Networks with many users and a mature IT infrastructure are a favourite with hackers. Take, for example, the National University of Singapore (NUS), whose user population exceeds 40,000. “A total of 105,546 intrusion attempts targeted at NUS were detected in 2006,” says Yong Fong Lian, manager, IT security, NUS. The university estimates that if every attack had resulted in a successful compromise of the network, a staggering 210,000 hours of productivity would have been lost. And the potential cost of these man-hours? A jaw-dropping S$4.2 million (US$2.8 million), or S$350,000 (US$240,000) a month.
Decision-makers at NUS were certain something had to be done about securing the campus’s multitude of networks.
Factors about NUS’s unique environment as an academic and research institution had to be taken into consideration. Firstly, IT administrators had little or no control over notebooks and PCs owned by students, and users also possessed varying levels of technology know-how. The campus also played host to diverse platforms and applications, in addition to a large number of concurrent online systems.
Besides enforcing security policies and using suitable current technologies to combat spam, decision-makers also identified the inefficiencies involved with the manual reporting process to external Internet service providers (ISPs) when an intrusion was detected.
Under the old manual system, attacks detected by the intrusion detection system were reported to the infocomm security team, along with details such as the attack date, time, source IP address, destination IP address and port numbers. Each attack report was then verified against the border firewall logs. Once an attack was confirmed, the abuse contact for the source network was retrieved and an e-mail drafted to that contact with the necessary details. The entire process incurred 20 minutes of manual processing time per intrusion report.
“For the 105,546 external intrusion attempts detected in 2006, tracing and responding to these intrusions manually would have incurred a productivity cost of 35,182 hours, or S$703,640 (US$483,196) in monetary loss,” says Yong.
Plan of action
A bottom-up approach was decided upon, in order to optimise the intrusion reporting process and eliminate much of the manual work involved. An auto-pilot application was developed in-house, using an open-source scripting language and tools. Advantages included low overhead costs, a flexible input method for updates and the ability to handle a high volume of input.
“The application runs every 10 minutes, consolidating attack traffic from the same originating source,” says Yong.
All intrusions from the same source are consolidated into a single e-mail report to the abuse contact.
The reliability of identifying the attack source was also enhanced, as the application distinguishes attacks using TCP, a connection-oriented protocol, from attacks using UDP, a connectionless protocol. Because a TCP attack requires a completed handshake, its source IP address is not camouflaged; a UDP attack, by contrast, can easily have its source address masqueraded while injecting malicious code. The application polls the sending machine once in order to mitigate the risk of identifying the wrong IP address.
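The workflow described above (verify each alert against the border firewall log, consolidate confirmed alerts by originating source, draft one abuse report per source, and flag UDP-only sources whose address may be forged) can be illustrated with a small script. This is an added example, not NUS's auto-pilot code: the IDS and firewall record layouts, the five-second clock-skew window, the per-/24 abuse-contact table and all sample log lines are constructed for the demonstration, and the single active poll of the sending machine mentioned in the article is left out.

```python
"""Consolidate IDS intrusion alerts by source and draft abuse reports.

Illustrative reimplementation of the workflow in the article (confirm alerts
against border firewall logs, group by originating source, draft one e-mail
per source). Not NUS's own tool: record formats, abuse-contact lookup and all
sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alert lines: date time src_ip dst_ip dport proto
IDS_ALERTS = """\
2006-11-03 09:12:41 203.0.113.7 192.0.2.10 22 TCP
2006-11-03 09:13:02 203.0.113.7 192.0.2.11 22 TCP
2006-11-03 09:14:55 203.0.113.7 192.0.2.12 22 TCP
2006-11-03 09:15:10 198.51.100.23 192.0.2.20 1434 UDP
2006-11-03 09:16:00 192.0.2.99 192.0.2.21 445 TCP
"""

# Constructed border firewall log (same layout plus action). The last IDS
# alert has no matching firewall entry and so will not be confirmed.
FIREWALL_LOG = """\
2006-11-03 09:12:41 203.0.113.7 192.0.2.10 22 TCP DENY
2006-11-03 09:13:03 203.0.113.7 192.0.2.11 22 TCP DENY
2006-11-03 09:14:55 203.0.113.7 192.0.2.12 22 TCP DENY
2006-11-03 09:15:11 198.51.100.23 192.0.2.20 1434 UDP DENY
"""

# Constructed abuse-contact table keyed by /24 prefix; a production tool
# would look the contact up via WHOIS instead.
ABUSE_CONTACTS = {
    "203.0.113": "abuse@example.net",
    "198.51.100": "abuse@example.org",
}

MATCH_WINDOW = timedelta(seconds=5)  # assumed clock skew tolerated between IDS and firewall


def parse_records(text):
    """Turn whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        records.append({
            "time": datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S"),
            "src": fields[2],
            "dst": fields[3],
            "dport": int(fields[4]),
            "proto": fields[5].upper(),
        })
    return records


def confirm_against_firewall(alerts, fw_records):
    """Keep only alerts with a firewall entry for the same flow within the time window."""
    confirmed = []
    for a in alerts:
        for f in fw_records:
            same_flow = (a["src"], a["dst"], a["dport"], a["proto"]) == \
                        (f["src"], f["dst"], f["dport"], f["proto"])
            if same_flow and abs(a["time"] - f["time"]) <= MATCH_WINDOW:
                confirmed.append(a)
                break
    return confirmed


def consolidate_by_source(alerts):
    """Group confirmed alerts by originating IP so each source gets one report."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["src"]].append(a)
    return dict(groups)


def abuse_contact_for(ip):
    """Look up the abuse contact for the /24 containing ip (constructed table)."""
    return ABUSE_CONTACTS.get(ip.rsplit(".", 1)[0])


def draft_report(src, events):
    """Build the e-mail for one source. A UDP-only source is flagged because the
    source address of connectionless traffic may have been forged."""
    protos = {e["proto"] for e in events}
    spoofable = protos == {"UDP"}
    lines = [f"Abuse report: {len(events)} intrusion attempt(s) from {src}"]
    if spoofable:
        lines.append("NOTE: UDP only; source address may be forged, verify before acting")
    for e in sorted(events, key=lambda e: e["time"]):
        lines.append(f"{e['time']:%Y-%m-%d %H:%M:%S} {src} -> {e['dst']}:{e['dport']}/{e['proto']}")
    return {"to": abuse_contact_for(src), "src": src, "count": len(events),
            "spoofable": spoofable, "body": "\n".join(lines)}


def run_cycle(ids_text, fw_text):
    """One polling cycle: parse, confirm, consolidate, draft. Returns reports keyed by source."""
    confirmed = confirm_against_firewall(parse_records(ids_text), parse_records(fw_text))
    return {src: draft_report(src, events)
            for src, events in consolidate_by_source(confirmed).items()}


if __name__ == "__main__":
    for report in run_cycle(IDS_ALERTS, FIREWALL_LOG).values():
        print(f"To: {report['to']}\n{report['body']}\n")
```

Run once per scheduling interval (the article's tool runs every 10 minutes), the script turns five raw alerts into two reports: three SSH attempts from one TCP source become a single e-mail, the UDP probe is reported with a spoofing caveat, and the alert with no corroborating firewall entry is dropped rather than reported.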
The auto-pilot solution was also integrated with NUS’s honeynet, an isolated, unprotected network within NUS used for baiting potential attackers. “Integrating our honeynet with the auto-pilot solution helped us in responding to unknown or new types of attacks while at the same time minimising false positives and negatives in the detection process,” says Yong. “Since a honeynet contains non-productive honeypots, any intrusion attempt must be intentional and attacks cannot be missed amid normal traffic.”
The auto-pilot project, implemented in 2007, helped NUS manage risk more efficiently and reduce the total cost of security ownership. The project even won an MIS Asia IT Excellence Award in the Best Security Strategy category last year.
“In such a situation, we learnt that an in-house developed tool can be considerably more cost-effective than a commercially customised tool, without compromising quality and effectiveness,” says Yong.
Automating the reporting process also helped the university save a minimum of 45,000 man-hours, and manpower costs of at least S$900,000 (US$618,000).
“We have been able to further enhance the security of our campus network infrastructure by successfully thwarting external intrusions via this mechanism,” says Yong. MIS Asia