Tuesday, August 25, 2009
Ira Winkler talks Campus Network Security
Securing College Web Portals

"First, web portals must treat both internal and external systems as hostile," said Ira Winkler, chief security strategist, Hewlett-Packard. Together with network isolation, this is Mr. Winkler's guiding principle for web portals. As far as auditing goes, even internal systems should be hardened against intrusion. This includes ensuring that every available security patch for every piece of software has been downloaded and installed, that all permissions are set to the minimum required, and that there is a way to verify and fully assess how these things were done. In addition to hardening the operating system, it is necessary to harden the application software, the web server being the first example. "Often it is not the operating system that is compromised when someone hacks in; it is the application, the web server, and Microsoft Internet Information Server (IIS). Macromedia ColdFusion is a bad one for that," says Winkler. Every other piece of software must be tightened as well: any software, including the home-grown pride and joy, has some bugs in it. Test these applications and make sure they are secure. "Hardening means making sure you did not leave Perl [an open-source scripting language] as an executable, or other executable programs, in the management directories and things like that," says Winkler. The next step is to assess the hardware and software around the portal, such as firewalls, routers, servers and databases. A security hole in a router, for example, invites an intrusion into the router, which leads to compromise of the web server's functions. After everything has been hardened and declared secure, scan the network to see what a hacker could still do. Commercial tools are preferable because they tend to be somewhat broader and provide better reporting, said Winkler. You should scan systems regularly.
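One concrete form of the check Winkler describes (no interpreters or loose permissions in the web server's CGI directories, least privilege on everything else) is a small audit script. The example below is added here and is not code from the article or from Hewlett-Packard; it builds a constructed, throwaway document root under a temporary directory so it can run offline, and the interpreter name list is an assumption you would extend for your own servers.

```python
"""Audit a web document root for the hardening failures discussed above:
interpreters dropped into cgi-bin, world-writable or setuid files, and
executables outside cgi-bin. Added example, not from the original article."""
import os
import shutil
import stat
import tempfile

# Interpreter binaries that must never be reachable as CGI programs.
# Assumed list for this example; extend it for your environment.
INTERPRETERS = {"perl", "sh", "bash", "python", "php", "ksh", "csh"}


def audit_webroot(root):
    """Walk `root` and return (relative path, problem) tuples for each finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_cgi = os.path.basename(dirpath) == "cgi-bin"
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                # Symlinks can point outside the web root; treat as a finding.
                findings.append((rel, "symlink in web root"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
            if in_cgi and name in INTERPRETERS and mode & stat.S_IXUSR:
                findings.append((rel, "interpreter exposed as CGI"))
            if not in_cgi and mode & stat.S_IXOTH:
                # Static content should never carry an execute bit.
                findings.append((rel, "executable outside cgi-bin"))
    return findings


def build_sample_webroot():
    """Create a constructed document root with one good and several bad files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    os.makedirs(os.path.join(root, "uploads"))

    def put(rel, mode, body="#!/bin/sh\necho ok\n"):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

    put("index.html", 0o644, "<html></html>\n")   # fine: static, read-only
    put("cgi-bin/search.cgi", 0o755)                # fine: a legitimate CGI program
    put("cgi-bin/perl", 0o755)                      # bad: interpreter copied into cgi-bin
    put("cgi-bin/upload.cgi", 0o777)                # bad: world-writable
    put("cgi-bin/admin.cgi", 0o4755)                # bad: setuid
    put("uploads/shell.sh", 0o755)                  # bad: executable in an upload dir
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for rel, problem in sorted(audit_webroot(sample)):
            print(f"{problem:28s} {rel}")
    finally:
        shutil.rmtree(sample)
```

Point it at a real `DocumentRoot` (and run it from cron, since the article's advice is to scan regularly) and every line it prints is something an attacker who finds a file-upload or path bug can turn into code execution.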
New vulnerabilities can be discovered at any time, and even human error can lead to an accidental reconfiguration that leaves a hole behind.

Rely on Industry?

How can schools and industry work together to minimize students becoming victims or perpetrators of hacking, stealing bandwidth on campus networks, for example? "A university must have its own security program. No organization, academic or otherwise, should rely on external parties for its security. What that does is basically give up control, which you should never do. Sometimes, for example, if the university's ISP is weak, that is a problem, but there are things [the university] can do even if its ISP has its problems. As for collaboration with industry, frankly, good security is good systems management. What you have to do is make sure that systems are properly managed and have adequate access controls and intrusion detection, and that has the effect of ensuring that individuals do not contribute to hacking and violations of policies and procedures," says Winkler.

Here is Ira's solution: lean less on industry. You need a strong basic security program. You need access controls. You need internal and external intrusion detection systems to see if someone is acting "maliciously" or even just "unusually". "Research the policies and the services provided on the network," said Winkler. Learn how people use their systems. Make sure nobody is setting up "warez" sites on them. "If you see large-scale bandwidth, if you see a service running that should not be, [you have detected a problem]." Policy management tools such as Polivec's Polivec 3, Securify's SecurVantage product line and other such products are now available, and some of them might be worth exploring.

Is Legislation a Solution?

Very definitely. "The Internet has had two decades to work out how to secure its systems. And while there are some efforts, the good efforts are biased and industry-specific in many cases," says Winkler.
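The two signals Winkler names for spotting a "warez" box (large-scale bandwidth and a service that should not be running) can be pulled out of ordinary flow summaries. The example below is added here and is not code from the article; the flow records, the 10.0.0.0/8 campus range and the list of hosts allowed to run public services are all constructed assumptions. It goes slightly beyond the text by using a median/MAD baseline so one enormous host cannot hide itself by dragging the average up.

```python
"""Flag campus hosts that look like warez servers from unidirectional flow
summaries: (src, dst, dst_port, bytes). Added example, not from the article."""
import ipaddress
from collections import defaultdict
from statistics import median

CAMPUS = ipaddress.ip_network("10.0.0.0/8")          # assumed campus range
# Hosts that are supposed to serve the public, and on which ports (assumed).
KNOWN_SERVERS = {"10.0.0.5": {80, 443}, "10.0.0.6": {22}}

# Constructed flow summaries for one hour.
SAMPLE_FLOWS = [
    # ordinary users browsing and mailing
    ("10.1.1.10", "198.51.100.5", 80, 40_000),
    ("10.1.1.11", "198.51.100.5", 443, 25_000),
    ("10.1.1.12", "198.51.100.7", 25, 6_000),
    ("10.1.1.13", "198.51.100.5", 80, 55_000),
    ("10.1.1.14", "198.51.100.9", 443, 30_000),
    # outsiders using the campus web server: allowed
    ("203.0.113.1", "10.0.0.5", 80, 700),
    ("203.0.113.2", "10.0.0.5", 80, 650),
    ("203.0.113.3", "10.0.0.5", 443, 900),
    # a dorm host running FTP for many outsiders and pushing gigabytes out
    ("203.0.113.20", "10.1.1.77", 21, 900),
    ("203.0.113.21", "10.1.1.77", 21, 850),
    ("203.0.113.22", "10.1.1.77", 21, 910),
    ("203.0.113.23", "10.1.1.77", 21, 870),
    ("10.1.1.77", "203.0.113.20", 52344, 1_800_000_000),
    ("10.1.1.77", "203.0.113.21", 52891, 2_100_000_000),
    # two outsiders hitting SSH on a dorm host: below the client threshold
    ("203.0.113.30", "10.1.1.12", 22, 500),
    ("203.0.113.31", "10.1.1.12", 22, 500),
]


def is_campus(addr):
    return ipaddress.ip_address(addr) in CAMPUS


def outbound_bytes(flows):
    """Bytes each non-server campus host sent to the outside world."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_campus(src) and not is_campus(dst) and src not in KNOWN_SERVERS:
            totals[src] += nbytes
    return totals


def volume_outliers(totals, k=5.0):
    """Hosts above median + k*MAD. MAD is robust: a 4 GB host barely moves it."""
    vals = list(totals.values())
    if len(vals) < 3:
        return {}
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0   # never a zero-width band
    threshold = med + k * mad
    return {host: b for host, b in totals.items() if b > threshold}


def unexpected_services(flows, min_clients=3):
    """(host, port) pairs serving >= min_clients distinct outside clients
    that are not on the host's allowed-service list."""
    clients = defaultdict(set)
    for src, dst, port, _bytes in flows:
        if is_campus(dst) and not is_campus(src):
            clients[(dst, port)].add(src)
    found = {}
    for (host, port), srcs in clients.items():
        if port in KNOWN_SERVERS.get(host, set()):
            continue
        if len(srcs) >= min_clients:
            found[(host, port)] = len(srcs)
    return found


def report(flows):
    return {"volume": volume_outliers(outbound_bytes(flows)),
            "services": unexpected_services(flows)}


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_FLOWS).items():
        print(kind, hits)
```

A host that trips both tests at once, as 10.1.1.77 does here, is exactly the "service that should not be running plus large-scale bandwidth" pattern; either test alone produces more false positives (a researcher syncing a dataset, or a student running a game server for friends).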
When industry standards or recommendations are set voluntarily, compliance is often poor, enforcement relatively nonexistent, and neither is measurable. The Internet is a conglomerate of large transmission networks throughout the world. "Even if you theoretically had an entire industry and academia on board, it would be impossible. Say every university across the country voluntarily secured itself; if one [campus] does not secure itself, that compromises the security of all," said Winkler. If one participant in the Internet is not secured against password sniffing, for example, users logging in from inside or outside the university will have their accounts compromised [see Figures 1-3]. This affects those connected to the Internet at the university, those connecting to the university remotely, everyone. "The only way [security will be implemented] is if it is required by regulation ... by the insurance industry or the government," said Winkler.

[Figure title: How the World Bank was compromised by using a password sniffer at universities]
[Insert Figures 1, 2 and 3 here]
[Figure 1 caption: Courtesy of Ira Winkler, chief security strategist, Hewlett-Packard]
[Figure 2 caption: The path of the World Bank hack through universities, using a password sniffer and other tools; courtesy of Ira Winkler, chief security strategist, Hewlett-Packard]
[Figure 3 caption: The results of the World Bank hack; courtesy of Ira Winkler, chief security strategist, Hewlett-Packard]

A good model of enforcement paying off is the insurance industry's response to the Y2K problem. "The whole world talked about Y2K, but nobody would do anything until the insurance companies started saying you will not get directors' and officers' insurance unless you have an adequate Y2K program in place. Then the government passed laws saying that federal agencies must have an acceptable Y2K program in place as well. Then people saw action," said Winkler.
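The figures above describe a compromise that began with a password sniffer on a university network, and the text argues that one insecure campus exposes every account that passes through it. The example below, added here and not taken from the article or the figures, shows what such a sniffer gets from a shared segment: it parses a constructed packet capture and harvests credentials from the cleartext protocols (FTP, POP3, HTTP Basic) while SSH and TLS traffic yields nothing. The addresses and credentials are invented.

```python
"""What a password sniffer on a campus segment recovers from cleartext
protocols. Added example; packets below are constructed, not captured."""
import base64
import re

# Constructed capture in arrival order: (client, server, dst_port, payload).
CAPTURE = [
    ("10.2.3.4", "192.0.2.10", 110, b"USER jsmith\r\n"),
    ("10.2.3.4", "192.0.2.10", 110, b"PASS autumn-leaves\r\n"),
    ("10.2.3.9", "192.0.2.20", 21, b"USER ftpadmin\r\n"),
    ("10.2.3.9", "192.0.2.20", 21, b"PASS let-me-in-2003\r\n"),
    ("10.2.3.5", "192.0.2.30", 80,
     b"GET /admin/ HTTP/1.0\r\nAuthorization: Basic "
     + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    ("10.2.3.7", "192.0.2.20", 21, b"PASS orphan\r\n"),       # PASS with no USER seen
    ("10.2.3.6", "192.0.2.40", 22, b"SSH-2.0-OpenSSH\r\n\x14\x7f\x00"),  # opaque
    ("10.2.3.6", "192.0.2.50", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),    # TLS hello
]

CLEARTEXT = {21: "ftp", 110: "pop3"}          # USER/PASS style logins
USER_RE = re.compile(rb"^USER (\S+)", re.M)
PASS_RE = re.compile(rb"^PASS (\S+)", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def sniff_credentials(packets):
    """Return (proto, server, username, password) for every login that crossed
    the wire in the clear. Sessions are keyed by (client, server, port) so
    the USER and PASS of one login are paired even when interleaved."""
    pending = {}            # session key -> username awaiting its PASS
    creds = []
    for src, dst, port, payload in packets:
        key = (src, dst, port)
        if port in CLEARTEXT:
            m = USER_RE.search(payload)
            if m:
                pending[key] = m.group(1).decode(errors="replace")
            m = PASS_RE.search(payload)
            if m and key in pending:
                creds.append((CLEARTEXT[port], dst, pending.pop(key),
                              m.group(1).decode(errors="replace")))
        elif port == 80:
            for m in BASIC_RE.finditer(payload):
                try:
                    user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
                except (ValueError, UnicodeDecodeError):
                    continue
                creds.append(("http", dst, user, pw))
        # SSH, TLS and anything else: ciphertext or opaque, nothing to harvest.
    return creds


if __name__ == "__main__":
    for proto, server, user, pw in sniff_credentials(CAPTURE):
        print(f"{proto:5s} {server:12s} {user}:{pw}")
```

The defensive reading is the useful one: every line this prints is a login that should have been moved to SSH, SFTP, POP3 over TLS or HTTPS, after which the same capture yields only the two opaque records at the end.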
Later, people claimed that the money spent fixing the Y2K bug had gone down the drain, because there were no major disasters related to the end-of-century error. But it was because the money was spent and the bug was patched that there were no problems. Another model is the automotive industry. Mr. Winkler's life was saved by a seat belt, which probably would not have been there had seat belt laws not been passed. Despite industry opposition to airbags and seat belts, insurers lobbied Congress until airbags and seat belts were made compulsory. "Without regulation, we do not see any significant improvement," says Winkler.

The Big Picture

The best answer, from the broadest point of view, is to ensure efficient management of staff, resources and training. There must be enough people on staff, and there must be a reasonable amount of money set aside for tools, access controls and everything else you need. You need to know and follow vendor recommendations for the number of systems administrators required. "Often organizations do not have the slightest idea what that number is. What that means is that administrators tend to be fighting fires instead of proactively securing their systems. If they had been proactive in securing their systems, they would not have to worry about fighting fires," says Winkler.

Social Engineering

Colleges and universities face the same social engineering threats as any other group or organization. Social engineering is the manipulation of social interaction to gain access to information. "Usually when you do social engineering it is an attempt to get access to a company or something, but university systems tend to be so open that a hacker does not often need social engineering to obtain passwords or access to the university's systems. Frankly, in many cases it works just to guess the password," says Winkler.
Conclusion

Part of maintaining security in an environment is keeping full control and taking full responsibility, being willing to say that if something cannot be secured, you cannot use it. Hypothetically, if you go the route of trying to get a company like Microsoft to secure its products properly, you theoretically run the risk of waiting forever for it to actually do something. However, if you adopt the total-responsibility approach, under which anything that cannot be properly protected does not run, you can look through the wide range of open source solutions such as Linux and decide that you have options that let you take responsibility for securing your systems and still serve your constituents.

Ira Winkler

If network administrators and staff are well trained and present in sufficient numbers, that will greatly reduce security holes. What happens if staff is short and resources are tight? "This is a great learning experience for students and everyone else in how to protect their systems. It is infinitely more difficult to protect a system than it is to hack it. If you want the university to train computer science people in useful skills, training people to secure systems is going to be a more useful skill to learn. To help the university, make sure you have people who are adequately trained and, perhaps, even give some students extra credit, not for breaking into systems, but for helping to secure and harden their systems," says Winkler.

Sidebar: Higher Ed Hacks, Who and Why?

A lot of hackers break into university systems to use them as "jumping-off points" for much bigger hacks. "The number of students who actually hack, in the grand scheme of things, is fortunately a limited set of people. However, the systems at universities tend to be so open that hackers use them as jumping-off points to other locations. For example, many of the machines that took part in the distributed denial of service attacks Mafiaboy committed [in early 2000] were taken over through a significant number of university hacks. Hacks into Department of Defense systems have gone through university systems. In the case of an Argentine hacker reported in 1999, he stole hundreds of thousands of passwords and used many universities as jumping-off points to hack U.S. military systems," said Ira Winkler, chief security strategist, Hewlett-Packard. Hackers also collect "trophies", hacking a university computer just to deface a campus site and then moving on to hack another system. Some hackers use advanced hacks involving many systems in order to gain and maintain access, a sort of sleeper agent, waking up one day to use the hole they discovered and reserved for themselves to do more damage. "Once they compromise a system they make a note of it and then use it to go ahead and compromise [the next] [systems], making some effort to cover their tracks, for distributed denial of service," Winkler said. "That is where university computers are the main targets."

Sidebar: Two Are Always Better

Extra security measures for campus networks are always available. For example, while the wireless 802.11g standard was ratified in June 2003, WPA has yet to replace WEP and beef up wireless security. Security technologies such as fingerprint authentication and verification may be impractical for the devices in a university setup. Applications deemed at risk, such as instant messaging programs, are offered in hardened, more secure enterprise messaging clients that use their own secure servers. "IBM/Lotus Sametime is an instant messaging server that addresses the security issue. Microsoft released its Microsoft Office Live Communications Server 2003 product on October 21. This IM server not only deals with security issues, but offers tight integration with Microsoft Office, particularly the Outlook and Exchange e-mail clients," said Todd Clark, president of DenaliTEK, a security consultancy. Universities are increasingly aware. Through organizations such as ACUTA and articles like this, IT managers and specialists have opportunities to forge alliances, share resources and ask questions.