LSA’s First General IT Security Meeting

Presented to:

LSA IT Staff (and anyone else that wants to attend)

By: LSA-Sec-ITAM Group October 24, 2007


Introductions

• Chris Brenner

• Michelle Burr

• Scott Lemm

• Jeremy Hallum

• WCC Interns – Laurel Marotta & Kyle Ellicot

*All members (excepting Jeremy) are Infragard Members


What we are not as concerned with

• Wireless

• SNMP

• Instant Messaging

• Exchange Email


What are the current issues?

• Incident Tracking

• Scanning and Reporting (Retina, Spider*, Web Application scanning)

• Departmental Risk Assessments

• Protecting Sensitive data on laptops, removable media

• Secure NAS solutions

• Printer Security (config)

Any items you would like to add?

*We have a CD version of this for those interested

BTW: Terry MacDonald signed the LSA Security Plan


The LSA Security Webpage

• http://www.lsa.umich.edu/lsait/admin/security.asp

• LSA Security Initiative

• Notification Policy for Security Incidents

• Email Groups

• Advisories

• Encryption Solutions (LTD.)

Links to UM resources (ITSS, the SPG, etc.)


Why IT Security is becoming more critical*

• Frequent Data Breaches

• Russian Business Network

*Or at least SHOULD BE more critical


The Problem – Sensitive Data Breaches

• 5/06 – 137K SSNs

• 12/06 – 800K SSNs

• 6/11/07 – 6000 SSNs

• School of Ed – 7/3/07 – 5500 SSNs

• School of Nursing – 9/19/07 – 8000 SSNs

• Specific incidents:

– July 2006 – SQL Injection (potential SSN exposure in the English Dept)

– August 2006 – Internet-facing vitae containing an SSN


Possible Consequences

• Loss of Alumni donations

• Damage to the College’s Image & Reputation

• Lawsuits filed against the College

• Potential for Identity Theft and fraud crimes (will attackers sell this info to organized crime?)

• Informing victims is now required (MI ESB #309 Law, 7/07) – fines for non-compliance can reach $750K

• UVA offered one year of credit monitoring to the victims ($240K)

• Costs of Forensics Investigation and Service Disruption/Restoration

• Media Notification & Negative Public Relations


What to do with a Suspicious Computer

So you got an Alert from UMNET Admins, the NOC or ITSS (or LSA.Security)….

• Check Network Connections

• Check Services and Processes on the system

• Web Searches for anomalies

• WhoIS or NICR DB for abuse contacts (email)

• Look for unusual local accounts

• Check Log files (Event logs, firewall logs, etc)

• Run a full AV scan (RootkitRevealer, Stinger, Malicious Software Removal Tool)

• Spyware/Adware removal tools

• Trace the MAC address to a network jack to track system location

• Search Local Files for IP address of Bot Server for example

• Recent File access can be found in Registry


Quick Tools Reference

• FPORT.EXE, Netstat -an, TCPView

• Event logs

• Search Google for any unknown processes or services running on suspect computer

• Compare Properties, Date, Size and Ownership of suspicious files with those on a clean computer

• Bart PE disk, Knoppix

• ps -aux, Process Explorer, Regmon, FileMon, etc.

• Sh cam <MAC address> (COS version)

• Sh MAC_Add <HH.HH.HH> (IOS version)

• Latest backup media

• Write protected Flash ROM (or CDs) with the binaries you need

Here is our current collection of tools for Compromised Systems.

FPORT.EXE /P

(shows all open TCP/UDP ports on local computer and the EXEs running on them)

Netstat -an

More on Netstat

• Netstat will show you connections the computer has on the network, much like fport, but rather than providing a list of what processes are using each port (a very useful thing and a good reason to use fport) netstat gives you information about the port numbers at both ends instead, and also shows you the current state of each network socket.

• netstat -e – shows you Ethernet interface information

• netstat -s – shows you general network statistics

• netstat -rn – shows you the machine's routing tables

• TCPView – GUI version.


Task Manager – Processes

NOTE: On some computers, you may need to check the “Show processes from all users” check box.

You can click on the Column headers to sort processes alphabetically (shown) or based on CPU utilization, etc.

You may see .EXE’s running in FPORT and NOT see them in Task Manager or Manage -> Services!

Tasklist command on XP: TASKLIST

You may see .EXE’s running in TASKLIST and NOT see them in Task Manager or Manage -> Services!
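The fport, netstat and TASKLIST slides above make one point a responder should check mechanically: a listener that fport reports but Task Manager or tasklist cannot see. The following Python script is an added example, not code from the original slides or the LSA-Sec-ITAM group; it parses constructed fport /p and tasklist output, flags listening ports absent from an assumed clean-build baseline, and flags PIDs that fport saw but tasklist did not. The sample lines, the process names in them and the BASELINE_PORTS set are all constructed.

```python
import re

# Constructed sample output in the layout fport /p prints (Foundstone fport v2.0).
FPORT_SAMPLE = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Pid   Process            Port  Proto Path
4     System         ->  445   TCP
1000  svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
1340  lsass          ->  500   UDP   C:\\WINDOWS\\system32\\lsass.exe
2204  winlogin       ->  6667  TCP   C:\\WINDOWS\\system32\\winlogin.exe
"""
# Constructed sample output in the layout Windows XP tasklist prints.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                 1000 Console                 0      4,872 K
lsass.exe                   1340 Console                 0      1,404 K
"""
# Assumed baseline: the (proto, port) pairs a clean build of this host is expected to serve.
BASELINE_PORTS = {("TCP", 135), ("TCP", 445), ("UDP", 500)}
FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(\S.*)?$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_fport(text):
    """Return [(pid, process, port, proto, path)] parsed from fport /p output."""
    return [(int(p), proc, int(port), proto, path or "")
            for p, proc, port, proto, path in
            (m.groups() for m in map(FPORT_RE.match, text.splitlines()) if m)]

def parse_tasklist(text):
    """Return {pid: image name} parsed from tasklist output."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}

def triage(fport_text, tasklist_text, baseline=BASELINE_PORTS):
    """Flag listeners outside the baseline and PIDs fport sees but tasklist does not."""
    visible = parse_tasklist(tasklist_text)
    findings = []
    for pid, proc, port, proto, path in parse_fport(fport_text):
        if (proto, port) not in baseline:
            findings.append(("UNEXPECTED_PORT", f"{proto}/{port}", pid, proc, path))
        if pid not in visible:  # a listener owned by a process the task list cannot see
            findings.append(("HIDDEN_PID", f"{proto}/{port}", pid, proc, path))
    return findings
```

Save the real `fport /p` and `tasklist` output to files on the suspect machine and pass their contents to `triage()`; every HIDDEN_PID finding is worth a boot from the BartPE or Knoppix disk before trusting any further output from the running system.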

Whois URLs - Reference

• Whois.geektools.com, whois.arin.net, whois.ripe.net, etc

• Umnet NICR Information: https://netinfo.umnet.umich.edu/

• Sam Spade Utility (GUI for all this – later slide)

Info from WhoIS should include:

Two Points of contact, The Mailing Address, The phone #(s), the IP range, the ISP (if exists) and the DNS name servers.

Other Security Resources

• Retina Scans

• FailedLogins.pl (Eventlog.VBS)

• Contacts to Mark Weishan

• Contacts with UMNET Admins (umnet.admins@umich.edu)

• Peakflow-X

• V-Firewall

• UMNET Flow data (ITSS too)

• Antigen on Exchange

• MS Outlook 2000 Security Update on all LSA build clients (blocked extensions) – slipstreamed into Office 2000 package

• [\\lsa-dev\dev-w2k-packages\secure] dir

• File System Auditing (when requested – explain procedure)

NOTE: With Regards to the contacts and email lists I’m posting here. Please be aware that these resources are NOT for basic OS/Networking questions. Don’t abuse the privilege. Call/email LSA-SST first if in doubt.

Quick Tools Reference

• PING (is the offending machine alive and running?)

• NSLOOKUP (is the offending computer in DNS? – do Internet name AND IP address)

• WHOIS (find the remote Admin’s email)

• IP BLOCK WHOIS (find the remote Admin’s email)

• DIG (for DNS)

• TRACEROUTE (tracert.exe – Windows)

• FINGER (find user in x.500 or on a specific server)

• ARP – to match IP to MAC address (PING from LAN)
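Tracing a MAC address to a network jack (the suspicious-computer checklist, the Sh cam / Sh MAC_Add entries and the ARP item above) means reconciling the Windows and Cisco spellings of the same MAC. The following Python script is an added example, not code from the original slides: it parses constructed Windows `arp -a` and Cisco IOS `show mac-address-table` output, normalizes the `00-0d-65-...` and `000d.65a1....` forms, and reports the port learning the MAC, flagging a port that learns several MACs as a likely uplink rather than a user jack. The addresses (RFC 5737 test range), VLAN numbers and port names are all constructed.

```python
import re
from collections import Counter
# Constructed sample of Windows "arp -a" output (RFC 5737 test addresses).
ARP_SAMPLE = """\
Interface: 192.0.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.1             00-0d-65-a1-b2-c3     dynamic
  192.0.2.77            00-16-d3-4e-5f-60     dynamic
"""
# Constructed sample of Cisco IOS "show mac-address-table" output.
MAC_TABLE_SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    000d.65a1.b2c3    DYNAMIC     Gi0/1
  50    0011.2233.4455    DYNAMIC     Gi0/1
  50    0016.d34e.5f60    DYNAMIC     Fa0/17
"""
ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\w+")
TABLE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\w+\s+(\S+)")

def normalize_mac(mac):
    """Reduce 00-0d-65-a1-b2-c3 or 000d.65a1.b2c3 to the 12 hex digits 000d65a1b2c3."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Return {ip: normalized mac} from arp -a output."""
    return {m.group(1): normalize_mac(m.group(2))
            for m in map(ARP_RE.match, text.splitlines()) if m}

def parse_mac_table(text):
    """Return {normalized mac: (vlan, port)} from show mac-address-table output."""
    return {normalize_mac(m.group(2)): (int(m.group(1)), m.group(3))
            for m in map(TABLE_RE.match, text.splitlines()) if m}

def locate(ip, arp_text, table_text):
    """Map an IP to the switch port that learned its MAC; None if either lookup misses."""
    table = parse_mac_table(table_text)
    mac = parse_arp(arp_text).get(ip)
    if mac not in table:  # also covers an IP absent from the ARP cache (mac is None)
        return None
    vlan, port = table[mac]
    per_port = Counter(p for _, p in table.values())
    # A port with several MACs behind it is usually an uplink or a hub, not the user's jack.
    return {"mac": mac, "vlan": vlan, "port": port, "uplink": per_port[port] > 1}
```

Run `arp -a` from a machine on the same LAN as the suspect (PING it first so the entry is fresh), then feed the switch's MAC table to `locate()`; when the result is flagged as an uplink, repeat on the next switch down.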


Presentations or Reports from other LSA-Sec-ITAM members

• Scott Lemm

• Michelle Burr
