
Information Security Awareness


Presentation Transcript


  1. Information Security Awareness for Systems Administrators

  2. Why Us? • Institutions of Higher Education are far more tantalizing targets • Exploit vulnerabilities and weaknesses • Publicity/recognition for hacking • Profitability a key motivator • The threat from within • *Over 44% of incidents in 2007 targeted Education and Government* per the Web Application Security Consortium

  3. Roles and Responsibilities • Strong Passwords • Data Backups • Physical Security • Daily Log Reviews • Software Licensing • User Access • P2P File Sharing • Avoid Disclosure/Compromise

  4. Minimum Security Standards for Systems – Backups (Cat I) • Establish/follow regular system backups • Monthly verification of backups through customer/trial restores • System administrator must maintain documented restoration procedures for systems and the data on those systems

  5. Minimum Security Standards for Systems – Change Mgmt (Cat I) • System configuration/documented change control process • Evaluate system changes before applying them in the production environment: test patches first; if no test environment exists, communicate with the data customer; communicate any change in the environment resulting from patches

  6. Minimum Security Standards for Systems – Virus Protection (Cat I) • Install & enable Antivirus software • Recommend installation of Anti-spyware software if browsing • Must be configured to update daily • Maintain/make available a description of the standard configuration of antivirus software

  7. Minimum Security Standards for Systems – Physical Access (Cat I) • Physically secure systems in racks/areas with restricted access • Physically secure portable devices if left unattended • Secure backup media from unauthorized physical access • Encrypt backup media if stored off-site OR document process to prevent unauthorized access

  8. Minimum Security Standards for Systems – Hardening Checklist • System is set up in a protected network environment • Install OS and application services security patches expediently • Enable automatic notification of new patches • Disable/uninstall services/apps/user accounts not being used

  9. Hardening Checklist (continued) • Limit connections to services running on host to authorized users only • Encrypt communications & storage of services/apps for systems using Cat I data (confidentiality-integrity-availability) • Integrity checks of critical OS files & system accounts (user least privilege) • University warning banner required • Use of strong passwords
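The "integrity checks of critical OS files" item in the checklist is usually done by recording a hash baseline and re-hashing later. The following is an added example, not part of the slides: it baselines SHA-256 digests of a set of paths and reports modified, missing and unexpected files; the `demo()` scenario uses constructed stand-in files in a temporary directory rather than real system files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the SHA-256 digest of every monitored file that currently exists."""
    return {str(p): sha256_file(p) for p in paths if os.path.isfile(p)}

def compare_baseline(baseline, paths):
    """Re-hash the monitored paths and report what drifted since the baseline."""
    current = build_baseline(paths)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline three stand-in 'critical' files, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = [root / "passwd", root / "shadow", root / "sudoers"]
        for f in files:
            f.write_text(f"baseline contents of {f.name}\n")
        baseline = build_baseline(files)
        # Simulate drift: one file edited, one deleted, one unexpected file added.
        (root / "sudoers").write_text("changed contents\n")
        (root / "shadow").unlink()
        rogue = root / "rc.local"
        rogue.write_text("unexpected file\n")
        report = compare_baseline(baseline, files + [rogue])
        # Report by basename so the result does not depend on the temp dir path.
        return {k: [Path(p).name for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

The baseline only proves anything if it is stored where the monitored host cannot rewrite it (read-only media or a separate system), otherwise a change that also updates the baseline goes unnoticed.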

  10. Minimum Security Standards for Systems – Security Monitoring • Enable and test logging • Document and routinely monitor/analyze OS/service logs • Follow a documented backup strategy for security logs (e.g., acct mgmt, access control, data integrity, etc.) • Retain security logs for a minimum of 14 days • Admin/Root Access must be logged
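Two of these requirements, that admin/root access is logged and that logs cover at least 14 days, can be checked during the daily log review. The following is an added example, not from the slides: it runs over constructed syslog-style lines (host names and addresses are placeholders) and uses patterns that approximate the OpenSSH, sudo and su message formats; adjust them to the formats your systems actually emit.

```python
import re
from datetime import datetime

# Constructed sample syslog-style lines (not from the original slides); hosts and
# addresses are placeholders.
SAMPLE_LOG = """\
2007-10-01T08:12:03 srv1 sshd[2201]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2
2007-10-01T09:30:11 srv1 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
2007-10-02T10:00:00 srv1 su[3105]: Successful su for root by asmith
2007-10-14T11:45:09 srv1 sshd[4411]: Accepted password for jdoe from 10.0.0.7 port 51030 ssh2
2007-10-16T09:05:44 srv1 sshd[5002]: Failed password for root from 203.0.113.9 port 40001 ssh2
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ")
# Message formats approximate OpenSSH, sudo and su syslog output.
PRIVILEGED_PATTERNS = [
    ("root_ssh_login", re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")),
    ("sudo_to_root", re.compile(r"sudo: +(\S+) .*USER=root ; COMMAND=")),
    ("su_to_root", re.compile(r"su\[\d+\]: Successful su for root by (\S+)")),
]
FAILED_ROOT_RE = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)")

def parse_timestamp(line):
    m = TIMESTAMP_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None

def privileged_access_events(log_text):
    """Every successful admin/root access: when, how, and the user or source address."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in PRIVILEGED_PATTERNS:
            m = pattern.search(line)
            if m:
                events.append({"when": parse_timestamp(line), "kind": kind, "who": m.group(1)})
                break
    return events

def failed_root_logins(log_text):
    """Source addresses of failed root password attempts, worth a daily look."""
    return [m.group(1) for m in map(FAILED_ROOT_RE.search, log_text.splitlines()) if m]

def retention_days(log_text):
    """Days between oldest and newest entry: how much history the log really holds."""
    stamps = [t for t in map(parse_timestamp, log_text.splitlines()) if t]
    return (max(stamps) - min(stamps)).days if stamps else 0

def meets_retention(log_text, minimum_days=14):
    return retention_days(log_text) >= minimum_days
```

An empty result from `privileged_access_events` on a host where administrators are known to have worked is itself a finding: either root access is not being logged or the log has been truncated.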

  11. Minimum Security Standards for Systems • For more information please visit the Information Security Office website at http://admin.utep.edu/Default.aspx?alias=admin.utep.edu/securityawareness

  12. Password Security • At least 17 characters in length • Do not share or disclose • Use complex passwords or pass phrases containing letters, numbers and special characters • Change at least every 6 months, or immediately if a compromise is suspected • Change any time a Team Member leaves

  13. Safe Practices • Browsing and downloading • Privacy • Misuse of domain credentials • Remote access • New users and folder shares • Disable “Remember Password” features • Report suspected compromise of account(s) or password(s) to ISO

  14. Safe Practices (cont) • Antivirus – run weekly scans • User Access – check for appropriate approvals • Disaster Recovery • Business Continuity • Don’t give away the “Keys to the Kingdom” • *Use of SQL Injection was 20% in 2007* according to the Web Application Security Consortium

  15. Statistics The Web Hacking Incidents Database 2007 Annual Report, prepared by Ofer Shezaf and the Breach Security Labs team: http://www.webappsec.org/projects/whid/statistics.shtml

  16. Questions & Answers Information Security Office web page: http://admin.utep.edu/securityawareness 2007 Statistics: http://www.webappsec.org/projects/whid/statistics.shtml from the Web Application Security Consortium
