Office of Information Security


The Office of Information Security is your contact for questions about OSU's Information Security Policies and Procedures. Our mission is to raise OSU's standards and practices for secure computing.

To do this, the OIS coordinates with academic and administrative units to develop policy, benchmark and assess our level of risk, and educate and inform our community on best practices.

Security Policy

OSU's IT "security policy" is derived from two individual policies:

  • The Acceptable Use of Computing Resources policy, which describes the expected behavior for individuals using OSU network and computing resources, and
  • The University Data Management, Classification, and Incident Response policy, which identifies the various types of information at OSU, the means by which information is identified as requiring protection, the protections required, and the process that happens when a failure of those protections occurs. Additional information on the University Data Management, Classification, and Incident Response policy can be found here.


Reporting Security Issues
If you are the victim of a security-related issue, please use the following form to report it to the Office of Information Security.

Report an Incident

In-Person Security Awareness Training

The Office of Information Security provides security training for departments on campus that deal with Confidential and Sensitive Information, including Personally Identifiable Information (PII). To learn more about this training, or to schedule a training event for your department, please contact Dave Nevin, Chief Information Security Officer.

Resources for IT Professionals

The Office of Information Security is here to assist you in your efforts to keep your network resources protected. We offer Risk Assessment and Forensics services as well as vulnerability scanning. To learn more about the resources available for IT Professionals, please contact Bob Henry, Senior Security Analyst.

Baseline Standards of Care

This document defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.

These classifications are additive, meaning that a device needs to meet the standards of its classification level and those from any less restricted level also. Confidential information has the most restrictions, and unrestricted has the least. The classifications can be viewed here: http://is.oregonstate.edu/ois/data-classification-data-element

Standards of Care for Unrestricted Information:

Access to Unrestricted Information: No restriction for viewing, copying or printing. Departments determine protocol for modification of information.

Mobile Devices

(systems utilizing an operating system designed specifically for mobile devices. Examples would include Android, iOS, Windows Phone, Firefox OS, Sailfish OS, Tizen, Ubuntu Touch OS, Blackberry)

Recommended: Current operating system with updates turned on.

iPhone:

To make sure that your iPhone has the most current operating system, go into the Settings app and choose the General settings. Within that, choose the Software Update menu. From Settings > General > Software Update you can see whether you have the current version or whether an update is available. If there is one, simply follow its instructions to download and install it, which may require you to restart your phone.

iPad:

Android:

To make sure that your Android has the most current operating system, go into the Settings app and choose About phone. Under that, select the Software Update menu. From Settings > General > Software Update you can see whether you have the current version or whether an update is available. If there is an update, simply follow its instructions to download and install it, which will restart your phone.


Windows Phone:

Updating

When a software update is available for you to download, Microsoft will notify you so you can download it directly to your phone over a Wi-Fi or cellular data connection. (Your phone will need 3G or greater to download updates over a cellular data connection.)

Before you download and install an update:

  • Charge your phone. We won't perform the update unless your phone has sufficient power.
  • See "How can I minimize my data usage?" to learn more.
  • If you don't have enough storage space on your phone to get an update and you have an SD card inserted in your phone, we might be able to update your phone using the SD card. Support for using your SD card for updating your phone depends on your phone model and manufacturer.
  • See "Make room on my phone to update it".
How to download updates automatically
  1. Go to Settings > Phone update.
  2. Select the check box for downloading updates automatically.
Note:

Updates won't download if data settings on your phone prevent it. For example, both Data Sense and Battery Saver can limit how your phone uses data. To learn more, see Battery: making it last. (Not all mobile operators offer Data Sense.)

How to check for updates manually
  1. Go to Settings > Phone update.
  2. Tap Check for updates.
Note:

Windows Phone will let you know when new updates are available. If you check manually for an expected update and your phone appears to be up to date, it may be that it isn't available yet for your specific phone, mobile operator, or market.

Tip:

Have a Lumia phone? Check out the Microsoft Mobile Devices website to see if there's updated software for your phone model.

How to install an update:
  1. Go to Settings > Phone update, and then tap Download when prompted after checking for updates or receiving an update notification.
  2. Do one of the following:
  • Tap Show details, and then tap Install. Your phone will restart, and then install the update.
  • Go back to Settings > Phone update later to install the update.
  • Tap Preferred install time, and then choose a time to install the update. (Scheduling an update is available after updating to Windows Phone 8.1 Update build 8.10.14203.206.)

Note: It usually takes 5 to 10 minutes to install an update, but it could take longer depending on the number of apps you've got installed on your phone.

  3. After your phone restarts, wait for it to migrate your settings, and then tap Done to finish the update.

http://www.windowsphone.com/en-us/how-to/wp8/basics/how-do-i-update-my-phone-software

Apple OS X systems

Recommended: Patched and officially supported version of the operating system, current antivirus client, and user name and password required for all accounts.

Updating the OS:

To ensure that your operating system is up to date click on the apple icon in the upper left corner of your screen and select “About This Mac”. The following window will open up, in which you then click on “Software Update…”

This will then launch the App Store, where a software update will appear if there is one. Simply hit “Update” next to it to begin the update process. Be aware that this may require your computer to restart.

You can then check that it was successful by opening “About This Mac” again and seeing the new version listed.

Password protection:

To enable or update your password protection settings hit the apple icon in the upper left corner of your screen and select “System Preferences…”. This will open the window below, on which you then want to click “Security & Privacy”.

Within that you want to click on the lock icon in the bottom left corner of the menu, which will prompt you to enter your password, and unlock all of the options.

Now you can change your password, change the time before it’s required, and disable automatic lock.

Antivirus:

If your computer is University owned it should already have System Center Endpoint Protection installed. You can manage the settings and preferences by clicking on the icon in the upper right corner of your screen.

If your computer is not university owned then simply purchase an antivirus software of your choice and follow their instructions to get it set up.

Linux (or similar) systems (end-user workstations)

Recommended:

Patched/current version

Updating the System

There is one thing to understand about updating Linux: not every distribution handles this process in the same fashion. In fact, some distributions are distinctly different, down to the file types they use for package management.

  • Ubuntu and Debian use .deb
  • Fedora, SuSE, and Mandriva use .rpm
  • Slackware uses .tgz archives which contain pre-built binaries
  • And of course there is also installing from source or pre-compiled .bin or .package files.

We will cover the Ubuntu and Fedora systems using both the GUI as well as the command line tools for handling system updates.

Ubuntu Linux

Ubuntu uses two different tools for system update:

  • apt-get: Command line tool.
  • Update Manager: GUI tool.

Figure 1: Ubuntu Update Manager.

The Update Manager is a nearly 100% automatic tool. With this tool you will not have to routinely check to see if there are updates available. Instead you will know updates are available because the Update Manager will open on your desktop (see Figure 1) as soon as updates are available, on a schedule that depends upon their type:

  • Security updates: Daily
  • Non-security updates: Weekly

If you want to manually check for updates, you can do this by clicking the Administration sub-menu of the System menu and then selecting the Update Manager entry. When the Update Manager opens click the Check button to see if there are updates available.

Figure 1 shows a listing of updates for a Ubuntu 9.10 installation. As you can see there are both Important Security Updates as well as Recommended Updates. If you want to get information about a particular update you can select the update and then click on the Description of update dropdown.

In order to update the packages follow these steps:

  1. Check the updates you want to install. By default all updates are selected.
  2. Click the Install Updates button.
  3. Enter your user (sudo) password.
  4. Click OK.

The updates will proceed and you can continue on with your work. Now some updates may require either you to logout of your desktop and log back in, or to reboot the machine.

Once all of the updates are complete the Update Manager main window will return reporting that Your system is up to date.

Figure 2: Updating via command line

Now let's take a look at the command line tools for updating your system. The Ubuntu package management system is called apt. Follow these steps to run it:

  1. Open up a terminal window.
  2. Issue the command sudo apt-get update.
  3. Then the command sudo apt-get upgrade.
  4. Enter your user's password.
  5. Look over the list of available updates (see Figure 2) and decide if you want to go through with the entire upgrade.
  6. To accept all updates click the 'y' key (no quotes) and hit Enter.
  7. Watch as the update happens.

That's it. Your system is now up to date. Let's take a look at how the same process happens on Fedora (Fedora 12 to be exact).

Fedora Linux

Fedora is a direct descendant of Red Hat Linux, so it is the beneficiary of the Red Hat Package Management system (rpm). Like Ubuntu, Fedora can be upgraded by:

  • yum: Command line tool.
  • GNOME (or KDE) PackageKit: GUI tool.

Figure 3: GNOME PackageKit.

Depending upon your desktop, you will either use the GNOME or the KDE frontend for PackageKit. In order to open up this tool you simply go to the Administration sub-menu of the System menu and select the Software Update entry. When the tool opens (see Figure 3) you will see the list of updates. To get information about a particular update all you need to do is to select a specific package and the information will be displayed in the bottom pane.

To go ahead with the update click the Install Updates button. As the process happens a progress bar will indicate where GNOME (or KDE) PackageKit is in the steps. The steps are:

  1. Resolving dependencies.
  2. Downloading packages.
  3. Testing changes.
  4. Installing updates.

When the process is complete, GNOME (or KDE) PackageKit will report that your system is up to date. Click the OK button when prompted.

Now let's take a look at upgrading Fedora via the command line. As stated earlier, this is done with the help of the yum command. In order to take care of this, follow these steps:

Figure 4: Updating with the help of yum.

  1. Open up a terminal window (Do this by going to the System Tools submenu of the Applications menu and select Terminal).
  2. Enter the su command to change to the super user.
  3. Type your superuser password and hit Enter.
  4. Issue the command yum update and yum will check to see what packages are available for update.
  5. Look through the listing of updates (see Figure 4).
  6. If you want to go through with the update enter 'y' (no quotes) and hit Enter.
  7. Sit back and watch the updates happen.
  8. Exit out of the root user command prompt by typing "exit" (no quotes) and hitting Enter.
  9. Close the terminal when complete.

Your Fedora system is now up to date.

https://www.linux.com/learn/tutorials/234011-linux-101-updating-your-system
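Before running the upgrade commands above, an administrator often wants to know what is outstanding, and in particular whether any pending packages are security updates. The following script is an added example (it is not from the OSU document or the linux.com tutorial): it parses the dry-run output of apt-get -s upgrade (-s is apt's simulate flag) and of yum check-update, and lists pending packages without installing anything. The sample output embedded in the block is constructed, with made-up version strings, so the script can be exercised offline; run it with --run on a real host.

```shell
#!/bin/sh
# pending_updates.sh -- added example; not from the OSU document or the
# linux.com tutorial. Reports pending packages without installing anything.

# apt_pending: read `apt-get -s upgrade` output on stdin and print one line
# per package that would be installed: "<pkg> <new-version> <origin>".
# Simulated apt prints "Inst <pkg> [<old>] (<new> <origin> [<arch>])" lines.
apt_pending() {
    sed -n 's/^Inst \([^ ]*\) \[[^]]*\] (\([^ ]*\) \([^ ]*\).*/\1 \2 \3/p'
}

# apt_security: same input, but only packages coming from a -security pocket.
apt_security() {
    apt_pending | awk '$3 ~ /-security/ { print $1 }'
}

# yum_pending: read `yum -q check-update` output on stdin and print
# "<pkg.arch> <version> <repo>" for each pending update. Lines under the
# "Obsoleting Packages" heading are a different list and are skipped.
yum_pending() {
    awk '/^Obsoleting Packages/ { exit } NF == 3 { print $1, $2, $3 }'
}

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
SAMPLE_APT='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.2.3-1] (1.2.3-2 Ubuntu:20.04/focal-security [amd64])
Conf libssl1.1 (1.2.3-2 Ubuntu:20.04/focal-security [amd64])
Inst vim [1:8.1-1] (1:8.1-2 Ubuntu:20.04/focal-updates [amd64])
Conf vim (1:8.1-2 Ubuntu:20.04/focal-updates [amd64])'

# Constructed sample of `yum -q check-update` output (versions are made up).
SAMPLE_YUM='
openssl.x86_64      1:1.0.2-1.el7      updates
kernel.x86_64       3.10.0-1.el7       updates
Obsoleting Packages
    grub2.x86_64    1:2.02-1.el7       updates'

if [ "${1:-}" = "--run" ]; then
    if command -v apt-get >/dev/null 2>&1; then
        apt-get -qq update && apt-get -s upgrade | apt_pending
    elif command -v yum >/dev/null 2>&1; then
        # yum itself exits 100 when updates are available, 0 when none, 1 on error.
        yum -q check-update | yum_pending
    else
        echo "no supported package manager found" >&2
        exit 2
    fi
fi
```

The security-pocket split only works on Debian/Ubuntu origins; on yum systems the equivalent is the "yum --security check-update" plugin, which is not parsed here.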

Current antivirus client (or equivalent)

Open Source Antivirus

  • ClamAV Antivirus

Free (gratis) version of proprietary Antivirus

  • Comodo Anti-Virus for Linux. 32- and 64-bit releases for 12.04 available.
  • UbuntuGeek (Avast instructions). Avast's product key didn't work so we contacted the company & are awaiting their response.
  • AVG in Ubuntu.
  • Avira's Linux product will be terminated in June of 2016 for prior existing users.
  • Panda Cloud Cleaner (the updated version is still very useful).
  • XFProt. I have not tried the GUI front-ends.
  • http://en.wikipedia.org/wiki/Linux_malware#Anti-virus_applications

Username and password required for all accounts.

You can change/make a password with the “passwd” command in a terminal window.

Microsoft Windows (PCs/Workstations)

Recommended: Patched and supported version of the operating system, current antivirus client, username and password required for all accounts.

Patches: In order to make sure your Windows workstation is patched, open up the Start menu. In the search field type in “Windows Update” and click on the program.

Patching


In here you will either see that Windows is up to date or what updates are available to be installed.

Supported versions: As of this writing, anything above Windows XP is still supported by Microsoft. Windows Vista support will be dropped 4/11/2017.

Antivirus:

Windows 7: To find out if you have antivirus installed, click the Start button and open the Control Panel. Then click System and Security. There will then be an option to click “Review your computer’s status”; in there you will be able to see if you have virus protection or not. NOTE: Some antivirus products don’t report themselves to Windows. If you believe that you have antivirus installed, simply search for it on your computer and make sure that it runs even if it isn’t being reported to Windows.


Server Operating Systems

Linux (or similar), OS X:

Required: Patched and supported version of the operating system, username and complex password required for all accounts, all unused services disabled, system dedicated to server functions only (no web browsing, etc.)

Microsoft Windows:

Required: Patched and supported version of the operating system, current antivirus client, login required by GPO, use of service accounts only, complex passwords with minimum length, system dedicated to server functions only (no web browsing, etc.)

Standards of Care for Sensitive Information:

Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information plus:

Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.

Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Mobile Devices

Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.

Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.

Android:

Lock screen

To set a lock screen and passcode perform the following steps. Open the Settings app and then enter the Security menu. In there select Screen lock. Choosing anything other than “None” or “Swipe” will both enable the lock screen and provide a sufficient passcode.


Disable notifications on locked screen:

To disable notifications on the lock screen enter the Settings app and then tap on Sound & notification. In here scroll down until you find the Notification section. Tap on “When device is locked” and switch to “Don’t show notifications at all”.


Encrypting device

Note: This only applies to devices running Android 5.0 (Lollipop) and above. Some older devices also support encryption but it will be device specific.

To encrypt your device open the settings app and tap on security. There will be an “Encrypt phone” option. Tap on this and then read through the information. Tapping the encrypt phone button will begin the encryption process.


Encrypting SIM

To encrypt your SIM card enter the Settings app and then tap on Security. You will find a section called “SIM card lock”; tap this. In this menu tap Lock SIM card. You will then be able to change the PIN to your choosing.


iPhone:

Setting a lock screen and passcode:

To set or change your passcode go into the Settings app and select “Touch ID & Passcode”. Within that hit “Turn Passcode On” to create one. If you already had one you’ll be prompted to enter it first. When you choose to turn it on or change it you can choose which type of passcode you’d like. You can use the simple 4-digit numeric code, or opt for the more secure option of setting your own passcode of the length you choose. After setting your new passcode we recommend testing it out a few times to make sure you remember it.

Notifications on Lock Screen disabled:

To disable notifications on the Lock Screen simply toggle the “Notifications View” switch to deactivate it and any others you’d like turned off.

Encrypting the SIM:

To encrypt the SIM go into the settings app, select Phone, and then SIM PIN. IMPORTANT: The PIN number is network provided and you should not activate the switch without already knowing the PIN!

Windows phone

Required: Passcode required.

Setting or changing a password

Windows Phone 8

  1. From the home screen, tap Settings, and then select lock screen.
  2. Scroll down to "Password". To set a password for the first time, slide the "Password" bar to On.
  3. To change your password, tap change password. Enter your current password in the "Current password" field.
  4. Enter your new password in the "New password" field, and then reenter it in the "Confirm password" field. Tap done.

To set a time limit for the screen timeout, on the "lock" screen, tap the "Screen times out after" field, and then select the time limit you want.

https://kb.iu.edu/d/bcja


Lock screen enabled.

Notifications on locked screen disabled.

To see notifications when your phone is locked

  1. Go to Settings > Notifications + actions.
  2. Clear the "Show notifications in action center when my phone is locked" check box. (Selecting it shows notifications on the lock screen; the standard above requires them disabled, so leave it cleared.)

Device encryption enabled:

To enable the encryption on a Windows Phone 8 or Windows Phone 8.1 device you first have to enable it within a "mobile device mailbox policy" on the Exchange server.

Perform the following steps on your Exchange Server:

  • Connect to the Exchange admin console
  • On the left hand side Go to "mobile"
  • In the window on the right click on "mobile device mailbox policies"
  • Edit the "Default" policy or create a new one
  • When pressing the "Edit" button a pop-up window appears
  • Click on "security"
  • Enable the checkbox for "Require encryption on device"
  • Save the changes

Perform the following steps on your SMC Server:

  • Connect to the Sophos Mobile Control admin web console
  • Log in to your SMC customer with an administrative user
  • Go to "Profiles | Windows Phone 8"
  • Edit a profile containing your Exchange configuration
  • Press the "Add configuration" button
  • Select "Restrictions" and click "Next"
  • Select the checkbox for "Forbid unencrypted device"
  • Click "Apply"
  • Press "Save"

Now you have configured everything on your Exchange and Sophos Mobile Control server to make sure a Windows Phone 8 device is using the built-in encryption functionality.

Please be aware that there won't be any progress shown indicating the encryption on the mobile device.

How to verify if encryption is turned on on the mobile device

  • On the Windows Phone 8 device, open "Settings"
  • Open "storage sense"
  • An overview will be shown regarding your storage usage
  • Below the "phone" section the amount of used space is shown e.g. like this "2.80 GB used, encrypted"
  • The "encrypted" indicates that encryption is active. If "encryption" is missing the encryption functionality is not used

https://www.sophos.com/en-us/support/knowledgebase/122752.aspx

Data on removable devices (SIM, SD card, etc.) encrypted.

Recommended: factory OS intact (jailbreaking or rooting not allowed), Bluetooth file sharing disabled.

Apple OS X

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and applications configured for auto update unless centralized patch management is implemented by the cognizant OSU IT support team, password complexity enabled, remote access restricted.

Recommended: Gatekeeper enabled and configured to allow applications from App Store and Identified Developers only.

For all of the following you’ll want to click the apple icon in the upper left corner and select the “System Preferences…” menu.

Firewall:

To turn the firewall on select “Security & Privacy” and click the Firewall tab. Then click the lock in the bottom corner and enter your password to allow changes. Once that’s done you can select “Turn On Firewall” and the icon should turn green, indicating it is now on.

Disabling Unused startup services:

To disable services you don’t need to launch upon startup, select the “Users & Groups” menu and uncheck any ones you don’t want.

Disabling Printer and File Sharing:

To disable the sharing of devices and data, go to the “Sharing” menu and deselect any that may be turned on.

Auto-update:

To configure auto-updates choose the “App Store” menu and make sure that “Automatically check for updates” is checked.

Gatekeeper to allow App Store and Identified Developers only:

Under the “Security & Privacy” menu, in the “General” tab, make sure that the “Mac App Store and identified developers” radio button is selected.

Linux (or similar) workstations

Required:

Host-based firewall active,

About iptables

iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn’t find one, it resorts to the default action.

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

sudo apt-get install iptables

There are GUI front-ends such as Firestarter, but iptables isn’t really that hard once you have a few commands down. You want to be extremely careful when configuring iptables rules, particularly if you’re SSH’d into a server, because one wrong command can permanently lock you out until it’s manually fixed at the physical machine.

Types of Chains

iptables uses three different chains: input, forward, and output.

Input– This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward– This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

There’s one sure-fire way to check whether or not your system uses/needs the forward chain.

iptables -L -v

Sample output from that command, taken from a server that had been running for a few weeks with no restrictions on incoming or outgoing connections, showed that the input chain had processed 11GB of packets and the output chain 17GB. The forward chain, on the other hand, had not needed to process a single packet. This is because the server isn’t doing any kind of forwarding or being used as a pass-through device.

Output– This chain is used for outgoing connections. For example, if you try to ping howtogeek.com, iptables will check its output chain to see what the rules are regarding ping and howtogeek.com before making a decision to allow or deny the connection attempt.

The caveat

Even though pinging an external host seems like something that would only need to traverse the output chain, keep in mind that to return the data, the input chain will be used as well. When using iptables to lock down your system, remember that a lot of protocols will require two-way communication, so both the input and output chains will need to be configured properly. SSH is a common protocol that people forget to allow on both chains.

Policy Chain Default Behavior

Before going in and configuring specific rules, you’ll want to decide what you want the default behavior of the three chains to be. In other words, what do you want iptables to do if the connection doesn’t match any existing rules?

To see what your policy chains are currently configured to do with unmatched traffic, run the iptables -L command.

(The original guide piped that output through grep for cleaner reading; in its example the chains were configured to accept traffic.)

If you want to deny all input connections and manually specify which ones you want to allow to connect, change the default policy of your chains to DROP. Doing this would probably only be useful for servers that contain sensitive information and only ever have the same IP addresses connect to them.

iptables --policy INPUT DROP

iptables --policy OUTPUT ACCEPT

iptables --policy FORWARD ACCEPT

Connection-specific Responses

With your default chain policies configured, you can start adding rules to iptables so it knows what to do when it encounters a connection from or to a particular IP address or port. In this guide, we’re going to go over the three most basic and commonly used “responses”.

Accept– Allow the connection.

Drop– Drop the connection, act like it never happened. This is best if you don’t want the source to realize your system exists.

Reject– Don’t allow the connection, but send back an error. This is best if you don’t want a particular source to connect to your system, but you want them to know that your firewall blocked them.

The best way to show the difference between these three rules is to show what it looks like when a PC tries to ping a Linux machine with iptables configured for each one of these settings.

Allowing the connection:

Dropping the connection:

Rejecting the connection:

Allowing or Blocking Specific Connections

With your policy chains configured, you can now configure iptables to allow or block specific addresses, address ranges, and ports. In these examples, we’ll set the connections to DROP, but you can switch them to ACCEPT or REJECT, depending on your needs and how you configured your policy chains.

Note: In these examples, we’re going to use iptables -A to append rules to the existing chain. iptables starts at the top of its list and goes through each rule until it finds one that it matches. If you need to insert a rule above another, you can use iptables -I [chain] [number] to specify the number it should be in the list.

Connections from a single IP address

This example shows how to block all connections from the IP address 10.10.10.10.

iptables -A INPUT -s 10.10.10.10 -j DROP

Connections from a range of IP addresses

This example shows how to block all of the IP addresses in the 10.10.10.0/24 network range. You can use a netmask or standard slash notation to specify the range of IP addresses.

iptables -A INPUT -s 10.10.10.0/24 -j DROP

or

iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

Connections to a specific port

This example shows how to block SSH connections from 10.10.10.10.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

You can replace “ssh” with any protocol or port number. The -p tcp part of the code tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead.

This example shows how to block SSH connections from any IP address.

iptables -A INPUT -p tcp --dport ssh -j DROP

Connection States

As we mentioned earlier, a lot of protocols are going to require two-way communication. For example, if you want to allow SSH connections to your system, the input and output chains are going to need a rule added to them. But, what if you only want SSH coming into your system to be allowed? Won’t adding a rule to the output chain also allow outgoing SSH attempts?

That’s where connection states come in, which give you the capability you’d need to allow two way communication but only allow one way connections to be established. Take a look at this example, where SSH connections FROM 10.10.10.10 are permitted, but SSH connections TO 10.10.10.10 are not. However, the system is permitted to send back information over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

Saving Changes

The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:

Ubuntu:

Note that iptables-save only writes the current rules to standard output; to keep them across a reboot, redirect them into the file that the iptables-persistent package restores at boot:

sudo sh -c '/sbin/iptables-save > /etc/iptables/rules.v4'

Red Hat / CentOS:

/sbin/service iptables save

Or

/etc/init.d/iptables save

Other Commands

List the currently configured iptables rules:

iptables -L

Adding the -v option will give you packet and byte information, and adding -n will list everything numerically. In other words – hostnames, protocols, and networks are listed as numbers.

To clear all the currently configured rules, you can issue the flush command.

iptables -F

http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
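The following script is an added example (it is not from the OSU document or the howtogeek guide) that puts the pieces above together into a host firewall for a workstation. It emits the rules in the order they must be applied: loopback and already-established traffic are accepted first, new SSH sessions are admitted only from an assumed management range (MGMT_NET is a placeholder), and the INPUT policy is switched to DROP last, so an administrator working over SSH is not locked out part-way through, which is the caveat the guide raises. It uses the conntrack match, the current equivalent of the -m state match shown above, and sets FORWARD to DROP because a workstation does no routing (the guide's ACCEPT there is for routers). With no argument it only prints the rules for review; --apply runs them as root and saves them for the next boot.

```shell
#!/bin/sh
# host_firewall.sh -- added example of the workstation INPUT policy
# described above; not part of the OSU document or the howtogeek guide.
# MGMT_NET is an assumed placeholder: the only range allowed to open SSH.
MGMT_NET="${MGMT_NET:-10.10.10.0/24}"

# firewall_rules NET: print the rule set, one iptables command per line,
# in the order it must run. Accept rules come first and the INPUT policy
# is switched to DROP last, so a live SSH session survives: its return
# packets match ESTABLISHED before the default policy is ever reached.
firewall_rules() {
    net=$1
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $net -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
EOF
}

# check_order: read a rule list on stdin and succeed only if the
# ESTABLISHED accept rule appears before the INPUT DROP policy.
check_order() {
    awk '/ESTABLISHED/ && !e { e = NR }
         /-P INPUT DROP/  { d = NR }
         END { exit !(e && d && e < d) }'
}

# apply_rules NET: verify the order, run each command (stopping at the
# first failure), then persist the result for iptables-persistent.
apply_rules() {
    firewall_rules "$1" | check_order || { echo "rule order is wrong" >&2; return 1; }
    firewall_rules "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    mkdir -p /etc/iptables && iptables-save > /etc/iptables/rules.v4
}

case "${1:-}" in
    --apply) apply_rules "$MGMT_NET" ;;
    *)       firewall_rules "$MGMT_NET" ;;
esac
```

The echo-request rule keeps the machine answerable to ping for monitoring; drop that line if the workstation should not respond at all. Because OUTPUT stays ACCEPT, the separate OUTPUT rule for SSH return traffic shown in the guide is not needed here.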

lock screen installed/enabled,

auto login disabled,

1. Open /etc/profile and append the TMOUT variable, as in the example below:

export TMOUT=600 # 10 minutes in seconds

typeset -r TMOUT

This sets the time-out to 600 seconds (i.e. 10 minutes); typeset -r makes the variable read-only so users cannot change it. Save the file and exit.

2. Alternatively, create the file /etc/profile.d/sessiontimout.sh and put the same two lines in it:

export TMOUT=600 # 10 minutes in seconds

typeset -r TMOUT

Now save and exit the file.

As this is a script, its permissions must be changed too (as root):

chmod +x /etc/profile.d/sessiontimout.sh

How to accomplish this for individual users?

Ans :We can edit ~/.bashrc file as given below.

Open ~/.bashrc file for a given user and write below two line into it.

TMOUT=600

export TMOUT

Save the file and source it as given below.

source ~/.bashrc

http://www.linuxnix.com/how-to-auto-logout/

any unused services disabled,

Check for unused services in /etc/init.d with ls /etc/init.d, or with systemctl list-unit-files on systemd systems.

file and print sharing disabled

File sharing is disabled by default on most Linux distributions, but if Samba is installed you can stop it with sudo /etc/init.d/samba stop or sudo systemctl stop samba (the systemd unit is named smbd on Debian/Ubuntu and smb on Red Hat/CentOS). Stopping a service only lasts until the next boot; to keep it off, also disable it, e.g. sudo systemctl disable smbd.

OS and apps configured to auto update unless centralized patch management is implemented by the cognizant OSU IT support team,

remote access restricted.

See confidential section

Microsoft Windows (PCs/Workstations)

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and apps configured to auto update (or suitable alternative), remote access restricted.

Firewall:

To check if your firewall is active in Windows, open the Control Panel and type “Windows Firewall” into the search box, then select Windows Firewall under the Control Panel section. You will then be presented with the current state of your Windows Firewall. If you have a firewall provided by another antivirus product, you will need to look up with that product how to check whether its firewall is active.

windows_firewall.png

Lock screen enabled:

To make sure the authentic Windows login screen appears, turn on the requirement to press Ctrl+Alt+Delete. To do this, bring up the Start menu and go into the Control Panel. Then click on User Accounts, then again on User Accounts. As an admin you will then be presented with the option to manage user accounts; click on this. Under the Advanced tab you can then enable secure logon by checking the box that says “Require users to press Ctrl+Alt+Delete”.

ctrl_alt_delete.PNG

Auto Login:

To disable autologin on a Windows machine, first open the Start menu and then enter the Control Panel. Then in the Control Panel click on User Accounts. Again click on User Accounts and then Manage User Accounts. In this window, if there is the option for autologin, there will be a check box near the top of the screen with the text “Users must enter a username and password to use this computer”. Check this box to disable autologin. If this checkbox doesn’t exist, autologin is already permanently disabled.

auto_login.PNG

File and Printer sharing:

To disable file and printer sharing Go to Start > Control Panel > Network and Internet > Network and Sharing Center and click the link for Advanced sharing settings. On this page make sure to Turn off file and printer sharing. Also make sure to turn off public folder sharing and network discovery.

sharing.PNG

Windows auto-update:

To enable windows autoupdating: Start> Control Panel > Turn automatic updating on or off (Under Windows Update). In here change the value to Install updates automatically

auto_update.PNG

Remote access:

To change settings related to remote access: Start > Control Panel > System and Security > System > Remote Settings. To disable Remote Assistance, uncheck the box at the top, and select “Don’t allow connections to this computer” to disable Remote Desktop. If remote access is a must, select “Allow connections only from computers running Remote Desktop with Network Level Authentication” and then select the users that can use remote access, limiting the selection to only those that need it.

remote_desktop.PNG

Server Operating Systems

Linux (or similar), OS X:

Required: Remote access restricted, remote root login disabled, insecure connection services (Telnet, FTP, etc.) restricted, latest stable service software installed (SSH, TLS, etc.), host-based firewall active with unneeded traffic disabled (IPTables or equivalent), access lockout if available from off campus (fail2ban or equivalent), password age and complexity enabled, authentication and security logs enabled with logs retained for a minimum of one month (use of logrotate encouraged), specific logs for server application (mail, web server, dbase) enabled and retained, quarterly vulnerability scan performed and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.

Recommended: located behind physical firewall or equivalent device.

Microsoft Windows:

Required: Network Level Authentication for Remote Desktop Services (via GPO), Local admin account (and any other well known SIDs) disabled, host-based firewall active with unneeded traffic disabled, password complexity/age enforced by local or GPO, unused services disabled, automated security updates subject to GPO, auditing enabled and security and system logs retained for a minimum of one month, specific logs for server applications (exchange, mssql, etc.) enabled and retained, quarterly vulnerability scan and found vulnerabilities addressed. Transmission of sensitive information requires the use of TLS v 1.1 or higher.

Recommended: located behind physical firewall or equivalent device.

Standards of Care for Confidential Information:

Standards of Care for Confidential Information includes all recommendations and requirements for Unrestricted Information and Sensitive Information plus:

Access to Confidential Information:Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format.

Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee

Storage of Confidential Information on Paper or other physical media:Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.

Network Security:Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scan of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.

Transmission of Confidential Information: Under no circumstances shall Confidential Information be transmitted across an unsecured network in clear text. In particular, it should be noted that email is not by default an encrypted means of transmission and any Email containing confidential information is subject to this restriction.

For the occasional transfer of data via email, file attachments should be encrypted using, at a minimum, a 128-bit symmetric-key algorithm, such as the Advanced Encryption Standard (AES). Microsoft Office encryption meets this standard. Key (password) sharing must be through a different mechanism than that used for transmission, such as a phone call.

For departments that have a business need to transfer confidential information on a regular basis via email, the use of a program that utilizes both symmetric and asymmetric key encryptions, such as PGP or equivalent, is strongly recommended.

Mobile Devices

Required: University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.

iPhone:

Wipe Data after 10 Attempts:

Simply toggle the “Erase Data” switch.

Location Services Off:

To turn off Location services select the “Privacy” menu in the Settings app. Then hit “Location Services” at the top of that menu. Then simply toggle the switch to turn off all location services.

Android:

Lock screen after 5 minutes of inactivity:

In order to set your lock screen timeout launch the settings app. Then tap Display. In display you can set the Sleep setting. This must be after 5 minutes or less.

timeout.png

Wipe after failed login attempts:

This functionality is not built into Android. However, some devices like the Samsung Galaxy S5 have it built in, and any device can install the app Locker and set it up to wipe after failed logins, following this tutorial: http://nexus5.wonderhowto.com/how-to/make-your-android-auto-wipe-your-data-when-stolen-0157407/

Turn off location services:

To turn off location services enter the settings app and then Tap Location. You will be presented with a screen with a toggle on top. Toggle to off to disable location on the device.

timeout.png

Turn off cloud synchronization:

To turn off cloud syncronization on an android device open the settings app and then tap on Backup & reset. In here you can tap on “Back up my data” and turn it to off in order to disable the synchronization.

backup.png

Enabling remote lock:

Following the instructions at https://support.google.com/accounts/answer/3265955?hl=en you can use Android Device Manager to set up and manage remote wiping of your device.

256-bit symmetric key encryption: Android encryption currently only supports 128-bit encryption (https://source.android.com/security/encryption/)

Windows phone

Required: University-owned device,

Locked screen after 5 minutes of inactivity:

http://ccm.net/faq/35158-windows-phone-8-configure-the-screen-timeout-settings

long passcode, 256-bit symmetric-key device encryption

See

device must wipe data after 10 failed attempts,

By default

the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found,

use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device,

SIM card lock/PIN

To turn on SIM security

  1. > Call settings.
  2. Turn on SIM security.
  3. When prompted to Enter SIM PIN, enter the PIN for your SIM card by doing one of the following:
  • If this is the first time a PIN has been set for the SIM card in your phone, try typing 1234, and then tap Enter. 1234 is a common default PIN for some SIM cards. If that PIN doesn't work, contact your mobile operator for the correct default PIN.
  • If you previously set a PIN for the SIM card in your phone (even if the SIM card was in another phone when you did it), type your PIN, and then tap Enter. The message SIM PIN enabled displays briefly.

http://www.windowsphone.com/en-us/how-to/wp7/basics/use-a-pin-to-lock-my-sim-card

Location services off

To turn location services on or off

  1. > Location.
  2. on or off.

http://www.windowsphone.com/en-us/how-to/wp8/apps/location-awareness-and-my-phone

disable cloud synchronization for passwords and data,

syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited.

Enabled with exchange

Apple OS X

Required: University-owned device, 256-bit symmetric-key full-disk encryption (FileVault or equivalent), Locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, remote management for authorized accounts (OSU IT) only, Firmware password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Full disk encryption:

Administrator password to access system preferences and install software AND logout after 15 minutes:

To require the admin password select the “Advanced…” button at the bottom of the “Security & Privacy” page and check the box for it. Do the same for the automatic logout, and be sure to set it to at most fifteen minutes.

Linux (or similar) workstations

Required: University-owned device, 256-bit symmetric-key full-disk encryption

Full disk encryption is enabled at the time of installation, and cannot be enabled after the OS install has completed.

Locked screen saver after 15 minutes of inactivity, all sharing disabled

infrared port disabled
  1. Open a terminal
  2. run: for device in /sys/bus/usb/devices/*/product; do echo -n "$device "; cat "$device"; done
  3. look for the line containing "IR Receiver", in my case: /sys/bus/usb/devices/2-1.1/product IR Receiver The string you need from this step is "2-1.1"
  4. sudo emacs /etc/rc.local
  5. add this line right before "exit 0", replacing "2-1.1" with whatever you found in step 3: echo "2-1.1" | tee /sys/bus/usb/drivers/usb/unbind
  6. save and reboot
remote management for authorized accounts (OSU IT) only

BIOS password

  1. Power on the system. As soon as the first logo screen appears, immediately press the F2 key, or the DEL key if you have a desktop, to enter the BIOS.
  2. Use the arrow keys to navigate to Security or BIOS Security Features.
  3. Highlight Set Supervisor Password or Change Supervisor Password and press the ENTER key.
  4. You will be prompted to enter a password, and a second time to verify it. To create the password, use only alphanumeric characters like A-Z, a-z, 0-9.
  5. Press ENTER to confirm password creation.
  6. A message will appear stating Changes have been saved. Press ENTER to continue.
  7. Press the F10 key to save changes and restart the system.

Remote access restricted

Use public/private key pairs for authentication instead of passwords.

Generate a passphrase-protected SSH key for every computer that needs to access the server:

ssh-keygen

Permit public-key SSH access from the allowed computers:

Copy the contents of ~/.ssh/id_rsa.pub from each computer into individual lines of ~/.ssh/authorized_keys on the server, or run ssh-copy-id [server IP address] on every computer to which you are granting access (you'll have to enter the server password at the prompt.)

Disable password SSH access:

Open /etc/ssh/sshd_config, find the line that says #PasswordAuthentication yes, and change it to PasswordAuthentication no. Restart the SSH server daemon to apply the change (sudo service ssh restart.)

Now, the only possible way to SSH into the server is to use a key that matches a line in ~/.ssh/authorized_keys. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.
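A way to verify that the sshd_config edits above (and the "remote root login disabled" requirement from the server standard) actually took effect is to parse the file rather than eyeball it. The following is an added example, not code from this page or from OpenSSH; the sample configuration text is constructed, and the keyword defaults it assumes are those of current OpenSSH releases.

```python
"""Audit the sshd_config settings the text above requires (added example, not from the page)."""
from typing import Dict, List

# Keyword -> value required by the text: "remote root login disabled" and
# "disable password SSH access".
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
}

# What current OpenSSH uses when the keyword is absent or still commented out.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}

# Constructed sample: a fresh install where both keywords are still commented out,
# plus a Match block that must not be mistaken for the global setting.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

# The same file after the edits described above.
HARDENED_SSHD_CONFIG = SAMPLE_SSHD_CONFIG.replace(
    "#PermitRootLogin prohibit-password", "PermitRootLogin no"
).replace("#PasswordAuthentication yes", "PasswordAuthentication no")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global settings as lower-cased keyword -> value.

    sshd keeps the *first* value it reads for each keyword, so earlier lines win.
    Everything from the first Match line onward applies only to matching
    connections and is ignored here (a simplification of this example).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"; normalise the latter.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per non-compliant keyword; an empty list means compliant."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, wanted in REQUIRED.items():
        actual = settings.get(keyword, DEFAULTS[keyword])
        if actual.lower() != wanted:
            findings.append(f"{keyword} is '{actual}', required '{wanted}'")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The commented-out lines are the trap: a file that still says #PasswordAuthentication yes has not been hardened, because the commented default is what sshd actually applies. Run it against /etc/ssh/sshd_config after the restart, and remember that sshd -T prints the effective configuration if you want a second opinion from the daemon itself.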

use of administrator account for day-to-day access prohibited

Never log in as root; always use sudo for anything that requires administrative access.

require administrator password to access system preferences and install software

password complexity and length (min. of 14 characters)

To change your password in Linux execute the following command:

passwd

Password rotation

To require password changes every 180 days (6 months) you can run this command on any Linux machine.

sudo chage -M 180 [username]

Quarterly vulnerability scan and found vulnerabilities addressed:

Install Lynis and run a check on the system, address all warnings and errors. Adhere to all of the suggestions at the end of the report.

Microsoft Windows (PCs/Workstations)

Required: University-owned device, 256-bit symmetric-key full-disk encryption (Bitlocker or equivalent), locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, centralized remote management for authorized accounts (OSU IT) only, BIOS password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Encryption:

The recommended way to encrypt a Windows machine is with BitLocker. If you are using a Professional version of Windows, BitLocker is included.

To see if you have BitLocker already, search for “BitLocker” in the Start menu. If it is there, click on it. You will be brought to a page where you can turn on BitLocker for any particular drive.

Clicking “Turn on BitLocker” will begin the process of encrypting the drive.

Locked Screensaver:

To turn on a locked screensaver after 15 minutes, perform the following steps.

Open the Start menu and go to the Control Panel. Go to Appearance and Personalization and then Personalization. Then click on Screen Saver in the bottom right.

screensaver.PNG

After clicking there you will be presented with options. Make sure to set the time to 15 minutes and check the box that prompts for a login when resuming.

timing_saver.PNG

Sharing:

To disable all sharing on Windows, follow the same steps as for disabling file and printer sharing above, but in the same window also turn off public folder sharing and media streaming.

BIOS password:

Enabling a BIOS password is different for every BIOS. But in order to get to those settings you have to boot into the BIOS setup rather than into Windows. To do this you typically need to be pressing F2 during boot, although the key can change based on the manufacturer.

Server Operating Systems

Virtual Server Environments: All security controls apply both to the host and guest virtual machines in a virtual server environment. Cannot share the same virtual host environment with guest servers of other security classifications.

Physical Security: Must be hosted in a secure Data Center with Physical Access monitored, logged and limited to authorized individuals 24x7.

Backup Media:All backup media must be encrypted. If stored off-site, a secure location is required.

Linux (or similar), OS X:

Required: Field level encryption for protected fields in database, removable back-up media encrypted using 256-bit symmetric-key encryption, monthly authenticated vulnerability scans performed by Office of Information Security, authentication and security logs retained for six months and made available to Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality), annual security audit. Transmission of confidential information requires the use of TLS v 1.2 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use. Host-based software IDS/IPS.

Microsoft Windows:

Required: Field level encryption for protected fields in database, removable backup media encrypted using 256-bit symmetric-key encryption, use of Best Practice Analyzer, security and system logs retained for six months and made available to Office of Information Security, monthly authenticated vulnerability scans performed by Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner, based on criticality, annual security audit. Transmission of confidential information requires the use of TLS v 1.1 and cannot use self-signed certificates.

Recommended: system administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use, host-based software IDS/IPS.

Equifax Data Breach

Equifax Data Breach: Information for the OSU Community

Updated: September 11, 2017

On Thursday, September 7th, the credit monitoring company Equifax announced that it had been the victim of a data breach and that personally identifiable information—including social security numbers, birth dates, and addresses—of 143 million Americans was accessed.

The impact is great: nearly half of the current US population’s data was leaked. The number exceeds the number of US households. If you’ve applied for any credit in the digital age, you’re likely included in that number.

What should I do to protect myself?

  1. Expect an increased amount of Phishing emails about the Equifax breach.

    Do not click on any links, or open any attachments, in emails about the breach. If you do, please contact your IT support team immediately.

    Also, please send all phishing emails you receive (using forward as attachment) to phishing@oregonstate.edu. This will help us take down/block any malicious sites used in the phishing scheme.
  2. Sign up for an online account with the Social Security Administration

    The information about you contained in the Equifax Leak provides enough information for a criminal to open an account in your name. Do it before they do!

    Go to https://www.ssa.gov/myaccount/ to sign up.
  3. Place a security freeze on your credit file with each of the major credit bureaus

    This is the single most effective thing you can do to prevent identity theft that is financially motivated. A security freeze blocks creditors from being able to view your credit file unless you take action to unfreeze your file beforehand.

    Yes, there is a small fee associated with it (some do it for free.) Yes, it is a bit of a pain. But it is a lot less painful than having to deal with a destroyed credit rating, having collection agencies hound you for payments, and dealing with all the other problems associated with having your identity stolen.

    To place a freeze, visit these sites: Note: You’ll get a PIN from each of the sites to unfreeze your credit. Do not forget that PIN! Write it down and store it in a safe place.
  4. Check your credit report at least annually.

    Each of the major credit reporting bureaus are required to provide you a free copy of your credit report each year. You can get a copy of yours by visiting http://annualcreditreport.com/

    Mark a date on your calendar, check it when you do your taxes, or on your birthday. But at least once a year.

    We’ll keep this page updated as we learn more information.

  5. File your taxes before a fraudster does.

    The Equifax data breach contains enough information to allow someone to file a tax return in your name. We’re suggesting that you file your return as early as you possibly can next year.

  6. Check to see if your information has been compromised and sign up for free credit monitoring.

    Update: Today, the Oregon Department of Justice issued a news release which advises people to not visit the Equifax site and to not enroll in their offer for credit monitoring.

    https://www.doj.state.or.us/media-home/news-media-releases/equifax-data-breach-need-know/

    The Washington Post article linked below has been updated with the following information:

    Update, Sept. 10, 2:25 p.m.: Equifax issued a new statement Sunday further clarifying its stance on the arbitration clause. "To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action," Equifax said. The company said it has now removed the arbitration language from the terms of use on its data breach notification site, equifaxsecurity2017.com. It also said Sunday that the terms of use on Equifax's main site, equifax.com, do not cover the TrustedID Premier service, which has its own terms of use. "Again," Equifax continued, "to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.”

    Equifax has a website, https://www.equifaxsecurity2017.com/ dedicated to this event. There you can check to see if your information was impacted. Regardless of if your information was accessed in the breach, take them up on the offer to provide free credit monitoring through TrustedID Premier. Follow the instructions exactly, and be sure to record the enrollment date. And enroll your family members as well. On your enrollment date, you will have to return to the link they gave you and continue through the enrollment process. Once enrolled, Equifax will monitor your credit and alert you if there is a problem.

    Please be advised that the Washington Post has an article discussing how the terms and conditions of the free credit monitoring offer may limit future legal action you could take against Equifax. Please make an informed decision: https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-kno...

The Federal Trade Commission offers the following recommendation for how to respond to the data breach. https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do

Network Security

There is no charge for this service.

Campus Firewall Project

The campus firewall is designed with the following goals in mind:

  • High availability, performance and redundancy
  • Usability of the network preserved without creating barriers to information sharing
  • Distributed control of firewall rulesets to colleges/departments

Please see the Campus Firewall page for more information.

Client-Side Security

Helpdocs has information on client-side solutions such as SSH and key encryption.

Network Abuse Reporting

Security Reports (investigation)


Third Party Service Guide

There are a variety of distributed computing offerings on the Internet that offer good value and ease of use for those without the available resources and staffing to run their own systems. Commonly referred to as "cloud" computing, services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and off-site storage and backup services have become an important part of the Internet. Other service offerings marketed for widespread use by individuals, such as Dropbox, Cloud Drive, and iCloud, offer similar abilities.

OSU doesn't discourage the use of these tools, but it has established policy to assist in compliance with the many laws and regulations we face. This guide will help you determine if the information you are using is suitable for storing in or processing through a third party service and what steps need to be performed for certain types of information.

How To Use This Guide

  1. First, become familiar with OSU's Information Systems - Data Classification and Stewardship Policy and with the specific data elements for Protected and Sensitive Information listed in Appendix A.
  2. Next, determine whether the information you wish to use on a Third Party Service is included in Appendix A.
    • If the information you wish to use on a Third Party Service is not included in Appendix A, and there are no contractual obligations preventing you from storing it outside of OSU-maintained systems, that information is classified as Unrestricted; there are no restrictions from storing it in any third-party service. We would encourage you to use caution when selecting a third-party service provider, and to avoid those without an established reputation for good, secure service.
    • If the information does include any of the data elements listed in Appendix A, please contact the Office of Information Security to see if a review of the service is required. In most cases, the completion of a Security Questionnaire by the vendor will be required as part of this review.

Note that data elements listed as Protected in Appendix A have the highest restrictions. Third Party Services should be avoided for these data elements if at all possible. Please contact the Office of Information Security for assistance.

What we do

Security Tools Used by the Office of Information Security

OSU’s Network contains data that, should it fall into the wrong hands, could cause harm to individuals within our community. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, and to assist IT units in taking steps to protect it. And, unfortunately, we’re also asked to track down the source of threats of violence against members of our community.

The Office of Information Security uses a variety of tools and multiple sources of data to perform these tasks. We are very much aware that we have the potential to impact the privacy that is an important part of our community. We feel that we’ve designed systems and processes to protect your data so that we can strike the best possible balance between protecting individual privacy and securing our data.

A part of striking that balance is our desire to be very transparent about our operations. This paper outlines the tools we use, the information collected using those tools with examples of how that information is used, and the policies and procedures surrounding the gathering of data.

Network Security Monitoring and Analysis Tool

We utilize a network security analysis and monitoring tool. This tool is located on the outside edge of our network and receives a copy of all inbound and outbound network traffic. This traffic, in the form of data packets, contains information on which computer the data came from, to which computer it is headed, and the data being sent. Our tool strips the data portion from the packet, runs it through a one-way cryptographic hash function, stores the resulting hash value, logs the destination, source, and time, and then discards the entire packet.

Because the hash is one-way, the Office of Information Security cannot recover the data portion from it to view the contents – so, for example, we cannot access the text or images or attachments sent in an email. The remaining packet information (destination|source|time|hash value) is stored for analysis.

An example of how this information would be used is in our response to phishing emails. Due to our outreach efforts, people frequently send us a copy of phishing emails they receive. Using the tool, we would check to see if anyone else went to the link contained in the phishing email, and notify the individual or their IT support team to ensure that nothing bad resulted from clicking on that link.
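Here is an added Python sketch of the store just described and of the phishing lookup it enables; it is not the tool's code, and the traffic, addresses and hostname in it are constructed. SHA-256 is an assumed choice, since the page does not name the hash function the tool uses.

```python
"""Toy model of the hash-only packet store described above (added example, not the tool's code)."""
import hashlib
from typing import List, NamedTuple


class Record(NamedTuple):
    timestamp: str      # when the packet was seen
    src: str            # source address
    dst: str            # destination address
    payload_hash: str   # SHA-256 of the data portion; the data itself is not kept


def hash_payload(payload: bytes) -> str:
    """One-way hash of the data portion (SHA-256 is assumed; the page does not say)."""
    return hashlib.sha256(payload).hexdigest()


def record_packet(store: List[Record], timestamp: str, src: str, dst: str, payload: bytes) -> None:
    """Log source, destination, time and the hash, then let the payload go out of scope."""
    store.append(Record(timestamp, src, dst, hash_payload(payload)))


def sources_that_sent(store: List[Record], payload: bytes) -> List[str]:
    """Find which sources sent exactly this payload, e.g. the request that fetches a reported phishing link.

    Because the store holds only hashes, the question can only be answered by
    hashing a known candidate and comparing; nothing lets us list what was sent.
    """
    wanted = hash_payload(payload)
    return sorted({r.src for r in store if r.payload_hash == wanted})


# Constructed traffic. The phishing request is what a browser would send after
# someone clicks the link in a reported phishing email (the hostname is made up).
PHISH_REQUEST = b"GET /account/verify HTTP/1.1\r\nHost: phish.example\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
MAIL_BODY = b"Subject: lunch?\r\n\r\nSee you at noon."


def build_store() -> List[Record]:
    store: List[Record] = []
    record_packet(store, "2017-09-11T09:01:00", "10.0.0.5", "203.0.113.7", PHISH_REQUEST)
    record_packet(store, "2017-09-11T09:02:00", "10.0.0.9", "203.0.113.7", PHISH_REQUEST)
    record_packet(store, "2017-09-11T09:03:00", "10.0.0.7", "198.51.100.2", BENIGN_REQUEST)
    record_packet(store, "2017-09-11T09:04:00", "10.0.0.5", "198.51.100.3", MAIL_BODY)
    return store


def demo() -> List[str]:
    """Hosts that fetched the reported phishing link."""
    return sources_that_sent(build_store(), PHISH_REQUEST)


if __name__ == "__main__":
    print(demo())   # ['10.0.0.5', '10.0.0.9']
```

Two properties of this design are worth keeping in mind. The lookup is exact-match only: a request that differs by a single byte (another query string, a different header order) produces an unrelated hash, so the reported sample has to be byte-identical to what other clients sent. And the reason the lookup works at all is that a hash of predictable content can be matched by hashing a guess; that is fine for a known phishing URL, but it is also why the surrounding policies and access controls matter as much as the hashing itself.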

This tool also analyzes network traffic, looking for abnormalities to help identify malicious behavior. Advanced attacks, such as those used by organized crime or nation states, frequently occur at low thresholds that defy conventional, signature based detection. We will also be able to compare hashed values of suspected malicious software against hash libraries to aid in detection. This tool is an essential part of our incident response toolkit, and helps us meet federal requirements for the protection of Controlled Unclassified Information. This tool also helps us to meet the Payment Card Industry’s Data Security Standards.

Network Security Monitoring and Analysis Tools are also used to offer protection in high-speed research networks, which frequently exceed the performance capacity of firewalls. In this role, the tool is placed in-line, where it performs a quick examination of the first few packets within a file and, if non-malicious, then allows all traffic to take place at full speed between the two systems without further interruption.

Analyzing network flows for malicious activity does have the potential for abuse. We feel that designing the tool to store only one-way cryptographic hashes of data is the best balance between the capabilities we need to detect attacks and the privacy of the members of the OSU community. As with all our other tools, we’ve applied the appropriate technical safeguards, as well as implemented policies and procedures around the use of the data from this tool.

Log Collection and Aggregation

Information Services is in the process of deploying a Log Aggregation and Correlation tool. This tool will allow us to gather log data from a variety of sources and look for patterns of behavior.

During our testing of this tool, we used it to identify compromised user accounts. This was done by looking at the time and location of login. If an individual logged into an account on the Corvallis Campus at 8:00 am, and that same account was logged into from China 2 hours later, that caused an alert since there is no way for the same person to travel that far in that time period.

It would be difficult to perform the same task manually, as there are thousands of logins a day. We also believe that by automating this process we improve privacy, as we’re not looking at all records, just the ones that match a certain criterion that represents a risk to the institution.
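The "impossible travel" check described above, written out as an added Python example (this is not OSU's correlation tool). Login events, coordinates and the 1,000 km/h plausibility threshold are constructed assumptions for the example; the first account reproduces the Corvallis-then-China case from the text.

```python
import math
from datetime import datetime

# Constructed login events: (account, UTC timestamp, latitude, longitude).
# Coordinates are approximate city centres; the accounts are made up.
SAMPLE_LOGINS = [
    ("ajones", "2017-09-12T15:00:00", 44.5646, -123.2620),  # Corvallis, 8:00 am PDT
    ("ajones", "2017-09-12T17:00:00", 39.9042, 116.4074),   # Beijing, two hours later
    ("bsmith", "2017-09-12T15:05:00", 44.5646, -123.2620),  # Corvallis
    ("bsmith", "2017-09-12T23:30:00", 45.5152, -122.6784),  # Portland, 8.5 hours later
]

# Assumed ceiling: nothing a person rides moves much faster than an airliner.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel_alerts(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, first_time, second_time, km, required_kmh) for each pair of
    consecutive logins to one account that would need travel faster than max_kmh.
    Only the flagged pairs are returned; everything else is never looked at."""
    by_account = {}
    for account, ts, lat, lon in logins:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), lat, lon))

    alerts = []
    for account, events in by_account.items():
        events.sort()  # chronological order per account
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Simultaneous logins from two different places are also impossible.
                required = math.inf if km > 0 else 0.0
            else:
                required = km / hours
            if required > max_kmh:
                alerts.append((account, t1, t2, round(km), round(required)))
    return alerts


if __name__ == "__main__":
    for account, t1, t2, km, kmh in impossible_travel_alerts(SAMPLE_LOGINS):
        print(f"ALERT {account}: {km} km between {t1:%H:%M} and {t2:%H:%M} UTC "
              f"needs about {kmh} km/h")
```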

Log data does contain information of a personal nature, such as the IP address of the computer used to visit one of the OSU websites and which web pages were visited. It contains the date and time a system was accessed and which files were downloaded. This information could be used, in certain situations, to track activities to a geographic location. We’re very cognizant that such a tool could be abused, and we have policies, procedures, and technical safeguards in place to prevent misuse of this information.

Vulnerability Scanning

Vulnerability Scanning tools scan devices on the network to see if they are running outdated software that has a known vulnerability. These tools can also identify insecurely configured devices. Hackers frequently use these types of vulnerabilities to gain access to systems.

The Office of Information Security has two vulnerability scanning systems. One system has been placed just outside our network, and so gives us a view of what an external hacker would see. Because of the large number of systems on our network, we only perform limited scans, looking for new vulnerabilities. The other is placed within our firewalled infrastructure and performs more intensive scans. Results of the scans are forwarded to IT units across campus so they can fix any problems found.

The operation of vulnerability scanning tools represents a minimal risk to privacy.

Firewalls and Network Segmentation

Due to the size and complexity of our network, network firewalls are only deployed where needed. We use network segmentation to divide the network into functional areas and network firewalls are placed in front of segments where confidential data is processed.

The operation of firewalls represents a minimal risk to privacy.

Network Malicious Program (Malware) Detection

Similar to the antivirus programs found on personal computers, Network Malware Detection tools scan network traffic to spot harmful programs. Network Malware Detection tools use two methods to detect harmful programs: signature-based detection and virtualized testing. Signature-based detection compares observed network traffic against a database of known malware. During virtualized testing, the tool creates a virtual model of an operating system and runs the suspected malicious file in that model to see if it is harmful.

Network Malware Detection tools capture and store complete packets, including the data component, for every item they alert on. Because the tools are not perfect, this creates a slight risk to privacy for packets which are captured in the event of a false alarm. Fortunately, false alarms are rare. To mitigate this risk, access to Network Malware Detection tools is limited to OIS employees, and alerts are reviewed before sharing any data with technical staff for resolution.

Intrusion Detection Systems

Similar to Network Malware Detection tools, Intrusion Detection Systems look for patterns of behavior in network traffic to flag threats. Intrusion Detection Systems are signature-based.

The Office of Information Security is in the process of deploying Intrusion Detection Systems within network segments of high risk as an additional layer of security. Like Network Malware Detection, Intrusion Detection Systems capture the packets for traffic that generates an alert. False alarms are very rare, but possible, and so there is a slight risk to privacy if packets that are not a threat are captured. This risk is mitigated by removal of the captured packets for any event that is determined to be a false alarm.

 

Data Classification by Data Element

Confidential Information:

  • Social Security Number
  • Driver’s License/State-issued Identification Number
  • Visa/Passport Number
  • Credit Card Number
  • Bank Account Number
  • Health Insurance Policy Number
  • Income Tax Records
  • Personally Identifiable Health Information, including Personally Identifiable Genetic Information
  • Classified Research Data
  • Personal Finance Disclosure/Information
  • Information collected for FAFSA
  • Identifiable Human Subjects Research Data designated as Level 3 by the Institutional Review Board (IRB)
  • Research Data with Export Control/ITAR limitations


Sensitive Information:

  • Data defined as confidential by the Family Educational Rights and Privacy Act (FERPA)
  • Employment Applications
  • Employee Performance Evaluations
  • Confidential Donor Information
  • Identifiable Human Subjects Research Data designated as Level 2 by the IRB
  • Minutes from Confidential Meetings
  • Accusations of Misconduct and records from investigations
  • Common Identifiers: Date of Birth, Place of Birth, Mother’s Maiden Name
  • Demographic Information such as race, ethnicity, gender, sexual orientation or identity when personally identifiable
  • Admission applications
  • Privileged Attorney-Client Communications
  • ID Photos

Data Management and Classification Overview

Data Management and Classification

A Commitment to Data Security

OSU’s network contains data that could cause harm to individuals within our community should it fall into the wrong hands. The Office of Information Security is tasked with identifying threats to that data, such as hackers and the malicious software they use, but it is up to those who work with this data at Oregon State University to help us maintain our commitment to the safety and privacy of our data.

Data Overview

Working with OSU Data

While working with OSU data, you must protect the data you access. Following policies, procedures, standards and guidelines is the best way to ensure data remains safe. Get trained on the appropriate use and protection of university data and report unauthorized access or misuse. Additionally, it is important to understand how to classify the information you handle, so you know how best to secure it.

Reporting

If you suspect that someone has stolen confidential or sensitive information, hacked into your computer, or suspect your computer has a virus, immediately notify the Office of Information Security.

Minimum Standards

You are responsible for making sure the system you store information on meets OSU minimum standards. There are different standards for different classifications of data and types of environments.

Security Assessment

Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security for a security assessment.

If OSU Data is Compromised

Follow these steps immediately if you suspect your data’s been compromised (the data was out of your control, someone accessed it who wasn’t supposed to, etc.).

  1. Figure out its data classification. What type of information is it? Which of the categories above does it fit into?
  2. Report it to your IT support group (departmental computer administrator – DCA). Give the DCA as much information as you can, including how you think the data would be classified.
  3. Follow the directions they give you, even when that means you’ll lose changes to files.
  4. Report it to your supervisor and to the Office of Information Security (call 541-737-9800).
  5. The CISO will decide what needs to happen next. The Office of Information Security will lead the investigation of the possible breach and will let the appropriate data custodians know what’s happened.

The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.

Data Classification

How secure should this data be?

We have three data classifications (categories of data) based on the level of security the information needs. Understanding the relative sensitivity of that information helps you understand which category the data fits in.

Unrestricted

This data is intended for general use, and can be found on websites, news releases, and in various publications. While no harm would befall the university if Unrestricted Information were accessed without permission, we are still concerned that the information be presented unchanged, and be available when needed; as such, there are specific standards of care required around the presentation of that information.

Sensitive

Some data, while not as restricted as Confidential data, is still private by its very nature or by regulation and must not be openly disclosed. There are typically four types of data that fall into this category.

  • Student data
  • Employee data
  • Confidential Donor Information
  • Privileged Attorney-Client Communications and Minutes from Confidential Meetings

Confidential

Confidential information is the most restrictive classification. Four types of data fall into this category.

  • Personal information that could be used in identity theft or exposure of personal health information if it’s not secured.
  • Research data that a funding agency or other research partner has identified as highly private.
  • Financial, legal and other data of a highly confidential nature.
  • Specific technical information detailing how we restrict access, or otherwise secure data, in this classification.

Data Storage

What data can I keep where?

Use the table below to determine what classifications of data can be maintained on various services and platforms. This list includes Oregon State and 3rd-party services.

Services/Platforms                                      | Unrestricted | Sensitive                | Confidential
--------------------------------------------------------|--------------|--------------------------|-------------------------
Audio and Video Conferencing                            | Yes          | Yes                      | No
AWS Infrastructure                                      | Yes          | Requires Review/Approval | Requires Review/Approval
Banner                                                  | Yes          | Yes                      | Yes
Box                                                     | Yes          | Yes                      | Requires Review/Approval
Canvas                                                  | Yes          | Yes                      | No
Core                                                    | Yes          | Yes                      | No
Data Warehouse                                          | Yes          | Yes                      | Yes
Docusign                                                | Yes          | Yes                      | Yes
Drupal                                                  | Yes          | No                       | No
Email (with and without Secure: in the subject line)    | Yes          | No                       | No
Exchange                                                | Yes          | Yes                      | No
Google Drive/Docs                                       | Yes          | Yes                      | No
Office 365                                              | Yes          | Yes                      | No
Qualtrics                                               | Yes          | Yes                      | Requires Review/Approval
Slack                                                   | Yes          | No                       | No
VPN                                                     | Not Required | Recommended              | Required
Wordpress                                               | Yes          | No                       | No

OSU Phishing Derby

OSU’s 2nd Annual Phishing Derby has ended, but you can still help us catch phish

Even though our Phishing Derby is over, we still want you to catch phish! 

When you send us phishing attempts that came to your oregonstate.edu email, you help us shut down the scammers who sent them. So, when a phishing attempt lands in your inbox, forward it to us (directions at http://is.oregonstate.edu/phishing-derby/submit).

Not quite sure how to spot a phishing attempt or how to distinguish it from spam email? Keep reading for more information.

So what is phishing?

It's an attempt to get you to give up sensitive information. 

A phishing email looks like it comes from a trustworthy organization. It tries to get you to submit information like your username, password and credit card details.

It used to be easy to spot a phishing email. You could pretty much count on bad grammar, poor spelling and too-good-to-be-true offers.

Not so, anymore.

These days, lots of phishing attempts have gotten more sophisticated. Sure, you’ll still see some that fall into that old, easy-to-spot style. But more and more of them look professional, because more and more phishing scammers are getting professional, spending real money to fool you, just as a professional fisher spends money on good bait. [Read more about phishing at Wikipedia.org]

Check the Bait.

In this case, the bait is any email you receive. A simple phish will try to create anxiety, typically saying something like there is a problem with your account and asking you to reply to the email and provide your username and password so they can resolve the problem. Those are easy to spot. Trickier phishes include a link (often disguised) that will take you to a webpage where you will be asked to complete a form. The trickiest ones are crafted to look just like an official notification from OSU. They use our logo, often capture language used in previous official emails, and are "signed" by real departments or people.

You may also see phishes that pretend to be from a bank or other online business.

Remember, if an email makes you feel that you need to take action immediately, be suspicious. Also know that IT support people will never ask you for your password; instead, they'll change your password to a temporary one that you both know to fix any account issues that require it. These instances are rare and will never be resolved over email.

If an email makes you suspicious, but you're not sure it's phishing, call the sender and ask if it's legitimate. Be sure to use a number you already have or one you can look up, not the one provided in the email.

Recent Developments: Did you know that phishing isn't limited to just email? You may receive a phone call using the same anxiety-creating techniques. Don't give any personal information, such as your Social Security number, credit card or bank account numbers, health insurance information, or passwords, over the phone.

Examples of strong wording include:

  • IMMEDIATELY
  • NOW!
  • YOUR ACCOUNT WILL BE TERMINATED
  • ALERT

Here are examples of phishing emails that we have received.

Hover over the spot

In this case, the spot is a link in the email. When you place your cursor over that link and hover without clicking, the actual link will be shown, usually at the bottom of the window. In a phish you'll find that this link really goes to a different site than is shown in the link text. Check that link carefully -- the bad guys will frequently include portions of the authentic address to try to fool those who know the hover trick. Make sure that you inspect the entire address: if the portion before the first / in the address (after the http://) doesn't end in oregonstate.edu, don't click!

You can also hover using a mobile device. Simply touch the link and hold it. A window will pop up asking what you will want to do -- at the top of that window will be the actual link.

Be especially wary of URL shortening services such as tinyurl.com and bitly.com, since hovering doesn't work on them.
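The hover check described above, as an added Python example (not code from this page or from OSU): take the host between the scheme's "//" and the first "/", and accept it only when it is oregonstate.edu or ends in ".oregonstate.edu". It also flags the URL shorteners named above as unverifiable. The sample links are constructed; using `urlsplit().hostname` is an assumption that goes slightly beyond the page's rule, since it also drops any port number and user-info before "@".

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "oregonstate.edu"

# The page names tinyurl.com and bitly.com; bit.ly is the short form bitly uses.
SHORTENER_HOSTS = {"tinyurl.com", "bitly.com", "bit.ly"}

# Constructed sample links of the kinds the text warns about.
SAMPLE_LINKS = [
    "http://is.oregonstate.edu/phishing-derby/submit",   # real OSU host: ok
    "https://oregonstate.edu/",                           # bare domain: ok
    "http://oregonstate.edu.example.net/login",          # authentic text, wrong domain
    "http://example.net/oregonstate.edu/login",          # authentic text after the first /
    "http://tinyurl.com/constructed",                    # destination cannot be seen
    "not a url at all",                                  # nothing to trust
]


def host_of(url):
    """The host portion: after the scheme's '//' and before the first '/'.
    Returns None when the link is not an http(s) URL with a host."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def check_link(url):
    """Return 'ok', 'shortener' or 'untrusted' for the link a hover reveals."""
    host = host_of(url)
    if host is None:
        return "untrusted"
    if host in SHORTENER_HOSTS:
        return "shortener"  # hovering shows only the shortener, not the real site
    # Suffix match must include the dot: "oregonstate.edu.example.net" ends in
    # "oregonstate.edu" as text but is a completely different domain.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "ok"
    return "untrusted"


def triage(links):
    """Map each link to its verdict so a batch of hovered links can be reviewed."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```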

How's this different from Spam?

Spam email, another type of unsolicited email, is typically advertising. The sender of a spam message wants to get you to visit a website where they'll receive a small compensation for every visit. Their goal is to get as many people to visit as possible, so they flood a network with thousands of email messages, hoping a few people will click on them.

You've seen lots of them: advertisements for pharmaceutical products, bargain hotels, special deals on travel -- if you can think of it, someone has sent a spam email about it.

Spam isn't just annoying though; often the websites linked in a spam email contain malicious software like viruses and adware. It is best to avoid them altogether.

Now that you know how to detect phishing emails, and how to distinguish them from spam email, are you ready to test your skills and "Catch a Phish?"

Winners of the Phishing Derby - Congratulations! 

Congratulations to the winners of our Phishing Derby!

Everyone who entered helped make OSU a safer place. We collected 1,425 entries - that's 1,425 phishing attempts that got caught by our Derby participants. You rock! From those entries, we randomly selected 8 winners.

Winners of the $50 gift certificate to the Beaver Store

  • Harrod, H.
  • Johnston, K.
  • Larson, M.
  • Michels, A.
  • Rieth, M.
  • Schlonga, C.
  • Sumida, G.
  • Valenzuela, L.

Congratulations!


Phishing Examples

Here are some examples of phishing emails we've received recently:

If you click on the images below, they'll show an image of the website linked in the phishing email.

Example 1:

Example 2:

Example 3:

Fake OSU Exchange Mail Page

How to know this page is fake:

  • The URL is incorrect: the domain should be oregonstate.edu
  • It has three boxes to fill in, while the actual page has a different number
  • The title is "New Item", which is incorrect

How to know this page is fake:

  • The URL is incorrect: the domain should be oregonstate.edu, not wix.com
  • The title and picture of the webpage are wrong on the tab

How to know this page is fake:

  • The URL is incorrect: the domain should be oregonstate.edu
  • The title and picture of the webpage are wrong on the tab
  • The site is asking for Username, Email, and Password instead of Username and Password
  • The page names a different college (Chabot College)

Submit Your Phish

Welcome to OSU's 2015 Phishing Derby

Rules and Submission Guidelines

Rules for the Phishing Derby:

Our phishing derby is over this year, but you can still help shut down scammers by sending us phishing attempts that come to your oregonstate.edu email.

  1. To participate in the contest you must be a valid Oregon State University student or employee.
  2. Submission of phishing emails must come from an official OSU email address.
  3. Only one (1) prize will be awarded per individual.
  4. An entry into this contest is counted as one (1) unique phishing attempt submission. For a definition of a phishing email please refer to http://is.oregonstate.edu/phishing-derby. Any re-submission of the same phishing attempt by the same person will be disallowed and not counted as a submission for the contest.
  5. Submitting a spam email will not be counted as an entry into the phishing derby.

Our phishing derby is over, but we still want you to submit phishing attempts that come to your oregonstate.edu email.

How to prepare your phish email for submission

To submit your phish email you will have to export the message from your mail client; please use the directions provided below. 

Once you have created the attachment, please email it to phishing@oregonstate.edu. If you have problems, please contact the OSU Computer Helpdesk at 541.737.3474.

