Security Standards in Higher Education
Presented by:
Karen Eft, IT Policy Manager
University of California, Berkeley
Robert Ono, IT Security Coordinator
University of California, Davis
Copyright Karen Eft and Robert Ono 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.
Session Focus
As consumers, we see evidence of and benefit from operational standards every day.
The University of California promotes the use of information security standards within each of its 10 campuses. This presentation will review the different approaches UC Berkeley and UC Davis use to develop, maintain, and enforce information security standards.
Session Agenda
Institutional Information
Development of Security Standards
• UC Berkeley
• UC Davis
Differences Between Two Programs
Common Program Features
Institutional Highlights
UC Berkeley: 34,000 students; degree programs: 108 bachelor’s, 66 masters, 98 doctoral, 24 concurrent, 13 other; $516 million in research awards in 2005-2006; 34 Professional School degree programs.
UC Davis: 30,500 students; 100 academic majors and 86 graduate programs; $544 million in research awards in 2005-06; UCD Medical Center; Law, Medicine, Education, Management and Veterinary Medicine.
Development of UC Berkeley Security Standards
• Policy & procedures
• Organization
• Marketing
• Informing users
• What’s next?
UCB Policy & procedures
1. Departmental Security Contact Policy
To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. …
Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.
University of California, Berkeley
2. Campus IT Security Policy
Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control.
Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.
3. Guidelines and Procedures for Blocking Network Access
When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked.
If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via email that the block has occurred.
If the threat is not immediate, notification of the threat will be sent to the departmental security contact(s) via email. If a response is not received within 4 hours indicating that the department is taking action to mitigate the threat, the offending computer(s) will then be blocked.
Requires use of a good incident tracking system
In either case, central campus network and security personnel will work with the departmental security contact(s) and/or the system administrator(s) to ensure that the computer(s) are properly re-secured. If a block has been put in place it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.
and finally …
4. Minimum Standards for Security of Berkeley Campus Networked Devices (Appendix A to the IT Security Policy):
http://security.berkeley.edu/MinStds/AppA.min.htm
The Minimum Security Standards:
1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated email relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don’t run unnecessary services
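Standards 6 and 7 are the two a central vulnerability scanner can test from the network without credentials, and the probes below show how that is typically done: an open-relay dialogue that stops before DATA, and a proxy-form HTTP request for a scanner-owned beacon page. This is an added example, not code from the slides or from the UC Berkeley SNS scanner; the probe addresses, the beacon URL and marker, and the in-memory stand-in servers are constructed for the example so that it runs offline.

```python
"""Network probes for Minimum Security Standards 6 and 7: an unauthenticated
(open) SMTP relay and an unauthenticated HTTP proxy.  Each probe takes any
object with sendall()/recv(), so it runs against a real socket or against
the constructed in-memory servers at the bottom (added example, not SNS code)."""

PROBE_FROM = "probe@example.org"   # assumed sender outside the scanned domain
PROBE_TO = "probe@example.net"     # assumed recipient outside the scanned domain
BEACON_URL = "http://beacon.example.org/open-proxy-check"   # assumed scanner-owned page
BEACON_MARKER = b"OPEN-PROXY-BEACON-7f3a"                   # body that page returns

def read_smtp_reply(conn):
    """Return the 3-digit code of one SMTP reply, consuming "250-" continuation lines."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and lines[-2][3:4] == b" ":   # final line of the reply
            return int(lines[-2][:3])

def smtp_is_open_relay(conn):
    """HELO, then an external MAIL FROM and an external RCPT TO.  A compliant
    server refuses the RCPT (550/554) or demands AUTH first; 250 means it will
    relay for anyone.  QUIT before DATA so the probe never sends real mail."""
    if read_smtp_reply(conn) != 220:
        return False

    def cmd(line):
        conn.sendall(line.encode() + b"\r\n")
        return read_smtp_reply(conn)

    cmd("HELO scanner.example.edu")
    if cmd(f"MAIL FROM:<{PROBE_FROM}>") != 250:
        cmd("QUIT")
        return False
    relayed = cmd(f"RCPT TO:<{PROBE_TO}>") == 250
    cmd("QUIT")
    return relayed

def http_is_open_proxy(conn):
    """Proxy-form GET (absolute URI) for a host that is NOT the scanned machine,
    counted as open only if the beacon body comes back.  Requiring the body avoids
    flagging an origin server that merely accepts absolute-form requests for its
    own content; a 407 means the proxy wants authentication, which the standard allows."""
    req = (f"GET {BEACON_URL} HTTP/1.1\r\nHost: beacon.example.org\r\n"
           "Connection: close\r\n\r\n")
    conn.sendall(req.encode())
    head, _, body = conn.recv(65536).partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split(b" ")
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or not status[1].isdigit():
        return False
    return 200 <= int(status[1]) < 300 and BEACON_MARKER in body

def mss_findings(smtp_conn, proxy_conn):
    """Translate probe results into the standards the host violates."""
    findings = []
    if smtp_is_open_relay(smtp_conn):
        findings.append("6. No unauthenticated email relays")
    if http_is_open_proxy(proxy_conn):
        findings.append("7. No unauthenticated proxy services")
    return findings

class _Scripted:
    """Base for the constructed in-memory servers: recv() hands back whatever
    the last sendall() queued, so the probes run offline."""
    pending = b""

    def recv(self, n):
        out, self.pending = self.pending, b""
        return out

class FakeSmtpServer(_Scripted):
    """Constructed stand-in for an MTA; relay=True models an open relay."""
    def __init__(self, relay):
        self.relay = relay
        self.pending = b"220 mail.example.edu ESMTP\r\n"

    def sendall(self, data):
        verb = data.decode().strip().upper()
        if verb.startswith("HELO"):
            self.pending = b"250 mail.example.edu\r\n"
        elif verb.startswith("MAIL FROM"):
            self.pending = b"250 2.1.0 Ok\r\n"
        elif verb.startswith("RCPT TO"):
            self.pending = (b"250 2.1.5 Ok\r\n" if self.relay
                            else b"554 5.7.1 Relay access denied\r\n")
        else:  # QUIT
            self.pending = b"221 2.0.0 Bye\r\n"

class FakeHttpServer(_Scripted):
    """Constructed stand-in for a web listener; open_proxy=True fetches the
    beacon for anyone, False demands proxy credentials."""
    def __init__(self, open_proxy):
        self.open_proxy = open_proxy

    def sendall(self, data):
        if self.open_proxy:
            self.pending = (b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                            % (len(BEACON_MARKER), BEACON_MARKER))
        else:
            self.pending = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                            b"Content-Length: 0\r\n\r\n")
```

Against a real host the same functions are handed a connected `socket.socket` for port 25 and for each candidate proxy port; the relay probe must use a sender and recipient that are both outside the scanned domain, otherwise a correctly configured server that accepts mail for its own users would be misread as a relay.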
5. Implementing Guidelines, to assist system administrators and end-users in configuring their networked devices to comply with the Minimum Standards.
They include:
• clarifying information about the Standards
• configuration details for many situations
They do not include:
• step-by-step instructions for every existing device or operating system
UCB organization
Key groups:
• Campus Information Security and Privacy Committee (CISPC)
• IT Policy Services (Office of the CIO)
• System and Network Security (SNS): campus security operations group; policy enforcement through blocking hosts from accessing the campus network
• Data Stewardship Council
• Security SIG
UCB organization
SNS assists campus users with securing information assets.
• Risk assessment for network connected hosts: operation of a host vulnerability scanner to identify hosts that are at risk; longitudinal analysis of campus risk for attack; inventory of systems containing restricted data and assessment of these systems’ security position.
• Assist departments with developing systems and processes to handle information securely: assist in the development of plans for securing personal information like credit-card data; review systems security plans for departments and assist with the creation of these plans.
• Incident response: notify users or departmental security contacts of systems at risk or that have been compromised; assist law enforcement agencies with security requests while protecting privacy; enforce campus minimum standards where necessary.
• Coordinate and assist with campus security efforts: participate in user community security training; assist central campus organizations, like the CISPC, where needed; represent UCB security both to external and internal organizations.
(Michael Green, March 2007)
UCB marketing
A revolutionary new concept: “minimum” ≠ “minimal”
Get “real”:
• One-year implementation period
• Exception process
Request for Exception to the Campus Minimum Security Standards
If devices such as computers, printers, or other network appliances do not have at least a basic level of security, they are subject to being blocked from campus network connection. (See the Minimum Standards for Security of Berkeley Campus Networked Devices.)
Departments, units, or individuals who believe their devices require configurations that do not comply with these Minimum Standards may request exceptions to the Policy*, using one of the following links:
(for a single device) (for multiple devices)
http://security.berkeley.edu/MinStdsException.html
Minimum Security Standards Exception Request Form - Complex (To submit a Simple request, go back to http://security.berkeley.edu/MinStdsException.html)
Your Information:
• Your Name (Required)
• Your Department (Required)
• Your Position/Role
• Your E-mail (Required)
• Your Phone
• Security Contact E-mail (if known)
Devices Requiring Exception: Please describe in detail. Include IPs, hostnames and MACs (if available). For services, indicate which ports are used.
Representative IP (Required) (For determining/verifying security contact. This should be one of the IPs included in the request).
From what standards are you requesting an exception? (Check all that apply and give a detailed explanation.)
• Software patch updates
• Anti-virus software
• Host-based firewall
• Passwords
• No unencrypted authentication
• No unauthenticated email relays
• No unauthenticated proxy services
• Physical security
• Unnecessary services
Explanation:
Correction and Mitigation: Exceptions to the standards are expected to be temporary, for example until needed resources can be acquired, changes can be made in the types of activities conducted, or new mitigating technology becomes available. What steps are you taking, or what changes do you expect to occur, that will enable you to meet the minimum standards in the future?
What is your timeframe for meeting the Minimum Standards?
What are you doing to mitigate the situation until you come into full compliance with the minimum standards?
UCB informing users
Keep the community fully informed.
State as many places as possible that connections will be blocked for non-compliance with MSS.
Send individual security event notices to security contact address.
Provide look-up website: has my IP been blocked?
Send current activity publicity.
SAMPLE of specific email:
“After a suspension of several months, SNS is now fully staffed and ready to resume enforcement of the campus Minimum Security Standards for Networked Devices (MSS) for unpatched Windows hosts and Windows hosts with blank admin passwords. Beginning Tuesday, March 13, we will ramp up our operations by beginning with campus hard-wired non-DHCP Ethernet hosts and dial-up modem hosts, then later add AirBears, VPN, and DHCP-based hosts over the next few months.
The sequence of messages will be as follows: After an initial notification of non-compliance with the MSS, if no response is received within 5 working days, and if no active compromise or other security risk is noted, a second notice will be sent 2 working days before active blocking begins.
The list of blocked IP addresses and SNS tracking numbers is available on this SNS web page:
http://sec-info.berkeley.edu/cgi-bin/blockinfo-login.pl
If you have any questions about the MSS or this notice, please write to the [email protected] address.”
UCB what’s next?
Procurement Requirements BEFORE you buy …
Minimum Standards for Applications
Minimum Standards for Restricted Data
UCD – Early Beginnings
New Policies and Technology with Broad Campus Consultation:
• Intrusion Detection
• Email Anti-Virus and Spam Controls
• Central Vulnerability Scans and Reports (authentication and daily network scans; honey-pot)
• Privacy Policy
• Network Firewalls at Campus Border
• Computer Forensics Capability
University of California, Davis
UCD – Changing Program
2003: California Civil Code Revised to Require Notification After Unauthorized Access to Personal Information
2004: Internal Audit Concerns
Campus-wide Program Needed to Enhance Campus Unit Security for Electronic Systems and Data
Program Needed to Clearly Recognize Lines of Responsibility
UCD: Cyber-safety Policy
2005: New Policy Requires Devices Connecting to Campus Network Meet Security Standards
16 Security Standards
Exceptions Approved by Campus Executives
Annual Compliance Reporting by Colleges, Schools and Units
Annual State of Security Report to Campus Executives
UCD: Security Standards
Level 1:
• Software Patches
• Anti-Virus Software
• Non-Secure Services
• Authentication: Strong Passwords; Encrypted Transmission; Default Passwords; Privileged Accounts
• Personal Information
• VLAN & Host-based Firewalls
Level 2:
• Physical Security
• Open Email Relays
• Web Proxy Services
• Audit Logging
• Backup & Recovery
• Security Training
• Anti-Spyware
• Secure Media Disposal
• Incident Response Plan
• Web Application Security Evaluation
UCD: Marketing the Program
Campus Unit Technologists’ Participation in Policy and Standards Development
Web and Print Communication
Target Audience:
• Senior Campus Executives
• Technologists
• Administrators and Department Chairs
UCD: Annual Survey
Annual Survey Instrument:
• 2005: Manual Compliance Questionnaire
• 2006: Detailed Campus Unit Online Survey Focusing on Compliance Characteristics, with Summary Reports
2006 Report: Common Security Themes Identified; Metrics Available
One-on-one Meetings with Executives
State of Campus Security Presentation to Chancellor, Provost, Deans and Vice Chancellors
UCD: Security Gaps
Challenges for Selected Campus Areas:
• Academic Units
• Residential Computing
• Wireless & Public NAMs
• Secure Remote Access (Virtual Private Network)
Common Campus Unit Needs:
• AV License
• VLAN Firewalls
• Personal Identity Security
• Update Servers
UCD: Security Standards Benefits
Enhanced Central Security Investments:
• Anti-Virus License for All Affiliates
• Subsidy for Campus Unit VLAN Firewall Acquisition and Support
• Scanning Tools and Whole-Disk Encryption for Mobile Devices
• Deploy OS and AV Update Servers
• Redesign of Intrusion Detection/Prevention Methods
• Network Admission Control for Residential Computing, Wireless and VPN
• Cyber-Safety Auditor Hired for Annual Campus Unit Surveys
UCD: Cyber-safety Tools
Dear System/Network Administrator,
Please note that the numbers in the subject line of this message indicate the total number of scanner hits, honey pot hits and IDS hits, respectively, by all systems included in the following report.
The link below will take you to a report displaying vulnerable or infected systems assigned to you on the VLAN: XXXXXX. We encourage you to inspect the systems identified in this report and correct problems immediately. Click on the link below for the results of the campus network scan that occurred on 2007-04-08 at 16:42:38.
<http://secalert.ucdavis.edu/xxxxxxxx>
CONTACT INFORMATION:
To request access to the report page, contact [email protected]. To notify us of problems with a report or to provide feedback about false positive notifications so that we can tune our rule sets, please contact the UC Davis Computer Security Team at [email protected]. If you receive email notifications for a VLAN that is not yours, please contact the Network Operations Center (NOC) at [email protected] to request that the database be updated.
<http://security.ucdavis.edu/digsig.cfm>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)

iD8DBQFGGsyFpjhx/Mnq4fARAt2zAJ4vaQ941zigQSfkzFhd52v2Eh9o9gCeL1o4
QEPHSguAH/AnWOBPguOCBCQ=
=DJop
-----END PGP SIGNATURE-----
Key Model Differences
Compliance Responsibility: Senior Executives (UC Davis) vs Campus Unit (UC Berkeley)
Exception Approval Responsibility: Senior Executives (UC Davis) vs Chief Information Officer (UC Berkeley)
Response to Non-compliance: Required Annual Compliance Plan and Network Disconnection (UC Davis) vs Network Disconnection (UC Berkeley)
Common Program Features
Policy-based Program
Exceptions Available
Campus Constituents Participate in Standards Development
Compliance Monitoring
Need to Respond to Gaps Between Standards and Reality
Broad Communication/Marketing Strategies
References
• UCD Cyber-safety Policy http://manuals.ucdavis.edu/PPM/310/310-22.htm
• UCD Security References http://security.ucdavis.edu/
• UCB Security Standards Policy http://security.berkeley.edu/MinStds/#sum
• UCB Security References http://security.berkeley.edu/
• Proposed UC system-wide policy for minimum security requirements http://www.ucop.edu/irc/itsec/uc/documents/IS-3v51017.06.pdf
Questions