UC Davis CyberSafety Program - PowerPoint PPT Presentation

1
UC Davis Cyber-Safety Program
  • Information and Educational Technology
  • University of California, Davis
  • June 24, 2005

2
Why Focus on Information Security?
  • Growing Reliance on Information Technology at UC
    Davis
  • Increasing Use of Electronic Storage for
    Electronic Personal Information
  • Increasing Malicious Activity Directed at
    Networked Computing Systems
  • Increasing Regulatory Mandates for the Protection
    of Electronic Personal Information
  • Increasing Regulatory Mandates for Notification
    After Personal Information Security Breaches

3
From the Files of the US Federal Trade
Commission.
  • My purse was stolen in December 1990. In
    February 1991, I started getting notices of
    bounced checks. About a year later, I received
    information that someone using my identity had
    defaulted on a number of lease agreements and
    bought a car. In 1997, I learned that someone had
    been working under my Social Security number for
    a number of years. A man had been arrested and
    used my SSN on his arrest sheet. There's a hit in
    the FBI computers for my SSN with a different
    name and gender. I can't get credit because of
    this situation. I was denied a mortgage loan,
    employment, credit cards, and medical care for my
    children. I've even had auto insurance denied,
    medical insurance and tuition assistance denied.

4
How Does Identity Theft Occur?
  • Stolen Wallets and Purses
  • Stolen Financial Statements and Credit Offers
    Delivered Via the Mail
  • Dumpster Diving or Trash Inspection
  • Fraudulent Collection of Your Credit Report by
    Posing as a Landlord, Employer or Someone Else
    Who May Have a Legitimate Need For, and Legal
    Right to, the Information.
  • Personal Information You Share on the Internet.
  • Business Record Theft from the Workplace

5
How Prevalent is Identity Theft?
  • 27 Million Victims in US Over Past Five Years
  • 10 Million Victims in US in 2003
  • 26 Percent Related to Credit Cards/Banks
  • 15 Percent Related to Non-Financial Use
  • Financial Impact of Identity Theft
      • US Businesses: $48 billion
      • Consumers/Victims: $5 billion

9
Cyber-safety Program Policy
  • Adopted April 2005
  • Establishes 14 Security Measures to Protect the
    Integrity, Availability and Confidentiality of UC
    Davis Comp
  • Annual Compliance Report Submitted to the Office
    of the Chancellor and Provost

10
Cyber-safety Program Policy
  • Software Patches
  • Anti-Virus
  • Insecure Network Services
  • Authentication
  • Personal Information
  • Physical Security
  • Firewall Services
  • Open Mail Relays
  • Open Proxies
  • Audit Logs
  • Backup/Recovery
  • Security Training
  • Anti-Spyware
  • Data Removal

11
Cyber-safety Program Policy
  • July 1, 2005
      • Identification of Assessment Preparers
      • Anticipated Assessment Completion Date
      • Identification of Needed Additional Resources
  • October 1, 2005
      • Initial Compliance Status
      • Action Plan
  • July 1: Annual Update Report

12
Apply Software Patches
  • Computing hosts connected to the campus network
    must use an operating system and application
    software for which the publisher maintains a
    program to release critical security updates.
    Campus units must apply all currently available
    critical security updates within seven calendar
    days of update release or implement a measure to
    mitigate the related security vulnerability.
    Exceptions may be appropriate for patches that
    compromise the usability of an operating system
    or application or for patches for which the
    installation is prohibited by regulation.

13
Use/Update Anti-Virus Software
  • Anti-virus software must be running and updates
    must be applied within no more than 24 hours of
    update release for computing hosts connected to
    the campus network. This standard applies to
    computing hosts connected to the campus network
    which are subject to virus infection. Networked
    devices subject to virus infection that are
    unable to use anti-virus software must be
    protected from malicious network traffic.

14
Disable/Remove Unneeded Network Services
  • If a computer service/process that provides a
    computing host access to network services (e.g.,
    Telnet) is not necessary for the intended purpose
    or operation of the network-connected device,
    that service/process shall be disabled. Where
    inherently insecure network services are needed,
    their encrypted equivalents must be used.
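The standard above asks for two things per host: drop services the device does not need, and replace cleartext protocols with their encrypted equivalents. The following script is an added example (not a UC Davis tool) that audits the listening TCP sockets of a Linux host from `ss -H -ltnp` output and flags the cleartext services. The service-to-replacement table and the sample socket listing are this example's own assumptions, constructed for illustration.

```python
"""Audit listening TCP sockets for inherently insecure (cleartext) services.

Added example; it parses `ss -H -ltnp` style output (Linux, iproute2).
The sample lines below are constructed, and the service table is this
example's assumption, not a list from the UC Davis standard.
"""
import re
import subprocess

# Cleartext services and the encrypted equivalent the standard calls for.
INSECURE_SERVICES = {
    21: ("ftp", "sftp (over SSH) or FTPS"),
    23: ("telnet", "ssh (22)"),
    110: ("pop3", "pop3s (995)"),
    143: ("imap", "imaps (993)"),
    513: ("rlogin", "ssh (22)"),
    514: ("rsh", "ssh (22)"),
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listener(line):
    """Return (address, port, process) for one `ss -H -ltnp` line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")   # "[::]:143" -> "[::]", "143"
    if not port.isdigit():
        return None
    m = re.search(r'\("([^"]+)"', line)          # name inside users:(("sshd",...))
    return addr, int(port), (m.group(1) if m else "?")


def audit_listeners(lines):
    """Flag cleartext listeners and note whether they face the network."""
    findings = []
    for line in lines:
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in INSECURE_SERVICES:
            name, replacement = INSECURE_SERVICES[port]
            findings.append({
                "port": port,
                "service": name,
                "process": proc,
                "network_facing": addr not in LOOPBACK,
                "action": f"disable {name}, or replace it with {replacement}",
            })
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=640,fd=5))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=901,fd=13))
LISTEN 0 128 [::]:143 [::]:* users:(("dovecot",pid=950,fd=22))
LISTEN 0 128 0.0.0.0:993 0.0.0.0:* users:(("dovecot",pid=950,fd=23))
LISTEN 0 32 127.0.0.1:21 0.0.0.0:* users:(("vsftpd",pid=777,fd=4))
"""

if __name__ == "__main__":
    # Live run where `ss` exists; otherwise fall back to the constructed sample.
    try:
        out = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    for f in audit_listeners(out.splitlines()):
        where = "network-facing" if f["network_facing"] else "loopback only"
        print(f"port {f['port']} ({f['service']}, {f['process']}, {where}): {f['action']}")
```

On the sample, telnet and IMAP are reported as network-facing and FTP as loopback only; a loopback-only listener still counts under the standard, but the network-facing ones are the ones to fix first.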

15
Authentication
  • Campus electronic communications service
    providers must have a suitable process for
    authenticating users of shared electronic
    communications resources under their control.
  • No campus electronic communications service user
    account shall exist without a password or another
    secure authentication mechanism (e.g., biometrics
    or smart cards).
  • Where passwords are used to authenticate users, a
    password must be configured to enforce password
    complexity requirements, if such capability
    exists.
  • All default account passwords for
    network-accessible devices must be modified upon
    initial use.
  • Passwords used for privileged access must not be
    the same as those used for non-privileged access.

  • All campus devices must use encrypted
    authentication mechanisms unless an exception has
    been approved by the appropriate department head
    or campus administrative official. Unencrypted
    authentication mechanisms are only as secure as
    the network upon which they are used. Any network
    traffic may be surreptitiously monitored,
    rendering unencrypted authentication mechanisms
    vulnerable to compromise.

16
Protect Personal Information
  • Campus units must identify departmental computing
    systems and applications that house personal
    information (personal name along with Social
    Security number, California driver identification
    number, or financial account information).
    Personal information must be removed from all
    computers for which it is not required.  If the
    personal information cannot be removed from the
    computing system, the campus unit must develop a
    plan specifically outlining how the information
    and systems will be kept secure. Measures to
    protect the information could include removing
    several digits from the personal identifiers,
    moving the files to removable media and storing
    this media in a secure location apart from the
    computer, or encrypting the personal information.
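The first step in the standard above is finding out which systems hold the named identifiers at all. The script below is an added example (not a campus tool) that scans text for the three identifier types, masks them by removing all but the last four digits (the "removing several digits" option), and walks a directory tree to report which files contain them. The regular expressions, the assumed California driver's license format (one letter plus seven digits), the account-number heuristic and the sample text are this example's assumptions; the standard's trigger is an identifier together with a personal name, so a hit still needs a human to confirm it.

```python
"""Locate and mask SSNs, California driver's license numbers and account
numbers. Added example, not a campus tool; the patterns, the masking rule
and the sample text are this example's assumptions.
"""
import os
import re

# SSN in area-group-serial form. Areas 000, 666 and 900-999, group 00 and
# serial 0000 are never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# California driver's license: one letter and seven digits (assumed format).
CA_DL_RE = re.compile(r"\b([A-Z])(\d{7})\b")
# A labelled account number of 8 to 17 digits (assumed format).
ACCT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:no\.?|#|number)?\s*[:#]?\s*(\d{8,17})\b", re.I)

PATTERNS = (("ssn", SSN_RE), ("ca_dl", CA_DL_RE), ("account", ACCT_RE))


def find_personal_info(text):
    """Return [(kind, matched_text, (start, end)), ...] ordered by position."""
    hits = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            hits.append((kind, m.group(0), m.span()))
    return sorted(hits, key=lambda h: h[2])


def mask_personal_info(text):
    """Keep only the last four digits of each identifier.

    Staff can still match a record on the tail, but the masked value is no
    longer usable as the identifier itself."""
    text = SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)
    text = CA_DL_RE.sub(lambda m: m.group(1) + "XXX" + m.group(2)[-4:], text)
    text = ACCT_RE.sub(
        lambda m: m.group(0).replace(
            m.group(1), "X" * (len(m.group(1)) - 4) + m.group(1)[-4:]),
        text)
    return text


def scan_tree(root, max_bytes=4 << 20):
    """Walk a directory; map each file holding an identifier to the kinds found."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_personal_info(fh.read(max_bytes))
            except OSError:
                continue            # unreadable file: skip, keep scanning
            if hits:
                report[path] = sorted({kind for kind, _, _ in hits})
    return report


# Constructed sample; the names and numbers are made up.
SAMPLE = """\
Name: Jane Roe   SSN: 219-09-9999   CA DL: B1234567   Account No: 001234567890
Name: John Doe   SSN: 000-12-3456   (never-issued area, must not match)
Office phone 530-752-1000 is not an SSN.
"""

if __name__ == "__main__":
    for kind, value, _ in find_personal_info(SAMPLE):
        print(f"{kind:8s} {value}")
    print(mask_personal_info(SAMPLE))
```

Masking in place is the cheapest of the three options the standard lists, but it only helps if the full values are not also kept in a backup, an export or a spreadsheet someone mailed around; `scan_tree` is there to find those copies.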

17
Maintain Physical Security
  • Unauthorized physical access to an unattended
    computing device can result in harmful or
    fraudulent modification of data, fraudulent email
    use, or any number of other potentially dangerous
    situations. In light of these risks, where
    possible and appropriate, devices must be
    configured to "lock" and require a user to
    re-authenticate if left unattended for more than
    20 minutes. Portable storage devices must also
    not be left unattended and be protected from data
    theft or unauthorized data modification or
    deletion. Physical security measures protecting
    computers hosting critical or sensitive
    university electronic communication records from
    theft must also be implemented. The use of data
    encryption may mitigate the security risks
    related to a physical security breach. 

18
Maintain Firewall Services
  • Firewall services, whether provided by a network
    hardware device or through operating system or
    add-on software, must be restrictively configured
    to deny all traffic unless expressly permitted.
    The use of a VLAN firewall however, may not
    obviate the need to use software-based firewalls
    if insecure computing devices are permitted
    access to network services behind a campus unit
    VLAN firewall.
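"Deny all traffic unless expressly permitted" is easy to state and easy to drift away from on a host that has been administered by hand for a while. The script below is an added example (not a campus tool) that checks an `iptables -S` rule dump on a Linux host for the two common failures: a built-in chain whose default policy is still ACCEPT, and an ACCEPT rule on INPUT with no selector, which admits everything regardless of the policy. The two rule dumps are constructed, and which options count as selectors is this example's assumption.

```python
"""Check that a host firewall is deny-by-default from an `iptables -S` dump.

Added example, not a campus tool. The two sample dumps are constructed; the
set of options treated as narrowing a rule is this example's assumption.
"""
import subprocess

# Options that narrow a rule. An ACCEPT rule carrying none of them is a catch-all.
SELECTORS = {"-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "--ctstate"}
ANY_NET = {"0.0.0.0/0", "::/0"}      # "-s 0.0.0.0/0" narrows nothing


def is_narrowed(opts):
    """True if the option list restricts the rule to some subset of traffic."""
    for i, opt in enumerate(opts):
        if opt in ("-s", "-d"):
            if i + 1 < len(opts) and opts[i + 1] not in ANY_NET:
                return True
        elif opt in SELECTORS:
            return True
    return False


def audit_iptables(dump):
    """Return a list of findings; an empty list means the dump passes."""
    findings = []
    for line in dump.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P" and len(parts) >= 3:          # chain default policy
            chain, policy = parts[1], parts[2]
            if chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append(f"{chain} policy is {policy}; must be DROP")
        elif parts[0] == "-A" and "-j" in parts:           # appended rule
            chain, j = parts[1], parts.index("-j")
            if chain == "INPUT" and parts[j + 1] == "ACCEPT":
                if not is_narrowed(parts[2:j]):
                    findings.append(f"unconditional ACCEPT on INPUT: {line}")
    return findings


# Constructed dumps: a host that was never locked down, and a compliant one.
SAMPLE_WEAK = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
"""
SAMPLE_HARDENED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 169.237.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    # Live run needs root on a Linux host; otherwise audit the constructed samples.
    try:
        dumps = {"live": subprocess.run(["iptables", "-S"], capture_output=True,
                                        text=True, check=True).stdout}
    except (OSError, subprocess.CalledProcessError):
        dumps = {"weak": SAMPLE_WEAK, "hardened": SAMPLE_HARDENED}
    for name, dump in dumps.items():
        print(name, "->", audit_iptables(dump) or "ok")
```

The hardened dump shows the shape the standard wants: DROP policies on INPUT and FORWARD, loopback and established traffic allowed back in, and each service opened by a rule that names the protocol, port and source network. The check is per host on purpose: as the slide says, a VLAN firewall in front of the unit does not remove the need for this on the host itself.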

19
Remove Open Mail Relays
  • Devices connected to the campus network must not
    provide an active SMTP service that allows
    unauthorized third parties to relay email
    messages, i.e., to process an e-mail message
    where neither the sender nor the recipient is a
    local user.
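The slide defines relaying as processing a message where neither sender nor recipient is local. The block below is an added example (not a campus tool) in two parts: `relay_decision` is the server-side rule an MTA should apply at RCPT TO, and `probe_relay` is the test a unit can run against its own mail host with `smtplib` to confirm the relay is closed. One caveat the slide's wording does not cover: the envelope sender is trivially forged, so a local MAIL FROM alone is not evidence that the client is local. The decision here therefore accepts an outbound message only from a trusted campus network or an authenticated session. The domains, networks and probe addresses are assumptions.

```python
"""Relay policy for an SMTP server, plus a probe for an open relay.

Added example, not a campus tool. `relay_decision` is the server-side rule
applied to one RCPT TO; `probe_relay` talks to a live server and is only
used from the command line. Domains, networks and addresses are assumed.
"""
import ipaddress
import smtplib
import sys

LOCAL_DOMAINS = {"example.edu", "mail.example.edu"}          # assumed
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),      # assumed campus LAN
                    ipaddress.ip_network("127.0.0.0/8")]


def is_local(address):
    """Local means the domain part is one this server is responsible for."""
    _, _, domain = address.rpartition("@")
    return domain.lower() in LOCAL_DOMAINS


def from_trusted_network(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def relay_decision(mail_from, rcpt_to, client_ip, authenticated=False):
    """Return (accept, smtp_reply) for one RCPT TO command.

    Inbound mail for a local recipient is always accepted. Outbound mail is
    accepted only from an authenticated client or a trusted network with a
    local sender; MAIL FROM by itself is forgeable and proves nothing."""
    if is_local(rcpt_to):
        return True, "250 2.1.5 Ok (local recipient)"
    if authenticated:
        return True, "250 2.1.5 Ok (authenticated submission)"
    if from_trusted_network(client_ip) and is_local(mail_from):
        return True, "250 2.1.5 Ok (trusted network, local sender)"
    return False, "554 5.7.1 Relay access denied"


def probe_relay(host, port=25, timeout=10):
    """Ask a live server to relay between two foreign addresses.

    True means the server said 250 to a third-party recipient: an open relay.
    The transaction is reset before any DATA, so no message is sent."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.mail("relay-probe@sender.example.net")             # assumed foreign
        code, _ = smtp.rcpt("relay-probe@receiver.example.org")  # assumed foreign
        smtp.rset()
        return code == 250


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("OPEN RELAY" if probe_relay(sys.argv[1]) else "relay refused")
    else:
        cases = (("x@remote.example.net", "u@example.edu", "203.0.113.5"),
                 ("x@remote.example.net", "v@other.example.org", "203.0.113.5"),
                 ("alice@example.edu", "v@other.example.org", "203.0.113.5"),
                 ("alice@example.edu", "v@other.example.org", "10.1.2.3"))
        for c in cases:
            print(c, "->", relay_decision(*c)[1])
```

Run it with a hostname to probe a server you are responsible for; without arguments it prints the policy decision for the four cases that matter (inbound, third-party, forged local sender from outside, local sender from inside).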

20
Remove Open Proxies
  • An unrestricted proxy server for use from
    non-university locations is not allowed on the
    campus network. Use of an unauthenticated proxy
    server is not permitted on the campus network
    unless approved as an exception to the campus
    security standards by the appropriate department
    head or campus administrative official. Although
    properly configured unauthenticated proxy servers
    may be used for valid purposes (e.g. a caching
    proxy for local LAN users), such services
    commonly exist as the result of inappropriate
    device configuration.
  • Any proxy server for use from non-university
    locations must ensure that:
      • All users are authenticated.
      • All users meet the criteria used to qualify for
        access to campus licensed intellectual property
        such as online journals restricted to UC Davis IP
        addresses.

21
Maintain Audit Logs
  • Campus units must develop and implement a policy
    defining the use, inspection and retention of
    audit logs.  Audit log inspection may permit the
    identification of unauthorized access to
    sensitive electronic communication records. The
    use of audit logs should be extended to document
    activities such as account use and the network
    source of the login, incoming and outgoing
    network connections, file transfers and
    transactions. 
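A retention policy is only useful if someone, or something, actually inspects the logs. The script below is an added example (not a campus tool) that reads sshd authentication records and produces the three things the slide names: account use, the network source of each login, and signs of unauthorized access (repeated failures from one source, a login from off campus, and a source that failed repeatedly and then succeeded). The log lines are constructed; the campus address range and the failure threshold are assumptions.

```python
"""Inspect sshd authentication records for account use, login sources and
unauthorized access attempts. Added example, not a campus tool. The log lines
are constructed; the campus range and the alert threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

CAMPUS_NETS = [ipaddress.ip_network("169.237.0.0/16")]   # assumed campus range
FAIL_THRESHOLD = 4                                      # assumed alert level

# Matches the "Accepted ... for USER from IP" and "Failed ..." lines sshd writes.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_auth_lines(lines):
    """One dict per Accepted/Failed line; anything else is skipped."""
    return [m.groupdict() for m in map(AUTH_RE.match, lines) if m]


def on_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def summarize(events):
    """Account use, login sources, and alerts that deserve a human's attention."""
    logins = defaultdict(set)       # user -> source IPs that logged in
    failures = Counter()            # source IP -> failed attempts
    alerts = []
    for e in events:
        if e["result"] == "Accepted":
            logins[e["user"]].add(e["ip"])
            if not on_campus(e["ip"]):
                alerts.append(f"{e['ts']} {e['user']} logged in from off-campus {e['ip']}")
        else:
            failures[e["ip"]] += 1
    for ip, n in failures.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(f"{n} failed logins from {ip} (possible password guessing)")
    # A source that failed repeatedly and then got in is the first thing to check.
    for user, ips in logins.items():
        for ip in sorted(ips & set(failures)):
            alerts.append(f"{ip} failed {failures[ip]} times, then logged in as {user}")
    return {"logins": {u: sorted(s) for u, s in logins.items()},
            "failures": dict(failures), "alerts": alerts}


# Constructed sample (not from a real host).
SAMPLE_LOG = """\
Jun 24 08:01:12 host1 sshd[2231]: Accepted password for alice from 169.237.10.44 port 51234 ssh2
Jun 24 08:03:40 host1 sshd[2270]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun 24 08:03:42 host1 sshd[2270]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun 24 08:03:45 host1 sshd[2273]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2
Jun 24 08:03:50 host1 sshd[2275]: Failed password for alice from 203.0.113.9 port 40020 ssh2
Jun 24 08:04:01 host1 sshd[2275]: Failed password for alice from 203.0.113.9 port 40020 ssh2
Jun 24 08:04:09 host1 sshd[2275]: Accepted password for alice from 203.0.113.9 port 40020 ssh2
Jun 24 08:05:10 host1 sshd[2301]: Accepted publickey for bob from 169.237.12.7 port 51300 ssh2
Jun 24 08:06:00 host1 sshd[2302]: Connection closed by 198.51.100.7 port 55000 [preauth]
"""

if __name__ == "__main__":
    report = summarize(parse_auth_lines(SAMPLE_LOG.splitlines()))
    for user, ips in report["logins"].items():
        print(f"{user}: logged in from {', '.join(ips)}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

On the sample, the source 203.0.113.9 fails five times (root, an invalid user, then alice) and finally logs in as alice from off campus; that single sequence produces all three alert types, which is the pattern a password-guessing compromise leaves in the log.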

22
Backup and Recovery
  • All critical and sensitive University electronic
    communication records residing on electronic
    storage shall be backed up on a regular and
    frequent basis to separate backup media. The
    backup media must be protected from unauthorized
    access and stored in a location that is separate
    from the originating source. The backup media
    must be tested on a regular basis to ensure
    recoverability from the backup media.

23
Provide Security Training Opportunities
  • A technical training program must be documented
    and established for all systems staff responsible
    for security administration. In addition, campus
    unit administrators and users handling critical
    and/or sensitive University electronic
    communication records must receive annual
    information security awareness program training
    regarding University policy and proper
    information handling and controls. 

24
Use Anti-Spyware
  • The use of programs to identify and remove
    spyware programs is strongly advised to help
    maintain the privacy of personal information and
    Internet use.  The use of an anti-spyware program
    must be accompanied by installing program updates
    on a regular basis to ensure the ability to detect
    and remove new spyware or adware programs.

25
Remove Personal Data
  • All data must be removed from electronic storage
    prior to being released or transferred to another
    party. Data removal must be consistent with
    physical destruction of the electronic storage
    device, degaussing of the electronic storage or
    overwriting of the data at least three times. A
    quick format or file erasure is insufficient.
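A quick format or a plain file deletion only drops the directory entry; the blocks keep their contents until something else writes over them. The block below is an added example (not a campus tool) of the overwrite option in the standard: three passes over the file, each pushed to the device with `fsync`, and only then the unlink. It is a file-level illustration with a caveat a practitioner needs: on SSDs, on copy-on-write or journaling filesystems, and on drives that remap bad blocks, an in-place overwrite does not reliably reach every physical copy of the data, so for a device that is leaving the unit the whole-device overwrite, degaussing or destruction options in the standard are the ones that apply. The sample record is constructed.

```python
"""Overwrite a file's contents before deleting it, then verify the overwrite.

Added example, not a campus tool. Three passes by default (random, random,
zeros), each fsynced. File-level only: see the caveat in the text above
about SSDs, copy-on-write filesystems and remapped blocks.
"""
import os
import sys
import tempfile


def overwrite_file(path, passes=3, chunk=1 << 16):
    """Overwrite the file in place; return the byte count written per pass."""
    size = os.path.getsize(path)
    written = []
    fd = os.open(path, os.O_WRONLY)
    try:
        for n in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining, count = size, 0
            while remaining > 0:
                length = min(chunk, remaining)
                # Random data on the early passes, zeros on the last.
                block = os.urandom(length) if n < passes - 1 else bytes(length)
                while block:                 # os.write may write only part
                    done = os.write(fd, block)
                    count += done
                    block = block[done:]
                remaining -= length
            os.fsync(fd)                     # push this pass to the device
            written.append(count)
    finally:
        os.close(fd)
    return written


def shred_file(path, passes=3):
    """Overwrite, then remove. A bare os.remove would leave the data on disk."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo(passes=3):
    """Write a constructed record to a temp file, overwrite it, and report."""
    secret = b"Name: Jane Roe  SSN: 219-09-9999\n" * 2000   # constructed
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    written = overwrite_file(path, passes)
    with open(path, "rb") as fh:
        after = fh.read()                  # read back what the last pass left
    os.remove(path)
    return {"size": len(secret), "written": written,
            "secret_gone": b"219-09-9999" not in after,
            "zeroed": after == bytes(len(secret)),
            "removed": not os.path.exists(path)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("bytes per pass:", shred_file(sys.argv[1]))
    else:
        print(demo())
```

Given a path, the script shreds that file; with no arguments it runs the self-check, which confirms that every pass covered the whole file and that the last pass left only zeros. For a whole disk the same loop applies to the block device rather than a file, which is what reaches the blocks that deleted files and old filesystem structures still occupy.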

26
References and Tools to Help
  • http://security.ucdavis.edu/cybersafety.cfm
  • Policy
  • Security Standards
  • Exceptions
  • Timetable
  • References and Tools

28
Questions?