The EDUCAUSE Security Professionals Experience

Brian Moeller, CISSP
The Ohio State University
Pre-Conference

Exercise in Ethical Hacking

The Keynote
Dan Larkin, FBI
http://www.ic3.gov

The Botherd is coming!

Overview of how a Help Desk Operation
dealt with an infestation of Bots.
Complete title:
The Botherd is Coming! How Education and
Technology Can Stop The Stampede

Defining the Security Domain

Nothing good to say about this one

PKI at UW-Madison
Vendor/Institution Team Effort
Presentation covered decisions, costs, timeframes
Vendor handled himself with class

Detection and Investigation of
Compromised Hosts on Campus

An affirmation…
Information Sharing the MOREnet Way

MOREnet is similar to OARnet (but smaller)

Information sharing the MOREnet way: How not to keep secrets
Randy Raw
Beth Young
MOREnet Security
1.800.509.6673
security@more.net

Objectives:
Introductions
What is MOREnet
Communication options
Conferences
Expanding the security community

Introductions
Randy Raw
– CISSP - August 2005
– 1.5 years with MOREnet
– Former Director of Technology Services at Linn State Technical College
– Former Technology Coordinator for the Osage County R-II schools
Beth Young
– CISSP - July 2003
– 5 years with MOREnet
– Former Network Analyst - University of Missouri Columbia
What is MOREnet
The Missouri Research and Education Network
(MOREnet) provides Internet connectivity, access
to Internet2, technical support, videoconferencing
services and training to Missouri's K-12 schools,
colleges and universities, public libraries, health
care, state government and other affiliated
organizations.

What does the Security office do?
Assist with incident response
Liaison with law enforcement
Gather information for dissemination
Knowledge transfer

The “Old Days”
We were the bad guys. Nobody talked to us because they were afraid we would use it against them.
We were a “ticket numbers” group.
Policy issues kept us from being proactive and helpful.

What have we done to change?
Change how we do what we do
Communicate regularly to our members, not just when they have a problem
Provide opportunities for members to learn and help them secure their networks, not just be their Internet police
Establish goals to reduce ticket counts, especially nuisance tickets
Create and communicate Security roadmap

The “kinder and gentler” security – changing what we do
Good Net Neighbor configuration
– Phase I – Microsoft NetBIOS port
– Phase II – Outbound Port 25 spam block
Self-scanning tool to self-evaluate hosts
Blackhole DNS Server
MOREnet network status indicator
Town hall meetings to discover their needs and issues

Using our lists for proactive communication
Security-l, MERC-security and State-security lists
– One-way push for critical announcements
» Bot network C&C
» Virus alerts
» Vulnerability announcements
– Two-way discussions for any topic members choose
– Communication of important training opportunities

Monthly Web Seminars – communicate
Phishing Schemes
Bot networks
Spyware/malware
Nmap
Ethereal
Securing HP printers
SecCheck and Active Ports
Subpoena handling

Annual Security Symposium – education
Mostly member presentations
Advanced Technical topics
K-12, Higher Education, Library and State Government attendees and presenters
Attorney General’s Office keynote on dealing with law enforcement

Advanced Security Training – education
Contracted with SANS and providing SANS Forensics course at steep discount for MOREnet members
CISSP training for members using video conferencing technology

Conferences – education/communication
Security policy generation
Security Awareness emphasis
Hands-on training sessions
Hacking competitions
Ethical hacking training

Other methods of communications and sharing of information
Daily Security Newslinks on website
Security offerings accessible through MyMOREnet login
– RADAR (MRTG) statistics
– NetFlow statistics
– Ticket submission
– Research requests

Fee-based Services
E-mail Virus and Spam Filtering (EVSF)
 Remote Vulnerability Assessment

Expanding to the security community
Security community meetings
Security community e-mail list for announcements and discussion
Infragard involvement
State Information Technology Advisory Board (ITAB) involvement

On-going activities
Participate in annual Security Awareness Month
Annual advanced topic for training
Nationally known Security Symposium keynote speaker
Expand the security community reach beyond Columbia

Is there anything left to do?
Blogging
Darknet
DShield log analysis server
On-site Remote Vulnerability Assessment
In-depth firewall assessment
SMTP self-testing tool
Managed firewall
Managed security appliance

For more information

Randy Raw
– rawr@more.net
– 573.882.0749

Beth Young
– youngba@more.net
– 573.884.7200