2010: top security challenges & its security projects update jodi ito information security...
Post on 21-Dec-2015
2010: Top Security Challenges &
ITS Security Projects Update
Jodi Ito
Information Security Officer
VP IT & CIO Office
Information Technology Services
Predictions for 2010
Increase in web-based threats
Botnets
Targeted attacks
P2P data leaks
More sophisticated attacks
Embedded devices
Increase in Adobe attacks
Web Threats
More services provided via "web"
More complex programming; less secure code
Legitimate websites hacked
Illegal pharmacies
Used to distribute malware
Drive-by downloads
Fast flux DNS
Increase in Bot Traffic
ITS receiving more reports of "bot"-infected machines on the UH network
Most are Torpig
Torpig uses fast flux DNS to change the names of its C&C and malware-infected sites
Uses Java and the Twitter API to generate and register new hostnames
Designed to harvest sensitive information such as credit card and bank account information
Targeted Attacks
Subjects of phishing attacks are specifically selected, such as senior administrators and management
Uses social engineering techniques
Very convincing messages and images; example from North Carolina State University:
http://www.ncsu.edu/it/security/webmail-phishing.html
FTC P2P data leak alarm…
The Federal Trade Commission this week sent letters to almost 100 organizations that personal information, including sensitive data about customers and employees, has been shared from their computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud.
Search for “FTC P2P data leak” using your favorite search engine
Sophisticated Attacks
Fast flux DNS
Evolving malware: signatures change faster than antivirus can keep up
Layered malware: Mebroot rootkit used to distribute botnet malware
Legitimate websites delivering malware from ad servers
Increased/expanded use of technology
Top Security Issues at UH
Copyright violations (DMCA violations)
Protecting sensitive info & UH data breaches
Protecting users, computers & networks
People are the weakest link!
Copyright Violations
HEOA 2008: all universities must have:
An annual disclosure to students describing copyright law and campus policies related to violating copyright law.
A plan to “effectively combat the unauthorized distribution of copyrighted materials” by users of its network, including "the use of one or more technology-based deterrents".
A plan to "offer alternatives to illegal downloading".
HEOA Compliance
Compliance required by July 1, 2010
Failure to do so: lose all federal financial aid!
UH Statistics: 2007-2010
As of 3/1/2010
[Chart: DMCA notices per month, Jan-Dec, one series each for 2007, 2008, 2009 and 2010; x-axis "Month", y-axis "Notices per Month" (0-140). The underlying figures are in the DMCA Statistics table that follows.]
DMCA Statistics
As of 3/1/2010 (the 2010 column therefore runs only through 3/1/2010)

Month   2007   2008   2009   2010
Jan       13     24     21    105
Feb       13     35     35     90
Mar        6     18     46      4
Apr        0     39    127      -
May        0     30     39      -
Jun       14     22     25      -
Jul        5     16     36      -
Aug       15     16     71      -
Sep       12     79     89      -
Oct        7     95     83      -
Nov       22     31     84      -
Dec       17     30     79      -
ITS Procedures
Identify and notify
If no response, block
Currently, infringers are "counseled" and must sign the Copyright Notification:
http://www.hawaii.edu/itsdocs/gen/sample_copyright_notification.pdf
Future: must go through an online tutorial/quiz; failure to do so: blocked & reported to the Dean of Students (or supervisor/Dean/Director) for action
UH Policies
Executive Policy E2.210: Use and Management of Information Technology Resources
http://www.hawaii.edu/svpa/ep/e2/e2210.pdf
Executive Policy E2.214: Security and Protection of Sensitive Information
http://www.hawaii.edu/apis/ep/e2/e2214.pdf
More UH Policies
UH Form 92: UH General Confidentiality Notice
http://www.hawaii.edu/ohr/docs/forms/uh92.pdf
System-wide Student Code of Conduct
http://www.hawaii.edu/apis/ep/e7/e7208.pdf
Policies and Compliance
Enforce laws, regulations, policies: FERPA, HIPAA, FTC Red Flags, PCI DSS, FISMA, State & Federal laws & regulations, etc.
Legal Issues
E-Discovery & litigation holds
Subpoenas & National Security Letters
Internal investigations
Protecting Sensitive Info
Hawaii Revised Statutes:
HRS 487J - SSN Protection
http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/
HRS 487N - Breach Disclosure
http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/
HRS 487R - Destruction of PI Records
http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487R/
UH Data Breach 2009
Series of "human" mis-steps:
Computer VERY infected + rootkit (6 mo+)
Computer was used to connect to another server that stored years of sensitive information
User connected to the server every morning and stayed connected as a matter of daily routine
User opened all emails and attachments without regard to relevance
User visited social networking sites
Breach Notification
Determined that pursuant to HRS 487N, UH was required to do a "Breach Notification":
Written notification to all affected individuals (approx. 15,000)
Legislative report due 20 days after discovery of breach
Press release/website
"Near" Breach
Reported that a server was opened for anonymous FTP
Found connections from foreign countries accessing the server
Successful retrievals of some log files
Unsuccessful retrieval of database containing SSNs
Protecting Users
Increase in compromised UH usernames, used to send spam/phish
Increase because:
Responding to PHISHES!
Weak passwords
Using unsecured computers and/or networks
Lack of awareness of safe computing behaviors
TTMI: "Tweeting Too Much Information" http://pleaserobme.com/
P2P filesharing risks: “FTC warns nearly 100 firms of P2P data leaks”
http://www.networkworld.com/news/2010/022310-ftc-warns-nearly-100-firms.html
“P2P Snoopers Know What's In Your Wallet” http://www.networkworld.com/news/2010/020710-shmoocon-p2p-snoopers-know-whats.html
“File Sharers, Beware!” http://www.cbsnews.com/stories/2005/05/03/eveningnews/main692765.shtml
Other Unsafe Behaviors
Respond to "phishes"
Do not update operating systems and applications on a routine basis
Do not use or update anti-virus/anti-spyware software
Visit unsafe websites
Share accounts/passwords
Use unsecured wi-fi for sensitive transactions
ITS Security Projects
Vetting of Campus Identity Reps
UH Username password strengthening
Identification & blocking of bot/malware-infected hosts
Identification & disabling of compromised UH usernames
Vulnerability assessment of servers?
Develop information security training
Campus Identity Reps
Ensure Campus Identity Reps understand their responsibilities to protect sensitive information
Develop annual training
Annual acknowledgement of understanding of UH policies and applicable federal and state laws
Password Strengthening
New password rules:
Length 8-xx characters (1st 60, maybe 32??)
At least one lowercase, one uppercase, one number, and one special character
No dictionary words; cannot use name or UH username, etc.
Temporary passwords must be changed at first login or within 7 days
Password Rules Impact
Applications using UH username/password must be tested with new rules
UH Manoa wireless: cannot login if password is longer than 48 characters
FMAX: max password length is 32
Bot/Malware-Infected Systems
ITS receives reports identifying infected systems by IP
ITS will block IP of system and attempt to identify owner of system
System needs to be remediated before being unblocked
Compromised UH Usernames
Usually detected by ITS
UH username found to be sending large amounts of email (spam)
UH username is disabled and ITS attempts to contact the user
Webmail settings must be cleaned before the account is re-enabled
Vulnerability Assessment
NWACC vulnerability assessment: Vulnerability scan done & report provided for each system scanned
Report consists of list of vulnerabilities (CVE) and recommended remediation steps
Let me know if you would like any servers scanned as part of the assessment (fee-based - cost recovery)
Information Security Training
State contract contains a requirement that contract awardees must go through Information Security Training
Training conducted in-person
Develop online training, open to everyone