Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

Similar documents
Information Technology. Information and Systems Security/Compliance Information Security Vulnerability Assessment Program Version: 1.

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Security from the Cloud

About Botnet, and the influence that Botnet gives to broadband ISP

Networking for Caribbean Development

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance

Advanced Persistent Threats

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Streamlining Web and Security

Information Security Threat Trends

Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team

UNCLASSIFIED. General Enquiries. Incidents Incidents

Countermeasures against Bots

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Security A to Z the most important terms

Current counter-measures and responses by CERTs

24/7 Visibility into Advanced Malware on Networks and Endpoints

A Critical Investigation of Botnet

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Malware Trend Report, Q April May June

Seminar Computer Security

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Introduction: 1. Daily 360 Website Scanning for Malware

Payment Card Industry (PCI) Data Security Standard

Symantec Hosted Mail Security Getting Started Guide

Protecting the Infrastructure: Symantec Web Gateway

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version and earlier

Configuring Allied Telesyn Equipment to Counter Nimda Attacks

2010 Carnegie Mellon University. Malware and Malicious Traffic

Fraud and Abuse Policy

The anatomy of an online banking fraud

FIREWALL POLICY November 2006 TNS POL - 008

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Malware & Botnets. Botnets

Using big data analytics to identify malicious content: a case study on spam s

Deep Security Vulnerability Protection Summary

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Proxies. Chapter 4. Network & Security Gildas Avoine

SPAM FILTER Service Data Sheet

Network Service, Systems and Data Communications Monitoring Policy

Updated January Hosting and Managed Services Acceptable Use Policy

Passive Vulnerability Detection

Getting Ahead of Malware

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Payment Card Industry (PCI) Executive Report. Pukka Software

UNMASKCONTENT: THE CASE STUDY

How To Audit The Mint'S Information Technology

Secondary DMZ: DMZ (2)

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

RSA Security Analytics

INFORMATION SECURITY REVIEW

Computer and Network Security Policy

Codes of Connection for Devices Connected to Newcastle University ICT Network

Security Management. Keeping the IT Security Administrator Busy

DDoS Attacks Can Take Down Your Online Services

DBC 999 Incident Reporting Procedure

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

RAMPART HOSTING, LLC ACCEPTABLE USE POLICY ("AUP")

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Networks and Security Lab. Network Forensics

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Quick Heal Exchange Protection 4.0

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Firewall Firewall August, 2003

(For purposes of this Agreement, "You", " users", and "account holders" are used interchangeably, and where applicable).

Bronco Ltd does not allow any of the following content to be stored on its servers:

Standard: Information Security Incident Management

Detecting peer-to-peer botnets

Advanced Mail Server Settings Options for Shared Hosting Clients

Network Instruments white paper

Office of Education Technology (OET) Security Best Practices Guideline for Districts

ReadySpace Limited Unit J, 16/F Reason Group Tower, Castle PeakRoad, Kwai Chung, N.T.

Fifty Critical Alerts for Monitoring Windows Servers Best practices

PCI Security Scan Procedures. Version 1.0 December 2004

Unknown threats in Sweden. Study publication August 27, 2014

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Web DLP Quick Start. To get started with your Web DLP policy

BotNets- Cyber Torrirism

Acceptable Use Policy

F-SECURE MESSAGING SECURITY GATEWAY

How To Mitigate A Ddos Attack

AT&T Real-Time Network Security Overview

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting

ENABLING FAST RESPONSES THREAT MONITORING

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

Introduction to Computer Security Benoit Donnet Academic Year

Avira Managed Security AMES FAQ.

Cyber Essentials Scheme

How To Perform A Large Scale Attack On A Large Network

STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Migration Project Plan for Cisco Cloud Security

Security Incidents And Trends In Croatia. Domagoj Klasić

Acceptable Use Policy

Incident Response. Proactive Incident Management. Sean Curran Director

Transcription:

Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000 To: Information Security Advisory Committee Information Security Coordinators Information Technology Coordinating Council Technology Leaders From: David Kovarik Subject: Monthly Security Report for September 2009 Date: October 09, 2009 During the month of September 2009, we experienced 148 Security Events, including 31 Security Incidents, all of Low Severity. During the same month of 2008, we had a total of 153 Events. Security Incidents NUSA Notifications Copyright Violations Total Security Events September 2009 31 77 40 148 September 2008 28 103 22 153 Two incidents are worth further examination: 1) A school experienced a compromise of a number Macintosh computers, due to the following: a) the department was using asset management software requiring port 22 (SSH-Secure Shell protocol) to be open on the department s firewall; b) the department was scanned by an outside party for SSH accounts. An account named test with a password of test was identified, overtaken and then used to compromise the other computers. 2) A computer lab was being used to teach a computer security class, with virtual machines installed on each computer within the lab. A student teaching the class left an account named test with a password of test on the virtual machines that was subsequently overtaken and used to compromise all machines within the lab. The September Events are separated into the following categories: Administrative Network Dormitory Network Remote Access & NetIDs o Suspected malware o Suspicious services o Notices via NUSA o Copyright violations o Other incidents 5 8 76 9 1 o Suspected malware o Suspicious services o Notices via NUSA o Copyright violations o Other incidents 2 1 1 7 0 o Suspected malware o Suspicious services o Notices via NUSA o Copyright violations o Other incidents 5 9 0 24 0 Total 99 Total 11 Total 38 Total All Incidents: 148 Classified: INTERNAL 1

Vulnerability Assessments - Completed web scan for Oncofertility site - Completed 3rd quarter Data Center assessment Table and Category Descriptions Security Incidents Actual compromise of a system or application; includes investigations conducted as a result of a suspected or actual incident. Suspected malware An incident indicating that the host was detected doing outbound scans on various TCP ports. This is often how malware spreads. Suspicious service An incident indicating that the host has a service that is being used, in violation of university policies. These services include a FTP server for file transfers and spam relays that allow the host to be used to send bulk commercial email, installed on it. These hosts can also have bots installed on them. Bots are a series of remote hosts that will follow the commands of the controlling host. Often these are used to attack other networks. Typically these actions are done as part of an infection and is used to share various, often illegal content. Other incidents Includes incident-related activities, e.g., research conducted at request of Human Resources or University Police. Also includes reported phishing activities that require some action and response by ISS/C and/or NUIT personnel. Security Events The combination of Security Incidents (as defined above) and the following: Copyright violations Events that are usually indicated by receipt of external notification that one of our hosts is being used to distribute copyrighted material in violation of the DMCA. Often these hosts are running various forms of Peer to Peer networking software. NUSA notifications Events indicated by our remote vulnerability scanning software that detected a potential security problem (vulnerability) with the host. We put this information into NUSA to notify the system administrator, so that the problem may be addressed before it is exploited. Classified: INTERNAL 2

Summary Report of Security Incidents Severity 2 and 3, September 2008 September 2009 Date Description Severity Action / Recommendation Jun-09 Feb-09 Jan-09 Apr-09 On June 15 and 22, ISS/C discovered two staff members who appeared to have been victims of a successful phishing attack. The compromised accounts were used to generate large amounts of spam, resulting in the temporary blacklisting of NU mail servers by several ISPs. On February 13, notification was received of possible compromise of two NU accounts assigned to a student and visiting scholar. The NetIDs were suspended and users contacted. A computer that was used to process reports for a research project was compromised. The exact date of the compromise is unknown. The compromise happened at least as far back as November 2008. The machine had been moved to the department in 2007. It was not being properly maintained and was discovered to have more than 50 different viruses and adware. The computer contained a file that contained research data on approximately 1700 individuals. Several hosts on the Northwestern network were found to be using a Ukrainian Domain Name Server (DNS) instead of the Northwestern DNS. ISS/C s investigation discovered approximately 70 hosts with Microsoft Windows or Apple OS-X infected with malware. 3 The users appeared to have responded to phishing e-mail with personal information. Users were instructed to change account passwords and monitor the accounts for unusual behavior. 3 The users appeared to have responded to phishing e-mail with personal information. Users were instructed to change account passwords and monitor the accounts for unusual behavior. 3 The department mailed notices to the individuals contained in the file, in early February, and the computer was secured and returned to service. Additional measures and technical support were recommended to help minimize risk of future occurrence. 2 NU-IT instituted a block of DNS (port 53) traffic to the Ukrainian network. The malware could not be removed by the then available anti-viral solutions, so a rebuild of infected machines was recommended. Classified: INTERNAL 3

Legend Security Incidents: Severity 1, 2 and 3 Severity Symptoms 3 High A. Network or system outage with significant impact to user population or operation of the University B. High probability of propagation C. Probable or actual release or compromise of sensitive data (financial records, personal data, passwords) D. Requires immediate remedial action to prevent further compromise of data or adversity to network E. Notification of entities outside the University is required. F. Coded Red. 2 Medium A. Some adverse impact to the operation of the University. B. Adverse effects are localized or contained, or minimal risk of propagation. C. No sensitive data was released or compromised. D. Remedial but not immediate action is required. E. Notification of entities within the University may be recommended. F. Coded Orange 1 Low A. Minimal impact to small segment of user population or operation of the University. B. Completely localized, with few individuals affected, and presenting little or no risk to other entities. C. No apparent loss or compromise of data. D. Remedial action is required. E. No notification required. F. Coded Yellow Classified: INTERNAL 4

Legend Description Outbound Scanning FTP Server BotNet Participation Spam Relay Notices via NUSA Copyright Violations Security Incidents: Severity 1 (Low) Explanation This host was detected performing outbound scans on various TCP ports. This condition is often indicative of malware infestation and its attempt to propagate. This host was subjected to the installation of an FTP server, typical of many types of infections. The FTP server is used to transfer files of various types and often illegal content. The host has been determined to be executing comparisons of DNS requests to hosts that are known BotNet controllers. Bots are a series of remote hosts that follow the commands of the controlling host. Often these hosts are used to attack other networks. This host is being used to originate various types of bulk email. Often these hosts are infected with a backdoor virus that allows spammers to use the host to send e-mail of their choice. Indicates that our remote vulnerability scanning software detected a potential security problem with the host. This information is placed into NUSA, and notification sent to the NUSA contact to address the problem before it is exploited. Notices are included in the total incident account as it is assumed an unresolved vulnerability has a high probability of compromise. These are usually external notifications we receive indicating that one of our hosts is being used to distribute copyrighted material in violation of the DMCA. Often these hosts are running various forms of Peer to Peer networking software. Classified: INTERNAL 5

Classified: INTERNAL 6

2005: September-December Classified: INTERNAL 7

Classified: INTERNAL 8

For information on NU BAYU Be Aware You re Uploading, see http://www.it.northwestern.edu/security/nubayu/ Classified: INTERNAL 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information