Server Security
http://www.vpit.txstate.edu/security.html
Office of the Vice President for Information Technology, Texas State University-San Marcos
Mr. Shawn Pearcy, Information Security Analyst
Mr. Corbett Consolvo, Senior Information Security Analyst
Ms. Lori McElroy, Information Security Officer
Mr. Don Volz, Special Assistant to the Vice President for Information Technology
April 3-4, 2008

Agenda

• Who is IT Security at Texas State University?
• Our Mission
• Server Hardening and Checklists
• Incident Detection
• Incident Reporting

Who is IT Security?

• Sarmita Tuladhar, Student Technical Assistant
• Shawn Pearcy, Information Security Analyst
  • CompTIA Security+, Network+, A+, MCP 2K
• Mr. Corbett Consolvo, Senior Information Security Analyst
• Ms. Lori McElroy, Information Security Officer
  • CISSP, GIAC Certified Incident Handler (GCIH)
• Mr. Don Volz, Special Assistant to the Vice President for Information Technology

Mission

IT Security at Texas State exists to ensure the confidentiality, integrity, and availability of University data, information, communications and services.

Server Hardening and Checklists

• Best practices
• Server hardening
• Server checklists
• Tools overview
• Hands-on practice

Server Incident Detection

• SANS Intrusion Discovery Cheat Sheets
• Linux commands
  • Hands on practice
• Windows commands
  • Hands on practice
• X-cleaner

Spyware at Texas State

Spyware Rule Summary Report
Spyware Type: Download Source/Phone Home
Period: 3/1/2008-3/31/2008

Infecting Product     Category                         Attempts   Threat Rating (1-10)
Covenanteyes          Commercial Monitoring Software   12         7
180 Search Assistant  Adware                           84         7
Agobot.gen            Trojan                           1461       8
Xrenoder              Adware                           261        7
Bandjammer            Trojan                           27         7
Covenanteyes          Commercial Monitoring Software   877        7
Bandjammer            Trojan                           9          7
Ardamax Keylogger     Commercial Monitoring Software   4          7
RK-70164              Trojan                           25         7
Bandjammer            Trojan                           2          7
NextDoor              Worm                             1          8
GRI.Bot               Worm                             2          7
w32.Kmeth Worm        Worm                             1          7
NextDoor              Worm                             1          8
NextDoor              Worm                             1          8
GRI.Bot               Worm                             20         7

SPAM at Texas State

SPAM Volume Over 7 Days

Server Incident Detection

• Vulnerability scanning
  • Core Impact
  • Hands on – MBSA and Nmap
• Network based intrusion detection systems
  • Demo – Current solutions
  • Hands on – packet capture and Snort
• Securing Services
  • Hands on – SSH and RDP
• Logs
  • Remote logging and regular review

Incident Reporting

• What is an incident
• Incident lifecycle
• Common incidents at Texas State
• Incident priorities
• Incident response and mitigation

What is an Incident?

• Attempted or successful unauthorized access

• Theft or exposure of confidential or sensitive data either intentionally or unintentionally

• Wrongful modifications of data
• Inappropriate use (excessive bandwidth use, spam, etc.)

What is an Incident?

• Violates state or federal law
  • Ex: Copyright violation
• Violates Appropriate Use UPPS (04.01.07)
• Is determined to be harmful to the security and privacy of University data, or IT resources
• Is construed as harassment
• Involves the unexpected disruption of University services

Laptop Theft

EDUCAUSE 2006 Security Awareness Video Contest

Honorable Mention

By Adam Stackhouse, College of William & Mary

Incident Lifecycle

• Alert / Notification
• Investigation / Analysis
• Containment & Eradication
• Recovery
• Assessment

Our Priorities - Incident Response

• Contact law enforcement if incident involves criminal activity

• Limit exposure
• Maintain / restore service
• Protect students / faculty / staff
• Support prosecution / legal action

** The order of priorities may vary by incident **

Incident Prevention – Our Part

• Perimeter and LAN firewalls
  • Hands on - VPN access
• Intrusion Prevention and Detection
• Patch Management
  • Keep Windows and McAfee Up-To-Date
• Education and Awareness
• Annual Risk Assessments

Incident Response – Our Part

• We use our logs to attempt to locate:
  • Attacking computers
  • Attack method
  • Other vulnerable computers (warn and fix)
  • Other victims (warn, possibly block)

Incident Response – Our Part

• We disable ports on computers that have been compromised
  • Protects the individual machine as well as the rest of campus
• Evaluating additional tools for automation and quarantine

Avoid Infection

EDUCAUSE 2007 Security Awareness Video Contest

Gold Award - 1st Prize Winner

Joseph Ellis and Eric Collins, University of Delaware

Incident Response – Your Part

• UPPS 04.01.01 – Section 4.02: Individuals are responsible for the security of any computer account issued to them and are accountable for any activity that takes place in their account. Individuals who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to their supervisor. Any suspected or attempted violation of system security should be reported immediately to the Office of the Assistant Vice President for Technology Resources at 245-2501.

• Policy is in revision – Contact IT Security

Incident Response – Your Part

• If you suspect a compromise:
  • Notify us immediately
    • 512-245-4225 (HACK), After hours contact UPD
    • Email to [email protected]
  • If IT Security is not reachable, contact
    • Information Technology Assistance Center
    • 245-4822 (ITAC), by e-mail at [email protected]

**Do not send sensitive information via email**

Incident Response – Your Part

• Important information to gather:
  • Detailed description of suspected incident
  • What led you to believe an incident has occurred
  • Who, what, where, when, how
  • Be as specific as possible
• Do not attempt to gather evidence or perform any technical investigation before contacting IT Security
  • This may contaminate data and destroy critical evidence

Incident Prevention – Your Part

• Backup and recovery
• Patch Management
  • Keep Windows and McAfee Up-To-Date
• Restrict Power User Access
• Disable unused / unnecessary services
  • http://www.vpit.txstate.edu/security/items_interest/server.html

Incident Prevention – Your Part

• Install / activate software firewall
  • Hands on – IP Tables
  • Windows XP and Server 2003
• Physical and environmental security
  • Examples of not-so-good practices
  • Examples of good practices

Other IT Security Services

• Consulting
• Backup strategies
• Vendor contract review
• Software analysis
• Risk Assessments
• Customized training
• Vulnerability Scanning
• Penetration testing

University Policies (UPPS)

• Security of Texas State Information Resources
  • UPPS 04.01.01
• Appropriate Use of Information Resources
  • UPPS 04.01.07
• Appropriate Release of Information
  • UPPS 01.04.00

Summary

• Technology alone will not keep our systems safe

• By protecting your own computer system, you're also doing your part to protect computers throughout the university

• IT Security is here to help YOU!

Tools

• ListServs
  • http://groups.txstate.edu/mailman/listinfo/
  • TSP-Security
  • TxState-ServerAdmins

Tools on DVD

• IT Security Best Practices
  • http://www.vpit.txstate.edu/security/items_interest/server.html
• SANS Hardening Checklists
  • http://www.sans.org/score/checklists.php?portal=85501419b5313ffba77bde5e9cc6f136
• Microsoft Baseline Security Analyzer (MBSA)
  • http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Wireshark
  • www.wireshark.org/
• Nmap
  • http://nmap.org/
• Spybot
  • http://www.safer-networking.org/en/index.html
• Proventsure
  • http://www.proventsure.com/Proventsure%20Self%20PII%20Detection.zip

Questions?

• Q&A

Contact Info

IT Security

[email protected]

512-245-4225 (HACK)

Thanks for attending!

http://www.vpit.txstate.edu/security.html

Please complete your evaluation form!