Risk Analysis

UF policies recommend that each unit conduct a risk analysis at least once a year. Repeating the analysis will show where new technologies, new facilities, and new understanding of the unit have created or highlighted risks which weren't included previously. The Fiscal Year turnover may be a good time to schedule this work, since there is usually a freeze on purchases which provides down-time from constant hardware deployments and upgrades.

Map your network, both physically and logically. In order to find and correct problems, you must know what things are connected where and how. A simple logical network map can usually be drawn in a couple of minutes and looks like this:

[Figure: sample logical network map]

List your assets, from servers to printers and all of the desktops and laptops in between. Property Services' database has all of the items costing $1000 or more which belong to your organization's account, but there are usually many more items which are under $1000, or were purchased as add-ons to decaled orders, which aren't listed. Also, unless you work with Property Services on updates, the descriptions and serial numbers may range from non-existent to misleading.
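One way to do that reconciliation, as an added example that is not part of the original page: a small Python script which matches the unit's own asset list against an export of the Property Services records by serial number and sorts the differences into the cases described above. The record layout, the field names, and the assumption that Property Services lists only items at or above $1000 are mine; the sample rows are constructed, not real inventory.

```python
"""Reconcile a unit's own asset list against a Property Services export.

Added example, not from the CLASnet page.  Record layout, field names and the
$1000 threshold behaviour are assumptions: Property Services is taken to list
only items costing $1000 or more, and both sides are keyed by serial number.
"""
from dataclasses import dataclass

PS_THRESHOLD = 1000.00  # assumed: the central database only carries items at or above this cost


@dataclass(frozen=True)
class Asset:
    serial: str
    description: str
    cost: float
    location: str


def norm_serial(serial: str) -> str:
    """Serial numbers are typed by hand on both sides; ignore case, spaces and dashes."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def reconcile(local: list[Asset], central: list[Asset]) -> dict[str, list]:
    """Compare the unit's list (local) with the Property Services export (central).

    Buckets:
      expected_unlisted    under the threshold and absent from central: fine, but keep it locally
      missing_from_central at/above the threshold yet absent: follow up with Property Services
      description_mismatch same serial, different description: get the central record fixed
      unknown_to_unit      central has it, the unit does not: find it or report it
    """
    local_by = {norm_serial(a.serial): a for a in local}
    central_by = {norm_serial(a.serial): a for a in central}

    report: dict[str, list] = {
        "expected_unlisted": [],
        "missing_from_central": [],
        "description_mismatch": [],
        "unknown_to_unit": [],
    }
    for key, a in local_by.items():
        c = central_by.get(key)
        if c is None:
            bucket = "expected_unlisted" if a.cost < PS_THRESHOLD else "missing_from_central"
            report[bucket].append(a)
        elif a.description.strip().lower() != c.description.strip().lower():
            report["description_mismatch"].append((a, c))
    for key, c in central_by.items():
        if key not in local_by:
            report["unknown_to_unit"].append(c)
    return report


# Constructed sample data (not real inventory).
LOCAL = [
    Asset("SN-1001", "Dell PowerEdge file server", 4200.00, "Rolfs 109"),
    Asset("sn 1002", "HP LaserJet printer", 650.00, "Rolfs 110"),
    Asset("SN-1003", "Dell desktop", 1100.00, "Rolfs 111"),
    Asset("SN-1004", "Switch bought as an add-on to the server order", 900.00, "Rolfs 109"),
    Asset("SN-1005", "Laptop", 1500.00, "checked out"),
]
CENTRAL = [
    Asset("SN1001", "dell poweredge file server", 4200.00, "Rolfs 109"),
    Asset("SN1003", "Computer", 1100.00, "Rolfs 111"),
    Asset("SN1009", "Projector", 2000.00, "Rolfs 112"),
]

if __name__ == "__main__":
    for bucket, items in reconcile(LOCAL, CENTRAL).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run once a year against a fresh export; the "unknown_to_unit" bucket is the one that usually turns up machines nobody remembers, and "missing_from_central" is where add-on purchases that never got a decal end up.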

Know your vulnerabilities. Everyone is vulnerable to a variety of attacks. You have to know what they are in order to mitigate (you can never fully eliminate) the risks from those attacks. Below are common vulnerabilities and mitigation techniques, not all of which apply to every network.

Vulnerability: Mitigation technique(s)

Logged-in user: Log off, or lock your machine, every time you leave the machine alone. Failure to do so can allow any person to send email as you, or modify your files.
No password: Every machine should be configured to require a username and password to log in after every restart.
Password guessing: Use a password checking script and dictionaries on newly generated passwords and when users change their passwords.
Network sniffing: Don't use plain-text authentication. Replace telnet with ssh, ftp with ftps (or sftp), and plain IMAP and POP with IMAP and POP over SSL. Use hashed (challenge-response) authentication rather than plain-text passwords for Windows server logins as well.
Shared passwords: Make an account for every user, and enforce Florida laws prohibiting the sharing of account information.
Stale accounts: Accounts which are not actively in use are targets for attacks which can go unnoticed for long periods of time. Each department needs to determine how to classify account holders as departed, and check at least once a semester for unnecessary accounts. The university policy recommends removing accounts whenever a user is no longer affiliated with your department.
Privileged access: Administrator privileges and special-access accounts should be given only on an as-needed basis. Many departments do not even allow privileged rights on the user's own office desktop computer. Any login or activity by a privileged user should be logged and auditable.
Remote access: Only servers should have any remote access services running, and they should be secured against common attacks. Any client machine which runs remote-access software is in violation of the network connection policy unless its owner has both declared the machine as a server and complies with the CLAS server network connection policy.
Operating system bugs: Subscribe to notification lists and apply new patches for bugs in your operating system.
Viruses & trojans: Install anti-virus software on every machine, and on the email server, and keep the engine and definitions up to date.
Social engineering: Train users never to give their account information to anyone; IT staff don't need it, and no one else should even ask.
Physical access: Lock the offices, labs and other spaces when no one is present.
Physical security: See the CLASnet physical security page.
Disasters: Create a disaster recovery plan which includes data backup and retention policies, off-site data storage, and plans for working without access to all of your normal personnel and equipment.
Hard disk failure: Have clients store data on the server, and back the servers up to tape or other drives.
Loss (theft, damage, etc.) of computers: Make backups of data and preferences, and keep installation media for operating systems and software in a secure location.
Malicious employees: Make backups of data, and have policies which require independent verification of the backup by multiple people. Institute asset and data management policies which require oversight and redundant personnel to manage both data and assets. Audit your policies and procedures, and compare them to what is actually being done.
Software licensing: The university and CLAS have policies prohibiting the use of unlicensed software. Departments should adopt similar written, published policies and inform all users. If feasible, perform software audits on individual computers and compare the results against centrally managed license records.
While some users may install unlicensed software despite these policies, the written policies should protect the administrator from liability as long as there is a pattern of trying to do the right thing. Conversely, if it comes out that administrators knew about pirated software and turned a blind eye, they can be, and have been, held liable during software audits.
Laptops: Because laptops travel frequently, they are more exposed to viruses and less likely to stay on the network for regular patches and updates. CLAS has an ePolicy Orchestrator server and a Windows patch server which laptops can connect to for updates whenever they're on the network. Laptop users need additional training on safety and updates for their machines, since they will have to be more active in the upkeep.
Private machines: Personally owned machines may be allowed onto CLAS networks at the discretion of individual departments. Owners must be apprised of the requirements for keeping their machines secure, per the CLAS network connection policy. As with laptop users, private computer owners will have a heavier onus on them to keep their machines secure.
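As an added example of the password checking script the table recommends under "Password guessing" (not code from the CLASnet page), here is a Python check that runs a candidate password through the transformations a cracker tries first (case folding, undoing letter-for-symbol substitutions, stripping appended digits and punctuation, reversal) before looking the results up in a word list. The word list is a tiny constructed stand-in for a real dictionary file, and the minimum length, the substitution table and the username rule are assumptions a unit would adjust to its own policy.

```python
"""Dictionary-based password check of the kind the table recommends.

Added example, not code from the CLASnet page.  WORDLIST is a constructed
stand-in for a real dictionary file; MIN_LENGTH, the substitution table and
the username rule are assumptions to be tuned to the unit's policy.
"""
import re

# Constructed stand-in for a dictionary file.  In practice load a system word list
# or a cracking wordlist, one lower-cased word per line, into this set.
WORDLIST = {"gator", "gators", "florida", "password", "summer", "welcome", "letmein", "admin"}

# Undo the substitutions users make to "disguise" a dictionary word (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # assumed policy minimum


def candidate_forms(password: str) -> set[str]:
    """Every dictionary lookup to try for one password: lower-cased, de-leeted,
    with leading/trailing digits and punctuation stripped, and each of those reversed."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    # "summer2006!" -> "summer": crackers append a year or a symbol, so strip them off
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}
    forms |= {f[::-1] for f in forms}          # "rotag" -> "gator"
    return {f for f in forms if f}


def check_password(password: str, username: str = "", wordlist: set[str] = WORDLIST) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    hits = sorted(form for form in candidate_forms(password) if form in wordlist)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates of the kind users actually submit.
    for pw, user in [("Gators2006!", "jsmith"), ("p@ssw0rd", "jsmith"),
                     ("jsmith99xx", "jsmith"), ("aaaaaaaaaa", "jsmith"),
                     ("Rolfs-109-bluechair", "jsmith")]:
        result = check_password(pw, user)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Hook `check_password` into whatever sets or changes passwords (a PAM module, a web form, or a script run over newly generated accounts) and refuse the change when the list is non-empty; the returned reasons can be shown to the user so the rejection is actionable rather than mysterious.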


Last updated: Apr 28, 2006 (12:16:29 PM EDT)
URL: http://www.clasnet.ufl.edu/security/ism/templates/risk-analysis.shtml

College of Liberal Arts & Sciences
CLASnet

109 Rolfs Hall
PO Box 117300
Gainesville FL 32611
 
Contact: CLASnet
Phone: (352) 846.1990
FAX: (352) 846.1995