursday 640

Friday 825

Saturday 53

Sunday 5

Monday 517

Tuesday 309

Wednesday 155

Thursday 170

Total 3,050

Calls to BC Inquiry Line

0

200

400

600

800

1000

Day of Week

Numb

er of

Calls

13 lines mapped off T1

Letters mailed Monday


Deleting Users» The scripts need to have a defined escalation procedure for

some situations.» You can defuse some tension by researching whether or not

you have a way to remove people from "the system". BC didn't do this in very many instances, but for some people nothing else would do, and it was nice to have as an ultimate fallback.


The Letter» You need to communicate directly with the parties

affected.» Usually you get one message, a letter or e-mail.

So it had better be good.» Lots of people will want input on this

communication Public Affairs General Counsel Affected Department …you get the idea

» Editing the letter» Signing the letter» Editing the talking points.


The Press» Know your Public Affairs staff and the local

press who report on computer stories.» The press aren’t usually out to get you, they

want to convey accurate information. If possible, they’d also like a “scoop” If there’s no “scoop,” there’s less press interest


The Press (2)

» Boston College, Calif. State University computers hacked School officials say the hackers apparently weren't after personal

data» BC warns its alumni of possible ID theft after

computer is hacked College officials say they have no reason to believe the intruder

was looking for personal information to steal; instead, the attacker planted a program that would enable him to use the computer to launch attacks on other machines. But the school is taking no chances, because of the sensitive information stored on the computer.

» George Mason University suffers security breach George Mason University confirmed on Monday that the personal

information of more than 30,000 students, faculty and staff had been nabbed by online intruders.


The Slime

» Does “ambulance chaser” apply outside the legal field?» There are a lot of security vendors

They will all be able to help you If you had their product, you wouldn’t have had a problem

» Other parties, such as credit bureaus or banks, where you might expect to get some help, see you as a profit opportunity


Keep Appropriate Parties Informed

» Regardless of the fact that you're a security person, it is IMPERATIVE that you keep your management, university management, and other parties involved up to date -- you are most likely not the president or VP, not the owner of the data, and not in charge of the university's reputation.

» Those people need frequent updates they need to give you guidance, and they need specialized guidance from you on the

technical issues.

» In return, they will take a lot off your back


After the Chaos Dies Down

» …the real work begins» Culture change time» Data classification policy

Helps review data in field

» Review relationships with third parties» Auditors, auditors, auditors


Summary

» Build key relationships in advance with legal, law enforcement, the press, and others

» Have a forensics capability, in-house or outside» Work with others, possibly as part of Business

Continuity Planning, on how to handle large-volume communications that have to be hands-on, where a web site is not sufficient

» Drive some type of data classification that assigns explicit responsibility to operational departments of the school

» Evaluate your third party and partner relationships with extreme care from a security perspective, and review what’s in any data feeds your central systems send out

Road map

• Mason’s landscape• Current Defense Measures• Incident Handling History• Refining Central IT Incident Handling

Procedures

About Mason

•Public University

•Main campus in Fairfax, Virginia, is 2 miles from regional interstates and 20 miles from Washington, D.C.

•Nearly 30,000 students and 7,000 staff and faculty.

•Four campuses in four counties (5th campus in UAE).

•Part of Internet2-Abeleine and National Lambda Rail.

•Central IT Organization –Information Technology Unit (ITU)

ITU Organization

Current Elements of Defense

• Policies: RUC, Stewardship, Public Internet Address, Wireless Networking

• People: Security Awareness, Community Involvement through Groups

• Host & Application: Managed Desktops – M.E.S.A.

• Network: ResNet-Quarantine System, Firewalls, Unified Threat Management

Mason’s Incident Response History• VP of Information Technology initiative.

• Began taking shape summer 2004 through fall 2004.

• Researched government and university incident handling procedures.

• Consensus: Computer Security Incident Response Team (CSIRT)

CSIRT: Two Teams

1. Technicians responsibilities• First to respond and evaluate situation. • Preserve the evidence while investigating.• Contain the problem.

2. Executives responsibilities• Report incidents to VITA per

Commonwealth Legislative Directive Code of Virginia § 2.2-603.G

• Create a unified communication strategy.

Ready or not…

• January 2005

• ID Server incident occurs

• Teams are activated

• Unfortunately we still make the

NEWSPAPER HEADLINES

Media Scrap Book Memories

JANUARY 10, 2005 (COMPUTERWORLD) Hacker compromises data at George Mason University Private information on 32,000 students and staff was compromised

JANUARY 10, 2005 (CNET News)Hackers steal ID info from Virginia universityGeorge Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

JANUARY 11, 2005 (USA Today)Hackers capture info from George Mason U.

JANUARY 11, 2005 (Washington Post)Vital Files Exposed In GMU HackingA computer hacker apparently broke into a George Mason University data base containing student and employee Social Security numbers, leaving 32,000 people uncertain whether their finances or identities might be compromised.

JANUARY 13, 2005 (WASHINGTON POST)George Mason Officials Investigate Hacking Incident

JANUARY 10, 2005 (ZDNET UK)University suffers massive ID data theft

JANUARY 25, 2005 (THE HILL TOP)Hacking at George Mason Stirs Concerns at HowardSome students at Howard University are wondering if they, too, could be at risk for identity theft after a recent incident at George Mason University in which a computer hacker broke into the data base by entering password after password.

Outcome of ID Server Incident• Communication, collaboration and

community prevail.

• Mason police maintain important relationships with agencies that focus on cybersecurity.

• Mason establishes relationship with company specializing in forensics and risk management.

• Experience spike in reports of suspected compromised machines.

• Opportunity to review incident handling procedures.

Refining the process-Institutionalize• Responsibility and ownership.

"Cyber Security on Campus" Executive Awareness Video

• Define incident handling objectives- focus ITU.Who should be involved?

What are the objectives?

When should incident response team be activated?

Why formalize the incident handling process?

Who is involved?

CSIRT ExecsVP IT, President and VP of University RelationsAdvisors from Human Resources, Legal, Safety, and Police.

Server Support Group

Network Engineers

Support Center

Desktop Support Services

[email protected]

Communicate findingsProvide direction

CSIRT-Techs

What are CSIRT-Techs main objectives?

• First response.

• Evaluate the situation. Is it an incident?

• Preserve the evidence.

• Contain the problem.

Incident Classification GuideClassificatio

n LevelsUrgency

LevelResponse

UnitCharacteristics Example Likelihood to

get a Call at SC

0 Standard16 hours

DSS* Annoyance or inconvenience for a single user

Low-impact Virus or Spyware

Very Likely

1 Immediate8 hours

DSS* Compromises non-sensitive data for a single user

Malicious virus Likely

2 Immediate8 hours

DSS* Compromised account access for a single user

Faculty/staff’s account has been shared

Likely

3 Immediate8 hours

CSIRT** Compromised sensitive data for a single user

Faculty’s desktop with names and grades on it. Credit card information.

Likely

4 Immediate8 hours

CSIRT** Affects data or services for a group

Banner Security Officer Account compromised

Rare

5 Emergency4 hours

CSIRT** Large segment of university

ID Server hacked into Very Rare

*DSS Desktop Support Services **CSIRT Computer Security Incident Response Team

Updated: 02/20/06

Customer Contacts SC

Is it Faculty/Staff?Inform Student to seek

Professional Help

Consult Matrix to Determine Classification

Assign Incident: Urgency Level = Standard

Group = DSS

Is it Level 0? Is it Level 1-2? Is it Level 5?

Assign Incident: Urgency Level = Immediate

Group = DSS

Call DSS

Assign Incident: Urgency Level = Emergency

Group = CSIRT

Call CSIRT Contact & Activate CSIRT phone tree

Clean Workstation

Is it Level 3-4?

Assign Incident: Urgency Level = Immediate

Group = CSIRT


Close Incident

Close Incident

Is there a compromise?


No

No No No

Yes

Yes

Yes

No

Yes Yes Yes

Support Center Procedures

When to activate CSIRT

If a compromised computer is suspected or confirmed to contain highly sensitive data.

If a computer with a Mason IP address is probing another Mason computer.

Server Support Group and NET

• Initiate a Magic (help desk system) ticket.

• ID suspected computer.

• Alert CSIRT by telephone.

Everyone

• Remain calm and professional while investigating suspected and confirmed incidents.

• Main objectives are to Preserve the evidence. Contain the problem. Limit all discussions regarding incidents

to those directly involved.

Community Message re: CSIRT?

If you suspect that your computer hasbeen compromised you should:

Stop what you are doing with the computer.

Call the ITU Support Center.

Why formalize Incident Handling?

• PreparednessDefine roles and responsibilities.Everyone knows what to do and when to

do it.

• MetricsTickets provide tracking system.Repeat offenders.Trends.

Resources

Educausehttp://www.educause.edu/securityData Notification Checklist and more

Questions?

Cathy Hubbs David [email protected] [email protected]

© 2006 the trustees of boston college slide 1 staying out of the security headlines educause...

Documents

o boston college

spc0563 slide

thing slide

boston college cathy

management of incident

george mason university

incident response teams

typical incident