TRANSCRIPT
Server Security
http://www.vpit.txstate.edu/security.html
Office of the Vice President for Information Technology, Texas State University-San Marcos
Mr. Shawn Pearcy, Information Security Analyst
Mr. Corbett Consolvo, Senior Information Security Analyst
Ms. Lori McElroy, Information Security Officer
Mr. Don Volz, Special Assistant to the Vice President for Information Technology
April 3-4, 2008
Agenda
• Who is IT Security at Texas State University?
• Our Mission
• Server Hardening and Checklists
• Incident Detection
• Incident Reporting
Who is IT Security?
• Sarmita Tuladhar, Student Technical Assistant
• Shawn Pearcy, Information Security Analyst
  • CompTIA Security+, Network+, A+, MCP 2K
• Mr. Corbett Consolvo, Senior Information Security Analyst
• Ms. Lori McElroy, Information Security Officer
  • CISSP, GIAC Certified Incident Handler (GCIH)
• Mr. Don Volz, Special Assistant to the Vice President for Information Technology
Mission
IT Security at Texas State exists to ensure the confidentiality, integrity, and availability of University data, information, communications and services.
Server Hardening and Checklists
• Best practices
• Server hardening
• Server checklists
• Tools overview
• Hands-on practice
Server Incident Detection
• SANS Intrusion Discovery Cheat Sheets
• Linux commands
  • Hands-on practice
• Windows commands
  • Hands-on practice
• X-cleaner
Spyware at Texas State
Infecting Product       Category                          Attempts  Threat Rating (1-10)
Covenanteyes            Commercial Monitoring Software          12  7
180 Search Assistant    Adware                                  84  7
Agobot.gen              Trojan                                1461  8
Xrenoder                Adware                                 261  7
Bandjammer              Trojan                                  27  7
Covenanteyes            Commercial Monitoring Software         877  7
Bandjammer              Trojan                                   9  7
Ardamax Keylogger       Commercial Monitoring Software           4  7
RK-70164                Trojan                                  25  7
Bandjammer              Trojan                                   2  7
NextDoor                Worm                                     1  8
GRI.Bot                 Worm                                     2  7
w32.Kmeth Worm          Worm                                     1  7
NextDoor                Worm                                     1  8
NextDoor                Worm                                     1  8
GRI.Bot                 Worm                                    20  7
Spyware Rule Summary Report, Spyware Type: Download Source/Phone Home
Period: 3/1/2008-3/31/2008
SPAM at Texas State
SPAM Volume Over 7 Days
Server Incident Detection
• Vulnerability scanning
  • Core Impact
  • Hands on – MBSA and Nmap
• Network based intrusion detection systems
  • Demo – Current solutions
  • Hands on – packet capture and Snort
• Securing Services
  • Hands on – SSH and RDP
• Logs
  • Remote logging and regular review
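Securing SSH, as in the "Securing Services" hands-on above: an added example, not code from the presentation or from Texas State IT Security, that reads an sshd_config the way sshd does and flags the settings a hardening checklist commonly reviews. The directive names are real OpenSSH directives; the set of checks, the two sample configurations (a weak one and its hardened counterpart) and the function names are this example's own assumptions.

```python
"""Check an OpenSSH sshd_config against common server-hardening settings.

Added example: the directive names are real OpenSSH directives, but the
set of checks, the sample configurations and the function names are this
example's own choices, not a Texas State checklist."""
import re

# Directive (lower-cased) -> value a hardening checklist usually expects.
EXPECTED = {
    "protocol": "2",                  # SSH protocol 1 is weak; allow only 2
    "permitrootlogin": "no",          # log in as a user, then su/sudo
    "passwordauthentication": "no",   # keys only; defeats password guessing
    "permitemptypasswords": "no",
    "x11forwarding": "no",            # off unless a server really needs it
}

# Constructed sample: an out-of-the-box style config (example data).
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

# Constructed sample: the hardened counterpart (example data).
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
AllowGroups sshusers
"""

# "Keyword value" or "Keyword = value"; both forms are accepted by sshd.
DIRECTIVE_RE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Mirrors how sshd reads the file: '#' starts a comment, directive names
    are case-insensitive, the FIRST value seen for a directive wins, and
    everything after a 'Match' line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(directive, found, expected)] for every check that fails.

    A directive that is absent is reported too: the compiled-in default
    then applies, and a checklist wants the value stated explicitly.
    """
    settings = parse_sshd_config(text)
    findings = []
    for directive, want in EXPECTED.items():
        got = settings.get(directive)
        if got is None:
            findings.append((directive, "<not set>", want))
        elif got.lower() != want:
            findings.append((directive, got, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, got, want in findings:
            print(f"  {directive}: found {got!r}, expected {want!r}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. The parser keeps the first value for a directive and stops at the first `Match` block because that is how sshd resolves settings; a checker that took the last value, or read inside `Match` blocks, would report a config as hardened when sshd is actually using an earlier, weaker line.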
Incident Reporting
• What is an incident
• Incident lifecycle
• Common incidents at Texas State
• Incident priorities
• Incident response and mitigation
What is an Incident?
• Attempted or successful unauthorized access
• Theft or exposure of confidential or sensitive data either intentionally or unintentionally
• Wrongful modifications of data
• Inappropriate use (excessive bandwidth use, spam, etc.)
What is an Incident?
• Violates state or federal law
  • Ex: Copyright violation
• Violates Appropriate Use UPPS (04.01.07)
• Is determined to be harmful to the security and privacy of University data, or IT resources
• Is construed as harassment
• Involves the unexpected disruption of University services
Laptop Theft
EDUCAUSE 2006 Security Awareness Video Contest, Honorable Mention
By Adam Stackhouse, College of William & Mary
Incident Lifecycle
• Alert / Notification
• Investigation / Analysis
• Containment & Eradication
• Recovery
• Assessment
Our Priorities - Incident Response
• Contact law enforcement if incident involves criminal activity
• Limit exposure
• Maintain / restore service
• Protect students / faculty / staff
• Support prosecution / legal action
** The order of priorities may vary by incident **
Incident Prevention – Our Part
• Perimeter and LAN firewalls
  • Hands on - VPN access
• Intrusion Prevention and Detection
• Patch Management
  • Keep Windows and McAfee Up-To-Date
• Education and Awareness
• Annual Risk Assessments
Incident Response – Our Part
• We use our logs to attempt to locate:
  • Attacking computers
  • Attack method
  • Other vulnerable computers (warn and fix)
  • Other victims (warn, possibly block)
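The log review described above (locating the attacking computers, the attack method, other vulnerable computers and other victims), as an added example that is not part of the presentation: a small triage over sshd log lines as a central log host would collect them from several servers. The hostnames, addresses and log lines are constructed sample data, and the failure threshold and function names are this example's own assumptions.

```python
"""Triage forwarded sshd log lines the way an incident responder does:
find the attacking computers, characterise the method, and list which
campus hosts they touched (other possible victims / vulnerable machines).

Added example with constructed data: the hostnames, addresses and log
lines below are made up, and the threshold and function names are this
example's own choices."""
import re
from collections import defaultdict

# Constructed sample in syslog/sshd format, as a central log host would
# receive it from several servers (example data, not real logs).
SAMPLE_AUTH_LOG = """\
Apr  3 02:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4410 ssh2
Apr  3 02:14:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 4411 ssh2
Apr  3 02:14:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Apr  3 02:14:09 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 4413 ssh2
Apr  3 02:15:10 web1 sshd[2210]: Accepted password for backup from 203.0.113.7 port 4420 ssh2
Apr  3 02:20:44 db1 sshd[881]: Failed password for root from 203.0.113.7 port 5001 ssh2
Apr  3 02:20:46 db1 sshd[881]: Failed password for root from 203.0.113.7 port 5002 ssh2
Apr  3 02:21:00 db1 sshd[883]: Failed password for invalid user test from 203.0.113.7 port 5003 ssh2
Apr  3 08:30:12 web1 sshd[3100]: Accepted publickey for jsmith from 10.20.30.40 port 50112 ssh2
Apr  3 09:02:55 lab7 sshd[414]: Failed password for invalid user pi from 198.51.100.23 port 3311 ssh2
"""

# syslog timestamp, reporting host, then the sshd auth message.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Parse one sshd auth line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["invalid"] = event["invalid"] is not None  # nonexistent account?
    return event


def triage(log_text, threshold=3):
    """Return {attacker_ip: summary} for every source with >= threshold
    failed logins. Each summary records how many failures, how many were
    against accounts that do not exist (a sign of a scripted wordlist),
    which hosts were probed, and any login the attacker did succeed at."""
    failures = defaultdict(int)
    invalid_users = defaultdict(int)
    hosts = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev["outcome"] == "Failed":
            failures[ev["src"]] += 1
            if ev["invalid"]:
                invalid_users[ev["src"]] += 1
            hosts[ev["src"]].add(ev["host"])
        else:
            accepted.append(ev)

    report = {}
    for src, n in failures.items():
        if n < threshold:
            continue
        report[src] = {
            "failures": n,
            "invalid_user_attempts": invalid_users[src],
            "hosts": sorted(hosts[src]),              # warn / fix candidates
            "successful_logins": [                    # likely victims
                (ev["host"], ev["user"]) for ev in accepted if ev["src"] == src
            ],
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['failures']} failures "
              f"({info['invalid_user_attempts']} against nonexistent accounts) "
              f"on {', '.join(info['hosts'])}")
        for host, user in info["successful_logins"]:
            print(f"  succeeded as {user!r} on {host}: treat {host} as compromised")
```

The point of correlating across hosts is the one the slide makes: a single server's log shows one attacker, but the central copy shows every machine that attacker probed (candidates to warn and patch) and any account the attacker actually got into (a victim to isolate). This is also why the next slides insist on remote logging: a compromised host's own log can be edited, the copy on the log host cannot.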
Incident Response – Our Part
• We disable ports on computers that have been compromised
  • Protects the individual machine as well as the rest of campus
• Evaluating additional tools for automation and quarantine
Avoid Infection
EDUCAUSE 2007 Security Awareness Video Contest, Gold Award - 1st Prize Winner
Joseph Ellis and Eric Collins, University of Delaware
Incident Response – Your Part
• UPPS 04.01.01 – Section 4.02: Individuals are responsible for the security of any computer account issued to them and are accountable for any activity that takes place in their account. Individuals who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to their supervisor. Any suspected or attempted violation of system security should be reported immediately to the Office of the Assistant Vice President for Technology Resources at 245-2501.
• Policy is in revision – Contact IT Security
Incident Response – Your Part
• If you suspect a compromise:
  • Notify us immediately
    • 512-245-4225 (HACK), After hours contact UPD
    • Email to [email protected]
  • If IT Security is not reachable, contact
    • Information Technology Assistance Center
    • 245-4822 (ITAC), by e-mail at [email protected]
**Do not send sensitive information via email**
Incident Response – Your Part
• Important information to gather:
  • Detailed description of suspected incident
  • What led you to believe an incident has occurred
  • Who, what, where, when, how
  • Be as specific as possible
• Do not attempt to gather evidence or perform any technical investigation before contacting IT Security
  • This may contaminate data and destroy critical evidence
Incident Prevention – Your Part
• Backup and recovery
• Patch Management
  • Keep Windows and McAfee Up-To-Date
• Restrict Power User Access
• Disable unused / unnecessary services
• http://www.vpit.txstate.edu/security/items_interest/server.html
Incident Prevention – Your Part
• Install / activate software firewall
  • Hands on – IP Tables
  • Windows XP and Server 2003
• Physical and environmental security
  • Examples of not-so-good practices
  • Examples of good practices
Other IT Security Services
• Consulting
• Backup strategies
• Vendor contract review
• Software analysis
• Risk Assessments
• Customized training
• Vulnerability Scanning
• Penetration testing
University Policies (UPPS)
• Security of Texas State Information Resources
  • UPPS 04.01.01
• Appropriate Use of Information Resources
  • UPPS 04.01.07
• Appropriate Release of Information
  • UPPS 01.04.00
Summary
• Technology alone will not keep our systems safe
• By protecting your own computer system, you're also doing your part to protect computers throughout the university
• IT Security is here to help YOU!
Tools
• ListServs
  • http://groups.txstate.edu/mailman/listinfo/
  • TSP-Security
  • TxState-ServerAdmins
Tools on DVD
• IT Security Best Practices
  • http://www.vpit.txstate.edu/security/items_interest/server.html
• SANS Hardening Checklists
  • http://www.sans.org/score/checklists.php?portal=85501419b5313ffba77bde5e9cc6f136
• Microsoft Baseline Security Analyzer (MBSA)
  • http://www.microsoft.com/technet/security/tools/mbsahome.mspx
• Wireshark
  • www.wireshark.org/
• Nmap
  • http://nmap.org/
• Spybot
  • http://www.safer-networking.org/en/index.html
• Proventsure
  • http://www.proventsure.com/Proventsure%20Self%20PII%20Detection.zip
Questions?
• Q&A
Thanks for attending!
http://www.vpit.txstate.edu/security.html
Please complete your evaluation form!