The University continually develops, maintains and improves its information technology (IT) infrastructure and applications to support the creation, storage, modification and sharing of data. These IT systems are essential to the efficient and effective operation of the University. The University, therefore, has a responsibility to institute appropriate safeguards to keep its IT systems and information assets secure. In addition, the University must comply with various regulatory requirements that are also designed to keep certain types of data secure and confidential.

The security of IT systems and information assets depends on the individuals who manage such resources as well as the individuals who use them. The University is committed to supporting the principles of academic freedom and the free exchange of ideas, and the University's information security policies and programs are intended to support those principles while still maintaining an appropriate level of security.

The goals of this security program are to:

  • Protect the University's IT systems and information assets from unauthorized access, alteration, disclosure or destruction.
  • Ensure the reliability and availability of the University's IT systems and information assets.
  • Ensure the privacy of faculty, staff and student information and that of other University customers or associates.
  • Identify and prevent identity theft.
  • Protect the reputation of the University and ensure compliance with federal and state laws and regulations.
  • Establish resources and guidelines that allow all individuals within the University community to practice good data stewardship.

The components of this security program include:

  • Policies – reviewed and approved through the Information Security Advisory Committee and the University-Wide Policy Development Process
  • Standards, guidelines, and procedures which support and carry out the related Policies – reviewed and approved by the Information Security Advisory Committee
  • Awareness & Communication – ensuring the policies and related standards, guidelines, and procedures are adequately shared and communicated to the University community.

Purpose

Computer systems running vendor-unsupported or end-of-life operating systems are potential security threats to the UAB campus network. Vendors do not provide security patches for unsupported systems, and these unpatched systems can be exploited by attackers. Such exploitation can result in disrupted experiments, corrupted research data and/or completely compromised systems. UAB IT reserves the right to disconnect these computers from the campus network to mitigate this data breach risk (see UAB’s Acceptable Use of Computer and Network Resources policy). UAB system administrators are responsible for maintaining the security of all information systems, per the campus Data Protection and Security Policy, which includes updating applications and operating systems.

Any operating system prior to Windows Vista, Server 2008, and Mac OS X 10.8 should be considered unsupported. 

Scope

The information in this guidance statement applies to all constituents internal to UAB.

Guidance

We recommend that systems running legacy, unsupported operating systems not be used. They should be disconnected from the network because of the significant security risk to the university’s network and environment. If the device is critical and cannot be turned off or disconnected, the device should be physically isolated from the university network. If disconnection and/or isolation are not possible, then an exemption and risk acceptance form will need to be completed, signed by the appropriate dean or vice president, and filed with Enterprise Information Security.

Unsupported legacy operating systems:

Windows Family

  • Windows 95/98/ME
  • Windows 2000
  • Windows 2003
  • Windows XP as of April 2014
  • Windows 2000 server
  • Windows Server 2003 as of July 2015

Mac OS X Family

  • Mac OS X 10.7 (Lion)
  • Mac OS X 10.6 (Snow Leopard)
  • OS X 10.5 (Leopard)
  • OS X 10.4 (Tiger)
  • OS X 10.3 (Panther)
  • OS X 10.2 (Jaguar)
  • Mac OS 9.x

Linux Distributions

  • Ubuntu 14.10
  • Ubuntu 13.10
  • Ubuntu 13.04
  • Ubuntu 12.10
  • Ubuntu 11.10
  • Ubuntu 11.04 and Prior
  • Ubuntu 10.10
  • Ubuntu 10.04
  • Ubuntu 10.04.4 LTS and Prior
  • Debian 5.0 (lenny)
  • Debian 4.0 (etch)
  • Debian 3.1 (sarge)
  • Debian 3.0 (woody) and Prior
  • Red Hat Enterprise Linux 6.5 after Nov. 30, 2015
  • Red Hat Enterprise Linux 6.4 and Prior
  • Red Hat Enterprise Linux 5.9 and Prior
  • Red Hat Enterprise Linux 4.7 and Prior
  • Oracle Linux 4.4 and Prior

Other Unix OS

  • AIX prior to 6.1
  • Solaris prior to 9 (SunOS 5.9)
  • FreeBSD 8.4 and Prior (as of Aug. 1, 2015)

 

Questions can be directed to datasecurity@uab.edu or by calling (205) 975-0842.

 

References

http://sppublic.ad.uab.edu/policies/pages/LibraryDetail.aspx?pID=38

http://support.microsoft.com/gp/lifeselect

http://www.debian.org/releases/

https://wiki.ubuntu.com/Releases

http://www-01.ibm.com/software/support/aix/lifecycle/index.html

http://www.sun.com/service/eosl/eosl_solaris.html

http://www.computerworld.com/s/article/9229784/Mac_users_left_wondering_if_OS_X_Snow_Leopard_s_retired

https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates

http://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf

http://www.oracle.com/us/support/library/elsp-lifetime-069338.pdf

http://www.freebsd.org/security/

UAB Information Security recently discovered a new spam campaign in which users are tricked into opening an email attachment that contains a virus aimed at stealing passwords and financial information. As with any suspicious email messages you may receive, please report them to askit@uab.edu for inspection.

The recent spam email messages are crafted to look like they came from one of several legitimate companies such as Chase Bank, the Better Business Bureau (BBB), Department of Treasury, Dun & Bradstreet Financial Services or a wire transfer company. You should be aware that these emails are forged and that none of the information included in the email can be trusted, including embedded links, e-mail addresses or phone numbers.

Here are some of the common email subject lines we have seen in this spam campaign:

  • FW: Company 2013 Report
  • Incoming Wire Transfer Notification
  • D&B iUpdate: Company Order Requested
  • Department of Treasury Notice of Outstanding Obligation – Case ######
  • Better Business Bureau Complaint Case #######
  • Merchant Billing Statement
  • ACTION REQUIRED: A document has arrived for your review/approval (Document Flow Manager)

Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.

UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.

BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the meantime, BitLocker should be installed using the non-enterprise setup method below.

Non-Enterprise BitLocker Setup

Recommendations for using BitLocker

    • Set a password on the system BIOS
    • TPM chip in the device
    • You must take ownership of the TPM chip
    • Before updating the BIOS, BitLocker must be suspended
    • Escrow the key in some manner
    • Professional/enterprise version of Windows
    • Use a TPM + PIN authentication method
    • System must be formatted NTFS with two volumes

Escrowing the key

With Windows 8, you may escrow the key in one of the following ways:

  • Save the recovery key to a USB flash drive
    This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
  • Save the recovery key to a file
    This method saves the recovery key to a network drive or other location.
  • Print the recovery key
    This method prints the recovery key, but it is not recommended.

It will be up to the department to maintain the escrow recovery keys.
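
The recommendations and escrow requirement above can be spot-checked on a device before it is handed to a user. The following is an added example, not UAB's or Microsoft's own code; the function name `Test-BitLockerRecommendation` is hypothetical, and it assumes the built-in BitLocker, TrustedPlatformModule and Storage cmdlets that ship with Windows 8.

```powershell
# Added example: audit the local OS volume against the BitLocker recommendations above.
# Run from an elevated PowerShell session on Windows 8 or later.
# Test-BitLockerRecommendation is a hypothetical helper name, not a built-in cmdlet.
function Test-BitLockerRecommendation {
    $drive = $env:SystemDrive                               # e.g. "C:"
    $tpm   = Get-Tpm                                        # TrustedPlatformModule module
    $blv   = Get-BitLockerVolume -MountPoint $drive         # BitLocker module
    $vol   = Get-Volume -DriveLetter $drive.TrimEnd(':')    # Storage module
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem

    # Key protector types on the OS volume as strings (Tpm, TpmPin, RecoveryPassword, ...)
    $types = @($blv.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [ordered]@{
        'TPM chip present'                   = [bool]$tpm.TpmPresent
        'TPM ownership taken'                = [bool]$tpm.TpmOwned
        'Professional/Enterprise edition'    = ($os.Caption -match 'Pro|Enterprise')
        'OS volume formatted NTFS'           = ($vol.FileSystem -eq 'NTFS')
        'OS volume fully encrypted'          = ($blv.VolumeStatus.ToString() -eq 'FullyEncrypted')
        'Protection on (not suspended)'      = ($blv.ProtectionStatus.ToString() -eq 'On')
        'TPM + PIN protector configured'     = ($types -contains 'TpmPin')
        'Recovery password exists to escrow' = ($types -contains 'RecoveryPassword')
    }
}

# Not checked here: the BIOS password, the two-volume layout, and where the
# department actually stored the recovery key. Verify those by hand.
$results = Test-BitLockerRecommendation
foreach ($check in $results.GetEnumerator()) {
    $state = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $check.Key)
}
```

A `FAIL` on "Protection on" is expected while BitLocker is suspended for a BIOS update; re-run the check after protection is resumed.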

Installation instructions can be found here

January 31, 2013

IT Security Newsletters

Monthly Training Newsletters

UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats.  Each month a newsletter will be released focusing on new and different cyber security threats.  Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems. 

UAB & National Cybersecurity Awareness Month 2012

During National Cybersecurity Awareness Month this year, UAB IT is sponsoring a series of presentations on cybersecurity topics of interest.  Please join us for any or all of the four sessions throughout the month of October.  Our hope is that you gain a better understanding and awareness of cybersecurity as it pertains to UAB, our country and the world.

The following sessions are open to all faculty, staff and students at UAB, and their invited guests.  All will begin at noon, with the exception of October 31st, which will begin at 1 p.m.

Registration is currently available for all sessions.  Please bring your lunch; cookies and soft drinks will be provided at each session. 

| Date | Time | Location | Topic | Presenter |
|---|---|---|---|---|
| October 3, 2012 | Noon | Center for Teaching & Learning (EB238, room 243) | Cybersecurity Law and Current Issues | Jim Phillips, AUSA (retired) |
| October 10, 2012 | Noon | Hill University Center Alumni Auditorium | Countering the Cyber Threat with Intelligence Analytics | John Grimes, J.D., Assistant Professor, UAB |
| October 24, 2012 | Noon | West Pavilion, room D | To Be Announced | To Be Announced |
| October 31, 2012 | 1 p.m. | Cudworth Hall (CEC) Auditorium | Tales from the FBI on Cybersecurity | Todd Berryman, FBI Special Agent & Cybersecurity Squad Leader |

Posted on 9/20/2012 10:50:00 AM