Security Discussion
IST Retreat
June 2008
IT Security Statement
definition
In the context of computer science, security is the prevention of, or protection against:
• access to information by unauthorized recipients, and
• intentional but unauthorized destruction or alteration of that information
terminology
• Confidentiality - Ensuring that information is not accessed by unauthorized persons
• Integrity - Ensuring that information is not altered by unauthorized persons, or at least that any such alteration is detectable by authorized users
• Authentication - Ensuring that users are the persons they claim to be
Components
Some New(er) Concerns
• Privacy of Information (e.g. PIPEDA, Health Services)
• Electronic Commerce (e.g. donations)
• Hosted Applications (e.g. Patriot Act)
• Email and Phishing Scams
• Identity theft
Top 7 (All Systems) - SANS
1. Default installs of operating systems and applications
2. Accounts with No Passwords or Weak Passwords
3. Non-existent or Incomplete Backups
4. Large number of open ports
5. Not filtering packets for correct incoming and outgoing addresses (no ingress/egress anti-spoofing filtering)
6. Non-existent or incomplete logging
7. Vulnerable CGI Programs
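Item 5 of the list above is ingress/egress address filtering: a border device should drop inbound packets whose source claims to be inside the campus (or is private/bogon space) and drop outbound packets whose source is not a campus address. The following is an added example written for this page, not code from the IST slides or from any campus system. The prefixes and interface names are assumptions: 192.0.2.0/24 (a documentation prefix) stands in for the campus public block, "outside" is the Internet-facing interface of a border router and "inside" faces campus, with campus hosts using public addresses directly (no NAT).

```python
"""Ingress/egress address filtering (item 5 of the SANS list above).

Added example, not part of the original slides. OUR_PREFIX, the interface
names and the sample packets are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Assumed campus block. Hosts inside use these addresses directly (no NAT).
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Sources that should never arrive from the Internet: RFC 1918 space,
# loopback and the "this network" block.
PRIVATE_OR_BOGON = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "0.0.0.0/8")
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def filter_packet(pkt: Packet) -> tuple:
    """Return ("accept", "") or ("drop", reason).

    Ingress rule (outside -> in): the source must not be one of our own
    addresses or a private/bogon address; otherwise it is spoofed.
    Egress rule (inside -> out): the source must be one of our addresses;
    otherwise a campus host is spoofing someone else (e.g. for a DDoS).
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        if src in OUR_PREFIX:
            return ("drop", "spoofed: our own prefix as source on the outside interface")
        if any(src in net for net in PRIVATE_OR_BOGON):
            return ("drop", "private or bogon source address from the Internet")
        return ("accept", "")
    if pkt.iface == "inside":
        if src not in OUR_PREFIX:
            return ("drop", "egress packet not sourced from our prefix")
        return ("accept", "")
    return ("drop", f"unknown interface {pkt.iface!r}")


# Constructed sample traffic for the demo and the checks.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "192.0.2.20"),  # normal inbound
    Packet("outside", "192.0.2.10", "192.0.2.20"),    # claims to be us
    Packet("outside", "10.1.2.3", "192.0.2.20"),      # RFC 1918 source from Internet
    Packet("outside", "127.0.0.1", "192.0.2.20"),     # loopback source
    Packet("inside", "192.0.2.5", "198.51.100.7"),    # normal outbound
    Packet("inside", "203.0.113.9", "198.51.100.7"),  # campus host spoofing
]


def count_verdicts(packets) -> dict:
    """Tally accept/drop decisions over a list of packets."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[filter_packet(pkt)[0]] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.iface:7s} {pkt.src:>14s} -> {pkt.dst:14s} {verdict} {reason}")
    print(count_verdicts(SAMPLE_PACKETS))
```

The same two rules map directly onto a real border filter (one inbound access list rejecting the campus prefix and bogons, one outbound access list permitting only the campus prefix); the simulation is here so the decision logic can be read and tested without a router.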
Top 10 - HIPAA
1. Firewall and System Probing
2. Network File Systems (NFS)
3. Electronic Mail Attacks
4. Vendor Default Password Attacks
5. Spoofing, Sniffing, Fragmentation and Splicing
6. Social Engineering Attacks
7. Easy-To-Guess Password Compromise
8. Destructive Computer Viruses
9. Prefix Scanning
10. Trojan Horses
Recent Events
• C&PA - “events” application
• JobMine – resume
• PeopleSoft - URLs
• UW-ACE – “admin” privileges
What We’re Doing – Part I
• security working group
• passkey depot
• server hardening and/or review
• anti-virus software distribution
• machine room firewall
• internal audits
• patches for server and desktop
What We’re Doing – Part II
• campus advisories
• monitoring/scanning (ongoing, monthly)
• e-commerce verification
• external information (SANS, CERT)
• authorization/roles (ERP, Sharepoint)
• wireless access (Minuwet)
• networks (residence)
What We’re Doing – Part III
• certificates (Thawte)
• authentication (ADS, CAS)
• password rules and checks
Problems & Challenges – Part I
• Public security policy/statement for web sites
• Education & Training
• Reliance on vendors
• Keeping up to date on patches
• Laptops
Problems & Challenges – Part II
• Web applications architecture
• “academic” & “computing” institution
• Increases in attacks, trends
Physical Security
• Overlap with Key Control
• Hardcopy documents (internal, UW, academic)
• Overlap with Police Services (Emergency)
• IST and wired/physical security
Moving Forward
• New roles for all?
• More external/outsource testing?
• Testing protocols for applications/services?
Links
http://ist.uwaterloo.ca/security/
http://security.uwo.ca/
http://www.uoguelph.ca/ccs/security/index.shtml
http://www.wlu.ca/page.php?grp_id=47&p=1128
http://www.usask.ca/its/services/itsecurity/
http://www.cse-cst.gc.ca/training/
http://www.cert.org/
http://www.sans.org/
http://en.wikipedia.org/wiki/Security
Discussion