Information Security - PowerPoint PPT Presentation

1 / 29

About This Presentation

Title:

Information Security

Description:

... ipfw Physical Security Physically secure information resources appropriately for their role Servers should be kept in secured areas with access limited to ... – PowerPoint PPT presentation

Number of Views:440

Avg rating:3.0/5.0

Slides: 30

Provided by: utexasEdu83

Category:

more less

Transcript and Presenter's Notes

Title: Information Security

1
Information Security

Bert Hayes
UT Austin Information Security Office
bhayes_at_infosec.utexas.edu

2
Objective

Learn about information security best practices
within the campus environment

3
Overview

ISO Office
Computer Security Best Practices
Data Security and Confidentiality
Importance of TSC Tools
ISORA
Reporting Computer Misuse or Abuse
Incident Response
Disaster Recovery Planning
Risk Assessment Services

4
ISO Mission/Function

Manage the university information security
program.
Provide direction for university information
security policies, standards, and procedures.
Develop and maintain an institutional information
security risk management program for the
university.
Work in partnership with campus IT leaders,
committees and boards, audit, compliance, and
legal departments to create appropriate
institutional information security strategies and
plans.
Assure all university network and system security
monitoring and testing activities are conducted
in accordance with federal, state, and university
regulatory requirements.

5
ISO Mission/Function(continued)

Manage university response to IT security
incidents and authorized to take any action
deemed necessary to protect university IT
resources.
Advise university departments regarding security
administration, implementation, and management.
Promote information security awareness and
education throughout the university.
http//security.utexas.edu/consensus
Mission - http//security.utexas.edu/about/
Initiatives - http//security.utexas.edu/about/ini
tiatives.html
ISO Organizational Chart - http//security.utexas.
edu/about/orgchart.html

6
Security Best Practices

Account and User Management
Securely deploy, maintain, and dispose of a
system
Keep up to date on the latest vulnerabilities for
your systems
Patch your operating system

Use a host-based firewall and virus protection
Physical Security
Monitor your systems
Train your users on security awareness
System-level security
Application security

7
Account and User Management

Users who have special access must complete a
Position of Special Trust form.
http//www.utexas.edu/hr/PDF/secsens.pdf
Choose strong passwords
http//www.utexas.edu/its/secure/articles/keep_saf
e_with_strong_passwords.php
Disable unused default accounts and set passwords
for required default accounts.
Disable or update accounts promptly when an
account holders status changes. When a vendor or
other 3rd party requires access to a University
machine, ensure that they have only the minimum
necessary access, for the shortest time possible.

8
Secure, deploy, maintain dispose of systems

Secure machines before placing them on the
network.
Develop an installation/configuration checklist
Wide variety of checklists http//www.cisecurity.
org
ISO Hardening Checklists
http//security.utexas.edu/personal/
http//security.utexas.edu/admin/
Minimize services/remove unused services
Configure the remaining services to be as secure
as possible
Use scripts/templates to automate the process
Dispose of hardware securely overwrite the
contents of drives and other media so that it is
no longer recoverable

9
Secure, deploy, maintain dispose of systems
(continued)

Utilize a change management strategy to ensure
that information technology resources are
protected against improper modification before,
during, and after system implementation.

10
Keep up to date on vulnerabilities

Securityfocus.com Home of Bugtraq and all of its
spin-offs
http//www.securityfocus.com/archive
Microsoft Technical Security Notifications
http//www.microsoft.com/technet/security/bulletin
/notify.mspx
Apple Security-Announce
http//lists.apple.com/mailman/listinfo/security-a
nnounce
Application specific mailing lists
Avoid vulnerabilities in locally developed code
https//security.utexas.edu/admin/checklists/

11
Patch Operating System

Windows
Windows Update http//windowsupdate.microsoft.com
Campus SUS Servers http//www.utexas.edu/its/wsus/
Macintosh
Use Software Update http//support.apple.com/kb/HT
1338?viewlocaleen_US
Linux
Red Hat Enterprise Red Hat Network Update Module
https//www.redhat.com/rhn/rhndetails/update/
https//www.redhat.com/security/updates/
Sun
Sun Update Connection http//www.sun.com/service/s
unconnection/index.jsp

12
Use a host-based firewall and virus protection

Personal firewalls and anti-virus software for
Macs and Windows desktop computers are available
via Bevoware http//www.utexas.edu/its/bevoware
(Check OS X version)
Consoles are available for use in a centrally
managed environment
Windows XP, Vista, and 2003 Server with the
latest service pack offer a host-based firewall
Apple Firewall - Behaves differently in 10.5 vs
10.4
Unix/Linux iptables
BSD ipfw

13
Physical Security

Physically secure information resources
appropriately for their role
Servers should be kept in secured areas with
access limited to systems administrators.
Public access workstations should be secured
against theft
Terminate access quickly for those who no longer
need physical access to facilities
Review access logs regularly and investigate any
unusual access
Protect access cards, keys, etc., and report them
promptly if they are lost or stolen
Use a password-protected screensaver

14
Monitor your systems

Logs
System logs such as authentication logs and
Application logs, such as web logs,
Look for activity that is out of the normal
profile
Consider automated log-monitoring software for
high-volume logs
UT Enterprise license for Splunk
Check to make sure that patches and updates are
installed
Check to make sure that the system isnt modified
either innocently or maliciously
Check configuration files and services after
applying patches and updates
Consider running an integrity checking tool like
Tripwire/samhain/AIDE to check for modifications
to critical files
Consider running a host-based IDS like OSSEC HIDS
http//www.ossec.net

15
Train Your Users

Encourage them to read and understand the AUP as
well as other policies and procedures that are
applicable.
Many users accidentally or intentionally do
things that result in a host being compromised
Virus scanning software is reactive
Training users to recognize and correctly respond
to security issues can significantly lighten your
workload in the long run

16
Train Your Users (Continued)

Email is NOT secure!
Treat attachments like suspicious packages
Train them to choose a strong password with
UpPerCaSe and s !_at_
Be careful with phishing!
No legit bank would ask for your password, pin ,
and 3-digit code much less over an email
(remember email is not secure)

17
The Big Three

Patch Your Operating System
Run up to date anti-virus software
Run up to date firewall software

18
Did You Know?

What is the minimum amount of time that a
vulnerable system has been compromised on UT
campus?

15 seconds
19
Data Security and Confidentiality

Data classification guidelines
Category I
Category II
Category III
Protecting Data (general)
Protecting Category I Data

20
Category I Data

Protection of data is required by law (HIPAA and
FERPA)
System is immediately categorized as a higher
risk
Examples of data Medical, Student information,
Contracts, Credit Card Numbers, certain research
information
Systems with this type of information should be
reported to the Information Security Office
TSC Utilities
A risk assessment or security review by the ISO
may be required.

21
Category II and III Data

Category II (Moderate sensitivity)
We have a contractual obligation to protect this
data
Examples
Data releasable in accordance with the Texas
Public Information Act (contents of specific
e-mail, date of birth, salary, etc.) data that
must be protected due to proprietary, ethical, or
privacy considerations.
Category III (Low/No sensitivity)
This is information that may be publicly
available it still may be important to protect
the original source data from modification.
Example
Data that might otherwise be considered publicly
available, personal Internet browsing data,
personal notes, etc.

22
Protecting Data

Use File system/Operating system permissions to
restrict who has access to data and what kinds of
access they have
Dont forget about protecting data in other
forms, including removable media, print-outs, and
on-screen display
Backup your data regularly.
Backup media should be securely stored in a
physically separate AND SECURE location.

23
Protecting Category I Data

Encrypt the contents of the data on media and
while it is being transmitted
Transport encryption such as SSL,SSH, unencrypted
protocols through TLS, IPSec
Encrypt data while it is at rest
File/Drive/Volume encryption
Safeboot
Bitlocker
File Vault
Protect the display of the data
Data should only be visible to those authorized
to see it.
Printers should be attended at all times or
placed in secure area.

24
Importance of the TSC Tools

All systems connected to the University network
must be registered via the TSC tools. This
information should include
Data classification
System Priority
TSC Contact Information
After hours contact information (if appropriate)

25
Importance of TSC Tools (continued)