Information security best practices

Each organizational unit of Indiana University must create and maintain documents describing the systems hosting functions and databases supporting their local operations.

Technicians assigned to systems supporting critical applications and/or hosting institutional data can't begin to protect those systems or data without first knowing what technologies they have deployed, how they are interconnected, and how they communicate. For senior department managers and technicians to assess risks associated with their operation, and to allocate appropriate resources to mitigate those risks, they must collect and maintain information about their technical environment, including information concerning:

• Computer systems by IP and name (DNS and NetBIOS)
• Operating systems
• Operating systems version and patch level
• Services active on each computer
• Web servers
• File servers
• Mail servers
• Applications software
• Antivirus
• Email
• Local department applications
• Database Management Systems (DBMS)
• Extensions to the local network segment
• Switches
• Virtual Private Network (VPN) services
• Wireless access points
• Proxies
• Network Address Translation (NAT) devices
• Public access terminals and workstations

Technicians must be provided adequate resources to secure the IT systems that they maintain. Incorrect system configuration settings by insufficiently trained and/or over-extended technicians will lead to security incidents. Managers should provide technicians:

• Ample time to spend on securing systems
• Ample time to spend on responding to security incidents
• Ample training on the technologies that they support
• Necessary staffing to ensure adequate coverage for all systems

Vendor-supplied security fixes (patches) must be applied to protect against system compromise. Almost all security breaches occur because of inadequately patched systems. Technicians must:

• Subscribe to the UISO Bulletins mailing list service. (See KB document, "View UISO IT security bulletins")
• Subscribe to vendor and industry security alert services for technologies supported
• Apply relevant security patches promptly
• Where patches cannot be applied because they will negatively affect critical operations, institute mitigating safeguards (either at host-level or at network-level) to minimize the risk caused by the particular flaw

Online criminals use readily available automated reconnaissance tools to scan entire networks for vulnerable systems and services. These scans occur daily and originate from network addresses throughout the world. Your IT systems are probed several times a day by these criminals. To ensure that you know as much about your systems as your adversaries, technicians should:

• Scan systems using the UISO vulnerability scanners
• Regularly, at least every 30 days to ensure new vulnerabilities are identified promptly
• Immediately after installation/configuration of a new system is completed
• Immediately after introduction of a new operating system or an upgrade to a current operating system
• Immediately after installation or upgrade of networking or other system software

Repairs of identified vulnerabilities must be handled commensurate with the level of risk involved:

• For vulnerabilities posing a high risk of intrusion or compromise, mitigation should be accomplished within 24 hours
• For medium-risk vulnerabilities, 48 hours.
• For low-risk vulnerabilities, 72 hours.

Where identified vulnerabilities cannot be fixed because they will negatively affect critical operations, mitigating safeguards (either at host-level or at network component-level) must be implemented to minimize the risk caused by the particular flaw.

Consider scanning and securing a single machine and then using a disk imaging utility to copy that secure image to other machines. This process is helpful when deploying similarly configured machines that are purchased as part of the equipment life-cycle replacement process.

Viruses represent a significant threat to the security of university systems. Malware has been developed that can:

• record all keystrokes (usernames and passphrases, institutional data, etc.) entered by a user
• initiate Distributed Denial of Service (DDoS) attacks against sites on the Internet
• inflict significant damage to the infected computer etc.

To combat the threat of viruses, technicians should:

• Install anti-virus software to protect servers and workstations
• Employ a managed installation to maintain better control over installed anti-virus clients
• Update virus pattern files daily or schedule automatic updates to get new patterns when they are released

All services and software installed on a system serve as possible entry points for criminals. For this reason, technicians should:

• Evaluate all services and programs running on systems
• Remove those that are not absolutely required
• Consult other security guides and documents available on this site for assistance

New security vulnerabilities, exploits, and issues are discovered daily. To stay informed of these newly discovered issues as well as older ones, technicians should routinely monitor the security news feed and other resources identified in the KB document, "View UISO IT security bulletins".

Unencrypted data, whether it's stored in a file or transmitted across the network, is vulnerable to disclosure. Protect it using techniques from our Data Encryption page.

Communication protocols such as HTTP and FTP transmit information across the network in clear text, making it possible for attackers to intercept network transmissions. See Transferring Data Securely and Using SSH for information on software that uses strong cryptography to protect data.

Access to University systems and data should only be provided to those who legitimately require it. In providing this access, adequate procedures should be followed to ensure that university policy and guidelines are adhered to. Managers and technicians should:

• Provide access to only those persons who are eligible to use university technology resources
• Require all users to be identified and authenticated before access is allowed (i.e., no guest access and no shared accounts unless absolutely necessary)
• Grant access only to authorized individuals and only to those services they need to do their jobs
• Avoid group accounts
• Use different passwords for privileged accounts (e.g., root, administrator) on various systems being maintained by the same technicians
• Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities

Inadequate password procedures are a common source of system and account intrusions. Technicians should:

• Require passwords for all accounts and, if technically possible, require strong passwords and passphrases, initially and each time the password expires
• Implement a system preventing re-usable passwords from being sent over the network in clear-text
• Where technically possible, eliminate the storage of passwords on systems, instead using Kerberos, NTLMv2, or CAS.
• Remind users that passwords should not be shared with anyone, including friends, roommates, co-workers, supervisors, technicians, etc.
• Do not allow web browsers and other applications to "remember" user passwords.

System logs are critical for troubleshooting. They also play a key role in detecting intrusion attempts and performing forensics on a compromised machine. To ensure that adequate logs are maintained, technicians should:

• Review successful logins, including the locations from which the logins originated
• Review unsuccessful logins, including the locations from which the attempts originated
• Review unsuccessful file accesses
• Review the use of administrative privileges with operating system settings or tools such as sudo
• Maintain logs for other services, such as web servers and web applications
• Ensure all logs are routinely backed up, preferably nightly
• Keep logs for at least 30 days, but no longer than 60 days

System backups are important in recovering from a system compromise. In addition, they provide key timing information when performing forensics on a compromised machine. See our article on Backing Up Data for more information.

Physical protection of IT systems is an often overlooked but critical component to any IT security plan. Someone having physical access to your machines, could bypass most of the logical safeguards described elsewhere in this document. Technicians should:

• Restrict physical access to all servers
• Provide appropriate climate control for all critical servers
• Consider UITS' Intelligent Infrastructure for all servers

To reduce our exposure to external attack, technicians should, where feasible, restrict access to IT resources so that only IU network addresses can connect.

All traces of personal and business data should be securely removed from storage media (e.g., hard drives, floppy disks) before reassigning the equipment or sending the equipment to surplus.

*Attention:* Deleting files and reformatting a hard drive does not remove the data stored on the hard drive. To securely remove all remnants of data, technicians should review and understand the alternatives described in the Securely Removing Data guide.

To respond adequately to successful or attempted security incidents at the university, managers and technicians should immediately report such events to the UISO. Upon receiving a report of a successful breach, the UISO will:

• Minimally, file the report for future reference
• Ensure all logs and other information are protected from loss or damage
• Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information
• Report the situation to the Chief Information Security and Policy Officers, and, if circumstances dictate, to the Vice President for Information Technology and Chief Information Officer (VPIT/CIO)
• Assign the incident to a security analyst or engineer within the UISO
• Provide advice or comment to the functional unit technician as necessary
• Warn other Indiana University technicians if the situation may also impact other university systems
• Consult with functional unit technicians and management, University Counsel, law enforcement, and other agencies as required
• Perform or assist in any subsequent investigation and/or perform computer forensics