“permit ip any any” – The Challenge of Information Security on a University Campus Harvard Townsend Chief Information Security Officer Kansas State University [email protected] October 27, 2011


“permit ip any any” – The Challenge of Information Security on a University Campus

Harvard Townsend, Chief Information Security Officer
Kansas State University
[email protected]

October 27, 2011

It requires thick skin…

“Don’t let anybody tell ya it’s easy!”

Agenda

• The environment
• The challenges
– Unique to higher education
– Common to all large organizations
• Never a dull moment
• The strategy
• Q&A

Kansas State University

• 23,863 students from all 50 states, 90 countries
• 5,350 students living in on-campus housing
• 6,218 faculty, staff, administrators
• ~5,000 new faces every year… and 5,000 departures
• Public, land grant institution
• Three campuses – Manhattan, Salina, and now Olathe; plus a recruiting office in China
• 2 Gbps pipe to Internet/Internet2 (250,000 flows/min, 360 million flows/day); moving to 10 Gbps core network
• ~35,000 devices on the network on a typical weekday, many with static, public, routable IP addresses
• 47 credit card Merchant IDs
• Numerous affiliated 501c3 corporations (Athletics, Foundation, Alumni Association, Student Union, Student Publications,…)
• Veterinary Medicine (hooray for no medical center/hospital!)
• BRI, NBAF

The Challenges – Unique?

• Dr. Simon Ou’s and Dr. Eugene Vasserman’s cybersecurity students are on our network!
• Turnover of 5,000-6,000 users every year (20%)
• Providing services to prospective students, alumni, parents
• Student-owned personal systems in residence halls, campus apartments, and wireless
• Highly distributed administration, budget, technology
• Shared governance – little tolerance for top-down edicts
• Culture of autonomy, open expression of opinions
• Tenure
• Protecting freedom of speech, academic freedom (“I’m studying for my human sexuality class.”)

The Challenges – Unique?

• “Incidental personal use” allowed by policy
• Up until four years ago, the student ID number was their SSN
• State library and federal document repository (public access mandated)
• Plethora of affiliated organizations
• No central control of technology purchases or what gets plugged into the network
• Plethora of mobile devices with expectation that we support all of them

The Challenges – Common

• Multiple campuses, including an office in China
• Accommodating campus visitors
• International collaborations
• Providing secure, reliable services to “customers” (i.e., students) throughout the world
• Outsourcing to the cloud
• Limited resources (IT services in general, IT security specifically)
• Plethora of laws and regulations
– FERPA, HEOA (DMCA)
– PCI DSS, HIPAA, CALEA, GLBA, …

DMCA – P2P File Sharing

• Higher Education Opportunity Act of 2008 mandates use of “one or more technology-based deterrents” to combat copyright infringement (recording industry lobbyists were quite busy that year)
• We block P2P file sharing protocols – one of the few things we block
• Surprisingly little push-back from students
• 83 DMCA violation notices in 2010, 29 in 2009
• Interesting DMCA notices from porn industry lately offering settlement for $200 to avoid legal action – sleazy tactic

Never a dull moment

• I’m starting to get a phobia about announcing any kind of change!
• For example, due to state of Kansas policy, security best practice, and plain ol’ common sense, we now require annual IT security training for all employees.
• Some responses were downright venomous
• One said it was the worst piece of junk they’d seen in their 21 years at K-State; another said it was the best training they’d ever seen in their 20 years at K-State.

Change is Evil

• Summer 2011, implemented WPA2-Enterprise wireless network, phasing out WEP-based wireless (turned off Oct. 25)
– Collegian reporter: “Why are you changing the Internet?”
– Email from a faculty member: “I have AT&T Internet service at home. Should I change to ‘KSU Wireless?’ If so, how much does it cost and how do I install it?”
– Email from a graduate student, another from a campus system administrator:

Privacy

• What do you think is the expectation of privacy for a faculty, staff, or student at K-State?
• Privacy is an interesting animal in higher education – a hybrid species
• “We respect your privacy, but you have none.”
• We’re not watchdogs; only snoop when specific conditions are met, several of which require permission of the CIO in consultation with General Counsel; annually report these accesses to Faculty Senate

How Dare You!

• I’m a glutton for punishment – now I plan to block remote access protocols at the border, like SSH and RDP
• Due to:
– Multiple compromises, some via successful brute force cracking of accounts with weak passwords
– Massive DDoS that buried a core router
– Morto worm infections
– Many instances of SSH and RDP scans, incoming and outgoing
– Security best practice, common sense, etc.
• Will have to use a VPN before remotely logging in.
• No brainer… right? Not in higher ed…
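One way to model the proposed border rule before announcing it, as an added example that is not from the deck or from K-State: it encodes “deny inbound SSH/RDP unless the destination is an approved departmental remote-access server, otherwise permit ip any any” and runs that over flow records to separate scanning sources from the handful of real users who will need the VPN. The campus prefix, the exception server and every flow record are constructed.

```python
"""Model the proposed border rule: deny inbound SSH/RDP to campus unless the
destination is an approved departmental remote-access server, otherwise fall
through to "permit ip any any".  Constructed addresses and flows throughout."""
import ipaddress
from collections import Counter, defaultdict

CAMPUS = ipaddress.ip_network("10.20.0.0/16")   # stands in for campus public space
BLOCKED_PORTS = {22: "ssh", 3389: "rdp"}
# Departmental remote-access servers granted an exception (constructed).
EXCEPTIONS = {ipaddress.ip_address("10.20.5.10")}

def border_decision(src, dst, proto, dport):
    """'deny' for inbound TCP to a blocked port on a non-exempt campus host,
    otherwise 'permit' (the trailing permit ip any any).  Outbound SSH/RDP is
    not touched by this rule, so it is permitted here too."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = s not in CAMPUS and d in CAMPUS
    if inbound and proto == "tcp" and dport in BLOCKED_PORTS and d not in EXCEPTIONS:
        return "deny"
    return "permit"

def impact_report(flows, scan_threshold=5):
    """Group denied flows by source: sources hitting >= scan_threshold distinct
    campus hosts are treated as scanners, the rest as users who need the VPN."""
    denied = Counter()
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if border_decision(src, dst, proto, dport) == "deny":
            denied[src] += 1
            targets[src].add(dst)
    scanners = {s for s, t in targets.items() if len(t) >= scan_threshold}
    return {"scanners": scanners,
            "users": set(targets) - scanners,
            "denied_flows": sum(denied.values())}

# Constructed border flows: (src, dst, proto, dport).
SAMPLE_FLOWS = (
    [("198.51.100.7", f"10.20.1.{i}", "tcp", 22) for i in range(1, 9)]  # SSH sweep
    + [("203.0.113.4", "10.20.3.3", "tcp", 3389)] * 2                   # one RDP user
    + [("203.0.113.9", "10.20.5.10", "tcp", 22),     # exempt departmental server
       ("203.0.113.4", "10.20.7.7", "tcp", 443),     # web traffic, untouched
       ("10.20.9.9", "198.51.100.7", "tcp", 22)]     # outbound, untouched
)

if __name__ == "__main__":
    print(impact_report(SAMPLE_FLOWS))
```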

Incidents @ K-State

3 per day in 2010 – not a good trend!!

K-State IT Security Incidents in 2010

• Categories
– 408 Spear phishing
– 355 Spam source
– 344 Unauthorized access
– 103 Malicious code activity
– 93 Policy violation
– 83 DMCA violation
– 23 Criminal activity/investigation
– 10 Web/BBS defacement
– 8 Reconnaissance activity
– 3 Confidential data exposure
– 1 Rogue server/service
– 0 Un-patched vulnerability
– 0 Denial of Service
– 82 No incident

Mostly due to spearphishing scams (74%)

A better trend! (0.6 -> 0.9 -> 0.6 -> 0.7 per day)

First phishing scam detected at K-State on January 31, 2008
1,067 compromised eIDs since then (2011 not included) and 920 different phishing scams… that we know of

A good trend! User awareness efforts and additional security measures are working

Demographics of Phishing Scam Replies in 2010

• 390 Students (87% of total eIDs that replied to scams)
– 95 Newly admitted, have not attended yet
– 89 Freshmen
– 55 Sophomore
– 35 Junior
– 54 Senior
– 43 Graduate (31 Master’s, 12 PhD)
– 6 Vet Med
– 10 Alumni
– 9 non-degree
• 26 Staff (24 current, 2 retired)
• 16 Faculty (6 current, 3 adjunct, 2 Instructor, 5 emeritus/retired)
• 1 Post-Doc
• 0 Senior administrators
• 231 employees (i.e., lots of student employees duped)
• 13 Repeat offenders (retired faculty wins the prize for replying 5 times; barely beat retired music faculty @ 4 replies)

They should know better!

Demographics of Phishing Scam Replies in 2010

• Gender
– Female: 264 (58%)
– Male: 192 (42%)
– (60/40 in 2009)

More Phun Phishing Phacts

• In 2009, 79 of the 296 (27%) phishing scams were “successful” (i.e., got replies with passwords) – no wonder the hackers don’t stop given this success rate!!
• Significant shift in the form of phishing since September 2010
– Before, was 60-70% “reply to this email with your password”
– Since September 2010, 60+% are “click on this link and fill out the form”

Typical phishing form

• Usually hosted on compromised server
• Use of PHP Form Generator very common

Typical phishing form

Sometimes we can get administrative access to the form and delete or modify it, even view the list of people who filled it out in order to identify who from K-State was duped by the phishing scam.

Most Effective Spear Phishing Scam

Spear phishing scam received by K-Staters in January 2010
If you clicked on the link…

The malicious link in the scam email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which stole the user’s eID and password if they entered them and clicked “Sign in”. Clicking on “Sign in” then took the user to K-State’s home page.

Note the URL – “flushandfloose.nl”, which is obviously not k-state.edu

Real SSO web page / Fake SSO web page

Real SSO web page – note “https”
Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl)

Real SSO web page – use the eID verification badge to validate
Fake SSO web page

Result of clicking on eID verification badge on the fake SSO web site, or any site that is not authorized to use the eID and password

Result of clicking on eID verification badge on a legitimate K-State web site that is authorized to use the eID and password for authentication
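The two tells the slides point out (http instead of https, and a host that is not under k-state.edu) turned into a link check a help desk or mail filter could run, as an added example that is not from the deck: the trusted suffix comes from the slides, while the sample SSO hostname `sso.k-state.edu` and all the sample links are constructed. It also catches two look-alike tricks the slides do not show: the real domain stuck on the front of a foreign one, and the real domain placed before an `@`.

```python
"""Vet a login link against the two tells on the slides: the scheme must be
https and the host must be the real SSO domain, not a look-alike.  The
trusted suffix is from the slides; the SSO hostnames used are assumed."""
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("k-state.edu",)

def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """Accept the domain itself or a proper subdomain only, so
    'k-state.edu.flushandfloose.nl' (suffix stuck on the front) fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def check_sso_link(url):
    """Return (ok, reasons); ok is False if any phishing tell is present."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"not https (scheme is {parts.scheme or 'missing'})")
    host = parts.hostname or ""
    if not host:
        reasons.append("no hostname in URL")
    elif not host_is_trusted(host):
        reasons.append(f"host {host!r} is not under {', '.join(TRUSTED_SUFFIXES)}")
    if parts.username is not None:
        # 'https://sso.k-state.edu@flushandfloose.nl/' shows a real-looking
        # name before '@', but the browser connects to what follows it.
        reasons.append("URL carries userinfo before '@'")
    return (not reasons, reasons)

# Constructed links: the first mimics a legitimate SSO URL (hostname assumed),
# the others reproduce the tells from the slides.
SAMPLE_LINKS = [
    "https://sso.k-state.edu/login",
    "http://www.flushandfloose.nl/k-state/login.php",
    "https://k-state.edu.flushandfloose.nl/login",
    "https://sso.k-state.edu@flushandfloose.nl/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_sso_link(link)
        print("OK " if ok else "BAD", link, "; ".join(why))
```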

Strategy

“permit ip any any”

Strategy

• Operate within the culture of the institution
– Respect and embrace the culture; if you fight it, you’ll only make enemies who will ignore your policies and undermine everything you do
• Independent, opinionated “customers”
• Highly distributed power/budget/control/technology (accept the fact that we cannot centralize or control everything)
– Mixed model of centralized vs. distributed resources/control (we’re IT Services, not “Infotech Take-over Services”)
– Remember our primary purpose – to SUPPORT faculty, staff, students, and administration
• To enable their work, not hinder it
• Security is not the sole consideration, or always the most important; strongly consider impact on user experience

Culture continued

– Be willing to compromise

• RDP/SSH block good example – don’t block every remote access protocol, just ones that pose greatest risk; allow exceptions for departmental remote access servers

– Give them input into the process; prove you listen by adjusting policies, procedures, and project timelines based on their feedback

– Take the time to respond professionally to the flaming emails (coffee shops are great cybersecurity tools)

– Communicate in as many ways as you can, with clear explanation of the reasons for the change

Security Organization at K-State

• Information Security & Compliance department in central IT Services (that’s me and my team – six of us total)

• CIO plays key role in communicating, esp. up the ladder

• SIRT – Security Incident Response Team and advisory council
– Play a critical role in gaining buy-in from the campus
– Reps from every academic college and major administrative unit
• Departmental security contacts – at least one in every department

Communicate! Communicate! Communicate!

Battling the John Mallery “Stupid People” Problem, or thinning the Bozone

• User awareness and training
– Only so much technology can do, especially in our open, distributed environment
– Regular “IT Tuesday” articles were pretty well read
– Annual IT day-long security workshop with more technical and less technical tracks
– Started mandatory annual security training last year
• Focused on phishing scams and password mgmt
• Had some positive effect in spite of venomous push-back
– And something new this year…

National Cyber Security Awareness Month

Strategy

• Usual set of security technologies (Snort IDS, Nessus vuln scanner, QRadar log mgr, Procera PacketLogic traffic shaper, IronPort email security appliance, EnCase+FRED for forensics, netflow analysis tools, Cisco ASA firewalls, Cisco AnyConnect SSL VPN, Impulse NAC, Trend Micro AV, PGP WDE)
• Network segmentation
• Strong security policy base, including data classification
• Jericho Forum firewall strategy apropos for higher ed (www.jerichoforum.org)
– “De-perimeterisation”
– Move the security controls closer to the things you’re trying to protect (i.e., the data… which resides who-knows-where)

Q&R – Question & Response (i.e., I don’t have all the answers!)

What’s on your mind?
