INFORMATION SECURITY University of Notre Dame

Post on 23-Dec-2015


INFORMATION SECURITY University of Notre Dame

WHAT DOES INFOSEC DO?

University of Notre Dame

INFORMATION SECURITY TEAM

David Seidl, James Smith, Brandon Bauer, Jaime Preciado-Beas, Jason Williams, Aaron Wilkey, Kolin Hodgson

INFORMATION SECURITY TEAM

Who do I contact if I have a question?

Phone: 1-3888
Email: [email protected]
In person: Visit the Duty Officer of the day.
After hours: contact Ops

INFRASTRUCTURE

NETWORK FLOW EXAMPLE

NETWORK FLOW TO INDIA

SOME OF OUR SERVICES

WebInspect
Risk Assessment
Compliance Support (PCI, FERPA, HIPAA)
Advisories
Vulnerability Management (Qualys)
Data Center Firewall Management

COMPUTER FORENSICS

We know what you did.

YES YOU

COMPUTER FORENSICS

Investigations occur after approval from the CIO, Office of General Counsel, and/or HR

Investigations can occur on any electronic device: Windows, MacOS, and Linux based systems and others; mobile devices; network devices

Mostly HR or Incident Response

CONSULTS

Security Assessments
Cloud/Vendor Security Assessments
Virtualization
Education

POLICIES AND STANDARDS

Information Security Policy: http://policy.nd.edu/policy_files/InformationSecurityPolicy.pdf

Highly Sensitive Information: http://oit.nd.edu/policies/itstandards/infohandling.shtml

Responsible Use: http://policy.nd.edu/policy_files/ResponsibleUseITResourcesPolicy.pdf

Security Configuration Standards: https://secure.nd.edu/standards/index.shtml

DNS BLACKLIST

Implemented May 2012

Redirects URLs through DNS to prevent users from visiting malicious web pages

URL lists (feeds) are from known security vendors, e.g. SANS

Refreshed daily

URLs can be whitelisted by contacting the help desk

Manually blacklist as phishing attacks occur.

To try this visit 12345.com from campus
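The per-query decision such a "Safe DNS" resolver makes, as an added example that is not Notre Dame's code: a daily vendor feed and manual phishing entries redirect matching names (and their subdomains) to a landing page, while help-desk whitelist entries take precedence. The landing-page address, the feed format and the sample domains (other than 12345.com, which the slides name as the test domain) are assumptions.

```python
SAFE_PAGE_IP = "203.0.113.10"  # assumed address of the "site blocked" landing page

def _suffixes(name):
    """Yield a name and each parent domain: a.b.example -> a.b.example, b.example, example."""
    labels = name.lower().strip(".").split(".")
    return (".".join(labels[i:]) for i in range(len(labels)))

class SafeDns:
    """Per-query redirect decision: whitelist wins, then manual adds, then vendor feeds."""
    def __init__(self):
        self.feed = set()       # domains from vendor feeds, replaced on each refresh
        self.manual = set()     # phishing domains blacklisted by hand
        self.whitelist = set()  # exceptions granted through the help desk

    def refresh_feed(self, feed_lines):
        """Replace the feed list from a text feed: one domain per line, '#' starts a comment."""
        lines = (ln.strip().lower() for ln in feed_lines)
        self.feed = {ln for ln in lines if ln and not ln.startswith("#")}

    def block_phishing(self, domain):
        self.manual.add(domain.lower().strip("."))

    def allow(self, domain):
        self.whitelist.add(domain.lower().strip("."))

    def resolve(self, qname, upstream_ip):
        """Return (answer, reason). Whitelist wins; subdomains inherit a parent's listing."""
        if any(s in self.whitelist for s in _suffixes(qname)):
            return upstream_ip, "whitelisted"
        for s in _suffixes(qname):
            if s in self.manual:
                return SAFE_PAGE_IP, "redirected:manual"
            if s in self.feed:
                return SAFE_PAGE_IP, "redirected:feed"
        return upstream_ip, "passthrough"

SAMPLE_FEED = ["# vendor feed, refreshed daily", "12345.com", "bad.example"]  # constructed

def demo():
    dns = SafeDns()
    dns.refresh_feed(SAMPLE_FEED)
    dns.block_phishing("login-verify.example")  # added by hand after a phishing report
    dns.allow("research.bad.example")           # exception granted via the help desk
    return {
        "12345.com": dns.resolve("12345.com", "198.51.100.5"),
        "www.bad.example": dns.resolve("www.bad.example", "198.51.100.6"),
        "research.bad.example": dns.resolve("research.bad.example", "198.51.100.7"),
        "login-verify.example": dns.resolve("LOGIN-VERIFY.example.", "198.51.100.8"),
    }
```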

DNS BLACKLIST “Safe DNS”

DNS BLACKLIST TESTING

[Chart: daily counts for 9/11/2012 through 9/14/2012, y-axis 0 to 3,500; values shown: 1,528; 3,091; 2,741; 2,603]

CREDIT CARD SUPPORT PROGRAM (CCSP)

Separate network behind its own firewall

Credit Card processing environment for ND merchants

All ND merchants required to comply with PCI DSS

Governance body

Information: ccsp.nd.edu or [email protected]

TEAM GHOSTSHELL

Project WestWind

WHO IS TEAM GHOSTSHELL?

“Hacktivists” focused on hacking to bring awareness for what they consider to be the greater good

Team GhostShell has made successful dumps prior to Project West Wind

IT Wall Street: Dumped 50,000 accounts to support the Occupy Wall Street movement

Project Dragonfly: Dumped 200,000 accounts to support freedom of speech in communist countries

Project WestWind

Target: 100 top universities across the world

Purpose: To bring attention to the decaying status of higher education around the world

Outcome: A massive dump of over 120k student/faculty/staff records pulled from university servers

The Data: Usernames, passwords, phone numbers, class numbers, and more

THE ATTACK!

SQL Injection: A code injection technique that exploits a security vulnerability in a website's software.

GhostShell was able to take advantage of vulnerabilities in the web applications of the targeted universities to gain access to their servers

The vulnerabilities were most likely exploited using SQL injection

The attack took up to four months to prepare, according to Aaron Titus, Chief Privacy Officer of Identity Finder
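The class of flaw named above, as an added example that is not from the slides or from any university's application: a directory lookup built by string formatting beside its parameterized replacement, run against an in-memory SQLite table of constructed sample records. The table layout, the records and the NetID format rule are assumptions.

```python
import re
import sqlite3

NETID_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")  # assumed NetID format, not the University's rule

def make_db():
    """In-memory table of constructed sample records standing in for a campus directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (netid TEXT, phone TEXT, class_no TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        ("jdoe1", "555-0101", "CSE 30341"),
        ("asmith", "555-0102", "ACCT 20100"),
        ("bbauer2", "555-0103", "PHYS 10310"),
    ])
    return conn

def lookup_vulnerable(conn, netid):
    """String-built query: whatever the user typed is parsed as SQL."""
    sql = "SELECT netid, phone, class_no FROM students WHERE netid = '%s'" % netid
    return conn.execute(sql).fetchall()

def lookup_safe(conn, netid):
    """Parameterized query: the driver binds the input as a value, never as SQL text."""
    sql = "SELECT netid, phone, class_no FROM students WHERE netid = ?"
    return conn.execute(sql, (netid,)).fetchall()

def valid_netid(netid):
    """Defence in depth: reject input that cannot be a NetID before it reaches any query."""
    return bool(NETID_RE.match(netid))

TAUTOLOGY = "x' OR '1'='1"  # the textbook always-true input

def demo():
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "jdoe1"),
        "normal_safe": lookup_safe(conn, "jdoe1"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),  # returns every row
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),        # matches nothing
        "tautology_valid": valid_netid(TAUTOLOGY),             # rejected before any query
    }
```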

The Damage

Reputation: Anytime there is a data leak, the reputation of the institution is affected

Reputation: GhostShell also found that many of the machines had already been compromised through existing exploits. Some of these stored credit card information.

Cost: Notification and credit monitoring for those whose information was leaked

Sample of Affected Universities

University of Michigan (7 servers)

University of Wisconsin (4 servers)

Cornell University (3 servers)

Tokyo University (4 servers)

Stanford (2 servers)

Cambridge (2 servers)

Arizona State (3 servers)

HOW NOTRE DAME AVOIDED THE INCIDENT

Vigilantly scanning all web applications using tools such as HP WebInspect

Limited the exposure of public facing servers with the zone network project and other efforts across the university

Luck?

WILL GHOSTSHELL GET CAUGHT?

It is unlikely that anyone from team GhostShell will get caught.

The team used TOR (anonymity network) to extract and dump the data. This allowed them to mask their location through a network of anonymous proxies around the world.

QUESTIONS YOU ASKED

HOW DO NET IDS GET COMPROMISED?

Phishing

MALWARE

POOR PASSWORDS

POOR PASSWORD

GoIrish, GoIrish1, GoIrish!, password, P@ssword, 123123, 12345678, abc123, qwerty, iloveyou, jesus, Trustno1, letmein, ashley, Ashley1983, ninja, mustang, dragon
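A deny-list check that catches the passwords listed above together with their common variants, as an added example and not the University's password-policy code: it undoes leet substitutions and strips trailing digits and symbols so that GoIrish1, GoIrish!, P@ssword and Ashley1983 are rejected along with the base words. The minimum length is an assumed value.

```python
import re

# Base words from the slide's list of poor passwords (Trustno1 kept as written there).
DENY_LIST = {
    "goirish", "password", "123123", "12345678", "abc123", "qwerty", "iloveyou",
    "jesus", "trustno1", "letmein", "ashley", "ninja", "mustang", "dragon",
}
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})  # undo P@ssw0rd-style swaps
MIN_LENGTH = 12  # assumed policy value, not the University's standard

def normalize(pw):
    """Return (base, stem): lowercased with leet undone, and with trailing digits/symbols removed."""
    low = pw.lower()
    base = low.translate(LEET)
    stem = re.sub(r"[\W\d_]+$", "", low).translate(LEET)
    return low, base, stem or base

def check_password(pw):
    """Return the list of reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    low, base, stem = normalize(pw)
    if low in DENY_LIST or base in DENY_LIST or stem in DENY_LIST:
        reasons.append("on deny list")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons

SAMPLES = ["GoIrish", "GoIrish1", "GoIrish!", "P@ssword", "Ashley1983", "Trustno1",
           "correct horse battery staple"]  # first six from the slide, last one constructed

def report():
    return {pw: check_password(pw) for pw in SAMPLES}
```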

QUESTIONS WE DIDN’T ANSWER

1. List all of the security software the University licenses
There’s a lot: check the software downloads page for many approved software packages. If you have a specific need, drop us a line.

2. Common ePO troubleshooting steps
Rather than talk to the entire room about these, we’ll schedule an ePO users group meeting.