Logical Security
Table of Contents
- Vulnerability Assessment
- Access Security
- Data and Software Availability
- Confidential Information
- Local System Protection
Governing UH Policy
Manual of Administrative Policies and Procedures (MAPP):
Computer User Responsibilities
MAPP Policy: 10.03.01
SECTION: Information Technology
AREA: User Guidelines and Responsibilities; Security
SUBSECTION: IV (Security Responsibilities)
Computer Security
MAPP Policy: 10.03.02
SECTION: Information Technology
AREA: User Guidelines and Responsibilities; Security
SUBSECTION: IV (Security Responsibilities)
University of Houston System, System Administrative Memoranda (SAM):
Notification of Automated System Security Guidelines
SAM Number: 07.A.03
SECTION: Information Technology
AREA: Computing Services
IT Practices and Guidelines
IT recommends that logical security start at the lowest level, the operating system (OS), and move up through securing the desktop functions and the usability of applications (also called "hardening" a system).
A. Vulnerability Assessment
The objective of a vulnerability assessment is to examine systems for weaknesses that could be exploited, and to determine the chances of someone attacking any of those weaknesses.
Numerous types of vulnerabilities, both physical and electronic, are possible. Each should be examined and documented; controlling all the risks associated with electronic access to systems is moot if someone could physically tamper with them and modify or walk away with data.
Many tools exist for evaluating electronic vulnerabilities. We recommend the use of Internet Security Systems (ISS) Scanner to determine these vulnerabilities. The primary value of this tool lies in automation and detection; that is, typically ISS is used to scan systems for configurations and services, compare the results with a database of known exploits, and produce a report. This avoids the laborious task of examining systems manually and researching the latest exploits. It also provides a method of easily obtaining consistent data on system vulnerabilities.
A list of vulnerabilities starts with host- and network-level exploits that could have an impact on your systems. Although Internet Scanner is confined to the electronic environment, be sure to examine exploits that could occur with physical access as well as electronically. Finally, for completeness, examine scripts and applications on systems for potential vulnerabilities. This ensures that all vectors for attack are included in the assessment, so that efforts at reducing risk are based on real threats, not just those that are technical or well advertised.
Once a list of vulnerabilities per system is compiled, each vulnerability should be classified according to the probability that it could be exploited. This probability is the threat associated with the vulnerability, and methods for determining this threat level vary. They can be as complicated as completing a tree analysis, which documents the different series of conditions that could lead to exploitation of a vulnerability, or as simple as relying on reports about the frequency of exploits in the wild. CERT (Computer Emergency Response Team), the SANS (System Administration, Networking, and Security) Institute and other such groups routinely publish listings of exploits that are being seen frequently and thus are high-threat areas.
The combination of vulnerabilities and threats provides a measure of where exposures are, and what the chance is that a motivated attacker might exploit them. This is the level of inherent risk, or the risk that exists in the absence of any control measures.
IT is available for consultation upon request.
B. Access Security
Desktop administrators should ensure that workstations are configured consistently with the job function of the computer user. This may include, but is not limited to:
- Limiting programs or utilities available to only those needed by the position.
- Increasing controls on key system directories.
- Increasing levels of auditing.
- Limiting use of removable media, such as floppy disks.
Password guidelines:
(as stated in the Information Technology Security Policy, Item 16 "Password Control")
- Passwords are to be assigned to the individual employee or issued on an individual employee basis if computerized records are being accessed as part of their responsibility.
- Distribution of passwords should be handled with the strictest confidentiality.
- Passwords shall be changed on a regular basis.
- Passwords that are obvious, such as nicknames and dates of birth, should not be allowable.
- Passwords should never be shared with another user. Employees are formally notified as to their role in protecting the security of the user ID and password. Counter accounts, for view only, are an exception to this rule.
- Passwords should have a minimum length of five characters.
- Passwords stored on a computer should be encrypted in storage.
- System software should enforce the changing of passwords and the minimum length and format.
- The non-printing, password-suppression feature should be used on all terminals to prevent the display of a user ID or password at log-on.
- System software should disable the user identification code if more than three consecutive invalid passwords are given.
- System software should maintain a history of at least two previous passwords and prevent their reuse.
- Procedures for forgotten passwords should require that Support Services personally identify the user.
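The following is an added example, not code from the policy or from any UH system, showing how system software could enforce several of the rules above: minimum length, rejection of obvious passwords, a history of two previous passwords, and disabling the user ID after more than three consecutive invalid passwords. The `Account` class, its method names, and the use of a salted PBKDF2 hash for "encrypted in storage" are assumptions of this example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 5      # guideline: minimum length of five characters
MAX_FAILURES = 3    # guideline: disable after MORE than three consecutive failures
HISTORY_DEPTH = 2   # guideline: remember at least two previous passwords

def _hash(password, salt):
    # Salted PBKDF2 stands in for "encrypted in storage" (assumption of this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id, obvious_words=()):
        self.user_id = user_id
        self.obvious = [w.lower() for w in (user_id, *obvious_words)]  # nicknames, DOB
        self.current = None   # (salt, digest) of the active password
        self.history = []     # up to HISTORY_DEPTH previous (salt, digest) records
        self.failures = 0
        self.disabled = False

    def _matches(self, password, record):
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)

    def set_password(self, password):
        """Return (ok, reason); store the new hash only if every rule passes."""
        if len(password) < MIN_LENGTH:
            return False, "too short"
        if any(w and w in password.lower() for w in self.obvious):
            return False, "obvious"
        records = ([self.current] if self.current else []) + self.history
        if any(self._matches(password, r) for r in records):
            return False, "reused"
        if self.current:
            self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        salt = os.urandom(16)
        self.current = (salt, _hash(password, salt))
        return True, "ok"

    def login(self, password):
        if self.disabled or self.current is None:
            return False
        if self._matches(password, self.current):
            self.failures = 0   # only consecutive failures count
            return True
        self.failures += 1
        self.disabled = self.failures > MAX_FAILURES
        return False
```

A disabled account stays disabled even when the correct password is later supplied; re-enabling would go through the forgotten-password procedure, which this example does not model.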
C. Data and Software Availability
- Back up and store important records and programs on a regular schedule.
- Check data and software integrity against original files.
- Use the latest version of specific software when possible.
- Ensure that software patches and updates are applied in a timely fashion.
D. Confidential Information
- Encrypt sensitive and confidential information where appropriate.
- Monitor printers used to produce sensitive and confidential information.
- When deleting sensitive files on fixed disks, floppy disks, or cartridges, overwrite the remaining space with software that writes a random bit-pattern (e.g., "SDelete" from SysInternals at http://www.sysinternals.com; PGP (Pretty Good Privacy), by NAI, also has similar functionality in its tool kit).
E. Local System Protection
- Firewalls
Firewalls are hardware devices or software that protect a system or systems from access or intrusion by outside or untrusted systems or users, especially malicious hackers. A firewall should also keep a log of any such attempts. Much of the functionality of a firewall can be implemented through the enabling and disabling of selected system services, Operating System auditing and control of Access Control Lists (ACLs). However, for greater security and more detailed reporting, a personal firewall or a system-based intrusion-detection agent should be installed.
- Viruses
Computer viruses are self-propagating programs that infect other programs. Viruses and worms may destroy programs and data as well as using the computer's memory and processing power. Viruses, worms, and Trojan horses are of particular concern in networked and shared resource environments because the possible damage they can cause is greatly increased. Some of these cause damage by exploiting holes in system software. Fixes to infected software should be made as soon as a problem is found.
To decrease the risk of viruses and limit their spread:
- Check all software before installing it.
- Use virus-scanning software to detect and remove viruses.
- Ensure that virus definitions for the virus-scanning software are kept updated, preferably automatically.
- Immediately isolate any contaminated system.
- Viruses should be reported to IT Security at 713-743-5161 or via email at security@uh.edu.