
NDSU IT Security


DESCRIPTION

NDSU IT Security. Theresa Semmens Chief Information Technology Security Officer Jeff Gimbel Senior Security Analyst. NDSU Physical Infrastructure. Open Network External facing network 79 subnets Open to Internet Internal facing network 79 subnets - PowerPoint PPT Presentation


Page 4: NDSU IT Security

NDSU IT Security

• Theresa Semmens, Chief Information Technology Security Officer

• Jeff Gimbel, Senior Security Analyst

Page 5: NDSU IT Security

NDSU Physical Infrastructure

• Open Network

– External facing network
  • 79 subnets
  • Open to Internet

– Internal facing network
  • 79 subnets
  • Open to the University System and some statewide entities

– Firewalled network
  • Used by some departments for regulatory compliance

– Server room network
  • Used for server to server communication (i.e., backup)

Page 6: NDSU IT Security

NDSU IT Infrastructure

• Supported Departments
• Distributed IT
• Independent Departments

Page 7: NDSU IT Security

A Little History

– 2004, ND Information Technology Department
  • SNMP scan – Found a majority of printers on the University System network that had SNMP set to public

– 2008, Foundstone
  • 175 insecure devices recognized as printers

Page 8: NDSU IT Security

How did the printer problem really come to light?

• Nessus scan
  – Removed the safe scan
  – See how much paper would be wasted
    • LaserJet M602: 3 sheets
  – Nessus findings
    • FTP open
    • Telnet open
    • Web page default username and password
    • SNMP community name set to public

Page 9: NDSU IT Security

How did the printer problem really come to light? (continued)

• Brought to the attention of IT leadership
  – Nessus set to “scan the entire network”
  – Work out alternative solution

Page 10: NDSU IT Security

Is this really a problem?

• 2008 - NDSU dropped support for printers as cost-savings initiative

• Currently, departments request DNS name for purchased printers
  – Name is granted within our naming scheme
  – Name is added to an install script

• Printer plugged into the network

Page 14: NDSU IT Security

Methodology

1. Tools – What are we going to use?
2. Locating devices – How widespread is the problem?
3. Policies and procedures – Shouldn’t we have covered this somewhere?
4. Identification and notification – How do we let stakeholders know their printers are not secure?
5. Reactions – How could we have been so wrong about how stakeholders would react?
6. Interesting problems – It did WHAT?
7. First follow-up scan – Is it working?

Page 15: NDSU IT Security

Tools Used

• Angry IP scanner (GPLv2)

• Putty (GNU GPL)

• WinSCP (GNU GPL)

• Microsoft Excel (campus agreement)

• Student Employee

Amber Rasche
I understand what you mean, but I would advise against using "slave" to describe your student employee, as it has a very loaded connotation that could be misinterpreted by the audience.
Page 16: NDSU IT Security

Locating Devices

• Finding what is on the network

• Angry IP Scanner
  – http://angryip.org/w/Home

Page 17: NDSU IT Security

Locating Devices (continued)

Page 18: NDSU IT Security

Findings

• External network – Outward facing
  – 3,526 active hosts (June 7)
  – 67 recognizable printers

• Internal network – Not routable to the Internet
  – 1,885 active hosts (June 6)
  – 509 recognizable printers

Page 19: NDSU IT Security

How bad is it?

• Human solution for finding the vulnerabilities in the printers
  – Didn’t want to be responsible for:
    • Crashing printers
    • Reams of wasted paper
    • Default usernames and passwords

Page 20: NDSU IT Security

Methodology

• What did the student employee do?
  – Opened a browser to IP and hostname
    • Tried to log in using defaults
  – Used Putty to Telnet into IP or hostname
    • Port 23
  – Tried anonymous FTP connection with WinSCP
    • Port 21
    • Anonymous login selected

Amber Rasche
Who is "he"?
Amber Rasche
More descriptive title? Remediation?
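The Telnet and anonymous-FTP checks on the Methodology slide above, written as a small script instead of a hand procedure. This is an added example, not NDSU's own tooling: the two check functions use only the standard library, and the fake printer services at the bottom are constructed fixtures so the checks can be demonstrated on loopback without touching a real device. The web-page default-login check from the slide is deliberately left as a manual step.

```python
"""Scripted versions of two audit checks: does Telnet (port 23) accept a
connection, and does FTP (port 21) accept the standard anonymous login?
Added example; the fixtures below are constructed, not a real printer."""
import ftplib
import socket
import socketserver
import threading


def telnet_open(host, port=23, timeout=3.0):
    """True when the Telnet port accepts a TCP connection. Anything answering
    here exposes a console that needs a password and idle timeout, or removal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                sock.recv(128)          # drain the banner so the peer can close cleanly
            except OSError:
                pass
            return True
    except OSError:
        return False


def anonymous_ftp_allowed(host, port=21, timeout=3.0):
    """True when the FTP service completes ftplib's default login
    (USER anonymous / PASS anonymous@); False on any refusal or error."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                     # a 5xx reply such as 530 raises error_perm
        return True
    except ftplib.all_errors:
        return False
    finally:
        ftp.close()


def audit_printer(host, ftp_port=21, telnet_port=23):
    """Run both checks against one device and return the findings."""
    return {"telnet_open": telnet_open(host, telnet_port),
            "anonymous_ftp": anonymous_ftp_allowed(host, ftp_port)}


# ---- constructed fixtures: just enough protocol to exercise the checks ----

class _FakeFtpHandler(socketserver.StreamRequestHandler):
    """Minimal FTP dialogue; server.allow_anonymous picks 331 (go on) or 530."""
    def handle(self):
        self.wfile.write(b"220 constructed printer FTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return                  # client closed the connection
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                reply = (b"331 send password\r\n" if self.server.allow_anonymous
                         else b"530 anonymous login disabled\r\n")
            elif cmd.startswith("PASS"):
                reply = b"230 logged in\r\n"
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                reply = b"502 not implemented\r\n"
            self.wfile.write(reply)


class _FakeTelnetHandler(socketserver.StreamRequestHandler):
    """Accepts the connection, prints a banner and hangs up."""
    def handle(self):
        self.wfile.write(b"\r\nConstructed printer console\r\n> ")


def start_fake_printer(allow_anonymous=True, telnet_enabled=True):
    """Start the fixtures on loopback. Returns (host, ftp_port, telnet_port, stop);
    telnet_port is None when the Telnet service is 'disabled'."""
    ftp_srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    ftp_srv.allow_anonymous = allow_anonymous
    servers, telnet_port = [ftp_srv], None
    if telnet_enabled:
        tn_srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeTelnetHandler)
        telnet_port = tn_srv.server_address[1]
        servers.append(tn_srv)
    for srv in servers:
        srv.daemon_threads = True
        threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        for srv in servers:
            srv.shutdown()
            srv.server_close()
    return "127.0.0.1", ftp_srv.server_address[1], telnet_port, stop


def unused_loopback_port():
    """Bind and release an ephemeral port: connecting to it is refused, a
    constructed stand-in for a printer with Telnet switched off."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, fp, tp, stop = start_fake_printer()
    print("factory defaults:", audit_printer(host, fp, tp))
    stop()
    host, fp, tp, stop = start_fake_printer(allow_anonymous=False, telnet_enabled=False)
    print("hardened:", audit_printer(host, fp, unused_loopback_port()))
    stop()
```

Against a real inventory you would call `audit_printer(ip)` with the default ports for each host Angry IP Scanner reported and keep the results per IP and DNS name; the timeouts are what keep a sweep of several hundred devices from stalling on the ones that silently drop packets.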
Page 21: NDSU IT Security

Findings (continued)

• External network – 67 printers
  – 20 with anonymous FTP logins (30%)
  – 20 default user/admin accounts (30%)
  – 9 Telnet logins (13%)

Page 22: NDSU IT Security

Findings (continued)

• Internal network – 509 printers
  – 177 with anonymous FTP logins (35%)
  – 219 default user/admin accounts (43%)
  – 156 Telnet logins (31%)

Page 23: NDSU IT Security

Policies and Procedures

• Reviewed existing policies and procedures
  – Did we have any?
  – Why were they not being followed?
  – Should we create new ones?
  – How do we enforce new policies and procedures?

Page 24: NDSU IT Security

Review of Policies, Procedures

• Vague policies
  – N.D. University System 1901.2
  – NDSU 158

• No documented procedures
  – No procedures meant few people knew what should have been done

• Started new procedures right away
  – Isn’t getting client buy-in the most difficult task anyway?

Amber Rasche
More descriptive title?
Page 25: NDSU IT Security

Vendors

• Mind tricks (policies or procedures) do not work on them, only money

• Need to make sure departments consult with the central IT unit before making purchases of devices that will be placed on the network

Page 26: NDSU IT Security

Identification and Notification

• DNS names include department name, for the most part

• For others, impossible to know to which department they belonged

Page 27: NDSU IT Security

Methodology

• Sent emails to identified groups
  – IP address
  – DNS name
  – Vulnerabilities found
  – Directions for cleanup

• Worked with communications coordinator and IT Help Desk
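The identification-and-notification step from the two slides above as a script: attribute each flagged printer to a department from its DNS name, draft one email per department listing IP address, DNS name, findings and cleanup directions, and route anything that cannot be attributed to the Help Desk. This is an added example, not NDSU's own tooling. The hostname layout (department code, then a hyphen), the department list, the `.printers.example` domain and every record in `SAMPLE_FINDINGS` are constructed assumptions; the slides only say that DNS names include the department name "for the most part". The `percent` helper reproduces the whole-number percentages used on the Findings slides.

```python
"""Group printer audit findings by department and draft notifications.
Added example; the naming scheme and sample records are constructed."""
from collections import defaultdict

# Constructed audit records: (ip, dns_name or None, set of findings).
SAMPLE_FINDINGS = [
    ("10.0.1.10", "chem-lj4250-1.printers.example", {"anonymous_ftp", "telnet"}),
    ("10.0.1.11", "chem-lj602-2.printers.example", {"default_admin"}),
    ("10.0.2.20", "bio-mfp-1.printers.example", {"anonymous_ftp"}),
    ("10.0.2.21", "bio-lj-3.printers.example", set()),              # clean
    ("10.0.9.5", "printer-old-5.printers.example", {"anonymous_ftp", "telnet", "default_admin"}),
    ("10.0.9.6", None, {"telnet"}),                                 # no DNS name at all
]

KNOWN_DEPARTMENTS = {"chem", "bio"}      # assumed lookup table of department codes

# Cleanup directions; the Telnet commands are the ones listed on the slides.
CLEANUP_DIRECTIONS = {
    "anonymous_ftp": "Disable FTP or require a password (older HP consoles: ftp-config:0).",
    "telnet": "Disable Telnet, or set a password and short timeout (set-password, Idle-timeout: 5).",
    "default_admin": "Change the default web/admin username and password.",
}


def department_for(dns_name):
    """Department code from the hostname prefix, or None when the name is
    missing or its prefix is not a known department (assumed scheme)."""
    if not dns_name:
        return None
    prefix = dns_name.split(".", 1)[0].split("-", 1)[0].lower()
    return prefix if prefix in KNOWN_DEPARTMENTS else None


def group_by_department(records):
    """Map department -> flagged records; unattributable ones go under None.
    Devices with no findings are not included, since nobody needs an email."""
    groups = defaultdict(list)
    for ip, name, findings in records:
        if findings:
            groups[department_for(name)].append((ip, name, findings))
    return dict(groups)


def notification_text(department, records):
    """Draft the email body for one group: IP, DNS name, findings, directions."""
    to = f"To: {department} printer contacts" if department else "To: IT Help Desk (owner unknown)"
    lines = [to, "Subject: Insecure network printer(s) found in security audit", ""]
    for ip, name, findings in records:
        lines.append(f"{ip}  {name or '(no DNS name)'}")
        for finding in sorted(findings):
            lines.append(f"  - {finding}: {CLEANUP_DIRECTIONS[finding]}")
    return "\n".join(lines)


def percent(n, total):
    """Whole-number percentage as shown on the Findings slides (20 of 67 -> 30)."""
    return round(100 * n / total)


def summarize(records, total_printers=None):
    """finding -> (count, percent of all printers examined)."""
    total = len(records) if total_printers is None else total_printers
    counts = defaultdict(int)
    for _, _, findings in records:
        for finding in findings:
            counts[finding] += 1
    return {finding: (n, percent(n, total)) for finding, n in counts.items()}


if __name__ == "__main__":
    for dept, recs in group_by_department(SAMPLE_FINDINGS).items():
        print(notification_text(dept, recs), end="\n\n")
    print(summarize(SAMPLE_FINDINGS))
```

Keeping the unattributable group separate matters in practice: those are the devices the slides describe as impossible to assign to a department, and they need a Help Desk ticket rather than an email that nobody receives.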

Page 28: NDSU IT Security

Methodology

Sent out the emails and we waited

Page 29: NDSU IT Security

Reactions

• Calm and collected
  – Were able to configure devices with no problems
  – Glad to help

• Panicked when contacted by security office
  – Needed help with securing process
  – Grateful for help

Page 30: NDSU IT Security

It did WHAT?!?!

Page 31: NDSU IT Security

Interesting Problems

• Printers no longer printing
  – Disabled port 9100
  – Disabled SNMP
  – Client needed reconfiguration

    1. Stop the print spooler
    2. Delete all jobs in C:\Windows\system32\spool
    3. Restart spooler
    4. Delete all IP ports
    5. Delete all printers
    6. Restart computer
    7. Setup printers

Page 32: NDSU IT Security

Problems (continued)

• Older printers did not have a Web-based configuration
  – Older Java
    • Did not have any of the sections needed to configure
  – Configuration through Telnet
    • set-password – Changes default password
    • ftp-config:0 – Disables FTP
    • set-cmnty-name: <newname> – Changes default SNMP community name
    • Idle-timeout: 5 – Sets short timeout for Telnet

Page 33: NDSU IT Security

Follow-Up Scan

• External network
  – Initially 67 printers
    • 20 with anonymous FTP logins (30%)
    • 20 default user/admin accounts (30%)
    • 9 Telnet logins (13%)
  – First follow-up scan found 67 printers
    • 16 with anonymous FTP logins (24%)
    • 17 default user/admin accounts (25%)
    • 7 Telnet logins (10%)

Page 34: NDSU IT Security

Follow-Up Scan

• Internal network
  – Initially 509 printers
    • 177 with anonymous FTP logins (35%)
    • 219 default user/admin accounts (43%)
    • 156 Telnet logins (31%)
  – First follow-up scan found 509 printers
    • 129 with anonymous FTP logins (25%)
    • 182 default user/admin accounts (36%)
    • 118 Telnet logins (23%)

Page 35: NDSU IT Security

What’s Next?

Page 36: NDSU IT Security

Questions?