April 12, 2017

Network monitoring

The University of Alabama at Birmingham provides network and Internet access for faculty, staff, students, and guests.

Due to Federal requirements such as the Communications Assistance for Law Enforcement Act (CALEA), the Family Educational Rights and Privacy Act (FERPA), the Higher Education Opportunity Act (HEOA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the University employs various measures to protect the security and availability of its information resources.

Users should be aware that their uses of University computer and network resources are not private.  While the University does not routinely monitor individual usage, it does monitor the normal operation and maintenance of the University's computing and networking resources including backup, logging of activity, the monitoring of general and individual usage patterns, and other such activities that are necessary for information security and the delivery of service.  In addition, the University reserves the right to review, monitor and/or capture any content residing on, or transmitted over, its computers or network at its sole discretion without prior notification or approval.

Vulnerability Management

A vulnerability is defined in the ISO 27002 standard as “a weakness of an asset or group of assets that can be exploited by one or more threats.”

Vulnerability Management (VM) is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc.

UAB’s Vulnerability Management (VM) program conducts routine scans of any devices connected to the UAB campus network resources to identify system and application vulnerabilities. Using the results of these scans, the Vulnerability Management team works with information security liaisons, business units, and system owners to implement remediating actions defined by the UAB Vulnerability Management Rule.

UAB Vulnerability Management Team performs routine vulnerability scans on all campus IP addresses at a minimum of once a month unless the UAB Chief Information Security Officer has approved a do-not-scan exception. Vulnerability scans occur at a minimum on a monthly basis for all production and Internet facing systems, or systems processing data classified as sensitive or restricted.

UAB Vulnerability Management Team additionally performs vulnerability scans at any time when an information system or application has major changes, coding changes, network architecture changes, or upgrades.

Vulnerability scans occur prior to implementing firewall rules that permit a system or application to become Internet facing. Further, vulnerability scans occur in support of the UAB incident response and recovery process prior to permitting Internet access to a previously compromised system.

The table below describes many of the predefined circumstances in which vulnerability management and penetration testing activity is required, and the minimum frequency of these activities.

Circumstances                                                   | Minimum Frequency (VM) | Minimum Frequency (PT)
All campus IPs as normal production operation                   | Monthly                | Annually
Any systems containing or processing sensitive/restricted data  | Monthly                | Annually
New system prior to becoming Internet facing                    | As Needed              | As Needed
Major change with existing information system                   | As Needed              | As Needed
Emerging threat due to newly discovered vulnerability           | As Needed              | N/A
Incident response and recovery                                  | As Needed              | As Needed
Required by applicable regulations or standards                 | As Prescribed          | As Prescribed

Penetration Testing

Penetration Testing (PT) is an internal, non-destructive hacking and exploitation process designed to identify and use vulnerabilities in information technology (IT) to simulate how hostile actors may seek to gain access to resources on the UAB network or affiliated systems. The results of this testing are then used to correct vulnerabilities and harden systems against tampering. Penetration Testing includes network probing, port scanning, exploitation, web application testing, and other techniques, depending upon the needs of the individual test.

UAB’s PT program works with information security liaisons, business units, and system units to plan and schedule targeted security testing of specific devices. The results of the testing are used to reduce or remove potential attack vectors and evaluate the security strength of the system.

The UAB PT team performs penetration tests on a scheduled basis. The timing, methodology, targets, and objectives of the penetration test are dependent upon the Rules of Engagement and scope as defined, drafted and agreed upon by the system owners and PT team.

Penetration tests are executed annually for critical systems or those hosting Restricted and/or Sensitive data. Penetration testing occurs on all production and Internet facing systems no less frequently than on an annual basis. Additionally, penetration tests may be requested as needed, and are mandatory before the deployment of new systems and applications or following major changes, service rollouts, or system upgrades to existing systems and applications.

Remediation

While conducting university business on the UAB network, vulnerabilities must be remediated. For new systems, vulnerability scans and penetration tests with remediation must occur prior to production authorization. Any existing system must have vulnerability scanning and penetration testing after major changes in configuration (network, system, or application), and all identified issues must be remediated prior to task closure.

This includes technical vulnerabilities related to security configuration of devices, and security updates for the operating system and all software applications. Take steps as advised by the Enterprise Information Security Office (EISO) VM/PT Program Team to remediate the vulnerabilities identified.

Remediation may include one or more of the following:

  • Patching or upgrading vulnerable software (the plan should include testing the patch/upgrade)
  • Replacing the vulnerable software with a different product
  • Consolidating or moving to a more controlled environment
  • Changing the system configuration:
    • Uninstalling, disabling or turning off the vulnerable service
    • Uninstalling or disabling a specific vulnerable feature or capability within the service
  • Setting, changing or using a more complex password
  • Limiting access using a firewall or filter
  • Increasing monitoring to detect anomalies
  • Raising awareness of the vulnerability with your users

Depending on the urgency with which the vulnerability needs to be addressed, the actions taken should be carried out as directed by the EISO, according to university security policies, rules, standards, procedures, and other escalation processes. UAB Information Security follows any specific requirements of any applicable regulations or standards to ensure that all issues are addressed appropriately.

Requesting Vulnerability Management or Penetration Testing Services

To request the services of the Vulnerability Management Program or the Penetration Testing Program, please submit a service ticket through the UAB IT service catalog at uab.edu/askit. These requests are reviewed and initial engagement should begin within two business days. Fulfillment occurs based upon accepted scoping, rules of engagement, and deliverables to be reported by the authorized requestor.

September 22, 2016

Passphrase vs. Password

Passwords are the first line of defense against cyber-attacks.

Creating a safer password
Here are some general rules for creating a safer password:
  • Change your password frequently. People hate to hear this tip, but the fact is that most passwords will not be “cracked” or “guessed”; they will be stolen from an infected machine or a compromised website.  Changing your password often gives an attacker a shorter period of time to use your compromised password.
  • Do not reuse old passwords. When you change your password, consider the old one retired; attackers typically keep collections of old passwords that they routinely test in the hopes that someone reused them.
  • Make passwords unique. Add something to your password that customizes it and makes it different for each website or service account you use so a compromised password only works on the compromised site.
  • Create strong passwords. The longer a password is, the longer it takes an attacker to guess it; with current technology, an attacker can guess EVERY combination of an eight-character password in 6 hours.  You should use passwords that use different character types including upper/lower-case, numbers and symbols.
  • Avoid obvious dictionary words. Anything related to your normal life (job, hobbies, pet names, etc.) should be excluded from your passwords.  An attacker might build a dictionary that is custom tailored to contain words related to information they gathered about you.

Creating a passphrase

One way to apply these rules is to use a passphrase instead of a password. Here is one way to create one:
  • Start with a long phrase that you'll remember. This can be anything — such as a favorite song, poem or title. For example, we'll use a line from the UAB Alma Mater:
          Praise to thee our UAB
  • Make some memorable changes to the passphrase. In our example below, we removed the spaces, added a symbol, and replaced the word "to" with the number "2."
          praise2theeourUAB!
  • Make the password unique and memorable. Returning to our example, we'll add the first three letters of the web site where the passphrase will be used and something different like the number of letters in the name.
          apple.com = App5praise2theeourUAB!
          facebook.com = Fac8praise2theeourUAB!
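
To put the length rule in numbers, the following added example (not part of the original article) turns the "eight character password in 6 hours" figure quoted above into a guess rate and applies it to the example passphrases. It assumes that figure covers all 95 printable ASCII characters; the function names and the eight-character sample password are constructed for illustration.

```python
import string

# Assumption (not from the article): the 6-hour figure for eight characters
# refers to the full set of 95 printable ASCII characters.
PRINTABLE = 95
GUESSES_PER_SECOND = PRINTABLE ** 8 / (6 * 3600)  # about 3.07e11

# Character classes and how many symbols each adds to the search alphabet.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation + " ", 33),
}

def character_classes(password):
    """Return the names of the character classes the password uses."""
    return [name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)]

def alphabet_size(password):
    """Size of the smallest alphabet an exhaustive search must cover."""
    return sum(CLASSES[name][1] for name in character_classes(password))

def exhaustive_search_hours(password):
    """Hours to try every string of this length over the password's alphabet."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / 3600

def report(passwords):
    """One row per password: text, length, classes used, hours to exhaust."""
    return [(pw, len(pw), character_classes(pw), exhaustive_search_hours(pw))
            for pw in passwords]

if __name__ == "__main__":
    # "Tr0ub4d!" is a constructed eight-character sample; the other two are
    # the article's own example passphrases.
    samples = ["Tr0ub4d!", "praise2theeourUAB!", "App5praise2theeourUAB!"]
    for pw, length, classes, hours in report(samples):
        print(f"{pw:24} len={length:2} classes={'/'.join(classes):24} "
              f"{hours:.3g} hours ({hours / 8766:.3g} years)")
```

These numbers are the cost of trying every combination, so they are an upper bound on attacker effort. Guessing from a dictionary of known phrases needs far fewer attempts, which is why the steps above change the phrase rather than using it verbatim.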

September 22, 2016

PhishMe

One of the most effective ways for a cyber-attacker to compromise an organization’s cyber resources is to gain unauthorized access by compromising an account through phishing emails. In fact, industry experts report that 91 percent of all breaches start with phishing emails.  If such an email lands in a UAB inbox, we are just a few clicks away from having UAB’s security compromised.  This means UAB students, faculty and staff are all an integral part of our information security posture.

In an effort to allow our users to become familiar with, and more resilient to, tactics used in real phishing attacks, UAB Information Security will be working with PhishMe Inc. to send out fake phishing emails to our students, faculty and staff that imitate real attacks. These emails are designed to give you a realistic experience in a safe and controlled environment.

Please note that we will neither receive nor store any passwords, there is no penalty for falling victim to one of the simulations, and victimized users will not be singled out.  However, we do ask users who have fallen victim to the phishing email to take 30-60 seconds to review the educational material that is presented after falling victim to one of the simulated attacks.
September 22, 2016

Keeper password manager

Keeper is a password management application. It stores your login credentials for different websites so they are easily accessible to you while still being stored securely when not needed. Instead of having to remember all of your login credentials, you only need to remember the one master password for your Keeper Vault.

Keeper is available to UAB staff, students and faculty. It is not available to UAB Hospital staff at this time.

Register with Keeper.
To create a Keeper account and start your vault:
  • Register with Keeper here.
  • Create a master password that is not the same as your BlazerID password. When creating your Master Password, Keeper requires a 15-character password length with one special character (e.g. !@#%), one uppercase letter, one lowercase letter and at least one number. Ideas for secure passwords are available here. Note: Your browser may prompt you to save your Keeper Master Password. NEVER allow the browser to save your Keeper password.
  • To complete the registration process, you will need to enter your @uab.edu email address, and set a Master Password along with a "Security Question and Answer."  Keeper offers you the ability to choose between one of their security Q&A or you can create your own.
  • Next you must accept the terms of use and click "Create Account."
NOTE: You must use your BlazerID@uab.edu email address, not ALIAS@uab.edu. Verify you are entering the correct information by checking Blazer 411 here.

Browser extensions
Install the browser extensions available for Chrome, Firefox, Safari & Internet Explorer here. These extensions allow Keeper to automatically create entries in your vault for credentials you enter into different websites. They also allow Keeper to automatically enter credentials for sites for which you have saved entries. For example: If you have saved credentials for Facebook in your Keeper Vault, Keeper will offer to enter those credentials when you visit Facebook.com.

Keeper Vault
Download the Keeper Vault for your Desktop (Mac, Windows, Linux) from here

Keeper App
Download the Keeper App for your mobile devices.

  • Tutorials, Quick Start Guides, and 24/7 support & live chat are available here.
  • The UAB Keeper User Guide is available here.
January 31, 2013

IT Security Newsletters

Monthly Training Newsletters

UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats.  Each month a newsletter will be released focusing on new and different cyber security threats.  Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems.

If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu, or by phone at 205-996-5555.  Please be sure to provide the following information:

  • Issue/symptoms
  • Error messages
  • Computer make and model
  • Internet connection type
  • PGP installer version
  • Estimated time of occurrence (if possible)

Common Solutions to Installation Issues

  1. Verify that you are an administrator of the system on which you are attempting to install PGP. 
  2. Open your web browser and ensure that you have Internet connectivity by opening a website.
  3. Be sure that you have a current installation package for PGP Desktop.  Visit www.uab.edu/it/software for the latest installation files.
  4. Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.

Common Solutions to Password Related Issues

  1. Verify that Caps Lock is not on while authenticating.
  2. If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
  3. If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device.  A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.

Common Solutions to Boot/Startup Related Issues

  1. Ensure that a keyboard is connected to the system.  Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
  2. Remove any CDs, DVDs or USB drives from the system.  Many of these devices have features that allow them to start before the system hard drive.
  3. Does the system have multiple operating systems or Dell Media Direct?  If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive.  Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
  4. See the PGP Recovery documentation for further support.