Utah State University Information Technology

2008 USBR Security Audit

Utah State University

Information Resources Audit

 

To: Utah State Board of Regents

From: Steve Scott (CISSP, CISA) – Security Audit Team Lead

Date: March 24, 2008

Re: Information Security Assessment Report – Utah State University

 


 The Utah System of Higher Education Security Team performed an assessment of the systems, networks and documentation owned, operated and/or created by Utah State University (USU) in Logan, Utah. The review period began on February 20, 2008 and concluded with 3 days of onsite assessment ending Friday, February 29, 2008.

 The purpose of the assessment was to review Utah State University’s information security program, identify potential risks to the institution and provide recommendations to mitigate these risks. The assessment consisted of interviews with key IT personnel, a review of policies and procedures, an examination of the network infrastructure, vulnerability scans of the network devices and services, and limited but targeted penetration testing. This assessment was minimal in scope, focusing on critical infrastructure and processes; some areas not investigated include physical security, social engineering, extensive penetration testing, privilege escalation, etc.

The following individuals participated as part of the Security Team:

Patrick Bergen, Sr. Systems Security Analyst, UEN (CISSP)
Matt Brace, Information Security Officer, USHE
Corey Roach, IT Security Analyst, University of Utah (CISSP, CISA)
Jason Tracy, Information Security Analyst, SLCC

 Core IT systems at Utah State University contain sensitive and private information about students, employees and operations at USU, including, but not limited to Social Security numbers, credit card numbers and financial account information. The IT systems also support technology enabled business processes of the University. A disruption of USU IT resources could result in a significant amount of lost employee time due to recovery efforts and downtime, and lost student time because of lack of IT resources, resulting in both financial loss and damage to the institution's image. An intrusion into USU IT resources that contain sensitive information could cause a significant amount of lost employee time due to recovery efforts, cause harm to the reputation of the University, and create a significant amount of worry and work for those constituents whose personal, private data was compromised.

 The following is a brief summary of the key IT security issues and recommendations to address these issues, and recognition of strengths as identified by the audit team. Scan results and other sensitive data are not shared in this report, but can be provided at the request of the Board of Regents.

Areas of concern:

 

There is a need for policies that address data identification and classification, and IT roles and responsibilities.

 USU is making strides in getting policy written, but there isn’t an overriding policy that defines who is ultimately responsible for data, how data is classified and how critical and sensitive data needs to be protected. It is very difficult to secure data if there isn’t a clearly defined role that is identified in policy as being responsible. The policy being pushed by the Board of Regents should be a good start for this, but policy more specific to USU and their needs should be created. This policy will help in transforming from a reactive to a proactive security stance.

 Protocols that transmit usernames, passwords and data without encryption are being used internally and across the connection to the Internet.

The use of “clear text” protocols is of great concern, especially when allowed across the border to the Internet as there is no way to know who might be able to see unencrypted information once it leaves the USU campus. Usernames and passwords are typically the keys to personal information and access to protected resources. We would recommend not allowing the use of clear text protocols (IMAP, POP, Telnet, FTP, etc.) across the Internet border and in as limited a manner as possible within the USU network. USU has pushed for a more stringent password requirement and all users have had to change their passwords; these passwords are put in jeopardy when they are not used with encrypted/secure protocols. Many of these protocols are subject to brute force password guessing attempts as the associated applications are typically not watched as closely as others, so limiting internal services that are available to the outside will help the overall security posture at USU.

 
Credit card processing changes.

 USU is implementing a new credit card processing system. There are many things that need to be considered during this implementation including, but not limited to, identification of a person that is ultimately responsible for the data that is collected and used (see first area of concern), compliance with Payment Card Industry (PCI) standards, network segmentation (for PCI compliance and as a best practice) and identifying all credit card processing that occurs on the USU campus. We would suggest that a detailed project plan involving all interested parties be created and adhered to and that PCI compliance issues are addressed in the planning stage. Network segmentation is critical and may not be trivial to accomplish; time and resources need to be allocated to ensure a successful and compliant implementation of this change.

 
Centralized logging.

 USU needs to implement a centralized logging scheme so that all systems and network logs can be aggregated, analyzed and stored in a secure manner. Currently there is some logging and reaction to events that are being logged, but there could be more insight into network behavior if more data is logged and analyzed. Internal network flow data is critical and would be a recommended place to start. Systems logs that are shipped and then stored in a separate system give credible clues and evidence in the case of a compromise as local system logs can’t be trusted. There are logging requirements for PCI and other regulatory compliance and those requirements need to be identified and addressed.

 
Remove unused and unneeded services from the network.

 The audit team was able to identify and attack several systems that didn’t appear to be providing any needed services. The systems appeared to be legacy and were not watched or maintained. Systems like this, that provide network services to the world and are not watched, can provide a convenient jumping off point to the inside of the network, rendering the well maintained firewall useless. Miscreants have an easy time exploiting these systems as operating systems and services aren’t patched and access attempts aren’t monitored.

 
Old versions of web software are in use.

 There were quite a few departmental servers that were running old and vulnerable versions of PHP and Apache. These web services need to be kept updated and, returning to the first identified issue, a role needs to be identified in policy that is accountable for ensuring that systems are maintained securely. A “services registration” is recommended, meaning that there is a central authority that contains information about all known services running on campus, who the services need to be accessible to and who is responsible for maintaining said services.
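An added example, not part of the audit report: one way a services registration could be checked against scan results, also flagging the clear-text protocols named earlier (IMAP, POP, Telnet, FTP) when they are reachable across the Internet border. The `Registration` fields, the `example.edu` host names and the observed-listener tuples are all constructed for illustration.

```python
from dataclasses import dataclass

# Clear-text protocols named in the report, keyed by their standard ports.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP", 143: "IMAP"}

@dataclass(frozen=True)
class Registration:          # hypothetical registry record
    host: str
    port: int
    owner: str               # who is responsible for maintaining the service
    audience: str            # who needs to reach it: "internet" or "campus"

def audit_services(registry, observed):
    """Compare observed listeners with the registry.

    observed: (host, port, reachable_from_internet) tuples, e.g. derived
    from the institution's own vulnerability scans.
    Returns a sorted list of (host, port, finding) tuples.
    """
    observed = list(observed)
    by_key = {(r.host, r.port): r for r in registry}
    findings = []
    for host, port, external in observed:
        reg = by_key.get((host, port))
        if reg is None:
            findings.append((host, port, "unregistered service: no owner on record"))
        elif external and reg.audience != "internet":
            findings.append((host, port,
                             f"exposed beyond registered audience ({reg.audience})"))
        if external and port in CLEARTEXT_PORTS:
            findings.append((host, port,
                             f"cleartext {CLEARTEXT_PORTS[port]} reachable across the border"))
    seen = {(h, p) for h, p, _ in observed}
    for (host, port), reg in by_key.items():
        if (host, port) not in seen:
            findings.append((host, port,
                             f"registered to {reg.owner} but not observed: confirm still needed"))
    return sorted(findings)

# Constructed sample data.
REGISTRY = [
    Registration("www.example.edu", 443, "web-team", "internet"),
    Registration("mail.example.edu", 143, "mail-team", "campus"),
    Registration("old-app.example.edu", 8080, "dept-x", "campus"),
]
OBSERVED = [
    ("www.example.edu", 443, True),
    ("mail.example.edu", 143, True),
    ("legacy.example.edu", 23, True),
]

if __name__ == "__main__":
    for finding in audit_services(REGISTRY, OBSERVED):
        print(finding)
```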

 
Unneeded sensitive information is being requested.

 The audit team identified several websites that were requesting social security numbers from students and other affiliates of USU. Most of these sites didn’t appear to have a legitimate reason for requesting this information, especially as the SSN isn’t used as an identifier anymore. We recommend modifying forms so that sensitive data that isn’t needed is never requested.

 

 

Recognition of strengths:

 
Policy is starting to take shape.

Keep up the push for new and relevant policy. Create overriding policy that will define roles and responsibilities.

 
There is a security department that is very aware and innovative.

The existing security team is aware of critical issues. They need to be backed by policy that gives them enough clout to make them agents for change. The team is creating and using innovative tools that help them identify and mitigate intrusions into the network. Continue with the border intrusion mitigation efforts and continue and enhance the vulnerability scanning that is done.

 
Access to the network is well regulated.

The network and security teams have created a system that makes it easy for them to only allow known users on the network, and to know where these users are at any given time. This is excellent work and makes network management significantly easier.

 
Banner system seems to be well protected.

 The mission critical Banner system has been identified and securely locked down. Other systems that store or have access to sensitive data need to be identified and locked down in the same manner.

The audit team would like to sincerely thank everyone at USU for their hospitality and willingness to work with us. It was a treat to be so well received and so well taken care of. We look forward to visiting within the next year to check for progress on the recommendations that we’ve made.

 Steve Scott -- Security Audit Team Lead