Security@IU
Mark Bruhn
Indiana University IT Policy Officer
1
• January 1997 - Michael McRobbie arrives as the
first CIO at Indiana University
• March 1997 – self-proclaimed “privacy
advocate” finds 2760 records of personal info via
an gopher-http gateway
• Posts them to his web site
• Notifies major media outlets
• Information Security Officer was in buried in
Administrative Computing department
• No incident response capability existed
2
• Subsequent actions:
• University Computer Security Task Force appointed
• University Computer Security Office created with an
interim Director
• One of the best technicians available assigned to the
UCSO immediately
• External reviews (company and peer) commissioned
• Interim IT Policy Officer appointed
• External reviews:
• No real surprises
• Peer review recommended permanent IT Policy and
Security Offices
• Developed an action plan
• CIO presented the action plan to the President,
who directed that it be implemented
3
• Offices created in August 1998:
• Positioned in the Office of the Vice President
and CIO, not in computing department
• Several new staff positions created, including
two high-level “officers”
• IT Policy Officer reports to the CIO, and is a
member of OVPIT executive management
• IT Security Officer reports to the IT Policy
Officer, but with dotted-line to the CIO
4
• IT Policy Office
• 14 full-time staff variously responsibly for
• Policy development
• Incident response
• Identification, authentication, authorization
services
• Enterprise directory
• Disaster recovery
• IT Security Office
• 7 full-time staff responsible for
• Maintaining a wide-breadth and specific indepth technical expertise
• Developing security resources for technicians
• Developing/maintaining tools for technicians
• Security consulting
• Security reviews on request
5
University Information Technology Policy
Office
Office of the Vice President for Information
Technology
Michael
McRobbie
September 2001
VP/CIO
Mark Bruhn
IT Policy Officer/
Contracts &
Agreements Officer
Admin Asst
Tom Davis
IT Security Officer
Disaster Recovery
Program Manager
Data Administrator
Info Mgt Officer
Cross-Unit
Recovery Planning
Team
Global Directory
Services Team
1 Lead Data/
Applications Analyst
2 Senior Data/
Applications Analysts
Merri Beth Lavagnino
Deputy IT Policy
Officer
Computer Accounts
Manager
Incident Response
Coordinator
6 Accounts
Administrators
Technical
Investigators
2 Principal Security Engineers
3 Lead Security Engineers
1 Senior Security Analysts
Information Technology
Security Office
6
• February 2001 – Bursar’s Office
• Technician inadvertently allowed anon FTP
• Gigabytes of bootleg movies and music
stashed by unknown individuals
• A file of personal data amongst these
media files, and was downloaded
• In May 2001, Trustees pass a resolution
directing VP/CIO to take steps to
improve security
• Proactive
• Reactive
7
• June 2001 – School of Music
• Web server exploited via known vulnerability
• School was collecting personal information from
prospective students
• Data was stored in directory accessible to the
intruder
• June 2001, CIO directed University units to
eliminate unnecessary files of sensitive
information and to secure the rest
• By December 2001, 55 major units indicated
projects underway or projects completed
• Creating an enterprise directory
• Permits applications to access central secure
store of person information instead of maintaining
distributed stores
• “Translate service” permits departments to store
username instead of SSN and convert as required
8
•
•
•
•
Developed issues list
Developed strategy
Developed talking points
CIO and ITPO/ITSO use all opportunities to
discuss security issues with various
constituencies
• Key is to translate vulnerabilities and issues into
INSTITUTIONAL RISKS
• Role for CIO and IT Policy Officer
• Security Officer many times mostly technical
(which is a good thing) and not schmoozy
• But, key person is the CIO (if organizationally
positioned correctly):
•
•
•
•
Especially if also an academic
Understands technology
Understands business/mission
Has the attention of executive administration
9
• Published general best practices
documents:
•
•
•
•
• Best Practices for Security IT Resources
• Best Practices for Handling Sensitive Electronic
Information (long and short)
Deliver formal technician seminars which include
general information and technical security (partner
with computing department and Human
Resources Management)
Deliver non-credit technician Security
Education/Certification courses, which are already
proving very popular (partner with computing
department; plans to make these mandatory)
Deliver an enhanced suite of technician support
tools (for vulnerabilities assessment, anti-virus,
advisory service, etc.)
Made available many technician/user how-to
guides
10
Purchased:
•
•
•
•
•
•
Intrusion Detection:
Shadow Style
Securing Linux: Step-byStep
Solaris Security: Stepby-Step
Windows NT Security:
Step-by-Step
Windows 2000 Security:
Step by Step
Windows 2000
Vulnerabilities and
Solutions
Locally developed:
Handle a system compromise
Install and Use SSH
Install and Use TCP Wrappers
Obtain a certificate for an IUbased web server
Prevent mail relay abuse
Protect against viruses
Protect your home PC
Protect your IIS web server
Protect your laptop computer
Recover from a System
Compromise
Secure your personal computer
accounts
Secure your Windows FTP
server
Secure your Windows NT
system
Secure your Windows 95/98
system
Secure your UNIX system
11
• Eliminated several insecure email communications
protocols; working to eliminate all
• Developed “virtual private network”, which provides
for authentication and encryption for:
• Connections from off-campus
• On-campus wireless networks
• Commissioned a group to develop a comprehensive
enterprise firewalling proposal, with specific selfdefense goals:
• A large portion of the ~65,000 networked IU systems support
campus functions and do not need to be visible to the
Internet
• On the remaining systems, only certain services (e.g., web
pages) need to be visible to the Internet
• IUB Halls of Residence student computers need special
protection from external influences; services that students
provide to the Internet must be limited
• Security consulting engagements to projects and
systems within UITS and departments increasing
dramatically
12
•
•
•
Placement of a firewall at the edge of the IU
network to protect workstations and local
servers from many types of attacks.
Departmental servers providing services
beyond the IU network would exist on a
separate Class B network than
workstations. Servers on this network
would be registered and hardened and
would be protected via router ACLs.
Servers residing in the UITS machine
rooms on each campus would use a
separate firewall with unique rule sets for
each server.
13
• Created new IT policies:
• Use of Indiana University Information Technology Resources
• Sanctions for Misuse or Abuse of Indiana University
Technology Resources
• Eligibility to Use Indiana University Technology Resources
• Privacy of University Information Technology Resources
• Information Technology Facilitative/Fair Usage Policy
• Security of University IT Resources
• Network and Computer Accounts Administration
• Extending the Network
• Wireless Networking
• Use of Electronic Mail
• Policy on Use of Email for Mass Communications
• Created Deputy IT Policy Officer based at
IUPUI; affords more presence there and at
regional campuses
14
• Web-based scanner management
interface
• ISS and Nessus as scan engines
• Several scan engines
• Scans are required and automatically
executed for OVPIT systems
• Scans are requested by administrators,
security staff, or auditors
• Web-based incident tracking system
• Incidents are triaged by full-time IRC, and
other handled by that person or assigned
15