New Security Requirements for All Networked Computers
Our ever-greater reliance on the Internet has been accompanied by an enormous increase in the number and frequency of malicious computer viruses and worms: Last Fall's series of virus and worm attacks is something most of us still vividly recall. While the introduction of PennKey authentication and the implementation of email security enhancements such as spam and virus filtering and password encryption have reduced risk, they are only pieces of a more comprehensive security strategy. This Fall, the University is taking a further step to ensure the integrity of our network by focusing on securing personal desktops.
To protect individual computers and data as well as the network, the University is requiring the adoption of several security practices detailed in "Stay a Step Ahead." In support of this behavioral strategy, a new computing security policy has been promulgated, and ISC has introduced Software Update Service or SUS, a subscription service that automatically downloads and installs Windows XP and 2000 security patches.
PennNet Computer Security Policy
ISC, School management, and School IT leaders have built a campus-wide consensus on the basic steps that must be taken to secure every computer connected to PennNet. Under the aegis of Penn's Network Policy Committee and IT Roundtable, a policy was drafted earlier in the year and circulated broadly for comment and review. The new "PennNet Computer Security Policy," prescribing the measures that must be taken to properly secure all campus computers, was subsequently published in Almanac on July 13, 2004.
The measures mandated by the policy are:
Security patches to operating systems must be applied promptly. Experience shows that fully patched systems are rarely, if ever, compromised by computer worms.
Up-to-date antivirus software must be installed and maintained.
Passwords protecting remote access to computers must be sufficiently complex to withstand automated password-guessing attacks.
To facilitate compliance with the security patching provision of the policy, ISC has launched an on-campus Microsoft Software Update Services (SUS) server. Windows XP and 2000 computers configured to connect to ISC's SUS server will download and install critical updates (but not Service Packs) within two days of their release from Microsoft. The service works from anywhere on or off campus, and requires a live Internet connection.
Many departments across campus already have similar strategies in place to effectively patch faculty and staff computers. However, departments wanting to participate in this service may register faculty and administrative users for an annual cost-recovery fee of $3 per computer. For information, please speak to your Local Support Provider. All students are eligible to use SUS without registration. More information about SUS, including an FAQ, can be found at www.upenn.edu/computing/sus/.
Conclusion/Next Steps in Security
Because the threats to the availability and integrity of Penn computers and networks are constantly evolving, security is an ongoing task. We believe that the most effective way to avoid harmful computer security incidents is to prevent them in the first place, but the simple fact is that no economical solution will be 100% effective. Our next layer of defense is improving our capability to quickly detect problems before they develop the potential to cause significant problems. Expect to see additional policy and technical measures announced in the near future as part of our key strategies of prevention, detection, and response.
—Robin Beck, Vice President, Information Systems & Computing
Stay A Step Ahead: Four Practices that Work Together to Secure your PC
Why risk data loss, a corrupted system that needs to be rebuilt, or disconnection from the Internet until your system has been cleaned up and secured against future compromise? Four easy-to-implement security practices will protect your system and data and prevent your computer from spreading worms or viruses to other Internet users.
Because procedures vary across the University, it's important to consult your Local Support Provider (LSP), Information Technology Advisor (ITA), or School/unit web site for specifics pertaining to your environment. Many departments across campus have effective strategies in place to meet Penn's security requirements and may already have implemented the proper protections on departmental machines. If you don't know whom to ask for advice, check www.upenn.edu/computing/view/support/. And remember: good security practices apply to home computers as well.
1. Installing and regularly updating antivirus software
Antivirus software detects and eliminates computer viruses, which are commonly spread via infected files attached to email or shared by some other means. Penn's supported antivirus software for Macintosh and Windows, configured for automatic updates from the vendor's site, is available, together with instructions, at www.upenn.edu/computing/product/desk/nav.html or on the 2004 PennConnect CD. Because of the large volume of virus activity targeting Windows computers, Windows antivirus software is configured for daily updates to prevent infection by newly released viruses. Macintosh antivirus software is configured for weekly updates.
2. Applying security patches to your operating system promptly
Antivirus software alone doesn't protect your computer from malicious activity. Equally important are security patches, which "plug" security holes in your computer's operating system to prevent infection by Internet worms. Worms are malicious programs that hijack your hard drive and allow spammers to use your computer to cover their tracks. Worm-infected systems usually need to be rebuilt, and that means you'll be unable to use your computer for hours, or even days, while that is done.
Patches are available online for Windows XP, Windows 2000, Macintosh OS X, and Macintosh OS 9. Owners of older, unsupported systems such as Windows 98 and Macintosh OS 8 can still find basic information about securing their systems at www.upenn.edu/computing/security/oldos.html.
3. Assigning a strong administrative password to your computer
Newer computers running Windows XP, Windows 2000, and Mac OS X allow you to assign an administrative password, another method of preventing infection by worms and viruses. Because worms and viruses often carry their own password-guessing dictionaries to gain access to your computer, it's important to choose a "strong" or complex password that can withstand automated password-guessing attempts. "Weak" passwords, such as those based on your name or on words that appear in language or specialized dictionaries, can be easily cracked and offer little protection. Penn's password guidelines can be found at www.upenn.edu/computing/email/pswd_guide.html.
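The checks below illustrate the guidance above in code: a password that looks complex by character-class counting can still be a dictionary word or a personal detail in disguise, which is exactly what automated guessers try first. This is an added example, not Penn's password tooling; the word list, the leet table and the sample owner details are constructed for illustration.

```python
"""Checks mirroring practice 3: a password must not be a dictionary word or
personal detail that an automated guesser can reach, even when disguised.
Constructed example; not Penn's password tooling."""
import re

# Constructed stand-in for the word lists a password-guessing worm carries;
# a real cracker loads hundreds of thousands of entries.
DICTIONARY = {"password", "welcome", "letmein", "admin", "football",
              "quaker", "september", "almanac"}

# Symbol/digit-for-letter swaps that guessers undo before a dictionary lookup.
LEET = str.maketrans("4301$@5", "aeolsas")

def normalize(pw: str) -> str:
    """Reduce a disguised word to its dictionary form:
    drop a trailing run of digits/symbols, lower-case, undo leet swaps."""
    return re.sub(r"[^A-Za-z]+$", "", pw).lower().translate(LEET)

def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, symbol appear."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))

def weaknesses(pw: str, personal: tuple = ()) -> list:
    """Reasons the password would fall to automated guessing; [] if none fired.
    `personal` holds names or other details about the owner (constructed)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if normalize(pw) in DICTIONARY:
        reasons.append("dictionary word after undoing common substitutions")
    for item in personal:
        if len(item) >= 3 and item.lower() in pw.lower():
            reasons.append(f"contains personal detail {item!r}")
    if character_classes(pw) < 3:
        reasons.append("fewer than 3 character classes")
    return reasons

def brute_force_guesses(pw: str) -> int:
    """Search space an exhaustive guesser faces: charset size ** length.
    Large here does not mean safe if weaknesses() found a dictionary basis."""
    charset = sum(size for p, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                       (r"\d", 10), (r"[^A-Za-z0-9]", 33))
                  if re.search(p, pw))
    return charset ** len(pw)

if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Jordan2004!", "xT7#q9Lm!vR2"):
        print(pw, brute_force_guesses(pw), weaknesses(pw, ("Jordan", "Lee")))
```

Note that "P@ssw0rd!" scores a 95^9 brute-force space yet is flagged, because a guesser reaches it through its dictionary, not by exhaustive search.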
4. Activating your system's firewall—subject to your LSP's recommendation
Windows XP and Macintosh OS X have built-in firewall capability, which provides a supplementary level of security. If you forget to apply a security patch, the firewall will likely prevent infection by a worm trying to exploit the security hole the patch was designed to close.
Firewalls may, however, interfere with certain operations, such as file and print sharing. Please consult with your support provider as a first step if you encounter a problem. Windows XP users can also refer to www.microsoft.com/athome/security/protect/ports.mspx for Microsoft's solutions. The Macintosh OS X firewall is a more sophisticated implementation that is configured by default to avoid most problems.
Win an iPod! Visit www.upenn.edu/computing/security by September 12 for your chance to win one of several prizes, including an Apple iPod. Have your PennKey and password handy to take a quick, three-question quiz testing your security savvy.
Almanac, Vol. 51, No. 2, September 7, 2004