Berkeley’s new Minimum Security Standards Policy
a panel presentation at UCCSC, August 2, 2004
Minimum Security Standards
PANEL MEMBERS:
• Karen Eft (IT Policy Analyst, CIO's Office)
• Ryan Means (Chief Technical Officer, School of Law)
• Brad Andrews (Manager, Residential Computing)
• Hua Pei Chen (Director of Computing Resources, Electrical Engineering and Computer Sciences)
• Craig Lant (Campus Information Systems Security Officer, CIO's Office)
Minimum Security Standards
ORGANIZATIONAL FOUNDATIONS:
Minimum Security Standards
SCOPE:
Minimum Security Standards
• IT Security Policy: everyone is responsible for IT security
• Policy on Minimum Security Standards for Networked Devices: you must comply with these standards
UNIQUE FORMAT:
• Appendix A: has the actual Standards
• Appendix B: is the Implementing Guidelines
• one-year grace period for enforcement
• process for exceptions
Minimum Standards for Security of Berkeley Campus Networked Devices
The following minimum standards are required for devices connected to the campus network:
• Software patch updates
• Anti-virus software
• Host-based firewall software
• Passwords
• No unencrypted authentication
• No unauthenticated email relays
• No unauthenticated proxy services
• Physical security
• Unnecessary services
Minimum Security Standards
Software patch updates
Campus networked devices must run software for which security patches are made available in a timely fashion. They also must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications.
• What are “security patches”?
• What does "software for which security patches are made available in a timely fashion" mean?
• There is an implicit minimum operating system requirement (no Windows 95, etc.)
• What about exceptions?
Minimum Security Standards
Anti-virus software
Anti-virus software for any particular type of device currently listed on the Campus software distribution website (http://software.berkeley.edu) must be running and up-to-date on every level of device, including clients, file servers, mail servers, and other types of campus networked devices.
• We have a site license for Symantec Anti-Virus Corporate Edition
• Any other AV software must be listed on the software website to satisfy the standard
• Yes, this does say every level of device.
Minimum Security Standards
Host-based firewall software
Host-based firewall software for any particular type of device currently listed on the Campus software distribution website must be running and configured according to the "Implementing Guidelines for the Minimum Standards for Security of Berkeley Campus Networked Devices", on every level of device, including clients, file servers, mail servers, and other types of campus networked devices. While the use of departmental firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls.
• Implementation Guidelines exist for this and other standards
• Similar requirements to the anti-virus standard
• Departmental firewalls do not necessarily exempt users from needing a host-based firewall
Minimum Security Standards
Passwords
Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g. biometrics or Smart Cards).* When passwords are used, they must meet the Minimum Password Complexity Standards. In addition, shared-access systems must enforce these standards whenever possible and appropriate and require that users change any pre-assigned passwords immediately upon initial access to the account.
• Minimum Password Complexity Standards are in the Implementation Guidelines
• All passwords must meet these standards
• The standards must be enforced on “shared-access” systems (Windows Domains, Active Directory, shared Unix machines, etc.)
Minimum Security Standards
Passwords (cont.)
All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.
Minimum Security Standards
No unencrypted authentication
Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use only encrypted authentication mechanisms unless otherwise authorized by the CISC.
• Exceptions will most likely be granted for legacy devices
• These exceptions will require the use of an alternate form of encryption (VPN, SSL, IPSec, etc.)
• This has a significant impact on Telnet, FTP, SNMP, POP and IMAP, services which are commonly left unencrypted.
Minimum Security Standards
No unauthenticated email relays
Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay email messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user. Before transmitting email to a non-local address, the sender must authenticate with the SMTP service. Authenticating the machine (e.g. IP address/domain name) rather than the sender is not sufficient to meet this standard.
• Requiring authentication + the previous standard means requiring TLS/SSL for SMTP
• The common practice of allowing relay for certain IP addresses or subnets is explicitly forbidden
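The relay rule on this slide, as an added example that is not part of the original presentation: a Python check that reads a Postfix main.cf fragment and flags the three things the standard rules out, relay granted by client address (`permit_mynetworks` with anything beyond loopback in `mynetworks`), relaying without sender authentication (no `permit_sasl_authenticated` or SASL disabled), and AUTH offered without TLS. The Postfix parameter names are real; the two sample configurations are constructed for illustration, and 192.0.2.0/24 is a documentation range standing in for a campus subnet.

```python
"""Audit a Postfix main.cf fragment against the "no unauthenticated email relay"
standard. Added example: Postfix parameter names are real, the sample
configurations below are constructed for illustration."""
import ipaddress
import re


def parse_main_cf(text):
    """Parse 'key = value' lines; Postfix continues a value on lines that start with whitespace."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:      # continuation of the previous value
            params[key] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def _split(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def non_loopback_networks(mynetworks):
    """Entries in mynetworks that would grant relay to hosts other than the machine itself."""
    flagged = []
    for tok in _split(mynetworks):
        try:
            net = ipaddress.ip_network(tok.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            flagged.append(tok)       # hostnames or lookup tables cannot be proven loopback, so flag them
            continue
        if not (net.network_address.is_loopback and net.broadcast_address.is_loopback):
            flagged.append(tok)
    return flagged


def audit_relay_policy(params):
    """Return (code, explanation) findings; an empty list means the fragment meets the standard."""
    findings = []
    restr_key = ("smtpd_relay_restrictions" if "smtpd_relay_restrictions" in params
                 else "smtpd_recipient_restrictions")
    restrictions = _split(params.get(restr_key, ""))

    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(restrictions):
        findings.append(("open-relay", f"{restr_key} never rejects relaying to non-local recipients"))

    if "permit_mynetworks" in restrictions:
        if "mynetworks" not in params:
            findings.append(("mynetworks-default",
                             "mynetworks is unset; the default depends on mynetworks_style and the Postfix version"))
        else:
            nets = non_loopback_networks(params["mynetworks"])
            if nets:
                findings.append(("ip-based-relay",
                                 "relay granted by client address, which the standard forbids: " + ", ".join(nets)))

    if ("permit_sasl_authenticated" not in restrictions
            or params.get("smtpd_sasl_auth_enable", "no").lower() != "yes"):
        findings.append(("no-sasl", "senders are not authenticated before relaying (SASL disabled or not permitted)"))

    tls_level = params.get("smtpd_tls_security_level", "none").lower()   # Postfix default: TLS off
    if tls_level in ("", "none"):
        findings.append(("no-tls", "STARTTLS is not offered, so AUTH credentials would cross the network in cleartext"))
    elif params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append(("auth-before-tls", "smtpd_tls_auth_only is not yes, so clients may authenticate before STARTTLS"))
    return findings


# Constructed sample: the forbidden 2004-style setup that relays for a whole campus subnet.
WEAK_CF = """\
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: relay only from the host itself or from an authenticated sender, AUTH only under TLS.
HARDENED_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(name, audit_relay_policy(parse_main_cf(cf)) or "meets the standard")
```

The hardened fragment uses `smtpd_tls_security_level = may` on the MX port; a dedicated submission listener would normally set `encrypt` instead so that no session, authenticated or not, runs in cleartext. The check reads only explicit settings, so a parameter that is missing is reported rather than assumed safe.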
Minimum Security Standards
No unauthenticated proxy services
Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless an unauthenticated proxy server has been reviewed by SNS and approved by the CISC as to configuration and appropriate use, it is not allowed on the campus network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and reconfigured to prevent unauthenticated proxy services.
Minimum Security Standards
Physical security
Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes.
• What does “where possible and appropriate” mean?
Minimum Security Standards
Unnecessary services
If a service is not necessary for the intended purpose or operation of the device, that service shall not be running.
• Information on finding and disabling unnecessary services is available in the Implementation Guidelines
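The "unnecessary services" standard on this slide and the "no unencrypted authentication" standard two slides earlier are both checked from the same evidence, the list of sockets a host is listening on, so here is one added example serving both; it is not code from the original presentation. It parses `ss -tuln` output (a constructed sample is embedded) and reports, per listener, whether it is one of the cleartext-authentication protocols the earlier slide names (Telnet, FTP, POP, IMAP, SNMP), whether it is on a hypothetical per-role allow-list of necessary services, and whether it is reachable from the network or bound to loopback only. The role allow-lists and the sample socket table are assumptions for illustration.

```python
"""Audit listening sockets against two of the Minimum Standards: no cleartext
authentication services, and no services unnecessary for the device's role.
Added example: the role allow-lists and the `ss -tuln` sample are constructed."""

# Services whose standard authentication crosses the wire in cleartext (the protocols
# the "no unencrypted authentication" slide names), keyed by (protocol, IANA port).
CLEARTEXT_AUTH = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 110): "pop3",
    ("tcp", 143): "imap",
    ("udp", 161): "snmp",
}

# Hypothetical allow-lists: what is "necessary for the intended purpose" of each device role.
ROLE_ALLOW = {
    "mail-server": {("tcp", 22), ("tcp", 25), ("tcp", 587), ("tcp", 993), ("tcp", 995)},
    "workstation": {("tcp", 22)},
}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(text):
    """Parse `ss -tuln` output into (proto, local address, port) tuples, skipping the header."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")          # handles "[::]:143" as well as "0.0.0.0:22"
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets


def audit_listeners(text, role):
    """Return (proto, port, exposure, verdict) for every listener; verdict is
    'allowed', 'unnecessary', or 'cleartext-auth (<service>)'."""
    allowed = ROLE_ALLOW[role]
    report = []
    for proto, addr, port in parse_ss(text):
        exposure = "loopback" if addr in LOOPBACK else "network"
        key = (proto, port)
        if key in CLEARTEXT_AUTH:                  # checked first: a needed service may still be cleartext
            verdict = f"cleartext-auth ({CLEARTEXT_AUTH[key]})"
        elif key in allowed:
            verdict = "allowed"
        else:
            verdict = "unnecessary"
        report.append((proto, port, exposure, verdict))
    return report


def violations(report):
    """Everything that needs action: disabling, or moving to an encrypted equivalent."""
    return [entry for entry in report if entry[3] != "allowed"]


# Constructed sample: a mail server that still runs telnet, plain IMAP, SNMP and a local print spooler.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      100    [::]:143           [::]:*
tcp   LISTEN 0      100    0.0.0.0:993        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port, exposure, verdict in audit_listeners(SAMPLE_SS, "mail-server"):
        print(f"{proto}/{port:<5} {exposure:<8} {verdict}")
```

On a real host, feed it the actual `ss -tuln` output and the role of the machine. A listener on 110 or 143 can satisfy the standard if STARTTLS is mandatory for it, which a socket listing cannot show, so those entries are a prompt to check the daemon's configuration rather than a final verdict; a loopback-only listener is not network-exposed but is still a running service the standard says should be off if unneeded.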
Minimum Security Standards - School of Law
What about Minimum Security Standards and the Law School?
• We have reduced support time considerably!
Examples:
• Leaving computers on to ensure automatic updates
• Every machine is protected with Symantec
• IPSec filtering + XP firewall
Challenges that lie ahead:
• Dealing with unencrypted authentication
• Host-based firewalls with XP SP2
• Passwords are always a problem
Minimum Security Standards - Residence Halls
• What we were already doing in the res halls (for publicity, e.g.)
• How central policy has helped
• Plans for meeting these standards
Minimum Security Standards - Res Halls: Environment
• around 6,000 residents
• around 6,000 systems administrators …
• over 50% Windows XP
• less than 10% Macintosh
• the rest are Win98, 2000, and Linux
Minimum Security Standards - Res Halls: Current publicity
• “Cal Connects” print document
• 1/2 hour mandatory educational sessions for new residents
• “How to” security documents with recommendations:
  • Secure passwords
  • Antivirus software
  • Windows update
• “Be Secure” website: http://www.rescomp.berkeley.edu/besecure/
• “Pete the Pirate” print document
Minimum Security Standards - Res Halls: How central policy has helped
• Lends legitimacy to our previously optional policies
• Provides enforcement weight (Campus policy must be adhered to)
• Additional resources for developing and reviewing policies
Minimum Security Standards - Res Halls: Plans for meeting these standards this Fall
• “Cal Connects” will emphasize security
• adherence to Minimum Security Standards required to be on our network
• “Be Secure” website updated to reflect Minimum Standards
• “Be Secure” CD with all campus-licensed security software:
  • Antivirus software
  • Personal firewall software
  • Auto-configuration of Windows update and firewall
Minimum Security Standards - Res Halls: “Be Secure” print document
• eight-page color comic book
• emphasizes four of the Minimum Standards:
  i) OS software update
  ii) antivirus software
  iii) firewall software
  iv) strong passwords
• based on public health outreach campaigns
• edgy and current to attract and maintain student attention
Minimum Security Standards - Res Halls: Enforcement and Verification
• self-report honor system for meeting Minimum Standards
• scanning for vulnerable or compromised systems
• Windows update server to see who is and is not patching
• removal from network if not meeting the Minimum Standards
Minimum Security Standards
University of CA, Berkeley, Department of Electrical Engineering and Computer Sciences
Minimum Security Standards - EECS
• Active instructional courses and labs
• Demanding administrative services
• Dominant research areas:
  • Wireless
  • Motes
  • HPC and large simulations
  • HoneyPot
  • Microfabrication
  • Optical/QoS-related networking research
Minimum Security Standards - EECS
• Delicate balance between:
  • stable, 24x7 production services and
  • the need for flexibility and robustness
• Historically, the diverse research environment resists “centralization” or “standardization” of IT.
Minimum Security Standards - EECS
“Blaster” Disaster
• Two out of five Windows-based systems were rebuilt
• 75% of graduate laptops were compromised (large population of un- or mismanaged mobile systems)
• Conservative estimate: a minimum of 2000-3000 FTE hours lost
• User awareness was at an all-time high AFTER the incident, but misconfigured systems still appear on the net daily
Minimum Security Standards - EECS
IT Risk Assessment
• EECS department-wide activity, encompassing all aspects of IT services
• Does not fare well compared with a corporate environment
• Serious gaps in user awareness, IT policy and enforcement, and standardized builds for computing devices
• Starting point of the year-long EECS IT security project
Minimum Security Standards - EECS
EECS IT Security Project
• Training, education, and user awareness
• Mandatory IT orientation for incoming graduate students, giving them the know-how and resources to help them manage their own systems in EECS/UCB
• Frequent system administration trainings for staff
• Town Hall meetings for all users: a chance to discuss, communicate, share, and obtain feedback
Minimum Security Standards - EECS
EECS IT Security Project
• Compliance with Minimum Security Standards
• Welcomed by most IT support staff within EECS; consolidates various existing EECS policies into one place
• Difficulty lies in the deployment of “firewall” software due to potential conflicts with research needs
• Working alongside the campus Data Management, Use and Protection (DMUP) policy task force, proposing stronger security standards for servers with critical or sensitive data
Minimum Security Standards - EECS
Compliance with Standards (cont.)
• Strengthening EECS network border management and monitoring (the strong firewall proposal was rejected by faculty, but a compromise is in the works)
• Proposing a “baseline security” service for all systems within EECS (allowing “centralized” patch and scanning management)
Minimum Security Standards
Campus Information Systems Security Officer
System and Network Security Office (SNS)
Minimum Security Standards - CISSO / SNS
Campuswide security without the Standards
• 45,000+ hosts
• DHCP / dial-up / wireless
• Most are unmanaged
• No central control
• IDS / Incident Response
• Scanning
• Education / Support
Minimum Security Standards - CISSO / SNS
Implementing the Minimum Security Standards
• Education / Support
• Endpoint Validation
• Advanced Scanning Architecture
• IDS / Forensics
Minimum Security Standards - CISSO / SNS
Education and support
• Classes
• Departmental Security Planning
• Connecting@Berkeley
• Guides / Cookbooks / Resources
Minimum Security Standards - CISSO / SNS
Endpoint Validation
• Authentication
• Scanning
• Captive Portal
Minimum Security Standards - CISSO / SNS
Advanced Scanning Architecture
• Network Audit / Profiles / Database
• Scanning Profiles
• Automated Notification
Minimum Security Standards - CISSO / SNS
IDS / Forensics
• Increased Coverage Inside Our Network
• “John Doe” Tool
Minimum Security Standards
Questions?
Berkeley’s new Minimum Security Standards
URL: http://security.berkeley.edu/MinStds/
Responsible Office: System and Network Security, http://security.berkeley.edu
Contact for questions about this policy: security-policy@berkeley.edu