UW Guidelines for Implementing Systems and Data Security Practices
Draft #4
May 2003
Prepared for:
The Privacy Assurance and Systems Security Council
Prepared by:
Kirk Bailey, CISSP
Manager of Strategic Computer Security Services
Computing & Communications
University of Washington
Table of Contents
- Purpose of These Guidelines
- Assessing What Security Measures to Implement
- Data Classification and Related Protective Measures
- Access Control Measures
- System and Application Maintenance
- Logging
- Antivirus Software
- Data Entry, Processing, and Reporting
- Backup and Data Retention and Disposal
- Firewalls and Intrusion Detection Security
- Encryption
- Authentication Mechanisms
- Physical Security Mechanisms
- Assistance with Security Implementations
Purpose of These Guidelines
This document provides guidelines for approaching the implementation and maintenance of appropriate and required technical measures, operational practices, and methods for the protection of university computer systems and related data.
University of Washington computing systems, networks, and the information that resides on them are critical assets for the university. They are central and integral to the success of the UW's mission of providing excellence in education, advancements through research, and meaningful public services. These vital information systems assets require proper protection and use to ensure their availability, confidentiality, and integrity.
It is the responsibility of all computer system owners/operators and data custodians to understand and apply laws and UW policy in the operation and administration of their systems. These guidelines offer suggestions for approaches that might work in your environment.
Assessing What Security Measures to Implement
All computer and data security measures are based on the functional nature and degree of criticality of the computer systems, network resources, and data involved. To assess what security measures should be implemented for a computer, the questions to ask include:
- What data are used and stored on it?
- Who uses the system?
- How do users access the system?
- What functions does it provide?
- What is the importance (criticality) of the functions?
- What other systems are sharing a subnet with this system?
- What is the connectivity to other networks and users?
- Where is the system located?
- How are backups made and where are they stored?
- Are there any related statutory and regulatory requirements involved?
The following sections address these questions and offer security measures and practices to evaluate for potential use in protecting computer systems' availability, confidentiality, and integrity.
When assessing a system's security needs, it is important to understand that all of these measures and practices offer different protections against the many risks and potential problems that exist. Taking the time to assess the security needs of a computer system is a valuable exercise for all system owners/operators and data custodians. The only thing more important is ensuring the implementation of the necessary measures.
Data Classification and Related Protective Measures
Beyond the basic requirements to protect all UW networks and systems, the nature of the data is what determines much of the statutory and regulatory compliance requirements and the levels of protection that need to be achieved for a system. In the UW computing environment, personally identifiable information related to student records and health records (see UW Information Systems Security Policy, section 4: Definitions) is sensitive data that requires specific security measures and practices applied to the systems involved. There are also many systems associated with research efforts and resulting intellectual property that need strong security applied to them.
System owners/operators and data custodians should review and understand their obligations, which are defined in the UW Electronic Privacy Policy on Personally Identifiable Information.
While the university does not employ any official data classification system per se, the following defined categories of data can be useful for system owner/operators and data custodians to understand appropriate protection requirements:
- General Access:
Information that either is available for public access or by its nature does not need protection and can be shared with anyone. This includes general public information, published reference documents (within copyright restrictions), open-source materials, approved promotional information, and press releases.
- Restricted:
Business data intended strictly for use within the university. Most of this information is subject to public disclosure laws because of the university's status as a public institution. However, it still requires careful management and protection to ensure the integrity of the university's business operations and to meet obligations and compliance requirements. Restricted data also includes data associated with internal email systems and UW NetID account activity information.
- Confidential:
Information that is very sensitive in nature and requires careful controls and protection. Unauthorized disclosure of this data could seriously and adversely affect the university or the interests of individuals and organizations associated with the university. Confidential data includes student records, personally identifiable information, medical records, legally protected university records, research data, passwords, protected intellectual property, and other proprietary information.
Below is a quick reference matrix for minimum-security measures that should be applied to systems hosting any of the three data types. If there is any question about the categorization of data, the default classification category is "restricted."
Data Classification Quick Reference Matrix for Minimum System Security Measures
| System Security Measure | General Access | Restricted | Confidential |
|---|---|---|---|
| Access control | Only as needed for system administration | Yes | Yes |
| System and application maintenance | Yes | Yes | Yes |
| Logging | Yes | Yes | Yes |
| Antivirus measures | Yes | Yes | Yes |
| Backup and retention | Yes | Yes | Yes |
| Firewalls and IDS | Recommended | Recommended | Yes |
| Encryption (during transmission) | No | Recommended | Yes |
| Encryption (storage) | No | Optional | Optional |
| Authentication | Only as needed for system administration | Yes | Yes (two-factor minimum) |
| Physical security | Recommended | Yes | Yes |
Access Control Measures
As stated in UW Information Systems Security Policy, all computing systems hosted on UW networks must support and comply with fundamental access control measures, functions, and operating principles (for a list of requirements, see section 6.4: Access Controls).
Management practices adopted to support the access control mechanisms should be sensible, reasonably easy to maintain, and auditable. For shared systems, they should include an electronic or paper request and approval process for all accesses established, modified, or terminated. The system owner/operator and data custodian should maintain this process. In addition, management practices should include a regular process to review existing access accounts to ensure they are still valid.
In addition to controls that are necessary for all systems, controls are particularly important for systems and applications that host restricted or confidential data. Data access privileges should be granted and system functions defined in a manner that establishes all necessary separation of duties and helps prevent potential fraudulent actions or compromise of data.
The guiding rules for this are:
- Access to critical and sensitive servers or applications might require two-factor authentication (for more information, see Authentication Mechanisms in this document).
- Access to personally identifiable information requires authentication at the individual user level.
- Each user is granted access only to those hosts, services, and data for which that user has a legitimate need.
- Excessive access attempts should be logged or cause lockouts or alarms, as appropriate.
- Access and privileges are granted only for the period of time they are needed.
- Warning banners should be posted on computing systems and servers. These security banners should inform all users that the system or application being accessed is proprietary, that it should be accessed only by authorized users, and that system use is monitored for enforcement purposes. Suggested language for such a banner is as follows:
WARNING
This is a proprietary system of the University of Washington and is for use by authorized individuals only. Use of this system or any other computer system of the university constitutes express consent to monitoring at all times. If monitoring of any university system reveals possible violations of criminal statutes, all relevant information will be provided to law enforcement officials. Any individual using this or any other university computer system or related information without proper authority will be subject to civil and/or criminal prosecution.
Suggested language for a shorter banner is as follows:
WARNING
This is a University of Washington system. Use of this system is for authorized users only. UW technical and security staff reserve the right to monitor any and all activity on this system and will take all necessary enforcement measures against unauthorized use or access.
System and Application Maintenance
Because of the rapidly changing and vulnerable technology environment that exists today, it is imperative that system owner/operators properly maintain their systems. Computer systems are easily targeted and compromised through network connections. If a system is not properly secured, someone will compromise and exploit it. Even if a system has no information of value on it, it still must be protected from being used as a resource from which to launch illegal or disruptive activity.
While nothing short of physically disconnecting a system from the network will guarantee that it cannot be broken into, a number of steps should be taken to reduce the risks. The following are recommended basic maintenance practices:
- Change default passwords or disable all default accounts.
Some systems come with software installed that has password protection, but with passwords that are set at the factory. These default passwords are widely available online. If an account is left enabled with a password that was set by the vendor or is easily guessed, the system is at high risk of compromise.
- Know what services should be running and which actually are running.
Many systems come with services enabled that are not needed. If a system is running a service its owner does not know about and a weakness is found in that service, the security of the system is at risk. System owners/operators must know what is actually running on their systems, and anything that is not needed should be turned off. It is better to start with everything off and enable only the services that are needed than to start with everything on and disable the services that are not needed.
- Separate workstations and servers.
For example, do not install or use word processing, email, or web browser applications on server systems. This limits the number of people who need access to the server and reduces the ways in which it can be compromised.
- Keep your operating system and applications up to date.
Vendors publish notices about updates and patches. Some operating systems come with utilities to help keep them up to date; others require more manual work. If this task cannot be automated by the operating system, make sure there are procedures in place to check regularly for current patches and to install them. Updates to systems and applications should be handled with appropriate version control procedures, such as tracking, logging, and applying software change controls.
- When possible, scan your machine for vulnerabilities.
Potential intruders regularly scan networks for vulnerable machines. System owners/operators should use scanning tools to scan their own systems before others find the vulnerabilities.
- Cooperate with UW security engineers who scan the UW network.
UW security engineers scan computers on the UW network for known vulnerabilities. They also receive reports of computers on the network that appear to be compromised or are participating in attacks on others. They notify system owners/operators when problems are found and request that the computers be cleaned up and patched.
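The "know what should be running and what actually is" practice above is easiest to keep up when the expected services are written down and the host is checked against that list. The following is an added example, not part of these guidelines or of any UW tool: it parses a socket listing in the format of the Linux `ss -ltunp` command (the listing below is constructed for a hypothetical web server; the host, process IDs and the baseline allowlist are assumptions) and reports exposed listeners that are not in the baseline, baseline services that are absent, and listeners bound only to the loopback interface.

```python
"""Compare the services actually listening on a host against an expected baseline.

Added example, not part of the UW guidelines. The listing below is constructed
in the format of `ss -ltunp` on Linux for a hypothetical host; the baseline is an
assumed allowlist for a web server that should expose only SSH and HTTP/HTTPS.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample output (hypothetical host); not captured from a real system.
SAMPLE_LISTING = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*   users:(("httpd",pid=1201,fd=4))
tcp   LISTEN 0      50     0.0.0.0:21        0.0.0.0:*   users:(("vsftpd",pid=1333,fd=3))
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*   users:(("mysqld",pid=990,fd=10))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*   users:(("snmpd",pid=700,fd=5))
"""

# Assumed baseline: (protocol, port, process name) triples that are allowed to
# listen on the network. Record it from a freshly built, known-good host.
BASELINE = {("tcp", 22, "sshd"), ("tcp", 80, "httpd"), ("tcp", 443, "httpd")}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"      # Netid State Recv-Q Send-Q
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"          # Local Address:Port, Peer
    r'users:\(\("(?P<proc>[^"]+)"'                   # first process holding the socket
)


def parse_listeners(listing):
    """Return a Listener for every data line; the header line does not match."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"]))
    return found


def is_loopback(addr):
    """True for sockets reachable only from the host itself (IPv4 127/8 or ::1)."""
    a = addr.strip("[]")
    return a.startswith("127.") or a == "::1"


def audit_listeners(listing, baseline):
    """Diff the live listing against the baseline.

    unexpected:    network-exposed listeners not in the baseline (turn off or add)
    missing:       baseline services that are not listening (outage or tampering)
    loopback_only: listeners bound to loopback that are not in the baseline
    """
    seen = parse_listeners(listing)
    keys = {(l.proto, l.port, l.process) for l in seen}
    unexpected, loopback_only = set(), set()
    for l in seen:
        key = (l.proto, l.port, l.process)
        if key in baseline:
            continue
        (loopback_only if is_loopback(l.addr) else unexpected).add(key)
    return {
        "unexpected": sorted(unexpected),
        "missing": sorted(baseline - keys),
        "loopback_only": sorted(loopback_only),
    }


if __name__ == "__main__":
    for category, items in audit_listeners(SAMPLE_LISTING, BASELINE).items():
        print(category)
        for proto, port, proc in items:
            print(f"  {proto}/{port} {proc}")
```

On the constructed listing the audit flags vsftpd on tcp/21 and snmpd on udp/161 as unexpected network-exposed services, reports httpd on tcp/80 as missing, and lists mysqld on the loopback interface for information only. The baseline keys on port as well as process name, so a familiar daemon bound to an unfamiliar port is still flagged. Note that the process names come from the host being audited; on a compromised system they can be faked, so this check complements, and does not replace, the external vulnerability scans described above.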
Logging
Wise operation of a computer system and its applications includes prudent and sensible use of logging tools. Logging can be problematic because of the volume of data collected and the difficulty of extracting useful information from it, but it is still important for system owners/operators to take the time to evaluate their logging needs and ensure that appropriate logging tools are implemented and maintained.
In addition to the logging itself, operational practices need to be implemented to ensure regular review of the logs for anomalies and exception events that could signal potential problems.
Logging efforts have value and are important for several reasons. In addition to supporting audits of selected system activity, security measures, and controls, a logging program also can help to resolve operational problems and contribute valuable information to security incident investigations.
The following are recommended logging practices:
- System activity associated with all system administrators should be logged.
- UW computer systems that handle restricted or confidential data should securely log all significant security events. Examples of significant security events include password-guessing attempts, attempts to use privileges that have not been authorized, modifications to system or application software, and changes to user groups or accounts.
- Computer applications that support processing of restricted or confidential data should log the following key user activity information:
  - User session activity, including user IDs, log-in date/time, log-out date/time, and applications invoked
  - Changes to key application system files
  - Additions and changes to the privileges of users
  - System start-ups and shut-downs
- Some activities and information should not be logged. These include passwords and informational application queries.
It is important to establish appropriate retention and access practices for the various logs. It is recommended that logs containing security-relevant events be retained for at least three (3) months. These logs are important for correcting system problems, forensic auditing, security breach investigations, and related efforts. Stored logs must be secured so they cannot be modified and so that only authorized persons have access to them; forwarding copies to a separate log host that the monitored system cannot alter is one way to achieve this, since an intruder who gains control of a system will typically try to edit its local logs.
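The logging practices above only pay off when someone (or something) actually reviews the logs for the significant events listed: password-guessing attempts, attempts to use privileges that have not been authorized, and changes to user accounts or groups. The same "excessive access attempts" condition from the Access Control Measures section is what a lockout or alarm would key on. The following is an added example, not part of these guidelines: it runs simple detection rules over a constructed syslog excerpt in the formats written by OpenSSH, sudo, useradd and usermod (the host name, addresses, user names and the assumed year 2003 are invented).

```python
"""Review a syslog excerpt for the significant security events the guidelines list.

Added example, not part of the UW guidelines. The sample lines are constructed
in the formats written by OpenSSH (sshd), sudo, useradd and usermod; the host,
addresses and users are invented. syslog timestamps carry no year, so the
sample is assumed to be from 2003.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2003  # assumption for the constructed sample

SAMPLE_LOG = """\
Mar 14 02:11:05 host1 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 51122 ssh2
Mar 14 02:11:07 host1 sshd[2213]: Failed password for invalid user admin from 10.0.0.5 port 51123 ssh2
Mar 14 02:11:09 host1 sshd[2215]: Failed password for root from 10.0.0.5 port 51124 ssh2
Mar 14 02:11:12 host1 sshd[2217]: Failed password for root from 10.0.0.5 port 51125 ssh2
Mar 14 02:11:15 host1 sshd[2219]: Failed password for invalid user test from 10.0.0.5 port 51126 ssh2
Mar 14 02:11:18 host1 sshd[2221]: Failed password for invalid user test from 10.0.0.5 port 51127 ssh2
Mar 14 02:12:40 host1 sshd[2230]: Failed password for jdoe from 10.0.0.9 port 40211 ssh2
Mar 14 02:12:55 host1 sshd[2232]: Accepted publickey for jdoe from 10.0.0.9 port 40212 ssh2
Mar 14 02:20:01 host1 sudo:    jdoe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
Mar 14 03:05:10 host1 useradd[2401]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
Mar 14 03:05:30 host1 usermod[2405]: add 'backup2' to group 'wheel'
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_DENY_RE = re.compile(r"^\s*(?P<user>\S+) : user NOT in sudoers.*COMMAND=(?P<cmd>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
GROUP_ADD_RE = re.compile(r"add '(?P<member>[^']+)' to group '(?P<group>[^']+)'")


def parse(text):
    """Yield (timestamp, program, message) per parseable line, in file order."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["prog"], m["msg"]


def detect_password_guessing(events, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failed logins inside a
    sliding window of `window_seconds`; a lockout would use the same test."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, prog, msg in events:
        m = FAILED_RE.search(msg) if prog == "sshd" else None
        if not m:
            continue
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # drop stale entries
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])
            alerts.append({"source": m["src"], "count": len(q),
                           "users": sorted({u for _, u in q}),
                           "first": q[0][0], "last": ts})
    return alerts


def detect_privilege_denied(events):
    """Attempts to use privileges the user has not been granted (sudo denials)."""
    found = []
    for _, prog, msg in events:
        m = SUDO_DENY_RE.match(msg) if prog == "sudo" else None
        if m:
            found.append({"user": m["user"], "command": m["cmd"]})
    return found


def detect_account_changes(events):
    """New accounts and group membership changes, which should match approvals."""
    changes = []
    for _, prog, msg in events:
        if prog == "useradd" and (m := NEW_USER_RE.search(msg)):
            changes.append(f"new user {m['user']}")
        elif prog == "usermod" and (m := GROUP_ADD_RE.search(msg)):
            changes.append(f"{m['member']} added to group {m['group']}")
    return changes


def review_log(text, threshold=5, window_seconds=60):
    events = list(parse(text))
    return {"password_guessing": detect_password_guessing(events, threshold, window_seconds),
            "privilege_denied": detect_privilege_denied(events),
            "account_changes": detect_account_changes(events)}


if __name__ == "__main__":
    for kind, findings in review_log(SAMPLE_LOG).items():
        print(kind)
        for f in findings:
            print("  ", f)
```

On the sample, 10.0.0.5 trips the password-guessing rule at its fifth failure within ten seconds (three different user names tried), the single failure from 10.0.0.9 followed by a successful key login does not, the sudo denial for jdoe is reported as an unauthorized privilege attempt, and the creation of backup2 and its addition to the wheel group are listed so they can be checked against the access request and approval records. The threshold and window are tuning assumptions; set them from what normal users on the system actually do.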
Antivirus Software
It is well known that one of the major threats to computer systems and data is exposure to malicious code. Viruses, worms, Trojan horse programs, and other such threats are difficult to defend against and require a systematic approach to mitigate potential harm. These programs most commonly are introduced into university systems through opening email with infected attachments, downloading infected files from the Internet or other external systems, and loading infected files from disks or other media or file servers into the system.
System owners/operators should install and maintain high quality antivirus software on their file servers and ensure that all associated servers and desktop computers (including those used by staff at home) have some kind of protection installed and maintained. System owners/operators should be vigilant about loading all updates to the antivirus software and its signatures as they become available. Full scans of each system for malicious code should also be run on a regular basis, not only when files are accessed.
In addition to antivirus software, it is important for system owners/operators to establish infection prevention and damage mitigation procedures, which could include:
- Scans of all diskettes and other portable storage media before they are loaded into the system
- Scans of all files downloaded from the Internet
- Rules against the use of any software that is not obtained legally from reliable sources, and against running software delivered through web browsers from untrusted sources
- Response procedures for dealing with infection or attack by malicious software
Data Entry, Processing, and Reporting
Data custodians need to take appropriate steps to ensure that there are authorization and audit controls over the creation of university business data. Further, data must be protected from unauthorized change and viewing. Where appropriate, data entry capability should be protected with access control measures, and the roles of entry and authorization should be held by different people. Audit logs and other mechanisms for determining who created or changed data should be in place where necessary.
Systems and applications that process university business data need to be protected from unauthorized or unintentional changes. Data custodians and system owners/operators should have appropriate system and application change control in place to protect the accuracy of the university's business data.
Reports, whether on paper or accessed online, should be distributed to only those authorized for viewing. People who have access to reports should also be trained to understand the appropriate means of safeguarding the access to and disposal of the reports.
Backup and Data Retention and Disposal
In order to protect their computer systems and data, system owners/operators must implement regular backup procedures. Regular backups of all critical system software, applications, and data are necessary for both recovery and compliance purposes. The frequency of these backup processes also should be sufficient to support the documented contingency plans.
When choosing the location for the storage of backup media, it is important to make certain that it is protected from access, change, or destruction. The level of security associated with the backups should be the same as that for the disk copy. Additionally, backup media should be stored at a separate location that is unlikely to be affected by any disasters befalling the primary copy of the data.
Data retention is a separate issue from backup. Backups rarely, if ever, should be counted upon as the means for records retention management. UW data custodians, system owner/operators, and users are obligated to understand the nature of the data they generate, use, or store and to ensure that they are managing that data in full compliance with all state laws and UW records management policies. UW Records Management Services is the primary resource for information and support regarding these obligations.
At the end of the record retention period for data, it is important that the disposal of the data is in accordance with the level of protection required. Information that is restricted or confidential should be disposed of in a manner that continues to protect that data. This must include the procedures for disposition of the media upon which the data resides.
Firewalls and Intrusion Detection Security
It is essential for UW system owners/operators to deploy and maintain effective host-based security measures. System owners/operators must consider carefully how they manage their network connectivity and what filtering tools and rules best meet their computing needs.
While firewalls provide an additional level of security, they also can introduce vulnerabilities and support problems. Because of the complex computing environment that exists at the university and the wide-range of computing services required, the UW relies on host-based security services and limited network security measures, usually at the subnet level. This approach can and should include firewalls and intrusion detection systems deployed on department-managed subnets and computing systems as described below.
It is recommended that security perimeters be established as close to the subject computer systems as possible, if not on them. This is to minimize the risks from other hosts within the perimeter and allow use of more specific firewall rules.
The first option to consider for protecting servers and desktop systems is installing host-based network filters (firewall rules that run on the protected host itself). There are many software products to choose from, and C&C security engineers can help a user or system owner/operator select one that would work well for a given environment. Host-based filters are valuable for servers as well as desktops, because they allow a rule set tailored to exactly the services that system is supposed to offer.
Some host-based firewall products also include intrusion detection system (IDS) capabilities that might be useful. An IDS monitors the traffic it can see (for a host-based IDS, traffic to and from that host; for a network IDS, a whole segment) and alerts you when certain traffic patterns are detected. Such systems are challenging to use because they are susceptible to false positives and the resulting confusion and loss of productivity; alerts need tuning to the environment before they are acted on. Many of the available firewall software packages include IDS options.
System owners/operators also are encouraged to review the possible use of a logical firewall available on the UW Web site. This logical firewall was developed by C&C engineers to physically exist anywhere on the subnet and protect hosts anywhere on the subnet without rewiring.
Encryption
Encryption can support a variety of security objectives, including authentication, integrity, privacy, and non-repudiation. However, there are some difficult challenges for effectively deploying file encryption tools, and doing so requires careful review and consideration.
Currently, UW central computers require encryption for transmission of confidential data. They use the Kerberos authentication system (based on symmetric, shared-secret key cryptography), SSH, and SSL, which keep passwords from crossing the network in the clear. In addition, the email, browser, and file transfer software available in the UW Internet Connectivity Kit (UWICK) provide encryption for messages and files sent over the network. Policies and procedures for the build-out of virtual private networks are also being discussed.
Several approaches to file encryption are being used and explored at the UW. However, there are difficult and substantial barriers to widespread deployment. For one thing, many different and incompatible file encryption tools are available, and a single tool rarely meets every security objective (for example, confidentiality of stored files, integrity, and sharing among authorized users), so more than one technique is often needed. Until the file encryption industry agrees on common methods and standards, data custodians should choose file encryption tools carefully.
File encryption tools can be misused by users, potentially leading to loss of access to data (for example, when a passphrase or key is lost and no recovery copy exists), corruption of data, and other problems. Data custodians should not deploy file encryption tools without implementing strict use and management practices, including key recovery procedures.
Authentication Mechanisms
A key security measure that system owners/operators need to implement is a means to authenticate system users. There must be a systematic and reliable method for establishing proof of identity. Users can establish identity with:
- Something they know: passwords, personal identification numbers, pass phrases, secrets
- Something they have: token, smart card, certificate, private key
- Something they are: biometrics, activity signatures
The criticality of the computer systems and the sensitivity of the data determine the kind of authentication process that should be implemented. Some circumstances require a two-factor approach, in which a user must present evidence from two of the categories above (for example, a password together with a one-time code from a token). This layered approach makes it considerably harder for an unauthorized person to fool the system's authentication process, because compromising one factor is not enough.
System owners/operators and data custodians must evaluate their system's authentication requirements and implement the appropriate measures. This evaluation should be realistic about the limits of the technology: existing mechanisms are vulnerable and can be spoofed, so a second factor should be chosen to cover the weaknesses of the first.
The most basic protections come from establishing systems and processes that assure that good passwords are created, maintained, and correctly transmitted. Software is available to force the choice of good passwords and check periodically for weak ones. Passwords should be changed regularly. Only protocols that encrypt passwords should be used to transmit them over the network.
Physical Security Mechanisms
As with logical security measures at the UW, physical security measures required for protecting UW computing resources should be commensurate with the nature and degree of criticality of the computer systems, network resources, and data involved.
As a public institution, the UW is a challenging environment. It has buildings and facilities open and accessible to a large population. In addition, office space is often in short supply and locations with logistics that meet security requirements are scarce in many campus buildings. The UW Police Department can help by performing security surveys to assess the physical organization of a site and make recommendations for added security measures to ensure less risk of theft or unauthorized access.
System owner/operators need to implement the following measures to properly protect UW assets:
- Sufficient physical access control measures (e.g. a designated room that can be secured and established procedures to monitor areas housing computing resources) to prevent unauthorized access, use, vandalism, or theft
- Secured network and telecommunications closets
- Sufficient environmental controls (e.g. power supply, surge protection, heating, air conditioning, and plumbing) to protect computing assets from harm and service disruptions
- Smoke detection and fire suppression systems
- Secure and safe storage for all backup data/media required for recovery and retention requirements
- Inventory control measures such as asset tags or other identification markings for tracking and accounting for computing assets and for claiming recovered stolen equipment
- Reporting of all equipment theft
- Appropriate management of laptops and other equipment taken to offsite work areas
- Server sanctuaries (with extra physical protection) within secured computing facilities for servers containing personally identifiable information or other critical data or functions
Assistance with Security Implementations
The amount of work required to implement a good security program can be daunting. There are university resources available to assist departments in determining what is needed and how to go about putting good security processes into practice. University of Washington Police, Internal Audit, Computing & Communications, Risk Management, and the Privacy Assurance and Systems Security Council are available for consultation and assistance.
