Ira Winkler Talks Campus Network Security
by: David Geer

Securing College Web Portals
\"First, the Web portals have to treat both the internal and
external systems as hostile,\" says Ira Winkler, chief security
strategist, Hewlett-Packard. Along with isolating the network,
this is Mr. Winkler\'s top recommendation with reference to Web
portals. As far as being audit-ready, even systems within
systems should be hardened against intrusion. This includes
insuring that all of the available security patches for all of
the software have been downloaded and installed, that all
permissions are set to minimal, and that you can verify and
assess how completely these things have been done.
In addition to hardening all the operating systems, you need to
harden all application software, the Web server being the prime
example. "Frequently, it's not the operating system that is
compromised when somebody hacks it, it's the application, the
Web server like Microsoft's Internet Information Server (IIS).
Macromedia's ColdFusion was a really bad one for that," says
Winkler. You need to harden any custom software as well. All
software, even your homemade pride and joy, has some bugs in it.
Test these applications and secure them.
\"Hardening includes making sure that you don\'t have Perl [(an
open source script programming language)] as an executable or
other executable programs in the wrong directories and things
like that,\" says Winkler. The next step is to assess the
readiness of supporting hardware and software like firewalls,
routers and database servers. A security hole in a router, for
example, invites router intrusion, which leads to compromising
the functions of the Web server.
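As an added illustration of the hardening checks described above (this is not code from the article or from Winkler), the following Python script audits a Web server's document tree for interpreter binaries, executables outside an expected CGI directory, and files writable by group or world, so that "how completely these things have been done" can be verified rather than assumed. The interpreter names, the allowed directory `cgi-bin`, and the constructed directory layout in `demo()` are assumptions.

```python
"""Web-root hardening audit (added example, not from the article).
Flags interpreter binaries, executables outside the allowed CGI directory,
and group- or world-writable files under a web server's document tree."""
import os
import stat
import tempfile

# Interpreter names that should never be served from the web tree (assumed list).
INTERPRETERS = {"perl", "php", "python", "sh", "bash", "cmd.exe"}
# Top-level directories where executables are expected (assumption).
ALLOWED_EXEC_DIRS = {"cgi-bin"}


def audit_entries(entries, allowed_exec_dirs=ALLOWED_EXEC_DIRS):
    """entries: iterable of (relative_path, st_mode) pairs for regular files.
    Returns a sorted list of (relative_path, finding) tuples."""
    findings = []
    for rel, mode in entries:
        top = rel.split("/", 1)[0] if "/" in rel else ""
        name = os.path.basename(rel)
        if name.lower() in INTERPRETERS:
            findings.append((rel, "interpreter binary in web tree"))
        elif mode & 0o111 and top not in allowed_exec_dirs:
            findings.append((rel, "executable outside allowed directories"))
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif mode & stat.S_IWGRP:
            findings.append((rel, "group-writable"))
    return sorted(findings)


def collect_entries(root):
    """Walk a real document root and yield (relative_path, st_mode) pairs."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, os.lstat(full).st_mode


def demo():
    """Build a constructed document root in a temp dir and audit it."""
    layout = {"index.html": 0o644, "cgi-bin/form.cgi": 0o755,
              "uploads/perl": 0o755, "uploads/notes.txt": 0o666,
              "images/logo.png": 0o644, "images/run.sh": 0o755}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w"):
                pass
            os.chmod(path, mode)
        return audit_entries(collect_entries(root))
```

`demo()` reports the three planted problems (the stray `perl` binary, the world-writable upload, the shell script outside `cgi-bin`); pointing `collect_entries()` at a real document root audits that tree instead.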
Having hardened everything and assured yourself that everything
is secure, you audit by performing the same network scans that a
hacker would perform. Commercial tools are preferred because
these tend to be a little bit more comprehensive and give you
better reporting capability, says Winkler. You should scan your
systems regularly. New vulnerabilities can be discovered at any
time and even human error can lead to an accidental system
reconfiguration, leaving a hole behind.
Rely on Industry?
How can campuses and industry work together to minimize students
becoming victims or perpetrators of hacking (stealing bandwidth
on campus networks, for example)?
\"A University has to have their own security program. No
organization, academic or otherwise, should rely upon external
parties for their own security. What you are basically doing is
giving up control, which you should never do. Sometimes, for
example, if the University\'s ISP is weak, that\'s an issue, but
there are still things [the University] can do even if the ISP
has its problems. As far as working together with industry,
frankly, good security is really good systems administration.
What you have to do is make sure that your systems are
administered properly and that you have the appropriate access
controls and intrusion detection, and that has the effect of
making sure that you don\'t individually contribute to people
hacking and violating the policies and procedures,\" says Winkler.
Here\'s Ira\'s solution - minus leveraging industry.
You need a solid, fundamental security program. You need good
access controls. You need internal and external intrusion
detection systems to see if anyone is behaving "maliciously" or
even just "unusually". "Check for policies and services provided
by the network," says Winkler. Know how people are using your
systems. Make sure no one is setting up your systems as "Warez"
sites. "If you see large scale downloading bandwidth, if you see
services that shouldn't be running [you've detected a problem]."
Policy administration tools like Polivec's Polivec 3 and
Securify's SecurVantage line of products, and similar types of
products, are now available and some of these might be worth
looking into.
Is Legislation a Solution?
Very definitely. "The Internet has had two decades to try and
get a grasp on the system. And even though there are some good
efforts being made, the good efforts are piecemeal and industry
specific in many cases," says Winkler. When industry does set up
standards or make recommendations, adherence is often voluntary,
making enforcement poor or nonexistent and QoS relatively
unmeasurable.
The Internet is a conglomerate of large networks spread
everywhere. "Even if you have a whole industry like academia
theoretically securing themselves, which would be impossible -
telling every college all over the country that they are
voluntarily going to secure themselves - if one other company
[or campus] doesn't keep themselves secure, that's going to
compromise the security of everyone," says Winkler. If one
participant on the Internet doesn't secure against password
sniffing for example, then campus constituents logging into the
University from within or without are going to have accounts
compromised [See Figures 1-3]. This affects people connecting to
the Internet from the University, to the University remotely,
everyone. "The only way to [enforce security] is by mandatory
regulation ... by the insurance industry or by government," says
Winkler.
[Figures 1-3: Compromise of the World Bank Entered Through
Universities Using Password Sniffers]
[Figure 1: Courtesy of Ira Winkler, chief security strategist,
Hewlett-Packard]
[Figure 2: The path of the World Bank hack through Universities
using password sniffers and other tools. Courtesy of Ira
Winkler, chief security strategist, Hewlett-Packard]
[Figure 3: Results of the World Bank hack. Courtesy of Ira
Winkler, chief security strategist, Hewlett-Packard]
Enforcement
A good model of enforcement is the insurance industry response
to the Y2K bug. "Everybody was talking about Y2K but nobody was
doing a thing about it until insurance companies started saying
you are not going to get directors' and officers' insurance
unless you have an appropriate Y2K program in place. Then the
government passed laws that said that federal agencies have to
have an acceptable Y2K program in place as well. Then you saw
people taking action," says Winkler. Later, people claimed that
the money spent to fix the Y2K bug was just poured down the
drain because there were no major disasters related to the bug
come the turn of the century. However, it's because the money
was spent and the bug was patched that there were no problems.
Another good model is the auto industry. Mr. Winkler's life was
saved by a seatbelt, which would probably not have been
available had seatbelt laws not been passed. Despite the
automobile industry's opposition to seatbelts and airbags, the
insurance industry lobbied Congress until airbags and seatbelts
were required. "Without regulation, we're not going to see any
significant improvement," says Winkler.
The Big Picture - the Best Answer
In the larger view the best solution is to ensure that
administration staff are effectively resourced and trained.
There need to be enough people on staff, and there needs to be a
reasonable amount of money set aside for tools, access controls
and anything else that is needed. You need to know and follow
vendor recommendations for how many systems per administrator
are permissible. "Frequently organizations don't have a clue as
to what that number is. What that means is that administrators
tend to be fighting fires instead of proactively securing their
systems. If they'd be proactively securing their systems they
wouldn't have to worry about fighting the fires," says Winkler.
Social Engineering
Colleges and Universities face about the same threat of social
engineering as any group or organization. Social engineering is
the manipulation of social interaction to gain access to
information. "Usually when you do social engineering it might be
to try to get access to a company or something but University
systems tend to be so widely open a hacker frequently doesn't
have to resort to social engineering to get passwords or logins
on University systems. Frankly just password guessing works in
many cases," says Winkler.
In Conclusion
Part of maintaining security in an environment where you keep
full control and take complete responsibility is being willing
to say that if you can't secure it, you can't use it. If you go
the route of trying to leverage a company like Microsoft into
adequately securing their products, you could be insecure
forever waiting for them to really do something about it. If,
however, you take the approach of total responsibility, tossing
out what you can't adequately secure, you can then take a look
at the vast array of open source solutions like Linux and decide
that you have choices that allow you to take that
responsibility, secure your systems fully and satisfy your
constituents too.
Ira\'s Nickel
If network administrators and staff members are well trained and
sufficient in number, it will greatly reduce security holes. What
if staff is short or resources are tight? "It's a great
experience for college students and everybody else to figure out
how to protect systems. It's infinitely harder to protect
systems than it is to figure out how to hack them. If you're in
a University and you want to train people in computer science in
useful skills, training people in how to secure systems
proactively is going to be the most useful skill they could ever
learn. That would help the University. Make sure they have
people that are properly trained and maybe even give some of
their computer science students extra credit - not for breaking
into systems but for helping to secure and harden the systems,"
says Winkler.
Sidebar One
Who Hacks Higher Ed and Why?
A lot of hackers break into University systems to use them as
"jumping points" to much larger hacks. "The number of University
students that actually hack in the grand scheme of things is
luckily a limited set of people. However, University systems
tend to be so open that hackers use them as a regular jumping
point to other places. For example, many of the computers that
were involved in the distributed denial of service attacks that
Mafiaboy committed [about early 2000], those occurred through a
significant number of University hacks. Hacks into DOD systems
went through University systems as well. In the case of an
Argentinean hacker that was reported back in 1999, he stole
hundreds of thousands of passwords and used many Universities as
jumping places to hack the U.S. military systems," says Ira
Winkler, chief security strategist, Hewlett-Packard.
Hackers also collect "trophies", hacking a University computer
just to deface a campus Website and then hack on through to
another internal system. Some hackers use more advanced hacks
involving many systems in order to gain and maintain access,
kind of like a sleeper agent, one day waking up to use the hole
they've discovered and reserved for themselves to do more harm.
"Once they compromise a system, they'll make a note and then use
that system [later] to go ahead and compromise [other systems]
so that they make some efforts to cover their tracks for
distributed denial of service attacks," says Winkler. "This is
where our University computers are prime targets."
Sidebar Two
How Things Are Getting Better
Additional security measures for campus networks are becoming
available. For example, with the 802.11g wireless standard
ratified as of June, 2003, WPA security is coming to replace WEP
and beef up wireless security. Security technologies like
thumbprint verification and authentication may eventually be
practical for IT devices in University settings.
Applications that are considered to be threats themselves, like
Instant Messaging programs, are being beefed up and offered as
more secure, enterprise level messaging clients, with their own
secure servers. "IBM/Lotus has an IM server called SameTime that
addresses the security issue. It's worth injecting that
Microsoft will release on October 21, the 'Microsoft Office Live
Communications Server 2003' product. This IM server not only
deals with the security issues, but offers tight integration
with Microsoft Office, Exchange and specifically the Outlook
e-mail client," says Todd Clark, president, DenaliTEK, security
consultants.
Universities are becoming more aware. Through organizations like
ACUTA and articles like these, IT managers and experts have the
opportunity to form alliances, ask questions and pool resources.