[unisog] Large Scale User Education

Gary Flynn flynngn at jmu.edu
Sun Sep 29 22:34:41 GMT 2002


Allen Chang wrote:

>Hi,
>
>I'm wondering if anyone out in unisog-land has attempted large scale user
>education campaigns in regards to securing their computers. After the
>amount of time that we've spent cleaning up compromised Windows 2000
>computers, we're going to try for the prevention route.
>
>To people who have done it, how effective has it been and how was it
>implemented?
>

While we have a variety of security awareness programs, I suspect that the
preventive measure with the most success for these Windows 2000 problems is
our Internet border netbios filters. Not that they've been 100% effective :)

As far as education efforts:

1) Whenever someone goes through the mandatory password change process for
     their university accounts, they also must go through a mandatory
     security awareness training session. It's online at:

       http://www.jmu.edu/computing/security/sa/

     Feedback has been mixed. Some find it eye-opening and useful. Some don't.
     I take pleasure from the feedback indicating that someone's eyes were
     opened. :)

2) We have a general computer security program called RUNSAFE which has
     voluntary workshops associated with it. A video was produced as part of
     a student project that was supplied to students on the CD we distribute
     to our student residences during move-in. It's a 160Mb mpeg file at:

       http://www.jmu.edu/computing/runsafe/runsafe.mpeg

     I don't know yet how many people have actually viewed it nor whether
     they've changed their behavior because of it.

3) Along the Windows 2000 problem line, I run a script I call "findshares"
     regularly that searches out systems without passwords or with their
     entire hard drives shared. If found, several icons containing the
     following web page are dropped on the user's desktop:

       http://www.jmu.edu/computing/security/tools/warn.html

     Along this same line, I'm working on having our vulnerability scanner
     mail reports to the registered owners of systems reported to have
     certain vulnerabilities. I also send warnings when our mail server sees
     a virus sent from a JMU system.

4) I'm working on a program similar to RUNSAFE called StartSafe which will
     provide minimum recommendations for secure starting points. It will
     replace a lot of stuff in the "Nullify unneeded risk" section of
     RUNSAFE. I'm hoping it will evolve into automated desktop management
     efforts and tools.

How effective it's been is anyone's guess. I haven't seen but a few of the
Windows 2000 problems that have been described here on the list, but that is
almost certainly due more to our netbios blocks and regular findshare scans
than to our education efforts.

Last year I was disappointed several times when, as a guest speaker, I asked
classrooms of students about RUNSAFE and almost none of them had heard
about it. The security awareness material was re-written to concentrate on
RUNSAFE topics, a feedback form was supplied, and the video was installed
on the student CDs. I haven't had the opportunity this year to see how
awareness or behavior has changed.

To really find out how effective the training is would require incident
statistics from similarly sized organizations with similar platform
populations and network access controls.

We've had about four dozen Aplore worm infections since the start of school.
Perhaps a dozen Nimda infections. A dozen or so miscellaneous mailing worms.
Two Linux slapper worm infections. One wu-ftp compromise. I think we've had
less than a dozen unauthorized Serv-U FTP installations on Windows systems,
but I'm still doing follow-up. Since the start of school, I haven't seen any
IRC-BOTS generating significant traffic, but as you and I both know that
doesn't mean anything. There may be hundreds of inactive ones or ones that
aren't detected using the methods I'm using. I haven't seen any JMU addresses
on any IRCBOT lists or been notified of one. Of course now that I've said
that.... :(

I'll add my usual disclaimer...those are the incidents we know about. It's the
ones we don't know about that worry me the most. While viruses, web
defacements, and ddos attacks get all the press, it's those folks that may be
sitting quietly collecting information, collecting slaves, and further
infiltrating our infrastructure that give me nightmares.

Gary Flynn
Security Engineer - Technical Services
James Madison University
