Best Practices For Securing IT Resources

This material is meant as a guide for department administrators and technicians working to minimize the chance of an IT security breach on Indiana University computer systems, telecommunications, or other information technology systems. This document is not meant to be comprehensive -- there are other resources and actions administrators and technicians must take to maximize the appropriate protections afforded to these IT systems.

Document and understand the local technical environment

Each organizational unit of Indiana University must create and maintain documents describing the systems that are hosting functions and databases that support their local operations. Technicians assigned to systems supporting critical applications and/or hosting sensitive data can't begin to protect those systems or data without first knowing what technologies they have deployed, how they are interconnected and how they communicate. In order for senior department managers and technicians to assess risks associated with their operation, and to allocate appropriate resources to mitigate those risks, they must collect and maintain information about their technical environment, including information concerning: Computer systems by IP and name (DNS and NetBIOS) Operating systems Operating systems version and patch level Services active on each computer File Transfer Protocol (FTP) servers Telnet servers Web servers File servers Mail servers Applications software Anti-virus Email Local department applications Database Management Systems (DBMS) MS-Access SQL Server Sybase Oracle Extensions to the local network segment Hubs Switches Active/always-on modems RAS and other remote access services Virtual Private Network (VPN) services Wireless access points Public access terminals and workstations

Here's an Example Technical Architecture Document for your reference.

Provide technicians adequate resources to enable them to secure IT resources

It is extremely important that technicians be provided adequate resources to secure the IT systems that they maintain. Incorrect system configuration settings by insufficiently trained and/or over-extended technicians will lead to breaches of security. Managers should provide technicians: ample time to spend on securing systems ample time to spend on responding to security incidents ample training on the technologies that they support necessary staffing to ensure adequate coverage for all systems

Apply vendor-supplied fixes necessary to repair security vulnerabilities

It is imperative that vendor-supplied security fixes (patches) be applied to protect against system compromise. Almost all security breaches occur because of inadequately patched systems. Technicians must: subscribe to the UISO Bulletins mailing list service. subscribe to vendor and industry security alert services for technologies supported. apply relevant security patches promptly. where patches cannot be applied because they will negatively affect critical operations, mitigating controls (either at host-level or at network-level) must be installed in order to minimize the risk caused by the particular flaw.

Scan computers for security vulnerabilities using available technical tools

Crackers use readily available automated scanners to scan entire networks for vulnerable systems and services. These scans, often referred to as probes, occur daily and originate from network addresses throughout the world. It is a fact that your IT systems are probed several times a day by these crackers. To ensure that you know as much about your systems as these miscreants, technicians should: scan systems using the UISO External System Scanner regularly, at least every 30 days to ensure new vulnerabilities are identified promptly immediately after installation/configuration of a new system is completed immediately after introduction of a new operating system or an upgrade to a current operating system immediately after installation or upgrade of networking or other system software Repairs of identified vulnerabilities must be handled commensurate with the level of risk involved: For problems that pose a high risk for intrusion or compromise, repairs should be accomplished with 24 hours. For problems that pose a medium risk for intrusion or compromise, should be accomplished with 48 hours. For problems that pose a low risk for intrusion or compromise, repairs should be accomplished with 72 hours. Where identified vulnerabilities cannot be repaired because they will negatively affect critical operations, mitigating controls (either at host-level or at network component-level) must be

installed in order to minimize the risk caused by the particular flaw. Consider scanning and securing a single machine and then using a disk imaging utility (like Norton's Ghost product) to copy that secure image to other machines. This process is extremely helpful when deploying similarly configured machines that are purchased as part of the equipment life-cycle replacement process.

Install and maintain anti-virus software

Viruses represent a significant threat to the security of University systems. Malware has been developed that can: record all keystrokes (usernames and passwords, institutional data, etc.) entered by a user, initiate Distributed Denial of Service (DDoS) attacks against sites on the Internet, and even inflict significant damage to the infected computer. Worms (similar to ILOVEYOU and Melissa) use email quite effectively to carry their damaging payloads. To combat the threat of viruses, technicians should: Install Symantec's Norton AntiVirus (NAV) software to protect servers and workstations. Install NAV Corporate Edition in a managed installation to maintain better control over installed NAV clients. Install server-based anti-virus software to protect e-mail systems. Update virus pattern files daily or schedule automatic updates to get new patterns when they are released. Subscribe to the UISO VIRUS-L discussion list.

Remove unneeded services and software

All services and software installed on a system serve as possible entry points for crackers. For this reason, technicians should: Evaluate all services and programs running on systems. Remove those that are not absolutely required. Install workstation versions of operating systems (e.g., Windows Vista) instead of server versions (e.g., Windows 2003 Server) when possible. Server-based operating systems install numerous services that are not required for normal desktop computers. Consult security guides and documents available in the Guides for Sysadmins section of the UISO web site for assistance.

Stay abreast of technology security issues

New security vulnerabilities, exploits, and issues are discovered daily. To stay informed of these newly discovered issues as well as older ones, technicians should: Routinely monitor the UISO web site, especially the UISO Bulletins, Guides for Everyone, External Advisories, and Further Reading. Monitor other security discussion lists: NTBugTraq BugTraq

Encrypt sensitive data where possible

Unencrypted data, whether it be stored in a file or transmitted across the network, is vulnerable to

disclosure. There are several technologies that can be used to protect sensitive data: Technicians and data users must encrypt sensitive data where the application or process can support it. PGP can be used to encrypt standalone files as well as e-mail communications. SSL is a method used to protect data passed between a web browser and web server. An SSL certificate should be installed on any web server that: Displays or collects sensitive institutional and/or personal data Performs username and password authentication SSH is a replacement for insecure protocols such as TELNET and FTP. It uses strong cryptography to protect the data transferred between a client and a server. See SSH Installation and Use for additional information. For a broader discussion of secure data transmission, see Secure File Transfer Alternatives.

Replace insecure software and systems with secure alternatives

Communication protocols such as TELNET and FTP transmit information across the network in clear text, making it possible for attackers to intercept network transmissions. In addition, certain operating systems (e.g., Windows 95, 98, and ME) are not designed with enterprise level security controls in place. To help eliminate such insecure technologies at the University, technicians should: Use SSH instead of technologies like TELNET, FTP, rsh, rlogin, rcp, etc. Additional information on SSH can be found in our SSH Installation and Use article. Use scp (Secure CoPy) and sftp (Secure FTP) instead of FTP. Both of these programs come with SSH. Use Kerberos-aware services (e.g., Kerberized TELNET) where possible and use the UISO's centralized Kerberos Key Distribution Centers (KDCs) for account authentication. Additional information on Kerberos can be found in the IU Knowledge Base article What is Kerberos?. Do not store institutional data on computers that also run web servers, FTP servers, or end-user workstations. If institutional data is stored on file servers, consider using secure communications to access or protect that data (e.g., IPsec, SSH, PGP).

Follow adequate procedures for user accounts and access

Access to University systems and data should only be provided to those who legitimately require it. In providing this access, adequate procedures should be followed to ensure that university policy and guidelines are adhered to. Managers and technicians should: Provide access to only those persons who are otherwise eligible to use university technology resources. Require all users to be identified and authenticated before access is allowed (i.e., no guest access, no shared accounts, unless absolutely necessary). Limit access to needed services to only authorized persons. Assign accounts only to individuals (i.e., don't use group accounts). Use different passwords for privileged accounts (e.g., root, administrator) on various systems being maintained by the same technicians. Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.

Follow adequate procedures for user passwords

Inadequate password procedures are a common source of system and account intrusions. Technicians should: Ensure that all accounts require a password and that, if technically possible, there are automatic routines (dictionaries, pattern enforcers, etc.) that force the user to choose a good password initially and each time the password expires. Implement a system such that all re-usable passwords are not sent over the network in cleartext. Eliminate the storage of passwords on systems where feasible. Alternatives include Kerberized services or SSH with PAM support. Both can be configured to use use the UISO's Kerberos KDCs to validate authentication data. Remind users that passwords should not be shared with anyone, including friends, roommates, co-workers, supervisors, technicians, etc.. Do not allow web browsers and other applications to "remember" user passwords.

Maintain adequate system logs

System logs are critical in performing troubleshooting. They also play a key role in detecting intrusion attempts and performing forensics on a compromised machine. To ensure that adequate logs are maintained, technicians should: Audit successful logins, including the location from which the logins originated. Audit unsuccessful logins, including the location from which the attempts originated. Audit unsuccessful file accesses. Audit the use of administrative privileges with operating system settings or tools such as sudo. Maintain logs for other services, such as httpd and syslog logs. Ensure that all logs are routinely backed up, preferably each night. Keep logs for at least 30 days, but no longer than 60 days.

Maintain adequate system backups

System backups are important in recovering from a system compromise. In addition, they provide key timing information when performing forensics on a compromised machine. Technicians should ensure that all critical servers are routinely backed up.

Provide adequate physical protection

Physical protection of IT systems is an often overlooked but critical component to any IT security plan. If someone has physical access to your machines, (s)he would have the ability to bypass most logical protection methods described elsewhere in this document. Technicians should: Ensure that physical access to all critical servers is restricted. Provide adequate climate control for all critical servers.

Limit access to IT resources to local network addresses where possible

In order to reduce our exposure to outside cracking attempts, technicians should, where feasible, restrict access to IT resources so that only IU network addresses can connect. TCP Wrappers is an

example of a product that provides such features.

Securely remove data from storage media

All traces of personal and business data should be securely removed from storage media (e.g., hard drives, floppy disks) before reassigning the equipment or before sending the equipment to surplus. Attention: Deleting files and reformatting a hard drive does not remove the data stored on the hard drive. To securely remove all remnants of data, technicians should review and understand the alternatives described in the Securely Removing Data guide.

Immediately report any successful or attempted security breach to the UISO

In order to adequately respond to successful or attempted security breaches at the university, managers and technicians should immediately report such events to the UISO. Upon receiving a report of a successful breach, the UISO will: Minimally, file the report for future reference. Ensure that all logs and other information are protected from loss or damage. Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information. Report the situation to the Chief Information Security and Policy Officers, and, if circumstances dictate, to the Vice President for Information Technology and Chief Information Officer (VPIT/CIO). Assign the incident to a security analyst or technician within the IT Security Office. Provide advice or comment to the functional unit technician as necessary. Warn other Indiana University technicians if it appears that the situation has the potential to affect other University systems as well. Consult with functional unit technicians and management, University Counsel, law enforcement, and other agencies as required. Perform or assist in any subsequent investigation and/or perform computer forensics.