Security Standards in Higher Education Presented by: Karen Eft, IT Policy Manager University of California, Berkeley Robert Ono, IT Security Coordinator.

Presentation transcript:

Security Standards in Higher Education Presented by: Karen Eft, IT Policy Manager University of California, Berkeley Robert Ono, IT Security Coordinator University of California, Davis Copyright Karen Eft and Robert Ono This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the authors.

Session Focus
As consumers, we see evidence of and benefit from operational standards every day. The University of California promotes the use of information security standards within each of its 10 campuses. This presentation will review the different approaches UC Berkeley and UC Davis use to develop, maintain, and enforce information security standards.

Session Agenda
- Institutional Information
- Development of Security Standards
  - UC Berkeley
  - UC Davis
- Differences Between Two Programs
- Common Program Features

Institutional Highlights
UC Berkeley
- 34,000 students
- degree programs: 108 bachelor’s, 66 master’s, 98 doctoral, 24 concurrent, 13 other
- $516 million in research awards in
- 34 Professional School degree programs
UC Davis
- 30,500 students
- 100 academic majors and 86 graduate programs
- $544 million in research awards in
- UCD Medical Center
- Law, Medicine, Education, Management and Veterinary Medicine

Session Agenda
Development of UC Berkeley Security Standards
- Policy & procedures
- Organization
- Marketing
- Informing users
- What’s next?

UCB Policy & procedures
1. Departmental Security Contact Policy
To implement this policy, each department needs to appoint a security contact and one or more backup contacts. Departments may agree to share contacts for efficiency. … Contacts need to have some familiarity with the computers in their department and be able to determine who a responsible technical person is; it is not necessary for the contact to have extensive security expertise.
University of California, Berkeley

UCB Policy & procedures
2. Campus IT Security Policy
Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.

UCB Policy & procedures
3. Guidelines and Procedures for Blocking Network Access
When computers pose a serious risk to campus information system resources or the Internet, their network connection may be blocked.
If the threat is immediate, the offending computer(s) will be blocked immediately and notification will be sent to the departmental security contact(s) via that the block has occurred

UCB Policy & procedures
3. blocking (continued):
If the threat is not immediate, notification of the threat will be sent to the departmental security contact(s) via . If a response is not received within 4 hours indicating that the department is taking action to mitigate the threat, the offending computer(s) will then be blocked
Requires use of a good incident tracking system

UCB Policy & procedures
3. blocking (continued):
In either case, central campus network and security personnel will work with the departmental security contact(s) and/or the system administrator(s) to ensure that the computer(s) are properly re-secured. If a block has been put in place it will be removed when both the department and central campus security personnel agree that the problem causing the incident has been sufficiently addressed.

UCB Policy & procedures
and finally …
4. Minimum Standards for Security of Berkeley Campus Networked Devices (Appendix A to the “IT Security Policy”:)

UCB Policy & procedures
The Minimum Security Standards:
1. Keep software patches current
2. Run approved anti-virus software
3. Run approved host-based firewall software
4. Use secure passwords
5. No unencrypted authentication
6. No unauthenticated relays
7. No unauthenticated proxy services
8. Ensure physical security
9. Don’t run unnecessary services

UCB Policy & procedures
5. Implementing Guidelines to assist system administrators and end-users to configure their networked devices to comply with the Minimum Standards.
Include:
- clarifying information about the Standards
- configuration details for many situations
They do not include:
- step-by-step instructions for every existing device or operating system

UCB organization
Key groups:
- Campus Information Security and Privacy Committee (CISPC)
- IT Policy Services (Office of the CIO)
- System and Network Security
  - Campus security operations group.
  - Policy enforcement through blocking hosts from accessing the campus network
- Data Stewardship Council
- Security SIG

UCB organization
SNS assists campus users with securing information assets.
Risk assessment for network connected hosts:
- Operation of host vulnerability scanner to identify hosts that are at risk.
- Longitudinal analysis of campus risk for attack.
- Inventory of systems containing restricted data and assessment of these systems security position.
Assist departments with developing systems and processes to handle information securely:
- Assist in the development of plans for securing personal information like credit-card data.
- Review systems security plans for departments and assist with the creation of these plans.
Incident response:
- Notify users or departmental security contacts of systems at risk or that have been compromised.
- Assist law enforcement agencies with security requests while protecting privacy.
- Enforce campus minimum standards where necessary.
Coordinate and assist with campus security efforts:
- Participate in user community security training.
- Assist central campus organizations, like the CISPC, where needed.
- Represent UCB security both to external and internal organizations.
(Michael Green, March 2007)

UCB marketing
A revolutionary new concept: “minimum” ≠ “minimal”

UCB marketing
Get “real”:
- One-year implementation period
- Exception process

UCB marketing
Request for Exception to the Campus Minimum Security Standards
If devices such as computers, printers, or other network appliances do not have at least a basic level of security, they are subject to being blocked from campus network connection. (See the Minimum Standards for Security of Berkeley Campus Networked Devices.)
Departments, units, or individuals who believe their devices require configurations that do not comply with these Minimum Standards may request exceptions to the Policy*, using one of the following links: (for a single device) (for multiple devices)

UCB informing users
Minimum Security Standards Exception Request Form - Complex
(To submit a Simple request, go back to )
Your Information:
- Your Name (Required)
- Your Department (Required)
- Your Position/Role
- Your (Required)
- Your Phone
- Security Contact (if known)
Devices Requiring Exception
Please describe in detail. Include IPs, hostnames and MACs (if available). For services, indicate which ports are used.

UCB informing users
Representative IP (Required)
(For determining/verifying security contact. This should be one of the IPs included in the request.)
From what standards are you requesting an exception? (Check all that apply and give a detailed explanation.)
- Software patch updates
- Anti-virus software
- Host-based firewall
- Passwords
- No unencrypted authentication
- No unauthenticated relays
- No unauthenticated proxy services
- Physical security
- Unnecessary services
Explanation:

UCB informing users
Correction and Mitigation
Exceptions to the standards are expected to be temporary. For example, until needed resources can be acquired, changes can be made in the types of activities conducted, or new mitigating technology becomes available.
- What steps are you taking, or changes do you expect to occur, that will enable you to meet the minimum standards in the future?
- What is your timeframe for meeting the Minimum Standards?
- What are you doing to mitigate the situation until you come into full compliance with the minimum standards?

UCB informing users
Keep the community fully informed.
- State as many places as possible that connections will be blocked for non-compliance with MSS.
- Send individual security event notices to security contact address.
- Provide look-up website: has my IP been blocked?
- Send current activity publicity.

UCB informing users
SAMPLE of specific
“After a suspension of several months, SNS is now fully staffed and ready to resume enforcement of the campus Minimum Security Standards for Networked Devices (MSS) for unpatched Windows hosts and Windows hosts with blank admin passwords. Beginning Tuesday, March 13, we will ramp up our operations by beginning with campus hard-wired non-DHCP Ethernet hosts and dial-up modem hosts, then later add AirBears, VPN, and DHCP-based hosts over the next few months.

UCB informing users
sample (cont’d):
The sequence of messages will be as follows: After an initial notification of non-compliance with the MSS, if no response is received within 5 working days, and if no active compromise or other security risk is noted, a second notice will be sent 2 working days before active blocking begins.
The list of blocked IP addresses and SNS tracking numbers is available on this SNS web page:
If you have any questions about the MSS or this notice, please write to the address.”

UCB what’s next?
Procurement Requirements
- BEFORE you buy …
Minimum Standards for Applications
Minimum Standards for Restricted Data

UCD – Early Beginnings
New Policies and Technology with Broad Campus Consultation
- Intrusion Detection
- Anti-Virus and Spam Controls
- Central Vulnerability Scans and Reports
  - Authentication and Daily Network Scans
  - Honey-pot
- Privacy Policy
- Network Firewalls at Campus Border
- Computer Forensics Capability
University of California, Davis

UCD – Changing Program
2003: California Civil Code Revised to Require Notification After Unauthorized Access to Personal Information
2004: Internal Audit Concerns
- Campus-wide Program Needed to Enhance Campus Unit Security for Electronic Systems and Data
- Program Needed to Clearly Recognize Lines of Responsibility

UCD: Cyber-safety Policy
2005: New Policy Requires Devices Connecting to Campus Network Meet Security Standards
- 16 Security Standards
- Exceptions Approved by Campus Executives
- Annual Compliance Reporting by Colleges, Schools and Units
- Annual State of Security Report to Campus Executives

UCD: Security Standards
Level 1
- Software Patches
- Anti-Virus Software
- Non-Secure Services
- Authentication
  - Strong Passwords
  - Encrypted Transmission
  - Default Passwords
  - Privileged Accounts
- Personal Information
- VLAN & Host-based Firewalls
Level 2
- Physical Security
- Open Relays
- Web Proxy Services
- Audit Logging
- Backup & Recovery
- Security Training
- Anti-Spyware
- Secure Media Disposal
- Incident Response Plan
- Web Application Security Evaluation

UCD: Marketing the Program
Campus Unit Technologists Participation in Policy and Standards Development
Web and Print Communication
Target Audience
- Senior Campus Executives
- Technologists
- Administrators and Department Chairs

UCD: Annual Survey
Annual Survey Instrument
- 2005: Manual Compliance Questionnaire
- 2006: Detailed Campus Unit Online Survey Focusing on Compliance Characteristics with Summary Reports
2006 Report
- Common Security Themes Identified – Metrics Available
- One-on-one Meetings with Executives
- State of Campus Security Presentation to Chancellor, Provost, Deans and Vice Chancellors

UCD: Security Gaps
Challenges for Selected Campus Areas
- Academic Units
- Residential Computing
- Wireless & Public NAMs
- Secure Remote Access (Virtual Private Network)
Common Campus Unit Needs
- AV License
- VLAN Firewalls
- Personal Identity Security
- Update Servers

UCD: Security Standards Benefits
Enhanced Central Security Investments
- Anti-Virus License for All Affiliates
- Subsidy for Campus Unit VLAN Firewall Acquisition and Support
- Scanning Tools and Whole-Disk Encryption for Mobile Devices
- Deploy OS and AV Update Servers
- Redesign of Intrusion Detection/Prevention Methods
- Network Admission Control for Residential Computing, Wireless and VPN
- Cyber-Safety Auditor Hired for Annual Campus Unit Surveys

UCD: Cyber-safety Tools
Dear System/Network Administrator,
Please note that the numbers in the subject line of this message indicate the total number of scanner hits, honey pot hits and IDS hits, respectively, by all systems included in the following report.
The link below will take you to a report displaying vulnerable or infected systems assigned to you on the VLAN: XXXXXX. We encourage you to inspect the systems identified in this report and correct problems immediately.
Click on the link below for the results of the campus network scan that occurred on at 16:42:38.
CONTACT INFORMATION:
To request access to the report page, contact
To notify us of problems with a report or to provide feedback about false positive notifications so that we can tune our rule sets, please contact the UC Davis Computer Security Team at
If you receive notifications for a VLAN that is not yours, please contact the Network Operations Center (NOC) at to request that the database be
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SunOS)
iD8DBQFGGsyFpjhx/Mnq4fARAt2zAJ4vaQ941zigQSfkzFhd52v2Eh9o9gCeL1o4
QEPHSguAH/AnWOBPguOCBCQ=
=DJop
-----END PGP SIGNATURE-----


Key Model Differences
Compliance Responsibility
- Senior Executives vs Campus Unit
Exception Approval Responsibility
- Senior Executives vs Chief Information Officer
Response to Non-compliance
- Required Annual Compliance Plan and Network Disconnection vs Network Disconnection

Common Program Features
- Policy-based Program
- Exceptions Available
- Campus Constituents Participate in Standards Development
- Compliance Monitoring
- Need to Respond to Gaps Between Standards and Reality
- Broad Communication/Marketing Strategies

References
- UCD Cyber-safety Policy
- UCD Security References
- UCB Security Standards Policy
- UCB Security References
- Proposed UC system-wide policy for minimum security requirements

Questions