Educause Security Discussion mailing list archives

Re: FW: Residence Hall Virus Solutions


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 28 Aug 2003 10:04:37 -0500

I hate it when I reread something a couple of times, and after I send it
I see a significant error.
 
In #1, the NAV client we put on the Security CD is set to automatically
get new patterns, I think every two days, from Norton.  As far as I
know, the net.cfg has nothing to do with it.
 
In #3, computers infected with Nachi/Welchia would NOT be seen as
vulnerable to RPC DCOM in our scan and so would NOT be sent to the fix
page.  The fix page, by the way, also patches for Webdav (that is, both
MS03-007 and MS03-026 are applied).
 
Let me also say, as our colleague Jeff Schiller said on CNN: this stuff
is getting old very quickly.
 
M.
 

-- 
Mark S. Bruhn, CISSP, CISM 

Chief IT Security and Policy Officer 
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu) 

Office of the Vice President for Information Technology and CIO 
Indiana University 
812-855-0326 

Incidents involving IU IT resources: it-incident () iu edu 
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 


-----Original Message-----
From: Bruhn, Mark S. 
Sent: Thursday, August 28, 2003 9:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FW: Residence Hall Virus Solutions


I've noted that several of these are being done successfully elsewhere
as well -- if there are other things people can add to this list, or
good improvements to suggest for these, that would be outstanding:
 
1)  we create a quarterly security CD, which contains NAV** and current
(as of then) virus definitions, service packs, patches, ssh client, and
other things.  The net.cfg on this CD also configs the device to
automatically get new virus definitions periodically.  Students get this
in their technology bag during move-in, and they can also buy it at any
time from the Bookstore for $5.  (But, we'd give it to a student free,
if one asked any of us for it.)
 
2)  this year we also created a "Run This CD First" CD.  It
automatically runs worm cleaner tools and applies missing patches.  It
also activates the XP firewall and blocks port 135.  This CD is being
handed to every student who moves into a dorm room, when they get their
technology move in bag.
 
3)  we've been registering student MAC addresses for several years.
Students who plug their computers into ResNet have been redirected to a
registration web page.  (We do not use Regnet.)  We added a scan to that
process, and student machines found vulnerable to RPC DCOM are
re-directed to a fix page before the registration page, that essentially
does the same stuff as the "Run This CD First" CD, except it doesn't
activate the firewall.  We're expiring all registrations that were done
before this new scan process was added, so those students have to
re-register.  Problem with this scan is that Nachi/Welchia patches the
RPC DCOM vulnerability...so they could be infected and would be sent to
the patch page.  But, see #5.
 
4)  we've had a hand-tag service program in residence halls for years
also -- when students get their technology move-in bag, they get a red
hang tag.  If they have technical trouble, they hang this on their door.
We have a gang of student consultants assigned to various dorms, and
they walk the halls periodically looking for these tags.  They help the
student with whatever their problem is, and at the same time make sure
the student has executed the security CD.  I shadowed one of these teams
for a while yesterday, and this works very well. 
 
5)  we analyze netflow data for worm infections on Resnet and Greeknet,
and an automatic report is generated daily and sent to our incident
response team (part of my office).  They use the student registration
data to contact the student associated with the devices listed, and send
them to the fix page.  Given the things above, we've seen very few
infections, with about 2/3 of the students moved in thus far.
 
6)  we run daily vulnerability scans on Resnet and Greeknet, the
results of which are also sent to our response team. They notify
students who are vulnerable to RPC DCOM.  We've had very few of these
also.
 
7)  we are filtering several protocols between ResNet and Greeknet and
the rest of campus.
 
All of this is accomplished through a fairly broad partnership,
generally coordinated by me, between my offices (ITPO and ITSO), network
operations, residence hall IT services, the computer support center, and
our messaging team (which manages email and DHCP processes).  And, we've
augmented our normal response team with a few volunteers from the IT
computing department -- these people interact (mostly via email) with
students and others who have had their devices blocked, or who have been
told they have something they need to fix.    
 
Have I said here before that partnerships are critical?  :)
 
**We renewed our NAV license under a consortium agreement within the
CIC.  We didn't pay as much as Tammy indicated.  But, I can't say the
exact amount.  But, consider how many desktops we could offer up, in the
Big Ten+Univ. of Chicago, even if only a few of us took advantage of the
terms.  And I think at least 7 campuses did.  Campuses in  a region (or
in a conference, if it isn't only an athletic one) should be ganging up
on some of these vendors.
 
M.

-- 
Mark S. Bruhn, CISSP, CISM 

Chief IT Security and Policy Officer 
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu) 

Office of the Vice President for Information Technology and CIO 
Indiana University 
812-855-0326 

Incidents involving IU IT resources: it-incident () iu edu 
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu 
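Items #5 and #6 above describe the triage loop (flow data is analyzed for worm activity, a daily report goes to the response team, and the registration data ties each offending device to a student who is then sent to the fix page) but not how the flow analysis itself is done. The following is an added example, not code from the original message or from Indiana University, that shows one way to implement that loop on a small scale. Everything in it is assumed: flow records are plain CSV lines; a host is treated as a likely RPC DCOM worm scanner when it reaches an unusual number of distinct destinations on TCP/135 inside a one-minute window (the fan-out threshold of 20 is arbitrary); the DHCP lease table, the MAC-registration table and the fix-page URL are constructed for the example.

```python
"""Flow-based worm triage: flag scanning hosts, then map them to students.

Added example with constructed data. The CSV layout, the fan-out heuristic,
the threshold, the lease/registration tables and the fix-page URL are all
assumptions, not anything from the original mailing-list message.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

SCAN_PORT = 135          # RPC DCOM port the message refers to
FANOUT_THRESHOLD = 20    # distinct destinations per window; assumed value
WINDOW_SECONDS = 60      # bucket width for the fan-out count

FIELDS = ("start", "src", "dst", "proto", "dport", "packets")


def _constructed_flows():
    """Build sample flow lines: start_time,src,dst,proto,dport,packets."""
    # Constructed: one host sweeps 25 consecutive addresses on tcp/135
    # with single-packet (unanswered SYN) flows inside the same minute.
    lines = ["2003-08-28T09:00:%02d,10.20.1.15,10.20.2.%d,tcp,135,1" % (i, i + 1)
             for i in range(25)]
    # Constructed benign traffic: a host talking to two file servers on
    # 135 and a web server on 80, well under the fan-out threshold.
    lines += [
        "2003-08-28T09:00:05,10.20.1.20,10.20.9.10,tcp,135,12",
        "2003-08-28T09:00:06,10.20.1.20,10.20.9.11,tcp,135,9",
        "2003-08-28T09:00:07,10.20.1.20,10.30.0.5,tcp,80,40",
    ]
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _constructed_flows()

# Constructed lookup tables: DHCP lease (IP -> MAC) and MAC registration.
DHCP_LEASES = {"10.20.1.15": "00:11:22:33:44:55",
               "10.20.1.20": "00:11:22:33:44:66"}
REGISTRATIONS = {"00:11:22:33:44:55": {"student": "jdoe",
                                       "email": "jdoe@example.edu"}}


def parse_flows(text):
    """Parse CSV flow lines into dicts with typed start/dport/packets."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(FIELDS, row))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["dport"] = int(rec["dport"])
        rec["packets"] = int(rec["packets"])
        flows.append(rec)
    return flows


def find_scanners(flows, port=SCAN_PORT, threshold=FANOUT_THRESHOLD,
                  window=WINDOW_SECONDS):
    """Return {src: peak distinct-destination count} for sources whose
    fan-out on TCP/`port` within any `window`-second bucket reaches
    `threshold`. Hosts contacting a few servers on that port are ignored."""
    buckets = defaultdict(set)  # (src, bucket) -> set of destinations
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != port:
            continue
        bucket = int(f["start"].timestamp()) // window
        buckets[(f["src"], bucket)].add(f["dst"])
    peak = defaultdict(int)
    for (src, _), dsts in buckets.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= threshold}


def build_report(scanners, leases, registrations,
                 fix_page="http://fix.example.edu/"):
    """Join flagged IPs to the lease and registration tables so the
    response team knows whom to contact; unregistered devices are noted."""
    report = []
    for src, fanout in sorted(scanners.items()):
        mac = leases.get(src)
        reg = registrations.get(mac, {}) if mac else {}
        report.append({
            "ip": src,
            "mac": mac,
            "fanout_per_window": fanout,
            "student": reg.get("student"),
            "email": reg.get("email"),
            "action": ("send fix page " + fix_page) if reg
                      else "no registration on file; escalate",
        })
    return report


if __name__ == "__main__":
    flagged = find_scanners(parse_flows(SAMPLE_FLOWS))
    for row in build_report(flagged, DHCP_LEASES, REGISTRATIONS):
        print(row)
```

Run as-is, it flags only 10.20.1.15 (25 distinct destinations on TCP/135 in one minute) and resolves it through the lease and registration tables to the student to notify; the host with two SMB-style connections on 135 is left alone. The fan-out-per-window heuristic is only one signal, so in practice the threshold would be tuned against a baseline of normal residence-hall traffic before the daily report is trusted.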


-----Original Message-----
From: Helms, Sandra [mailto:SANDY () BUMAIL BRADLEY EDU] 
Sent: Wednesday, August 27, 2003 5:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FW: Residence Hall Virus Solutions





Hi there -  I am interested in quick summaries of how people are
handling students bringing computers back to school with no virus
protection.  We do not have a policy in place to require virus
protection software.  Thank you very much.

Sandra J. Helms 
Director of Academic Computing 
Bradley University 
1501 W. Bradley Avenue 
Peoria, IL  61625 
309.677.2808 
sandy () bradley edu

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/. **********