
Information Security Awareness for Systems Administrators
Why Us?
• Institutions of Higher Education are far more tantalizing targets
• Exploit vulnerabilities and weaknesses
• Publicity/recognition for hacking
• Profitability a key motivator
• The threat from within
• Over 44% of incidents in 2007 targeted Education and Government*
*per Web Application Security Consortium
Roles and Responsibilities
• Strong Passwords
• Data Backups
• Physical Security
• Daily Log Reviews
• Software Licensing
• User Access
• P2P File Sharing
• Avoid Disclosure/Compromise
Minimum Security Standards for Systems – Backups (Cat I)
• Establish/follow regular system backups
• Monthly verification of backups through customer/trial restores
• System administrator must maintain documented restoration procedures for systems and the data on those systems
Minimum Security Standards for Systems – Change Mgmt (Cat I)
• System configuration/documented change control process
• Evaluation of system changes prior to application in production environment
  - test patches
  - if no test environment, communicate to data customer
  - communicate change in environment due to patches
Minimum Security Standards for Systems – Virus Protection (Cat I)
• Install & enable Antivirus software
• Recommend installation of Antispyware software if browsing
• Must be configured to update daily
• Maintain/make available a description of the standard configuration of antivirus software
Minimum Security Standards for Systems – Physical Access (Cat I)
• Physically secure systems in racks/areas with restricted access
• Physically secure portable devices if left unattended
• Secure backup media from unauthorized physical access
• Encrypt backup media if stored offsite OR document process to prevent unauthorized access
Minimum Security Standards for Systems – Hardening Checklist
• System is set up in a protected network environment
• Install OS and application services security patches expediently
• Enable automatic notification of new patches
• Disable/uninstall services/apps/user accounts not being used
Hardening Checklist (continued)
• Limit connections to services running on host to authorized users only
• Encrypt communications & storage of services/apps for systems using Cat I data (confidentiality-integrity-availability)
• Integrity checks of critical OS files & system accounts (user least privilege)
• University warning banner required
• Use of strong passwords
Minimum Security Standards for Systems – Security Monitoring
• Enable and test log activities
• Document and routinely monitor/analyze OS/service logs
• Follow a documented backup strategy for security logs (e.g., account management, access control, data integrity, etc.)
• Retain security logs 14 days minimum
• Admin/Root Access must be logged
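A daily review of the kind these bullets call for, as an added example written for this transcript rather than taken from the slides: it picks sudo, su and direct root logins out of constructed auth-log lines and checks that the retained history spans the 14-day minimum. The log format, hostname and usernames are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not from the slides); ISO timestamp first.
SAMPLE_LOG = """\
2007-03-01T08:12:01 host1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 5022
2007-03-01T08:13:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
2007-03-02T23:55:12 host1 su: (to root) bob on pts/1
2007-03-03T02:10:09 host1 sshd[2105]: Failed password for root from 192.0.2.7 port 4422
2007-03-14T07:00:00 host1 sshd[2300]: Accepted password for root from 10.0.0.9 port 5100
"""

# Patterns for the three ways a session reaches root on a typical Linux host.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def privileged_events(log_text):
    """Return (timestamp, actor, description) for every admin/root access found."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.fromisoformat(line[:19])
        m = SUDO_RE.search(line)
        if m:
            events.append((ts, m["user"], f"sudo as {m['target']}: {m['cmd']}"))
            continue
        m = SU_RE.search(line)
        if m and m["target"] == "root":
            events.append((ts, m["user"], "su to root"))
            continue
        m = SSH_RE.search(line)
        if m and m["user"] == "root":
            events.append((ts, "root", f"direct root login from {m['src']}"))
    return events


def events_by_user(log_text):
    """Count privileged events per actor: the summary a daily review looks at first."""
    return dict(Counter(user for _, user, _ in privileged_events(log_text)))


def retention_ok(log_text, now_iso, minimum_days=14):
    """True when retained history spans at least minimum_days (the slide's 14-day floor)."""
    stamps = [datetime.fromisoformat(l[:19]) for l in log_text.splitlines() if l.strip()]
    return bool(stamps) and datetime.fromisoformat(now_iso) - min(stamps) >= timedelta(days=minimum_days)
```

Run against the sample on 2007-03-15 the retention check fails (the oldest entry is only 13 days old), which is the gap a reviewer would raise before the log rotation job discards anything.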
Minimum Security Standards for Systems
• For more information please visit the Information Security Office website at http://admin.utep.edu/Default.aspx?alias=admin.utep.edu/securityawareness
Password Security
• At least 17 characters in length
• Do not share or disclose
• Use complex passwords or pass phrases containing letters, numbers and special characters
• Change at least every 6 months or if a suspected compromise exists
• Change anytime a Team Member leaves
Safe Practices
• Browsing and downloading
• Privacy
• Misuse of domain credentials
• Remote access
• New users and folder shares
• Disable “Remember Password” features
• Report suspected compromise of account(s) or password(s) to ISO
Safe Practices (cont)
• Antivirus – run weekly scans
• User Access – check for appropriate approvals
• Disaster Recovery
• Business Continuity
• Don’t give away the “Keys to the Kingdom”
• Use of SQL Injection was 20% in 2007*
*according to Web Application Security Consortium
Statistics
The Web Hacking Incidents Database 2007 Annual Report
Prepared by Ofer Shezaf and Breach Security Labs team
http://www.webappsec.org/projects/whid/statistics.shtml

Attack Goal                       %
Stealing Sensitive Information   42%
Defacement                       23%
Planting Malware                 15%
Unknown                           8%
Deceit                            3%
Blackmail                         3%
Link Spam                         3%
Worm                              1%
Phishing                          1%
Information Warfare               1%
Questions & Answers
Information Security Office web page: http://admin.utep.edu/securityawareness
2007 Statistics: http://www.webappsec.org/projects/whid/statistics.shtml from Web Application Security Consortium