Managing Information Technology @ UT Information Security Bert Hayes UT Austin Information Security...

Managing Information Technology @ UT

Information Security

Bert Hayes UT Austin Information Security Office [email protected]


Objective

• Learn about information security best practices within the campus environment


Overview• ISO Office• Computer Security Best Practices• Data Security and Confidentiality• Importance of TSC Tools• ISORA• Reporting Computer Misuse or Abuse• Incident Response• Disaster Recovery Planning• Risk Assessment Services


ISO Mission/Function• Manage the university information security program.

• Provide direction for university information security policies, standards, and procedures.

• Develop and maintain an institutional information security risk management program for the university.

• Work in partnership with campus IT leaders, committees and boards, audit, compliance, and legal departments to create appropriate institutional information security strategies and plans.

• Assure all university network and system security monitoring and testing activities are conducted in accordance with federal, state, and university regulatory requirements.


ISO Mission/Function(continued)

• Manage university response to IT security incidents and authorized to take any action deemed necessary to protect university IT resources.

• Advise university departments regarding security administration, implementation, and management.

• Promote information security awareness and education throughout the university.

– http://security.utexas.edu/consensus

• Mission - http://security.utexas.edu/about/

• Initiatives - http://security.utexas.edu/about/initiatives.html

• ISO Organizational Chart - http://security.utexas.edu/about/orgchart.html


Security Best Practices• Account and User

Management• Securely deploy,

maintain, and dispose of a system

• Keep up to date on the latest vulnerabilities for your systems

• Patch your operating system

• Use a host-based firewall and virus protection

• Physical Security • Monitor your systems • Train your users on

security awareness– System-level security

– Application security


Account and User Management

• Users who have special access must complete a “Position of Special Trust form”.

– http://www.utexas.edu/hr/PDF/secsens.pdf

• Choose strong passwords – http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php

• Disable unused default accounts and set passwords for required default accounts.

• Disable or update accounts promptly when an account holder’s status changes. When a vendor or other 3rd party requires access to a University machine, ensure that they have only the minimum necessary access, for the shortest time possible.


Secure, deploy, maintain dispose of systems

• Secure machines before placing them on the network.

• Develop an installation/configuration checklist

– Wide variety of checklists: http://www.cisecurity.org

– ISO Hardening Checklists:• http://security.utexas.edu/personal/

• http://security.utexas.edu/admin/

• Minimize services/remove unused services

• Configure the remaining services to be as secure as possible

• Use scripts/templates to automate the process

• Dispose of hardware securely: overwrite the contents of drives and other media so that it is no longer recoverable


Secure, deploy, maintain dispose of systems (continued)

• Utilize a change management strategy to ensure that information technology resources are protected against improper modification before, during, and after system implementation.


Keep up to date on vulnerabilities

• Securityfocus.com: Home of Bugtraq and all of its spin-offs – http://www.securityfocus.com/archive

• Microsoft Technical Security Notifications– http://www.microsoft.com/technet/security/bulletin/notify.mspx

• Apple Security-Announce– http://lists.apple.com/mailman/listinfo/security-announce

• Application specific mailing lists• Avoid vulnerabilities in locally developed code

– https://security.utexas.edu/admin/checklists/


Patch Operating System• Windows:

– Windows Update http://windowsupdate.microsoft.com

– Campus SUS Servers http://www.utexas.edu/its/wsus/

• Macintosh– Use Software Update http://support.apple.com/kb/HT1338?

viewlocale=en_US

• Linux– Red Hat Enterprise: Red Hat Network Update Module

https://www.redhat.com/rhn/rhndetails/update/– https://www.redhat.com/security/updates/

• Sun– Sun Update Connection http://www.sun.com/service/sunconnection/index.jsp


Use a host-based firewall and virus protection

• Personal firewalls and anti-virus software for Macs and Windows desktop computers are available via Bevoware http://www.utexas.edu/its/bevoware (Check OS X version)

• Consoles are available for use in a centrally managed environment

• Windows XP, Vista, and 2003 Server with the latest service pack offer a host-based firewall

• Apple Firewall - Behaves differently in 10.5 vs 10.4• Unix/Linux: iptables • BSD: ipfw


Physical Security• Physically secure information resources appropriately for their role

– Servers should be kept in secured areas with access limited to systems administrators.– Public access workstations should be secured against theft

• Terminate access quickly for those who no longer need physical access to facilities

• Review access logs regularly and investigate any unusual access• Protect access cards, keys, etc., and report them promptly if they are lost or

stolen• Use a password-protected screensaver


Monitor your systems

• Logs– System logs such as authentication logs and – Application logs, such as web logs,– Look for activity that is out of the normal profile– Consider automated log-monitoring software for high-volume logs– UT Enterprise license for Splunk

• Check to make sure that patches and updates are installed• Check to make sure that the system isn’t modified either innocently or

maliciously– Check configuration files and services after applying patches and updates– Consider running an integrity checking tool like Tripwire/samhain/AIDE to check for

modifications to critical files– Consider running a host-based IDS like OSSEC HIDS http://www.ossec.net


Train Your Users• Encourage them to read and understand the AUP as

well as other policies and procedures that are applicable.

• Many users accidentally or intentionally do things that result in a host being compromised

• Virus scanning software is reactive• Training users to recognize and correctly respond to

security issues can significantly lighten your workload in the long run


Train Your Users (Continued)– Email is NOT secure! – Treat attachments like suspicious packages– Train them to choose a strong password – with

UpPerCaSe and #s !@#– Be careful with phishing!– No legit bank would ask for your password, pin #, and

3-digit code; much less over an email (remember – email is not secure)


The Big Three

1. Patch Your Operating System

2. Run up to date anti-virus software

3. Run up to date firewall software


Did You Know?

What is the minimum amount of time that a vulnerable system has been compromised on UT campus?


Data Security and Confidentiality

• Data classification guidelines– Category I– Category II– Category III

• Protecting Data (general)

• Protecting Category I Data


Category I Data• Protection of data is required by law (HIPAA and FERPA)• System is immediately categorized as a higher risk• Examples of data: Medical, Student information, Contracts, Credit

Card Numbers, certain research information• Systems with this type of information should be reported to the

Information Security Office – TSC Utilities

• A risk assessment or security review by the ISO may be required.


Category II and III Data• Category II (Moderate sensitivity)

– We have a contractual obligation to protect this data– Examples:

• Data releasable in accordance with the Texas Public Information Act (contents of specific e-mail, date of birth, salary, etc.); data that must be protected due to proprietary, ethical, or privacy considerations.

• Category III (Low/No sensitivity)– This is information that may be publicly available; it still

may be important to protect the original source data from modification.

– Example: • Data that might otherwise be considered publicly available, personal

Internet browsing data, personal notes, etc.


Protecting Data• Use File system/Operating system permissions to restrict who

has access to data and what kinds of access they have

• Don’t forget about protecting data in other forms, including removable media, print-outs, and on-screen display

• Backup your data regularly.

• Backup media should be securely stored in a physically separate AND SECURE location.


Protecting Category I Data– Encrypt the contents of the data on media and while it is being transmitted

• Transport encryption such as SSL,SSH, unencrypted protocols through TLS, IPSec

– Encrypt data while it is at rest• File/Drive/Volume encryption

– Safeboot– Bitlocker– File Vault

– Protect the display of the data• Data should only be visible to those authorized to see it.• Printers should be attended at all times or placed in secure area.


Importance of the TSC Tools

All systems connected to the University network must be registered via the TSC tools. This information should include:

– Data classification– System Priority– TSC Contact Information– After hours contact information (if appropriate)


Importance of TSC Tools (continued)

This data is used by several different applications

- ISORA- Incident Handlers (ISO)- Self Scan security scanner- Networking applications


ISO Annual Risk Assessment• Information Security Office Risk Assessment

(ISORA)• In-house application designed to meet

regulatory and compliance requirements• 2007 is the first time this process has been used

on a large scale on campus• Revision process to begin soon before Summer

2008 deployment


Reporting Computer Misuse or Abuse

• Reporting Incidents to the ISO

• Reporting Special Security Incidents

• Incidence Response


Security Assessment Services• http://security.utexas.edu/risk/assessments• Application Vulnerability Assessment• System Security Assessment• Network Vulnerability Assessment• Penetration Testing• Physical Security Assessment• Compliance Assessments


Disaster Recovery Planning• ITS Disaster Recovery Plan

– Overview– Mission– Objectives– Responsibilities– Preparation– Testing– Associated Documents– http://security.utexas.edu/risk

• Restarting Texas

Managing Information Technology @ UT Information Security Bert Hayes UT Austin Information Security...

Documents

Transcript of Managing Information Technology @ UT Information Security Bert Hayes UT Austin Information Security...