Integrating Vulnerability Scanning with Web Authentication
Thursday, January 1, 2004
During fall 2003, the large-scale Internet worm W32.Blaster exploited a widely known vulnerability in the Windows remote procedure call (RPC) service (the DCOM RPC flaw addressed by Microsoft bulletin MS03-026) across academic institutions in the United States. The infection presented serious risks to the integrity and availability of computing systems attached to the campus network. In response, UC Davis developed and implemented several emergency measures to identify susceptible Windows RPC services and to provide the tools and information needed to remove the vulnerability or, where necessary, disinfect worm-infected computers. This vulnerability reduction and infection removal effort specifically included:

• A per-client vulnerability probe, initiated against any computer used to access a Web-based campus application. If the probe found the host vulnerable, the user's browser was redirected to a page describing corrective resources, and authentication was refused until the relevant security patches had been installed. Because Web-based authentication is used broadly across campus, this probe compelled many students, staff, and faculty to apply critical security patches.

• An automated scan of the computers connected to the campus data network to identify hosts with RPC vulnerabilities. The scan ran twice per day, and its results were stored in a database.

• An intrusion detection sensor at the campus border to identify computers generating worm-infected or otherwise malicious traffic entering or leaving the campus network.

• A network honeypot on an unused network segment to identify infected computers scanning or connecting to nonexistent hosts.

• The creation and distribution of CDs containing corrective patches and infection removal tools.

• On-site staff assistance to Student Housing technology specialists during the fall 2003 opening of the on-campus residences.
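The probe-gated login described in the first bullet, together with the shared results database and per-VLAN query described in the next paragraph, as an added example in Python. This is not UC Davis's code or any tool the article names. Assumed, not taken from the article: the remediation URL, an in-memory database, a 12-hour cache matching the twice-daily network scan, and a plain TCP connect to the Windows RPC endpoint mapper on port 135 standing in for the real RPC/DCOM vulnerability test. The gate re-probes a host whose only finding is a vulnerability, so a freshly patched machine is admitted at its next login, but holds a host flagged by the intrusion detection sensor or honeypot until staff clear the record, mirroring the modem pool permit handling.

```python
"""Probe-gated Web login backed by a shared scan-results database.

Added example; not UC Davis's code.  Assumed (not from the article): the
remediation URL, an in-memory database, a 12-hour cache matching the
twice-daily network scan, and a TCP connect to the Windows RPC endpoint
mapper (port 135) standing in for the real RPC/DCOM vulnerability test.
"""
import ipaddress
import socket
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

REMEDIATION_URL = "https://example.edu/security/rpc-patch"  # hypothetical
RPC_PORT = 135                 # Windows RPC endpoint mapper exploited by Blaster
CACHE_TTL = 12 * 60 * 60       # results older than this are re-scanned
INFECTION_SOURCES = {"ids", "honeypot"}  # evidence of infection, not just exposure


@dataclass
class ScanRecord:
    ip: str
    flagged: bool        # vulnerable (probe/scan) or infected (ids/honeypot)
    scanned_at: float
    source: str          # "login-probe", "campus-scan", "ids" or "honeypot"


class ScanDatabase:
    """One store fed by the login probe, network scan, IDS and honeypot."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, ScanRecord] = {}

    def record(self, ip: str, flagged: bool, source: str, now: float) -> ScanRecord:
        rec = ScanRecord(ip=ip, flagged=flagged, scanned_at=now, source=source)
        self._by_ip[ip] = rec
        return rec

    def clear(self, ip: str) -> None:
        """Staff clear a host after disinfection, like reactivating a modem permit."""
        self._by_ip.pop(ip, None)

    def lookup(self, ip: str, now: float) -> Optional[ScanRecord]:
        """Current record for ip, or None if absent or older than CACHE_TTL."""
        rec = self._by_ip.get(ip)
        if rec is None or now - rec.scanned_at > CACHE_TTL:
            return None
        return rec

    def flagged_in(self, cidr: str, now: float) -> List[str]:
        """The query unit technical staff run against their own VLAN."""
        net = ipaddress.ip_network(cidr, strict=False)
        hits = []
        for ip in self._by_ip:
            rec = self.lookup(ip, now)
            if rec is not None and rec.flagged and ipaddress.ip_address(ip) in net:
                hits.append(ip)
        return sorted(hits, key=ipaddress.ip_address)


def rpc_port_open(ip: str, port: int = RPC_PORT, timeout: float = 2.0) -> bool:
    """Stand-in probe: True if the host accepts a TCP connection on port 135.

    Reachability only; a patched host also listens here, so a real gate needs
    a probe that exercises the vulnerable DCOM interface.  It also fails open:
    a host that drops the connection is reported as not flagged.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class GateDecision:
    allow: bool
    redirect: Optional[str]   # where to send the browser when login is refused
    reason: str


def gate_login(client_ip: str, db: ScanDatabase,
               probe: Callable[[str], bool] = rpc_port_open,
               now: Optional[float] = None) -> GateDecision:
    """Decide whether the Web authentication form may be served to client_ip."""
    now = time.time() if now is None else now
    rec = db.lookup(client_ip, now)
    if rec is None or (rec.flagged and rec.source not in INFECTION_SOURCES):
        # No fresh result, or only a vulnerability finding: probe now so a host
        # patched since the last scan is admitted without waiting for the cache
        # to expire.  Infection findings stay until staff clear them.
        rec = db.record(client_ip, probe(client_ip), "login-probe", now)
    if rec.flagged:
        kind = "infected" if rec.source in INFECTION_SOURCES else "vulnerable"
        return GateDecision(False, f"{REMEDIATION_URL}?host={client_ip}&reason={kind}",
                            f"{kind} ({rec.source})")
    return GateDecision(True, None, "clean")


if __name__ == "__main__":
    # Constructed walk-through with stub probes so it runs offline.
    db = ScanDatabase()
    t0 = time.time()
    print(gate_login("10.1.2.3", db, probe=lambda ip: True, now=t0))   # refused
    print(gate_login("10.1.2.3", db, probe=lambda ip: False, now=t0))  # patched, allowed
    db.record("10.1.2.9", True, "honeypot", t0)
    print(gate_login("10.1.2.9", db, probe=lambda ip: False, now=t0))  # still refused
    print(db.flagged_in("10.1.2.0/24", now=t0))
```

Two caveats the code makes visible. The stand-in probe fails open: a host that drops the connection (a personal firewall, or a NAT gateway or proxy sitting between the real client and the Web application) is recorded as clean, so the address the application sees must actually belong to the machine that needs patching. And an open port 135 is not a vulnerability finding, since patched hosts listen there too; a production probe has to test the vulnerable DCOM interface itself.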
The results from the login probe, the intrusion detection sensor, and the honeypot were stored in an online database. Campus technical staff were given a query function against that database to identify vulnerable or infected computers within their unit's VLANs. In addition, the campus modem pool permit for an individual computing account was temporarily revoked when infected RPC traffic was traced to that modem pool user; the permit was reactivated once the infection had been removed.

This approach was highly successful in quickly reducing RPC vulnerabilities and removing the infections that had exploited them. That success raised the question of whether the RPC vulnerability and infection detection tools could be extended to substantially reduce threats to campus computing by proactively identifying computers susceptible to anticipated exploits, rather than only reacting to an attack already under way.

A workgroup was formed in early January 2004 to help the campus determine the feasibility of adding new vulnerability detection functionality to the emergency RPC vulnerability scanning and reporting mechanism. If the expansion was judged feasible, the workgroup was asked to outline the development tasks and resources it would require. The resource estimates were to cover software, hardware, and labor for development and maintenance in support of critical vulnerability identification, vulnerability signature creation, integration with the existing intrusion detection and infection databases, and vulnerability reporting. The workgroup was also asked to propose a timeline for completing the expansion. The workgroup, with broad campus representation, met during the first quarter of 2004 to address its charge.