Information Security - The University of Texas at Austin

Download Report

Transcript Information Security - The University of Texas at Austin

Managing Information Technology @ UT
Information Security
Bert Hayes
UT Austin Information Security Office
[email protected]
Managing Information Technology @ UT
Objective
• Learn about information security best
practices within the campus environment
Managing Information Technology @ UT
Overview
•
•
•
•
•
•
•
•
•
ISO Office
Computer Security Best Practices
Data Security and Confidentiality
Importance of TSC Tools
ISORA
Reporting Computer Misuse or Abuse
Incident Response
Disaster Recovery Planning
Risk Assessment Services
Managing Information Technology @ UT
ISO Mission/Function
• Manage the university information security program.
• Provide direction for university information security policies,
standards, and procedures.
• Develop and maintain an institutional information security risk
management program for the university.
• Work in partnership with campus IT leaders, committees and
boards, audit, compliance, and legal departments to create
appropriate institutional information security strategies and plans.
• Assure all university network and system security monitoring and
testing activities are conducted in accordance with federal, state,
and university regulatory requirements.
Managing Information Technology @ UT
ISO Mission/Function
(continued)
•
Manage university response to IT security incidents and authorized to take any action
deemed necessary to protect university IT resources.
•
Advise university departments regarding security administration, implementation, and
management.
•
Promote information security awareness and education throughout the university.
– http://security.utexas.edu/consensus
•
Mission - http://security.utexas.edu/about/
•
Initiatives - http://security.utexas.edu/about/initiatives.html
•
ISO Organizational Chart - http://security.utexas.edu/about/orgchart.html
Managing Information Technology @ UT
Security Best Practices
• Account and User
Management
• Securely deploy,
maintain, and dispose of
a system
• Keep up to date on the
latest vulnerabilities for
your systems
• Patch your operating
system
• Use a host-based
firewall and virus
protection
• Physical Security
• Monitor your systems
• Train your users on
security awareness
– System-level security
– Application security
Managing Information Technology @ UT
Account and User Management
• Users who have special access must complete a “Position of
Special Trust form”.
–
http://www.utexas.edu/hr/PDF/secsens.pdf
• Choose strong passwords
–
http://www.utexas.edu/its/secure/articles/keep_safe_with_strong_passwords.php
• Disable unused default accounts and set passwords for required
default accounts.
• Disable or update accounts promptly when an account holder’s
status changes. When a vendor or other 3rd party requires access
to a University machine, ensure that they have only the minimum
necessary access, for the shortest time possible.
Managing Information Technology @ UT
Secure, deploy, maintain dispose of
systems
• Secure machines before placing them on the network.
• Develop an installation/configuration checklist
– Wide variety of checklists: http://www.cisecurity.org
– ISO Hardening Checklists:
• http://security.utexas.edu/personal/
• http://security.utexas.edu/admin/
• Minimize services/remove unused services
• Configure the remaining services to be as secure as possible
• Use scripts/templates to automate the process
• Dispose of hardware securely: overwrite the contents of drives and
other media so that it is no longer recoverable
Managing Information Technology @ UT
Secure, deploy, maintain dispose
of systems (continued)
• Utilize a change management strategy to ensure that information technology re
implementation.
Managing Information Technology @ UT
Keep up to date on vulnerabilities
• Securityfocus.com: Home of Bugtraq and all of
its spin-offs
– http://www.securityfocus.com/archive
• Microsoft Technical Security Notifications
– http://www.microsoft.com/technet/security/bulletin/notify.mspx
• Apple Security-Announce
– http://lists.apple.com/mailman/listinfo/security-announce
• Application specific mailing lists
• Avoid vulnerabilities in locally developed code
– https://security.utexas.edu/admin/checklists/
Managing Information Technology @ UT
Patch Operating System
• Windows:
– Windows Update http://windowsupdate.microsoft.com
– Campus SUS Servers http://www.utexas.edu/its/wsus/
• Macintosh
– Use Software Update
http://support.apple.com/kb/HT1338?viewlocale=en_US
• Linux
– Red Hat Enterprise: Red Hat Network Update Module
https://www.redhat.com/rhn/rhndetails/update/
– https://www.redhat.com/security/updates/
• Sun
– Sun Update Connection
http://www.sun.com/service/sunconnection/index.jsp
Managing Information Technology @ UT
Use a host-based firewall
and virus protection
• Personal firewalls and anti-virus software for Macs and
Windows desktop computers are available via Bevoware
http://www.utexas.edu/its/bevoware (Check OS X version)
• Consoles are available for use in a centrally managed
environment
• Windows XP, Vista, and 2003 Server with the latest
service pack offer a host-based firewall
• Apple Firewall - Behaves differently in 10.5 vs 10.4
• Unix/Linux: iptables
• BSD: ipfw
Managing Information Technology @ UT
Physical Security
• Physically secure information resources appropriately for
their role
– Servers should be kept in secured areas with access limited to
systems administrators.
– Public access workstations should be secured against theft
• Terminate access quickly for those who no longer need
physical access to facilities
• Review access logs regularly and investigate any
unusual access
• Protect access cards, keys, etc., and report them
promptly if they are lost or stolen
• Use a password-protected screensaver
Managing Information Technology @ UT
Monitor your systems
•
Logs
–
–
–
–
–
•
•
System logs such as authentication logs and
Application logs, such as web logs,
Look for activity that is out of the normal profile
Consider automated log-monitoring software for high-volume logs
UT Enterprise license for Splunk
Check to make sure that patches and updates are installed
Check to make sure that the system isn’t modified either innocently or
maliciously
– Check configuration files and services after applying patches and updates
– Consider running an integrity checking tool like Tripwire/samhain/AIDE to check
for modifications to critical files
– Consider running a host-based IDS like OSSEC HIDS http://www.ossec.net
Managing Information Technology @ UT
Train Your Users
• Encourage them to read and understand the
AUP as well as other policies and procedures
that are applicable.
• Many users accidentally or intentionally do
things that result in a host being compromised
• Virus scanning software is reactive
• Training users to recognize and correctly
respond to security issues can significantly
lighten your workload in the long run
Managing Information Technology @ UT
Train Your Users (Continued)
– Email is NOT secure!
– Treat attachments like suspicious packages
– Train them to choose a strong password – with
UpPerCaSe and #s !@#
– Be careful with phishing!
– No legit bank would ask for your password, pin #, and
3-digit code; much less over an email (remember –
email is not secure)
Managing Information Technology @ UT
The Big Three
1. Patch Your Operating System
2. Run up to date anti-virus software
3. Run up to date firewall software
Managing Information Technology @ UT
Did You Know?
What is the minimum amount of time that a
vulnerable system has been compromised
on UT campus?
Managing Information Technology @ UT
Data Security and
Confidentiality
• Data classification guidelines
– Category I
– Category II
– Category III
• Protecting Data (general)
• Protecting Category I Data
Managing Information Technology @ UT
Category I Data
• Protection of data is required by law (HIPAA and FERPA)
• System is immediately categorized as a higher risk
• Examples of data: Medical, Student information, Contracts, Credit
Card Numbers, certain research information
• Systems with this type of information should be reported to the
Information Security Office
– TSC Utilities
• A risk assessment or security review by the ISO may be required.
Managing Information Technology @ UT
Category II and III Data
• Category II (Moderate sensitivity)
– We have a contractual obligation to protect this data
– Examples:
• Data releasable in accordance with the Texas Public Information Act
(contents of specific e-mail, date of birth, salary, etc.); data that must
be protected due to proprietary, ethical, or privacy considerations.
• Category III (Low/No sensitivity)
– This is information that may be publicly available; it still
may be important to protect the original source data
from modification.
– Example:
• Data that might otherwise be considered publicly available, personal
Internet browsing data, personal notes, etc.
Managing Information Technology @ UT
Protecting Data
• Use File system/Operating system permissions to restrict
who has access to data and what kinds of access they
have
• Don’t forget about protecting data in other forms,
including removable media, print-outs, and on-screen
display
• Backup your data regularly.
• Backup media should be securely stored in a physically
separate AND SECURE location.
Managing Information Technology @ UT
Protecting Category I Data
– Encrypt the contents of the data on media and while it is being
transmitted
• Transport encryption such as SSL,SSH, unencrypted
protocols through TLS, IPSec
– Encrypt data while it is at rest
• File/Drive/Volume encryption
– Safeboot
– Bitlocker
– File Vault
– Protect the display of the data
• Data should only be visible to those authorized to see it.
• Printers should be attended at all times or placed in secure
area.
Managing Information Technology @ UT
Importance of the TSC Tools
All systems connected to the University network
must be registered via the TSC tools. This
information should include:
–
–
–
–
Data classification
System Priority
TSC Contact Information
After hours contact information (if appropriate)
Managing Information Technology @ UT
Importance of TSC Tools
(continued)
This data is used by several different applications
-
ISORA
Incident Handlers (ISO)
Self Scan security scanner
Networking applications
Managing Information Technology @ UT
ISO Annual Risk Assessment
• Information Security Office Risk Assessment
(ISORA)
• In-house application designed to meet
regulatory and compliance requirements
• 2007 is the first time this process has been used
on a large scale on campus
• Revision process to begin soon before Summer
2008 deployment
Managing Information Technology @ UT
Reporting Computer Misuse or
Abuse
• Reporting Incidents to the ISO
• Reporting Special Security Incidents
• Incidence Response
Managing Information Technology @ UT
Security Assessment Services
•
•
•
•
•
•
•
http://security.utexas.edu/risk/assessments
Application Vulnerability Assessment
System Security Assessment
Network Vulnerability Assessment
Penetration Testing
Physical Security Assessment
Compliance Assessments
Managing Information Technology @ UT
Disaster Recovery Planning
• ITS Disaster Recovery Plan
–
–
–
–
–
–
–
–
Overview
Mission
Objectives
Responsibilities
Preparation
Testing
Associated Documents
http://security.utexas.edu/risk
• Restarting Texas