"In the Beginning, ARPA created the ARPANET. And the ARPANET was without form and void. And darkness...


Transcript of "In the Beginning, ARPA created the ARPANET. And the ARPANET was without form and void. And darkness...


"In the Beginning, ARPA created the ARPANET. And the ARPANET was without form and void. And darkness was upon the deep. And the spirit of ARPA moved upon the face of the network and ARPA said, 'Let there be a protocol,' and there was a protocol. And ARPA saw that it was good. And ARPA said, 'Let there be more protocols,' and it was so. And ARPA saw that it was good. And ARPA said, 'Let there be more networks,' and it was so." -- Danny Cohen

Source: “Computer History Museum” http://www.computerhistory.org/internet_history/


The Shifting Landscape of IT Security

EDUCAUSE Security Professionals Conference 2008

Brian Smith-Sweeney Project Lead, New York University

Copyright Brian Smith-Sweeney 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to

republish requires written permission from the author.


NYU Info

• 14 Schools and Colleges
• 65,000+ users, 50,000 active accounts
  – 50,000 enrolled
  – 16,000 staff
  – 11,000 residential
• ~50,000 nodes on NYU-NET
• 1.4 Gb/sec+ connectivity
  – 1.2 Gb/sec commodity
  – 200 Mb/sec Internet2
  – Multi-Gb/sec specialized/R&E connectivity


Part I: Ancient IT Security History (Internet Time)


Contemporary Internet Security History

The 80s
• Malware largely written for fun and mischief
• IT security was “don’t share floppies”
• “Security” personnel mostly physical security

The 90s
• Malware complexity improved dramatically
• IT security added “be careful of attachments”
• IT security professionals arrive in EDU

© 1983 Metro-Goldwyn-Mayer Studios Inc.

© 1992 Universal Studios


2001: “Year of the Worm”

• Self-propagating malware develops
• CodeRed, Nimda, Li0n, Ramen
• Some network professionals became network security professionals
• SANS Internet Storm Center formed
• Early IT security strategy in .edu

TM & © 2001 Warner Bros.


SQL Slammer worm network traffic visualization

[Figure: two panels comparing normal network traffic with worm network traffic; axes labelled "Drops" and "Accepts"]

Source: “The effect of worms on the Internet”, http://www.e-things.org/worms


Security Lifecycle



.edu IT Security: 2001-?

• Mostly operational. Sometimes tactical. Rarely strategic.
• Detection became easy. Reaction was harder.
• Assessment and protection? Still operational and reactive!
  – Nessus and Netreg
  – Top-X lockdown lists
  – Education and awareness


Part II: Defining the Shifting Landscape


The Shifting Landscape: The good guys

• OS/app vendors have found security!

• Firewalls on by default

• Passwords enabled by default

• Automatic patching


The Shifting Landscape: The bad guys

• It’s all about the money

• Attacker community is evolving and specializing
  – Malware authors have become bot herders
  – Site defacers have become phishing hosts

• Attackers are becoming more organized


How Organized? The RBN

• Involved in hacking, phishing, DoSing, child pornography, botnets

• Hosting for all of the above (Only $600 US!)

• Rumored political ties

• Possibly connected to the Storm Worm


Shifting Landscape Fallout

• The death of the Internet worm

• The rise of the client-side attack

• The rise of the application-layer attack

• The rebirth of the Internet worm

• The failure of classic IT security strategies


NYU Safetynet

• Agentless NAC for NYU ResNet

• Relied on network security posture assessment

• Complex technical architecture

• Initial ResNet vulnerability rate: 30%

• By 2006, only 1.9% of registered systems were marked vulnerable.


Anti-malware: Losing the battle

[Figure: antivirus detection performance graph; only the axis label "50%" survives]

Source: “Antivirus Systems’ Performance Graphs”, http://winnow.oitc.com/AntiVirusPerformance.html


Storm Worm: the future of malware?

• Constantly-improving distribution method

• Peer2peer communication protocol

• Encrypted communications

• Distribution of duties

• Rapid updates

• Active defense mechanisms


Part III: Responding to The Shift


Security Lifecycle Redux



But Wait, There’s More!

• Technical Issues
  – IPv6
  – Encryption everywhere
• New Compliance Requirements
  – HIPAA
  – FERPA
  – PCI
  – Breach Notification
• Changing Management Expectations
  – Increased scrutiny
  – Decreasing budgets


Asset Classification

1. Classify data types
   – Compliance requirements
   – Business requirements
2. Classify systems
   – Data classification
   – Availability requirements
3. Use classifications to drive
   – Security standards
   – Technical security architecture
   – Auditing and vulnerability assessment
   – Incident response


Consulting Services

• Aligned with project management group

• Reached out to the folks that manage projects through the University

• Worked to clarify our role
  – Advisement? Enforcement? Reporting?

• (Nearly) always said yes!


Vulnerability Assessment

• Moved away from “fire-and-forget” assessment

• Developed in-house web application vulnerability assessment

• Encouraged outsourced vulnerability assessments when appropriate

• Next steps
  – Automate “fire-and-forget” scans for clients
  – Develop tiered vulnerability assessment model


Refocus on Education and Awareness

• Created list of security contacts among system administrators
  – Peer mailing list
  – Monthly system administrator meeting
• Improved security awareness month
  – Created security roadshows for departmental staff
  – Made training resources available online
• Leveraged local contacts as local educators
• Next steps
  – “Selling” online training as risk mitigation
  – Working with policy group to mandate education


Looking Ahead

• Formalize risk management process
• Re-re-balance detect and react
• Work toward Enterprise Security Architecture
• Overhaul policy structure
• Continue to align with project management
• Formalize, document, increase transparency


Part IV: Wrapping up


Summary Points

• Much of .edu security strategy – or lack thereof – was formed in the world of network worms. The Shifting Landscape has challenged the assumptions of those strategies.

• There are ever-more external pressures and compliance issues influencing which threats we must address.

• IT Security professionals aren't ronin anymore; we're part of the organization, and management expects us to behave as such. 

• We have to keep an eye on the distinct technological challenges posed by these changes, as well as technologies that are changing for their own reasons.


Summary Points

Meeting these challenges requires coherent strategic planning.

You have to take a step back, take a deep breath, look forward, and form a plan. If you can't get your head out of the keyboard you’ll sink or be replaced by someone that can.


Resources

• Internet2 SALSA-CSI2 working group: http://security.internet2.edu/csi2/
• REN-ISAC: http://www.ren-isac.net/
• EDUCAUSE/Internet2 Effective Practices: https://wiki.internet2.edu/confluence/display/secguide
• OWASP – web application security: http://www.owasp.org/index.php/Main_Page
• Learn more about Storm Worm: http://www.cyber-ta.org/pubs/StormWorm/links.html


References

• RBN study – before and after: http://isc.sans.org/presentations/RBN_Study.pdf
• Russian Business Network (RBN): http://rbnexploit.blogspot.com
• Wishing an (Un)Happy Birthday to Storm Worm: http://blog.washingtonpost.com/securityfix/2008/01/unhappy_birthday_to_the_storm.html
• Schneier on Security: The Storm Worm: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html
• Storm worm strikes back at security pros: http://www.networkworld.com/news/2007/102407-storm-worm-security.html
• SANS Internet Storm Center: http://isc.sans.org/about.html
• History of Malware: http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280684
• Timeline of notable computer viruses and worms: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
• Timeline of computer security hacker history: http://en.wikipedia.org/wiki/Timeline_of_hacker_history


Questions?