managing information technology @ ut information security bert hayes ut austin information security...
TRANSCRIPT
Managing Information Technology @ UT
Information Security
Bert Hayes UT Austin Information Security Office [email protected]
Managing Information Technology @ UT
Objective
• Learn about information security best practices within the campus environment
Managing Information Technology @ UT
Overview• ISO Office• Computer Security Best Practices• Data Security and Confidentiality• Importance of TSC Tools• ISORA• Reporting Computer Misuse or Abuse• Incident Response• Disaster Recovery Planning• Risk Assessment Services
Managing Information Technology @ UT
ISO Mission/Function• Manage the university information security program.
• Provide direction for university information security policies, standards, and procedures.
• Develop and maintain an institutional information security risk management program for the university.
• Work in partnership with campus IT leaders, committees and boards, audit, compliance, and legal departments to create appropriate institutional information security strategies and plans.
• Assure all university network and system security monitoring and testing activities are conducted in accordance with federal, state, and university regulatory requirements.
Managing Information Technology @ UT
ISO Mission/Function(continued)
• Manage university response to IT security incidents and authorized to take any action deemed necessary to protect university IT resources.
• Advise university departments regarding security administration, implementation, and management.
• Promote information security awareness and education throughout the university.
– http://security.utexas.edu/consensus
• Mission - http://security.utexas.edu/about/
• Initiatives - http://security.utexas.edu/about/initiatives.html
• ISO Organizational Chart - http://security.utexas.edu/about/orgchart.html
Managing Information Technology @ UT
Security Best Practices• Account and User
Management• Securely deploy,
maintain, and dispose of a system
• Keep up to date on the latest vulnerabilities for your systems
• Patch your operating system
• Use a host-based firewall and virus protection
• Physical Security • Monitor your systems • Train your users on
security awareness– System-level security
– Application security
Managing Information Technology @ UT
Account and User Management
• Users who have special access must complete a “Position of Special Trust form”.
– http://www.utexas.edu/hr/PDF/secsens.pdf
• Choose strong passwords – http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php
• Disable unused default accounts and set passwords for required default accounts.
• Disable or update accounts promptly when an account holder’s status changes. When a vendor or other 3rd party requires access to a University machine, ensure that they have only the minimum necessary access, for the shortest time possible.
Managing Information Technology @ UT
Secure, deploy, maintain dispose of systems
• Secure machines before placing them on the network.
• Develop an installation/configuration checklist
– Wide variety of checklists: http://www.cisecurity.org
– ISO Hardening Checklists:• http://security.utexas.edu/personal/
• http://security.utexas.edu/admin/
• Minimize services/remove unused services
• Configure the remaining services to be as secure as possible
• Use scripts/templates to automate the process
• Dispose of hardware securely: overwrite the contents of drives and other media so that it is no longer recoverable
Managing Information Technology @ UT
Secure, deploy, maintain dispose of systems (continued)
• Utilize a change management strategy to ensure that information technology resources are protected against improper modification before, during, and after system implementation.
Managing Information Technology @ UT
Keep up to date on vulnerabilities
• Securityfocus.com: Home of Bugtraq and all of its spin-offs – http://www.securityfocus.com/archive
• Microsoft Technical Security Notifications– http://www.microsoft.com/technet/security/bulletin/notify.mspx
• Apple Security-Announce– http://lists.apple.com/mailman/listinfo/security-announce
• Application specific mailing lists• Avoid vulnerabilities in locally developed code
– https://security.utexas.edu/admin/checklists/
Managing Information Technology @ UT
Patch Operating System• Windows:
– Windows Update http://windowsupdate.microsoft.com
– Campus SUS Servers http://www.utexas.edu/its/wsus/
• Macintosh– Use Software Update http://support.apple.com/kb/HT1338?
viewlocale=en_US
• Linux– Red Hat Enterprise: Red Hat Network Update Module
https://www.redhat.com/rhn/rhndetails/update/– https://www.redhat.com/security/updates/
• Sun– Sun Update Connection http://www.sun.com/service/sunconnection/index.jsp
Managing Information Technology @ UT
Use a host-based firewall and virus protection
• Personal firewalls and anti-virus software for Macs and Windows desktop computers are available via Bevoware http://www.utexas.edu/its/bevoware (Check OS X version)
• Consoles are available for use in a centrally managed environment
• Windows XP, Vista, and 2003 Server with the latest service pack offer a host-based firewall
• Apple Firewall - Behaves differently in 10.5 vs 10.4• Unix/Linux: iptables • BSD: ipfw
Managing Information Technology @ UT
Physical Security• Physically secure information resources appropriately for their role
– Servers should be kept in secured areas with access limited to systems administrators.– Public access workstations should be secured against theft
• Terminate access quickly for those who no longer need physical access to facilities
• Review access logs regularly and investigate any unusual access• Protect access cards, keys, etc., and report them promptly if they are lost or
stolen• Use a password-protected screensaver
Managing Information Technology @ UT
Monitor your systems
• Logs– System logs such as authentication logs and – Application logs, such as web logs,– Look for activity that is out of the normal profile– Consider automated log-monitoring software for high-volume logs– UT Enterprise license for Splunk
• Check to make sure that patches and updates are installed• Check to make sure that the system isn’t modified either innocently or
maliciously– Check configuration files and services after applying patches and updates– Consider running an integrity checking tool like Tripwire/samhain/AIDE to check for
modifications to critical files– Consider running a host-based IDS like OSSEC HIDS http://www.ossec.net
Managing Information Technology @ UT
Train Your Users• Encourage them to read and understand the AUP as
well as other policies and procedures that are applicable.
• Many users accidentally or intentionally do things that result in a host being compromised
• Virus scanning software is reactive• Training users to recognize and correctly respond to
security issues can significantly lighten your workload in the long run
Managing Information Technology @ UT
Train Your Users (Continued)– Email is NOT secure! – Treat attachments like suspicious packages– Train them to choose a strong password – with
UpPerCaSe and #s !@#– Be careful with phishing!– No legit bank would ask for your password, pin #, and
3-digit code; much less over an email (remember – email is not secure)
Managing Information Technology @ UT
The Big Three
1. Patch Your Operating System
2. Run up to date anti-virus software
3. Run up to date firewall software
Managing Information Technology @ UT
Did You Know?
What is the minimum amount of time that a vulnerable system has been compromised on UT campus?
Managing Information Technology @ UT
Data Security and Confidentiality
• Data classification guidelines– Category I– Category II– Category III
• Protecting Data (general)
• Protecting Category I Data
Managing Information Technology @ UT
Category I Data• Protection of data is required by law (HIPAA and FERPA)• System is immediately categorized as a higher risk• Examples of data: Medical, Student information, Contracts, Credit
Card Numbers, certain research information• Systems with this type of information should be reported to the
Information Security Office – TSC Utilities
• A risk assessment or security review by the ISO may be required.
Managing Information Technology @ UT
Category II and III Data• Category II (Moderate sensitivity)
– We have a contractual obligation to protect this data– Examples:
• Data releasable in accordance with the Texas Public Information Act (contents of specific e-mail, date of birth, salary, etc.); data that must be protected due to proprietary, ethical, or privacy considerations.
• Category III (Low/No sensitivity)– This is information that may be publicly available; it still
may be important to protect the original source data from modification.
– Example: • Data that might otherwise be considered publicly available, personal
Internet browsing data, personal notes, etc.
Managing Information Technology @ UT
Protecting Data• Use File system/Operating system permissions to restrict who
has access to data and what kinds of access they have
• Don’t forget about protecting data in other forms, including removable media, print-outs, and on-screen display
• Backup your data regularly.
• Backup media should be securely stored in a physically separate AND SECURE location.
Managing Information Technology @ UT
Protecting Category I Data– Encrypt the contents of the data on media and while it is being transmitted
• Transport encryption such as SSL,SSH, unencrypted protocols through TLS, IPSec
– Encrypt data while it is at rest• File/Drive/Volume encryption
– Safeboot– Bitlocker– File Vault
– Protect the display of the data• Data should only be visible to those authorized to see it.• Printers should be attended at all times or placed in secure area.
Managing Information Technology @ UT
Importance of the TSC Tools
All systems connected to the University network must be registered via the TSC tools. This information should include:
– Data classification– System Priority– TSC Contact Information– After hours contact information (if appropriate)
Managing Information Technology @ UT
Importance of TSC Tools (continued)
This data is used by several different applications
- ISORA- Incident Handlers (ISO)- Self Scan security scanner- Networking applications
Managing Information Technology @ UT
ISO Annual Risk Assessment• Information Security Office Risk Assessment
(ISORA)• In-house application designed to meet
regulatory and compliance requirements• 2007 is the first time this process has been used
on a large scale on campus• Revision process to begin soon before Summer
2008 deployment
Managing Information Technology @ UT
Reporting Computer Misuse or Abuse
• Reporting Incidents to the ISO
• Reporting Special Security Incidents
• Incidence Response
Managing Information Technology @ UT
Security Assessment Services• http://security.utexas.edu/risk/assessments• Application Vulnerability Assessment• System Security Assessment• Network Vulnerability Assessment• Penetration Testing• Physical Security Assessment• Compliance Assessments
Managing Information Technology @ UT
Disaster Recovery Planning• ITS Disaster Recovery Plan
– Overview– Mission– Objectives– Responsibilities– Preparation– Testing– Associated Documents– http://security.utexas.edu/risk
• Restarting Texas