Enemy at the Water Cooler by Brian T Contos

Chapter 10
Rapid Remediation—A University in the United States

“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”
—Bruce Schneier
Colleges and universities, by design, are open environments that promote access to and sharing of information within the institution and amongst outside groups. Historically, they haven’t been early adopters of security solutions. However, I’ve actually seen an increased level of interest in security among university systems over the past two years. Security for them is often an afterthought, except perhaps around sensitive areas of research. When it comes to the general student population using network resources, accessing the Internet, or otherwise interacting with computers, it is still pretty much an untamed environment run fully or partly by students.

Because of the turnover in administrators and users, the university environment is incredibly dynamic. Whenever there is high turnover in any organization, security becomes more difficult. As a result, universities are popular targets for attacks from outside and within, and are popular staging areas for attacking others. When I first started working in security, I recall my manager telling me that if I saw malicious traffic, and it turned out to come from a university, two things were likely. One, the university was probably the victim of a compromise—their systems were being used without their knowledge—and two, even if we contacted the university about the events, nothing would or could be done. I don’t agree with this today, but universities certainly had a black mark at the time.
Over the last two years, there have been several incidents of academic institutions’ systems being broken into. Here are some that made headlines:

- The University of Texas at Austin’s system was broken into, and a student was fined one hundred and seventy thousand dollars and sentenced to five years of probation. A year later, two hundred thousand records containing information on students, alumni, faculty, and staff were illegally accessed.
- The University of Notre Dame in Indiana investigated an apparent hack that exposed confidential data belonging to an undisclosed number of donors to the school.
- Officials at California State University, Chico, announced that they were victims of hackers who had broken into a computer system that contained information for around fifty-nine thousand current, former, and prospective students, as well as faculty and staff.
www.syngress.com
- A Stanford hack exposed ten thousand identities stored in the university’s Career Development Center computer system.
- The University of California, Berkeley, had 1.4 million identities exposed.
- The University of California, San Diego, network leaked three hundred and eighty thousand records.
- The University of Colorado may have exposed forty-three thousand people to identity theft after two of its servers were attacked.
I’ve seen several universities that run their networks like an ISP, where each department runs its own local network, servers, and security safeguards. The university essentially provides links between all the departments, student facilities, and the Internet. As with an ISP, there isn’t a lot being done in the cloud beyond ensuring that packets continue to move within the network. Just as in a corporation, this decentralization may also continue by bifurcating the local network between server responsibilities and network responsibilities, while security is addressed by both groups as an overlay.
More proactive universities, lacking the resources to manually respond to critical events effectively with in-house solutions, are implementing ESM and leveraging rapid remediation capabilities that don’t require real-time human intervention. In the late 1990s, automated remediation was considered a joke, and rightly so. Organizations that jumped on the bandwagon and allowed their IDS to change router ACLs or firewall rules whenever it detected an attack found the approach so laden with false positives that it couldn’t be used successfully. Once enough people got knocked off the network accidentally, the plug was pulled on this form of incident response. Fairly recently—thanks to ESM—remediation options with smarter IPS started showing up in greater numbers.

If an ESM is at the core of the remediation capability, better decisions can be made more quickly and with less risk of turning the response mechanism into a weapon. While the risk of a false positive is greatly reduced, it isn’t zero. But since the ESM receives real-time event information and can correlate that information with supporting events, target vulnerabilities, active lists, asset values, and more, basing decisions on its output is much more dependable.
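The contrast between the late-1990s "IDS rewrites the ACL" reflex and an ESM-gated response is easier to see in code. The following is an added illustration, not code from the book or from any ESM product: it scores one IDS alert against constructed asset, vulnerability, active-list and supporting-event data, and only blocks when the correlation supports it. All hosts, names, thresholds and values are made up.

```python
from dataclasses import dataclass

# Added example, not from the book: an IDS alert plus the context an ESM would
# correlate (asset value, target vulnerability, active list, supporting events)
# before choosing a response. Every host, name and value here is constructed.

@dataclass
class Alert:
    src: str
    dst: str
    signature: str
    affects: frozenset   # platforms the attack can actually succeed against
    severity: int        # 1 (low) .. 10 (high), as reported by the IDS

# Constructed enrichment data the ESM holds.
ASSET_DB = {"10.0.0.5": {"platform": "linux-apache", "value": 3},
            "10.0.0.9": {"platform": "windows-iis", "value": 5}}
VULN_DB = {"10.0.0.9": frozenset({"windows-iis"})}   # from a vulnerability scan
WATCHLIST = {"203.0.113.7"}                           # active list of known-bad sources
RECENT_EVENTS = []                                    # supporting events in the window

def naive_ids_decision(alert):
    """Late-1990s style: any loud alert rewrites an ACL, with no context at all."""
    return "block_source" if alert.severity >= 5 else "ignore"

def esm_decision(alert, asset_db=ASSET_DB, vuln_db=VULN_DB,
                 watchlist=WATCHLIST, recent_events=RECENT_EVENTS):
    """Gate the response on correlation so a false positive cannot become a weapon."""
    asset = asset_db.get(alert.dst, {"platform": "unknown", "value": 1})
    exposed = alert.affects & ({asset["platform"]} | vuln_db.get(alert.dst, frozenset()))
    if not exposed:
        return "log_only"   # attack cannot succeed here; blocking would only risk an outage
    score = alert.severity + asset["value"]
    if alert.src in watchlist:
        score += 2
    # Supporting events: the same source touching other hosts suggests a sweep.
    if sum(1 for e in recent_events if e.src == alert.src and e.dst != alert.dst) >= 3:
        score += 2
    if score >= 12:
        return "block_source"
    if score >= 8:
        return "open_ticket"  # human review, no automatic network change
    return "log_only"

def compare(alert):
    """Return (naive IDS action, ESM-correlated action) for one alert."""
    return naive_ids_decision(alert), esm_decision(alert)

# Same signature against two targets: only one of them can actually be affected.
WEB = frozenset({"windows-iis"})
ALERT_LINUX = Alert("198.51.100.4", "10.0.0.5", "WEB_SERVER_EXPLOIT_ATTEMPT", WEB, 7)
ALERT_IIS = Alert("198.51.100.4", "10.0.0.9", "WEB_SERVER_EXPLOIT_ATTEMPT", WEB, 7)
```

Run `compare(ALERT_LINUX)` and `compare(ALERT_IIS)`: the naive path blocks the source in both cases, while the ESM path logs the first (the target is not vulnerable) and blocks only the second.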