Virginia Tech needed to assess security threats to the network and bring the university into compliance, reports Greg Masters.
The IT team at a university is faced with many of the same issues as at a retail operation -- in particular, preserving the integrity of customer information on its computer networks. While students are not necessarily thought of as “customers,” the fact is their credit card and personal information traversing the university network must be protected with the same vigilance as at any retail operation.
Fred Pinkett, vice president of product management at Boston-based Core Security Technologies, says that part of the university environment is like an open network. While it tends to be more heterogeneous and built up over time, it is often challenged by funding restrictions.
“Pieces are put in place at different times,” he says. “There's a lot less control in the university environment than with a corporate environment. There's less control over the network.”
Added to this patchwork is the fact that the students are sophisticated users, using Web 2.0 and downloading a slew of music and videos. However, he points to this user base, and the administrators who watch over the network, as an audience inclined toward using sophisticated tools.
At Virginia Tech, that responsibility falls to Randy Marchany, director of the university's IT security laboratory and assistant IT security officer. The Blacksburg, Va.-based university – with more than 21,000 undergrads, 6,000 graduate students and 2,600 faculty members – had been using a freeware program with pen test capabilities to monitor its network operations connecting the user base to over 180 departments. However, when it came time to do security reviews, Marchany found the free utility's report generating to be insufficient.
In the fall of 2006, Marchany and his team began research to find an upgrade. The impetus in making the move, he says, was bringing university departments into compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). Marchany's team had to perform security tests, including vulnerability scans and penetration tests. Specifically, PCI Requirement 11.3 calls for “penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”
Investigating the marketplace, Marchany's team discovered that there were only two options available commercially that met their criteria to prevent breaches. One choice, Marchany says, didn't have good reporting capabilities. The other option was Core Impact from Core Security Technologies.
The engine of the Core product provides the same scanning as the freeware, Marchany says, but what sold him was the reports that the software generates. Virginia Tech's IT Security Lab is a component of the university's security office. Marchany and his team do actual security reviews, which he designates as sort of a pre-audit.
The review process helps the department take care of issues before they get audited, he explains. For example, the controller's office once handed his team a list of departments within the university that did credit card transactions. With Core Impact they were able to produce the reports required for PCI compliance.
“We wanted to be ready for PCI. When an external auditor comes in, we can hand in those management quality reports to meet compliance requirements,” he says.
The software package performs penetration testing: it runs vulnerability scanners against a department's machines and examines each system for vulnerabilities. If it finds one, it deposits a program on the machine, giving the user evidence that the machine is vulnerable to attack. The program then takes steps to patch the machine – tweaking a firewall to deny access, or perhaps even shutting the service down.
“By getting the Core Impact tool, we can spot ahead of time any problems that might happen before a pen test,” says Marchany.
The implementation of the Core Impact software went smoothly, Marchany says, adding that trainers from Core Security came onto the campus to walk his team through the initial installation and testing.
“The fun part about Core Security customers are they are a little more advanced in their thinking and security posture – simply by virtue of using proactive tools,” Pinkett says.
This is where a tool like Core Impact becomes useful, he adds. “The tool helps make sure vulnerability is under control and that preventive measures, like anti-virus, firewall, intrusion detection, are in place on an ongoing basis.”
The software, he points out, protects personal information on the network systems and prevents a misuse of resources. “Controls are in place,” he says. Plus, all software updates – including exploits and updating tables – are done automatically over the network.
Mike Yaffe, director of product marketing, Core Security, says that it is easy for someone with a bit of security experience to manage the implementation. “You don't need specialized experience.”
Marchany agrees, but with a caveat. “It's been a fairly easy tool to use,” says Marchany. But, he admits, it is not an easy tool with which to analyze results. “One needs a fair amount of intrusion detection background to interpret the results.”
While the initial implementation in 2006 was intended to fulfill only PCI requirements, the security review process has since been expanded to include Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and other “plain old” security reviews a department wants performed, says Marchany.
At $25,000 to buy, the price tag is high for an educational institution, Marchany adds. “But at the time we thought it would be worth the price.”
Virginia Tech: Security review
The IT Security Lab at Virginia Tech follows a two-week, white-box testing process, which includes replicating threats from internal staff or students with knowledge of the departmental networks – as well as hacking attempts from outside the university. After gathering information about a department's firewall rules, IP addresses and installed programs, testers leverage a comprehensive toolkit of applications for each security review:
- Local security testing – The tester identifies systems that contain Social Security numbers and credit card numbers using both custom scripts and a spider application from Cornell University.
- Vulnerability scanning – Using Nessus Vulnerability Scanner and Nmap Security Scanner, the tester assesses the department's IP address space for an overview of all potential security exposures.
- Automated network penetration testing – Scan results are imported into CORE IMPACT, which attempts to exploit found vulnerabilities in a deliberate, controlled manner. The tester uses the product to safely demonstrate exploit paths and interact with compromised systems, allowing departmental staff to see exactly how a real-world data breach could unfold – without suffering the consequences of an actual incident.
- Web application testing – The active review process concludes with an audit of web applications and servers using tools including Nikto, Wikto, WebScarab and Paros. – Core Security Technologies
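The first step of the review above relies on custom scripts to find systems holding credit card and Social Security numbers. The following is an added illustration of that kind of discovery script (it is not Virginia Tech's code or the Cornell spider): it flags files containing Luhn-valid card numbers or plausibly formatted SSNs, reports only redacted values, and runs over constructed sample files embedded in the block.

```python
"""Sensitive-data discovery for the review's "local security testing" step: flag files
holding payment card numbers (PANs) or U.S. SSNs. Added example, not Virginia Tech's."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSN in the dashed AAA-GG-SSSS form most often typed into documents.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")

def redact(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four so the report is not a leak

def scan_text(text: str) -> list:
    """Return (kind, redacted_value) for each validated hit in one document."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", redact(digits)))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("SSN", redact("".join(m.groups()))))
    return hits

def scan_files(files: dict) -> dict:
    """Scan a filename -> contents mapping; only files with validated hits are reported."""
    report = {name: scan_text(text) for name, text in files.items()}
    return {name: hits for name, hits in report.items() if hits}

# Constructed sample files; the card numbers are the public Visa/Mastercard test PANs.
SAMPLE_FILES = {
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004\n",
    "notes.txt": "ticket 1234567890123456 fails Luhn; call (540) 555-1234 for help\n",
    "hr.txt": "employee SSN 123-45-6789 on file; 000-12-3456 is a placeholder\n",
}
```

Running `scan_files(SAMPLE_FILES)` reports only `orders.csv` and `hr.txt`; the 16-digit ticket number and the placeholder SSN are filtered out by the Luhn and SSA-range checks rather than by the regexes alone.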