Security Standards in Higher Education

Presented by:

Karen Eft, IT Policy Manager, University of California, Berkeley

Robert Ono, IT Security Coordinator, University of California, Davis

Copyright Karen Eft and Robert Ono 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.


Session Focus

As consumers, we see evidence of and benefit from operational standards every day.

The University of California promotes the use of information security standards within each of its 10 campuses. This presentation will review the different approaches UC Berkeley and UC Davis use to develop, maintain, and enforce information security standards.


Session Agenda


Institutional Information

Development of Security Standards
• UC Berkeley
• UC Davis

Differences Between Two Programs

Common Program Features


Institutional Highlights

UC Berkeley
• 34,000 students
• Degree programs: 108 bachelor’s, 66 masters, 98 doctoral, 24 concurrent, 13 other
• $516 million in research awards in 2005-2006
• 34 Professional School degree programs

UC Davis
• 30,500 students
• 100 academic majors and 86 graduate programs
• $544 million in research awards in 2005-06
• UCD Medical Center
• Law, Medicine, Education, Management and Veterinary Medicine


Session Agenda


Development of UC Berkeley Security Standards

• Policy & procedures
• Organization
• Marketing
• Informing users
• What’s next?


UCB Policy & procedures

1. Departmental Security Contact Policy

To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. …

Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.


UCB Policy & procedures

2. Campus IT Security Policy

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control.

Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.


UCB Policy & procedures

3. Guidelines and Procedures for Blocking Network Access

When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked.

If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via email that the block has occurred.


UCB Policy & procedures

3. blocking (continued):

If the threat is not immediate, notification of the threat will be sent to the departmental security contact(s) via email. If a response is not received within 4 hours indicating that the department is taking action to mitigate the threat, the offending computer(s) will then be blocked.

Requires use of a good incident tracking system


UCB Policy & procedures

3. blocking (continued):

In either case, central campus network and security personnel will work with the departmental security contact(s) and/or the system administrator(s) to ensure that the computer(s) are properly re-secured. If a block has been put in place it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.


UCB Policy & procedures

and finally …

4. Minimum Standards for Security of Berkeley Campus Networked Devices

(Appendix A to the “IT Security Policy”):

http://security.berkeley.edu/MinStds/AppA.min.htm


UCB Policy & procedures

The Minimum Security Standards:

1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don’t run unnecessary services


UCB Policy & procedures

5. Implementing Guidelines to assist system administrators and end-users to configure their networked devices to comply with the Minimum Standards.

Include:
• clarifying information about the Standards
• configuration details for many situations

They do not include:
• step-by-step instructions for every existing device or operating system


UCB organization


Key groups:

Campus Information Security and Privacy Committee (CISPC)

IT Policy Services (Office of the CIO)

System and Network Security
• Campus security operations group.
• Policy enforcement through blocking hosts from accessing the campus network

Data Stewardship Council

Security SIG


UCB organization


SNS assists campus users with securing information assets.

• Risk assessment for network connected hosts: Operation of host vulnerability scanner to identify hosts that are at risk. Longitudinal analysis of campus risk for attack. Inventory of systems containing restricted data and assessment of these systems security position.

• Assist departments with developing systems and processes to handle information securely: Assist in the development of plans for securing personal information like credit-card data. Review systems security plans for departments and assist with the creation of these plans.

• Incident response: Notify users or departmental security contacts of systems at risk or that have been compromised. Assist law enforcement agencies with security requests while protecting privacy. Enforce campus minimum standards where necessary.

• Coordinate and assist with campus security efforts: Participate in user community security training. Assist central campus organizations, like the CISPC, where needed. Represent UCB security both to external and internal organizations.

(Michael Green, March 2007)


UCB marketing

A revolutionary new concept:


“minimum” ≠ “minimal”


UCB marketing

Get “real”:

One-year implementation period

Exception process


UCB marketing

Request for Exception to the Campus Minimum Security Standards

If devices such as computers, printers, or other network appliances do not have at least a basic level of security, they are subject to being blocked from campus network connection. (See the Minimum Standards for Security of Berkeley Campus Networked Devices.)

Departments, units, or individuals who believe their devices require configurations that do not comply with these Minimum Standards may request exceptions to the Policy*, using one of the following links:

(for a single device) (for multiple devices)

http://security.berkeley.edu/MinStdsException.html


UCB informing users

Minimum Security Standards Exception Request Form - Complex
(To submit a Simple request, go back to http://security.berkeley.edu/MinStdsException.html)

Your Information:
• Your Name (Required)
• Your Department (Required)
• Your Position/Role
• Your E-mail (Required)
• Your Phone
• Security Contact E-mail (if known)

Devices Requiring Exception
Please describe in detail. Include IPs, hostnames and MACs (if available). For services, indicate which ports are used.


UCB informing users

Representative IP (Required) (For determining/verifying security contact. This should be one of the IPs included in the request.)

From what standards are you requesting an exception? (Check all that apply and give a detailed explanation.)
• Software patch updates
• Anti-virus software
• Host-based firewall
• Passwords
• No unencrypted authentication
• No unauthenticated email relays
• No unauthenticated proxy services
• Physical security
• Unnecessary services

Explanation:


UCB informing users

Correction and Mitigation

Exceptions to the standards are expected to be temporary. For example, until needed resources can be acquired, changes can be made in the types of activities conducted, or new mitigating technology becomes available. What steps are you taking, or changes do you expect to occur, that will enable you to meet the minimum standards in the future?

What is your timeframe for meeting the Minimum Standards?

What are you doing to mitigate the situation until you come into full compliance with the minimum standards?


UCB informing users

Keep the community fully informed.

State as many places as possible that connections will be blocked for non-compliance with MSS.

Send individual security event notices to security contact address.

Provide look-up website: has my IP been blocked?

Send current activity publicity.


UCB informing users

SAMPLE of specific email:

“After a suspension of several months, SNS is now fully staffed and ready to resume enforcement of the campus Minimum Security Standards for Networked Devices (MSS) for unpatched Windows hosts and Windows hosts with blank admin passwords. Beginning Tuesday, March 13, we will ramp up our operations by beginning with campus hard-wired non-DHCP Ethernet hosts and dial-up modem hosts, then later add AirBears, VPN, and DHCP-based hosts over the next few months.


UCB informing users

sample (cont’d):

The sequence of messages will be as follows: After an initial notification of non-compliance with the MSS, if no response is received within 5 working days, and if no active compromise or other security risk is noted, a second notice will be sent 2 working days before active blocking begins.

The list of blocked IP addresses and SNS tracking numbers is available on this SNS web page:

http://sec-info.berkeley.edu/cgi-bin/blockinfo-login.pl

If you have any questions about the MSS or this notice, please write to the [email protected] address.”


UCB what’s next?

Procurement Requirements BEFORE you buy …

Minimum Standards for Applications

Minimum Standards for Restricted Data


UCD – Early Beginnings

New Policies and Technology with Broad Campus Consultation

Intrusion Detection

Email Anti-Virus and Spam Controls

Central Vulnerability Scans and Reports
• Authentication and Daily Network Scans
• Honey-pot

Privacy Policy

Network Firewalls at Campus Border

Computer Forensics Capability


UCD – Changing Program

2003: California Civil Code Revised to Require Notification After Unauthorized Access to Personal Information

2004: Internal Audit Concerns

Campus-wide Program Needed to Enhance Campus Unit Security for Electronic Systems and Data

Program Needed to Clearly Recognize Lines of Responsibility


UCD: Cyber-safety Policy

2005: New Policy Requires Devices Connecting to Campus Network Meet Security Standards

16 Security Standards

Exceptions Approved by Campus Executives

Annual Compliance Reporting by Colleges, Schools and Units

Annual State of Security Report to Campus Executives


UCD: Security Standards

Level 1

Software Patches

Anti-Virus Software

Non-Secure Services

Authentication
• Strong Passwords
• Encrypted Transmission
• Default Passwords
• Privileged Accounts

Personal Information

VLAN & Host-based Firewalls

Level 2

Physical Security

Open Email Relays

Web Proxy Services

Audit Logging

Backup & Recovery

Security Training

Anti-Spyware

Secure Media Disposal

Incident Response Plan

Web Application Security Evaluation


UCD: Marketing the Program

Campus Unit Technologists Participation in Policy and Standards Development

Web and Print Communication

Target Audience

Senior Campus Executives

Technologists

Administrators and Department Chairs


UCD: Annual Survey

Annual Survey Instrument
• 2005: Manual Compliance Questionnaire
• 2006: Detailed Campus Unit Online Survey Focusing on Compliance Characteristics with Summary Reports

2006 Report
• Common Security Themes Identified – Metrics Available

One-on-one Meetings with Executives

State of Campus Security Presentation to Chancellor, Provost, Deans and Vice Chancellors


UCD: Security Gaps

Challenges for Selected Campus Areas
• Academic Units
• Residential Computing
• Wireless & Public NAMs
• Secure Remote Access (Virtual Private Network)

Common Campus Unit Needs AV License VLAN Firewalls Personal Identity Security Update Servers


UCD: Security Standards Benefits

Enhanced Central Security Investments

Anti-Virus License for All Affiliates

Subsidy for Campus Unit VLAN Firewall Acquisition and Support

Scanning Tools and Whole-Disk Encryption for Mobile Devices

Deploy OS and AV Update Servers

Redesign of Intrusion Detection/Prevention Methods

Network Admission Control for Residential Computing, Wireless and VPN

Cyber-Safety Auditor Hired for Annual Campus Unit Surveys


UCD: Cyber-safety Tools

Dear System/Network Administrator,

Please note that the numbers in the subject line of this message indicate the total number of scanner hits, honey pot hits and IDS hits, respectively, by all systems included in the following report.

The link below will take you to a report displaying vulnerable or infected systems assigned to you on the VLAN: XXXXXX.

We encourage you to inspect the systems identified in this report and correct problems immediately. Click on the link below for the results of the campus network scan that occurred on 2007-04-08 at 16:42:38. <http://secalert.ucdavis.edu/xxxxxxxx>

CONTACT INFORMATION:

To request access to the report page, contact [email protected]

To notify us of problems with a report or to provide feedback about false positive notifications so that we can tune our rule sets, please contact the UC Davis Computer Security Team at [email protected]

If you receive email notifications for a VLAN that is not yours, please contact the Network Operations Center (NOC) at [email protected] to request that the database be updated.

<http://security.ucdavis.edu/digsig.cfm>


Key Model Differences

Compliance Responsibility
• Senior Executives vs Campus Unit

Exception Approval Responsibility
• Senior Executives vs Chief Information Officer

Response to Non-compliance
• Required Annual Compliance Plan and Network Disconnection vs Network Disconnection


Common Program Features


Policy-based Program

Exceptions Available

Campus Constituents Participate in Standards Development

Compliance Monitoring

Need to Respond to Gaps Between Standards and Reality

Broad Communication/Marketing Strategies


References

• UCD Cyber-safety Policy http://manuals.ucdavis.edu/PPM/310/310-22.htm

• UCD Security References http://security.ucdavis.edu/

• UCB Security Standards Policy http://security.berkeley.edu/MinStds/#sum

• UCB Security References http://security.berkeley.edu/

• Proposed UC system-wide policy for minimum security requirements http://www.ucop.edu/irc/itsec/uc/documents/IS-3v51017.06.pdf


Questions
