Title: Secure Your Computer Now
1. Secure Your Computer Now
- How to keep your face off the evening news for
compromising 98,000 student records
Paul Waterstraat, Geology Department, University of
California, Davis
2. Secure Your Computer Now
Disclaimer
- Warning. This presentation is only a guide
containing recommended security settings. It is
not meant to replace well-structured policy or
sound judgment. Furthermore this guide does not
address site-specific configuration issues.
Care must be taken when implementing these
recommendations to address local operational and
policy concerns.
3. Ripped from the headlines...
UCLA laptop theft exposes ID info
Representatives of the University of California, Los Angeles, are
warning 145,000 blood donors they could be at
risk for identity theft due to a stolen
university laptop.
June 10, 2004
Boston College reveals alumni data breach
Boston College is fighting against an attack on its
fund-raising databases, which may have exposed
the personal data of more than 100,000
alumni.
March 17, 2005
ChoicePoint data loss may be higher than reported
ChoicePoint could have leaked
information on far more than 145,000 U.S.
citizens, the data collector's latest filing to
the Securities and Exchange Commission
suggests.
March 10, 2005
Laptop theft puts data of 98,000 at risk
The University of California, Berkeley, is warning
more than 98,000 people that the theft of a
laptop from its graduate school admissions office
has exposed their personal information.
March 29, 2005
UCD computer hacked into from Internet
The names and Social Security numbers of about 1,100 UC
Davis students, faculty, visiting speakers and
staff may have been compromised when someone
hacked into a main computer in the university's
plant biology section last month.
April 5, 2005
4. To help protect against identity theft,
California enacted a new law (SB 1386) requiring
businesses and government agencies, beginning
July 1, 2003, to notify consumers if hackers gain
entry to computers that contain unencrypted
personal information such as credit card numbers,
pass codes needed for use of personal accounts,
Social Security numbers or driver's license
numbers.
5. Policy and Procedure Manual
UC Davis Cyber-Safety Program
I. Purpose and Scope
This policy establishes that devices
connected to the UC Davis electronic
communications network must meet UC Davis
security standards or seek exception
authorization. Campus units may develop and
implement more rigorous security standards.
http://manuals.ucdavis.edu/ppm/310/310-22.htm
6. Policy and Procedure Manual
UC Davis Cyber-Safety Program
III. Policy
C. Campus units must annually report to
their respective Dean, Vice Chancellor or Vice
Provost, the extent to which unit operations are
consistent with the campus security standards.
Where compliance is not complete, the report must
document a compliance plan.
7. UC Davis Computing Standards
- Annual checklist includes 14 Standards
- 7 Level 1 Practices: Highest priority
standards that apply to all computers on the
network
- 7 Level II Practices: Secondary priority
standards, some of which apply to servers or
system administrators
Your Mission
http://manuals.ucdavis.edu/ppm/310/310-22a.htm
8. Computing Security Standards
- I-A. Software Patch Updates
Computing hosts connected to the campus network
must use an operating system and application
software for which the publisher maintains a
program to release critical security updates.
Campus units must apply all currently available
critical security updates within seven calendar
days of update release or implement a measure to
mitigate the related security vulnerability.
Exceptions may be appropriate for patches that
compromise the usability of an operating system
or application or for patches for which the
installation is prohibited by regulation.
13. Computing Security Standards
Anti-virus software must be running and updates
must be applied within no more than 24 hours of
update release for computing hosts connected to
the campus network. This standard applies to
computing hosts connected to the campus network
which are subject to virus infection. Networked
devices subject to virus infection that are
unable to use anti-virus software must be
protected from malicious network traffic.
16. Computing Security Standards
- I-C. Insecure Network Services
If a computer service/process that provides a
computing host access to network services (e.g.,
Telnet, FTP, POP) is not necessary for the
intended purpose or operation of the
network-connected device, that service/process
shall be disabled. Where inherently insecure
network services are needed, their available
encrypted equivalents must be used.
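One way to check a host against standard I-C, as an added example that is not part of the original presentation: the script reads a listing of listening TCP sockets and reports the cleartext services the standard names (Telnet, FTP, POP), separating those reachable from the network from those bound to loopback only. The sample listing is constructed, and the suggested replacements are this example's assumptions.

```python
import ipaddress

# Cleartext services named in standard I-C, with a common encrypted equivalent.
# Ports are the IANA defaults; the suggested replacements are this example's choice.
CLEARTEXT = {
    21: ("FTP", "SFTP or FTPS"),
    23: ("Telnet", "SSH"),
    110: ("POP3", "POP3 over TLS (port 995)"),
}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real host data).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   20u  IPv4 0x01          0t0  TCP *:22 (LISTEN)
launchd     1 root   23u  IPv4 0x02          0t0  TCP *:23 (LISTEN)
ftpd      412 root    3u  IPv6 0x03          0t0  TCP [::1]:21 (LISTEN)
popper    501 root    4u  IPv4 0x04          0t0  TCP 192.0.2.10:110 (LISTEN)
cupsd     388 root    5u  IPv4 0x05          0t0  TCP 127.0.0.1:631 (LISTEN)
"""

def parse_listeners(lsof_text):
    """Yield (command, address, port) for each LISTEN row, skipping the header."""
    for line in lsof_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        addr, _, port = fields[-2].rpartition(":")
        if port.isdigit():
            yield fields[0], addr.strip("[]"), int(port)

def is_loopback(addr):
    """True when the socket is bound to loopback only; '*' means all interfaces."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(lsof_text):
    """Return findings for cleartext services, network-reachable ones first."""
    findings = []
    for command, addr, port in parse_listeners(lsof_text):
        if port in CLEARTEXT:
            name, replacement = CLEARTEXT[port]
            findings.append({"service": name, "command": command, "port": port,
                             "reachable": not is_loopback(addr),
                             "use_instead": replacement})
    return sorted(findings, key=lambda f: (not f["reachable"], f["port"]))
```

On the constructed sample, `audit(SAMPLE_LSOF)` reports Telnet and POP3 as network-reachable and FTP as loopback only; SSH on port 22 and the loopback-bound print service are not flagged.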
19. Computing Security Standards
Campus electronic communications service
providers must have a suitable process for
authenticating users of shared electronic
communications services under their control.
1) No campus electronic communications service
user account shall exist without passwords or
other secure authentication system, e.g.
biometrics, Smart Cards.
22. Computing Security Standards
- I-D. Authentication - Passwords
2) Where passwords are used to authenticate
users, a password must be configured to enforce
password complexity requirements, if such
capability exists.
24. Computing Security Standards
I-D-2. Password Complexity
Mac OS X 10.4 Tiger offers a password assistant
when setting or changing passwords that can offer
suggestions and rate passwords for complexity and
strength.
27. Computing Security Standards
- I-D. Authentication - Passwords
3) All default account passwords for
network-accessible devices must be modified upon
initial use.
28. Computing Security Standards
- I-D. Authentication - Passwords
4) Passwords used for privileged access must not
be the same as those used for non-privileged
access.
29. Computing Security Standards
- I-D. Authentication - Passwords
5) All campus devices must use encrypted
authentication mechanisms unless an exception has
been approved by the appropriate department head
or campus administrative official. Unencrypted
authentication mechanisms are only as secure as
the network upon which they are used. Any
network traffic may be surreptitiously monitored,
rendering unencrypted authentication mechanisms
vulnerable to compromise.
30. Computing Security Standards
- I-E. Personal Information
Campus units must identify departmental computing
systems and applications that house personal
information (personal name along with Social
Security number, California driver identification
number, or financial account information).
Personal information must be removed from all
computers for which it is not required.
Note from Paul: Use Secure Empty Trash!
31. Computing Security Standards
- I-E. Personal Information
What's in your computer?
Note from Paul: Use Secure Empty Trash!
33. Computing Security Standards
Unauthorized physical access to an unattended
computing device can result in harmful or
fraudulent modification of data, fraudulent email
use, or any number of other potentially dangerous
situations. In light of these risks, where
possible and appropriate, devices must be
configured to lock and require a user to
re-authenticate if left unattended for more than
20 minutes. Portable storage devices must also
not be left unattended and be protected from data
theft or unauthorized data modification or
deletion.
39. Computing Security Standards
.... Portable storage devices must also not be
left unattended and be protected from data theft
or unauthorized data modification or deletion.
40. Ripped from the headlines...
Carjackers swipe biometric Merc, plus owner's finger
A Malaysian businessman has lost a finger
to car thieves impatient to get around his
Mercedes fingerprint security system. Accountant
K Kumaran, the BBC reports, had at first been
forced to start the S-class Merc, but when the
carjackers wanted to start it again without
having him along, they chopped off the end of his
index finger with a machete.
April 4, 2005
41. Computing Security Standards
Use Disk Utility to create an encrypted disk image
42. Computing Security Standards
Use the "i" info button to show password strength
43. Computing Security Standards
Firewall services, whether provided by a network
hardware device or through operating system or
add-on software, must be restrictively configured
to deny all traffic unless expressly permitted.
48. Computing Security Standards
- II-A. No Open E-mail Relays
Devices connected to the campus network must not
provide an active SMTP service that allows
unauthorized third parties to relay email
messages, i.e., to process an e-mail message
where neither the sender nor the recipient is a
local user.
49. Computing Security Standards
An unrestricted proxy server for use from
non-university locations is not allowed on the
campus network. Use of an unauthenticated proxy
server is not permitted on the campus network
unless approved as an exception to the campus
security standards by the appropriate department
head or campus administrative official.
50. Computing Security Standards
Campus units must develop and implement a policy
defining the use, inspection and retention of
audit logs. Audit log inspection may permit the
identification of unauthorized access to
sensitive electronic communication records. The
use of audit logs should be extended to document
activities such as account use and the network
source of the login, incoming and outgoing
network connections, file transfers and
transactions.
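A sketch of the audit log inspection this standard describes, as an added example that is not part of the original presentation: it summarizes account use and the network source of each login from sshd log lines, then lists successful logins that came from outside the unit's own address range. The log lines and the `CAMPUS_NET` range are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption for this example: the unit's own address range (a documentation prefix).
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sshd log lines in the usual OpenSSH syslog wording (not real data).
SAMPLE_LOG = """\
Apr  5 08:01:12 geo1 sshd[311]: Accepted password for alice from 192.0.2.15 port 50122 ssh2
Apr  5 08:03:40 geo1 sshd[320]: Failed password for invalid user admin from 203.0.113.9 port 41001 ssh2
Apr  5 08:03:44 geo1 sshd[320]: Failed password for root from 203.0.113.9 port 41002 ssh2
Apr  5 09:17:02 geo1 sshd[355]: Accepted publickey for bob from 198.51.100.7 port 60311 ssh2
Apr  5 09:20:31 geo1 sshd[360]: Accepted password for alice from 198.51.100.7 port 60340 ssh2
"""

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def summarize(log_text):
    """Per account: accepted/failed counts and the set of source addresses."""
    accounts = defaultdict(lambda: {"accepted": 0, "failed": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login record
        entry = accounts[m["user"]]
        entry[m["result"].lower()] += 1
        entry["sources"].add(m["src"])
    return dict(accounts)

def off_campus_logins(log_text):
    """Successful logins whose source lies outside CAMPUS_NET, for inspection."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m["result"] != "Accepted":
            continue
        try:
            inside = ipaddress.ip_address(m["src"]) in CAMPUS_NET
        except ValueError:
            inside = False  # a hostname instead of an address: report it too
        if not inside:
            hits.append((m["user"], m["src"], m["method"]))
    return hits
```

On the constructed sample, `off_campus_logins(SAMPLE_LOG)` returns the two accepted logins from 198.51.100.7, and `summarize(SAMPLE_LOG)` shows the failed attempts against `admin` and `root` from a single source.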
51. Computing Security Standards
- II-D. Backup and Recovery
All critical and sensitive university electronic
communication records residing on electronic
storage shall be backed up on a regular and
frequent basis to separate backup media. The
backup media must be protected from unauthorized
access and stored in a location that is separate
from the originating source. The backup media
must be tested on a regular basis to ensure
recoverability from the backup media.
53. Computing Security Standards
- II-E. Training for Users, Administrators and
Managers
A technical training program must be documented
and established for all systems staff responsible
for security administration. In addition, campus
unit administrators and users handling critical
and/or sensitive university electronic
communication records must receive annual
information security awareness program training
regarding university policy and proper
information handling and controls.
54. Computing Security Standards
- II-F. Anti-Spyware Software
The use of programs to identify and remove
spyware programs is strongly advised to help
maintain the privacy of personal information and
Internet use. The use of an anti-spyware program
must be accompanied by installing program updates
on a regular basis to ensure the ability to detect
and remove new spyware or adware programs.
55. Computing Security Standards
- II-G. Release of Equipment with Electronic
Storage
All data must be removed from electronic storage
prior to being released or transferred to another
party. Data removal must be consistent with
physical destruction of the electronic storage
device, degaussing of the electronic storage or
overwriting of the data at least three times. A
quick format or file erasure is insufficient.
57. Questions?