Information Security Awareness

Presentation on theme: "Information Security Awareness"— Presentation transcript:

1 Information Security Awareness
Systems Administrators

2 Why Us?
- Institutions of Higher Education are far more tantalizing targets
- Exploit vulnerabilities and weaknesses
- Publicity/recognition for hacking
- Profitability a key motivator
- The threat from within
*Over 44% of incidents in 2007 targeted Education and Government (per Web Application Security Consortium)

3 Roles and Responsibilities
- Strong Passwords
- Data Backups
- Physical Security
- Daily Log Reviews
- Software Licensing
- User Access
- P2P File Sharing
- Avoid Disclosure/Compromise

4 Minimum Security Standards for Systems – Backups (Cat I)
- Establish/follow regular system backups
- Monthly verification of backups through customer/trial restores
- System administrator must maintain documented restoration procedures for systems and the data on those systems

5 Minimum Security Standards for Systems – Change Mgmt (Cat I)
- System configuration/documented change control process
- Evaluation of system changes prior to application in the production environment
  - test patches
  - if there is no test environment, communicate to the data customer
  - communicate changes in the environment due to patches

6 Minimum Security Standards for Systems – Virus Protection (Cat I)
- Install & enable antivirus software
- Anti-spyware software recommended if the system is used for browsing
- Must be configured to update daily
- Maintain/make available a description of the standard configuration of antivirus software

7 Minimum Security Standards for Systems – Physical Access (Cat I)
- Physically secure systems in racks/areas with restricted access
- Physically secure portable devices if left unattended
- Secure backup media from unauthorized physical access
- Encrypt backup media if stored off-site, OR document a process to prevent unauthorized access

8 Minimum Security Standards for Systems – Hardening Checklist
- System is set up in a protected network environment
- Install OS and application services security patches expediently
- Enable automatic notification of new patches
- Disable/uninstall services/apps/user accounts not being used

9 Hardening Checklist (continued)
- Limit connections to services running on the host to authorized users only
- Encrypt communications & storage of services/apps for systems using Cat I data (confidentiality, integrity, availability)
- Integrity checks of critical OS files & system accounts (user least privilege)
- University warning banner required
- Use of strong passwords
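The backup standard on slide 4 (monthly trial restores) and the hardening item above (integrity checks of critical OS files) both come down to the same mechanic: hash every file under a tree, then compare two manifests. The following script is an added example written for this page, not code from the slides or from the university's ISO. It builds a small constructed sample tree in a temporary directory, backs it up to a tar archive, restores it elsewhere and proves the restore is byte-for-byte complete; it then takes that manifest as a file-integrity baseline and reports what changed after a simulated tampering (an altered sshd_config, a dropped web shell, a deleted passwd). File names and contents are assumptions for the demo only.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed sample tree for the demonstration (not from the original slides).
SAMPLE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "var/www/index.html": b"<html>hello</html>\n",
}


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(baseline, current):
    """Report files that changed, disappeared, or appeared relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write_sample_tree(root, files=SAMPLE_FILES):
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def trial_restore(source_root):
    """Back up source_root to a tar archive, restore it into a scratch directory and
    return compare() of the two manifests; three empty lists mean the restore is verified."""
    with tempfile.TemporaryDirectory() as scratch:
        archive = os.path.join(scratch, "backup.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source_root, arcname=".")
        restored = os.path.join(scratch, "restored")
        os.makedirs(restored)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(restored)  # archive we just wrote ourselves, so it is trusted
        return compare(manifest(source_root), manifest(restored))


def demo():
    """Run both uses of the manifest: backup verification, then integrity checking."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        restore_report = trial_restore(root)  # slide 4: trial restore
        baseline = manifest(root)             # slide 9: integrity baseline
        # Simulated tampering: sshd_config altered, a web shell dropped, passwd removed.
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        with open(os.path.join(root, "var/www/shell.php"), "wb") as f:
            f.write(b"<?php system($_GET['c']); ?>")
        os.remove(os.path.join(root, "etc/passwd"))
        fim_report = compare(baseline, manifest(root))
        return restore_report, fim_report


if __name__ == "__main__":
    restore, fim = demo()
    print("restore verified:", not any(restore.values()))
    print("integrity report:", fim)
```

In production the baseline manifest must itself be stored somewhere the monitored host cannot rewrite (write-once media or a separate log host), otherwise an attacker who alters a file can re-baseline it too; the same applies to the restore test, which should be run from the off-site copy, not the copy still sitting on the production system.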

10 Minimum Security Standards for Systems – Security Monitoring
- Enable and test log activities
- Document and routinely monitor/analyze OS/service logs
- Follow a documented backup strategy for security logs (e.g., account management, access control, data integrity, etc.)
- Retain security logs 14 days minimum
- Admin/root access must be logged
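"Routinely monitor/analyze OS logs" and "admin/root access must be logged" only pay off if someone actually looks for the events that matter. The following detector is an added example for this page, not code from the slides; it runs over a constructed set of syslog-style auth log lines (the hosts, users and addresses are invented) and pulls out three things a daily log review should surface: every acquisition of root (sudo, su, or an SSH login as root), sources that fail logins more than a threshold number of times, and the worst case of a source that was brute-forcing and then got in. The log formats are the common OpenSSH/sudo/su ones; the threshold of 5 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log (hosts, users and IPs invented for the demo, not real data).
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:01 web01 sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:12:09 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 08:15:40 web01 sshd[2042]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar  3 08:15:43 web01 sshd[2042]: Failed password for root from 203.0.113.9 port 40112 ssh2
Mar  3 08:15:47 web01 sshd[2042]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Mar  3 08:15:52 web01 sshd[2042]: Failed password for invalid user oracle from 203.0.113.9 port 40114 ssh2
Mar  3 08:15:58 web01 sshd[2042]: Failed password for root from 203.0.113.9 port 40115 ssh2
Mar  3 08:16:05 web01 sshd[2042]: Failed password for root from 203.0.113.9 port 40116 ssh2
Mar  3 08:20:13 web01 su[2101]: (to root) bob on pts/1
Mar  3 08:21:00 web01 sshd[2120]: Accepted password for root from 203.0.113.9 port 40120 ssh2
Mar  3 09:01:15 web01 sshd[2200]: Failed password for carol from 10.0.0.7 port 50001 ssh2
"""

FAILED_LOGIN_THRESHOLD = 5  # assumption for the demo; tune to the host's normal traffic

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<user>\S+) on")
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_line(line):
    """Turn one auth log line into an event dict, or None if it is not an event we track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, rest = m.group("ts"), m.group("rest")
    s = SUDO_RE.search(rest)
    if s:
        return {"ts": ts, "kind": "sudo", "user": s["user"], "target": s["target"], "detail": s["cmd"]}
    s = SU_RE.search(rest)
    if s:
        return {"ts": ts, "kind": "su", "user": s["user"], "target": s["target"], "detail": ""}
    s = SSH_RE.search(rest)
    if s:
        return {"ts": ts, "kind": "ssh", "user": s["user"], "target": s["user"],
                "ok": s["result"] == "Accepted", "ip": s["ip"], "detail": s["method"]}
    return None


def analyze(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Summarize privileged access, failed-login sources and successes after brute force."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    privileged = []
    failed_by_ip = Counter()
    accepted_ips = defaultdict(list)
    for e in events:
        if e["kind"] in ("sudo", "su") and e["target"] == "root":
            privileged.append(e)
        elif e["kind"] == "ssh":
            if e["ok"]:
                accepted_ips[e["ip"]].append(e["user"])
                if e["user"] == "root":
                    privileged.append(e)
            else:
                failed_by_ip[e["ip"]] += 1
    brute_force = sorted(ip for ip, n in failed_by_ip.items() if n >= threshold)
    success_after = sorted(ip for ip in brute_force if ip in accepted_ips)
    return {
        "privileged": privileged,
        "failed_by_ip": dict(failed_by_ip),
        "brute_force": brute_force,
        "success_after_bruteforce": success_after,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for e in report["privileged"]:
        print(f"{e['ts']} ROOT ACCESS via {e['kind']:<4} by {e['user']:<6} {e['detail']}")
    print("brute-force sources:", report["brute_force"])
    print("ALERT, success after brute force:", report["success_after_bruteforce"])
```

The last category is the one worth paging on: a single "Accepted password for root" after a run of failures from the same address means the 14-day retention window is now the only thing between you and a forensic dead end, so ship logs off the host before an intruder with root can truncate them.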

11 Minimum Security Standards for Systems
For more information please visit the Information Security Office website at admin.utep.edu/securityawareness

12 Password Security
- At least 17 characters in length
- Do not share or disclose
- Use complex passwords or passphrases containing letters, numbers and special characters
- Change at least every 6 months, or sooner if a compromise is suspected
- Change any time a team member leaves
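A policy is only enforced where passwords are set, so the rules above are worth encoding as a check. The validator below is an added example for this page, not the university's actual password filter. It implements the slide's length and character-class rules and adds one check the slide does not mention, rejecting a password that embeds the account name, which is an assumption of good practice rather than something the slide states. The sample passwords are constructed.

```python
import string

MIN_LENGTH = 17                        # from the slide
SPECIAL = set(string.punctuation + " ")  # spaces count, so passphrases can satisfy this rule


def password_problems(password, username=None):
    """Return the list of policy rules the password violates; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIAL for c in password):
        problems.append("no special characters")
    # Added beyond the slide: a password containing the account name is trivially guessed.
    if username and len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def is_acceptable(password, username=None):
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed samples: a classic "complex" short password, a plain passphrase,
    # a passphrase that meets every rule, and one that embeds the account name.
    for pw, user in [("Tr0ub4dor&3", None),
                     ("correct horse battery staple", None),
                     ("Purple-Llama!Sings@2024", "alice"),
                     ("jsmith-rocks-the-server-2024!", "jsmith")]:
        print(f"{pw!r:35} -> {password_problems(pw, user) or 'OK'}")
```

Note that the second sample fails only on "no digits": a 28-character passphrase is far harder to guess than the 11-character "complex" one, which is why the slide allows passphrases and why length is the first rule checked.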

13 Safe Practices
- Browsing and downloading
- Privacy
- Misuse of domain credentials
- Remote access
- New users and folder shares
- Disable "Remember Password" features
- Report suspected compromise of account(s) or password(s) to the ISO

14 Safe Practices (cont)
- Antivirus – run weekly scans
- User Access – check for appropriate approvals
- Disaster Recovery
- Business Continuity
- Don't give away the "Keys to the Kingdom"
*Use of SQL Injection was 20% in 2007 (according to Web Application Security Consortium)
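The SQL injection figure above is the clearest case of handing over the keys to the kingdom, so here is the mechanism and its fix side by side. This is an added example for this page, not code from the slides: an in-memory SQLite table of constructed users, a login query built by string formatting that an attacker can rewrite, and the same query parameterized so user input can never become SQL.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (a real system stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash_of_alice_pw", "admin"),
        ("bob", "hash_of_bob_pw", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: the values are pasted into the SQL text, so quotes in them change the query."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash))
    return conn.execute(query).fetchone()


def login_safe(conn, username, password_hash):
    """Hardened: the driver binds the values separately; they are data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Comment injection: the -- turns the password check into a comment.
    print("vulnerable, 'alice' --   :", login_vulnerable(conn, "alice' --", "wrong"))
    print("safe,       'alice' --   :", login_safe(conn, "alice' --", "wrong"))
    # Tautology in the password field: ... AND password_hash = '' OR '1'='1'
    print("vulnerable, ' OR '1'='1  :", login_vulnerable(conn, "nobody", "' OR '1'='1"))
    print("safe,       ' OR '1'='1  :", login_safe(conn, "nobody", "' OR '1'='1"))
    print("safe, real credentials   :", login_safe(conn, "alice", "hash_of_alice_pw"))
```

The vulnerable function returns the admin row for both payloads without the attacker knowing any password; the parameterized one returns nothing for either. Escaping quotes by hand is not an acceptable substitute, because the escaping rules differ per database and per context; use bound parameters everywhere, and give the application's database account only the rights it needs so that even a successful injection cannot reach the whole kingdom.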

15 Statistics
Attack Goal                        %
Stealing Sensitive Information    42%
Defacement                        23%
Planting Malware                  15%
Unknown                            8%
Deceit                             3%
Blackmail                          3%
Link Spam                          3%
Worm                               1%
Phishing                           1%
Information Warfare                1%
Source: The Web Hacking Incidents Database 2007 Annual Report, prepared by Ofer Shezaf and the Breach Security Labs team

16 Questions & Answers Information Security Office web page
2007 Statistics: from Web Application Security Consortium

