IT Security: Information Security Essentials

Information technology is becoming more important in your day-to-day operations, in addition to playing a crucial role in making sure your facility keeps running. This session covers the basic essentials of making your IT environment secure and preparing for your next audit. You will also learn which resources are free and available to you, what the data classification levels are and why they matter, and what working in a PCI environment (accepting credit cards) involves.

Union Well Inc

November 10, 2012


Transcript

  1. Introductions
     Information Security Essentials | University Union | Sacramento State University
     • Joe Gengler: Manager, Information Technology Services
     • Andrew Singletary: Assistant Director, Information Technology Services
     Saturday, November 10, 12
  2. Passwords vs. Passphrases
     • Passwords are commonly based on dictionary words.
     • Passphrases are a short sentence, 12 characters or more, and provide better security.
     • Passphrases should include spaces.
     • Passphrases should never contain personal information such as family/friend/pet names, phone numbers, addresses, birth dates, social security numbers, hobbies, activities, or sports teams.
     • Good passphrase examples:
       • Iced tea is good! (16 characters)
       • The Well has a nice gym. (23 characters)
       • Is it hot in Sacramento? (24 characters)
     • How secure is your password? URL: http://howsecureismypassword.net/
     • Other passphrase resources: http://en.wikipedia.org/wiki/Passphrase
     Source: http://www.codelord.net/2011/06/18/statistics-of-62k-passwords
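A checker for the passphrase rules on this slide (12 or more characters, includes spaces, no personal information), added here as an example and not part of the original deck; the PERSONAL_INFO list is a constructed stand-in for a user's own details.

```python
import re
from typing import List

# Minimum passphrase length recommended on the slide.
MIN_LENGTH = 12

# Constructed sample of personal details the slide says must never appear in a
# passphrase (pet name, phone number, birth year, favourite team). In practice
# this list would come from the user's own profile; it is invented here.
PERSONAL_INFO = ["Rex", "555-0134", "1985", "Kings"]


def normalize(text: str) -> str:
    """Lower-case and drop punctuation so 'Rex!' still matches 'rex'."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower())


def check_passphrase(candidate: str, personal_info=PERSONAL_INFO) -> List[str]:
    """Return the list of policy violations; an empty list means it passes.

    The rules mirror the slide: at least MIN_LENGTH characters, contains
    spaces (a sentence, not a single dictionary word), and contains none of
    the user's personal information.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if " " not in candidate.strip():
        problems.append("no spaces: looks like a password, not a passphrase")
    flat = normalize(candidate).replace(" ", "")
    for item in personal_info:
        key = normalize(item).replace(" ", "")
        # Substring match on the flattened text catches 'MyRexIsCute' as well
        # as 'My dog Rex is cute'.
        if key and key in flat:
            problems.append(f"contains personal information: {item!r}")
    return problems
```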
  3. Data Classification Standards
     • Level I - Confidential Data
       • Comprised mostly of health and financial information.
       • SSN / Tax ID / Birth Date + Last 4 of SSN / Passwords / Driver's License / Credit Cards / Bank Accounts
       • Potential impact: Severe or catastrophic
     • Level II - Business Use
       • Comprised mostly of data that is available for disclosure to a restricted group of individuals.
       • Birth Date / Budget Worksheets / Educational Records / Employee Information & History / Assets & Inventory / Sealed Bids
       • Potential impact: Serious
     • Level III - Public
       • Comprised of publicly available information, intended to be available to on/off campus organizations and/or individuals.
       • User IDs / Student & Employee Directory Information / Signatures
       • Potential impact: Limited
     • Sacramento State Information Security Office Data Classification Standards: http://www.csus.edu/irt/is/policies/8065/dataclassification.html
     • Identity Finder software: http://www.identityfinder.com/
  4. Workstation Security
     • Virus & malware protection:
       • Personal use: Microsoft Security Essentials
         URL: http://windows.microsoft.com/en-US/windows/security-essentials-download
       • Enterprise use: Microsoft Forefront Endpoint Protection
         • Contact your central IT department
     • Other virus/malware protection software packages:
       • AVG / McAfee / ESET / Sophos
       • Mac compatible: Sophos
  5. Workstation Patching
     • Keep machines up to date with operating system critical and security updates.
     • Keep vendor applications up to date with minor/major revision updates.
     • Set up routine maintenance/patch windows for installing or deploying updates.
     • Patch management procedures should be documented to meet IT audit requirements.
     • Systems for assisting in patch management:
       • Dell Kace: KBOX 1000 URL: http://www.kace.com/products/systems-management-appliance/
       • Microsoft WSUS (free solution) URL: http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
       • Microsoft System Center URL: http://www.microsoft.com/en-us/server-cloud/system-center/datacenter-management.aspx
       • Most central IT departments have a patch management solution.
  6. Workstation Deployment
     • Workstations should be deployed via a standard image.
     • Standard image deployment saves a significant amount of time when setting up new workstations or reinstalling.
     • Solutions for deploying workstation images:
       • Dell Kace: KBOX 2000 URL: http://www.kace.com/products/systems-deployment-appliance
       • Altiris URL: http://www.symantec.com/theme.jsp?themeid=altiris
       • Acronis URL: http://www.acronis.com/
       • Microsoft System Center URL: http://www.microsoft.com/en-us/server-cloud/system-center/datacenter-management.aspx
  7. Hard Drive Disk Wipe
     • Most University IT policies require wiping a drive before it can be disposed of as e-waste.
     • Audit requirements:
       • A drive wipe procedure
       • A running log (spreadsheet) of hard drive wipes including: date / brand / size / serial number
     • Two solutions for wiping a drive:
       • DBAN (Darik's Boot and Nuke) software
         • Quick Erase
         • URL: http://www.dban.org/
         • YouTube: http://www.youtube.com/watch?v=lwCCim2V_Jw
       • Wiebetech Drive Erazer Ultra ~$250
         • NIST wipe (recommended)
         • Wiebetech URL: http://bit.ly/Iqc45f
         • MCM Electronics: http://bit.ly/RHNS3A
  8. Server Vulnerability Scanning
     • Servers running Microsoft Windows Server and/or Linux should be scanned for vulnerabilities routinely (weekly).
     • Vulnerability reports should be reviewed by IT staff, and severe vulnerabilities should be addressed immediately.
     • Common vulnerability classes: Brute Force Attack / Cross-Site Scripting / Denial of Service / Session Hijacking / Information Disclosure / Spoofing
     • Avoid vulnerabilities by keeping operating system and application server software updated.
     • Vulnerability scanning solutions:
       • Rapid7 Nexpose Community Edition (free, ~$0) URL: http://www.rapid7.com/products/nexpose-community-edition.jsp
       • Contact your central IT department
  9. Server Hardening
     • Servers that have been hardened are more resistant to security issues.
     • Tips for basic server hardening:
       • Disable unnecessary running services.
       • Verify the host firewall is enabled and close any unnecessary incoming ports.
       • Only open required incoming ports, and scope open ports to specific IP ranges where possible.
       • Contact central IT for assistance with network/enterprise firewalls.
       • Only provision required user access; avoid administrator access where possible.
       • All default passwords should be changed.
       • Do not run services as the local administrator account.
       • Verify and maintain log files for important applications and services.
       • Verify and maintain proper backups of data.
  10. Web Security Scanning
     • Third-party web applications should be scanned with a web vulnerability scanner before launch.
     • Web security vulnerability scanner solutions:
       • Acunetix (self-hosted application) URL: http://www.acunetix.com/
         • Free edition: Web Vulnerability Scanner
         • Enterprise edition: pricing starting at $1500
       • Contact your central IT department
  11. User Provisioning / De-Provisioning
     • What is provisioning and de-provisioning?
       • Creating user accounts and permissions to systems and applications.
     • IT audits require provisioning and de-provisioning policies for systems that require user access.
     • Two-factor provisioning request process for systems:
       • Request originates from the user
       • Submitted by the manager
       • Approved by a higher-level manager or director
       • Provisioned by the Information Technology department
     • Provisioning to systems should be logged or tracked in a spreadsheet.
     • Utilize Wufoo for creating and storing provisioning forms. URL: http://www.wufoo.com
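A small model of the four-step request chain on this slide (user requests, manager submits, a higher-level manager approves, IT provisions) together with the log line the slide asks you to keep, added here as an example and not part of the original deck; the org chart, people and system names are constructed.

```python
from dataclasses import dataclass, field

# Constructed org chart for the example: employee -> direct manager.
REPORTS_TO = {"alice": "bob", "bob": "carol", "carol": "dana"}
# The four steps from the slide, in the order they must occur.
STEPS = ["requested", "submitted", "approved", "provisioned"]


def management_chain(person):
    """Everyone above `person` in the org chart, nearest manager first."""
    chain = []
    while person in REPORTS_TO:
        person = REPORTS_TO[person]
        chain.append(person)
    return chain


@dataclass
class AccessRequest:
    user: str
    system: str
    trail: list = field(default_factory=list)  # (step, actor) pairs, in order

    def _record(self, step, actor):
        # Steps must happen in the slide's order, each exactly once.
        expected = STEPS[len(self.trail)] if len(self.trail) < len(STEPS) else None
        if step != expected:
            raise ValueError(f"expected step {expected!r}, got {step!r}")
        self.trail.append((step, actor))

    def request(self):  # request originates from the user
        self._record("requested", self.user)

    def submit(self, manager):  # submitted by the user's own manager
        if REPORTS_TO.get(self.user) != manager:
            raise PermissionError(f"{manager} is not {self.user}'s manager")
        self._record("submitted", manager)

    def approve(self, approver):  # approved by a higher-level manager or director
        submitter = self.trail[-1][1] if self.trail else ""
        if approver not in management_chain(submitter):
            raise PermissionError("approver must be above the submitting manager")
        self._record("approved", approver)

    def provision(self, it_staff):  # carried out by IT, who must not be in the chain
        if it_staff in {actor for _, actor in self.trail}:
            raise PermissionError("IT cannot provision a request it took part in")
        self._record("provisioned", it_staff)

    def log_row(self, when):
        """One line for the provisioning log (spreadsheet) the slide calls for."""
        return ",".join([when, self.user, self.system] + [a for _, a in self.trail])
```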
  12. Web Content Filtering
     • Web content filtering allows you to filter web access from your workstations based on categorized topics.
     • Topic examples: Entertainment, Social Networking, Gambling, Games, News and Media, Shopping, Sports, etc.
     • Filter web content at workstations that are used by multiple student employees on public-facing desks.
     • Web filtering helps minimize workstation vulnerabilities and malware.
     • Web filtering solution:
       • Websense: Triton Cloud Security ~$1500/yr URL: http://www.websense.com/content/TRITON-solutions.aspx
  13. Payment Card Industry (PCI)
     • What is PCI?
     • Do you accept credit cards?
     • How do you become PCI compliant?
     • Shifting risk to third parties
     • PCI-certified solutions: PayPal, Square, cloud-based products
     • Security breach risk: up to $500,000 per incident plus additional fees (consultants, lawyers, etc.)
     • Easiest way to accept credit cards?
       • Credit card terminal
       • Verifone VX570 terminal
  14. Questions? Contact Info
     IT and Design Collaboration | University Union | Sacramento State University
     • Joe Gengler: [email protected] • @jgengler
     • Andrew Singletary: [email protected] • @drewies
  15. Social Networking Information
     • sacstateunion @sacstateunion
     • thewellsacstate @wellsacstate