...

  1. Where practicable, do not grant administrative or root/superuser privileges to end users.
    1. Commonly called LUA (least user access).
  2. Know where your data are.
    1. The tools listed below can help you locate sensitive data on your systems:
      1. Identity Finder, Spider, SENF, Find_SSNs
    2. Securely erase data if it is no longer needed.
      1. Information from the Electronic Frontier Foundation, DBAN
    3. Concentrate security resources on systems containing sensitive data.
  3. Microsoft Windows continues to be a major target; focus your efforts here first. Having said that, ensure the rest of your technology environment is also well managed.
    1. Install important security updates on all affected systems (Microsoft Windows, Apple Mac OS, Linux, Unix, etc.) as soon as practicable.
      1. The following tools can help you deploy updates: Secunia (.edu-specific information), BigFix, WSUS, Shavlik, VT WSUS
    2. Harden passwords to prevent password-guessing worms from infecting your systems via file sharing, RDP, etc.
      1. ADpasswordfilter
    3. Watch systems for new, unexplained listening network ports.
      1. Portinator
    4. Follow established best-practices for securing mission-critical systems or systems that store, process or transmit sensitive information.
      1. EDUCAUSE/Internet2 Information Security Guide
  4. Regularly participate in security training and awareness events.
    1. For IT staff:
      1. SANS Institute
      2. SANS Partnership Series (discounts for higher-ed)
      3. EDUCAUSE/Internet2 Security Professionals Conference
    2. For everyone else:
      1. EDUCAUSE Cybersecurity Awareness Resource Library
  5. Install and appropriately maintain end-point defenses.
    1. Use centrally managed anti-virus and anti-spyware software where appropriate.
      1. Microsoft System Center 2012 Endpoint Protection
    2. Enable and appropriately configure host-based firewalls where practicable. This is particularly important for outbound traffic.
      1. Enable Windows advanced firewall and push In/Out rules via group policy (if possible) for consistent application: link
    3. Install host-based intrusion prevention software where practicable.
      1. eEye Blink, McAfee Host Intrusion Prevention for Desktop, Symantec Critical System Protection, Check Point Endpoint Security, Cisco Security Agent
    4. Where feasible, make available protection software licensed for home use.
  6. Use an intrusion detection/prevention system where practicable.
    1. Snort, Bro, Fireeye, eEye, Tippingpoint
  7. Use DNS based protection where practicable.
    1. Sink-holes, OpenDNS, guidance from the MAAWG, host file
  8. Use web filtering software, services or appliances where practicable.
    1. Websense, Squid, Microsoft Forefront Threat Management Gateway
  9. Implement application white-listing where practicable.
      1. Bit9, CoreTrace, Savant, Windows 7 built-in AppLocker
  10. Know where you are vulnerable.
    1. Nessus, Nmap, Metasploit, Core, Canvas, Rapid7, SafetyNet
    2. Review status reports from available patch-management systems.
  11. Gather vulnerability and threat information from online sources.
    1. For vulnerabilities in software
      1. Secunia, National Vulnerability Database, SANS Top Cyber Security Risks
    2. For current threats
      1. SANS Internet Storm Center, F-Secure, Websense Security Labs, FireEye, M86 Security Labs, Malware Intelligence, Arbor Networks, Microsoft Security Response Center
  12. Monitor available logs and network activity for indicators of malicious software.
    1. Regularly check anti-virus logs.
    2. Regularly check DNS traffic for queries to known malware hosting domains.
    3. Subscribe to Shadowserver notifications for networks you manage.
    4. Centralize event log management and apply appropriate logic to identify out-of-spec results.
      1. Microsoft System Center Operations Manager
  13. Have a back-up strategy for your endpoints.
    1. Ensure the backup stream is encrypted over the wire.
  14. Make sure people can report problems to you.
    1. Are all your points of contact in whois current (e.g., for your domain, your IP blocks and your ASN)?
    2. Do you have RFC 2142 standard abuse-reporting addresses?
    3. If someone checks for your domain at www.abuse.net, will they find reasonable abuse reporting contacts listed?
  15. Know where to get help.
    1. Online malicious software analysis tools
      1. ThreatExpert, Anubis, CWSandbox, JoeBox
    2. Your local network team.
    3. Your local desktop support and/or server support team.
    4. Report domain names with bad whois information.
    5. Sign up for Google's hostmaster tools to scan your sites and report malware infections: link
    6. REN-ISAC
    7. US-CERT
    8. EDUCAUSE
  16. Share your knowledge.
    1. Submit new malware samples to your anti-virus vendor. Doing so may result in early/beta signature files to help with current problems.
      1. Learn what the submission process is for your vendor as soon as possible so you don't waste precious time during a crisis figuring out who to talk to and how to submit your sample.
    2. Submit new malware samples to VirusTotal.
    3. Participate in the REN-ISAC.
    4. Participate in EDUCAUSE.
    5. Participate in DShield.
  17. Ensure your incident management/response process is current.
    1. The following guidance is available from the Internet2 Computer Security Incidents working group: Security Incident Management Essentials
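Item 2 ("know where your data are") lists tools that locate sensitive data. The following Python script is an added example in the same spirit, not one of the tools named above and not part of this page: it walks a directory tree for candidate US Social Security Numbers, applies the SSA's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are never used) to cut false positives, and masks each finding so the report itself does not become another copy of the data. The sample files it scans are constructed inside a temporary directory.

```python
"""Locate candidate US Social Security Numbers in a directory tree.

Added illustration of the "know where your data are" step; it is not one of
the tools named on the page (Identity Finder, Spider, SENF, Find_SSNs), just
a small scanner in the same spirit. All sample files below are constructed.
"""
import re
import tempfile
from pathlib import Path

# NNN-NN-NNNN or NNN NN NNNN, not embedded in a longer digit run. The bare
# nine-digit form is deliberately left out: it matches far too many IDs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Structural rules published by the SSA: area 000, 666 and 900-999 are
    never issued, and group 00 / serial 0000 are never used."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text):
    """Return [(line_no, masked_value)] for every plausible SSN in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Mask the finding: the scan report must not become another
                # copy of the sensitive data it was meant to locate.
                hits.append((line_no, "***-**-" + serial))
    return hits


def scan_tree(root, suffixes=(".txt", ".csv", ".log")):
    """Walk root and return {relative_path: hits} for files with findings."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a constructed tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        # Constructed values: only the first data row passes the rules.
        (root / "hr" / "payroll.csv").write_text(
            "name,ssn\n"
            "alice,123-45-6789\n"
            "bob,000-12-3456\n"
            "carol,666-12-3456\n"
            "dave,987-65-4320\n"
            "erin,123-00-4567\n"
            "frank,123-45-0000\n"
        )
        # A ticket number must not be mistaken for an SSN; the value on
        # line 2 is structurally plausible and is reported.
        (root / "notes.txt").write_text(
            "Ticket 2023-11-2345 closed.\n"
            "Contact 555-23-4567 for follow-up.\n"
        )
        # Source files are outside the scanned suffixes and are skipped.
        (root / "script.py").write_text("x = '123-45-6789'\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for line_no, value in hits:
            print(f"{path}:{line_no}: {value}")
```

Extend `suffixes` to cover the file types you actually hold, and treat the report as sensitive in its own right: it tells an attacker where to look.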
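Item 3.3 asks you to watch for new, unexplained listening ports. The script below is an added example of how to do that with a baseline diff; it is not the Portinator tool named above and is not part of this page. It parses the text of `ss -Hlntup` (assumed column order: netid, state, recv-q, send-q, local address:port, peer address:port, process), compares a known-good snapshot with a current one, and reports sockets that appeared as well as sockets that vanished. Both snapshots are constructed sample output.

```python
"""Report listening sockets that were not present in an approved baseline.

Added illustration for the "watch for new unexplained listening ports" item;
it is not the Portinator tool named on the page. It reads the text of
`ss -Hlntup` (assumed column order: netid, state, recv-q, send-q,
local address:port, peer address:port, process); both snapshots below are
constructed sample output.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto port process")
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Turn ss output into a set of Listener(proto, port, process)."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        # Works for 0.0.0.0:22, [::]:22 and *:22 alike.
        port = int(local.rsplit(":", 1)[1])
        m = PROC_RE.search(line)
        # "?" means ss could not attribute the socket (e.g. run without
        # root); that is itself worth a look, not a reason to skip the line.
        process = m.group(1) if m else "?"
        listeners.add(Listener(proto, port, process))
    return listeners


def compare(baseline, current):
    """Return (new, missing): sockets absent from the baseline, and baseline
    sockets that have disappeared (a stopped service is also a finding)."""
    def key(l):
        return (l.proto, l.port)
    return sorted(current - baseline, key=key), sorted(baseline - current, key=key)


# Constructed snapshot taken when the host was known-good.
BASELINE_SNAPSHOT = """\
tcp   LISTEN 0 128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*  users:(("cupsd",pid=640,fd=7))
udp   UNCONN 0 0    0.0.0.0:68    0.0.0.0:*  users:(("dhclient",pid=501,fd=6))
"""

# Constructed later snapshot: an unknown daemon on 4444, an unattributed
# IPv6 UDP socket on 5353, and dhclient no longer listening.
CURRENT_SNAPSHOT = """\
tcp   LISTEN 0 128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*  users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0 5    0.0.0.0:4444  0.0.0.0:*  users:(("unknownd",pid=9921,fd=3))
udp   UNCONN 0 0    [::]:5353     [::]:*
"""


def audit():
    """Compare the two constructed snapshots; returns (new, missing)."""
    return compare(parse_ss(BASELINE_SNAPSHOT), parse_ss(CURRENT_SNAPSHOT))


if __name__ == "__main__":
    new, missing = audit()
    for l in new:
        print(f"NEW     {l.proto}/{l.port} owned by {l.process}")
    for l in missing:
        print(f"MISSING {l.proto}/{l.port} ({l.process})")
```

Store the baseline text with the host's build records and re-run the comparison from a scheduled job; the process name is part of the key on purpose, so the same port taken over by a different binary is reported as new.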
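Item 12 asks for regular checks of DNS traffic against known malware-hosting domains and for centralized log logic that flags out-of-spec results. The script below is an added example covering both, not part of this page: it reads query-log lines in a simplified BIND-style layout (constructed here), matches each queried name against a block list by whole labels (so `notbad.example` does not match `bad.example`), counts hits per client address, and flags clients above a threshold. The block list uses reserved example names only.

```python
"""Flag DNS queries for block-listed domains and count hits per client.

Added illustration for the "check DNS traffic for queries to known malware
hosting domains" and "apply logic to identify out-of-spec results" items.
The log lines follow a simplified BIND-style query-log layout and are
constructed; the block list holds reserved example names, not real domains.
"""
import re
from collections import Counter

# client [@0x...] <ip>#<port>: query: <name> IN <type> ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?([\d.]+)#\d+.*?query: (\S+) IN (\S+)")

# Constructed block list; a real one comes from the threat feeds listed above.
BLOCKED = {"bad.example", "c2.example.net"}


def normalize(name):
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return name.lower().rstrip(".")


def blocked_parent(name, blocked=BLOCKED):
    """Return the block-list entry covering name (exact match or any parent
    domain), or None. Matching is label-wise, not a string suffix test."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def scan_log(lines, blocked=BLOCKED):
    """Return (hits, per_client): hits as (client, qname, matched_entry),
    per_client as a Counter of hits per source address."""
    hits = []
    per_client = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. resolver status messages)
        client, qname, _qtype = m.groups()
        entry = blocked_parent(qname, blocked)
        if entry:
            hits.append((client, normalize(qname), entry))
            per_client[client] += 1
    return hits, per_client


def noisy_clients(per_client, threshold):
    """Out-of-spec rule: clients with at least `threshold` block-list hits,
    sorted by address, are candidates for isolation and cleanup."""
    return sorted(c for c, n in per_client.items() if n >= threshold)


# Constructed sample log lines.
SAMPLE_LOG = [
    "client 10.1.2.3#53412: query: www.university.example IN A + (10.0.0.2)",
    "client 10.1.2.3#53413: query: update.bad.example IN A + (10.0.0.2)",
    "client 10.1.2.9#40001: query: c2.example.net IN TXT + (10.0.0.2)",
    "client 10.1.2.9#40002: query: notbad.example IN A + (10.0.0.2)",
    "client 10.1.2.3#53414: query: BAD.example. IN A + (10.0.0.2)",
    "resolver priming query complete",
]


def demo():
    """Scan the constructed log; returns (hits, per_client)."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    hits, per_client = demo()
    for client, qname, entry in hits:
        print(f"{client} queried {qname} (matches {entry})")
    print("clients over threshold:", noisy_clients(per_client, 2))
```

Feed it the resolver's query log from your central log store rather than a local file, and keep the block list refreshed from the feeds listed under item 11; the label-wise match is what lets one entry cover every subdomain an infection cycles through.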

...