Information Security

Information Security Bert Hayes UT Austin Information Security Office bhayes@infosec.utexas.edu

Objective Learn about information security best practices within the campus environment

Overview ISO Office Computer Security Best Practices Data Security and Confidentiality Importance of TSC Tools ISORA Reporting Computer Misuse or Abuse Incident Response Disaster Recovery Planning Risk Assessment Services

ISO Mission/Function Manage the university information security program. Provide direction for university information security policies, standards, and procedures. Develop and maintain an institutional information security risk management program for the university. Work in partnership with campus IT leaders, committees and boards, audit, compliance, and legal departments to create appropriate institutional information security strategies and plans. Assure all university network and system security monitoring and testing activities are conducted in accordance with federal, state, and university regulatory requirements.

ISO Mission/Function(continued) Manage university response to IT security incidents and authorized to take any action deemed necessary to protect university IT resources. Advise university departments regarding security administration, implementation, and management. Promote information security awareness and education throughout the university. http://security.utexas.edu/consensus Mission - http://security.utexas.edu/about/ Initiatives - http://security.utexas.edu/about/initiatives.html ISO Organizational Chart - http://security.utexas.edu/about/orgchart.html

Security Best Practices Account and User Management Securely deploy, maintain, and dispose of a system Keep up to date on the latest vulnerabilities for your systems Patch your operating system Use a host-based firewall and virus protection Physical Security Monitor your systems Train your users on security awareness System-level security Application security

Account and User Management Users who have special access must complete a “Position of Special Trust form”. http://www.utexas.edu/hr/PDF/secsens.pdf Choose strong passwords http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php Disable unused default accounts and set passwords for required default accounts. Disable or update accounts promptly when an account holder’s status changes. When a vendor or other 3rd party requires access to a University machine, ensure that they have only the minimum necessary access, for the shortest time possible.

Secure, deploy, maintain dispose of systems Secure machines before placing them on the network. Develop an installation/configuration checklist Wide variety of checklists: http://www.cisecurity.org ISO Hardening Checklists: http://security.utexas.edu/personal/ http://security.utexas.edu/admin/ Minimize services/remove unused services Configure the remaining services to be as secure as possible Use scripts/templates to automate the process Dispose of hardware securely: overwrite the contents of drives and other media so that it is no longer recoverable

Secure, deploy, maintain dispose of systems (continued) • Utilize a change management strategy to ensure that information technology resources are protected against improper modification before, during, and after system implementation.

Keep up to date on vulnerabilities Securityfocus.com: Home of Bugtraq and all of its spin-offs http://www.securityfocus.com/archive Microsoft Technical Security Notifications http://www.microsoft.com/technet/security/bulletin/notify.mspx Apple Security-Announce http://lists.apple.com/mailman/listinfo/security-announce Application specific mailing lists Avoid vulnerabilities in locally developed code https://security.utexas.edu/admin/checklists/

Patch Operating System Windows: Windows Update http://windowsupdate.microsoft.com Campus SUS Servers http://www.utexas.edu/its/wsus/ Macintosh Use Software Update http://support.apple.com/kb/HT1338?viewlocale=en_US Linux Red Hat Enterprise: Red Hat Network Update Module https://www.redhat.com/rhn/rhndetails/update/ https://www.redhat.com/security/updates/ Sun Sun Update Connection http://www.sun.com/service/sunconnection/index.jsp

Use a host-based firewall and virus protection Personal firewalls and anti-virus software for Macs and Windows desktop computers are available via Bevoware http://www.utexas.edu/its/bevoware (Check OS X version) Consoles are available for use in a centrally managed environment Windows XP, Vista, and 2003 Server with the latest service pack offer a host-based firewall Apple Firewall - Behaves differently in 10.5 vs 10.4 Unix/Linux: iptables BSD: ipfw

Physical Security Physically secure information resources appropriately for their role Servers should be kept in secured areas with access limited to systems administrators. Public access workstations should be secured against theft Terminate access quickly for those who no longer need physical access to facilities Review access logs regularly and investigate any unusual access Protect access cards, keys, etc., and report them promptly if they are lost or stolen Use a password-protected screensaver

Monitor your systems Logs System logs such as authentication logs and Application logs, such as web logs, Look for activity that is out of the normal profile Consider automated log-monitoring software for high-volume logs UT Enterprise license for Splunk Check to make sure that patches and updates are installed Check to make sure that the system isn’t modified either innocently or maliciously Check configuration files and services after applying patches and updates Consider running an integrity checking tool like Tripwire/samhain/AIDE to check for modifications to critical files Consider running a host-based IDS like OSSEC HIDS http://www.ossec.net

Train Your Users Encourage them to read and understand the AUP as well as other policies and procedures that are applicable. Many users accidentally or intentionally do things that result in a host being compromised Virus scanning software is reactive Training users to recognize and correctly respond to security issues can significantly lighten your workload in the long run

Train Your Users (Continued) Email is NOT secure! Treat attachments like suspicious packages Train them to choose a strong password – with UpPerCaSe and #s !@# Be careful with phishing! No legit bank would ask for your password, pin #, and 3-digit code; much less over an email (remember – email is not secure)

The Big Three Patch Your Operating System Run up to date anti-virus software Run up to date firewall software

Did You Know? What is the minimum amount of time that a vulnerable system has been compromised on UT campus? 15 seconds

Data Security and Confidentiality Data classification guidelines Category I Category II Category III Protecting Data (general) Protecting Category I Data

Category I Data Protection of data is required by law (HIPAA and FERPA) System is immediately categorized as a higher risk Examples of data: Medical, Student information, Contracts, Credit Card Numbers, certain research information Systems with this type of information should be reported to the Information Security Office TSC Utilities A risk assessment or security review by the ISO may be required.

Category II and III Data Category II (Moderate sensitivity) We have a contractual obligation to protect this data Examples: Data releasable in accordance with the Texas Public Information Act (contents of specific e-mail, date of birth, salary, etc.); data that must be protected due to proprietary, ethical, or privacy considerations. Category III (Low/No sensitivity) This is information that may be publicly available; it still may be important to protect the original source data from modification. Example: Data that might otherwise be considered publicly available, personal Internet browsing data, personal notes, etc.

Protecting Data Use File system/Operating system permissions to restrict who has access to data and what kinds of access they have Don’t forget about protecting data in other forms, including removable media, print-outs, and on-screen display Backup your data regularly. Backup media should be securely stored in a physically separate AND SECURE location.

Protecting Category I Data Encrypt the contents of the data on media and while it is being transmitted Transport encryption such as SSL,SSH, unencrypted protocols through TLS, IPSec Encrypt data while it is at rest File/Drive/Volume encryption Safeboot Bitlocker File Vault Protect the display of the data Data should only be visible to those authorized to see it. Printers should be attended at all times or placed in secure area.

Importance of the TSC Tools All systems connected to the University network must be registered via the TSC tools. This information should include: Data classification System Priority TSC Contact Information After hours contact information (if appropriate)

Importance of TSC Tools (continued) This data is used by several different applications ISORA Incident Handlers (ISO) Self Scan security scanner Networking applications

ISO Annual Risk Assessment • Information Security Office Risk Assessment (ISORA) • In-house application designed to meet regulatory and compliance requirements • 2007 is the first time this process has been used on a large scale on campus • Revision process to begin soon before Summer 2008 deployment

Reporting Computer Misuse or Abuse Reporting Incidents to the ISO Reporting Special Security Incidents Incidence Response

Security Assessment Services • http://security.utexas.edu/risk/assessments • Application Vulnerability Assessment • System Security Assessment • Network Vulnerability Assessment • Penetration Testing • Physical Security Assessment • Compliance Assessments

Disaster Recovery Planning ITS Disaster Recovery Plan Overview Mission Objectives Responsibilities Preparation Testing Associated Documents http://security.utexas.edu/risk Restarting Texas

Information Security