INFORMATION SECURITY University of Notre Dame WHAT DOES INFOSEC DO? University of Notre Dame INFORMATION SECURITY TEAM David Seidl James Smith Brandon Bauer Jaime Preciado-Beas Jason Williams Aaron Wilkey Kolin Hodgson INFORMATION SECURITY TEAM Who do I contact if I have a question? Phone:1-3888 Email: [email protected] In person: Visit the Duty Officer of the day. After hours: contact Ops INFRASTRUCTURE NETWORK FLOW EXAMPLE NETWORK FLOW TO INDIA SOME OF OUR SERVICES Web Inspect Risk Assessment Compliance Support (PCI-FERPA-HIPAA) Advisories Vulnerability Management (Qualys) Data Center Firewall Management COMPUTER FORENSICS We know what you did. YES YOU COMPUTER FORENSICS Investigations occur after approval from the CIO, Office of General Counsel, and/or HR Investigations can occur on any electronic device Windows, MacOS, Linux based systems, and others Mobile devices Network devices Mostly HR or Incident Response CONSULTS Security Assessments Cloud/Vendor Security Assessments Virtualization Education POLICIES AND STANDARDS Information Security Policy Highly Sensitive Information http://oit.nd.edu/policies/itstandards/infohandling.shtml Responsible Use http://policy.nd.edu/policy_files/InformationSecurityPolicy.pdf http://policy.nd.edu/policy_files/ResponsibleUseITResourcesPolicy.pdf Security Configuration Standards https://secure.nd.edu/standards/index.shtml DNS BLACKLIST Implemented May 2012 Redirects URLs through DNS to prevent users from visiting malicious web pages URL lists (feeds) are from known security vendors, e.g. SANS Refreshed daily URLs can be white listed by contacting the help desk Manually blacklist as phishing attacks occur. To try this visit 12345.com from campus DNS BLACKLIST DNS BLACKLIST TESTING 3,500 3,091 3,000 2,741 2,603 2,500 2,000 1,500 1,528 1,000 500 0 9/11/2012 9/12/2012 9/13/2012 9/14/2012 CREDIT CARD SUPPORT PROGRAM (CCSP) Separate network behind its own firewall Credit Card processing environment for ND merchants All ND merchants required to comply with PCI DSS Governance body Information: ccsp.nd.edu or [email protected] TEAM GHOSTSHELL Project WestWind Target: 100 top universities across the world Purpose: To bring attention to the decaying status of higher education around the world Outcome: A massive dump of over 120k student/faculty/staff records pulled from university servers The Data: Usernames, passwords, phone numbers, class numbers, and more WHO IS TEAM GHOSTSHELL? Project WestWind “Hactivists” focused on hacking to bring awareness for what they consider to be the greater good Team GhostShell has made successful dumps prior to Project West Wind IT Wall Street: Dumped 50,000 accounts to support the occupy Wall Street movement Project Dragonfly: Dumped 200,000 accounts to support freedom of speech in communist countries GhostShell was able to take advantage of vulnerabilities in the web applications of the targeted universities to gain access to their servers The vulnerabilities were most likely exploited using SQL injection The attack took up to four months to prepare according to Aaron Titus of Identity Finder (Chief Privacy Officer) THE ATTACK! SQL Injection: A code injection technique that exploits a security vulnerability in a website's software. The Damage Reputation: Anytime there is a data leak, the reputation of the institution is affected Reputation: GhostShell also found many of the machines were already exploited existing exploits. Some of these stored credit card information. Cost: Notification and credit monitoring for those whose information was leaked Sample of Affected Universities University of Michigan (7 servers) University of Wisconsin (4 servers) Cornell University (3 servers) Tokyo University (4 servers) Stanford (2 servers) Cambridge (2 servers) Arizona State (3 servers) HOW NOTRE DAME AVOIDED THE INCIDENT Vigilantly scanning all web applications using tools such as HP Webinspect Limited the exposure of public facing servers with the zone network project and other efforts across the university Luck? WILL GHOSTSHELL GET CAUGHT? It is unlikely that anyone from team GhostShell will get caught. The team used TOR (anonymity network) to extract and dump the data. This allowed them to mask their location through a network of anonymous proxies around the world. QUESTIONS YOU ASKED HOW DO NET IDS GET COMPROMISED? Phishing MALWARE POOR PASSWORDS POOR PASSWORD GoIrish, GoIrish1, GoIrish! password, [email protected] 123123, 12345678, abc123, qwerty iloveyou jesus Trustno1, letmein ashley, Ashley1983 ninja, mustang, dragon QUESTIONS WE DIDN’T ANSWER 1. List all of the security software the University licenses There’s a lot: check the software downloads page for many approved software packages. If you have a specific need, drop us a line. 2. Common ePO troubleshooting steps Rather than talk to the entire room about these, we’ll schedule an ePO users group meeting.