The (Campus) Empire Strikes Back

• By Fred Archibald
• 07/01/08

Adding to the slew of data security issues already plaguing college and university campuses is an onslaught of stealth malware and botnet attacks. What's a beleaguered network manager to do? Here, from UC-Berkeley's own network pro, a cache of helpful advice.

WHEN IT COMES TO ANTI-MALWARE protection, today's university IT departments have their work cut out for them. Network managers must walk the fine line between enabling a highly collaborative, non-restrictive environment, and ensuring the confidentiality, integrity, and availability of data and computing resources. This is no easy task, especially if we survey the state of the academic network, the current threat landscape, and common user practices. Intrusions can lead to huge productivity losses, strains on already tight budgets, and blemishes on hard-earned reputations. However, with good old-fashioned ingenuity and the right tools in place, universities can succeed at malware detection and prevention to improve network security.

STATE OF THE ACADEMIC NETWORK: Balancing Integrity, Mobility, and Resources

Networks have steadily advanced in their capabilities, their uses, and their misuses as well, with academic networks often providing a glimpse into the future. Preventing security incidents in this advanced network environment presents challenges for universities, which have unique tenets to uphold. IT security professionals within higher ed are under incredible pressure to remain one step ahead of the next destructive incident, while preserving the integrity of university resources and data, and protecting the privacy of users.

Securing open academic networks. By its very nature, the academic network is a uniquely collaborative, open network environment; within education we refrain from imposing too many restrictions, so as to best support unbridled academic research and discovery. Fast-flowing networks and ready access to high-end computing infrastructures are critical for students, faculty, and staff, if they are to succeed in their pursuits.

Another unique characteristic of academic networks: While the university owns the network infrastructure, individuals frequently own the endpoint devices such as laptops and smart phones. This creates very real challenges to maintain a desired level of security within the infrastructure. Given the broad range of platforms and applications in use among students, faculty, staff, and guests, there are few commonalities that can be leveraged in implementing new security controls. And taking into account the sheer volume and variety of users and devices accessing university resources, plus the reality that IT has limited visibility into those endpoints, means that deploying and provisioning (let alone enforcing) any new agent-based security controls are difficult at best.

Many users, especially students, are suspicious of any software additions that might slow down or restrict the usability of their devices. Even if they agree to install the security software, ensuring that installations are done correctly and in a timely manner is yet another issue altogether. For example, many security solutions today-- including popular antivirus software products-- assume machines are "clean" prior to installation. Because of this, they may not function properly when installed on machines that are already compromised in some way. They also may inadvertently allow infected machines to access network resources. In fact, by unloading drivers or stopping signature updates, today's malware and spyware now actively prevent the proper installation of security software and/or disable it, even though users believe they have successfully completed installation. And the roadblocks to installing agentbased security controls constitute only a fraction of the client support issues that consume a large percentage of limited IT resources.

Impact of mobility on security. With the rapid adoption of mobile devices, most universities support some type of wireless network access on their campuses, largely because users gain tremendous productivity advantages with ubiquitous access to applications and resources. Yet, in addition to accessing university resources via secure campus wireless networks, mobile users also leverage home broadband, public hotspots, and other campus networks that expose them to a wide range of cybercrime exploits. In addition, the advent of the wireless network has put up new roadblocks to IT troubleshooting and problem-solving. Just a few years ago, IT could trace problems through wires to particular devices within university buildings. Now, new and advanced technologies are needed to identify misconfigured or compromised devices outside campus walls. So, the increased mobility afforded by wireless networks also increases the risk of contracting a targeted malware infection which, in turn, affects network stability and availability as well as consumes greater IT resources to identify and resolve potential problems.

Compliance and higher education. In addition to maintaining secure networks, universities also must abide by recent legislation around compliance initiatives. Along with the general concern about a university's machines being compromised or prey to malware infections, there are implications with regard to compliance, as well: Compromised resources can mean the potential for compliance violations. If the institution is being audited, or if the network is compromised and data are leaked, there could be consequences in the media or otherwise that could be severely damaging to a user or the university.

Doing more with the same. Adding to the challenges mentioned above, is the ongoing strain on resources: Anyone reading this article knows that IT resources within academia often are stretched to a breaking point. (Network managers, in particular, are continuously asked to do more within existing budgets and resources.) Clearly, managing and maintaining campus resources for thousands of users is a challenge in and of itself for limited IT departments. On top of this, infiltration, when it occurs, diverts IT resources to combat the problem and mitigate or repair damaged equipment. Certainly, monitoring network activity and conducting routine network anomaly detection helps IT identify suspicious behavior and thus eliminate some threats. Yet, the sheer volume of information is overwhelming, the nature of threats is evolving, and there is always more analysis that can be performed.

CURRENT THREAT LANDSCAPE: Stealth Malware and the Lurking Botnet Pandemic

Simply put, the malicious software or "malware" threat has evolved substantially in recent years. Originally, viruses, worms, and spyware were characterized as single-vector threats; they set out to attack a sole vulnerability. They were fast and propagated randomly, victim machines were infected (but not remotely controlled), and hackers were motivated largely by fame. Signature-based solutions were effective in curtailing this type of activity for the most part.

Today's biggest security threats, however, are dynamic, multivector or blended threats that either combine weapons (worm, virus, spyware) to attack one vulnerability, utilize one weapon to target multiple vulnerabilities, or any combination thereof. For example, a directory harvesting attack could provide e-mail addresses, allowing attackers to send malware-laden e-mails that can infiltrate specific machines and then download further malware payloads.

Modern stealth malware evades traditional security controls through a variety of sophisticated schemes including disguise, mutation, and self-propagation. What's more, malware is now designed to move from one vector to another to exploit new vulnerabilities when former targets have been safeguarded. And operating systems have become more robust, making the application layer an attractive hunting ground for hackers.

Stealth malware is designed to covertly infiltrate or damage a computer system without the owner's consent or knowledge, and with the objective of controlling the victim's device to generate a profit. Once hackers gain control over a computer, they can execute any number of elaborate moneymaking plots. The compromised machines, known as "zombies" or "bots," are typically tied together by the thousands to create a complex, high-availability "botnet" capable of nearly any demise.

From data mining, espionage, and identity theft, to stock pump-and-dump scams and cyberterrorism targeting government infrastructures, "bot herders" (as bot hackers are known) leverage stolen computer power and unauthorized access to their fullest. Botnets are rented out, bought and sold, leveraged for particular projects, and otherwise utilized to generate recurring revenue streams.

In fact, botnets have changed the business of malware. Yesterday's attacks were crude attempts to derail business-as-usual, where hackers had little to gain other than some short-lived notoriety and a sense of conquest. Today's targeted attacks carry out criminal objectives with surgical precision. The spread of malware is driven by economic gain, and with each success the malware economy grows.

Not surprisingly, botnets now feed an entire black market economy run by organized crime rings that have little to lose and much to gain. So lucrative is the business model that experts estimate one quarter of the approximate 600 million web-enabled computers worldwide have been compromised by botnet malware.

Antivirus software, behavior-anomaly detection devices, and firewalls can strengthen security but have proven inadequate in protecting users from targeted stealth malware and botnet infiltration. In truth, because botnets and stealth malware in general are very difficult to detect, many end users may not realize their systems have been compromised.

USER PRACTICES: Sabotaging the System

Open environments and stealth malware contribute to the security challenges within today's universities, but user practices are part of the picture, too. The importance of user education and awareness cannot be stressed enough when it comes to network security. Without proper training, users may help facilitate malware infiltration. In particular, lack of backup practices and "social engineering" scams (a type of intrusion used for data gathering that often involves tricking or conning users into divulging information or breaking standard security protocol) can sabotage IT's efforts to protect data and resources.

Social engineering preys on curiosity. Because social engineering scams are dependent upon human intervention, I include them here. Social engineering could be thought of as both a security threat and a destructive user practice. These scams prey upon user trust, curiosity, compassion, and greed, and often are part of a blended or multivector attack. Through social engineering, hackers may gain access to accounts and passwords, which then can be used to infiltrate computers to establish a botnet.

Defending against social engineering is exceptionally difficult because IT must rely upon smart user practices. Network managers can warn against the latest "gimmes" or gimmicks, but it's nearly impossible to catch them all before they have proliferated across the university. The popularity of eCommerce, social networking, and user-hosted content-rich entertainment sites such as YouTube all contribute to a collective curiosity, trust, and naiveté among users which, in turn, fuels social engineering vulnerabilities.

Without backup, data losses are huge. Backup practices are another challenge for university IT departments. When an intrusion is detected, it's often too late to protect the user from data loss, identity theft, remote control of a device, and other illicit activities. In most cases, the user has not recently backed up his or her information, or is inbetween backup cycles, resulting in huge data losses. Then too, if malware is detected on a machine, standard practices usually call for a complete rebuild, which can take days. Users also expect that their machines will be reconstructed exactly as they were, which isn't always possible. Faced with these consequences, many users will attempt to work around the malware or simply ignore it, leaving a back door open on the network which allows perpetrators to bypass any and all security measures to access data and resources. Bottom line: In addition to user productivity loss, IT resources are heavily consumed to mitigate risks and rebuild equipment.

STARTING POINT: Ingenuity and Prevention

When we consider the state of the net, the threat landscape, and unsystematic user practices, it's easy to feel like maintaining security across an academic network is a losing battle. However, by thinking outside the box and focusing on prevention, university IT departments can protect data and resources and stay ahead of today's malicious cybercriminals.

Creativity is key in preserving the delicate balance between academic freedom and network control. IT must continually look for ways to keep the users and their data safe while also allowing them to be as productive as possible. Because productivity loss represents the greatest impact of malware intrusion, universities should focus their efforts on prevention. Targeted anti-malware, anti-botnet protection will help detect and stop today's sophisticated stealth malware attacks; emerging technologies go so far as to combine on-premise anti-botnet security with global botnet discovery and analysis, to deliver a comprehensive solution. When evaluating anti-malware, anti-botnet solutions to complement existing security controls, there are several requirements network managers should keep in mind; these reflect the unique characteristics of the academic network:

Network-based solutions ease IT/user burdens. Network-based rather than agent-based solutions provide several benefits for academic network security. First, they can be deployed, provisioned, and maintained without involving or relying on end users, thereby eliminating most client support issues. Second, they provide centralized management and monitoring capabilities. Both of these benefits help reduce strain on IT personnel. Third, they support and account for the growing wireless, mobile, and remote user communities. Network-based solutions have proven effective in other areas of the IT infrastructure as well. For example, Aruba Networks and Cisco Systems provide network- based wireless networking solutions with centralized management and easy deployment across the network.

Accurate, automated containment/quarantining. Automation is another critical component for university IT security. Frankly, network managers should begin to automate as many monitoring and containment policies as feasible. Automated containment and quarantining together constitute an effective preventive measure that, once fully vetted, requires little IT resources. Automated forensics (as opposed to manual forensics tools) such as Wireshark and NetScout are a particularly important weapon, what with the current strains of stealth malware; using forensics, network managers can identify the activities conducted by malware, once it enters the system. For example, if a computer has been botted, forensics can provide information about which command and control (C&C) server it is calling back to, what protocols are being used, what activities are being conducted, etc. Additionally, automated forensics and monitoring tools such as virtual-machine (VM) replay technologies can be used to correlate information from multiple platforms and systems into something that's useful, filtering out false alerts and false positives, and freeing IT from manually surveying activity across the network. This comprehensive information helps identify future or related malware by characteristics other than signature.

Ease of use and manageability. Overall, universities need solutions that are easy to deploy and manage. Many solutions on the market today are tedious to install, or else they require dedicated, trained technicians to implement and manage them. Yet, as we all know, these resources are not always available within university IT budgets. Solutions that are simple and seamless to implement lessen IT overhead while securing the network. Increasingly, and for just this reason, security vendors are adopting the appliance form factor rather than software solutions. Other techniques include unified threat management (UTM) devices that provide all-in-one capabilities to simplify management and maintenance over time.

Raising network security awareness. Universities also must focus on building user awareness regarding network security, and they need to clearly define usage guidelines and best practices. There are many communication vehicles available to universities to get the message out: From mandatory security policy training for new students, to ongoing security forums and kiosks, e-mail blasts, website alerts, campus newsletters, eLetters, and more, universities must continually engage students in the importance of network security and user policies.

REAL-WORLD IMPLEMENTATION: University of California-Berkeley

In late 2005, the Electrical Engineering and Computer Sciences (EECS) department within UC-Berkeley launched an initiative to investigate potential network access control (NAC) solutions to unify endpoint security, user and system authentication, and network security enforcement. We had been treating the wireless network as less secure than the local area network (LAN), and with the trend toward mobility plus increasing concern about stealth malware and botnet threats, we knew our approach had to change. We wanted to bring the two networks to equal footing and NAC seemed to be the best option.

The EECS computing infrastructure supports approximately 4,000 undergraduates, graduates, faculty, and staff, leveraging an effective wireless network in addition to the departmental LAN. While the EECS network is somewhat autonomous from the larger university, EECS does monitor and receive reports on wireless devices that appear on its wireless network yet are also part of the greater campus community. Containment of these devices, however, is not within our jurisdiction.

Network overlay vs. client-based solution. The EECS IT department and the director of IT for EECS, along with some faculty members, evaluated several options and settled on a solution that comprised a network-based NAC appliance and a required NAC client component. The initial solution the IT team selected worked fairly well; however, it was client-based and there were faculty and graduate student concerns about the client: It quickly became clear that installing and deploying clients on a wide variety of platforms was not going to work. The management overhead also appeared to be substantial and complex. In the end, the solution was rejected and we began to think outside the box.

We then became aware of the Botwall solution from FireEye, and abandoned the NAC initiative in favor of targeted protection against stealth malware and botnets for our wireless network. The IT department elected to implement a network overlay solution that would be complementary to our existing IT security infrastructure, without the complex overhead and burden of client installation and maintenance. While the discovery of this new solution may sound simple, it was the creativity of the entire IT department, coupled with important feedback from our users, that led us in a new direction: evaluating current threats, key objectives, and existing resources in a new light. We came to realize that today's threats and attacks are executed with such extreme precision, that more rigorous and meticulous countermeasures would be necessary. We soon found that an overlay solution would allow network managers to a) take full advantage of capabilities within the wireless infrastructure, and b) leverage all the hooks in place to help track and contain devices. The FireEye protection would help us achieve greater security for this infrastructure while providing more automated analysis of malware and botnet activity.

The solution included three chief components: The FireEye Botwall 4000 Series appliances provided network-based anti-malware/anti-botnet protection by utilizing advanced virtual machine analysis of mirrored network traffic. These appliances block, in real time, known malware and previously unknown botnet malware that are autodiscovered using the FireEye virtual machine analysis technology. Next, the GigaVue-MP data access switch from Gigamon Systems provided critical network-traffic data aggregation and replication. The GigaVue-MP replicates traffic from SPAN ports (of border routers, for example) to extend simultaneous support for multiple network monitoring tools such as security analysis at the network edge. Cisco Airespace Wireless LAN Controllers were implemented to securely communicate with access points, to support systemwide wireless LAN applications. In summary, the UC-Berkeley deployment uses FireEye's Botwall appliances to analyze data mirrored from the Gigamon switches and Cisco Airespace controllers, to guard against malware infection on the wireless network.

IN A NUTSHELL...

Network security professionals within higher education face unique challenges in supporting academic freedom while protecting constituents, resources, and data. However, the threats we're seeing are global and the stakes are mounting. Universities have the ability to counter stealth malware attacks with equal force, but we must be vigilant in pursuing advanced technologies designed to outpace the continued evolution of threats. To protect against the latest, zero-day malware requires stronger security than is typically afforded by up-to-date antivirus signatures, the latest patches, or other host-based agents! Universities need targeted anti-malware, anti-botnet solutions that detect and protect against proactive criminal malware activities and rogue traffic, as well as effectively stopping intrusion-- even with machines that may already be infected when they attempt to access the network. With accurate identification of infected machines, network administrators can automate quarantine measures and eliminate unnecessary restrictions of clean student and guest machines. By combining anti-malware solutions with existing security controls, any college or university can create a coordinated and multilayered approach that guards against today's most sinister threats, and provides protection at all entry points including the internet gateway, messaging gateway, endpoint clients, endpoint servers, and the network. The time to launch your selfassessment, evaluation, and solution search is now.