Page 1: INFORMATION SECURITY IN K-12 EDUCATION

NEW JERSEY TECHNOLOGY STUDY COUNCIL, 11/19/2015

Mark Lachniet, mark.lachniet@cdw.com (517-242-4874)

Page 2: About The Speaker

• Information Security Solutions Manager, CDW (previously Security Engineer)

• Presales and practice development

• Penetration testing

• Incident response & forensics

• Regulatory compliance (HIPAA, PCI, NIST 800-53)

• Past employment:

• K-12 Technology Director (Holt Schools)

• Instructor, Masters in Information Assurance, Walsh College

• Consulting at Analysts International, Promethean Security

• Industry certifications:

• Certified Information Systems Security Professional (CISSP)

• Certified Information Systems Auditor (CISA)

• Licensed Private Investigator #3701-205679 (Michigan)

Page 3: About The Speaker

• Historical perspective

• Hundreds of assessments over the last 15 years

• Penetration tests – i.e. “White Hat Hacking”

• Policy and Procedure Gap Analysis

• Incident Response / forensics

• Prior to doing consulting I was a K12 technology director

• Approximately 3,500 kids

• Annual budget of $300k - $600k

• Team of 5-8 staff

• Inherited a 12-site WAN with 56k leased lines, NetWare 4.0 and GroupWise

• Held most of the board positions on the Michigan Association for Educational Data Systems (mostly technical, non-curriculum)

Page 4: About The Speaker

• My one claim to K-12 fame:

• 1997 Linux Journal #41

• Replaced 56k with WLAN

• 1-4 mile hops

• Installed Linux firewalls

• Squid proxy server

• “naughty filter”

Page 5: Agenda

• Discuss the landscape of information security as revealed by the 2015 Verizon Data Breach Report with an emphasis on education

• Discuss the most critical controls that should be in place to stop bad guys (i.e. things that would stop me if I were doing a penetration test)

• Review a case example of an investigation I did on a student that had performed a major hack on a college and K-12 school district in Michigan

• Relate the most-critical controls to the real-life example

• Question and Answers

• No sales pitch!

Page 6: The 2015 Verizon Data Breach Report

• A fair number of incidents logged in the “education” category – seems to include Higher Ed

• Seems to be a limited amount of investigation?

Page 7: The 2015 Verizon Data Breach Report

• Looked at reported incidents (i.e. self-reported)

• Analyzed % of “Scope Unknown” removed < 50

• Is this because they don’t want to say how big the incident was or don’t know?

Page 8: The 2015 Verizon Data Breach Report

• Looked at confirmed data losses (i.e. public disclosures)

• Analyzed % of “Scope Unknown” removed < 50

• By my math, about 2/3rds of incidents in education were not investigated deeply enough to know what was affected (or they weren’t saying)

Page 9: Malware Events Per Week (5 analyzed)

• Other Industries:

Page 10: Malware Events Per Week (5 analyzed)

• Education: Ouch!

• Higher Ed Issues:

• Many machines on network

• “Academic Freedom” (to contract malware and fail?)

• Lack of oversight / central management

• Multiple departments & policies

• K-12 Issues:

• Budget?

• Different use patterns?

• Anti-Spam / Phishing difficulties?

Page 11: Time to Remediation – Other Industries

• How long did it take, by industry, to stop malware once it was established?

• Identified by malware command and control beacons

Page 12: Time to Remediation – Education

• Education has the worst record of those analyzed

• Chances are, it took around a month or more for malware to be discovered and eradicated

• Many non-managed systems

• Risky use cases:

• Home use laptops

• Video games

• Sketchy websites

• Social media

• Etc.

Page 13: Types of “Bad Stuff”

• When a root cause was found, education had the most in Crimeware and Errors, plus some theft

Page 14: Summary of Verizon Breach Data – Education

• A bit muddled because it mixes universities and K-12

• Higher Ed would be more of a target for espionage (key research, government funded programs, etc.)

• Less centralized oversight in Higher Ed – many departments

• Not good at keeping malware out (A/V, Anti-Phishing)

• Lots of malware, persistent malware – likely because it is on unmanaged systems

• Probably equally bad for semi-official devices like laptops used by students

• Must wonder how many student laptops were not even reported as they weren’t formally managed?

Page 15: My Top-10 Controls List

• Since Top-N lists are so popular, I made my own based on the things that slow me up the most when I am attacking an organization:

• Formal security management program – take time to do it right

• Software patching – especially third-party software like Acrobat

• Data handling – data classification and handling, encryption

• Trust relationships – DNS, shared passwords and other Windows “features”

• Accounts and passwords – too many admins, too guessable a password

• Regular security testing – test before someone else does

• Logging and log analysis – system visibility and awareness

• Incident response planning – communications and avoiding “chicken little”

• Border security – DMZ security and egress filtering

• Employee awareness – why not to open that attachment

• I will focus on issues that seem most important to K-12

Page 16: 3rd Party Software Patching

• A problem that virtually every organization has, in every industry, is the problem of maintaining workstation client software

• Especially Adobe Flash, Acrobat, Java, etc.

• Simply put, it is painful (costly / time consuming) to keep all of this software up to date

• Truly requires a good tool and someone else to keep all the update packages ready for you

• Many technical issues – inventory completeness, silent installation, installations requiring reboot, etc.

• Interesting article: “Gone in a Flash: Top 10 Vulnerabilities Used by Exploit Kits”(https://www.recordedfuture.com/top-vulnerabilities-2015/)

• 8 of the 10 vulnerabilities most used by exploit kits in 2015 were in Flash (the other two were in Internet Explorer and Silverlight)

Page 17: Passwords and Trust Relationships

• Almost every organization has weak passwords and implicit trust relationships, few think about them, and this is how we usually get in

• Password guessing does work more than you would think, even given that most organizations require complex passwords

• The bigger the available user list (number of user ID’s that exist and can be properly discovered) the greater the chance of a hit.

• Big organizations definitely suffer more chance of this working

• Use automated tools such as Medusa (http://www.foofus.net/?cat=4) or scripts to try passwords on systems such as OWA

• Do a little bit of testing at a time, perhaps 3 guesses per account per hour spread across the whole user list, so as not to trip the lockout threshold on any one account
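The low-and-slow cadence described above is exactly what defeats an account-lockout policy, so the defender's counterpart is to count distinct accounts per source rather than failures per account. The following is an added example, not code from the talk: it runs both checks over a constructed OWA-style authentication log (the log format, IP addresses and usernames are invented for the example) and shows the lockout rule staying silent while the per-source check fires.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip username result",
# roughly the shape you would export from OWA/IIS or a VPN concentrator.
AUTH_LOG = """\
2015-11-18T08:00:05 203.0.113.7 jsmith FAIL
2015-11-18T08:20:11 203.0.113.7 mlee FAIL
2015-11-18T08:40:09 203.0.113.7 rpatel FAIL
2015-11-18T09:00:02 203.0.113.7 agarcia FAIL
2015-11-18T09:20:44 203.0.113.7 bwong FAIL
2015-11-18T09:40:31 203.0.113.7 ckim FAIL
2015-11-18T10:00:17 203.0.113.7 dnguyen SUCCESS
2015-11-18T08:05:00 192.0.2.50 jsmith FAIL
2015-11-18T08:05:30 192.0.2.50 jsmith FAIL
2015-11-18T08:06:00 192.0.2.50 jsmith SUCCESS
"""


def parse_log(text):
    """One dict per attempt; usernames normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append({"time": datetime.fromisoformat(ts), "ip": ip,
                        "user": user.lower(), "ok": result == "SUCCESS"})
    return records


def lockouts(records, threshold=5, window=timedelta(minutes=30)):
    """Accounts a classic lockout policy would lock: `threshold` failures
    against ONE account inside `window`.  A spray is paced to stay under this."""
    recent = defaultdict(list)
    locked = set()
    for r in sorted(records, key=lambda r: r["time"]):
        if r["ok"]:
            continue
        recent[r["user"]] = [t for t in recent[r["user"]]
                             if r["time"] - t <= window] + [r["time"]]
        if len(recent[r["user"]]) >= threshold:
            locked.add(r["user"])
    return locked


def sprays(records, min_users=5, window=timedelta(hours=24)):
    """Source IPs that touched at least `min_users` distinct accounts inside
    `window`.  Returns (ip, distinct_users, accounts_that_succeeded)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    hits = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["time"])
        for i, first in enumerate(attempts):          # sliding window over this IP
            in_window = [r for r in attempts[i:] if r["time"] - first["time"] <= window]
            users = {r["user"] for r in in_window}
            if len(users) >= min_users:
                hits.append((ip, len(users), sorted(r["user"] for r in in_window if r["ok"])))
                break
    return hits


if __name__ == "__main__":
    recs = parse_log(AUTH_LOG)
    print("lockout policy would fire for:", lockouts(recs) or "nobody")
    print("spray sources:", sprays(recs))
```

Two caveats when you run this on real data: the per-source check only works if every Internet-facing login (OWA, VPN, Citrix) lands in one log store, and a school district's shared NAT egress will legitimately show many users from one IP, so either exempt known egress addresses or add a failure-ratio condition. Any account that succeeded from a flagged source is compromised and needs a reset, not just a lockout.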

Page 18: Passwords and Trust Relationships

• Some crowd favorites include:

• Password1 (and 01, 2, and 3 and Password! – matches complexity, just increment numbers or try some common punctuation like ! or ?)

• Summer2015, Summer15! (password changes are usually quarterly, so you’ll often see Summer, Fall, Winter, Spring followed by the year in 4-number or 2-number format)

• P@ssw0rd (the ‘ole leet speak vowel substitution trick, pick your favorite word or sports team and swap out some vowels)

• Variations on local sports teams, obscenity

• This is all good for remote guessing against mail servers and such
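A password filter that rejects these shapes is cheap to build. The following is an added example, not from the talk: `is_predictable()` undoes the leet-speak swap and strips the trailing digit/punctuation, then checks for season+year and for a short seed word list; `banned_list()` turns the same shapes into concrete strings for a banned-password filter. The seed words, the leet tables and the "current year plus or minus one" window are my assumptions; add local sports teams and the district's name via `extra_words`.

```python
import re
from datetime import date

# Added example, not from the talk.  Seed words, leet tables and the year
# window are assumptions; extend BASE_WORDS / extra_words with the district
# name, mascot and local sports teams.
TALK_DATE = date(2015, 11, 19)
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
BASE_WORDS = {"password", "welcome", "letmein", "changeme"}
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                        "$": "s", "5": "s", "7": "t"})
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})   # Password -> P@ssw0rd

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(\d{2}|\d{4})[!?.*#@$]*$")
TRAILING_PUNCT = re.compile(r"[!?.*#@$]+$")      # Password!  -> Password
TRAILING_ALL = re.compile(r"[\d!?.*#@$]+$")      # Password1! -> Password


def is_predictable(password, today=None, extra_words=()):
    """True if the password is one of the shapes an attacker guesses first."""
    today = today or date.today()
    lowered = password.lower()
    m = SEASON_YEAR.match(lowered)                      # Summer2015, Fall15!
    if m:
        year = int(m.group(2))
        year = year + 2000 if year < 100 else year
        return abs(year - today.year) <= 1              # quarterly rotation => recent years
    words = BASE_WORDS | {w.lower() for w in extra_words}
    for cand in (lowered, TRAILING_PUNCT.sub("", lowered), TRAILING_ALL.sub("", lowered)):
        if cand.translate(UNLEET) in words:              # P@ssw0rd1 -> password
            return True
    return False


def banned_list(today=None, extra_words=()):
    """Concrete strings for a banned-password filter, built from the same shapes."""
    today = today or date.today()
    out = set()
    for season in SEASONS:
        for year in (today.year - 1, today.year, today.year + 1):
            for yy in (str(year), f"{year % 100:02d}"):
                out.update({season.title() + yy, season.title() + yy + "!"})
    for word in BASE_WORDS | {w.lower() for w in extra_words}:
        for suffix in ("", "1", "01", "2", "3", "123", "!", "1!"):
            out.add(word.title() + suffix)
        for suffix in ("", "!"):
            out.add(word.title().translate(LEET) + suffix)
    return sorted(out)


if __name__ == "__main__":
    for p in ("Password1", "P@ssw0rd", "Summer15!", "Spartans2015!", "correct-horse-battery-staple"):
        print(f"{p:30} predictable={is_predictable(p, TALK_DATE, extra_words=('Spartans',))}")
    print(len(banned_list(TALK_DATE)), "banned strings generated")
```

The check is deliberately narrow: it catches the shapes the slide lists and nothing else, so it belongs alongside, not instead of, a length minimum and a breached-password list.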

Page 19: Passwords and Trust Relationships

• From the inside, plugged into your network (or your wireless), we have other tricks, like the “sticky Samba”:

• To do this, use a customized version of Samba (a Windows file-share emulator) that is configured for this purpose

• See: http://www.foofus.net/~jmk/passhash.html for patches, or use Metasploit

• The SAMBA server will automatically respond to all broadcast requests for a Windows file share by clients on the network and hold up its electronic hand saying “Oh! Oh! That’s me!”

• When the client connects, we capture its NTLM challenge-response hash, which we can then crack offline or relay to another host as-is, without ever recovering the plaintext

• Does tend to cause a lot of tech support calls for internal staff, as every single Windows request on that “broadcast domain” can go to our server and fail

Page 20: Passwords and Trust Relationships

• Responder.py is demonstrative of another typical attack:

• The issue arises with machines that are not properly configured for the local name resolution system (DNS), e.g. a missing DNS suffix, or a name that simply has no record

1. Windows tries to resolve names like SERVER1 or cnn.com

2. If the machine cannot resolve the name using DNS, it falls back to LLMNR (multicast) and NetBIOS name service (broadcast), both of which ask every host on the local network segment

3. Any machine that sees the request may answer “that's me”, and hence get the victim to connect to it and to the malicious services it is running (like Responder.py)

• Common for IT people who like to set up their own machines

• By answering the “wpad” lookup, Responder.py can push a proxy configuration so the victim's web traffic flows through the attacker (who can then inject an executable into a download) and collect the victim's Windows password hash when the browser or SMB client authenticates

Page 21: Passwords and Trust Relationships

• Example: the WPAD server (from my log files). The client first asked for a workstation name and for “wpad”, took the proxy configuration, and from then on its web requests (here a Bing search for “cnn”, cookies included) went through the attacker:

LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : OFFICECUBES-015.

LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : wpad.

[+]WPAD (no auth) file sent to: 172.16.12.34

LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : isaproxysrv..

Client IP is: 172.16.12.34

LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : cnn

Requested URL: http://www.bing.com/search?q=cnn&src=IE-TopResult&FORM=IE10TR

Complete Cookie: _FS=mkt=en-US&NU=1; _SS=SID=D4BDAC3EFAA0459AA61EE66D4C33B36C; MUID=24A89A3984E36E6E24F79C4685FC6E88; OrigMUID=24A89A3984E36E6E24F79C4685FC6E88%2c367b40a8a956494fb9d5b3a227458330; SRCHD=D=3448476&MS=3448476&AF=IE10SS; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20140722

Client IP is: 172.16.12.34
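During an incident, the first question is which hosts fell to poisoning and what names they were chasing, since every one of those names is a missing DNS record, a stale drive mapping, or a bare word typed into the address bar. The following is an added example, not part of the talk or of Responder itself: it parses the log lines above (reproduced one per line, with the cookie shortened, plus one constructed NBT-NS line so a second victim appears) and produces a remediation list with the WPAD victim first. Attributing `Requested URL` and `Complete Cookie` lines to the most recently seen client is a heuristic that holds for this log shape.

```python
import re
from collections import defaultdict

# The slide's log lines, one per line (cookie shortened), plus one constructed
# NBT-NS line so a second victim shows up.  Not a complete Responder log.
RESPONDER_LOG = """\
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : OFFICECUBES-015.
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : wpad.
[+]WPAD (no auth) file sent to: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : isaproxysrv..
Client IP is: 172.16.12.34
LLMNR poisoned answer sent to this IP: 172.16.12.34. The requested name was : cnn
Requested URL: http://www.bing.com/search?q=cnn&src=IE-TopResult&FORM=IE10TR
Complete Cookie: _FS=mkt=en-US&NU=1; _SS=SID=D4BDAC3EFAA0459AA61EE66D4C33B36C
Client IP is: 172.16.12.34
NBT-NS poisoned answer sent to this IP: 172.16.12.51. The requested name was : FILESERVER.
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
POISON = re.compile(r"^(?P<proto>[\w-]+) poisoned answer sent to this IP: " + IP +
                    r"\.? The requested name was : (?P<name>.+?)\.*$")
WPAD = re.compile(r"^\[\+\]WPAD \(no auth\) file sent to: " + IP)
CLIENT = re.compile(r"^Client IP is: " + IP)
URL = re.compile(r"^Requested URL: (?P<url>\S+)")
COOKIE = re.compile(r"^Complete Cookie: (?P<cookie>.+)$")


def summarize(log_text):
    """Per-victim view: names it tried to resolve, whether it took the WPAD
    file, and how many requests/cookies went through the attacker's proxy."""
    victims = defaultdict(lambda: {"names": [], "wpad": False, "urls": [], "cookies": 0})
    current = None     # URL/cookie lines carry no IP: attribute them to the last client seen
    for line in log_text.splitlines():
        m = POISON.match(line) or WPAD.match(line) or CLIENT.match(line)
        if m:
            current = m["ip"]
            if "name" in m.groupdict():
                victims[current]["names"].append(m["name"])
            elif line.startswith("[+]WPAD"):
                victims[current]["wpad"] = True
            continue
        m = URL.match(line)
        if m and current:
            victims[current]["urls"].append(m["url"])
            continue
        m = COOKIE.match(line)
        if m and current:
            victims[current]["cookies"] += 1
    return dict(victims)


def remediation_items(victims):
    """Hand-off for the desktop team, WPAD victims first: disable LLMNR/NBT-NS on
    the host and fix whatever each looked-up name points at (missing DNS record,
    stale mapping, or a bare word typed into the address bar)."""
    items = []
    for ip, v in sorted(victims.items(), key=lambda kv: (not kv[1]["wpad"], kv[0])):
        items.append({"ip": ip, "severity": "high" if v["wpad"] else "medium",
                      "lookups": sorted(set(v["names"])),
                      "proxied_requests": len(v["urls"]), "cookies_captured": v["cookies"]})
    return items


if __name__ == "__main__":
    for item in remediation_items(summarize(RESPONDER_LOG)):
        print(item)
```

A host that took the WPAD file has had its browser session exposed, so the owner's web passwords and cookies are in scope for reset, not just the Windows hash; the `isaproxysrv` lookup in the slide is the kind of leftover reference (here an old proxy hostname) that keeps feeding the attacker long after the server is gone.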

Page 22: Internal Penetration and Pivoting

• Assume that at some point, one or more of your users is going to be compromised through a password guess, malware that harvests keystrokes or saved credentials, or an active attack like the one just shown

• Also assume that at least one of your end user passwords is known by an attacker

• What can we get in to?

• Webmail? If so, lets look for passwords and pull directory names

• VPN? Great, we are in! Lets start working!

• Citrix / Remote Desktop? Awesome, a shared system!

• In virtually any attack that isn’t simple botnet stuff (i.e. a human is driving, which is more than you might think) the name of the game is penetration and pivoting

Page 23: Internal Penetration and Pivoting

• Once I get an end user ID and password, I start looking to see what this account will get me into – usually this is a large chunk of workstations (if not all workstations, if not all windows systems, if not all systems)

• Once I am on a machine, use Metasploit’s Meterpreter to dump the local password hashes and session tokens

• In the case of domain controllers, use a volume shadow copy to grab NTDS.DIT (the Active Directory database, which holds every domain user's password hash)

• This allows me to get the credentials of every user that has a password cached on the machine, or that has a local account (often a service account or domain admin)

• May be plaintext, or an NTLM hash that I can use directly with pass-the-hash without ever cracking it

• I then use THOSE accounts to repeat the process, until I finally find a local password or password hash that has domain privileges

• Add myself as a domain admin, done

• Don't reuse the same local admin password across machines, and don't hand out admin rights!

Page 24: Logging and Incident Response

• Many organizations do not have formal oversight of information security (i.e. a group that meets regularly to talk about security risks, track findings and tasks, etc.)

• Most organizations do not have a good logging system, let alone a way to use log data proactively to identify abuse

• While some organizations do have an incident response plan, many don’t and those that do have one that isn’t terribly good

• The most effective way to catch a hacker is a combination of technology (logging systems) and human oversight (someone to tune and monitor systems)

• Consider the following Hierarchy of logging – each level assumes all of the levels below it

Page 25: Lachniet's Hierarchy of Logging

Page 26: Logging and Incident Response

• Even basic logging, providing it is stored off-device and includes minimal information such as IP addresses, ports, administrative actions, etc. is better than nothing

• Can then be used in the event that you have a particularly nasty incident that involves fraud, pornography, etc.

• Example: Simply getting an email any time a user is added to “Domain Admins” or “Enterprise Admins”

• Example: Getting a list of all new user adds and having helpdesk staff tie these back to a specific ticket so they can see if they are all legitimate

• Example: Logins to Internet-facing systems (from other countries, from multiple simultaneous locations, during odd hours when they should be sleeping or on-site, etc.)
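The three examples above map onto a few dozen lines of triage once the logs are collected centrally. The following is an added example (not from the talk) run over constructed Windows security-log and remote-logon records; the event IDs are the standard ones (4720 user created, 4728/4756/4732 member added to a global/universal/local security group), but the ticket table, the GeoIP-derived country column and the 6-hour travel window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs).  Fields mirror the Windows security
# log: SubjectUserName = who did it, TargetUserName = the account or group acted on.
SECURITY_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2015-11-16T09:02:00",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith"},
    {"EventID": 4720, "TimeCreated": "2015-11-16T23:41:00",
     "SubjectUserName": "svc_backup", "TargetUserName": "sys_update"},
    {"EventID": 4728, "TimeCreated": "2015-11-16T23:42:00",
     "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=sys_update,CN=Users,DC=school,DC=local"},
    {"EventID": 4728, "TimeCreated": "2015-11-17T08:15:00",
     "SubjectUserName": "admin_mark", "TargetUserName": "Print Operators",
     "MemberName": "CN=lab-tech,CN=Users,DC=school,DC=local"},
]
HELPDESK_TICKETS = {"jsmith": "HD-20451"}      # new account -> ticket, from the helpdesk system

# Logons to an Internet-facing system (OWA/VPN), with a country column; assumes
# a GeoIP lookup was done at collection time.
REMOTE_LOGONS = [
    {"user": "jsmith", "time": "2015-11-17T08:05:00", "country": "US"},
    {"user": "jsmith", "time": "2015-11-17T09:30:00", "country": "RO"},
    {"user": "mlee",   "time": "2015-11-17T02:10:00", "country": "US"},
    {"user": "rpatel", "time": "2015-11-17T14:00:00", "country": "US"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4756, 4732}


def privileged_group_adds(events):
    """The 'email me whenever someone lands in Domain Admins' check."""
    return [(e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in GROUP_ADD_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS]


def unticketed_account_creations(events, tickets):
    """New accounts the helpdesk cannot tie back to a ticket."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4720 and e["TargetUserName"] not in tickets]


def impossible_travel(logons, window=timedelta(hours=6)):
    """Same user seen from two different countries inside `window`."""
    by_user = defaultdict(list)
    for entry in sorted(logons, key=lambda x: x["time"]):
        by_user[entry["user"]].append(entry)
    hits = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            gap = datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])
            if a["country"] != b["country"] and gap <= window:
                hits.append((user, a["country"], b["country"]))
    return hits


def off_hours_logons(logons, start_hour=6, end_hour=22):
    """Users logging in at hours when they should be asleep or already on site."""
    return sorted({entry["user"] for entry in logons
                   if not start_hour <= datetime.fromisoformat(entry["time"]).hour < end_hour})


if __name__ == "__main__":
    print("privileged group adds:", privileged_group_adds(SECURITY_EVENTS))
    print("accounts without a ticket:", unticketed_account_creations(SECURITY_EVENTS, HELPDESK_TICKETS))
    print("impossible travel:", impossible_travel(REMOTE_LOGONS))
    print("off-hours logons:", off_hours_logons(REMOTE_LOGONS))
```

Note what the sample shows when the four checks are read together: a service account creates an unticketed user at 23:41 and puts it in Domain Admins a minute later. Neither event is interesting on its own to a busy helpdesk, which is the argument for sending these specific events to a person rather than to a log file nobody reads.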

Page 27: Phishing

• Given the strong prevalence of malware in K-12 it seems likely that the problem is part patching, part stopping the malware from being introduced (i.e. through bad web sites or Phishing)

• My own company did a phishing exercise and a frightening number of our employees clicked on the link. NO employees reported it to information security

• This resulted in a significant corporate effort – mandatory training and a second phishing exercise

• As a penetration tester, I can say that attacking an organization through phishing is FAR easier than attacking it through technical means

• Humans have an in-built desire to be helpful, and attackers take advantage of this (and will continue to do so at an increasing rate)

Page 28: Phishing – How I do it

• The first step is to do research using public records:

• Social media (LinkedIn, Facebook, etc.,)

• Scripts and software to enumerate names and e-mail addresses

• Look for directories on official web sites

• Identify generic inboxes such as marketing, accounts payable, IT helpdesk, etc.

• Metadata from word and PDF documents – shows actual usernames and software packages used

• Free Tool: FOCA

• https://www.elevenpaths.com/labstools/foca/index.html

• Free Tool: Maltego

• https://www.paterva.com/web6/products/maltego.php

Page 29: Phishing – How I do it

• TIP: Using a different format for user IDs and e-mail addresses makes it harder for attackers, as it's much harder to find the login ID than the e-mail address

• Focus on: Management, billing, HR

• Avoid: IT, Risk Management, legal

• Create customized phishing emails:

• “bypass your organization’s firewall and content filter”

• General messages from I.T. – new requirements, testing

• Amazon gift card for participating in a survey

• Infected PDF documents – tracking from UPS or a vendor invoice that looks just legit enough to open

• Free iPad! (who falls for this any more!?!)

Page 30: Phishing – The Citrix Server

• Create a fake Citrix web site registered under a name such as http://www.organization-beta.com that looks exactly like the official Citrix server (costs about $15)

• Send a phishing e-mail saying that IT is responding to user demand and rolling out a new, much faster, Citrix server and that they have been selected to test it. Fake the IT director as the source with a perfectly copied signature at the end

• The e-mail is from the lookalike domain, so any responses go to the attacker and not the IT director

• The fake web site will take their login information (user ID and password) and log it to a text file. After submitting their login, they get redirected to the real Citrix server

• User believes that they must have made a mistake typing in their password and often doesn’t notice the change

• Sometimes take 3-4 logins before redirecting – the users will type in every password they know which is useful to the attacker

Page 31: Border Security

• Most organizations are pretty good about blocking incoming traffic from the Internet and DMZ

• Those IT directors that haven’t been have already been “moved on” and hopefully learned their lesson

• K-12 is also usually okay about outgoing (egress) traffic to some degree and will typically block HTTP/HTTPS unless it goes through a proxy or filter

• However, this is not enough – must block ALL outgoing ports except those which are necessary for functionality

• Example: Kid uses Remote Desktop to control a home computer to browse from there

• Even that isn't really good enough, because most malware now uses HTTPS – use (at a minimum) a filter that blocks known malware IPs or (better) one that inspects HTTPS traffic

• Use workstation or network firewalls to stop pivoting

Page 32: Training and Testing

• You can never get too much training

• K-12 has in-service days – you may be competing for limited time but at least you have a venue

• Consider using an LMS and make sure that all users with above-student privileges take the training

• Use real-world phishing exercises to make the point (without being cruel of course)

• Perform vulnerability assessments (i.e. scanning your stuff with tools such as Nessus to find vulnerable systems)

• Perform red team / penetration tests (i.e. having someone actually get admin-level access and tell you how they did it. A little bit of real-life F.U.D. can be useful during budgetary negotiations)

• Send your IT people to decent training

Page 33: Data Handling

• Another common mistake of organizations is a failure to accurately identify their sensitive information and appropriately handle it from “cradle to grave”

• Once I get a domain user account password (or preferably domain admin account) one of the first things I do is connect to the organization’s various file shares and search for all files containing the word ‘password’ in them

• Similarly, identify and connect to IT administrator workstations and do the same thing, find config files, saved logins, etc.

• Inevitably, I will find passwords for various internal systems, scripts and batch files that get run automatically, passwords used for testing, passwords for vendors or service accounts, or users’ personal passwords to gmail and such

• Approximately 50% of the time I can find a password for the organization, about 25% of the time it is an admin password.

• Often the fault of IT staff or developers
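The same search the attacker runs is worth running first yourself. The following is an added example, not from the talk: a sweep over a directory tree for lines that look like stored credentials, exercised against a constructed temporary "share" containing fake secrets. The pattern list and the extension list are my starting assumptions and will need tuning for your shares.

```python
import os
import re
import tempfile

# Things that are usually a credential sitting in a text file.  Assumption:
# this is a starting point, not a complete DLP ruleset.
CRED_PATTERNS = [
    re.compile(r"(?i)\bpass(?:word|wd|phrase)?\s*[:=]\s*\S+"),      # password: x / Password=x
    re.compile(r"(?i)\bnet\s+use\b.*\s/user:\S+\s+\S+"),              # net use ... /user:acct secret
    re.compile(r"(?i)\b(?:mysql|sqlcmd)\b.*\s-[pP]\S+"),              # CLI -pSecret / -PSecret
    re.compile(r"(?i)\bBEGIN (?:RSA |OPENSSH )?PRIVATE KEY\b"),      # embedded private keys
]
TEXT_EXTENSIONS = {".txt", ".bat", ".cmd", ".ps1", ".vbs", ".ini", ".cfg", ".config",
                   ".xml", ".json", ".py", ".sh", ".csv", ".log", ".sql"}


def sweep(root, max_bytes=1_000_000):
    """Walk `root`; return (relative path, line number, excerpt) for matching lines."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            if os.path.getsize(path) > max_bytes:      # big logs/dumps: handle separately
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for line_no, line in enumerate(fh, 1):
                    if any(p.search(line) for p in CRED_PATTERNS):
                        findings.append((os.path.relpath(path, root), line_no, line.strip()[:80]))
    return findings


def hit_files(findings):
    """Just the file names, for a quick summary."""
    return sorted({os.path.basename(path) for path, _, _ in findings})


def build_sample_share():
    """Constructed stand-in for a district file share (temp dir, fake secrets)."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        "IT/nightly_backup.bat": "net use Z: \\\\fs01\\backups /user:SCHOOL\\svc_backup Summer2015!\r\n"
                                 "xcopy D:\\data Z:\\ /E /Y\r\n",
        "IT/web.config": '<connectionStrings>\n'
                         '  <add name="sis" connectionString="Server=db01;User Id=sa;Password=Sch00l!;" />\n'
                         '</connectionStrings>\n',
        "Office/wifi.txt": "Guest wifi\npassword: Welcome1\n",
        "Office/reminder.txt": "Change your password every 90 days. Students pass the quiz at 70.\n",
        "Staff/lesson_plan.docx": "not a text file; skipped by extension\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, line_no, excerpt in sweep(build_sample_share()):
        print(f"{path}:{line_no}: {excerpt}")
```

Run it from a read-only account against each share in turn and treat every hit as a credential to rotate, not just a file to delete: the batch file above runs nightly, so the service account's password is in every backup of that share too. Expect false positives from the `-p` pattern (it also matches port flags) and add a second pass for Office documents, which this sweep skips by extension.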

Page 34: Incident Response: Higher Ed & K12

• In 2002, received a call from a college in Michigan saying they had an issue with malware on their workstations and wanted help investigating it

• Had identified a possible suspect based on log entries and wanted verification

• Student was using a laptop and flash drive that were university property

• At the time I was engaged, the student still had his laptop and was attending class

• I verified the log entries and agreed on their identification of the individual

• Advised them on seizing potential evidence and some forensic best practices

Page 35: Incident Response: Higher Ed & K12

• At that time they went to the student while he was in class and took his laptop and flash drive from him

• Made a copy of his data to a new flash drive so he could retain his work while he looked on

• Student was visibly nervous, and tried to “move” his data rather than “copy” his data from the laptop and flash drive

• Began a forensic analysis on flash drive and several machines

• The college interviewed the student another time and he admitted to the hacking but stated that there were no “key loggers” to get passwords

• I sat in an interview and asked technical questions about how it was done

Page 36: Incident Response: Higher Ed & K12

• Student admitted to writing his own malware, used Metasploit to attack other machines that were college issued

• This was possible because the administrator password on all college laptops was the same

• Used a “pass the hash” attack to distribute the malware

• Went undetected for months until he made a mistake with a document showing up on desktop

• Also used a home computer to receive the results of the malware

• Law enforcement was involved

• Student agreed to bring in his home computer for analysis (this turned out to be a mistake on his part)

Page 37: Incident Response: Higher Ed & K12

• Performed additional forensic analysis and found hacking evidence not only of the college but also of his K12 school (he had graduated 2 years previously) and other wireless networks

• Involved the K12 school

• Also discovered what I believed to be child pornography

• The pornography was also found in the “swap” virtual memory file, indicating that it had recently been accessed

• Created a report of findings, versions of which were provided to the K12, College and law enforcement

• At this point went into the void of law enforcement

• In late 2013 got a request from law enforcement to resend report, 2014 learned prosecutor wasn’t going to charge

Page 38: Top-10 List – Redux & Review

• Formal security management program – take time to do it right

• Software patching – especially third-party software like Acrobat

• Data handling – data classification and handling, encryption

• Trust relationships – DNS, shared passwords and other Windows “features”

• Accounts and passwords – too many admins, too guessable a password

• Regular security testing – test before someone else does

• Logging and log analysis – system visibility and awareness

• Incident response planning – communications and avoiding “chicken little”

• Border security – DMZ security and egress filtering

• Employee awareness – why not to open that attachment

Page 39: Take-Away – Free Network Threat Assessment

IDENTIFY HIDDEN THREATS: UNCOVER NETWORK SECURITY RISKS WITH A FREE CDW THREAT CHECK

We've partnered with Cisco, Tenable and Symantec to offer the CDW Threat Check, a free malware detection scan that includes a detailed assessment of your network vulnerabilities to help you determine your most critical risks.

cdw.com/cdwthreatcheck

Page 40: Q&A / Discussion

Thank You!

Mark Lachniet

mark.lachniet@cdw.com, Information Security Solutions

CDW, 1000 Town Center, Suite 1800, Southfield, MI 48075

Mobile: 616-304-3526