IT Security in Schools - PowerPoint PPT Presentation

Slides: 26
Provided by: ckan

Transcript and Presenter's Notes

Title: IT Security in Schools


1
IT Security in Schools
  • Tony Wong
  • Senior Systems Manager
  • IT Security Infrastructure Services
  • Information Technology Services Department

2
The Story of Nimda
3
The Story of Nimda
  • Infection via E-Mail

4
[Diagram: Internet mail server, INTERNET, INTRANET, infected PC]
5
The Story of Nimda
  • Infection via E-Mail
  • Scan and Exploit IIS Web Server Vulnerability

6
[Diagram: infected IIS web server, vulnerable IIS server, INTRANET, INTERNET]
7
The Story of Nimda
  • Infection via E-Mail
  • Scan and Exploit IIS Web Server Vulnerability
  • Exploit IE Browser Vulnerability

8
[Diagram: infected IIS web server, INTERNET, INTRANET, unpatched IE browser]
9
The Story of Nimda
  • Infection via E-Mail
  • Scan and Exploit IIS Web Server Vulnerability
  • Exploit IE Browser Vulnerability
  • Infection via Network File Sharing

10
[Diagram: file server, desktop PC, INTRANET, INTERNET, infected PC]
11
[Diagram: INTERNET, INTRANET]
12
Moral of the Story
  • Nimda is a model of the modern virus/worm
  • Fast global spread: hit 2.2 million systems in 24 hours
  • Affects more than end-user PCs
  • Multi-point attack (e-mail, software loopholes, file server, web server etc.)
  • Blended threat (virus, mass mailing, DoS, Trojan horse, intrusion etc.)

13
Common Internet Threats
  • Virus and Worm
  • Web Defacement
  • Hacking Intrusion
  • DoS / DDoS

14
Web Defacement
  • Exploit system and software vulnerabilities
  • Insider attack
  • Automatic tools available on the Internet
    • detect vulnerable system
    • crack server password
    • launch attack and remove logging
    • install Trojan horse (back door)
  • Attacks are easy to launch but difficult to trace
  • An average of 500 defacements are recorded by Zone-H each day
    • http://www.zone-h.com/en/defacements/filter/

15
Web Defacement
A Sample Defaced Web Site
16
Hacking Intrusion
  • Exploit system and software vulnerabilities
  • Use automatic tools
    • crack server password
    • detect vulnerable system
    • locate Trojan horse (back door)
  • Remotely access and control other systems
  • Access, change or delete programs and files
  • Deface web site
  • Attack other systems

17
Remote Control Trojan (Sub7)
  • Installed on the victim's computer through
    • e-mail attachment
    • access to unprotected network shares
    • manual installation by a hacker (or insider)
  • Allows the attacker to do many things on your computer remotely, including
    • run any commands
    • upload/download/delete files
    • capture monitor display
    • capture from webcam
    • record from microphone
    • capture what you type
    • steal passwords
    • and many more
  • Ref: http://rr.sans.org/toppapers/subseven.php

18
Remote Control Trojan (Sub7)
Sample Sub7 Client Screen (Used by Hacker)
19
DoS / DDoS
  • (Distributed) Denial of Service attack
  • Continuous flooding of data to target system
  • System or network is overloaded or down
  • Legitimate users cannot access the system
  • Exploit system and software vulnerabilities
  • Use automatic tools, virus, Trojan horse etc.
  • Plant attack program on a large number of infected systems
  • Trigger global attack on a targeted system

20
The Problem
  • Vulnerable products
  • Internet was not designed for high security
  • Spoofing is easy
  • The infrastructure (DNS, Routers) is vulnerable
    to attacks
  • Governance is open
  • Readily available tools
  • Human errors
  • Mis-configured or unpatched systems
  • Default or easily guessed passwords
  • Abuse, hacking
  • Lack of awareness and ethics

21
The Impact to School
  • Can be a target or a source of attack
  • Service interruption
  • Compromise of sensitive information
  • Cost to recover
  • Counter-example to ethics development
  • Lost reputation
  • Criminal liability

22
Technical Countermeasures
  • Remove unused programs and services
  • Anti-virus and anti-spam system
  • Traffic/Content filtering system
  • Firewall
  • System Logging
  • Intrusion Detection Response System
  • Apply security patches and updates promptly

23
Technical Countermeasures
  • Password and access management
  • File and data management
  • Segregation of networks, systems and data
  • Disconnect from Internet when not in use
  • Shutdown workstations when not in use
  • Periodic system housekeeping (system cloning)
  • Regular risk assessment and review
  • and many more.

24
Risk Management
  • Know your risk and priority
  • Physical security and access control
  • Adopt best-practice guidelines
  • Develop an acceptable use policy
  • Set up an incident response team
  • Ethics development
  • Security awareness and education
  • Information security is everyone's business

25
Useful Resources
  • Government Web Sites
    • http://www.itginfo.gov.hk/content/itsecure/ (login required)
    • http://www.infosec.gov.hk/
  • HKCERT/CC
    • http://www.hongkongcert.org
  • Microsoft Security Bulletins
    • http://www.microsoft.com/technet/security/current.asp