SIRT Contact Orientation

Provided by: TimRa7

Transcript and Presenter's Notes

1
SIRT Contact Orientation
  • Security Incident Response Team
  • Departmental Security Contacts
  • April 16, 2004

2
Why Are We Here?
  • Introductions
  • The SIRT and you
  • Compromise recovery procedure
  • Current security issues
  • Resources
  • Future events
  • Free refreshments

3
Introductions
  • Dr. Elizabeth Unger, VPAST
  • Security Incident Response Team
  • And their alternates
  • Representatives from all academic colleges and
    major administrative units
  • Departmental contacts
  • When this is all over, introduce yourself to your
    SIRT representatives

4
The SIRT And You
  • SIRT History
  • March 2003: IT Security SWAT team chaired by
    Roger Terry recommends formation of SIRT
  • Summer 2003: Interim SIRT formed
  • September 2003: Permanent SIRT formed
  • Representatives from all colleges and major
    administrative units
  • 0.3 time spent on SIRT activities

5
The SIRT And You
  • SIRT's charge (reactive/proactive/advisory)
  • Coordinated security incident response
  • Alerts to new vulnerabilities and attacks
  • Implement/coordinate preventative security
    measures
  • Security awareness and best practice training
  • Advise on secure design of apps, systems,
    networks
  • Host an annual security workshop

6
The SIRT And You
  • SIRT is:
  • Coordinate rapid incident response for campus
  • Advise on security best practices
  • Communication channel
  • SIRT is NOT:
  • A policy body (that's IRMC)
  • IT police
  • Additional technical support for your department

7
The SIRT And You
  • Role of Departmental Security Contact (and your
    local IT support people)
  • Respond to incidents in your unit
  • Repair compromised systems
  • Implement preventative measures
  • Alert your SIRT rep. about unusual activities
  • Enforce policies at the local level
  • Educate your users on security best practices
  • Pass along security information to your unit

8
The SIRT And You
  • The goal is for you, your users, the SIRT, and
    central IT services to work together to protect
    K-State's information and technology resources.

9
Compromise Recovery Procedure
  • A compromised host is detected
  • By IDS, network monitoring, or abuse report
  • The host is blocked
  • Usually by CNS with a router filter
  • Sometimes you'll pull the plug

10
Procedure, Cont.
  • The departmental contact is notified
  • That's you
  • Via email to SIRT-CONTACTS
  • So you need to watch this email list
  • See also Blocked Hosts web page
  • You notify the affected user

11
Procedure, Cont.
  • You arrange for the host to be cleaned up
  • Try to find out what caused the compromise
  • Recovery may mean reformat / reinstall
  • You contact your SIRT representative to have the
    host unblocked
  • Or their alternate, if they're unavailable
  • Your SIRT rep contacts CNS

12
Current Security Issues
  • Network-based worms
  • E-mail viruses and worms
  • Accounts without good passwords
  • Poor patch management
  • Insecure servers

13
Problem: Network-based Worms
  • Currently our biggest issue
  • Navpaw, Gaobot
  • No user interaction necessary
  • Exploiting security vulnerabilities
  • Exploiting Windows accounts without good passwords
  • Leaving behind back doors

14
Network-based Worms: Solutions
  • Patch, patch, patch
  • Symantec Antivirus with daily updates
  • Good passwords on Windows accounts
  • Network vulnerability scans

15
Problem: E-mail Viruses And Worms (Malware)
  • Zero-Day, fast propagation
  • Smarter social engineering
  • Leaving behind back doors
  • Cleanup is costly and painful

16
E-mail Viruses And Worms: Solutions
  • New version of Symantec is anomaly-based as well
    as signature-based
  • Symantec Antivirus with daily updates
  • Coming soon to central e-mail: real anti-virus
    filtering
  • Managed antivirus installations
  • Users are learning to be careful

17
Problem: Accounts Without Good Passwords
  • Network-based worms are exploiting Windows
    accounts with no or weak passwords
  • Hackers can do the same thing

18
Accounts Without Good Passwords: Solutions
  • All Windows accounts should be disabled or have a
    good password
  • Future versions of Windows should enforce this
  • Network scans (by the White Hats)

19
Problem: Poor Patch Management
  • Applications as well as OS
  • New Microsoft Update critical patches released
    this week
  • Did you know that?
  • Were they applied to your computers?

20
Poor Patch Management: Solutions
  • Windows Software Update Services
  • Automatic Updates
  • Phase out older OS versions

21
Problem: Insecure Servers
  • MS/SQL Blaster
  • IIS
  • Open SMTP relays
  • UNIX / Linux / Mac OS/X
  • A server on every desktop
  • Which are legitimate?

22
Insecure Servers: Solutions
  • Minimal OS install
  • Turn off unneeded servers
  • Windows 2003 gets this right
  • Regular port scans to detect new servers
  • Firewall the campus

23
Problem: Lack Of Security Awareness

24
Solution: You

25
Resources
  • SIRT / Security web site
  • Your SIRT representative
  • Your peers
  • Central IT
  • Training

26
SIRT Web Site
  • http://www.ksu.edu/InfoTech/security/SIRT
  • Blocked hosts
  • Departmental security contact list
  • SIRT representative and backup list
  • Work in progress

27
Training
  • CNS TSC Incident Remediation training in May
  • All-day training planned for Tuesday, June 29 in
    Union Little Theatre
  • You really really should attend. Refreshments!
  • Microsoft security training planned for June
  • More in the future, probably semi-annually

28
The Future
  • Regular network scans of connected devices
  • Identify new hosts
  • Identify new services (open ports)
  • Vulnerability scans
  • Server registration
  • IDS, ADS
  • Firewalls

29
Questions?

30
Thanks For Coming!
  • Remember to introduce yourself to your SIRT
    representative