Penn Computing


 

Friday, November 24, 2017

 

Information Security Standards

The Office of Information Security (OIS) has published several standards for common IT environments and scenarios encountered across the University.  These standards represent recommended minimum security controls, and are considered voluntary recommendations at this time.  Additionally, all listed controls are recommended to be implemented regardless of the sensitivity of the data on the machine, as these standards represent the minimum security posture.

You are encouraged to evaluate your environment to determine if it meets these recommendations, and to prioritize system implementation efforts by risk level.  As the field of Information Security is constantly evolving, these standards may be updated over time.

All of the recommendations will be considered for future inclusion in official University IT Policy.

 

If you have any questions regarding these standards, you may email OIS at security@isc.upenn.edu.

 

You may jump to a specific standard here:



Application Standards
Endpoint Standards
Server Standards
Logging Standards
Secure Disposal Standards

 

Application Standards

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Critical Components | If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning starting before rollout. For web applications, scan with a web application vulnerability scanner. | Critical Components: https://secure.www.upenn.edu/computing/security/internal/critcomp.php |
| | | WebInspect: http://www.upenn.edu/oacp/audit/audit101/it-controls.html#application-security |
| Secure Coding | Follow secure coding best practices, such as OWASP (for web applications), and implement an SDLC (Software Development Life Cycle) whenever possible. An SDLC should include regular regression testing, code review, security as a design requirement, and use of a framework. | OWASP (see Quick Download section): https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project |
| | | CERT (see coding standards for C, Android, C++, Java, and Perl): https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards |
| | | Join Developer SIG: https://secure.www.upenn.edu/computing/group/signup/index.html |
| | | Developer SIG Code Contributions: https://gitlab.com/groups/upenn-dev-sig |
| | | Developer SIG Slack Channel: https://upenn-dev-sig.slack.com |
| Sensitive Data | Consider your use of sensitive data - if you must store it, use encryption in transit and at rest. | Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html |
| | | Consult ISC Information Security (security@isc.upenn.edu) about alternatives to handling sensitive data. |
| Patching | Security patches must be applied on a timely basis. | Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html |
| | | University Computing Policies: http://www.upenn.edu/computing/policy/ |
| SPIA | Conduct SPIA (Security and Privacy Impact Assessment), including inventory of applications, libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed. | SPIA: http://www.upenn.edu/computing/security/spia/index.php |
| Account Review | Review accounts & privileges regularly. | PennGroups where possible, or equivalent control: http://www.upenn.edu/computing/penngroups/ |
| Credential Management | Follow secure password handling practices for passwords used by the application, and wherever possible, use campus authentication system for user passwords. | Strong password recommendations for PennKeys: https://weblogin.pennkey.upenn.edu/changepassword |
| | | Best Practices for passwords used by the application: https://secure.www.upenn.edu/computing/security/standards/app-password-best-practices-v2.rtf |
| | | Penn WebLogin: http://www.upenn.edu/computing/weblogin/ |
| | | Two-Step Verification with Duo: http://www.upenn.edu/computing/weblogin/two-step/duo.html |

 

 

 

 

Endpoint Standards

Definition: Any laptop, desktop or mobile operating system.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Security Patching | Apply security patches within seven days of being published. Use a supported OS version. | Penn Endpoint Management Service (PennEM): http://www.upenn.edu/computing/isc/lts/PennEM/index.html |
| | | Configure OS to perform automatic updates. |
| Whole Disk/Device Encryption | Run native encryption as available on newer devices. | InfoSec encryption recommendations: http://www.upenn.edu/computing/security/encrypt.php |
| Backups | Backup user data daily. | Secure Remote Backup: http://www.upenn.edu/computing/isc/lts/srb/srbfaq.html |
| Access Control | Always use a password or a PIN on the device. Set device to lock the screen automatically when not in use. | Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html |
| Malware Protection | Run antimalware/antivirus software. | Symantec Endpoint Protection: https://secure.www.upenn.edu/computing/resources/category/applications/article/symantec-endpoint-protection |
| Configuration Management | Use an endpoint management solution selected and supported at the school or center level. | IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html |
| Secure Deletion | Erase or destroy storage media before recycling or donating devices. | Secure Data Deletion: http://www.upenn.edu/computing/security/privacy/data_clear.php |

 

 

 

 

Server Standards

Definition: A server is defined as a host that provides a network accessible resource.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Physical security | Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible. | ISC Hosting: https://www.isc.upenn.edu/hosting |
| | | Facilities Managed Computing: https://www.mr.isc-seo.upenn.edu/Pages/FMComputing.aspx |
| Multi-Factor Login | Multi-factor authentication required when logging into servers with privileged account access. | Two-Step Verification with Duo: http://www.upenn.edu/computing/weblogin/two-step/duo.html |
| Patching | Patches to vulnerabilities applied promptly after they have been made available. | IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html |
| Credential management | Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied. | LastPass Premium at Penn: https://www.isc.upenn.edu/news-announcements/lastpass-premium-now-available-penn-community |
| Secure Disposal | Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal. | Secure Data Deletion: http://www.upenn.edu/computing/security/privacy/data_clear.php |
| Inventory | Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc). | IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html |
| | | Identity Finder: https://secure.www.upenn.edu/computing/resources/category/applications/article/identity-finder |
| Network firewall | Host-based network filtering (e.g. firewall) configured. Hardware firewall used wherever possible. | |
| Centralized logging | Security-relevant events, including privileged access, are logged to a separate system. | Security Logging Service: http://www.upenn.edu/computing/security/logging/ |
| Vulnerability management | Servers regularly scanned with a vulnerability scanner. Findings resolved as soon as is practicable. Continuous monitoring used wherever possible. | Nessus Vulnerability Scanner: http://www.upenn.edu/computing/security/scanner/ |
| SysAdmin Training | SAs trained with the tools and procedures required to implement the items listed in this standard. University policy, as well as prohibited behaviors covered. | |
| Host integrity | Host integrity maintained through some combination of antivirus, antimalware, rootkit detection, and file integrity monitoring, configured with external alerting whenever possible (see Centralized Logging). | OSSEC: https://ossec.github.io/ |
| Least privilege | Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges. | |

 

 

 

 

Logging Standards

Definition: If you have a need to log the security events taking place on one of your hosts, use these standards to determine what events to collect and how to collect them.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Storage | Move event logs off of the machine that generates them and onto a centralized storage solution on a regular basis. Restrict access to that storage solution and the event logs to just those with a need to review the event logs. | Splunk: http://www.upenn.edu/computing/splunk/ |
| | | EventSentry: www.eventsentry.com |
| | | Tripwire: www.tripwire.com |
| Retention | Conduct a risk analysis of your systems and their data, and choose a retention period that's right for you. Be aware that retaining too much data may put you at risk, and retaining too little data may be of insufficient utility for detecting problems. | |
| Ensure Events are Time-based | All logs compliant with these Standards will record the time at which an event transpired on a system. | PennNet NTP Service: http://www.upenn.edu/computing/ntp/ |
| Ensure Log Record Event Origin | All logs compliant with these Standards will record a host identifier (e.g. domain name, IP address) on which an event took place. | |
| Ensure User Events Record Account Name | All logs compliant with these Standards will record the system account name under which an event took place, where relevant. | |
| End-user workstation | At a minimum, log authentications (both local and remote). Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Server | At a minimum, log authentications (both local and remote) at the platform and to authenticated applications running on the server. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Hardware firewall | At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Other Devices | At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Establish Your Baseline | For each event type being logged, review your logs to determine what "normal" behavior looks like for your systems. Document this behavior as what you expect your systems to do. | |
| Monitor & Alert | Through manual or automated review, compare your system's event logs against your established baseline on a regular basis. Where behavior deviates from what you expect, investigate and remediate its cause. | Splunk: http://www.upenn.edu/computing/splunk/ |
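
One way to apply the record requirements (time, host identifier, account name) and the baseline and monitor steps above, as an added example that is not part of the Penn standards. The key names (`time`, `host`, `account`, `type`), the event-type labels and the sample records are assumptions constructed for illustration, and the account name is treated as always relevant because every sample is a user event.

```python
from collections import Counter
from datetime import datetime

# Fields the standard requires on every record (key names are assumed here).
REQUIRED_FIELDS = ("time", "host", "account")

# Constructed sample records: a known-good history and one day's new events.
HOST = "web01.example.edu"
HISTORY = [
    {"time": "2017-11-20T08:01:12-05:00", "host": HOST, "account": "alice", "type": "auth"},
    {"time": "2017-11-20T09:15:40-05:00", "host": HOST, "account": "alice", "type": "priv_escalation"},
    {"time": "2017-11-21T08:03:05-05:00", "host": HOST, "account": "bob", "type": "auth"},
]
TODAY = [
    {"time": "2017-11-22T08:00:31-05:00", "host": HOST, "account": "alice", "type": "auth"},
    {"time": "2017-11-22T02:47:09-05:00", "host": HOST, "account": "bob", "type": "priv_escalation"},
    {"time": "2017-11-22T02:48:10-05:00", "host": "", "account": "svc_new", "type": "account_create"},
    {"time": "yesterday", "host": HOST, "account": "alice", "type": "auth"},
]

def missing_fields(event):
    """Return required fields that are absent, empty, or (for time) unparseable."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if "time" not in missing:
        try:
            datetime.fromisoformat(event["time"])
        except (TypeError, ValueError):
            missing.append("time")
    return missing

def key(event):
    """Baseline key: which account did what kind of thing on which host."""
    return (event.get("type"), event["host"], event["account"])

def build_baseline(events):
    """Count each (type, host, account) combination seen in compliant history."""
    return Counter(key(e) for e in events if not missing_fields(e))

def review(events, baseline):
    """Return (reason, event) for non-compliant records and baseline deviations."""
    findings = []
    for e in events:
        gaps = missing_fields(e)
        if gaps:
            findings.append(("missing:" + ",".join(gaps), e))
        elif key(e) not in baseline:
            findings.append(("not-in-baseline", e))
    return findings
```

A deviation from the baseline is a prompt to investigate, not a verdict; once a new behavior is confirmed as expected, add it to the documented baseline.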

 

Secure Disposal Standards

Digital Media

Standard

Recommendation

Resource

Hard Drives

- If the hard drive is fully encrypted, destroying the encryption key will render the data unrecoverable

- Secure wipe with a single pass of data over the entire disk

- Degauss and/or physical destruction by shredding


NIST 800-88 : http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Overwriting Hard Drive Data: The Great Wiping Controversy: https://link.springer.com/chapter/10.1007/978-3-540-89862-7_21

SSDs

- If the drive was encrypted prior to adding data, destroying the encryption key will render the data unrecoverable
- If drive manufacturer includes secure ATA erase, this will be a good course of action to render the data unrecoverable
- Physical Destruction by shredding


NIST 800-88 : http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
ATA Secure Erase: https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Optical Disks

Physical destruction by shredding

Portable devices (i.e., smartphones)

Use manufacturer methods to perform a factory hard reset.


Apple: https://support.apple.com/en-us/HT201351
Android: http://www.androidcentral.com/how-factory-reset-android-phone

Magnetic media (i.e., tapes)

- If encrypted, destroying the encryption key will render the data unrecoverable
- Secure wipe with a single pass of data over the entire tape
- Degauss and/or physical destruction by shredding

Resources

Example tools for overwriting spinning disk drives

DBAN - http://dban.org
Eraser - https://eraser.heidi.ie
Apple Disk Utility- https://support.apple.com/kb/PH22241?viewlocale=en_US&locale=en_US

 

Campus disposal resources


University Records Center - http://www.archives.upenn.edu/urc/urc.html
ISC's Drive Degausser and Crusher - https://www.isc.upenn.edu/how-to/secure-drive-disposal
ISC Security's Secure Deletion Information - http://www.upenn.edu/computing/security/privacy/data_clear.php

 

Recycling services


Electronics:
Elemental, Inc - http://eleminc.com/


CellPhones:
Gazelle.com - https://www.gazelle.com/
sellcell.com - https://sellcell.com

 


Information Systems and Computing
University of Pennsylvania