"In the Beginning, ARPA created the ARPANET. And the ARPANET was without form and void. And darkness...


"In the Beginning, ARPA created the ARPANET. And the ARPANET was without form and void. And darkness was upon the deep. And the spirit of ARPA moved upon the face of the network and ARPA said, 'Let there be a protocol,' and there was a protocol. And ARPA saw that it was good. And ARPA said, 'Let there be more protocols,' and it was so. And ARPA saw that it was good. And ARPA said, 'Let there be more networks,' and it was so." -- Danny Cohen

Source: “Computer History Museum” http://www.computerhistory.org/internet_history/


The Shifting Landscape of IT Security

EDUCAUSE Security Professionals Conference 2008

Brian Smith-Sweeney Project Lead, New York University

Copyright Brian Smith-Sweeney 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

NYU Info

• 14 Schools and Colleges
• 65,000+ users, 50,000 active accounts
  – 50,000 enrolled
  – 16,000 staff
  – 11,000 residential
• ~50,000 nodes on NYU-NET
• 1.4Gb/sec+ connectivity
  – 1.2Gb/sec commodity
  – 200 Mb/sec Internet2
  – Multi-Gb/sec specialized/R&E connectivity

Part I: Ancient IT Security History (Internet Time)

Contemporary Internet Security History

The 80s
• Malware largely written for fun and mischief
• IT security was “don’t share floppies”
• “Security” personnel mostly physical security

The 90s
• Malware complexity improved dramatically
• IT security added “be careful of attachments”
• IT security professionals arrive in EDU


2001: “Year of the Worm”

• Self-propagating malware develops
• CodeRed, Nimda, Li0n, Ramen
• Some network professionals became network security professionals
• SANS Internet Storm Center formed
• Early IT security strategy in .edu


[Figure: SQL Slammer worm network traffic visualization, comparing normal network traffic with worm network traffic in terms of dropped and accepted connections]

Source: “The effect of worms on the Internet”, http://www.e-things.org/worms

Security Lifecycle


.edu IT Security: 2001-?

• Mostly operational. Sometimes tactical. Rarely strategic.
• Detection became easy. Reaction was harder.
• Assessment and protection? Still operational and reactive!
  – Nessus and Netreg
  – Top-X lockdown lists
  – Education and awareness

Part II: Defining the Shifting Landscape

The Shifting Landscape: The good guys

• OS/app vendors have found security!

• Firewalls on by default

• Passwords enabled by default

• Automatic patching

The Shifting Landscape: The bad guys

• It’s all about the money

• Attacker community is evolving and specializing
  – Malware authors have become bot herders
  – Site defacers have become phishing hosts

• Attackers are becoming more organized

How Organized? The RBN

• Involved in hacking, phishing, DoSing, child pornography, botnets

• Hosting for all of the above (Only $600 US!)

• Rumored political ties

• Possibly connected to the Storm Worm

Shifting Landscape Fallout

• The death of the Internet worm

• The rise of the client-side attack

• The rise of the application-layer attack

• The rebirth of the Internet worm

• The failure of classic IT security strategies

NYU Safetynet

• Agentless NAC for NYU ResNet

• Relied on network security posture assessment

• Complex technical architecture

• Initial ResNet vulnerability rate: 30%

• By 2006, only 1.9% of registered systems were marked vulnerable.

Anti-malware: Losing the battle

[Figure: antivirus systems’ performance graph; the slide highlights a 50% mark]

Source: “Antivirus Systems’ Performance Graphs”, http://winnow.oitc.com/AntiVirusPerformance.html

Storm Worm: the future of malware?

• Constantly-improving distribution method

• Peer2peer communication protocol

• Encrypted communications

• Distribution of duties

• Rapid updates

• Active defense mechanisms

Part III: Responding to The Shift

Security Lifecycle Redux


But Wait, There’s More!

• Technical Issues
  – IPv6
  – Encryption everywhere
• New Compliance Requirements
  – HIPAA
  – FERPA
  – PCI
  – Breach Notification
• Changing Management Expectations
  – Increased scrutiny
  – Decreasing budgets

Asset Classification

1. Classify data types
   – Compliance requirements
   – Business requirements
2. Classify systems
   – Data classification
   – Availability requirements
3. Use classifications to drive
   – Security standards
   – Technical security architecture
   – Auditing and vulnerability assessment
   – Incident response

Consulting Services

• Aligned with project management group

• Reached out to the folks that manage projects through the University

• Worked to clarify our role
  – Advisement? Enforcement? Reporting?

• (Nearly) always said yes!

Vulnerability Assessment

• Moved away from “fire-and-forget” assessment

• Developed in-house web application vulnerability assessment

• Encouraged outsourced vulnerability assessments when appropriate

• Next steps
  – Automate “fire-and-forget” scans for clients
  – Develop tiered vulnerability assessment model

Refocus on Education and Awareness

• Created list of security contacts among system administrators
  – Peer mailing list
  – Monthly system administrator meeting
• Improved security awareness month
  – Created security roadshows for departmental staff
  – Made training resources available online
• Leveraged local contacts as local educators
• Next steps
  – “Selling” online training as risk mitigation
  – Working with policy group to mandate education

Looking Ahead

• Formalize risk management process
• Re-re-balance detect and react
• Work toward Enterprise Security Architecture
• Overhaul policy structure
• Continue to align with project management
• Formalize, document, increase transparency

Part IV: Wrapping up

Summary Points

• Much of .edu security strategy – or lack thereof – was formed in the world of network worms. The Shifting Landscape has challenged the assumptions of those strategies.

• There are ever-more external pressures and compliance issues influencing which threats we must address.

• IT Security professionals aren't ronin anymore; we're part of the organization, and management expects us to behave as such.

• We have to keep an eye on the distinct technological challenges posed by these changes, as well as technologies that are changing for their own reasons.

Summary Points

Meeting these challenges requires coherent strategic planning. 

You have to take a step back, take a deep breath, look forward, and form a plan. If you can't get your head out of the keyboard, you’ll sink or be replaced by someone who can.

Resources

• Internet2 SALSA-CSI2 working group: http://security.internet2.edu/csi2/
• REN-ISAC: http://www.ren-isac.net/
• EDUCAUSE/Internet2 Effective Practices: https://wiki.internet2.edu/confluence/display/secguide
• OWASP – web application security: http://www.owasp.org/index.php/Main_Page
• Learn more about Storm Worm: http://www.cyber-ta.org/pubs/StormWorm/links.html

References

• RBN study – before and after: http://isc.sans.org/presentations/RBN_Study.pdf
• Russian Business Network (RBN): http://rbnexploit.blogspot.com
• Wishing an (Un)Happy Birthday to Storm Worm: http://blog.washingtonpost.com/securityfix/2008/01/unhappy_birthday_to_the_storm.html
• Schneier on Security: The Storm Worm: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
• Storm worm strikes back at security pros: http://www.networkworld.com/news/2007/102407-storm-worm-security.html
• SANS Internet Storm Center: http://isc.sans.org/about.html
• History of Malware: http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280684
• Timeline of notable computer viruses and worms: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• Timeline of computer security hacker history: http://en.wikipedia.org/wiki/Timeline_of_hacker_history


Questions?