
Posted on 19-Dec-2015


Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft

Authors: Andreas Lorenz and Thomas Brandel

Revised for the ISSeG Project by Ursula Epting, Bruno Hoeft and Tobias Koenig

The following presentations have been used for System Administrator training at FZK and are thus specific to that environment. However, many features will be common to most institutes, and so the slides could make a good basis for producing customized training material.

IT Security - Regulations and Technical Aspects

Desktop and mobile devices

© Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/


Agenda

• Desktop operation

• Mobile devices


Desktop Operation

• Password regulations and management

• Anonymous user accounts

• Security update management

• Antivirus service

• Desktop standards

• How are standards set at FZK?

• Service logon/logoff


Passwords (1)

• Password regulations (excerpt):

– Minimum length: 8 characters

– Complexity: at least 3 of the 4 categories

• (A…Z) upper-case letters

• (a…z) lower-case letters

• (0…9) digits

• (!$%#) special characters

• Reasons:

– Prevention of brute-force attacks

• A 7-character password drawn from upper-case letters, lower-case letters and digits (62 different characters, 62^7 ≈ 3.5·10^12 combinations) can be cracked in at most 13 hours on four PowerPC G5-2500 processors, assuming the attacker has obtained the hash values

• 8 characters take at most 33.5 days, 9 characters at most 5.7 years

• These figures assume 2008 CPU hardware (about 7.5·10^7 hashes per second); GPU-based crackers are several orders of magnitude faster against fast, unsalted hashes, so the minimum length is a lower bound, not a guarantee


Passwords (2)

– Prevention of dictionary (lexicon) attacks

• Extensive word lists are freely available on the internet

• Password crackers test these words combined with digits and special characters

• Success comes far more rapidly than with brute force

• "Bad" passwords (a dictionary word plus digits; note that as given they do not even meet the rules on the previous slide, Susy333 being too short and summerday1 using only two categories, and a variant such as Summerday1! that does meet them is no stronger against a dictionary attack):

– Susy333

– summerday1

• "Good" passwords:

– 4s1pynBF! (for such a password the attacker needs brute force)

– #Wsw3ma? (#When shall we three meet again?)
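The rules from these two slides expressed as a checker, together with the brute-force arithmetic behind the 13 hours / 33.5 days / 5.7 years figures. This is an added example, not code from the slides or from FZK. The small word list is a constructed stand-in for the large lists the slide mentions, and the GPU hash rate used for comparison is an assumed figure, not one from the slides. The checker reports Susy333 as too short and summerday1 as using only two categories, while Summerday1! passes the formal rule and is still caught by the dictionary check.

```python
"""Password policy check and brute-force estimate (added example, not from the slides)."""
import re
import string

MIN_LENGTH = 8        # FZK regulation excerpt: minimum length
MIN_CATEGORIES = 3    # at least 3 of the 4 character classes
ALPHABET_MIXED = 62   # upper + lower + digits, as in the slide's estimate

CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed toy word list (names and common words). A real check uses the
# large lists the slide refers to; the logic is the same.
WORDLIST = {"summer", "day", "susy", "password", "karlsruhe", "winter"}


def categories_used(pw: str) -> int:
    """Number of the four character classes present in pw."""
    return sum(1 for chars in CATEGORIES.values() if any(c in chars for c in pw))


def complies(pw: str) -> bool:
    """True if pw meets the length and 3-of-4 rule of the regulation excerpt."""
    return len(pw) >= MIN_LENGTH and categories_used(pw) >= MIN_CATEGORIES


def dictionary_based(pw: str) -> bool:
    """Mimic a cracker's simplest mangling rules: strip leading/trailing digits
    and specials, lower-case the rest, and look the core up (also as two
    concatenated words). Anything found this way falls long before brute force."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    if not core:
        return False
    if core in WORDLIST:
        return True
    return any(core.startswith(w) and core[len(w):] in WORDLIST for w in WORDLIST)


def assess(pw: str) -> str:
    """Verdict combining the formal rule and the dictionary check."""
    if not complies(pw):
        return "rejected: does not meet the regulation"
    if dictionary_based(pw):
        return "weak: meets the regulation but is dictionary-based"
    return "acceptable"


def keyspace(length: int, alphabet: int = ALPHABET_MIXED) -> int:
    """Number of candidates an exhaustive search must try."""
    return alphabet ** length


def implied_rate(length: int, seconds: float, alphabet: int = ALPHABET_MIXED) -> float:
    """Hashes per second implied by 'length characters cracked in seconds'."""
    return keyspace(length, alphabet) / seconds


def crack_time_seconds(length: int, rate: float, alphabet: int = ALPHABET_MIXED) -> float:
    """Worst-case time to exhaust the keyspace at a given hash rate."""
    return keyspace(length, alphabet) / rate


# Reproduce the slide's figures: "7 characters in 13 hours" fixes the hash
# rate of the 2008 machine; the 8- and 9-character times follow from it.
SLIDE_RATE = implied_rate(7, 13 * 3600)                         # about 7.5e7 hashes/s
DAYS_8 = crack_time_seconds(8, SLIDE_RATE) / 86400              # about 33.6 days
YEARS_9 = crack_time_seconds(9, SLIDE_RATE) / (365.25 * 86400)  # about 5.7 years

# Assumed modern GPU rate for a fast unsalted hash (constructed figure for
# comparison only): 8 mixed characters then fall in hours, not weeks.
GPU_RATE = 1e10
HOURS_8_GPU = crack_time_seconds(8, GPU_RATE) / 3600            # about 6 hours

if __name__ == "__main__":
    for pw in ("Susy333", "summerday1", "Summerday1!", "4s1pynBF!", "#Wsw3ma?"):
        print(f"{pw:12} {assess(pw)}")
    print(f"slide hash rate ~{SLIDE_RATE:.2e}/s: 8 chars {DAYS_8:.1f} d, 9 chars {YEARS_9:.1f} y")
    print(f"at {GPU_RATE:.0e}/s: 8 chars take {HOURS_8_GPU:.1f} h")
```

The point of the two halves together: the formal rule only bounds the brute-force search, and that bound is tied to the hash rate of the attacker's hardware; the dictionary check is what separates a compliant password from a usable one.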


Passwords (3)

• Important: never transmit passwords in clear text!

– They can be "sniffed" on hubs and, with ARP spoofing or port mirroring, on switches as well

– No telnet, rlogin, ftp

– Use a current SSH-2 implementation on UNIX!

– Use SSL/TLS encryption on web servers

• Secure transmission of users' initial passwords

– Not by unencrypted e-mail

– In person or by phone

– The identity of the recipient must be verified beyond doubt


Passwords (4)

• Change the default passwords of newly purchased devices immediately

– Extensive lists of default passwords for all kinds of devices (routers, switches, storage, ...) are available on the internet

– Default passwords are usually stated in the (often freely accessible) documentation of the devices

• Do not use "department-wide" passwords (the same root password on all servers)

– Use a password manager where applicable (important: encrypted storage)

– If necessary, store passwords in a sealed envelope in the safe


Passwords (5)

• Miscellaneous:

– No passing on of passwords to other persons

– Password hashes must not be readable by users (/etc/shadow under UNIX, readable by root only; hashes must never remain in the world-readable /etc/passwd)

– Enforce the rules by Group Policy in Active Directory

– Disable storage of LM hashes by Group Policy ("Network security: Do not store LAN Manager hash value on next password change"): the LM hash upper-cases the password and splits it into two 7-character halves, so it falls to brute force regardless of password quality
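A small audit of how a UNIX host stores its password hashes, following the rule above that hashes must not be readable by ordinary users. This is an added example, not code from the slides or from FZK. The passwd and shadow contents are constructed sample lines with shortened hash bodies; on a live system they would be read from /etc/passwd and /etc/shadow (root required) and the mode taken from os.stat('/etc/shadow').st_mode.

```python
"""Audit of UNIX password-hash storage (added example, not from the slides)."""
import stat

# Constructed sample of /etc/passwd. The 'legacy' line shows the pre-shadow
# layout: a 13-character DES crypt hash sitting in the world-readable file.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
legacy:Np6R4.Gx5sQzE:1001:1001:Old account:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""

# Constructed sample of /etc/shadow; hash bodies are shortened placeholders.
SHADOW_SAMPLE = """root:$6$Qx7v1k2P$fakesha512hashbody:17000:0:99999:7:::
alice:$1$abcdefgh$fakemd5hashbody:17000:0:99999:7:::
bob:!:17000:0:99999:7:::
"""

# Password-field values that carry no hash at all.
LOCKED = ("", "x", "*", "!", "!!")

WEAK_ALGORITHMS = {"MD5 crypt", "traditional DES crypt"}


def hash_algorithm(field: str) -> str:
    """Classify a crypt(3) password field by its modular-crypt prefix."""
    if field in LOCKED or field.startswith("!") or field.startswith("*"):
        return "locked or no password"
    for prefix, name in (("$6$", "SHA-512 crypt"), ("$5$", "SHA-256 crypt"),
                         ("$y$", "yescrypt"), ("$7$", "scrypt"),
                         ("$2b$", "bcrypt"), ("$2a$", "bcrypt"),
                         ("$1$", "MD5 crypt")):
        if field.startswith(prefix):
            return name
    return "traditional DES crypt"   # no prefix: classic 8-character-limited crypt


def audit(passwd_text: str, shadow_text: str, shadow_mode: int) -> list:
    """Return findings for hashes leaking into passwd, a shadow file readable
    by others, and hashes produced by weak algorithms. shadow_mode is the
    st_mode value of the shadow file (e.g. os.stat('/etc/shadow').st_mode)."""
    findings = []
    for line in passwd_text.splitlines():
        user, pw_field = line.split(":")[:2]
        if pw_field not in LOCKED:
            findings.append(f"{user}: hash stored in world-readable passwd "
                            f"({hash_algorithm(pw_field)})")
    # 0640 root:shadow (Debian) or 0000 root:root (Red Hat) are normal;
    # any permission for "others" is not.
    if shadow_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"shadow file accessible by others "
                        f"(mode {stat.S_IMODE(shadow_mode):04o})")
    for line in shadow_text.splitlines():
        user, pw_field = line.split(":")[:2]
        algo = hash_algorithm(pw_field)
        if algo in WEAK_ALGORITHMS:
            findings.append(f"{user}: weak hash algorithm ({algo})")
    return findings


if __name__ == "__main__":
    for mode in (0o640, 0o644):
        print(f"shadow mode {mode:04o}:")
        for finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, mode):
            print("  -", finding)
```

The three checks correspond to the three ways the rule is usually broken in practice: a hash left behind in passwd by an old tool, a shadow file whose permissions were loosened during some repair, and accounts that were never rehashed after the system moved to a stronger algorithm.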


Anonymous User Accounts

• As a rule, every user account must be assigned to one person

• An account that is not assigned to one person is an anonymous account

• Regulations (excerpt):

– The user group must be identifiable from the name (e.g. course013, laboratory, measurement computer)

– Anonymous accounts may have only a minimum of functionality and must be justified

– In the Windows domain, set them up as local accounts only

– Name a responsible person

• Shared use of files is no reason to set up an anonymous account; that is done with access rights


Antivirus Service

Tasks of the Antivirus Service


Antivirus Service (1): Daily Tasks

• Monitor all messages from the distribution lists that carry virus information:

– CERT list

– BSI list

– Symantec list

• Check the websites of the antivirus software suppliers

• If new viruses have appeared, take the following steps:

– Check whether the antivirus software suppliers have made the respective virus definitions available

– If a virus definition is available: immediately check the AV servers and update them if necessary; immediately protect the mail gateway and the Exchange servers


Antivirus Service (2): Exceptional Cases, Critical Viruses

In the case of critical viruses (category 3): send out information describing the virus and its possible impact, state which signature version is needed, and send this information to the organizational units and working groups.


Antivirus Service (3): No Current Virus Definitions Available

• Immediately contact the AV software suppliers by phone and e-mail

• Immediately contact the Federal Office for Information Security (BSI) by phone and e-mail

• (Inform all administrators of the decentralized AV servers)

• Step up the permanent telephone support if necessary (virus hotline and staff)

• Check the websites of the AV software suppliers and the BSI continuously

• Check whether service packs or hotfixes give protection

• Send this information to the persons mentioned above

• Activate the hotfix service


Antivirus Service (4): Other Actions

• Check whether the firewall can block the impact

• Possibly switch off the mail servers

• Possibly cut the internet connection

• Possibly switch off network segments


Desktop Standards

Operating systems

Software

Processes

Hardware

Network services

Installation methods


Desktop Standards (1): Rules Related to Desktop PCs

Hardware Procurement
There is a framework contract partner for PCs, monitors, laptops, and accessories. Orders are entered automatically in the procurement system, and the administrative expenditure is minimized. Delivery, on-site setup, and installation of the systems with a basic system adapted to the site requirements are included in the procurement price.

Software Procurement
The procurement portal is fully integrated in the purchasing system, and the administrative expenditure of the site is minimized.


Desktop Standards (2): Rules Related to Desktop PCs

Operating System
A working group defines the operating system standards. This considerably reduces the installation and maintenance expenditure.

Office
Office communication standards are also defined by the IT working group, with the same effect on installation and maintenance expenditure.

Browsers
A working group defines the browser standards. Web applications must work properly with both standard browsers. For reasons of economic efficiency, exceptions can be made.


Desktop Standards (3): Rules Related to Desktop PCs

Active Directory Integration
A central directory service exists for the Windows PCs. The office communication services are based on it.

Antivirus Software
All desktops and laptops are integrated in the central antivirus domain, which allows central distribution of virus definitions.

Security Update Management
All Windows desktops and laptops are, or shall be, integrated in the central security update management. This ensures that security updates and other tested security-relevant software can be rolled out promptly. This service complements the central antivirus service.


Desktop Standards (4): Rules Related to Desktop PCs

Local Firewall
PCs and laptops that are on the intranet and at times in "foreign" networks must run a personal firewall. It must be configured so that only those incoming and outgoing connections are permitted that are required and explicitly requested by the user (default deny). This applies in particular to computers in "foreign" networks. If there is any uncertainty about product or configuration, the products supported by the site are to be used.

Password Regulations
The password regulations in force apply to all person-related user accounts, i.e. also to local users, on all operating systems.


Desktop Standards (5): Rules Related to Desktop PCs

LAN Coordination
The allocation and deletion of IP addresses are subject to regulations.

Name Conventions
Computer names (host names) and DNS names are subject to regulations, so that every computer can be identified unambiguously.

PC Service and Repairs
Repairs and installations are performed centrally. This reduces the costs and the expenditure associated with new installations and software maintenance.


How Are IT Standards and IT Solutions Developed?

[Organization chart; the text of its boxes is reproduced below, grouped as far as the slide layout can be recovered. The head of each body is given as N.N.]

PC Working Group
Composition: administrators of the organizational units, IT security commissioner, data protection commissioner
Tasks: specification of standards for each organizational unit (HW & SW); platform of information on and discussion of central or site-wide matters; preparation of decision papers for the IT Expert Group
Reports to the IT Expert Group (acts on behalf of the IT Expert Group)

Linux Working Group
Composition: administrators of the organizational units, security commissioner, data protection commissioner
Tasks: the Linux Working Group is an information and discussion platform for central or other Linux topics
Reports to the IT Expert Group (acts on behalf of the IT Expert Group)

IT Expert Group
Composition: IT experts from the organizational units, IT Security and Data Protection Commissioners
Tasks: specification of IT solutions and IT standards based on the reports of the various working groups, taking into account the interests of the organizational units; advice in the preparation of IT-related in-house agreements (e.g. an in-house agreement on … Art. 1 Subject … Art. 2 Purpose … with regulations for private e-mails, access from outside, remote support, …)
In cooperation with: Works Council, HR, data protection commissioner, and IT security commissioner
Reports to the Data Processing Commission (acts on behalf of the Data Processing Commission of the Scientific-Technical Council)

Data Processing Commission
Composition: appointed and elected members
Tasks: definition of site-wide regulations and recommendations based on the report; general decisions on the basis of the decision paper


Log-on / Log-off Services

Account, authorized: all (employees and others)

Data inventory: central database (based on process lists and information from the organizational units, also on external companies)

Account distribution: directory service for mail, RADIUS, SFU; export to various individual systems

Create account: manual

Name convention: family name (-V)

Decentralized administration: allowed

Delete account: log-off and change of registration, logical deletion after permit

Log-on concept: synchronization of log-on data among the various systems (one log-on for various services)


Central Database

The central database contains the relevant customer information. It is coupled to the directory service, the Exchange mail system, the telephone database, and the IP administration (QIP).


Agenda

• Desktop operation

• Mobile devices


Mobile Devices (1)

• Mobile devices (notebooks, PDAs) are frequently connected to various networks

– Intranet (directly or via VPN)

– Internet (at home)

– Intranet of another institution

• Risk of the intranet being infected by

– worms

– viruses

– Trojans

The infection is "carried across the firewall" on the device itself


Mobile Devices (2)

• Protection of mobile devices by:

– Anti-virus client

– Personal firewall

• "Sandbox" for selectively isolating certain applications from the network

• Partial IDS functionality

• Specific blocking or opening of ports

– Constant updating with security patches


Mobile Devices (3)

• Protection of confidential data in case the mobile device is stolen

– Hard disk encryption

– Use of encrypted "containers"

– Secure deletion of confidential data

• Take care when using USB sticks

– Potential infection of the computer with viruses (autostart, etc.)

– Risk of all data on the stick being copied onto the computer


Mobile Devices (4)

• Miscellaneous:

– Activate wireless interfaces only when needed:

• WLAN

• Bluetooth

• Infrared interface

• GSM / UMTS


Final Remark

Thank you for your attention


Copyright © Members of the ISSeG Collaboration, 2008. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
