This guide is for department administrators and technicians working to minimize the chance of an information security incident on Indiana University computers, networks, or other information technology systems. This document is not meant to be comprehensive—each unit should develop a comprehensive information security plan to address all its needs, general and particular.
Technicians assigned to systems supporting critical applications and/or hosting institutional data can't begin to protect those systems or data without first knowing what technologies they have deployed, how they are interconnected, and how they communicate. For senior department managers and technicians to assess risks associated with their operation, and to allocate appropriate resources to mitigate those risks, they must collect and maintain information about their technical environment, including information concerning:
- Computer systems by IP and name (DNS and NetBIOS)
- Operating systems
- Operating systems version and patch level
- Services active on each computer
- Web servers
- File servers
- Mail servers
- Applications software
- Local department applications
- Database Management Systems (DBMS)
- Extensions to the local network segment
- Virtual Private Network (VPN) services
- Wireless access points
- Network Address Translation (NAT) devices
- Public access terminals and workstations
Technicians must be provided adequate resources to secure the IT systems that they maintain. Incorrect system configuration settings by insufficiently trained and/or over-extended technicians will lead to security incidents. Managers should provide technicians:
- Ample time to spend on securing systems
- Ample time to spend on responding to security incidents
- Ample training on the technologies that they support
- Necessary staffing to ensure adequate coverage for all systems
- Subscribe to the UISO Bulletins mailing list service. (See KB document, "At IU, what are my options for viewing IT security bulletins from the UISO?")
- Subscribe to vendor and industry security alert services for technologies supported
- Apply relevant security patches promptly
- Where patches cannot be applied because they will negatively affect critical operations, institute mitigating safeguards (either at host-level or at network-level) to minimize the risk caused by the particular flaw
Online criminals use readily available automated reconnaissance tools to scan entire networks for vulnerable systems and services. These scans occur daily and originate from network addresses throughout the world. Your IT systems are probed several times a day by these criminals. To ensure that you know as much about your systems as your adversaries, technicians should:
- Scan systems using the UISO vulnerability scanners
- Regularly, at least every 30 days to ensure new vulnerabilities are identified promptly
- Immediately after installation/configuration of a new system is completed
- Immediately after introduction of a new operating system or an upgrade to a current operating system
- Immediately after installation or upgrade of networking or other system software
Repairs of identified vulnerabilities must be handled commensurate with the level of risk involved:
- For vulnerabilities posing a high risk of intrusion or compromise, mitigation should be accomplished within 24 hours
- For medium-risk vulnerabilities, 48 hours.
- For low-risk vulnerabilities, 72 hours.
Where identified vulnerabilities cannot be fixed because they will negatively affect critical operations, mitigating safeguards (either at host-level or at network component-level) must be implemented to minimize the risk caused by the particular flaw.
Consider scanning and securing a single machine and then using a disk imaging utility to copy that secure image to other machines. This process is helpful when deploying similarly configured machines that are purchased as part of the equipment life-cycle replacement process.
- record all keystrokes (usernames and passphrases, institutional data, etc.) entered by a user
- initiate Distributed Denial of Service (DDoS) attacks against sites on the Internet
- inflict significant damage to the infected computer etc.
To combat the threat of viruses, technicians should:
- Install anti-virus software to protect servers and workstations
- Employ a managed installation to maintain better control over installed anti-virus clients
- Update virus pattern files daily or schedule automatic updates to get new patterns when they are released
- Evaluate all services and programs running on systems
- Remove those that are not absolutely required
- Consult other security guides and documents available on this site for assistance
New security vulnerabilities, exploits, and issues are discovered daily. To stay informed of these newly discovered issues as well as older ones, technicians should routinely monitor the security news feed and other resources identified in the KB document, "At IU, what are my options for viewing IT security bulletins from the UISO?".
Unencrypted data, whether it's stored in a file or transmitted across the network, is vulnerable to disclosure. Protect it using techniques from our Data Encryption page.
Communication protocols such as HTTP and FTP transmit information across the network in clear text, making it possible for attackers to intercept network transmissions. See Transferring Data Securely and Using SSH for information on software that uses strong cryptography to protect data.
Access to University systems and data should only be provided to those who legitimately require it. In providing this access, adequate procedures should be followed to ensure that university policy and guidelines are adhered to. Managers and technicians should:
- Provide access to only those persons who are eligible to use university technology resources
- Require all users to be identified and authenticated before access is allowed (i.e., no guest access and no shared accounts unless absolutely necessary)
- Grant access only to authorized individuals and only to those services they need to do their jobs
- Avoid group accounts
- Use different passwords for privileged accounts (e.g., root, administrator) on various systems being maintained by the same technicians
- Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities
- Require passwords for all accounts and, if technically possible, require strong passwords and passphrases, initially and each time the password expires
- Implement a system preventing re-usable passwords from being sent over the network in clear-text
- Where technically possible, eliminate the storage of passwords on systems, instead using Kerberos, NTLMv2, or CAS.
- Remind users that passwords should not be shared with anyone, including friends, roommates, co-workers, supervisors, technicians, etc.
- Do not allow web browsers and other applications to "remember" user passwords.
System logs are critical for troubleshooting. They also play a key role in detecting intrusion attempts and performing forensics on a compromised machine. To ensure that adequate logs are maintained, technicians should:
- Review successful logins, including the locations from which the logins originated
- Review unsuccessful logins, including the locations from which the attempts originated
- Review unsuccessful file accesses
- Review the use of administrative privileges with operating system settings or tools such as sudo
- Maintain logs for other services, such as web servers and web applications
- Ensure all logs are routinely backed up, preferably nightly
- Keep logs for at least 30 days, but no longer than 60 days
System backups are important in recovering from a system compromise. In addition, they provide key timing information when performing forensics on a compromised machine. See our article on Backing Up Data for more information.
Physical protection of IT systems is an often overlooked but critical component to any IT security plan. Someone having physical access to your machines, could bypass most of the logical safeguards described elsewhere in this document. Technicians should:
- Restrict physical access to all servers
- Provide appropriate climate control for all critical servers
- Consider UITS' Intelligent Infrastructure for all servers
*Attention:* Deleting files and reformatting a hard drive does not remove the data stored on the hard drive. To securely remove all remnants of data, technicians should review and understand the alternatives described in the Securely Removing Data guide.
To respond adequately to successful or attempted security incidents at the university, managers and technicians should immediately report such events to the UISO. Upon receiving a report of a successful breach, the UISO will:
- Minimally, file the report for future reference
- Ensure all logs and other information are protected from loss or damage
- Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information
- Report the situation to the Chief Information Security and Policy Officers, and, if circumstances dictate, to the Vice President for Information Technology and Chief Information Officer (VPIT/CIO)
- Assign the incident to a security analyst or engineer within the UISO
- Provide advice or comment to the functional unit technician as necessary
- Warn other Indiana University technicians if the situation may also impact other university systems
- Consult with functional unit technicians and management, University Counsel, law enforcement, and other agencies as required
- Perform or assist in any subsequent investigation and/or perform computer forensics