Information security on campus – lessons from the US

On May 23 2012, Joshua Mauk got a nasty shock. Mauk, who works as an information security officer at the University of Nebraska, found that a critical database on the school’s system had been compromised. It wasn’t just any database, either: it was the Nebraska Student Information System (NeSIS), which held the personal details of 654,000 students.

“They got access to student data, financial aid and billing,” recalls Mauk, explaining that protecting networks in higher-education campus environments is often more difficult than in conventional private sector ones. “The main challenge with campuses is just that culture of openness,” he says.

According to the Open Security Foundation, 15% of data breaches since records began have happened at educational institutions. These places face a unique set of challenges that keep people like Mauk on their toes.

Many of these challenges are intimately bound together. For example, the network environment in universities is often sophisticated and intricate, which is in turn a result of higher education’s idiosyncratic organisational structure: fragmented networks are common because most schools are decentralised. Mauk explains that universities have at least three parts, academic, research and business, and this inherent looseness creates challenges not only in technical infrastructure but also in leadership and decision-making.

Universities also have to worry about those pesky users, who are a diverse bunch. Aaron Massey, a postdoctoral fellow at the Georgia Institute of Technology, describes a syndrome, well understood among IT admins in higher education, called Eternal September. Professors and IT staff used to get a constant stream of questions from clueless students in September, at the start of the academic year, as they grappled with networks and computing systems. To compound the problem, both students and tutors like to bring in their own devices, and the explosion of post-PC hardware over the last two years has greatly expanded the number of platforms that must be supported. Some administrators deal with this by completely blocking access to administrative systems from unapproved devices.

Cohesion on campus isn’t enough, experts argue. Sharing information between academic institutions to establish and reinforce best practices is a key part of the process. Openness may be one of the educational sector’s biggest weaknesses from a cybersecurity standpoint, but it is also one of its saving characteristics.

The University of Nebraska is just one of many educational institutions across the globe that continue to tighten their security. Although the university notified all affected users of the compromise, over the following three to six weeks it narrowed the group of users at higher risk from 600,000 to 150. In education, as elsewhere, compromises can happen. It’s how you respond that sets you apart from the pack.

Read full article at: TheGuardian

New D/TLS attacks published

Researchers Nadhem AlFardan and Kenneth Paterson of Royal Holloway, University of London, on Monday released a paper demonstrating attacks on the TLS and DTLS protocols, the most widely used ways to encrypt data on the Internet today. The attacks, known as Lucky Thirteen, exploit a timing side channel in the way implementations check padding and MACs on CBC-mode records. While they require complex statistical analysis of many measurements in order to decrypt messages, code exploiting these weaknesses is likely to emerge in the wild in the relatively near term, given the high potential value of a successful attack.

The TLS (Transport Layer Security) protocol and its predecessor, the SSL (Secure Sockets Layer) protocol, are a core part of HTTPS (Hypertext Transfer Protocol Secure), the primary method of securing communications on the Web. The DTLS (Datagram Transport Layer Security) protocol is based on TLS and used for encrypting connections between applications that communicate over UDP (User Datagram Protocol).

“OpenSSL, NSS, GnuTLS, yaSSL, PolarSSL, Opera, and BouncyCastle are preparing patches to protect TLS in CBC-mode against our attacks,” the researchers said on their website. Network-level detection relies on the fact that a large number of requests must be sent to recover plaintext, much as with the BEAST attack on SSL/TLS in 2011. Vendors ranging from Microsoft to OpenSSL have released announcements on the subject, either verifying that their implementations are already secure, releasing patches, or confirming that patches are in development. Users are encouraged to upgrade all SSL/TLS-capable applications on their systems and networks as soon as feasible, and, where both ends support it, to prefer non-CBC ciphersuites such as AES-GCM in TLS 1.2.
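To make the leak concrete, the following added example (not code from the paper or from any of the libraries named above) models the step that Lucky Thirteen targets: after CBC decryption the receiver holds data || MAC || padding, checks the padding, and then verifies HMAC-SHA1 over a 13-byte record header plus the data. Instead of measuring wall-clock time, it counts SHA-1 compression-function calls, which is what the timing signal ultimately reflects. The key, header and record contents are constructed test values, and AES-CBC itself is omitted since the leak lives entirely in the post-decryption check.

```python
import hashlib
import hmac
from typing import Tuple

MAC_LEN = 20      # HMAC-SHA1 tag length
BLOCK = 16        # AES-CBC block size
# TLS record header MACed alongside the data: 8-byte sequence number,
# 1-byte content type, 2-byte version, 2-byte length. These 13 bytes are
# the "13" in Lucky Thirteen.
HEADER_LEN = 13


def sha1_compressions(msg_len: int) -> int:
    """SHA-1 compression calls HMAC-SHA1 performs over msg_len bytes:
    one for the ipad block, ceil((msg_len + 9) / 64) for the padded message
    (9 = 0x80 terminator + 8-byte length), one for the opad block and one
    for the 20-byte inner digest. This count is what a timing attacker sees."""
    return 1 + (msg_len + 9 + 63) // 64 + 2


def build_record(key: bytes, header: bytes, data: bytes, padlen: int) -> bytes:
    """Plaintext of a CBC record as it looks after decryption: data || MAC ||
    padding, the padding being padlen + 1 copies of the byte padlen (RFC 5246)."""
    tag = hmac.new(key, header + data, hashlib.sha1).digest()
    plaintext = data + tag + bytes([padlen]) * (padlen + 1)
    assert len(plaintext) % BLOCK == 0, "record must be block aligned"
    return plaintext


def _split(plaintext: bytes) -> Tuple[bool, bytes, bytes]:
    """Parse the padding. On malformed padding fall back to padlen = 0, as
    RFC 5246 prescribes, so that the MAC is still checked.
    Returns (pad_ok, data, tag). The padding scan itself is not constant
    time either; the example focuses on the MAC-length leak."""
    padlen = plaintext[-1]
    pad_ok = (padlen + 1 + MAC_LEN <= len(plaintext)
              and all(b == padlen for b in plaintext[-(padlen + 1):]))
    if not pad_ok:
        padlen = 0
    end = len(plaintext) - padlen - 1 - MAC_LEN
    return pad_ok, plaintext[:end], plaintext[end:end + MAC_LEN]


def naive_check(key: bytes, header: bytes, plaintext: bytes) -> Tuple[bool, int]:
    """RFC-5246-style check: the MAC is verified even when padding is bad,
    but the amount of data MACed depends on whether the padding parsed, so
    the compression count (and hence the time) reveals the padding result.
    Returns (accepted, compressions)."""
    pad_ok, data, tag = _split(plaintext)
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    return pad_ok and mac_ok, sha1_compressions(len(header) + len(data))


def hardened_check(key: bytes, header: bytes, plaintext: bytes) -> Tuple[bool, int]:
    """Same decision, but the work is topped up to what the longest possible
    message (padlen = 0) would cost, so the count no longer depends on the
    padding byte. Real fixes do this inside the hash in constant time; the
    dummy compressions here stand in for that."""
    pad_ok, data, tag = _split(plaintext)
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    target = sha1_compressions(len(header) + len(plaintext) - MAC_LEN - 1)
    for _ in range(target - sha1_compressions(len(header) + len(data))):
        hashlib.sha1(b"\x00" * 64).digest()   # burn one compression call
    return pad_ok and mac_ok, target


if __name__ == "__main__":
    # Constructed values: an all-zero key and header, a 30-byte request body,
    # padded with 14 bytes so the 64-byte record is block aligned.
    key, header = bytes(20), bytes(HEADER_LEN)
    record = build_record(key, header, b"GET / HTTP/1.1\r\nCookie: secret", 13)
    # An attacker flipping the last ciphertext block scrambles the padding byte;
    # 0xff cannot be valid padding, so the receiver falls back to padlen = 0.
    tampered = record[:-1] + b"\xff"
    for name, check in (("naive", naive_check), ("hardened", hardened_check)):
        print(name, "valid:", check(key, header, record),
              "tampered:", check(key, header, tampered))
```

With the naive check, a record with correct padding costs 4 compression calls and a tampered one costs 5, which is the one-block difference the paper turns into a plaintext-recovery oracle; the hardened check returns 5 in both cases while reaching the same accept/reject decision.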

SANS: 20 Critical Security Controls

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through. With the change in FISMA reporting implemented on June 1, the 20 Critical Controls become the centerpiece of effective security programs across government. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far-reaching impact.

These Top 20 Controls were agreed upon by a consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy nuclear laboratories, the Department of State and the DoD Cyber Crime Center, plus leading commercial forensics experts and penetration testers serving the banking and critical-infrastructure communities.

Automating these Top 20 Controls is expected to lower the cost of security substantially while improving its effectiveness. The US State Department, under CISO John Streufert, has already reported a reduction of more than 94% in “measured” security risk through rigorous automation and measurement of the Top 20 Controls.

A Brief History Of The 20 Critical Security Controls >>

20 Critical Security Controls – Version 4.0