May 9, 2013
Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitations can result in disrupted experiments, corrupted research data and/or completely compromised systems. UABIT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy). UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.
Windows XP will not be supported after April 2014. Windows versions prior to Windows XP and any version of Mac OS X prior to version 10.6 should be considered unsupported.
The information in this guidance statement applies to all constituents internal to UAB.
We recommend that systems running legacy, unsupported operating systems not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.
Unsupported legacy operating systems:
Windows XP after April 8, 2014
Mac OS X Family
Mac OS 9.x
OS X 10.5 (Leopard)
OS X 10.4 (Tiger)
OS X 10.3 (Panther)
OS X 10.2 (Jaguar)
Ubuntu 11.10 after May 9, 2013
Ubuntu 11.04 and Prior
Ubuntu 10.04.4 LTS
Debian 5.0 (lenny)
Debian 4.0 (etch)
Debian 3.1 (sarge)
Debian 3.0 (woody)
Other Unix OS
AIX prior to 6.1
Solaris prior to 9 (SunOS 5.9)
The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted, including embedded links, e-mail addresses or phone numbers.
Here are some of the common email subject lines we have seen in this spam campaign:
• FW: Company 2013 Report
• Incoming Wire Transfer Notification
• D&B iUpdate: Company Order Requested
• Department of Treasury Notice of Outstanding Obligation – Case ######
• Better Business Bureau Complaint Case #######
• Merchant Billing Statement
• ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)
Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.
UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.
BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the meantime, BitLocker should be installed using the non-enterprise setup method below.
Non-Enterprise BitLocker Setup
Recommendations for using BitLocker
- Set a password on the system BIOS
- TPM chip in the device
- You must take ownership of the TPM chip
- Before updating the BIOS, BitLocker must be suspended
- Escrow the key in some manner
- Professional/enterprise version of Windows
- Use a TPM + PIN authentication method
- System must be formatted NTFS with two volumes
Escrowing the key
With Windows 8, you may escrow the key in one of the following ways:
- Save the recovery key to a USB flash drive: This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
- Save the recovery key to a file: This method saves the recovery key to a network drive or other location.
- Print the recovery key: This method prints the recovery key, but it is not recommended.
It will be up to the department to maintain the escrow recovery keys.
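The recommendations above as one PowerShell sequence (an added example, not UAB IT's own procedure or script). It assumes Windows 8 Pro/Enterprise with the built-in BitLocker and TrustedPlatformModule modules, an elevated prompt, and a hypothetical escrow share \\fileserver.example\bitlocker-escrow that only the department's administrators can read.

```powershell
# Added example: non-enterprise BitLocker setup with TPM + PIN and file escrow.
# $EscrowDir is a placeholder; the file holds the recovery password in clear
# text, so restrict the share's ACL to the people allowed to recover the device.
$Mount     = 'C:'
$EscrowDir = '\\fileserver.example\bitlocker-escrow'   # hypothetical location

# 1. Prerequisite: a TPM that is present and ready (ownership already taken).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready; take ownership of the TPM first.'
}

# 2. Prerequisite: the system volume is NTFS.
if ((Get-Volume -DriveLetter $Mount[0]).FileSystem -ne 'NTFS') {
    throw "$Mount is not formatted NTFS."
}

# 3. Add a recovery password protector so there is a key to escrow.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$rps = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
         Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 4. Escrow every recovery password to a file before encryption starts.
$file = Join-Path $EscrowDir "$env:COMPUTERNAME-$($Mount[0]).txt"
$rps | ForEach-Object {
    '{0}  {1}  {2}' -f $env:COMPUTERNAME, $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $file -Encoding ASCII

# Read the file back; refuse to encrypt if the escrow copy is not there.
if (-not (Select-String -Path $file -SimpleMatch $rps[0].RecoveryPassword -Quiet)) {
    throw 'Escrow file could not be verified; BitLocker was not enabled.'
}

# 5. Enable encryption with the TPM + PIN protector. The local policy
#    "Require additional authentication at startup" must allow a startup PIN,
#    otherwise this call fails.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
Enable-BitLocker -MountPoint $Mount -TpmAndPinProtector -Pin $pin

# 6. Confirm the protectors and the encryption state.
Get-BitLockerVolume -MountPoint $Mount |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, KeyProtector

# Before a BIOS update, suspend protection for one reboot:
#   Suspend-BitLocker -MountPoint $Mount -RebootCount 1
```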
- Contracts for software and/or software maintenance, including renewals
- Professional services agreements for installation of software/systems
- Contracts where University data/information will be processed, hosted, or stored as part of the vendor's services (regardless of whether system is located at University or at the vendor's site)
- Contracts involving acceptance/processing of credit card transactions
- Contracts involving design, creation, maintenance, support, and/or hosting of any website/webpage
- Contracts involving personally identifiable information (PII) or personal health information (PHI) - does not include Health System Agreements which are managed by HSIS
- Cloud-based services of any kind
- Other similar contracts/agreements
- For most agreements the following two addendums will be added during the routing process. You can provide those addendums to your vendor in advance for their review and acceptance/signature prior to routing at UAB and include them in the routing packet.
- The general UAB Addendum (found on the Financial Affairs contract website) which covers information related to State, University, and Legal issues/clarifications. Any changes to the UAB addendum must be approved by University Contracts.
- The UAB Information Technology Addendum which covers additional confidentiality, information security, liability, and warranty language. Portions of the IT Addendum may be applicable to only certain agreements and that applicability is detailed in the various sections of the addendum. Any changes to the IT addendum must be reviewed and approved by UAB IT.
- For agreements that include HIPAA (health related information) a Business Associate Agreement (BAA) may also be required. For information related to the BAA see the UAB HIPAA website.
- For RENEWAL agreements: please ensure that a copy of the original, underlying, governing agreement that was previously executed between UAB and the vendor is included with the routing packet, including any subsequent addendums. If that original agreement included the IT Addendum and UAB Addendum, no additional language may be necessary as long as the renewal document references the original agreement and not a new document. If the original agreement did not include the IT Addendum, please have it reviewed/executed by your vendor and attach to the renewal agreement when routing.
- For NEW agreements: please ensure that a copy of the full, underlying, governing agreement (license, EULA, professional services, etc.) and any documents referenced in such agreement such as separate maintenance, support, privacy, statement of work, etc. (on a website or otherwise) are included with the routing packet. Submission of an order form, quote, schedule, etc. without the full underlying terms/conditions document will cause delays in the review process as those documents will be requested before the review can be completed. In addition, please have your vendor review/execute the UAB Addendum and UAB IT Addendums and attach them to the new agreement when routing.
- Standard Master Product/Services Agreement (and/or appropriate SOW)
- Professional Services Agreement (and/or appropriate SOW)
- Statement of Work - no hosting or processing of data
- Statement of Work - with hosting or processing services
The IT Administrator's view of Secunia is via the "Secunia CSI" Console. There are two subcomponents available.
- Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
- Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).
- UAB has a site license (currently through Fall 2013) for this software though there are license counts associated with the software and administrator accounts.
- Secunia PSI can only have 1 linkID per reporting subaccount!
- Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.
UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.
2. PSI Usage
If you are only worried about one or two systems (like a workstation), use the end user install of Secunia PSI.
3. CSI Usage
Full documentation is available at http://secunia.com/vulnerability_scanning/corporate
- Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
- Reporting (ad hoc or scheduled email): Several reports are available, including static URLs that you can include in existing webpages as a dashboard for system status.
- Integration with Secunia PSI;
- Patch deployment Integration with WSUS or SCCM; This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third party patches beyond Microsoft.
3.1 Getting Started with CSI
- Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
- Log in to the CSI Console with your assigned username and password. You can change your password at any time.
3.2 Downloading CSI Agent
Please note that a csia.exe download is bound to an account. If you end up with multiple accounts, please make sure to keep your csia.exe unique.
- Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
- Choose an installation methodology. At the end of this document is an example script that will run csia.exe using the
-NAME of the hostname as the "group" .
3.3 Downloading a Linked PSI Agent
PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date. Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.
- Go to Scan > PSI Integration > Download Custom PSI
- Create a unique LinkID for your area. This cannot be changed.
- Save the custom installer as PSISetup!
.exe; The name of the installer should not be changed.
3.4 Creating a shadow account
This is an account with the same reporting scope as an existing account.
- Navigate to User Management > Shadow Accounts
- Click New Shadow Account
- Name: Real Name
- Click "Generate Password"
- Select the level of access they need to have to your main account
- Read/Write (Can make changes/delete hosts/regroup systems)
- Read (Can view reports/system status)
3.5 Creating a subaccount
This is an account with a new reporting scope. This will not roll up into your main set of reports. This is useful for delegated responsibility situations such as labs. If you want someone else to have the same rights as you, create a shadow account!
- Navigate to User Management > Accounts
- Click New Account
- Name: Real Name
- Click "Generate Password"
4. Secunia CSI Login Scripts
This script is suitable for being used as a login script or as a scheduled task. Please share any suggested changes to this script.
' NAME: runsecunia.vbs
' DATE : 2/2/2011
' DATE : 5/1/2012 (updated)
' Runs the Secunia csia agent (different visibility scopes per user) and
' sets the site to the active OU
' 5/1/2012 - Updated Script to work with Secunia 5.0 Agent
' 2/2/2011 - Made csia execute in background.
' This default configuration assumes that the csia.exe file is
' in the "C:\Secunia\" folder and that logs are to be placed
' in the "C:\Secunia\logs" folder.
' It also configures the agent to check in every two days.
' This can be modified by adjusting the flag after the -i in secuniaCmd.
' Change these values where needed.
' SEC (AKA Chris Green) Login Script
'On Error Resume Next
'' full path to CSI Program
''const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
Const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory, Log will be username.sec
''const LogPath = "%ProgramFiles%\Secunia\logs\"
Const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
Const bInteractive = False
Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Overwrite the last instance of the logs
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
' 2 = ForWriting, True = create the file if it does not exist
Set objLog = objFSO.OpenTextFile(objLogPath, 2, True)
TimeStamp = Year(Now) & "-" & Month(Now) & "-" & Day(Now) & "-" & Hour(Now) & Minute(Now)
' Group name: the part of the computer name before the first dash,
' or "ADLogonScript" when the name contains no dash
ouGuess = "ADLogonScript"
idxDash = InStr(1, objNetwork.ComputerName, "-", 1) - 1
If idxDash > 0 Then
    ouGuess = Mid(objNetwork.ComputerName, 1, idxDash)
End If
objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.ComputerName & " on " & Now)
secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)
If bInteractive Then
    Set oExec = objShell.Exec(secuniaCmd)
    ' Wait for the scan to complete
    Do While Not oExec.StdOut.AtEndOfStream
        strText = oExec.StdOut.ReadLine()
    Loop
    objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.ComputerName & " on " & Now)
    objLog.Close
Else
    '' Close the output file, hide csia in the background
    ' The log must be closed first because cmd appends to the same file
    objLog.Close
    ' 0 = hidden window (vbHide is not a predefined VBScript constant)
    objShell.Run "cmd /c " & secuniaCmd & ">>" & objLogPath, 0
End If