- IUP system administrators need to comply with all IUP IT security policies, procedures, and guidelines. University policies, procedures, and guidelines provide the foundation and framework for IUP IT security. They must be followed, and the mechanisms for compliance must be documented.
- Administrators should refrain from removing or circumventing any university installed software or security controls.
- It is important to physically secure PCs, servers, and devices. Keep rooms with servers, PCs, and network equipment locked when unattended. Do not leave portable devices (such as smartphones or notebook PCs) or media (such as DVDs or flash drives) vulnerable to theft. Apply BIOS passwords and/or use computer locks if a server or PC resides in an untrusted room (such as a public lab). Secure, disable, or physically block access to external ports if they are not needed (like USB ports).
- Implement and use authentication
All university computers, servers, network devices, and network applications must have some form of authentication system using a strong password or certificate. All users should use authentication when accessing these resources and sessions should be closed when not in use. Systems and services should use authorization groups/roles to control access level.
Encryption must be utilized for all user logins, especially if the system/service is being accessed from outside IUP (over the Internet).
- Do not allow anonymous access or guest access
PCs, servers, network devices, and network applicationsshould be configured and managed so that anonymous and guest access is disabled unless specifically required. - Do not share passwords, use default/blank passwords, or use weak passwords
Sharing of user credentials (username and password), not changing default passwords, or using blank passwords is strictly prohibited. All systems, network devices, and network applications should use unique, strong, complex, passwords. A strong password should be at leastfifteen (15) characters long and should include numbers and non-alphanumeric characters. Passwords should be regularly changed and not reused.
Passwords should be changed immediately if they are accidentally exposed or suspected to be compromised. Passwords should be changed immediately on the effective date when an administrator leaves the university, or a position in the university that required use of the password.
- Use least-privilege accounts
Do not use accounts that have administrative privileges (such as administrator or root) except when no other alternative exists. Using lower privilege accounts, either interactively or for services, can greatly reduce the ability of malicious code to cause damage or compromise a system's security.
Administrators can reduce risk by using a non-privileged account when using a computer to browse the web, read e-mail, and open documents. Administrative-level accounts should not be used to browse the web, especially on a server. The use of explicitly defined authorization groups and roles can help with limiting privileges.
Modern versions of Microsoft Windows contain UAC (User Access Control), which can prompt users before attempting to run administrative executables.
More information on IUP accounts and passwords
- Always secure a systembeforeplacing it on the IUP network
Many security vulnerabilities exist in default installations of operating systems such as Windows and Linux. Newly installed systems placed on the IUP network before they are properly secured and hardened are a security risk, and can often results in the system becoming compromised. A compromised system will need to be re-installed and properly secured before placing it back on the IUP network.
- Review and changethe default configuration of software packages so that it only contains what is needed for the task at hand
Many exploits use vulnerabilities found in unneeded or unused features in various computer software. Most exploits are created to compromise as many systems as possible, relying on systems with default configurations and/or systems with various features turned on by default. Minimizing the default configurationcan limit exposure to automated brute-force hacker scripts/kits, worms, and attacks on unknown vulnerabilities.
- Disable or uninstall any unneeded services or software
Uninstalling unused software eliminates exposure to vulnerabilities since the potentially vulnerable software is no longer present. Some components are often unable to be uninstalled, such as network services. You can disable unneeded network services to eliminate their potential abuse and exposure of vulnerabilities.
- Documented System Setup and Configuration
All system setup and configuration should be documented as it plays an important role in a system's lifecycle and security. Systems should be setup with a standardized configuration and security policy. Changes made to the configuration and security of a system after initial setup should also be documented.
- Securelocal data and network share
All electronic media, files, data and information should be protected by the file system security such that access control is set for specific accounts or authorization groups that require access to the resource.
If data is to be shared via the network (network share, ssh server, website), share access control should be applied in the same manner as file system security.
User datashould be stored on central network storage when possible as it is backed up and protected. Datasaved on local PCs and devices is at greater risk of unauthorized exposure, destruction, getting lost or being stolen. - Storing and transmitting sensitive data
Sensitive data should not bestored on local PCs. Sensitive data should be stored securely using encryption. Systems transmitting sensitive data must utilize protocols that use transport layer encryption, such as TLS, SSH, or IPEC.
Any university system used to process credit cards or perform bank transactions must be sanctioned, authorized, secured, and properly configured on the secure client network. Please contact the IUP IT Support Center for assistance. The IT Security Office will need to review and get involved.
- Patch operating systems and applications in a timely manner
Un-patched or out-of-date computer software is one of the primary reasons computer viruses, worms, and hackers are able to compromise a system. It is critical that systems (both operating system and applications) are patched regularly and on demand when a critical vulnerability is announced. Some applications such as Java and Flash are frequently updated to resolve security vulnerabilities. Most attacks are performed on known vulnerabilities in situations where a vendor has already provided a patch but the patch has not been applied to the system. Keeping systems updated in a timely manner reduces risk. Information on software vulnerability notification from a variety of vendors can be found on the IT Security Resources page. Vendors typically provide instructions on obtaining and installing patches. - Update firmware
PCs and servers are not the only systems that need updated. Devices that store their code in firmware also need updated. This includes things like printers, copiers, smart devices, displays, conference phones, web cams, and other various network devices. - Install and maintain current antivirus software
There are millions of known malware (viruses, worms, bots, and Trojans) in existence, and new ones are discovered every second. It is imperative that antivirus and/or anti-malware software be installed and updated on all computer systems. - Do not install or use unsupported, unknown, or un-trusted software
Software that is no longer supported by a vendor or developer may have vulnerabilities that will not get fixed. Oldunsupported software should not be used, especially on the network. This is a security risk.
IT support for software components beyond what is provided in base PC images will be limited.
Freeware, shareware, and public domain software should only be installed when obtained from a reputable source. Open source software should be downloaded from the project website or trusted mirrors.
- Use host-based firewalls
IUP's network is routable to the Internet. Systems and networks across the Internet are scanned constantly by potential attackers seeking vulnerabilities. While IUP has security controls at its border, using a host firewall can serve as another layer of security and can help protect the server or PC from internal attacks or unauthorized access. Firewalls can limit the network scope of an exposed service of application, which reduces potential threats. Many network operating systems come with a host-based firewall (Windows, macOS, Red Hat Linux, etc.) - Network services
Servers and devices with services that need exposed to the Internet (inbound services such as a web server) will need to contact the IT Support Center to have the IUP Security Office allow these services to be exposed through the border firewall.
Services exposed on the Internet that require a username and password will need to make sure the credentials and/or session are encrypted.
It is strongly recommended all web servers use https (TLS). The IUP IT Security Office can provide SSL certificates. Please contact the IT Support Center to request them. Administrators should also use encrypted services like SSH and SFTP for shell access and file transfers instead of insecure plain-text legacy protocols like FTP and Telnet. - Wireless Devices
WiFI devices must support WPA2 Enterprise and be connected to the IUP WiFi network. More information on wireless network requirements.
- Monitor and review log files
Log monitoring can detect malicious activity and/orunauthorized access to the system. Use of an audit trail is recommended.
Administrators should keep log files for three years.
Any unexplained security events or repeated unsuccessful log-on attempts found in logs should be reported to the IT Support Center for review.
- Backup systems regularly
Systems should be backed up to removable media in the case of system compromise, accidental deletion of files, hardware failure, theft, etc.
All managed servers require a written backup and Disaster Recovery procedure. Even if the procedure is "no backups and the system will be rebuilt from media," this needs to be written to ensure management and users are aware.
- Report any compromised system, malicious activity, or virus infected system
The IT Support Center must be contacted immediately in cases where a system compromise and/or malicious activity is suspected
A system that is thought to be compromised should be immediately removed from the network to protect the rest of the network and to reduce risk of data exfiltration. Users of this system should immediately discontinue use of it and change all of their passwords from another secure system.
Once a system's security is compromised in any way, it should no longer be trusted. The system will need to go through incident response procedures before it can be used again.