SIRT Contact Orientation
Security Incident Response Team
Departmental Security Contacts
April 16, 2004
Why Are We Here?
• Introductions
• The SIRT and you
• Compromise recovery procedure
• Current security issues
• Resources
• Future events
• Free refreshments
SIRT Departmental Security Contact
Orientation
Introductions
• Dr. Elizabeth Unger, VPAST
• Security Incident Response Team
– And their alternates
– Representatives from all academic colleges and major administrative units
• Departmental contacts
– When this is all over, introduce yourself to your SIRT representatives
The SIRT And You
• SIRT History
– March 2003: IT Security SWAT team chaired by Roger Terry recommends formation of SIRT
– Summer 2003: Interim SIRT formed
– September 2003: Permanent SIRT formed
• Representatives from all colleges and major administrative units
• 0.3 time spent on SIRT activities
The SIRT And You
• SIRT’s charge (reactive/proactive/advisory):
– Coordinated security incident response
– Alerts to new vulnerabilities and attacks
– Implement/coordinate preventative security measures
– Security awareness and best practice training
– Advise on secure design of apps, systems, networks
– Host an annual security workshop
The SIRT And You
• SIRT is:
– Coordinate rapid incident response for campus
– Advise on security best practices
– Communication channel
• SIRT is NOT:
– A policy body (that’s IRMC)
– IT police
– Additional technical support for your department
The SIRT And You
• Role of Departmental Security Contact (and your local IT support people):
– Respond to incidents in your unit
– Repair compromised systems
– Implement preventative measures
– Alert your SIRT rep. about unusual activities
– Enforce policies at the local level
– Educate your users on security best practices
– Pass along security information to your unit
The SIRT And You
• The goal is for you, your users, the SIRT, and central IT services to work together to protect K-State’s information and technology resources.
Compromise Recovery Procedure
• A compromised host is detected
– By IDS, network monitoring, or abuse report
• The host is blocked
– Usually by CNS with a router filter
– Sometimes you’ll pull the plug
Procedure, Cont.
• The departmental contact is notified
– That’s you
– Via email to SIRT-CONTACTS
• So you need to watch this email list
– See also Blocked Hosts web page
• You notify the affected user
Procedure, Cont.
• You arrange for the host to be cleaned up
– Try to find out what caused the compromise
– Recovery may mean reformat / reinstall
• You contact your SIRT representative to have the host unblocked
– Or their alternate, if they’re unavailable
• Your SIRT rep contacts CNS
Current Security Issues
• Network-based worms
• E-mail viruses and worms
• Accounts without good password
• Poor patch management
• Insecure servers
Problem: Network-based Worms
• Currently our biggest issue
– Navpaw, Gaobot
• No user interaction necessary
• Exploiting security vulnerabilities
• Exploiting Windows accounts without good password
• Leaving behind back doors
Network-based Worms: Solutions
• Patch, patch, patch
• Symantec Antivirus with daily updates
• Good passwords on Windows accounts
• Network vulnerability scans
Problem: E-mail Viruses And Worms (“Malware”)
• ‘Zero-Day’, fast propagation
• Smarter social engineering
• Leaving behind back doors
• Cleanup is costly and painful
E-mail Viruses And Worms: Solutions
• New version of Symantec is anomaly-based as well as signature-based
• Symantec Antivirus with daily updates
• Coming soon to central e-mail: real antivirus filtering
• Managed antivirus installations
• Users are learning to be careful
Problem: Accounts Without Good Password
• Network-based worms are exploiting Windows accounts with no or weak password
• Hackers can do the same thing
Accounts Without Good Password: Solutions
• All Windows accounts should be disabled or have a good password
• Future versions of Windows should enforce this
• Network scans (by the White Hats)
Problem: Poor Patch Management
• Applications as well as OS
• New Microsoft Update critical patches released this week
– Did you know that?
– Were they applied to your computers?
Poor Patch Management: Solutions
• Windows Software Update Services
• Automatic Updates
• Phase out older OS versions
Problem: Insecure Servers
• MS/SQL Blaster
• IIS
• Open SMTP relays
• UNIX / Linux / Mac OS/X
• A server on every desktop
– Which are legitimate?
Insecure Servers: Solutions
• Minimal OS install
• Turn off unneeded servers
• Windows 2003 gets this right
• Regular port scans to detect new servers
• Firewall the campus
Problem: Lack Of Security Awareness
Solution: You
Resources
• SIRT / Security web site
• Your SIRT representative
• Your peers
• Central IT
• Training
SIRT Web Site
• http://www.ksu.edu/InfoTech/security/SIRT
– Blocked hosts
– Departmental security contact list
– SIRT representative and backup list
– Work in progress
Training
• CNS TSC Incident Remediation training in May
• All-day training planned for Tuesday, June 29 in Union Little Theatre
– You really really should attend. Refreshments!
• Microsoft security training planned for June
• More in the future, probably semi-annually
The Future
• Regular network scans of connected devices
– Identify new hosts
– Identify new services (open ports)
– Vulnerability scans
• Server registration
• IDS, ADS
• Firewalls
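The regular scans on this slide, together with the earlier "regular port scans to detect new servers" and "server registration" items, come down to comparing this week's inventory of listening services against last week's and against the list of approved servers. The Python below is an added illustration of that comparison and is not code from the SIRT or from K-State; the snapshot text format, the addresses, the port numbers and the registry contents are all constructed for the example.

```python
# Added example (not from the SIRT slides): diff two scan snapshots to find
# new hosts and newly opened ports, and flag listeners that the server
# registry does not approve. Snapshot format and all sample data are constructed.
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[int]]  # host address -> set of open TCP ports


def parse_snapshot(text: str) -> Snapshot:
    """Parse lines of the form 'host port,port,...' (a constructed format that
    could be produced from any port scanner's output)."""
    snap: Snapshot = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host, ports = parts[0], ",".join(parts[1:])
        snap[host] = {int(p) for p in ports.split(",") if p.strip()}
    return snap


def diff_snapshots(old: Snapshot, new: Snapshot) -> Tuple[List[str], List[Tuple[str, int]], List[str]]:
    """Return (new hosts, newly opened (host, port) pairs on known hosts,
    hosts that disappeared since the last scan)."""
    new_hosts = sorted(h for h in new if h not in old)
    new_services = sorted(
        (h, p) for h, ports in new.items() if h in old for p in ports - old[h]
    )
    gone_hosts = sorted(h for h in old if h not in new)
    return new_hosts, new_services, gone_hosts


def unregistered_services(snap: Snapshot, registry: Snapshot) -> List[Tuple[str, int]]:
    """Every listening port the server registry does not cover: the
    'which servers are legitimate?' question from the slides."""
    return sorted(
        (h, p) for h, ports in snap.items() for p in ports
        if p not in registry.get(h, set())
    )


# Constructed sample data: last week's scan, this week's scan, and the registry
# of approved servers (addresses and ports are made up for the example).
LAST_WEEK = """
# host        open ports
10.0.1.10     22,80
10.0.1.11     25
10.0.1.20     139,445
"""
THIS_WEEK = """
10.0.1.10     22,80,1433
10.0.1.11     25
10.0.1.20     139,445
10.0.1.37     135,139,445,8080
"""
REGISTRY: Snapshot = {"10.0.1.10": {22, 80}, "10.0.1.11": {25}}


def weekly_report(old_text: str = LAST_WEEK, new_text: str = THIS_WEEK,
                  registry: Snapshot = REGISTRY) -> List[str]:
    """Produce the lines a departmental contact would want to follow up on."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    new_hosts, new_services, gone_hosts = diff_snapshots(old, new)
    lines = [f"new host: {h}" for h in new_hosts]
    lines += [f"new service: {h}:{p}" for h, p in new_services]
    lines += [f"host gone: {h}" for h in gone_hosts]
    lines += [f"unregistered server: {h}:{p}"
              for h, p in unregistered_services(new, registry)]
    return lines


if __name__ == "__main__":
    print("\n".join(weekly_report()))
```

Running it on the constructed data reports one new host (10.0.1.37), one new service on a known host (1433 on 10.0.1.10), and every listener that is not in the registry, which is the list a contact would check against the "legitimate server" question before asking for anything to be blocked or registered.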
Questions?
Thanks For Coming!
Remember to introduce yourself to your SIRT representative