Educause Security Discussion mailing list archives
Re: SECURITY Digest - 11 Feb 2021 (#2021-40)
From: Jesse F Moore <moorej1 () UW EDU>
Date: Thu, 11 Feb 2021 22:53:28 +0000
Regarding Security Onion. I would be very interested in others experience with using SecurityOnion2 in Distributed mode implementations that have tried to solve the East to West Traffic (mirror port from switch in each building perhaps) issues. Reference: https://docs.securityonion.net/en/2.3/architecture.html#architecture Jesse Moore (he/him/his<https://www.mypronouns.org/>) Office of the CISO | Sr. Cybersecurity Advisor moorej1 () uw edu | cellphone: 425-628-9070 University of Washington Bothell -------------------------------------------------------- https://ciso.uw.edu/ https://www.washington.edu/admin/rules/policies/ NOTE:If this record is not needed for any retention policies/laws please delete. This email (send/responded) is a Public Record. The university's public records are available for public inspection, except as otherwise provided by law. RCW 42.56.070(8)<https://apps.leg.wa.gov/rcw/default.aspx?cite=42.56.070> ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of SECURITY automatic digest system <LISTSERV () LISTSERV EDUCAUSE EDU> Sent: Thursday, February 11, 2021 2:00 PM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: SECURITY Digest - 11 Feb 2021 (#2021-40) There are 7 messages totalling 1961 lines in this issue. Topics of the day: 1. [External] [SECURITY] Security Onion - Hardware Recommendations 2. Security Onion - Hardware Recommendations 3. Final reminder - Session 201 survey responses due TODAY 4. DingTalk software concerns? (3) 5. [EdTalks] How Cornell University Provides IT Support Before, During & After the Pandemic ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ---------------------------------------------------------------------- Date: Thu, 11 Feb 2021 08:14:09 -0600 From: Jason Rinne <rinnej () MOVAL EDU> Subject: Re: [External] [SECURITY] Security Onion - Hardware Recommendations Hi Kevin, I knew there would be a lot of questions but I didn't know where to start to get the ball rolling. -I would say 1-2 users logged in and searching. -I would like to run suricata + zeek with this deployment but I don't know about full pcap. I doubt I have the budget for storing full pcap. *Jason Rinne* *Systems Administrator* 500 E College Street | Marshall, MO 65340 P| 660.831.4088 rinnej () moval edu | www.moval.edu<http://www.moval.edu> <http://www.google.com/url?q=http%3A%2F%2Fwww.moval.edu%2F&sa=D&sntz=1&usg=AFQjCNGKt2IG1bGuzs-09SwzY5L1h8waMQ> [image: www.moval.edu<http://www.moval.edu>] <http://www.moval.edu> On Thu, Feb 11, 2021 at 8:07 AM Kevin Wilcox <wilcoxkm () appstate edu> wrote:
Hi, Jason! What volume of data do you plan to pull in, how many users logged in and searching, are you running suricata + zeek, are you storing full pcap, there are lots of questions before any recommendations can be made =) kmw On Thu, Feb 11, 2021 at 8:50 AM Jason Rinne < 000001eec16a232b-dmarc-request () listserv educause edu> wrote:Does anyone have Security Onion running in their environment that would be willing to share your hardware specs? I had an older version of SO running before but only in a stand alone setup. I want to jump back in with the new version and need advice on hardware and deployment strategy. *Jason Rinne* *Systems Administrator* 500 E College Street | Marshall, MO 65340 P| 660.831.4088 rinnej () moval edu | www.moval.edu<http://www.moval.edu> <http://www.google.com/url?q=http%3A%2F%2Fwww.moval.edu%2F&sa=D&sntz=1&usg=AFQjCNGKt2IG1bGuzs-09SwzY5L1h8waMQ> [image: www.moval.edu<http://www.moval.edu>] <http://www.moval.edu> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ------------------------------ Date: Thu, 11 Feb 2021 14:25:04 +0000 From: "Foss, Henry L." <fossh () SACREDHEART EDU> Subject: Re: Security Onion - Hardware Recommendations I want to piggyback on this. On the same line of intrusion detection, can others share what they are using? We have looked at DarkTrace, and have determined that just PA FWs at the edge and DC are not enough to give us much visibility. We’re using Cisco DNA and ISE to provide further detail, but it is a manual process researching incidents. Thank you Hank Foss Manager of Security Infrastructure CISSP, MSCS, GPEN Sacred Heart University Main Campus HC112 Office: (203) 396-8279 Mobile: (203) 295-1356 [cid:image001.jpg@01D70057.C76E2C40] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Rinne Sent: Thursday, February 11, 2021 8:50 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Security Onion - Hardware Recommendations Does anyone have Security Onion running in their environment that would be willing to share your hardware specs? I had an older version of SO running before but only in a stand alone setup. I want to jump back in with the new version and need advice on hardware and deployment strategy. Jason Rinne Systems Administrator 500 E College Street | Marshall, MO 65340 P| 660.831.4088 rinnej () moval edu<mailto:rinnej () moval edu> | www.moval.edu<http://www.google.com/url?q=http%3A%2F%2Fwww.moval.edu%2F&sa=D&sntz=1&usg=AFQjCNGKt2IG1bGuzs-09SwzY5L1h8waMQ> [https://lh6.googleusercontent.com/XuZa3j7pHH3iFjepH4P14cXRavn1djc__UIiuR2od_dQECRQltJCLnKmFTEWzkhijQf9osBLbwkTDBL0Z68lNAEFnJ6fN-dFsSaRQpbuBwIPZEw9HjO9W3lm_oJRtXEp2mDG_7wC]<http://www.moval.edu/> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community The sender of this email is external to Sacred Heart University. Do not click any links unless you know and trust the sender. ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at ------------------------------ Date: Thu, 11 Feb 2021 07:01:51 -0800 From: Mitchell Pautz <mitchell.pautz () GMAIL COM> Subject: Final reminder - Session 201 survey responses due TODAY Dear Colleagues, Just a friendly reminder to please take a few minutes to complete this *survey <https://urldefense.com/v3/__https:/forms.gle/iAEBgUxj2aTUeom86__;!!LIr3w8kk_Xxm!58u7-dAby372tGqgu1S6qNCoD1ySW2FjhzA8shEu3Vy09fXHJB1iSSaTCjBWdA$> * Your responses will be extremely valuable in helping us plan for exciting and engaging future sessions. We want to hear from all of you regardless of whether you attended the last session or not. *Please complete this survey <https://urldefense.com/v3/__https:/forms.gle/iAEBgUxj2aTUeom86__;!!LIr3w8kk_Xxm!58u7-dAby372tGqgu1S6qNCoD1ySW2FjhzA8shEu3Vy09fXHJB1iSSaTCjBWdA$>by EOD TODAY. * Or copy and paste this link https://forms.gle/iAEBgUxj2aTUeom86 <https://urldefense.com/v3/__https:/forms.gle/iAEBgUxj2aTUeom86__;!!LIr3w8kk_Xxm!58u7-dAby372tGqgu1S6qNCoD1ySW2FjhzA8shEu3Vy09fXHJB1iSSaTCjBWdA$> Thank you The ITSM and DevOps session planning committee ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ------------------------------ Date: Thu, 11 Feb 2021 10:04:59 -0600 From: Ramon Rentas <rentas () MACALESTER EDU> Subject: Re: DingTalk software concerns? I never heard of that app until now, so I did some google searches and found lots of articles warning about the app's weak security that would allow the Chinese Government to spy in the app's users. Below is one of such articles. https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html Good luck, Ramón --- Ramón Rentas Associate Director for Infrastructure, Security & Enterprise Services Information Technology Services rentas () macalester edu 1600 Grand Avenue Saint Paul, MN 55105 USA [image: mac-sec-horizontal-logo-150w.jpg] *Never email your password to anyone!* The information transmitted may contain confidential material and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination or other use of, or taking of any action by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please delete the information from your system and contact the sender. The opinions expressed are those of the sender, and not necessarily those of Macalester College. On Thu, Feb 11, 2021 at 8:09 AM Bole, Jim A <jbole () albany edu> wrote:
We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks in China, use DingTalk. Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom. Anyone have any experience with this? I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their activities would be tracked by someone in China. And that tracking could potentially include things like our network ranges, etc. But it looks like the software itself isn’t malicious. The mobile app has been vetted by Apple and Google. I’ve reviewed their privacy page: https://page.dingtalk.com/wow/dingtalk/act/privacy-en-lite? I’ve reviewed their security whitepaper (attached). First time I’d heard of ChaCha20 encryption. While it does have some interesting language, it covers most of the basics. It’s an interesting use case and I’d appreciate any feedback. Jim Bole Chief Information Security Officer Information Technology Services University at Albany ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ------------------------------ Date: Thu, 11 Feb 2021 16:26:55 +0000 From: "Barton, Robert W." <bartonrt () LEWISU EDU> Subject: Re: DingTalk software concerns? I've had this conversation about our services in other countries, but China is even a little more different. Please see this from Stanford. https://uit.stanford.edu/security/travel/high-risk-countries-recommendations I know some recommendations that I have heard are to send new equipment and expect it to come home corrupted (don't even allow it back until 100% wiped), don't use your normal services (segment this group specially), rely more on manual process (if small group, email back grades to be input, etc.), and beware of physical security issues (not physical danger, but theft). Recommendations for Travelers to High Risk Countries - University IT<https://uit.stanford.edu/security/travel/high-risk-countries-recommendations> High risk countries Travel to High Risk Countries requires special consideration and preparation. Let’s start with what you’re taking with you. It’s important to take the minimum you need in order to get your work done while you’re gone. There are a range of options starting with the most secure and going down the minimum required actions. uit.stanford.edu Robert W. Barton Executive Director of Information Security & Policy Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ramon Rentas <rentas () MACALESTER EDU> Sent: Thursday, February 11, 2021 10:04 AM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] DingTalk software concerns? I never heard of that app until now, so I did some google searches and found lots of articles warning about the app's weak security that would allow the Chinese Government to spy in the app's users. Below is one of such articles. https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html Good luck, Ramón --- Ramón Rentas Associate Director for Infrastructure, Security & Enterprise Services Information Technology Services rentas () macalester edu<mailto:rentas () macalester edu> 1600 Grand Avenue Saint Paul, MN 55105 USA [mac-sec-horizontal-logo-150w.jpg] Never email your password to anyone! The information transmitted may contain confidential material and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination or other use of, or taking of any action by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please delete the information from your system and contact the sender. The opinions expressed are those of the sender, and not necessarily those of Macalester College. On Thu, Feb 11, 2021 at 8:09 AM Bole, Jim A <jbole () albany edu<mailto:jbole () albany edu>> wrote: We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks in China, use DingTalk. Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom. Anyone have any experience with this? I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their activities would be tracked by someone in China. And that tracking could potentially include things like our network ranges, etc. But it looks like the software itself isn’t malicious. The mobile app has been vetted by Apple and Google. I’ve reviewed their privacy page: https://page.dingtalk.com/wow/dingtalk/act/privacy-en-lite? I’ve reviewed their security whitepaper (attached). First time I’d heard of ChaCha20 encryption. While it does have some interesting language, it covers most of the basics. It’s an interesting use case and I’d appreciate any feedback. Jim Bole Chief Information Security Officer Information Technology Services University at Albany ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ------------------------------ Date: Thu, 11 Feb 2021 16:52:10 +0000 From: Henry Wojteczko <hank.wojteczko () CLASSEDESIGNUSA COM> Subject: Re: DingTalk software concerns? Robert: Chinese government sponsored cyber-hacks are very aggressive and highly sophisticated. I strongly agree with an approach of a high degree of segmentation with zero access to applications that contain sensitive data residing in the USA. Bear in mind that smart phones are also a risk. Consider loaning the person a tablet and flip phone. Have in place an intruder response plan in preparation for the inevitable attack. I have direct experience with an intrusion event from China during an engagement with a large corporate client. This client had a policy of loaning employees and contractors a loaner device that was highly hardened. Persons traveling to China for this company were not permitted access to sensitive data. Nor were they permitted to carry any corporate or personally owned devices into China of any kind. In this particular case, I witnessed an intrusion attempt from an employee’s compromised loaner device into the corporate network. The hackers did not get any data, but the intrusion attempts were very targeted in a failed attempt to steal vital company intellectual property. Best of luck. Thanks; Hank Wojteczko Practice Manager – Cloud Professional Services David Kent Consulting, Inc. 832.226.4432(m) hankwojteczko () davidkentconsulting com<mailto:hankwojteczko () davidkentconsulting com> www.davidkentconsulting.com<http://www.davidkentconsulting.com<http://www.davidkentconsulting.com<http://www.davidkentconsulting.com>> Notice of Confidentiality: This E-mail message and attachments (if any) are intended solely for the use of the intended addressee(s) hereof. In addition, this message and the attachments may contain information that is confidential, privileged or otherwise exempt from disclosure under applicable law. If you are not one of the intended recipients of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating, or otherwise using this transmission. Delivery of this E-mail to any person other than the intended recipient is not intended to waive any right or privilege. Unauthorized use of distribution is prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender by reply E-mail and immediately delete this E-mail from your system and destroy any and all other copies. Thank you. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barton, Robert W." <bartonrt () LEWISU EDU> Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> Date: Thursday, February 11, 2021 at 10:27 AM To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] DingTalk software concerns? I've had this conversation about our services in other countries, but China is even a little more different. Please see this from Stanford. https://uit.stanford.edu/security/travel/high-risk-countries-recommendations I know some recommendations that I have heard are to send new equipment and expect it to come home corrupted (don't even allow it back until 100% wiped), don't use your normal services (segment this group specially), rely more on manual process (if small group, email back grades to be input, etc.), and beware of physical security issues (not physical danger, but theft). Recommendations for Travelers to High Risk Countries - University IT<https://uit.stanford.edu/security/travel/high-risk-countries-recommendations> High risk countries Travel to High Risk Countries requires special consideration and preparation. Let’s start with what you’re taking with you. It’s important to take the minimum you need in order to get your work done while you’re gone. There are a range of options starting with the most secure and going down the minimum required actions. uit.stanford.edu Robert W. Barton Executive Director of Information Security & Policy Lewis University One University Parkway Romeoville, IL 60446-2200 815-836-5663 ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ramon Rentas <rentas () MACALESTER EDU> Sent: Thursday, February 11, 2021 10:04 AM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] DingTalk software concerns? I never heard of that app until now, so I did some google searches and found lots of articles warning about the app's weak security that would allow the Chinese Government to spy in the app's users. Below is one of such articles. https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html Good luck, Ramón --- Ramón Rentas Associate Director for Infrastructure, Security & Enterprise Services Information Technology Services rentas () macalester edu<mailto:rentas () macalester edu> 1600 Grand Avenue Saint Paul, MN 55105 USA [cid:~WRD0001.jpg] Never email your password to anyone! The information transmitted may contain confidential material and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination or other use of, or taking of any action by persons or entities other than the intended recipient is prohibited. If you are not the intended recipient, please delete the information from your system and contact the sender. The opinions expressed are those of the sender, and not necessarily those of Macalester College. On Thu, Feb 11, 2021 at 8:09 AM Bole, Jim A <jbole () albany edu<mailto:jbole () albany edu>> wrote: We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks in China, use DingTalk. Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom. Anyone have any experience with this? I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their activities would be tracked by someone in China. And that tracking could potentially include things like our network ranges, etc. But it looks like the software itself isn’t malicious. The mobile app has been vetted by Apple and Google. I’ve reviewed their privacy page: https://page.dingtalk.com/wow/dingtalk/act/privacy-en-lite? I’ve reviewed their security whitepaper (attached). First time I’d heard of ChaCha20 encryption. While it does have some interesting language, it covers most of the basics. It’s an interesting use case and I’d appreciate any feedback. Jim Bole Chief Information Security Officer Information Technology Services University at Albany ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/commu ------------------------------ Date: Thu, 11 Feb 2021 17:25:20 +0000 From: Lilly Berkley <lilly.berkley () CAMPUSCONSORTIUM ORG> Subject: [EdTalks] How Cornell University Provides IT Support Before, During & After the Pandemic Please join Keyan T Williams, Assistant Director, I.T. Support Operations from Cornell University and Karl Horvath, Ph.D., President at Campus Consortium for an EdTalk on “How Cornell University Provides IT Support Before, During & After the Pandemic” on Thursday, February 18, 2021, from 2:00 pm – 3:00 pm ET. Register here for free: [https://bit.ly/3aZvlNE] (only 100 seats available – first come, first serve) Keyan and Karl will discuss: The impacts of the pandemic and higher education sector challenges strain budgets and human resources. Already burdened with doing more for less institutions have to find a way to not just keep the IT service and support status quo but to increase quality service in the face of supporting online learning and a mobile work force. Why you should consider attending: Join this EdTalk to learn how Cornell University maintained service and support with limited staff and staying within budget. Our presenter will share the thought process behind his support strategies and how he plans to meet post pandemic demands in the future. Audience participation is encouraged. Past EdTalks: Kansas City Art Institute (KCAI) and University of Redlands [https://bit.ly/3gTb12R] Wisconsin Technical College System, Delaware County Community College and Pima Community College [https://bit.ly/3gTb12R] Columbia University, Wharton Online & University of Illinois at Chicago [https://bit.ly/3gTb12R] EDUCAUSE and NASFAA [https://bit.ly/3gTb12R] Thank you. Regards, Lilly Berkley| Manager, Community Engagement Campus Consortium ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ------------------------------ End of SECURITY Digest - 11 Feb 2021 (#2021-40) *********************************************** ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: SECURITY Digest - 11 Feb 2021 (#2021-40) Jesse F Moore (Feb 11)