The 10 August 2005 issue of the SANS NewsBites newsletter featured this comment by John Pescatore:
"There has [sic] been a flood of universities acknowledging data compromises and .edu domains are one of the largest sources of computers compromised with malicious software. While the amount of attention universities pay to security has been rising in the past few years, it has mostly been to react to potential lawsuits do [sic] to illegal file sharing and the like - universities need to pay way more attention to how their own sys admins manage their own servers."
I agree with John's assessment, except for the last phrase that implies university sys admins "need to pay way more attention" to security. From my own view of the world, a lot of university system administrators read TaoSecurity Blog, attend my classes (especially USENIX), and read my books. I believe the fault lies with professors and university management who generally do not care about security and are unwilling to devote the will and resources to properly secure .edu networks.
The 17 August 2005 newsletter features a letter to the editor signed by eleven .edu security analysts. They take exception with Mr. Pescatore's comments. SANS is requesting comments on that letter. Here is my take on a few excerpts.
The letter states:
"Many of these schools are complex and most security implementations typically used at a corporate or government level don't fit a university model because a broader range of network activities is permitted on university networks, in large part due to a much more limited set of policies and controls compared to government and commercial entities."
The "broader range of network activities" is part of the problem. Most .edu networks apply very little inbound access control and hardly any outbound access control. (Sometimes that is reversed; one .edu I worked with implemented zero inbound control and a single outbound control denying TFTP!)
Do .edu networks think the corporate world does not support a wide variety of protocols and services? I recently finished a traffic threat assessment for a client. I was surprised to see the number of protocols in use that I did not immediately recognize. This is no different from a .edu, except the .com had taken steps to restrict use of those protocols and services to defined partners. "I can't define who will access my data," a .edu might reply. If that is the case, the .edu has decided that anyone in the world can access potentially sensitive data. (See the section below on the "tenth planet" to read consequences of that stance.) In reality, the .edu is saying "it's too difficult" to define who should access data. That's a cop-out.
The "limited set of policies and controls" is not the fault of the administrators. It is the fault of management who refuse to rein in professors, or to force them to accept responsibility for operating insecure systems. If a professor is a prolific researcher, he or she is often given a "pass" to run whatever infrastructure he or she needs for research purposes. While research is obviously important, the professors and staff should realize that lack of security jeopardizes their research. How would they feel to know that a team of competing researchers, or even corporate spies, were stealing the next breakthrough in gene therapy from research systems?
We already know that so-called "tenth planet" discoverer Michael Brown was forced to rush his announcement for fear that "hackers" would reveal his work. I heard Mr. (Dr.?) Brown on NPR Science Friday a few weeks ago, and he confirmed the story. He and his colleagues preferred to give an orderly press conference to inform the world of their discovery. Instead, Mr. Brown decided to rush the process. He feared a "hacker" would provide information on how to find the tenth planet to amateur astronomers, who might then take credit for its discovery! Security is not an inconvenience; it's a necessity.
The letter continues:
"Many times, the tools to secure these environments don't exist and changing the culture in these heterogeneous environments to one which promotes secure computing is very difficult."
Actually, all of the tools to secure a .edu exist. Almost all of them exist in open source form, too. Ten years ago this might not have been the case, but today one can employ open source countermeasures that in some cases exceed their commercial counterparts. The array of network-centric security capabilities offered by OpenBSD, for example, is amazing. Firewall? Pf. VPN? IPSec. Secure remote access? OpenSSH. Centralized time synchronization? OpenNTPD. I could continue at the host level if one needed a reliable platform for hosting Web sites, handling email, etc.
The tools exist, but the managerial will to implement them does not.
The letter continues:
"Our overall approach to our networking is about promoting research and information sharing and our security architecture needs to take that into account. Many schools uphold the concept of the 'End-to-End' nature of the original Internet for both research and communication of ideas. These ideas on full connectivity have merit and cannot be dismissed because the nature of faculty research or inter-university collaboration might rely on unfettered access to the Internet. The concept of a DMZ is not feasible for many schools compared to many in government and business which cannot live without one."
Immense multi-national organizations foster information sharing and research. While they admittedly are not perfect, many enterprises manage to maintain better security than .edu's. The "end-to-end" Internet is a myth to which too many people cling. That model may have worked when the Internet was a private network, but "end-to-end" today places no barriers between your system and anyone else in the world with an IP address.
The majority of hosts are not designed, configured, or deployed in a self-defending manner. Hosts that cannot protect themselves must be supported by additional security resources. Even if a system could be operated independently (e.g., an OpenBSD server), without any network-based access control, this is not a tenable defensive model. The .edu world needs to understand that defense-in-depth is one of the best ways to compensate for weak host software, potential misconfiguration, and aggressive intruders.
Finally, "the concept of a DMZ" is not feasible for many organizations, not just .edu's.
Security zones, which group hosts of similar security requirements, are now the best way to offer network-centric access control and monitoring.
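As an added illustration (not part of the original post), here is a pf.conf sketch of default-deny, zone-based inbound and outbound access control, with the single-TFTP-rule policy from the anecdote above left commented out for contrast. Interface names, address ranges, the partner table and the resolver are assumptions; documentation addresses are used throughout.

```pf
# Constructed example: interfaces, addresses and zone layout are assumptions.
ext_if      = "em0"              # Internet uplink
research_if = "em1"              # research lab zone
admin_if    = "em2"              # administrative systems zone
resnet_if   = "em3"              # student residence zone

research_net = "192.0.2.0/26"
admin_net    = "192.0.2.64/26"
resnet_net   = "192.0.2.128/25"
resolver     = "203.0.113.53"    # campus DNS resolver (assumed)

table <internal> const { 192.0.2.0/24 }        # all three zones
table <partners> persist { 198.51.100.0/24 }   # defined collaborators

# Weak policy from the anecdote, for contrast only (left commented out):
#   pass all
#   block out quick on $ext_if proto udp to port 69

set skip on lo
block log all                    # default deny in both directions, logged
pass out                         # egress side; policy is enforced on ingress

# Inbound from the Internet: only defined partners reach research services.
pass in on $ext_if proto tcp from <partners> to $research_net port { 22 443 }

# Research zone: SSH/HTTPS to partners, web to the Internet.
pass in on $research_if proto tcp from $research_net to <partners> port { 22 443 }
pass in on $research_if proto tcp from $research_net to ! <internal> port { 80 443 }

# Administrative zone: nothing inbound; outbound web only.
pass in on $admin_if proto tcp from $admin_net to ! <internal> port { 80 443 }

# Residence zone: outbound web only, never into other campus zones.
pass in on $resnet_if proto tcp from $resnet_net to ! <internal> port { 80 443 }

# DNS for every zone goes to the campus resolver only.
pass in on { $research_if $admin_if $resnet_if } proto { tcp udp } \
    to $resolver port 53
```

Because every zone starts from `block log all`, anything not explicitly defined (including traffic between zones) is dropped and logged, which gives monitoring data on what users actually attempt.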
What are your thoughts?