Salsa-CSI2 Conference Call
January 17, 2008
 
**Attending**
Chris Misra, University of Massachusetts (Chair)
Elliot Kendall, Brandeis University
Randy Marchany, Virginia Tech University
Phil Denault, Worcester Polytechnic Institute
Kevin Amorin, Harvard University
Joel Rosenblatt, Columbia University
Dan Adinolfi, Cornell University
Brian Smith-Sweeney, New York University
Doug Pearson, Indiana University/Ren-ISAC
Joe St. Sauver, University of Oregon/Internet2
Renee Frost, Internet2
Steve Olshansky, Internet2
Dean Woodbeck, Internet2 (scribe)
 
**Google Hacking** (New name: APHIDS)
 
This follows up on discussions from last fall about using search engines for more proactive security testing. Elliot posted a Google Hacking project description on the CSI2 wiki. The intent is “to provide an easy, automated method for security administrators to find problematic content on web sites in their domains. Problematic content includes but is not limited to vulnerable web applications, evidence of successful attacks, and exposed sensitive information (SSNs, credit card numbers, etc.).”
 
Elliot has written code with the intent that it will work with a variety of search engines. To date, the code is most of the way to being functional. The challenge now is coming up with the rules specifying what to look for. Elliot did a search of search engines that have sufficiently complex operators to be useful with this; the three search engines that allow automatic searching are ChaCha, Gigablast and Alexa.
 
It was suggested to change the name of the project from Google Hacking to APHIDS – Advanced Parallel Hypertext Intrusion Detection System, which is the name of his code. The goal is to allow anyone to download this code and use it against their domain.
 
Elliot will clean up the code and then send a link to the list.
 
There was a suggestion to also look to see what might be done with Google Appliances. APHIDS will not require Google appliances to run, but could include a module to allow the use of a Google appliance. UMass and Cornell both are intending to look at this.
 
Doug mentioned that Indiana University has a very close tie with the ChaCha developers, if that would be a good contact at some point in the future.
 
In a sidebar, there was a discussion about SSNBreach.org. The operator of that web site uses Google to search .edu websites for files containing Social Security numbers. If he finds any, he puts the person’s name in a database that individuals can search to see if their names have been compromised. If he notifies an institution that he has found such information, and the institution does not respond, he contacts the media.
 
**RENOIR**
 
No new progress to report.
 
**Metrics**
 
The Security Metrics Working Group is a subgroup of the Security Task Force Effective Practices and Solutions Working Group.  It is focused on identifying and promoting practices, tools, and procedures that will lead to the development of interchangeable metrics representing a comprehensive picture of the security environment. These best practices will be compiled and shared with higher education institutions to assist them with developing security metrics practices that result in a coherent, managed, and effective information security architecture.
 
Within the next year, the group is charged with developing some deliverables; mainly a web site where universities can download a formula for creating site-interchangeable metrics. The intent is to build a set of metrics that provides a value that can be compared between institutions regardless of institutional size or other demographics.
 
The working group conducts phone meetings twice a month and has completed its charter. They have divided the various metrics among the group for further development. Within the next month there should be a list of the types of metrics being looked at and what the group intends to build. The hope is to start building the web site in about six months.
 
**Spider**
 
Spider will move to Internet2, but the move is waiting on a publications person at Cornell to complete the documentation. Once that is finished, Spider will move to I2. There is a draft site on the I2 server, but it is hidden from public view.
 
**Shifting Landscape**
 
Brian reviewed the presentation schedule for this topic, which will focus on defining the problem and beginning to build awareness. NERCOMP has accepted the proposal; the group has not yet heard from EDUCAUSE SPC. Brian and Phil would present the EDUCAUSE talk, which would include security program management and the shifting landscape.
 
Also under discussion is creation of a document that would extend the presentation and include statistics and other information that defines the problem and provides background.
 
Another deliverable is the tool taxonomy – tools that schools are using in their security programs, such as vulnerability assessment and incident response, and how those tools have changed with the shifting landscape problem.
 
After discussion, the problem seems two-fold. Many campuses are still solving problems from several years ago, while others have started addressing the problems of today. The presentations and other deliverables have to be presented in such a way that they do not alienate those who are somewhat behind the curve.
 
With default firewalls and automatic updates, some threats have significantly decreased, so the focus should perhaps be on whether, given these changes, you should be looking at your infrastructure differently. So, if you have $50,000 or $100,000 or $X to spend, what sorts of things should you be looking at? For example, there has been a rise in web application based attacks and people aren’t thinking about this area. The number of systems compromised may be lower, but the nature of the problems has changed.
 
Standardized security controls across the enterprise – Chris, Brian, Dan and Phil have volunteered to develop material in this area, developing a baseline.
 
Some campuses have begun moving away from a reactive mode – putting out fires – and becoming proactive, focusing on where sensitive data is stored. Randy mentioned pointing people in the university toward tools like Spider and FindSSN to find sensitive data. This approach lays out a practical step that you can use regardless of size of institution. So the landscape has gone from talking about specific tools to talking about efficacy of tools to talking about the location of the data.
 
Once documents and presentations begin to emerge, it would be good to put information on the wiki in the effective practices work. There are a lot of smaller schools facing the question of allocating scarce resources that would value this information. A reminder that the CSI2 wiki (by default) is open to the world. If there is a need for private space, that is possible, too. Contact Steveo.
 
**Upcoming meetings**

Joint Techs is next week – Joe will be there talking on flows.
 
CAMP is full, but the proceedings will be posted. Once the proceedings are up, Steveo will send a link. CAMP is a Middleware oriented meeting focusing on identity management and security. Chris is doing a couple of presentations.
 
Security Professionals will be in D.C. in early May, with a Ren-ISAC meeting in conjunction with the conference.
 
SANS training – Virginia Tech will offer a series of one- and two-day courses, March 3-8, in Blacksburg. A schedule and course descriptions are available at www.cpe.vt.edu/isect. The cost is $700 for academic institutions. Information about other SANS training is available at www.sans.org/partnership.
 
Repackaging discussion for new audiences (NITLE, NWACC - NorthWest Academic Computing Consortium, CLAC - Consortium of Liberal Arts Colleges, WICHE - Western Interstate Commission for Higher Education)
 
**Packaging presentations for smaller colleges**
 
Should we be thinking of ways to repackage presentations and discussions that we’ve had before into materials for new audiences – perhaps approaching EDUCAUSE regional conferences of other consortia, such as state-wide groups? The audiences will tend to be smaller colleges without large IT or security departments.
 
Some examples of such organizations are:

http://www.nitle.org/
http://www.nwacc.org/
http://www.liberalarts.org/
http://www.wiche.edu/

These presentations and material would focus on security measures institutions can take without a lot of costs or staff time.
 
In addition, NITLE, an organization of about 80 smaller schools, is interested in providing services to their members – perhaps including partnerships, classes and training – in identity management and security. NITLE is also considering hosting services for members that do not have the staffing resources to do some of these things themselves. The discussions have focused more on identity management and federating, but there is talk about moving into security. Some NITLE members will be at CAMP; Chris and Renee will be talking with them.
 
Randy mentioned that Virginia Tech has done some outreach with the Council of Independent Colleges in Virginia with similar purposes in mind.
 
It would be helpful to pursue the discussion of these potential services and presentations via email in between calls.
 
**Next call January 31, 2008**