ISG3_SysAdm_InfoSec_Guidance_20March2010
System and Departmental Administrators
Information Security Guidelines
2010

Server and Workstation Guidelines

This document is intended to provide guidance to department system administrators and other technical staff in creating a baseline security and usage standard for all servers, workstations and systems that access the [CUMC / NYP] network.
  





Table of Contents

I.   Overview and objectives
II.  Network Controls
     A. Device Registration
     B. Firewall Exclusions
III. Servers
     A. Physical Security
     B. Server Hardening Guidelines
        1. Default/Baseline Server builds
     C. Disable Unnecessary Services
     D. Security Patching and Software Updates
     E. Auditing and Event Logging
     F. Access Control
     G. Firewalls, File integrity monitoring and Antivirus
     H. Encryption
     I. Backup
     J. Vulnerability Scanning and remediation
     K. Web Applications & Websites
IV.  Workstation and End User Security
     A. Workstation Security
        1. Baseline Workstation Build
        2. Security Patching and Software Updates
        3. Access Control
        4. Firewalls and Antivirus Software
        5. Encryption [Folder, Disk and USB]
        6. Backup
V.   User Awareness Training
VI.  Training and Education Resources
VII. Additional Resources and Links
  
ISG3_Sysadm_Infosec_Guidance_20March2010.Docx
CUMC IT Security
    	
  


I. Overview and objectives

This document is intended to provide guidance to department system administrators and other technical staff in creating a baseline security and usage standard for all servers, workstations and systems that access the [CUMC / NYP] network.

All servers and workstations that store, transmit, serve or access [CUMC / NYP] data must be configured using appropriate and necessary measures to ensure the security, integrity, and protection of the server and the data it contains against such threats as unauthorized access, inappropriate disclosure, malicious use or other compromise.

This document is intended to function as a guideline to improving the overall security of a department's computer and data infrastructure. Providing improved security is a dynamic and ongoing process requiring periodic reviews and revisions of existing policies, procedures and controls.
  	
  
    	
  


II. Network Controls

A. Device Registration

All servers need to be registered with Core Resources in order to provide network access to that device. Register each server with [CUMC / NYP] including contact information for the person or persons in charge of administering that device.

The university network is monitored for serious problems such as malware-infected systems, systems responsible for Denial of Service attacks, scanning systems and, in general, any system that is either using unusual amounts of network resources or is communicating with known compromised systems. If a server is compromised in a way that our network monitoring software detects, the registration information will be used to notify the appropriate parties.

B. Firewall Exclusions

All inbound traffic to servers from outside the [CUMC / NYP] network is allowed or blocked by perimeter controls. In order for a server to be accessible from the internet, a firewall exclusion needs to be requested. This request is logged and reviewed by the appropriate groups.

The firewall exclusion request form can be found at:

[http://www.cumc.columbia.edu/it/getting_help/online.html#advanced]


III. Servers

A. Physical Security

Ensure that a secure environment is created for all servers. Ideally servers should be housed in a temperature-controlled data center with 24/7 access control and monitoring.

Servers should never be used as a desktop or workstation for functions such as checking email or browsing the web. A server should be dedicated to a single function only. Physical access to servers should be limited to personnel that have a legitimate need to access that server.
  

B. Server Hardening Guidelines

1. Default/Baseline Server builds

All servers should have a default or baseline configuration that is used to create or build new servers. These baselines should be specific to the function of the server.

Use hardening tools or guidelines to further lock down the server.

a) Web Servers

Websites and web applications add an additional layer of complexity to securing and protecting servers and data. Web servers allow access by default and as such require extra effort to secure. In addition to following standard hardening guidelines for servers, care needs to be taken to configure the web server components accordingly. For example, it is suggested that tools such as URLScan and IIS Lockdown be used to secure IIS and disable unnecessary services.

For Windows Internet Information Services secure configuration please refer to:

[https://www.cisecurity.org/tools2/iis/CIS_IIS_Benchmark_v1.0.pdf]

For Apache Web Server secure configuration please refer to:

[https://www.cisecurity.org/tools2/apache/CIS_Apache_Benchmark_v2.2.pdf]

b) Email Servers

Extra consideration should be taken when configuring email servers. A default install of email server software may allow a malicious user to relay mail/spam through the server and, potentially, have the server end up on a spam blocklist that can impact the sending and receiving of legitimate emails.

Sendmail should be installed in a chrooted environment if possible. Microsoft Exchange should be configured and secured accordingly as well to prevent relaying and unsecured email. IMAPS should be used instead of unencrypted POP3 or IMAP. Please review the following document for secure server configuration for Microsoft Exchange:

[https://www.cisecurity.org/tools2/exchange/CIS_Benchmark_Exchange2007_1.0.pdf]

Additional configuration guides and tools can be found at the following sites for various servers, applications and databases:

NIST Guide to General Server Security:
[http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf]

NIST Guidelines on Securing Public Web Servers:
[http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf]

NIST Guidelines on Electronic Mail Security:
[http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf]
This guide covers the management and securing of various mail servers.

National Checklist Program Repository supported by NIST:
[http://web.nvd.nist.gov/view/ncp/repository]
This is a repository of publicly available security checklists for various operating systems and applications.

DISA Security Technical Implementation Guides & Documents:
[http://iase.disa.mil/stigs/stig/index.html]
[http://iase.disa.mil/stigs/draft-stigs/index.html]
[http://iase.disa.mil/stigs/SRR/index.html]
These checklists cover multiple operating systems, databases, web and mail servers. Security Readiness Review (SRR) evaluation scripts are included to help assess the level of compliance with the guides.

The Center for Internet Security Benchmarks:
[http://www.cisecurity.org/benchmarks.html]
Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices. This is a comprehensive list of guides covering workstation and server operating systems, applications and mobile devices, e.g. Exchange 2007, Red Hat Linux, Novell, Oracle, VMware, IIS, etc.
  
                       	
  
                       	
  

C. Disable Unnecessary Services

All services that are not required for the continued operation of the server should be disabled. Running unnecessary services and applications exposes the server to additional security risks and vulnerabilities.
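As an added example (not part of the original guidance), the following Python script shows one way to check a server against this rule: it parses a constructed `ss -tlnp` listing and compares each listening socket with a hypothetical per-role baseline, here for a web server. The sample output, the baseline, and the function names are assumptions made for this illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `ss -tlnp` output for this example; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("apache2",pid=1301,fd=4))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1190,fd=20))
LISTEN  0       50      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1422,fd=3))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline for the "web server" role: port -> process allowed to own it.
WEB_SERVER_BASELINE: Dict[int, str] = {22: "sshd", 80: "apache2", 443: "apache2"}

LOOPBACK = {"127.0.0.1", "[::1]"}
_PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name inside users:(("name",pid=..))


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


def parse_ss_output(text: str) -> List[Listener]:
    """Extract (address, port, process) from the LISTEN rows of `ss -tlnp` output."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)         # rsplit keeps IPv6 "[::]" intact
        match = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit_listeners(listeners: List[Listener],
                    baseline: Dict[int, str]) -> List[Tuple[int, str, str, str]]:
    """Return (port, process, address, reason) for every socket outside the role baseline."""
    findings = []
    for lst in listeners:
        expected = baseline.get(lst.port)
        if expected is None:
            scope = "loopback only" if lst.addr in LOOPBACK else "all interfaces"
            findings.append((lst.port, lst.process, lst.addr, f"not in role baseline ({scope})"))
        elif expected != lst.process:
            findings.append((lst.port, lst.process, lst.addr,
                             f"port owned by {lst.process}, baseline expects {expected}"))
    return findings


if __name__ == "__main__":
    for port, proc, addr, reason in audit_listeners(parse_ss_output(SAMPLE_SS_OUTPUT),
                                                    WEB_SERVER_BASELINE):
        print(f"{addr}:{port:<5} {proc:<8} {reason}")
```

On a live host, feed the real `ss -tlnp` output to `parse_ss_output`. Every finding should either be disabled or added to the role baseline with a documented justification. Loopback-only listeners are reported with a lower-urgency label because they are unreachable from the network, but they still run code that has to be patched.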
  	
  
           	
  
    	
  
    	
  

D. Security Patching and Software Updates

All software, whether vendor applications or operating systems, needs to be checked at least once a week for the availability of security updates and patches. Check frequently with the vendor of any software that is run and sign up for updates from the vendors if possible.

Software and security updates should be automated to whatever extent is possible. A regular patching schedule should be implemented and all installed patches should be tested and documented.
  
           	
  

E. Auditing and Event Logging

Audit and event logs are used to ensure integrity, confidentiality and availability of information and resources, to investigate possible security incidents, monitor user or system activity and ensure compliance with the various laws and regulations applicable to your environment.

Logs are important in assessing or determining the cause of a compromise. At a minimum logging should keep track of access to applications, data and the server. Audit logs should be enabled on all servers and should be logged to a central or non-default location for review and storage.

E.g.: Review security logs for indicators of unauthorized access or use:

• Invalid logon attempts
• Unsuccessful attempts to access/modify data
• Attempts to alter security privileges or logs
• Server reboot/shutdown attempts
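The review described in the list above, as an added example that is not part of the original guidance: a Python script that runs over constructed syslog-style authentication lines and flags bursts of failed logins, a successful login from a source that just produced a burst, privilege-changing sudo commands, and reboot/shutdown events. The log lines, hostnames, addresses, thresholds and function names are all assumptions made for this illustration; the patterns match OpenSSH, sudo and systemd-logind message formats and would need adjusting for other software.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed syslog-style auth log lines for this example (host and addresses are fictitious).
SAMPLE_AUTH_LOG = """\
Mar 20 02:11:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 20 02:11:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar 20 02:11:05 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 20 02:11:07 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51033 ssh2
Mar 20 02:11:09 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51037 ssh2
Mar 20 02:11:40 web01 sshd[2218]: Accepted password for root from 203.0.113.45 port 51040 ssh2
Mar 20 02:12:15 web01 sudo:   jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar 20 08:30:00 web01 sshd[3001]: Failed password for jdoe from 10.20.30.40 port 40100 ssh2
Mar 20 08:30:12 web01 sshd[3002]: Accepted publickey for jdoe from 10.20.30.40 port 40101 ssh2
Mar 20 09:00:00 web01 systemd-logind[700]: System is rebooting.
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
# Commands that change accounts or privileges; extend the list to match local tooling.
PRIV_RE = re.compile(r"COMMAND=(?P<cmd>.*(?:usermod|useradd|visudo|/etc/sudoers|passwd).*)")
POWER_RE = re.compile(r"System is (?:rebooting|powering down)|shutdown\[")

Finding = Tuple[datetime, str, str]   # (timestamp, category, detail)


def parse_lines(text: str) -> List[Tuple[datetime, str, str]]:
    """Split syslog lines into (timestamp, host, message); malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Classic syslog stamps carry no year; strptime fills in 1900, which is
            # fine for the relative comparisons done here.
            rows.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["host"], m["msg"]))
    return rows


def review_auth_log(text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> List[Finding]:
    """Flag login bursts, logins following a burst, privilege changes and power events."""
    findings: List[Finding] = []
    failures = defaultdict(list)       # source address -> timestamps of failed logins
    burst_sources = set()
    for ts, _host, msg in parse_lines(text):
        failed = FAILED_RE.search(msg)
        if failed:
            src = failed["src"]
            failures[src].append(ts)
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                findings.append((ts, "failed-login burst",
                                 f"{len(recent)} failures from {src} within {window}"))
            continue
        accepted = ACCEPTED_RE.search(msg)
        if accepted:
            if accepted["src"] in burst_sources:
                findings.append((ts, "success after burst",
                                 f"{accepted['user']} from {accepted['src']}"))
            continue
        priv = PRIV_RE.search(msg)
        if priv:
            findings.append((ts, "privilege change", priv["cmd"].strip()))
            continue
        if POWER_RE.search(msg):
            findings.append((ts, "reboot/shutdown", msg))
    return findings


if __name__ == "__main__":
    for ts, category, detail in review_auth_log(SAMPLE_AUTH_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {category:<20} {detail}")
```

The single failed login by jdoe followed by a key-based success is deliberately not reported: one typo is noise, while five failures in eight seconds followed by an accepted password for root is the pattern worth paging on. Run this on the copy of the log held on the central log server rather than on the host itself, so that an intruder who has cleared local logs cannot hide the events.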
  
                       	
  

F. Access Control

Administrator access or logins to the server should be restricted to only those individuals that require this level of access. A user account should be created that has limited privileges for regular tasks. The Principle of Least Privilege should be followed. If a user does not require access then that access should be denied or restricted.

Passwords should meet complexity requirements and should include uppercase, lowercase, non-alphanumeric characters and numbers at a minimum.

All insecure or unencrypted remote access to the server should be restricted. Any service that requires the use of clear text passwords (e.g. FTP, Telnet) should be disabled. Do not log in to the system remotely as Administrator. All connections should be tunneled over SSH and any remote access products [PCAnywhere, VNC] should support encryption.
  
           	
  
G. Firewalls, File integrity monitoring and Antivirus

Use of software firewalls and antivirus software can further lock down and secure the server from malware and outside attacks and compromise.

Activate or configure the default firewall or install a 3rd-party firewall on each server. Windows, Linux and Mac servers have firewall software built in today, though it will still need to be activated and properly configured. This augments any network controls in place to prevent unwanted and malicious traffic.

Antivirus or antispyware software should be installed and configured.

File integrity checking software should also be considered as this allows monitoring of any changes to files or applications running on a server.
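As an added example (not part of the original guidance, and not the code of any particular product), the following Python script shows the core of what a file integrity checker does: it records a SHA-256 digest, size and permission bits for every regular file under a directory, and later reports files that were added, removed or changed. The `demo()` function builds a small constructed configuration tree in a temporary directory and tampers with it; the paths and contents there are illustrative only.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]   # (sha256 hex digest, size in bytes, permission bits)


def snapshot(root: str) -> Dict[str, Record]:
    """Record hash, size and mode of every regular file under root, keyed by relative path."""
    root_path = Path(root)
    records: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue                              # symlinks, sockets and devices are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = path.relative_to(root_path).as_posix()
            records[rel] = (digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return records


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots; a mode-only change counts as modified."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small config tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "ssh").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "motd").write_text("Authorized use only\n")
        baseline = snapshot(tmp)

        # Simulated tampering: weaken sshd, drop in a cron job, remove the login banner.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (etc / "motd").unlink()
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:<9} {', '.join(paths) or '-'}")
```

Two practical points the demo does not show: the baseline has to be taken from a known-good state (ideally right after the build from the default image in section B) and kept off the host, for instance on the central log server, because an intruder with root can rewrite a locally stored baseline as easily as the files it protects; and the comparison should be scheduled so that a report lands with the administrator, since an unread report is no control at all.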
  
           	
  

H. Encryption

Encryption of data should be used to provide additional security for data in transit and data at rest. Note that encryption may not be applicable or desired in all situations. If at all possible, data in transit that contains PHI or PII should be encrypted, e.g. using SFTP or SSH rather than FTP, and HTTPS instead of HTTP.

Backups of data should always be encrypted and never stored in plaintext. Files that contain sensitive data in shared storage locations should be encrypted in order to limit access.

If a server is in a location that cannot be physically secured then all data residing on the server should be encrypted.

Certain fields in databases that contain sensitive information should be encrypted in order to prevent access to the information by users not authorized to view that data.
  
           	
  

I. Backup

Regular, scheduled backups of each server's configuration, files and schema should be performed. These backups should be stored remotely.

Scheduled backups of all user data should be performed on a regular basis. All backups (disk or tape) should be stored in an encrypted format to prevent access to sensitive data in case of theft of the backup media.
  
           	
  




J. Vulnerability Scanning and remediation

All servers, regardless of function, must be assessed prior to being placed in a production environment. A network vulnerability scanner such as Nessus [http://www.tenablesecurity.com/solutions/] can be used for this purpose.

Additionally, the Information Security Group can perform these scans on request or if revalidation is required.

Scans should be performed after each upgrade or any major changes or installs in order to ensure that no vulnerabilities were introduced into the environment by the changes or upgrades.
  
           	
  

K. Web Applications & Websites

All websites and applications that collect, store or display sensitive data should be appropriately secured. This should include, but is not limited to, secure access (user/password authentication), encrypted access (SSL/HTTPS), and secure data storage and transmission. The website should not be hosted on a shared resource.

Regardless of the function of the website, secure coding practices should be followed and the site should, at a minimum, have measures in place for the prevention of the OWASP Top 10 web attacks and vulnerabilities. [http://www.owasp.org/index.php/Top_10_2007]

Vulnerability assessments of existing or new websites can be requested and will be performed by the Information Security Group.
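As an added example that is not part of the original guidance, the following Python snippet shows one OWASP Top 10 category, injection flaws, the way a code reviewer checks for it: a lookup that splices request input into the SQL text sits beside the parameterized form, and both are run against a constructed in-memory SQLite table. The table layout, rows, placeholder hashes and function names are assumptions made for this illustration.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows; the hash values are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("jdoe", "hash-of-jdoe-password", "user"),
         ("admin", "hash-of-admin-password", "admin")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Injectable: the request parameter is spliced into the SQL text, so a quote
    character in it terminates the literal and the rest is parsed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Hardened: the value is bound as a parameter and sent separately from the
    statement, so the database never parses the user's input as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology: returns every row through the vulnerable path, nothing through the safe one.
    bypass = "' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, bypass))
    print("safe:      ", safe_lookup(db, bypass))
    # UNION-based extraction: pulls password_hash out through the 'role' column.
    dump = "x' UNION SELECT username, password_hash FROM users--"
    print("vulnerable:", vulnerable_lookup(db, dump))
    print("safe:      ", safe_lookup(db, dump))
```

The same rule applies to every other place where untrusted input meets an interpreter (LDAP filters, shell commands, XPath): pass data through the API's binding mechanism rather than building the command string by hand, and treat any string concatenation near `execute` as a finding during review.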
  
           	
  
           	
  


IV. Workstation and End User Security

A. Workstation Security

Workstations or PCs require similar, if not stricter, controls than servers to be in place. Today workstations have network access, are used to access critical data, read email, browse the web and more. They have multiple 3rd-party applications installed and generally perform multiple functions.

This creates a far greater attack surface than that of a server.
  	
  
           	
  




1. Baseline Workstation Build

All managed workstations or consoles should make use of a standard build image that has been tested and secured accordingly. This image should lock down user privileges and administrator access, and contain antivirus and firewall software amongst other controls.

The Center for Internet Security Guide and Benchmark for Windows can be found here:

[http://www.cisecurity.org/bench_windows.html]
  	
  
           	
  

2. Security Patching and Software Updates

All software, whether vendor applications or operating systems, needs to be checked at least once a week for the availability of security updates and patches. Check frequently with the vendor of any software that is installed and sign up for updates from the vendors if possible.

Software and security updates should be automated to whatever extent is possible. A regular patching schedule should be implemented and all installed patches should be tested and documented.

If the system is not part of a managed domain and is not receiving updates from a central location (WSUS, SMS) then automatic updates should be turned on for the operating system and all applications.

All workstations accessing the CUMC/NYP network must meet the minimum standards required for access. This includes antivirus, antispyware and the latest operating system patches.

Workstations can be checked at the following URL to ensure that they meet this baseline:

[https://access-portal.cpmc.columbia.edu/authentication/_remotescan.html]
  
    	
  

3. Access Control

Workstations should not be run with either Domain or Local Administrator privileges.

Passwords should meet minimum complexity requirements and should include uppercase, lowercase, non-ASCII characters and numbers at a minimum.

If remote access to network resources is required then a VPN should be required to tunnel and protect all communications. CUMC/NYP make VPN access available through the following link:
[https://ssl.cpmc.columbia.edu]
  	
  
                           	
  	
  

4. Firewalls and Antivirus Software

Use of software firewalls and antivirus software can further lock down and secure the server from malware, outside attacks and compromise.

Activate or configure the default firewall or install a 3rd-party firewall on each workstation. Windows, Linux and Mac operating systems all have firewall software built in today, though it will still need to be activated and properly configured. This helps to prevent unwanted and malicious traffic.

Antivirus or antispyware software should be installed and configured.

Columbia University provides a license for Symantec Antivirus and makes the software available as a free download from the Columbia University website.
  
    	
  

5. Encryption [Folder, Disk and USB]

Any workstation that stores or accesses HIPAA related or PII data should make use of encryption.

Data being transferred or stored on USB drives should be encrypted and secured. The following document provides a list of encryption products that may be used to meet the encryption requirement.

[http://www.cumc.columbia.edu/it/about/security/encryption.html]
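Sections 2 through 5 above describe controls a workstation must satisfy (automatic or centrally managed updates, no standing administrator rights, password policy, an enabled firewall, current antivirus, disk encryption) but leave the check to the administrator. The script below is an added example written for this page; it is not part of the CUMC guidance or of any tool the document names. It is a read-only audit for a Windows 10/11 workstation run from an elevated PowerShell 5.1 or later session, and it assumes the standard Windows cmdlets and registry locations shown; the 30-day patch-age threshold and the decoding of the Security Center productState value are assumptions made here, not figures from the document.

```powershell
# Added example (not from the CUMC guidance): read-only workstation baseline
# audit. Each check records PASS/FAIL; nothing on the system is modified.
# Assumes Windows 10/11, PowerShell 5.1+, run from an elevated session.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    $findings.Add(("{0,-4} {1,-30} {2}" -f $status, $Control, $Detail))
}

# --- Section 4: host firewall must be enabled on every profile ---
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall ($($p.Name))" ($p.Enabled -eq 'True') `
        "Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
}

# --- Section 2: updates come from WSUS or local automatic updates stay on ---
$wuPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$wsusManaged = [bool]($wuPolicy -and $wuPolicy.WUServer)
$autoDisabled = [bool]($auPolicy -and $auPolicy.NoAutoUpdate -eq 1)
$updDetail = if ($wsusManaged) { "managed by WSUS $($wuPolicy.WUServer)" } else { 'not WSUS-managed; local automatic updates must stay on' }
Add-Finding 'Automatic updates' (-not $autoDisabled) $updDetail

$wuauserv = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
Add-Finding 'Windows Update service' ($wuauserv -and $wuauserv.StartType -ne 'Disabled') `
    "StartType=$($wuauserv.StartType), Status=$($wuauserv.Status)"

# Weekly check cadence from the text; 30 days without any hotfix is treated as a failure (assumed threshold).
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Finding 'Recent OS patch' ($patchAgeDays -le 30) "last hotfix $($latest.HotFixID) installed $patchAgeDays day(s) ago"

# --- Section 3: no standing local administrators beyond the built-in account ---
try {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $extra = @($admins | Where-Object { $_.Name -notmatch '\\Administrator$' -and $_.Name -notmatch '\\Domain Admins$' })
    $adminDetail = if ($extra.Count) { 'non-default members: ' + ($extra.Name -join ', ') } else { 'only built-in accounts' }
    Add-Finding 'Local admin membership' ($extra.Count -eq 0) $adminDetail
} catch {
    Add-Finding 'Local admin membership' $false "could not enumerate group: $($_.Exception.Message)"
}

# --- Section 3: password complexity and length from the effective local policy ---
$secpol = Join-Path $env:TEMP 'baseline-secpol.cfg'
secedit /export /cfg $secpol /quiet | Out-Null
$complexity = (Select-String -Path $secpol -Pattern '^PasswordComplexity\s*=\s*(\d)').Matches[0].Groups[1].Value
$minLength  = (Select-String -Path $secpol -Pattern '^MinimumPasswordLength\s*=\s*(\d+)').Matches[0].Groups[1].Value
Remove-Item $secpol -ErrorAction SilentlyContinue
Add-Finding 'Password complexity' ($complexity -eq '1') "PasswordComplexity=$complexity, MinimumPasswordLength=$minLength"

# --- Section 4: antivirus registered with Security Center, enabled and current ---
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) { Add-Finding 'Antivirus' $false 'no product registered with Security Center' }
foreach ($p in $av) {
    # productState is a packed integer; middle byte 0x10/0x11 = enabled, low byte 0x00 = definitions current
    # (commonly used decoding, assumed here; Microsoft does not document the field).
    $state   = '{0:X6}' -f $p.productState
    $enabled = $state.Substring(2, 2) -in @('10', '11')
    $current = $state.Substring(4, 2) -eq '00'
    Add-Finding "Antivirus ($($p.displayName))" ($enabled -and $current) "enabled=$enabled, definitions current=$current"
}

# --- Section 5: system drive encrypted (BitLocker is assumed as the product here) ---
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'Disk encryption' ($osVol.ProtectionStatus -eq 'On') `
        "BitLocker ProtectionStatus=$($osVol.ProtectionStatus), VolumeStatus=$($osVol.VolumeStatus)"
} catch {
    Add-Finding 'Disk encryption' $false 'BitLocker module unavailable or query failed'
}

# --- Report ---
$findings | ForEach-Object { Write-Output $_ }
$failCount = @($findings | Where-Object { $_ -like 'FAIL*' }).Count
Write-Output ''
Write-Output "$failCount control(s) failed the baseline."
exit ([int]($failCount -gt 0))
```

The script exits non-zero when any control fails, so it can be scheduled and its result collected centrally to document the weekly check the section calls for. It deliberately only reads state: remediation (turning the firewall on, enabling automatic updates, removing accounts from Administrators) belongs in the managed build image or group policy, not in an ad hoc audit script.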
  
                           	
  

6. Backup

Users should back up and archive any critical or personal data. This can be performed by backing up the data to a network share, an external drive or an online storage service.

Special care should be taken not to store any HIPAA or PII data in an unencrypted format.
  	
  


V. User Awareness Training

More and more attacks are directly targeting the user through fake websites, spam email and targeted phishing attacks.

Phishing attacks can be general and target a user's banking organization or can be targeted towards the
organization itself. For example, an email could request that a user provide a username and password to update their email quota.

NOTE: CUMC/NYP WILL NEVER ASK FOR A USER'S PASSWORD IN AN EMAIL.

Malicious websites linked to through spam emails are used to compromise user workstations and gain access to critical data through the use of keystroke loggers and other such methods.


VI. Training and Education Resources

General Security Training:
SANS401 Security Essentials
[http://www.sans.org/security-training/sans-security-essentials-bootcamp-style-61-mid]

Windows and Linux/Unix Security Training:
SANS505 Securing Windows
[http://www.sans.org/security-training/securing-windows-77-mid]

SANS506 Securing Linux/Unix
[http://www.sans.org/security-training/securing-linux-unix-76-mid]

Web Application Security Training:
SANS422 Defending Web Applications Security Essentials
[http://www.sans.org/security-training/defending-web-applications-security-essentials-1042-mid]


VII. Additional Resources and Links

HIPAA
Information and policies about the Health Information and Portability Act.
[http://www.cumc.columbia.edu/hipaa/]

New York State Information Security and Breach Notification Act
[http://www.oag.state.ny.us/bureaus/consumer_frauds/tips/id_theft_law.html]
[http://www.cscic.state.ny.us/security/securitybreach/]

ARRA Breach Notification Information
Information about the Breach Notification portion of the American Recovery and Reinvestment Act.
[http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf]
Subtitle D—Privacy, Sec. 13402. Notification in the case of breach.

Red Flag Rules
Rules requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
[http://ftc.gov/redflagsrule]
    	
  