Educause Security Discussion mailing list archives

Re: Brief Survey On Handling Hacked Machines


From: Lance Jordan <lancejor () RCI RUTGERS EDU>
Date: Tue, 29 Oct 2002 15:22:29 -0500

Richard

Here is Rutgers' response

With that in mind, we are curious about how other universities and institutions
of higher learning deal with such things and have a few questions:

1. What processes are you using to ensure desktop security? Are you reactive or
proactive in your approach?

Proactive:

   * Rutgers initiated a PC purchase program two years ago to help
     academic and administrative departments upgrade desktop systems.
     Computer purchases were subsidized by the university/state and
     the preferred vendors provided attractive pricing on their products.
   * We have an academic site license for Zone Alarm personal firewall
     software.
   * We have a university-wide site license for McAfee AV software.
   * We have an internal scanning program to identify system
     vulnerabilities.
   * We have a computer security awareness campaign where we visit
     departments and help them develop security plans.
   * We are developing an IDS capability.
   * We teach a SANS mentor-led basic level security course (GSEC)
     once a year and we subsidize the cost to the department.
   * Virus filtering of email at our central email servers.

Reactive:

   * We have an incident response team that responds to complaints
     and we follow up with departmental computing staff to resolve issues.
   * We monitor the ongoing trends within the university and
     publish information to several listservs.



2. What issues do you have?

Trying to maintain a balance between a secure computing environment and
the ability to openly share information and ideas.


3. Are you using firewalls/virus protection?

Yes.  We have a university firewall at our gateway and we recommend that
departments install firewalls on their subnets.


4. What products are you using for this?

We have a partnership with Cisco for routers, switches, VPNs and
firewalls, but our departments are free to purchase any product that
meets their needs.


5. Do you have a method of "pushing out" software patches/security fixes?

Some of our departments are using packages such as SMS or SUS on the
Windows side and Novell with ZENworks.


6. How do you handle compromised machines? (That is, a machine that has been
hijacked to serve another purpose with the possibilities of backdoors etc remaining)

If a system is attacking other systems or if it has been discovered to
be a warez server or some other media-type server, it is disconnected
from the network until the problem is corrected.




Answers to these from our site's perspective are:

1. User education, promotion of safe computing practices, communication with users
about security issues and why they're necessary. The approach is proactive but there
are always things not planned for where reaction is the only means of dealing with
it.

2. Issues would include such things as user compliance and education, manpower,
privacy and feelings of intrusiveness (not everyone likes the IT folks doing any
more poking around than necessary!)

3. Antivirus software (desktop and on mail servers), firewalls planned.

4. On the desktop we use Trend's OfficeScan; servers use Norton, and Sophos is used on mail
servers.

5. We use SMS for some of our business oriented software (like Oracle and
Peoplesoft) but not for patches.

6. This can depend on the degree of compromising. Rebuilding is always an option
unless a clear means of removal is known.


If you have a few moments, we would appreciate your responding with a line or two
for these questions.

Thanks for your time,

Rich Travsky
Division of Information Technology     RTRAVSKY @ UWYO.EDU
University of Wyoming                  (307) 766 - 3668

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.




--
Lance D. Jordan
Director, Information Protection & Security
Rutgers University Computing Services
(Voice) 732-445-8138           (Fax) 732-445-8023
