Security Update: SUNBURST and College of Sciences

1/8/2020

SUNBURST & Impact to College of Sciences

You may be aware of a serious ongoing cyberattack affecting many federal agencies and private companies. US cybersecurity and intelligence agencies believe that this is the work of a nation-state, most likely Russia. It is believed that classified networks were not affected at this time. It is difficult to overstate the seriousness of this attack. Many federal agencies have been compromised, including NIH and CDC.

How the attack worked

The technical details around this attack are complex, but in a nutshell, the malicious actors were able to breach a tech company, SolarWinds, and insert malware called SUNBURST into a standard software update, so that when users updated the SolarWinds software, the malware was installed. From there, the malware was able to take advantage of various vulnerabilities and establish control over the networks the affected computers were on. 

While some of the vulnerabilities were previously unknown, they also included some mundane ones which made the situation worse, such as weak administrative passwords, unpatched systems, systems operating with more privileges than they actually needed, and systems that were not behind firewalls.

Impact to NC State

Current

Mardecia Bell, NC State’s Chief Information Security Officer, has shared the following:

We have been monitoring this attack and have not seen any impact on the university thus far. We will communicate otherwise. The best defense researchers can do is to make sure their machines are patched and adhere to the EPS. Having machines behind the firewall is a great security measure against these types of attacks. If anyone sees any unusual activity, please have them report it to either your team or abuse@ncsu.edu.

ISS will be monitoring activity over the holiday break. I hope this is helpful. Let us know if you have any questions.

Future

  • We can expect substantially increased scrutiny of IT security measures from funding agencies and enhanced compliance requirements that may require some level of system redesign. 
  • This will include ensuring that the university is compliant with existing rules, regulations, standards and other requirements. It may also include increased scrutiny and new security requirements.

College of Sciences IT strategy

Protecting the College’s data and technology systems is a fundamental function of IT in the College of Sciences. The current situation highlights issues that must be addressed within the College.

We will follow all university PRRs and encourage additional security best practices.

Top priorities:

1. Endpoint Protection Standard Compliance

  • Any computers with research data that are not yet compliant with EPS (RUL 08.00.18 – Endpoint Protection Standard) will be brought into compliance as a top priority.
    • This may include either meeting all of the EPS requirements, or requesting an exception as appropriate. 
    • Exceptions are required to have a justification and provide an alternative way to ensure equivalent security.
  • All other computers that are not yet compliant with the EPS will be addressed as quickly as possible.

2. Private Networks and VPN

  • We will transition all computers with public facing IP addresses to private networks behind a firewall. 
    • Note that this will not impact the ability of computers to access the internet, and as a rule the systems can continue to be accessible via VPN.
    • All new IP address assignments will be private IP addresses by default.
    • Exceptions should be rare. In those cases, we will work with the system owner to find the best solutions to minimize risk.
    • Computers and storage systems with research data will be prioritized.

3. Purchasing

  • Purchasing processes will be implemented to ensure that all new computers, servers, and storage systems are vetted for security issues and that we ensure compliance with EPS and all other university PRRs.

4. Administrative Privileges

  • In accordance with the EPS, administrative rights on computers will be limited to those who have a work-related technical need for those privileges (the “principle of least privilege”).
    • We will ensure that anyone who has such a need has the privileges necessary to do their work.
    • We may implement an option that allows temporary administrative privileges to assist with this.
    • We may provide alternative processes which do not require administrative privileges.

Disruption

  • Everyone should expect to experience some level of inconvenience along the way and may need to make adjustments to workflows as we implement the necessary security measures to protect research data and the rest of the computing environment. 
    • Changes almost always come with some disruption.
    • The tension between security and usability is real, and we will minimize the impact to the greatest extent possible.

Proactive IT Security Consulting

  • Sciences IT provides consulting in partnership with the University Libraries, OIT Shared Services, and OIT Security & Compliance regarding system design and data storage.
  • Sciences IT also provides consulting in the planning and pre-award stages for funded projects to help researchers identify resources and recommend solutions to protect their data while maintaining research productivity.
  • Sciences IT will assist with identifying existing IT resources and recommending solutions for the proposal budget.
  • Contact us at help@sciences.ncsu.edu to arrange a consultation.