Educational institutions astound me when it comes to security
on May 2nd, 2007 at 9:37 am

Monday and Tuesday found me working on an eval install of the NitroSecurity NitroView SIEM product at a local educational institution in the medical center (I did a quick write up on them a few days ago – my opinion has remained pretty much the same now that I have seen the product warts and all). My last job as an information security manager was at an institution with an educational background, so I am somewhat aware of how these places work when it comes to their freedoms, but I frankly never get used to the openness of these places when it comes to the Internet and security.
Basically, these guys don’t have any private network at all. All boxes have public IPs on them. That doesn’t mean that all devices are directly accessible via the Internet, but it seems so foreign when you see it. But the real problem is that they really cannot control any access to the Internet and have to fight an almost purely defensive / reactive battle for security. I wrote at Computerworld about us catching an attack while we were installing the SIEM product, and that was pretty neat to see. But it was really not even a drop in the bucket for these guys. They pretty much spend all day watching these exploits happen and then cleaning them up.
One of the analysts there tracks bad networks as best as he can and sets up IDS rules that alert him when traffic is seen from these IPs. Anyone who has been in security for a month knows that is a losing battle. It is just crazy what they have to do.
Of course, it is kind of exciting as well since these guys get to really play and see the latest stuff. Makes me think that these guys need to be getting paid a stipend from 3com, McAfee, et al so they can let them know about some of these trojans they see before the major players know about it. Pure and simple, this is an untapped resource. The same analyst regularly sees malware that the major AV vendors don’t know about (and quite a few of the more nimble minor ones as well).
Of course, that analyst probably can’t work with those vendors due to employment, but there are ways around that, like submitting problems anonymously.
Vet

Having worked at an educational institution with a /16 network exposed directly to the Internet, and with only a very limited policy implemented on blocking incoming ports (and even less blocks on outgoing connections), I can relate to this story. The most important and critical success factor in a setup like that is that patching has to be up-to-date. *Any* unpatched system *will be* compromised, and it will be compromised quickly.
As mentioned in the post, we generally saw recon portscans a few days before the major anti-x vendors picked up on them. Incident response in educational institutions is also interesting. A lot of the stuff that was going on was being cleaned up by helpdesk staff, simply because of the sheer amount of work that it was.
rybolov,
Actually that’s funny you say that, because that is just what the analyst said. He said he had a few honeypots he puts up as he deems them necessary, then he amended his statement (with a grin) by saying that he actually had a few thousand honeypots, referring to all his PCs.
Michael
Sounds like some of the world’s biggest honeypots just waiting for somebody to connect the sensors on.