“permit ip any any” – The Challenge of Information Security on a University Campus
Harvard Townsend, Chief Information Security Officer, Kansas State University
October 27, 2011
Dec 26, 2015
It requires thick skin…
“Don’t let anybody tell ya it’s easy!”
Agenda
• The environment
• The challenges
– Unique to higher education
– Common to all large organizations
• Never a dull moment
• The strategy
• Q&A
Kansas State University
• 23,863 students from all 50 states, 90 countries
• 5,350 students living in on-campus housing
• 6,218 faculty, staff, administrators
• ~5,000 new faces every year… and 5,000 departures
• Public, land grant institution
• Three campuses – Manhattan, Salina, and now Olathe; plus a recruiting office in China
• 2 Gbps pipe to Internet/Internet2 (250,000 flows/min, 360 million flows/day); moving to 10 Gbps core network
• ~35,000 devices on the network on a typical weekday, many with static, public, routable IP addresses
• 47 credit card Merchant IDs
• Numerous affiliated 501c3 corporations (Athletics, Foundation, Alumni Association, Student Union, Student Publications,…)
• Veterinary Medicine (hooray for no medical center/hospital!)
• BRI, NBAF
The Challenges – Unique?
• Dr. Simon Ou’s and Dr. Eugene Vasserman’s cybersecurity students are on our network!
• Turnover of 5,000-6,000 users every year (20%)
• Providing services to prospective students, alumni, parents
• Student-owned personal systems in residence halls, campus apartments, and wireless
• Highly distributed administration, budget, technology
• Shared governance – little tolerance for top-down edicts
• Culture of autonomy, open expression of opinions
• Tenure
• Protecting freedom of speech, academic freedom (“I’m studying for my human sexuality class.”)
The Challenges – Unique?
• “Incidental personal use” allowed by policy
• Up until four years ago, the student ID number was their SSN
• State library and federal document repository (public access mandated)
• Plethora of affiliated organizations
• No central control of technology purchases or what gets plugged into the network
• Plethora of mobile devices with expectation that we support all of them
The Challenges - Common
• Multiple campuses, including an office in China
• Accommodating campus visitors
• International collaborations
• Providing secure, reliable services to “customers” (i.e., students) throughout the world
• Outsourcing to the cloud
• Limited resources (IT services in general, IT security specifically)
• Plethora of laws and regulations
– FERPA, HEOA (DMCA)
– PCI DSS, HIPAA, CALEA, GLBA, …
DMCA-P2P File Sharing
• Higher Education Opportunity Act of 2008 mandates use of “one or more technology-based deterrents” to combat copyright infringement (recording industry lobbyists were quite busy that year)
• We block P2P file sharing protocols – one of the few things we block
• Surprisingly little push-back from students
• 83 DMCA violation notices in 2010, 29 in 2009
• Interesting DMCA notices from porn industry lately offering settlement for $200 to avoid legal action – sleazy tactic
Never a dull moment
• I’m starting to get a phobia about announcing any kind of change!
• For example, due to state of Kansas policy, security best practice, and plain ol’ common sense, we now require annual IT security training for all employees.
• Some responses were downright venomous
• One said it was the worst piece of junk they’d seen in their 21 years at K-State; another said it was the best training they’d ever seen in their 20 years at K-State.
Change is Evil
• Summer 2011, implemented WPA2-Enterprise wireless network, phasing out WEP-based wireless (turned off Oct. 25)
– Collegian reporter: “Why are you changing the Internet?”
– Email from a faculty member: “I have AT&T Internet service at home. Should I change to ‘KSU Wireless?’ If so, how much does it cost and how do I install it?”
– Email from a graduate student, another from a campus system administrator:
Privacy
• What do you think is the expectation of privacy for a faculty, staff, or student at K-State?
• Privacy is an interesting animal in higher education – a hybrid species
• “We respect your privacy, but you have none.”
• We’re not watchdogs; only snoop when specific conditions are met, several of which require permission of the CIO in consultation with General Counsel; annually report these accesses to Faculty Senate
How Dare You!
• I’m a glutton for punishment – now I plan to block remote access protocols at the border, like SSH and RDP
• Due to:
– Multiple compromises, some via successful brute force cracking of accounts with weak passwords
– Massive DDoS that buried a core router
– Morto worm infections
– Many instances of SSH and RDP scans, incoming and outgoing
– Security best practice, common sense, etc.
• Will have to use a VPN before remotely logging in.
• No brainer… right? Not in higher ed…
K-State IT Security Incidents in 2010
• Categories
– 408 Spear phishing
– 355 Spam source
– 344 Unauthorized access
– 103 Malicious code activity
– 93 Policy violation
– 83 DMCA violation
– 23 Criminal activity/investigation
– 10 Web/BBS defacement
– 8 Reconnaissance activity
– 3 Confidential data exposure
– 1 Rogue server/service
– 0 Un-patched vulnerability
– 0 Denial of Service
– 82 No incident
} Mostly due to spear phishing scams (74%)
First phishing scam detected at K-State on January 31, 2008; 1,067 compromised eIDs since then (2011 not included) and 920 different phishing scams… that we know of
Demographics of Phishing Scam Replies in 2010
• 390 Students (87% of total eIDs that replied to scams)
– 95 Newly admitted, have not attended yet
– 89 Freshmen
– 55 Sophomore
– 35 Junior
– 54 Senior
– 43 Graduate (31 Master’s, 12 PhD)
– 6 Vet Med
– 10 Alumni
– 9 non-degree
• 26 Staff (24 current, 2 retired)
• 16 Faculty (6 current, 3 adjunct, 2 Instructor, 5 emeritus/retired)
• 1 Post-Doc
• 0 Senior administrators
• 231 employees (i.e., lots of student employees duped)
• 13 Repeat offenders (retired faculty wins the prize for replying 5 times; barely beat retired music faculty @ 4 replies)
} They should know better!
Demographics of Phishing Scam Replies in 2010
• Gender
– Female: 264 (58%)
– Male: 192 (42%)
– (60/40 in 2009)
More Phun Phishing Phacts
• In 2009, 79 of the 296 (27%) phishing scams were “successful” (i.e., got replies with passwords) – no wonder the hackers don’t stop given this success rate!!
• Significant shift in the form of phishing since September 2010
– Before, was 60-70% “reply to this email with your password”
– Since September 2010, 60+% are “click on this link and fill out the form”
Typical phishing form
• Usually hosted on compromised server
• Use of PHP Form Generator very common
Typical phishing form
Sometimes we can get administrative access to the form and delete or modify it, even view list of people who filled it out in order to identify who from K-State was duped by the phishing scam.
The malicious link in the scam email took the user to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, that steals their eID and password if they enter them and click “Sign in”. Clicking on “Sign in” then took the user to K-State’s home page.
Note the URL – “flushandfloose.nl”, which is obviously not k-state.edu
Real SSO web page – note “https”
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)
Result of clicking on eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password
Result of clicking on eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication
Strategy
• Operate within the culture of the institution
– Respect and embrace the culture; if you fight it, you’ll only make enemies who will ignore your policies and undermine everything you do
• Independent, opinionated “customers”
• Highly distributed power/budget/control/technology (accept the fact that we cannot centralize or control everything)
– Mixed model of centralized vs. distributed resources/control (we’re IT Services, not “Infotech Take-over Services”)
– Remember our primary purpose – to SUPPORT faculty, staff, students, and administration
• To enable their work, not hinder it
• Security is not the sole consideration, or always the most important; strongly consider impact on user experience
Culture continued
– Be willing to compromise
• RDP/SSH block good example – don’t block every remote access protocol, just ones that pose greatest risk; allow exceptions for departmental remote access servers
– Give them input into the process; prove you listen by adjusting policies, procedures, and project timelines based on their feedback
– Take the time to respond professionally to the flaming emails (coffee shops are great cybersecurity tools)
– Communicate in as many ways as you can, with clear explanation of the reasons for the change
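As an added illustration of the border policy from the “How Dare You!” slide and the exception approach above (this is not K-State’s own configuration): an IOS-style extended ACL that keeps the deck’s “permit ip any any” posture for everything except inbound SSH and RDP, with holes for a departmental remote-access server and the SSL VPN concentrator. The interface name, the 203.0.113.0/24 campus block and the host addresses are assumed placeholders.

```cisco
! Added example, not K-State's configuration. 203.0.113.0/24 stands in for
! the campus public address block; .10 is a hypothetical departmental
! remote-access server granted an exception, .20 the hypothetical SSL VPN.
! IOS evaluates entries top to bottom and stops at the first match, so the
! exceptions must precede the deny lines.
ip access-list extended BORDER-IN
 remark --- Exceptions: departmental remote-access servers approved by IT Security
 permit tcp any host 203.0.113.10 eq 22
 permit tcp any host 203.0.113.10 eq 3389
 remark --- VPN stays reachable so users log in through it (AnyConnect: TCP and DTLS 443)
 permit tcp any host 203.0.113.20 eq 443
 permit udp any host 203.0.113.20 eq 443
 remark --- Block direct SSH/RDP from the Internet; log hits to measure scan volume
 deny   tcp any 203.0.113.0 0.0.0.255 eq 22 log
 deny   tcp any 203.0.113.0 0.0.0.255 eq 3389 log
 remark --- Everything else stays as open as before (IOS would otherwise deny by default)
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet / Internet2 uplink (placeholder interface)
 ip access-group BORDER-IN in
```

The logged deny counters give a defensible before/after number for the SSH and RDP scans the slide mentions when the change is explained to the campus.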
Security Organization at K-State
• Information Security & Compliance department in central IT Services (that’s me and my team – six of us total)
• CIO plays key role in communicating, esp. up the ladder
• SIRT – Security Incident Response Team and advisory council
– Play a critical role in gaining buy-in from the campus
– Reps from every academic college and major administrative unit
• Departmental security contacts – at least one in every department
Battling the John Mallery “Stupid People” Problem, or thinning the Bozone
• User awareness and training
– Only so much technology can do, especially in our open, distributed environment
– Regular “IT Tuesday” articles were pretty well read
– Annual IT day-long security workshop with more technical and less technical tracks
– Started mandatory annual security training last year
• Focused on phishing scams and password mgmt
• Had some positive effect in spite of venomous push-back
– And something new this year…
Strategy
• Usual set of security technologies (Snort IDS, Nessus vuln scanner, QRadar log mgr, Procera PacketLogic traffic shaper, IronPort email security appliance, EnCase+FRED for forensics, netflow analysis tools, Cisco ASA firewalls, Cisco AnyConnect SSL VPN, Impulse NAC, Trend Micro AV, PGP WDE)
• Network segmentation
• Strong security policy base, including data classification
• Jericho Forum firewall strategy apropos for higher ed (www.jerichoforum.org)
– “De-perimeterisation”
– Move the security controls closer to the things you’re trying to protect (i.e., the data… which resides who-knows-where)