Presentation is loading. Please wait.

Presentation is loading. Please wait.

UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator."— Presentation transcript:

1 UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator

2 Policy Agenda Data Issues Key Security Concepts Sampling of Laws Complying with the Law Consideration of Ethics Consequences References

3 Data Issues Sensitivity: public or confidential –public: still needs protection – confidential minimal, more sensitive, most sensitive owned by someone specific statements for access, distribution, storage, disposal and penalties for disclosure Criticality: importance of data to function

4 Key Security Concepts Must protect: –Services/Use Functionality: perform function or use device Availability: device or data is ready for use on demand and at operational speed and capacity –Data Confidentiality: prevent unauthorized disclosure Integrity: prevent alteration and spoofing

5 Sampling of Laws International, federal, state, UW –statutes and regulations Federal –privacy, wiretapping, fraud, disclosure, surveillance, counterterrorism –grant-related policy WA State –privacy, malicious mischief, public records, spam, disclosure UW Administrative Code –student and general conduct, records access

6 Complying with the Laws Comply: take action to conform Law => Policies + Standards + Guidelines Policies state what needs to be done Standards define how to implement the policy (via procedures) Guidelines are strongly-recommended practices to assist in adhering to standards

7 Roles and Responsibilities System owners and operators comply with laws, policies, guidelines maintain confidentiality of sensitive data grant access based on “least privilege” and “separation of duties” principles report security incidents and perform incident response Data Custodians manage data access, storage, transmission and usage Users protect and maintain UW information systems/data

8 Policies Monitor user accounts, files and access as needed Understand nature of data on systems, and manage it appropriately Provide logical and physical access control and logging –commensurate with sensitivity and criticality of computing devices, networks and data Document procedures for issuing, altering and revoking access privileges Implement minimum computer and network measures and practices

9 Consideration of Ethics Ethics: principles of conduct that are harmonious with society –arguably higher than policy –notable examples whistleblowing preventing conflicts of interest protecting life Use of university resources; data sensitivity

10 Consequences Loss of privacy Loss of research, funding, reputation Malware infections Unauthorized use Information theft Vandalism Cheating

11 References UW Information Systems Security Policy –http://www.washington.edu/admin/rules/APS/02.01TOC.htmlhttp://www.washington.edu/admin/rules/APS/02.01TOC.html UW Guidelines for Implementing Systems and Data Security Practices –http://passcouncil.washington.edu/securitypractices/http://passcouncil.washington.edu/securitypractices/ UW Minimum Computer Security Standards –http://www.washington.edu/computing/security/pass/MinCompSec.htmlhttp://www.washington.edu/computing/security/pass/MinCompSec.html UW Minimum Data Security Standards Policy –http://www.washington.edu/admin/rules/APS/02.10TOC.htmlhttp://www.washington.edu/admin/rules/APS/02.10TOC.html UW Electronic Information Privacy Policy –http://www.washington.edu/computing/rules/privacypolicy.htmlhttp://www.washington.edu/computing/rules/privacypolicy.html

12 Implementation Agenda UW Minimum Computer Security Standards Summarized Computing System Components Detect the Compromise Block the Vector Remove the Payload

13 Minimum Computer Security Standards: Goals “The focus [...] is on protecting computing devices from misuse and is intended to [...] prevent subject devices from: being accessed or used by unauthorized entities. causing harm to other UW computers or computers at other organizations. causing harm to the UW network or other networks.” Does not address “information security” i.e., protecting the information on those devices

14 Minimum Computer Security Standards: Applicability Applies to one or more of the following: owned by the UW directly connects to the UW network accesses UW network via: –the UW dial-in service –a wireless access point attached to UW network –a Virtual Private Network (VPN), such that the device is effectively part of the UW network and capable of sending arbitrary packets to any UW computer. Doesn't apply to: non-UW computers connected from non-UW locations via secure protocols

15 Minimum Computer Security Standards: Audience All applicable computing devices: –will have, explicitly or implicitly, an individual or group responsible for the configuration and management of that device –If the device lacks a professional system administrator, the owner or end-user is responsible for implementing this standard by whatever means possible

16 Standards for Servers, Desktops, Laptops: Part I restrict physical and logical access to authorized users provide login control to the device through the use of good passwords transmitted only across a secure (encrypted) network link disable and/or block all unnecessary network services. For servers, only allow essential incoming or outgoing traffic. For desktop or laptop computers: block unsolicited incoming connections. use only operating system and application software versions for which security updates are readily available; otherwise, restrict access to vulnerable services

17 Standards for Servers, Desktops, Laptops: Part II enable software auto-patching do not install any software that grants unauthorized users access to non-public data stored on, or accessed through, subject devices. counteract malicious and other prohibited software that may infect computers by installing auto-updating defensive software (e.g., anti-virus and anti-spyware)

18 Standards for Servers, Desktops, Laptops: Part III enable logging; periodically review server logs and keep client logs for audit or diagnostic purposes. Log at least authentication failures and security setting changes. when installing (or re-installing) a computer operating system or other software packages that require multiple steps, and using the network to obtain software updates, ensure that the system is safe during the update process

19 Computing System Components Computing Device –takes some input –processes it OS, services, applications –provides some output Network –connects device Data People Computing Device input output Hub

20 Computing Devices: Reality Microcontroller, Cell phone, Laptop, Desktop, Server, etc. Human Keyboard/Mouse/touch... Data Scanner/GPS/Camera/ Microphone/ Accelerometer... Data Storage Device, ExpressCard, Network, Printer... In Out In/Out Human Audio/Display/ Tactile

21 Computing Devices: Connections removable media –floppy,CD/DVD/Blu-Ray,flash,USB/Firewire/eSATA disk PC Card/ExpressCard (laptops) wired –serial/parallel,USB,Firewire,IDE/SATA,SCSI/SAS, twisted pair,fiber wireless –radio (802.11, cellular, Bluetooth, Zigbee,...) –infrared (IR) –ultrasound

22 Lab Network Environment C C C C H/S CC AP H/SR C Time- Share Internet C UW Net C R Server C=Computer; H/S: Hub/Switch; R: Router; AP: wireless access point Colors: black box: lab owns; colored box: owned by others Connections: solid line: wired; dotted line: wireless

23 Vectors and Payloads Vector: route used to gain entry to computer –via a device without human intervention –via an unsuspecting or willing person's actions Payload: what is delivered via the vector –malicious code –may be multiple payloads –spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

24 Detect a Compromise –Detect anomalies; look for vector know what is normal and what is not –Assess the physical environment look for unknown attached devices/inserted media –Record open network ports as seen from outside nmap and vulnerability tools (e.g., Nessus) –Remotely investigate computer net use, regedit, sc, tasklist, schtasks, eventvwr –Locally investigate computer use safe tools, or risk looking at logs, tasks, etc.

25 Block the Vector Update Software Disable Unnecessary Services Strengthen Passwords Limit Privileges Limit Services Setup Host Firewall Enable Audit

26 Remove the Payload Disable Suspicious Services Kill Suspicious Processes Remove Suspicious Files Remove Suspicious Autoruns Remove Suspicious Scheduled Tasks...or re-install and update everything in a safe manner

27 Conclusion Bruce Schneier wrote: "Security is a chain; it's only as secure as the weakest link." “Security is a process, not a product.” Everyone is responsible for it Only have a better chance if you follow best practices and standards to implement policies, to conform to laws Always think about what you are doing

Download ppt "UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.

UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.
Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator.

Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.

Similar presentations

Ads by Google