Effective: June 1, 2002
Enforcing the Policy
1. Who determines when to take action?
Information Technology and Communication (ITS) and Health System Computing Services (HSCS) are neither investigative nor disciplinary entities in their primary responsibilities. In cases where University network resources and privileges are threatened by improperly maintained computing devices, however, these entities must take appropriate steps. Before taking action, ITS and HSCS will attempt to resolve the problem in collaboration with the device owner or overseer, unless the situation is so urgent that immediate action is required, and there is no time for collaboration. In the latter case, ITS and HSCS will inform the owner or overseer as soon as practical, and provide advice as needed to resolve the problem.
2. How will ITS and HSCS identify vulnerabilities?
Security vulnerabilities on a given device are usually discovered as the result of an investigation of a problem reported by someone within or outside the University who is being attacked from that device, or during an audit conducted by the University's Audit Department or other auditing organizations. ITS also offers a proactive network scanning service that can report vulnerabilities to the person requesting the scan before the security holes actually cause problems.
As already stated, ITS and HSCS will make an attempt to resolve the problem in collaboration with the device owner or overseer before taking action, unless the situation is so urgent that immediate action is required.
3. If somebody's PC propagates a virus mailing, will that PC be unplugged?
The policy will not be used to punish anyone. Its purpose is to help protect the University's networked environment as a whole. Before taking action, an attempt will be made to resolve the problem in collaboration with the device owner or overseer. The availability of PC anti-virus software usually makes remedies for mail viruses simple to apply. For this reason, it seems highly likely that in the event of a virus mailing problem, collaboration with the device owner or overseer will result in quick and satisfactory resolution.
4. Will an operating system not formally supported by ITS or HSCS be deemed unacceptable, if someone in ITS or HSCS believes it not to be secure?
It is not the intent of the policy to deem operating systems as a whole, either supported or not, to be unacceptable. Key vulnerabilities will be listed on a website maintained by ITS and HSCS, and most will be drawn from a consensus list developed by the highly regarded SANS Institute in collaboration with the Department of Justice and the FBI. The SANS (System Administration, Audit, Networking, and Security) Institute is a cooperative research and education organization, through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. Suggested remedies take the form of applying software patches, changing configuration settings, changing passwords, and the like. None of the remedies suggest replacing one operating system with a totally different one. ITS and HSCS will not, however, be able to provide the same level of assistance and advice to unsupported environments as they do to supported ones.
Addressing the Policy
5. Who will provide information (and in what form?) to deal with such vulnerabilities? Who determines what vulnerabilities are key?
As mentioned in Question 4, ITS and HSCS will maintain a website that describes critical vulnerabilities and remedies relevant to our environment. The source of some of this information will be the SANS Institute consensus list of key vulnerabilities.
6. What are some examples of key vulnerabilities?
Key security gaps that must be closed may vary depending upon the type of device. Some examples follow.
- All device owners should ensure that the passwords used on their devices are not easily guessable by attackers.
- Owners of personal computers should install and run anti-virus software on these devices, and apply updates from the software vendor as they become available.
- Owners of personal computers and servers should apply security-related updates to the operating system running on their devices, as these updates become available from operating system vendors. Examples of a few operating systems found at UVa are Windows 2000, Windows XP, Windows Vista, Macintosh, and Fedora Linux.
- Owners of UNIX and Linux servers should switch off unneeded services, in order to eliminate the risk of these being exploited.
It is important to note that the above are examples only and do not represent a complete list of known security vulnerabilities.
Vulnerabilities that are considered "key" will change over time, as new threats and risks surface.
7. What, if any, assistance can device owners expect, aside from a list of vulnerabilities?
The website will provide explanations of remedies as well as vulnerabilities. ITS and HSCS also offer highly subsidized maintenance services for department-owned computing devices, consulting services, and help desks for assistance with problems. Additionally, presentations on security topics have been and will continue to be given at LSP meetings, and work on other security awareness education and training strategies is underway.
8. What are the responsibilities of device owners who contract with ITS or HSCS to administer their machines?
The policy states that compliance is the responsibility of ITS or HSCS if the devices are under ongoing support contracts with these organizations. Users are responsible for approving and allowing necessary security upgrades to be made rapidly by ITS or HSCS. Users are responsible for not circumventing security configurations installed by ITS or HSCS.
9. Does the University provide adequate resources to the departments and schools to administer and operate their technical infrastructure?
Additional resources are always welcomed, but there are at least three things departments and schools could do to improve their ability to administer and operate their technical infrastructure:
- ITS and HSCS offer maintenance contracts for computing devices in departments. Taking advantage of these services could be less expensive overall for departments and schools than maintaining the devices on their own.
- Researchers should always include the cost of maintaining and operating new equipment that is funded by grants. This could take the form of purchasing support from ITS or HSCS, or hiring a skilled system administrator.
- ITS offers a free scanning tool service that will automatically detect security vulnerabilities on computing devices and report them to the requester. Departments and schools could request that scans be run on a regular basis.
10. Why is this policy needed?
Although malicious intent is possible, the lack of attention to security vulnerabilities is the target of this policy. Inattention to security vulnerabilities is a realistic concern, as evidenced by a number of high profile attacks on computing environments of universities and other organizations.
Security breaches at highly visible computing sites have become commonplace today, and universities are favorite targets for attacks. Critical university computing resources, such as research, patient care, and student data, are at risk, and university computing devices are being commandeered by cybercriminals to launch attacks on corporations and other entities outside the university.
While it is not possible to anticipate and intercept all attacks - cybercriminals are continuously devising new ways to wreak havoc - there are specific steps that can be taken to significantly reduce vulnerability. These steps are effective, however, only if they are taken for all devices on the University of Virginia's network. The saying that "we are only as strong as our weakest link" most definitely applies in this case.
Revisions: June 1, 2008