secure your computer now l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Secure Your Computer Now PowerPoint Presentation
Download Presentation
Secure Your Computer Now

Loading in 2 Seconds...

play fullscreen
1 / 58

Secure Your Computer Now - PowerPoint PPT Presentation


  • 143 Views
  • Uploaded on

Secure Your Computer Now. How to keep your face off the evening news for compromising 98,000 student records. Paul Waterstraat Geology Department University of California, Davis. Disclaimer. Secure Your Computer Now.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Secure Your Computer Now' - LionelDale


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
secure your computer now
Secure Your Computer Now
  • How to keep your face off the evening news for compromising 98,000 student records

Paul WaterstraatGeology DepartmentUniversity of California, Davis

secure your computer now2

Disclaimer

Secure Your Computer Now
  • Warning. This presentation is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing these recommendations to address local operational and policy concerns.
slide3

Ripped from the headlines...

UCLA laptop theft exposes ID info

Representatives of the University of California, Los Angeles, are warning 145,000 blood donors they could be at risk for identity theft due to a stolen university laptop.

June 10, 2004

Boston College reveals alumni data breach

Boston College is fighting against an attack on its fund-raising databases, which may have exposed the personal data of more than 100,000 alumni.

March 17, 2005

ChoicePoint data loss may be higher than reported

ChoicePoint could have leaked information on far more than 145,000 U.S. citizens, the data collector's latest filing to the Securities and Exchange Commission suggests.

March 10, 2005

Laptop theft puts data of 98,000 at risk

The University of California, Berkeley, is warning more than 98,000 people that the theft of a laptop from its graduate school admissions office has exposed their personal information.

March 29, 2005

UCD computer hacked into from Internet

The names and Social Security numbers of about 1,100 UC Davis students, faculty, visiting speakers and staff may have been compromised when someone hacked into a main computer in the university’s plant biology section last month.

April 5, 2005

slide4

To help protect against identity theft, California enacted a new law (SB 1386) requiring businesses and government agencies beginning July 1, 2003, to notify consumers if hackers gain entry to computers that contain unencrypted personal information such as credit card numbers, pass codes needed for use of personal accounts, Social Security numbers or driver’s license numbers.

policy and procedure manual
Policy and Procedure Manual

UC Davis Cyber-Safety Program

I. Purpose and Scope

This policy establishes that devices connected to the UC Davis electronic communications network must meet UC Davis security standards or seek exception authorization. Campus units may develop and implement more rigorous security standards.…

  • Section 310-022

http://manuals.ucdavis.edu/ppm/310/310-22.htm

policy and procedure manual6
Policy and Procedure Manual

UC Davis Cyber-Safety Program

III. Policy

C. Campus units must annually report to their respective Dean, Vice Chancellor or Vice Provost, the extent to which unit operations are consistent with the campus security standards. Where compliance is not complete, the report must document a compliance plan…

  • Section 310-022
uc davis computing standards
UC Davis Computing Standards
  • Annual checklist includes14 Standards
    • 7 Level 1 Practices: “Highest priority” standards that apply to all computers on the network
    • 7 Level II Practices: “Secondary priority” standards, some of which apply to servers or system administrators

YourMission

http://manuals.ucdavis.edu/ppm/310/310-22a.htm

computing security standards
Computing Security Standards
  • I-A. Software Patch Updates

Computing hosts connected to the campus network must use an operating system and application software for which the publisher maintains a program to release critical security updates. Campus units must apply all currently available critical security updates within seven calendar days of update release or implement a measure to mitigate the related security vulnerability. Exceptions may be appropriate for patches that compromise the usability of an operating system or application or for patches for which the installation is prohibited by regulation.

computing security standards9
Computing Security Standards
  • I-A. Software Patch Updates
computing security standards10
Computing Security Standards
  • I-A. Software Patch Updates
computing security standards11
Computing Security Standards
  • I-A. Software Patch Updates
computing security standards12
Computing Security Standards
  • I-A. Software Patch Updates
computing security standards13
Computing Security Standards
  • I-B. Anti-virus software

Anti-virus software must be running and updates must be applied within no more than 24 hours of update release for computing hosts connected to the campus network. This standard applies to computing hosts connected to the campus network which are subject to virus infection. Networked devices subject to virus infection that are unable to use anti-virus software must be protected from malicious network traffic.

computing security standards14
Computing Security Standards
  • I-B. Anti-virus software
computing security standards15
Computing Security Standards
  • I-B. Anti-virus software
computing security standards16
Computing Security Standards
  • I-C. Insecure Network Services

If a computer service/process that provides a computing host access to network services (e.g, Telnet, FTP, POP) is not necessary for the intended purpose or operation of the network-connected device, that service/process shall be disabled. Where inherently insecure network services are needed, their available encrypted equivalents must be used

computing security standards17
Computing Security Standards
  • I-C. Insecure Network Services
computing security standards18
Computing Security Standards
  • I-C. Insecure Network Services
computing security standards19
Computing Security Standards
  • I-D. Authentication

Campus electronic communications service providers must have a suitable process for authenticating users of shared electronic communications services under their control.

1) No campus electronic communications service user account shall exist without passwords or other secure authentication system, e.g. biometrics, Smart Cards.

computing security standards20
Computing Security Standards
  • I-D. Authentication - Passwords
computing security standards21
Computing Security Standards
  • I-D. Authentication - Passwords
computing security standards22
Computing Security Standards
  • I-D. Authentication - Passwords

2) Where passwords are used to authenticate users, a password must be configured to enforce password complexity requirements, if such capability exists.

computing security standards23
Computing Security Standards

I-D-2. Password Complexity

computing security standards24
Computing Security Standards

I-D-2. Password Complexity

Mac OS X 10.4 “Tiger” offers a password assistant when setting or changing passwords that can offer suggestions and rate passwords for complexity and strength.

computing security standards25
Computing Security Standards

I-D-2. Password Complexity

computing security standards26
Computing Security Standards

I-D-2. Password Complexity

computing security standards27
Computing Security Standards
  • I-D. Authentication - Passwords

3) All default account passwords for network-accessible devices must be modified upon initial use.

computing security standards28
Computing Security Standards
  • I-D. Authentication - Passwords

4) Passwords used for privileged access must not be the same as those used for non-privileged access.

computing security standards29
Computing Security Standards
  • I-D. Authentication - Passwords

5) All campus devices must use encrypted authentication mechanisms unless an exception has been approved by the appropriate department head or campus administrative official. Unencrypted authentication mechanisms are only as secure as the network upon which they are used. Any network traffic may be surreptitiously monitored, rendering unencrypted authentication mechanisms vulnerable to compromise.

computing security standards30
Computing Security Standards
  • I-E. Personal Information

Campus units must identify departmental computing systems and applications that house personal information (personal name along with Social Security number, California driver identification number, or financial account information). Personal information must be removed from all computers for which it is not required.

Note from Paul: Use “Secure Empty Trash!”

computing security standards31
Computing Security Standards
  • I-E. Personal Information

What’s in your computer?

Note from Paul: Use “Secure Empty Trash!”

computing security standards32
Computing Security Standards
  • I-E. Personal Information
computing security standards33
Computing Security Standards
  • I-F. Physical Security

Unauthorized physical access to an unattended computing device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of these risks, where possible and appropriate, devices must be configured to “lock” and require a user to re-authenticate if left unattended for more than 20 minutes. Portable storage devices must also not be left unattended and be protected from data theft or unauthorized data modification or deletion.

computing security standards34
Computing Security Standards
  • I-F. Physical Security
computing security standards35
Computing Security Standards
  • I-F. Physical Security
computing security standards36
Computing Security Standards
  • I-F. Physical Security
computing security standards37
Computing Security Standards
  • I-F. Physical Security
computing security standards38
Computing Security Standards
  • I-F. Physical Security
computing security standards39
Computing Security Standards
  • I-F. Physical Security

.... Portable storage devices must also not be left unattended and be protected from data theft or unauthorized data modification or deletion.

slide40

Ripped from the headlines...

Carjackers swipe biometric Merc, plus owner's finger

A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes’ fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.

April 4, 2005

computing security standards41
Computing Security Standards
  • I-F. Physical Security

Use DiskUtility to create an Encrypted disk image

computing security standards42
Computing Security Standards
  • I-F. Physical Security

Use the “i ” info button to show password strength

computing security standards43
Computing Security Standards
  • I-G. Firewall Services

Firewall services, whether provided by a network hardware device or through operating system or add-on software, must be restrictively configured to deny all traffic unless expressly permitted.

computing security standards44
Computing Security Standards
  • I-G. Firewall Services
computing security standards45
Computing Security Standards
  • I-G. Firewall Services
computing security standards46
Computing Security Standards
  • I-G. Firewall Services
computing security standards47
Computing Security Standards
  • I-G. Firewall Services
computing security standards48
Computing Security Standards
  • II-A. No Open E-mail Relays

Devices connected to the campus network must not provide an active SMTP service that allows unauthorized third parties to relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user

computing security standards49
Computing Security Standards
  • II-B. Proxy Services

An unrestricted proxy server for use from non-university locations is not allowed on the campus network. Use of an unauthenticated proxy server is not permitted on the campus network unless approved as an exception to the campus security standards by the appropriate department head or campus administrative official.

computing security standards50
Computing Security Standards
  • II-C. Audit Logs

Campus units must develop and implement a policy defining the use, inspection and retention of audit logs.  Audit log inspection may permit the identification of unauthorized access to sensitive electronic communication records. The use of audit logs should be extended to document activities such as account use and the network source of the login, incoming and outgoing network connections, file transfers and transactions.

computing security standards51
Computing Security Standards
  • II-D. Backup and Recovery

All critical and sensitive university electronic communication records residing on electronic storage shall be backed up on a regular and frequent basis to separate backup media. The backup media must be protected from unauthorized access and stored in a location that is separate from the originating source. The backup media must be tested on a regular basis to ensure recoverability from the backup media.

computing security standards52
Computing Security Standards
  • II-D. Backup and Recovery
computing security standards53
Computing Security Standards
  • II-E. Training for Users, Administrators and Managers

A technical training program must be documented and established for all systems staff responsible for security administration. In addition, campus unit administrators and users handling critical and/or sensitive university electronic communication records must receive annual information security awareness program training regarding university policy and proper information handling and controls.

computing security standards54
Computing Security Standards
  • II-F. Anti-Spyware Software

The use of programs to identify and remove spyware programs is strongly advised to help to maintain the privacy of personal information and Internet use. The use of an anti-spyware program must be accompanied by installing program updates on regular basis to ensure the ability to detect and remove new spyware or adware programs

computing security standards55
Computing Security Standards
  • II-G. Release of Equipment with Electronic Storage

All data must be removed from electronic storage prior to being released or transferred to another party. Data removal must be consistent with physical destruction of the electronic storage device, degaussing of the electronic storage or overwriting of the data at least three times. A “quick” format or file erasure is insufficient.

computing security standards56
Computing Security Standards
  • II-G. Release of Equipment with Electronic Storage