[unisog] Server Inventory Project (was blog being used for spam)

Martin Manjak MManjak at uamail.albany.edu
Mon Nov 26 13:45:12 GMT 2007


Russell's comments about the distributed and open nature of most higher
ed environments suggested to me that folks on this list might be
interested in a project that we are working on here at the University at
Albany. We are in the process of creating a server inventory that would
be used to notify system owners of the services that are publicly
visible on their machines. 

Very briefly, the NOC runs a scan, we parse the results using XML, refer
to NetReg to pull ownership information, then send an email notice to
system owners asking them to do three things: 1. verify their ownership;
2. certify that they are in compliance with our campus standards for
connecting servers to the network; and 3. validate each of the services
we see on their machine. 

The notice provides information about the machine that looks like a
server, including an itemized list of the services. Recipients are asked
to click on a link that takes them to a web front end for the server
inventory db. Here, they can perform the tasks that we have requested
(verification, certification, and validation). 

We hope to accomplish a number of objectives with this tool: publicize
the server standards, get assurance that sys admins are in compliance,
confirm that sys admins/owners actually intended to put a server on the
network, and alert them to the services that are publicly available
(e.g., ssh).

If anyone's interested in further details, they can contact me off list
at mmanjak at uamail.albany.edu.

Martin Manjak
CISSP, GIAC GSEC-G, GCIH, GCWN
Information Security Officer
University at Albany
MSC 209   437-3813 
"Information security controls should be considered at the systems and
projects requirements specification and design stage."
ISO/IEC 17799 Information Security Management Code of Practice
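
The pipeline described in the second paragraph (NOC scan, parse the XML, look up the owner in NetReg, mail the owner a notice with a link into the inventory front end), as an added example; this is not code from the original post or from the Albany project. It assumes the scan is nmap's -oX XML output (the post does not name the scanner), stands in for the NetReg lookup with a small dict, and uses a placeholder inventory URL and link secret; the sample scan results and registry entries are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import defaultdict

INVENTORY_URL = "https://inventory.example.edu/verify"  # placeholder, not Albany's
LINK_SECRET = b"replace-with-a-per-deployment-secret"   # placeholder

# Constructed sample scan (assumed nmap -oX format); 192.0.2.0/24 is documentation space.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.7" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed stand-in for the NetReg ownership lookup (ip -> owner record).
NETREG = {
    "192.0.2.5": {"owner": "jdoe@example.edu", "dept": "Biology"},
    "192.0.2.7": {"owner": "jdoe@example.edu", "dept": "Biology"},
    "192.0.2.20": {"owner": "asmith@example.edu", "dept": "Physics"},
}


def parse_scan(xml_text):
    """Return {ip: [(proto, port, service), ...]} for hosts that are up and
    expose at least one open port; down hosts and closed/filtered ports are
    dropped, so what remains is the 'looks like a server' set."""
    servers = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        if open_ports:
            servers[addr.get("addr")] = sorted(open_ports, key=lambda p: (p[0], p[1]))
    return servers


def verify_link(ip, owner):
    """Link into the inventory front end, bound to (host, owner) with an HMAC
    so a recipient cannot verify/certify someone else's machine by editing the
    URL (assumption: the front end recomputes and checks the tag)."""
    tag = hmac.new(LINK_SECRET, f"{ip}|{owner}".encode(), hashlib.sha256).hexdigest()
    return f"{INVENTORY_URL}?ip={ip}&t={tag[:32]}"


def build_notices(servers, registry):
    """Group server-like hosts by NetReg owner and draft one notice per owner.
    Hosts with no NetReg record are returned separately: nobody can be asked
    to verify them, so they go to the security office instead."""
    by_owner, unowned = defaultdict(list), []
    for ip, ports in servers.items():
        rec = registry.get(ip)
        if rec is None:
            unowned.append(ip)
        else:
            by_owner[rec["owner"]].append((ip, ports))
    notices = {}
    for owner, hosts in by_owner.items():
        lines = [f"To: {owner}",
                 "Subject: Server inventory: please verify, certify and validate",
                 "",
                 "Our network scan found the following publicly visible services on",
                 "hosts registered to you. Please (1) verify that you own each host,",
                 "(2) certify compliance with the campus server connection standards,",
                 "and (3) validate each listed service using the link for that host.",
                 ""]
        for ip, ports in sorted(hosts, key=lambda h: h[0]):
            lines.append(f"  {ip}")
            lines.extend(f"    {port}/{proto}  {name}" for proto, port, name in ports)
            lines.append(f"    {verify_link(ip, owner)}")
            lines.append("")
        notices[owner] = "\n".join(lines)
    return notices, sorted(unowned)


if __name__ == "__main__":
    notices, unowned = build_notices(parse_scan(SCAN_XML), NETREG)
    for text in notices.values():
        print(text)
    print("No NetReg owner (report to security office):", unowned)
```

Two points a practitioner would want from such a tool: the hosts that come back with no NetReg record are the interesting ones (a server nobody registered is exactly the "did you intend to put this on the network" case), so they are returned separately rather than silently dropped; and the link in the notice is bound to host and recipient with a keyed tag, because a plain "click here to verify host X" URL would let anyone who guesses the URL format certify any machine. Whether the real inventory front end does that check is an assumption of this example, not something the post states.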

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Russell Fulton
Sent: Saturday, November 24, 2007 6:04 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] cornell.edu blog being used for spam - and now virginia.edu as well

Ali, Saqib wrote:
>
> If your university is putting up Wordpress blog servers, please ensure
> that you are installing a spam block plugin as well. I think this
> problem will only get worse...
>
As Dan has already pointed out most universities do not have tight
central control over servers.  Any one of hundreds of small groups can
and do put up their own web based services.  Some of these groups (or
their admins) are naive and/or inexperienced, which leads to bungles
like these.  This situation is far from ideal, but the benefits of the
open academic environment generally outweigh the problems, which, given
the number of web servers involved, are fairly small.

Most of us (central security folk) spend quite a lot of time and effort
educating people in our faculties about such matters but the reality is
that there are always folk who for one reason or another miss the
message. For instance much of the work of putting up such sites is done
by grad students who turn over very rapidly.

Speaking for UoA we have several hundred web servers exposed to the
Internet and we get one or two abused a year.  We consider this risk
well worth the freedom this practice allows our academics.

Most universities are well aware of these risks and have well
established incident response policies that can deal with such matters
very quickly.   Mail to abuse or security @ auckland.ac.nz will get a
compromised server off the net in a minimum of 6 - 8 hours (over night
on a weekend).  Most issues are dealt with much quicker than this.

Russell
_______________________________________________
unisog mailing list
unisog at lists.dshield.org https://lists.sans.org/mailman/listinfo/unisog