Educause Security Discussion mailing list archives
Re: Brief Survey On Handling Hacked Machines
From: Lance Jordan <lancejor () RCI RUTGERS EDU>
Date: Tue, 29 Oct 2002 15:22:29 -0500
Richard, here is Rutgers' response.
With that in mind, we are curious about how other universities and institutions of higher learning deal with such things and have a few questions:

1. What processes are you using to ensure desktop security? Are you reactive or proactive in your approach?

Proactive:
* Rutgers initiated a PC purchase program two years ago to help academic and administrative departments upgrade desktop systems. Computer purchases were subsidized by the university/state, and the preferred vendors provided attractive pricing on their products.
* We have an academic site license for Zone Alarm personal firewall software.
* We have a university-wide site license for McAfee AV software.
* We have an internal scanning program to identify system vulnerabilities.
* We have a computer security awareness campaign where we visit departments and help them develop security plans.
* We are developing an IDS capability.
* We teach a SANS mentor-led basic level security course (GSEC) once a year, and we subsidize the cost to the department.
* Virus filtering of email at our central email servers.

Reactive:
* We have an incident response team that responds to complaints, and we follow up with departmental computing staff to resolve issues.
* We monitor the ongoing trends within the university and publish information to several listservs.
2. What issues do you have?
Trying to maintain a balance between a secure computing environment and the ability to openly share information and ideas.
3. Are you using firewalls/virus protection?
Yes. We have a university firewall at our gateway and we recommend that departments install firewalls on their subnets.
4. What products are you using for this?
We have a partnership with Cisco for routers, switches, VPNs and firewalls, but our departments are free to purchase any product that meets their needs.
5. Do you have a method of "pushing out" software patches/security fixes?
Some of our departments are using packages such as SMS or SUS on the Windows side, and Novell with ZENworks.
6. How do you handle compromised machines? (That is, a machine that has been hijacked to serve another purpose, with the possibility of backdoors etc. remaining.)
If a system is attacking other systems, or if it has been discovered to be a warez server or some other media-type server, it is disconnected from the network until the problem is corrected.
Answers to these from our site's perspective are:

1. User education, promotion of safe computing practices, communication with users about security issues and why they're necessary. The approach is proactive, but there are always things not planned for where reaction is the only means of dealing with it.
2. Issues would include such things as user compliance and education, manpower, privacy and feelings of intrusiveness (not everyone likes the IT folks doing any more poking around than necessary!).
3. Antivirus software (desktop and on mail servers); firewalls planned.
4. On the desktop we use Trend's OfficeScan; servers use Norton's, Sophos on mail servers.
5. We use SMS for some of our business-oriented software (like Oracle and PeopleSoft) but not for patches.
6. This can depend on the degree of compromise. Rebuilding is always an option unless a clear means of removal is known.

If you have a few moments, we would appreciate your responding with a line or two for these questions.

Thanks for your time,
Rich Travsky
Division of Information Technology
RTRAVSKY @ UWYO.EDU
University of Wyoming
(307) 766 - 3668

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
--
Lance D. Jordan
Director, Information Protection & Security
Rutgers University Computing Services
(Voice) 732-445-8138
(Fax) 732-445-8023