NDSU IT Security

Transcript

Page 4: NDSU IT Security

NDSU IT Security

• Theresa Semmens, Chief Information Technology Security Officer

• Jeff Gimbel, Senior Security Analyst

Page 5: NDSU IT Security

NDSU Physical Infrastructure

• Open Network

– External facing network
• 79 subnets
• Open to the Internet

– Internal facing network
• 79 subnets
• Open to the University System and some statewide entities

– Firewalled network
• Used by some departments for regulatory compliance

– Server room network
• Used for server-to-server communication (i.e., backup)

Page 6: NDSU IT Security

NDSU IT Infrastructure

Supported Departments

Distributed IT

Independent Departments

Page 7: NDSU IT Security

A Little History

– 2004, ND Information Technology Department

• SNMP scan: found that a majority of printers on the University System network had SNMP set to public

– 2008, Foundstone

• 175 insecure devices recognized as printers

Page 8: NDSU IT Security

How did the printer problem really come to light?

• Nessus scan

– Removed the safe scan

• See how much paper would be wasted

– LaserJet M602

• 3 sheets

– Nessus findings

• FTP open
• Telnet open
• Web page default username and password
• SNMP community name set to public

Page 9: NDSU IT Security

How did the printer problem really come to light? (continued)

• Brought to the attention of IT leadership

– Nessus set to “scan the entire network”

– Work out an alternative solution

Page 10: NDSU IT Security

Is this really a problem?

• 2008: NDSU dropped support for printers as a cost-savings initiative

• Currently, departments request a DNS name for purchased printers

– Name is granted within our naming scheme

– Name is added to an install script

• Printer is plugged into the network

Page 14: NDSU IT Security

Methodology

1. Tools – What are we going to use?

2. Locating devices – How widespread is the problem?

3. Policies and procedures – Shouldn’t we have covered this somewhere?

4. Identification and notification – How do we let stakeholders know their printers are not secure?

5. Reactions – How could we have been so wrong about how stakeholders would react?

6. Interesting problems – It did WHAT?

7. First follow-up scan – Is it working?

Page 15: NDSU IT Security

Tools Used

• Angry IP scanner (GPLv2)

• PuTTY (GNU GPL)

• WinSCP (GNU GPL)

• Microsoft Excel (campus agreement)

• Student Employee

Amber Rasche
I understand what you mean, but I would advise against using "slave" to describe your student employee, as it has a very loaded connotation that could be misinterpreted by the audience.
Page 16: NDSU IT Security

Locating Devices

• Finding what is on the network

• Angry IP Scanner

– http://angryip.org/w/Home

Page 17: NDSU IT Security

Locating Devices (continued)

Page 18: NDSU IT Security

Findings

• External network – outward facing

– 3,526 active hosts (June 7)

– 67 recognizable printers

• Internal network – not routable to the Internet

– 1,885 active hosts (June 6)

– 509 recognizable printers

Page 19: NDSU IT Security

How bad is it?

• Human solution for finding the vulnerabilities in the printers

– Didn’t want to be responsible for:

• Crashing printers
• Reams of wasted paper
• Default usernames and passwords

Page 20: NDSU IT Security

Methodology

• What did the student employee do?

– Opened a browser to the IP and hostname

• Tried to log in using defaults

– Used PuTTY to Telnet into the IP or hostname

• Port 23

– Tried an anonymous FTP connection with WinSCP

• Port 21
• Anonymous login selected

Amber Rasche
Who is "he"?
Amber Rasche
More descriptive title? Remediation?
Page 21: NDSU IT Security

Findings (continued)

• External network – 67 printers

– 20 with anonymous FTP logins (30%)

– 20 default user/admin accounts (30%)

– 9 Telnet logins (13%)

Page 22: NDSU IT Security

Findings (continued)

• Internal network – 509 printers

– 177 with anonymous FTP logins (35%)

– 219 default user/admin accounts (43%)

– 156 Telnet logins (31%)

Page 23: NDSU IT Security

Policies and Procedures

• Reviewed existing policies and procedures

– Did we have any?

– Why were they not being followed?

– Should we create new ones?

– How do we enforce new policies and procedures?

Page 24: NDSU IT Security

Review of Policies, Procedures

• Vague policies

– N.D. University System 1901.2

– NDSU 158

• No documented procedures

– No procedures meant few people knew what should have been done

• Started new procedures right away

– Isn’t getting client buy-in the most difficult task anyway?

Amber Rasche
More descriptive title?
Page 25: NDSU IT Security

Vendors

• Mind tricks (policies or procedures) do not work on them, only money

• Need to make sure departments consult with the central IT unit before purchasing devices that will be placed on the network

Page 26: NDSU IT Security

Identification and Notification

• DNS names include department name, for the most part

• For others, impossible to know to which department they belonged

Page 27: NDSU IT Security

Methodology

• Sent emails to identified groups

– IP address

– DNS name

– Vulnerabilities found

– Directions for cleanup

• Worked with communications coordinator and IT Help Desk
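As an added example (not part of the presentation and not NDSU's own tooling), a small Python script that automates the spreadsheet work behind the locating, findings and notification slides: it reads a constructed scan export in the shape of an Angry IP Scanner CSV, keeps only printers (by an assumed `<dept>-prt-<nn>` naming scheme or an open JetDirect port 9100), computes the counts and percentages used on the findings slides, and groups insecure printers by department for the cleanup e-mails. The CSV column layout, the naming scheme and the findings table are all constructed assumptions.

```python
import csv, io, re
from collections import defaultdict

# Constructed sample in the shape of an Angry IP Scanner CSV export
# (column layout assumed; real exports depend on the fetchers selected).
SCAN_CSV = """IP,Hostname,Ports
134.129.1.10,chem-prt-01.ndsu.edu,"21,23,80,9100"
134.129.1.11,chem-prt-02.ndsu.edu,"80,9100"
134.129.1.20,hp4250.ndsu.edu,"21,23,9100"
134.129.1.30,lib-ws-07.ndsu.edu,"135,445"
"""
# Constructed results of the manual checks the slides describe
# (anonymous FTP login, default web credentials, Telnet login).
FINDINGS = {
    "134.129.1.10": {"anon_ftp": True, "default_creds": True, "telnet": True},
    "134.129.1.11": {"anon_ftp": False, "default_creds": True, "telnet": False},
    "134.129.1.20": {"anon_ftp": True, "default_creds": False, "telnet": True},
}
# Assumed naming scheme <dept>-prt-<nn>; a host outside it cannot be tied to a
# department from DNS alone, the gap the notification slide mentions.
NAME_RE = re.compile(r"^([a-z0-9]+)-prt-\d+\.", re.I)

def parse_scan(text):
    """Keep only printers: hosts in the naming scheme or with JetDirect port 9100 open."""
    printers = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = {int(p) for p in row["Ports"].split(",") if p.strip()}
        m = NAME_RE.match(row["Hostname"])
        if m or 9100 in ports:
            dept = m.group(1).lower() if m else "unknown"
            printers.append({"ip": row["IP"], "host": row["Hostname"], "dept": dept})
    return printers

def summarize(printers, findings):
    """Counts and percentages in the form used on the findings slides."""
    total = len(printers)
    out = {"printers": total}
    for key in ("anon_ftp", "default_creds", "telnet"):
        n = sum(1 for p in printers if findings.get(p["ip"], {}).get(key))
        out[key] = (n, round(100 * n / total) if total else 0)
    return out

def notifications(printers, findings):
    """Group insecure printers by department for the cleanup e-mails."""
    groups = defaultdict(list)
    for p in printers:
        issues = [k for k, v in findings.get(p["ip"], {}).items() if v]
        if issues:
            groups[p["dept"]].append((p["ip"], p["host"], issues))
    return dict(groups)
```

Printers that land in the "unknown" group are the ones whose owners have to be found some other way, which is where the naming-scheme requirement for new printers pays off.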

Page 28: NDSU IT Security

Methodology

Sent out the emails and we waited

Page 29: NDSU IT Security

Reactions

• Calm and collected

• Were able to configure devices with no problems

• Glad to help

• Panicked when contacted by the security office

• Needed help with the securing process

• Grateful for help

Page 30: NDSU IT Security

It did WHAT?!?!

Page 31: NDSU IT Security

Interesting Problems

• Printers no longer printing

– Disabled port 9100

– Disabled SNMP

– Client needed reconfiguration

1. Stop the print spooler

2. Delete all jobs in C:\Windows\system32\spool

3. Restart the spooler

4. Delete all IP ports

5. Delete all printers

6. Restart the computer

7. Set up the printers

Page 32: NDSU IT Security

Problems (continued)

• Older printers did not have a Web-based configuration

– Older Java

• Did not have any of the sections needed to configure

– Configuration through Telnet

• set-password – Changes the default password
• ftp-config:0 – Disables FTP
• set-cmnty-name: <newname> – Changes the default SNMP community name
• idle-timeout: 5 – Sets a short timeout for Telnet

Page 33: NDSU IT Security

Follow-Up Scan

• External network

– Initially 67 printers

• 20 with anonymous FTP logins (30%)
• 20 default user/admin accounts (30%)
• 9 Telnet logins (13%)

– First follow-up scan found 67 printers

• 16 with anonymous FTP logins (24%)
• 17 default user/admin accounts (25%)
• 7 Telnet logins (10%)

Page 34: NDSU IT Security

Follow-Up Scan

• Internal network

– Initially 509 printers

• 177 with anonymous FTP logins (35%)
• 219 default user/admin accounts (43%)
• 156 Telnet logins (31%)

– First follow-up scan found 509 printers

• 129 with anonymous FTP logins (25%)
• 182 default user/admin accounts (36%)
• 118 Telnet logins (23%)

Page 35: NDSU IT Security

What’s Next?

Page 36: NDSU IT Security

Questions?
