What Does Infosec Do? - OIT Help - University of Notre Dame

Nov 3, 2013

INFORMATION SECURITY


University of Notre Dame

WHAT DOES INFOSEC DO?



INFORMATION SECURITY TEAM



David Seidl


James Smith


Brandon Bauer


Jaime Preciado-Beas


Jason Williams


Aaron Wilkey


Kolin Hodgson

INFORMATION SECURITY TEAM


Who do I contact if I have a question?


Phone: 1-3888

Email: infosec@nd.edu

In person: Visit the Duty Officer of the day.

After hours: contact Ops



INFRASTRUCTURE NETWORK FLOW

EXAMPLE NETWORK FLOW TO INDIA

SOME OF OUR SERVICES


WebInspect


Risk Assessment


Compliance Support (PCI, FERPA, HIPAA)


Advisories


Vulnerability Management (Qualys)


Data Center Firewall Management


COMPUTER FORENSICS

We know what you did. Yes, you.


Investigations occur after approval from the CIO, Office of General Counsel, and/or HR



Investigations can occur on any electronic device


Windows, MacOS, Linux-based systems, and others


Mobile devices


Network devices



Mostly HR or Incident Response

CONSULTS


Security Assessments


Cloud/Vendor Security Assessments


Virtualization


Education

POLICIES AND STANDARDS



Information Security Policy


http://policy.nd.edu/policy_files/InformationSecurityPolicy.pdf


Highly Sensitive Information


http://oit.nd.edu/policies/itstandards/infohandling.shtml


Responsible Use


http://policy.nd.edu/policy_files/ResponsibleUseITResourcesPolicy.pdf


Security Configuration Standards


https://secure.nd.edu/standards/index.shtml

DNS BLACKLIST


Implemented May 2012


Redirects DNS lookups for listed domains so users cannot reach known malicious web pages


URL lists (feeds) come from known security vendors, e.g. SANS


Refreshed daily


Domains can be whitelisted by contacting the help desk


Domains are blacklisted manually as phishing attacks occur.


To try this, visit 12345.com from campus.
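How a DNS blacklist of this kind behaves in code, as an added example that is not Notre Dame's implementation: feed domains are parsed on each daily refresh, help-desk whitelist entries override the feed, phishing domains are added by hand, and a lookup for a blocked host (or any subdomain of it) is answered with a sinkhole address instead of the real one. The feed text, the sinkhole address 192.0.2.1, the phishing host and the upstream answers are all constructed; 12345.com appears only as a constructed feed entry standing in for the slide's test domain. One caveat the slide glosses over is built in: DNS sees only the hostname, so the block is per domain, never per URL path.

```python
"""DNS blacklist (sinkhole) lookup logic. Added example, not Notre Dame's
implementation; feed contents, addresses and upstream answers are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Iterator, Set
from urllib.parse import urlsplit

SINKHOLE_IP = "192.0.2.1"   # assumed sinkhole address (RFC 5737 documentation range)

# Constructed feed in the usual one-domain-per-line shape; not real vendor data.
FEED_TEXT = """\
# constructed feed, refreshed daily in the real system
Evil-Updates.example.
bad-pharma.example
12345.com
"""


def parse_feed(text: str) -> Set[str]:
    """Lower-cased, dot-trimmed domains from a feed; comments and blanks dropped."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def hostname_of(target: str) -> str:
    """The hostname a resolver sees for a URL or bare host.
    Paths and query strings are invisible to DNS, so blocking is per host."""
    host = urlsplit(target if "://" in target else "//" + target).hostname
    return (host or "").lower().rstrip(".")


def parent_chain(host: str) -> Iterator[str]:
    """host, then each parent: cdn.bad.example -> bad.example -> example."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class DnsBlacklist:
    feed: Set[str] = field(default_factory=set)       # vendor feed entries
    manual: Set[str] = field(default_factory=set)     # phishing domains added by hand
    whitelist: Set[str] = field(default_factory=set)  # help-desk exceptions

    def refresh(self, feed_text: str) -> None:
        """Daily refresh replaces feed entries but keeps manual and whitelist ones."""
        self.feed = parse_feed(feed_text)

    def block_manually(self, target: str) -> None:
        self.manual.add(hostname_of(target))

    def whitelist_domain(self, target: str) -> None:
        self.whitelist.add(hostname_of(target))

    def is_blocked(self, target: str) -> bool:
        """Most specific match wins: a whitelist entry overrides a block at or
        above the same level, and a block covers all of its subdomains."""
        for name in parent_chain(hostname_of(target)):
            if name in self.whitelist:
                return False
            if name in self.feed or name in self.manual:
                return True
        return False

    def resolve(self, target: str, upstream: Callable[[str], str]) -> str:
        """Answer with the sinkhole address for blocked hosts, otherwise ask upstream."""
        host = hostname_of(target)
        return SINKHOLE_IP if self.is_blocked(host) else upstream(host)


def demo() -> dict:
    """Run the scenario from the slide with constructed data and return the answers."""
    bl = DnsBlacklist()
    bl.refresh(FEED_TEXT)
    bl.block_manually("http://nd-login-verify.example/reset")  # constructed phishing host
    bl.whitelist_domain("bad-pharma.example")                  # constructed help-desk exception
    upstream = lambda host: "203.0.113.10"                     # constructed upstream answer
    return {
        "12345.com": bl.resolve("http://12345.com/", upstream),
        "cdn.evil-updates.example": bl.resolve("cdn.evil-updates.example", upstream),
        "bad-pharma.example": bl.resolve("bad-pharma.example", upstream),
        "nd-login-verify.example": bl.resolve("nd-login-verify.example", upstream),
        "nd.edu": bl.resolve("https://nd.edu/", upstream),
    }


if __name__ == "__main__":
    for host, answer in demo().items():
        print(f"{host:28s} -> {answer}")
```

The whitelist is checked before the block list at every level of the parent chain, so a help-desk exception for one host does not have to wait for the feed entry that blocks its parent domain to be removed.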

DNS BLACKLIST TESTING

[Bar chart, one bar per day from 9/11/2012 to 9/14/2012; values in order: 1,528; 3,091; 2,741; 2,603]
CREDIT CARD SUPPORT PROGRAM (CCSP)


Separate network behind its own firewall


Credit card processing environment for ND merchants


All ND merchants required to comply with PCI DSS


Governance body


Information: ccsp.nd.edu or ccsp@nd.edu


TEAM GHOSTSHELL


Project WestWind

WHO IS TEAM GHOSTSHELL?


Hacktivists focused on hacking to bring awareness to what they consider to be the greater good


Team GhostShell made successful dumps prior to Project WestWind


IT Wall Street: dumped 50,000 accounts to support the Occupy Wall Street movement


Project Dragonfly: dumped 200,000 accounts to support freedom of speech in communist countries

Project WestWind



Target: 100 top universities across the world


Purpose: to bring attention to the decaying status of higher education around the world


Outcome: a massive dump of over 120k student/faculty/staff records pulled from university servers


The data: usernames, passwords, phone numbers, class numbers, and more


THE ATTACK!
SQL injection: a code injection technique that exploits a security vulnerability in a website's software, typically a database query built by pasting user input into the SQL text.


GhostShell took advantage of vulnerabilities in the web applications of the targeted universities to gain access to their servers


The vulnerabilities were most likely exploited using SQL injection


The attack took up to four months to prepare, according to Aaron Titus, Chief Privacy Officer of Identity Finder
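What the injection described above looks like against a login form and a phone-number lookup, as an added example that is not code from the slides or from any affected university. Each vulnerable function is shown beside its parameterized fix; the database is in-memory SQLite and every row is constructed (the weak passwords are deliberate, matching the "poor passwords" slide later in this deck).

```python
"""SQL injection: a vulnerable query next to its parameterized fix.
Added example, not code from the slides or from any affected university.
Uses an in-memory SQLite database holding constructed rows."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed user table holding the kind of data GhostShell dumped
    (usernames, passwords, phone numbers). Values are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, phone TEXT)")
    db.executemany("INSERT INTO users (username, password, phone) VALUES (?, ?, ?)",
                   [("alice", "GoIrish1", "574-555-0101"),
                    ("bob", "Trustno1", "574-555-0102")])
    return db


def login_vulnerable(db, username: str, password: str) -> List[str]:
    """Builds the statement by string formatting, so quote characters in the
    input change the query's structure instead of being compared as data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]


def login_fixed(db, username: str, password: str) -> List[str]:
    """Bound parameters: the values travel separately from the SQL text, so a
    quote in the input is just a character to compare against the column."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def phone_lookup_vulnerable(db, username: str) -> List[Tuple[str, str]]:
    sql = "SELECT username, phone FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def phone_lookup_fixed(db, username: str) -> List[Tuple[str, str]]:
    sql = "SELECT username, phone FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Payloads keep their quotes balanced so the statement stays syntactically
# valid; the same effect is often reached with a trailing -- comment instead.
BYPASS = "' OR '1'='1"
DUMP = "x' UNION SELECT username, password FROM users WHERE 'a'='a"


def demo() -> dict:
    db = make_db()
    return {
        # no valid credentials, yet every user row comes back
        "bypass_vulnerable": login_vulnerable(db, BYPASS, BYPASS),
        "bypass_fixed": login_fixed(db, BYPASS, BYPASS),
        # a phone-lookup field turned into a credential dump via UNION
        "dump_vulnerable": sorted(phone_lookup_vulnerable(db, DUMP)),
        "dump_fixed": phone_lookup_fixed(db, DUMP),
        # the fixed code still works for honest input
        "honest_fixed": login_fixed(db, "alice", "GoIrish1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} {rows}")
```

The UNION payload is the shape that turns one exposed lookup field into a dump of an entire table: the attacker only needs to match the column count of the original SELECT. The fix is the same in every language and driver: never build SQL from user input by string concatenation; pass values as bound parameters.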


The Damage


Reputation: any time there is a data leak, the reputation of the institution is affected


Reputation: GhostShell also reported that many of the machines had already been compromised through existing exploits; some of these stored credit card information


Cost: notification and credit monitoring for those whose information was leaked






Sample of Affected Universities


University of Michigan (7 servers)


University of Wisconsin (4 servers)


Cornell University (3 servers)


Tokyo University (4 servers)


Stanford (2 servers)


Cambridge (2 servers)


Arizona State (3 servers)



HOW NOTRE DAME AVOIDED THE INCIDENT


Vigilantly scanning all web applications using tools such as HP WebInspect


Limited the exposure of public-facing servers with the zone network project and other efforts across the university


Luck?


WILL GHOSTSHELL GET CAUGHT?


It is unlikely that anyone from Team GhostShell will get caught.


The team used Tor (an anonymity network) to extract and dump the data. Routing their traffic through Tor's network of relays around the world masked where they were connecting from.

QUESTIONS YOU ASKED

HOW DO NETIDS GET COMPROMISED?


Phishing


Malware


Poor passwords


POOR PASSWORDS


GoIrish, GoIrish1, GoIrish!


password, P@ssword


123123, 12345678, abc123, qwerty


iloveyou


jesus


Trustno1, letmein


ashley, Ashley1983


ninja, mustang, dragon
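The variants on this slide (GoIrish1, GoIrish!, P@ssword, Ashley1983) are exactly what a plain deny-list check misses, because a cracking rule set undoes those decorations in a fraction of a second. Below is an added example, not Notre Dame's password policy code, of a screen that normalizes a candidate password before comparing it against the slide's list: it lowercases, undoes common symbol and digit swaps, and strips digits or symbols tacked onto either end. The deny list is the one on the slide; the minimum length of 8 and the swap tables are assumptions.

```python
"""Weak-password screening that catches the variants on the slide.
Added example, not Notre Dame's password policy; the deny list is the one
from the slide, the minimum length of 8 and the swap tables are assumptions."""
import re
from typing import Optional, Set

# Lower-cased bases from the slide's list of poor passwords.
WEAK_BASES: Set[str] = {
    "goirish", "password", "123123", "12345678", "abc123", "qwerty",
    "iloveyou", "jesus", "trustno1", "letmein", "ashley", "ninja",
    "mustang", "dragon",
}

# Substitutions a cracking rule set tries first; undoing them means
# "P@ssword" is judged as "password" and "G0Irish" as "goirish".
SYMBOL_SWAPS = str.maketrans({"@": "a", "$": "s", "!": "i"})
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                             "5": "s", "7": "t"})
_EDGE = re.compile(r"^[^a-z]+|[^a-z]+$")   # digits/symbols tacked on either end


def candidates(password: str) -> Set[str]:
    """Every normalized form that should be checked against the deny list:
    as typed (lower-cased), with the edge decorations stripped, and each of
    those with symbol and digit swaps undone."""
    lower = password.lower()
    forms = {lower}
    core = _EDGE.sub("", lower)
    if core:                      # all-digit passwords strip to nothing; keep them as typed
        forms.add(core)
    for form in list(forms):
        symbols = form.translate(SYMBOL_SWAPS)
        forms.add(symbols)
        forms.add(symbols.translate(DIGIT_SWAPS))
    return forms


def weak_reason(password: str, min_length: int = 8) -> Optional[str]:
    """None if the password passes, otherwise a reason a user could act on."""
    hits = candidates(password) & WEAK_BASES
    if hits:
        return f"variant of common password {sorted(hits)[0]!r}"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    for pw in ["GoIrish1", "GoIrish!", "P@ssword", "Ashley1983", "123123",
               "Trustno1", "G0Irish2013!", "correct-horse-battery-staple"]:
        print(f"{pw:30s} {weak_reason(pw) or 'ok'}")
```

Stripping the edges before undoing the swaps matters: "G0Irish2013!" only maps back to "goirish" if the trailing "2013!" is removed first, otherwise the digit swaps turn the year into letters and the comparison misses. A production check would also consult a large breached-password corpus, but the normalization step is the same.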

QUESTIONS WE DIDN'T ANSWER


1. List all of the security software the University licenses


There's a lot: check the software downloads page for many approved software packages. If you have a specific need, drop us a line.


2. Common ePO troubleshooting steps


Rather than talk to the entire room about these, we'll schedule an ePO users group meeting.