Educause Security Discussion mailing list archives
Re: Deepfreeze - Why not?
From: Tim Doty <tdoty () MST EDU>
Date: Fri, 18 Nov 2011 12:17:18 -0600
On Thu, 2011-11-17 at 22:17 -0500, Mclaughlin, Kevin (mclaugkl) wrote:
> I wonder if it would be worthwhile to tie this thread into thought discussions on the large scale relatively undiscovered theft and siphoning off of intellectual property from IHE’s.
In this context it would depend on what access to IP was possible through the lab machine and how such activity would be identified, substantiated and tracked. Our labs all require authentication (central logging provides tracking) and have no more access to IP than a random computer on the Internet, excepting the journals. And access to the journals is tracked via network activity and tied to an account via authentication. None of which depends on the local machine (other than it being in our domain, forcing use of our authentication).

A greater risk from that viewpoint is the fact that the network jacks are not secured and a miscreant can bring in their own computing device, connect it to the network, hand-configure the MAC address to that of the computer they disconnected, take over its DHCP lease and leave us with no authentication records. (Though I've not seen or heard of anyone manipulating the DHCP client ID, which has allowed identifying the culprit when the culprit's system was normally used on our network, and some Windows systems end up being configured such that you get the user's name.)

That approach is difficult to protect against. You can have cameras, but they are easily defeated (dark green hoodie, low light conditions) even if unintentional (there was a theft where the only precaution the person took was turning out the lights. Too bad for him we use IR cameras; too bad for us the resolution and framerate never quite matched up with a frame good enough for an identification.)
> I guess what I am really stuck on and trying to figure out is whether or not we continue to make decisions of convenience to/for IT when those decisions may be ones that make it easier for the bad guys to access data and infrastructure that we don’t want them to access?
That is a good point. While I don't think that is so much an issue in this particular case, it is always one to consider. If convenience rules, security is often the first victim, even if unintended.
> I’m not saying that this is happening but my gut tells me that it’s worth taking a good hard look at.
We don't use DeepFreeze, but even if we did there are very few instances in which it would impact anything. There was an e-discovery, for example, that would have been less useful to the requestor. Not sure what impact it would really have made on the case as a whole, and certainly it would have been something that they would have just accepted (at least in that case). Because we use roaming profiles in the labs and students don't have admin privileges, files of interest are often not local to the machine and would be unaffected. Authentication is logged by the domain controllers, so we can always tie account authentication to a system by time. Similarly, netflow provides a certain amount of tracking for network activity. Server logs and netflow are my best tools when tracking down misbehavior.
> However, if forensic tools and carving still work on a DeepFreeze machine then most of my arguments and concerns are moot. Would anyone on the thread who uses DeepFreeze be willing to run an image through FTK or send me an image to run through FTK so we could see what results we get?
That would be an interesting exercise. But in the end I just don't see DeepFreeze adding up to that much of an issue for lab computers.

Tim Doty
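The lease take-over Tim describes above (a visitor hand-configures the MAC of a disconnected lab PC and inherits its DHCP lease, but the DHCP client identifier and hostname still give the intruder away) can be turned into a detection over the DHCP server's own records. The script below is an added example for this thread, not code from the original message or from any of the list members; it assumes ISC dhcpd.leases-format input and a constructed sample file (addresses, MACs and hostnames are made up). It parses each lease block, records the client identifier (option 61, which dhcpd stores as the `uid` field) and client hostname (option 12) that each MAC first presents, flags any later lease on that MAC with a different identity, and names whichever other MAC previously presented the same client identifier as the likely source. Whether the client identifier changes along with a spoofed MAC depends on the client's DHCP stack; the sample assumes, as the message reports, that it did not.

```python
"""
Flag DHCP lease take-over by a spoofed MAC, using the DHCP client
identifier (option 61, dhcpd's `uid`) and hostname (option 12) as the
identity that should stay constant for a given MAC.

Added example for this thread; input format is ISC dhcpd.leases, and
SAMPLE_LEASES below is constructed, not real data.
"""
import re
from collections import defaultdict

# dhcpd appends a new `lease <ip> { ... }` block on every ACK, so the file
# is chronological and the same IP can appear many times.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return dicts (ip, mac, uid, hostname, starts) in file order."""
    leases = []
    for match in LEASE_RE.finditer(text):
        rec = {"ip": match.group(1), "mac": None, "uid": None,
               "hostname": None, "starts": None}
        for line in match.group(2).splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("hardware ethernet "):
                rec["mac"] = line.split()[2].lower()
            elif line.startswith("uid "):
                # dhcpd writes the identifier octal-escaped; the raw quoted
                # text is stable per client, so it is compared literally.
                rec["uid"] = line[4:].strip().strip('"')
            elif line.startswith("client-hostname "):
                rec["hostname"] = line.split(None, 1)[1].strip('"')
            elif line.startswith("starts "):
                # "starts <weekday> YYYY/MM/DD HH:MM:SS" sorts correctly as text
                rec["starts"] = line.split(None, 2)[2]
        leases.append(rec)
    return leases


def find_lease_takeovers(leases):
    """
    A MAC whose (uid, hostname) differs from the identity it first
    presented is a candidate spoof; other MACs that already presented
    the same uid are reported as the likely source device.
    """
    leases = sorted(leases, key=lambda r: r["starts"] or "")
    baseline = {}                   # mac -> (uid, hostname) first seen
    uid_to_macs = defaultdict(set)  # uid -> MACs that have presented it
    findings = []
    for rec in leases:
        mac, identity = rec["mac"], (rec["uid"], rec["hostname"])
        if mac is None:             # abandoned/static entries carry no MAC
            continue
        if mac not in baseline:
            baseline[mac] = identity
        elif baseline[mac] != identity:
            suspects = sorted(uid_to_macs.get(rec["uid"], set()) - {mac})
            findings.append({"ip": rec["ip"], "mac": mac,
                             "starts": rec["starts"],
                             "expected": baseline[mac], "seen": identity,
                             "likely_source_macs": suspects})
        if rec["uid"]:              # clients sending no option 61 give no link
            uid_to_macs[rec["uid"]].add(mac)
    return findings


# Constructed sample: the visitor's laptop seen normally on 11/16, the lab
# PC's own lease and renewal on 11/17, then the lab PC's MAC re-appearing
# with the laptop's client identifier and hostname that evening.
SAMPLE_LEASES = r'''
lease 10.20.30.77 {
  starts 3 2011/11/16 13:05:10;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  uid "\001\000\252\273\314\335\356";
  client-hostname "JDOE-LAPTOP";
}
lease 10.20.30.40 {
  starts 4 2011/11/17 08:00:02;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  uid "\001\000\032+<M^";
  client-hostname "LAB-PC-12";
}
lease 10.20.30.40 {
  starts 4 2011/11/17 12:00:02;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  uid "\001\000\032+<M^";
  client-hostname "LAB-PC-12";
}
lease 10.20.30.40 {
  starts 4 2011/11/17 21:31:45;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  uid "\001\000\252\273\314\335\356";
  client-hostname "JDOE-LAPTOP";
}
'''


def analyze(text=SAMPLE_LEASES):
    return find_lease_takeovers(parse_leases(text))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['starts']} {f['ip']} on {f['mac']}: presented {f['seen']}, "
              f"expected {f['expected']}; likely source "
              f"{f['likely_source_macs'] or 'unknown'}")
```

Run it against a copy of /var/lib/dhcp/dhcpd.leases (path and layout vary by distribution). Two caveats before acting on a hit: a reimaged or renamed lab PC will legitimately change hostname, so the baseline should be rebuilt after maintenance windows; and a client stack that derives option 61 from the current MAC will present a matching identifier after spoofing, leaving only the hostname (and, as the message notes, sometimes the user's name embedded in it) as the distinguishing signal.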