Security Discussion IST Retreat June 2008


Page 1

Security Discussion

IST Retreat

June 2008

Page 2

IT Security Statement

definition

In the context of computer science, security is the prevention of, or protection against:

• access to information by unauthorized recipients, and

• intentional but unauthorized destruction or alteration of that information

terminology

• Confidentiality - Ensuring that information is not accessed by unauthorized persons

• Integrity - Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users

• Authentication - Ensuring that users are the persons they claim to be

Page 3

Components

Page 4

Some New(er) Concerns

• Privacy of Information (e.g. PIPEDA, Health Services)

• Electronic Commerce (e.g. donations)

• Hosted Applications (e.g. Patriot Act)

• Email and Phishing Scams

• Identity theft

Page 5

Top 7 (All Systems) - SANS

1. Default installs of operating systems and applications

2. Accounts with No Passwords or Weak Passwords

3. Non-existent or Incomplete Backups

4. Large number of open ports

5. Not filtering packets for correct incoming and outgoing addresses

6. Non-existent or incomplete logging

7. Vulnerable CGI Programs

Page 6

Top 10 - HIPAA

1. Firewall and System Probing

2. Network File Systems (NFS)

3. Electronic Mail Attacks

4. Vendor Default Password Attacks

5. Spoofing, Sniffing, Fragmentation and Splicing

6. Social Engineering Attacks

7. Easy-To-Guess Password Compromise

8. Destructive Computer Viruses

9. Prefix Scanning

10. Trojan Horses

Page 7

Recent Events

• C&PA - “events” application

• JobMine – resume

• PeopleSoft - URLs

• UW-ACE – “admin” privileges

Page 8

What We’re Doing – Part I

• security working group

• passkey depot

• server hardening and/or review

• anti-virus software distribution

• machine room firewall

• internal audits

• patches for server and desktop

Page 9

What We’re Doing – Part II

• campus advisories

• monitoring/scanning (ongoing, monthly)

• e-commerce verification

• external information (SANS, CERT)

• authorization/roles (ERP, SharePoint)

• wireless access (Minuwet)

• networks (residence)

Page 10

What We’re Doing – Part III

• certificates (Thawte)

• authentication (ADS, CAS)

• password rules and checks
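The SANS item "Accounts with No Passwords or Weak Passwords" (Page 5) and the "password rules and checks" bullet above describe a control without showing one. The following is an added example, not code from the deck or from IST: it flags shadow-format entries whose password field is empty and checks a proposed password against a simple rule set. The sample shadow lines, the rule thresholds and the short common-password list are all constructed assumptions.

```python
import re

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:...).
# Not real data. "!" or "*" in the hash field means a locked account, not a
# passwordless one, so "guest" below should NOT be flagged.
SAMPLE_SHADOW = """\
root:$6$abc$deadbeef:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
alice:$6$xyz$cafef00d:19000:0:99999:7:::
guest:!:19000:0:99999:7:::
"""

# Constructed, deliberately tiny list of commonly chosen passwords; a real
# check would consult a much larger breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "welcome", "letmein", "qwerty"}


def find_passwordless(shadow_text):
    """Return usernames whose password field is empty (login with no password)."""
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; skip rather than misreport
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            flagged.append(user)
    return flagged


def check_password_rules(password, username, min_len=12):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly chosen password")
    return problems


if __name__ == "__main__":
    print("accounts with no password:", find_passwordless(SAMPLE_SHADOW))
    print("rule check for 'password':", check_password_rules("password", "bob"))
```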

Page 11

Problems & Challenges – Part I

• Public security policy/statement for web sites

• Education & Training

• Reliance on vendors

• Keeping up to date on patches

• Laptops

Page 12

Problems & Challenges – Part II

• Web applications architecture

• “academic” & “computing” institution

• Increases in attacks, trends

Page 13

Physical Security

• Overlap with Key Control

• Hardcopy documents (internal, UW, academic)

• Overlap with Police Services (Emergency)

• IST and wired/physical security

Page 14

Moving Forward

• New roles for all?

• More external/outsource testing?

• Testing protocols for applications/services?

Page 15

Links

http://ist.uwaterloo.ca/security/

http://security.uwo.ca/

http://www.uoguelph.ca/ccs/security/index.shtml

http://www.wlu.ca/page.php?grp_id=47&p=1128

http://www.usask.ca/its/services/itsecurity/

http://www.cse-cst.gc.ca/training/

http://www.cert.org/

http://www.sans.org/

http://en.wikipedia.org/wiki/Security

Page 16

Discussion