Security

Host Intrusion Prevention (RIT-owned/leased computers only)

Host Intrusion Prevention (RIT-owned/leased computers only)

Note: This requirement applies only to RIT-owned and leased computers. There is currently no requirement for personally-owned machines to run host intrusion prevention.

Currently, personal networking devices used on the RIT residential network (such as routers, switches, etc.) do not need to meet the Network Security Standard. Resnet has created separate guidelines for Using a Router/Wireless Router on the RIT Network.

The following products have all been tested by the Information Security Office and approved for use on RIT-owned/leased computers.

Recommended Host-based Intrusion Prevention Software

Server

Program

Description

OSSEC

Open source intrusion detection (multiple platforms) (ISO-tested). Active protection feature must be enabled.

McAfee HIPS

Desktop and server intrusion prevention (Windows) (ISO-tested)

Bit9

Application whitelisting (Windows) (non ISO-tested)

Cimcor

Protects against unauthorized changes (Server and Network) (non ISO-tested)

Tripwire (commercial version)

Configuration assessment and change auditing (Desktops and Servers; VMware coming) (non ISO-tested)

Desktop

Program

Description

OSSEC

Open source intrusion detection (multiple platforms) (ISO-tested). Active protection feature must be enabled.

McAfee HIPS

Desktop intrusion prevention (Windows) (ISO-tested)

Comodo

Internet Security Suite (ISO-tested)

Online Armor - Tall - Emu

Firewall (ISO-tested)

E-mail us at infosec@rit.edu if you have any questions or suggestions.

Mobile Devices

Mobile Devices

Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.

There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information. 

Private Information and Mobile Device Use

We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.

To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest. 

Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.

General Guidelines for Mobile Device Use at RIT

Understand your device

  1. Configure mobile devices securely. Depending on the specific device, you may be able to:
    1. Enable auto-lock. (This may correspond to your screen timeout setting).
    2. Enable password protection.
      1. Use a reasonably complex password where possible.
      2. Avoid using auto-complete features that remember user names or passwords.You may want to use a password safe application where available.
    3. Ensure that browser security settings are configured appropriately.
    4. Enable remote wipe options (third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
  2. Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  3. Ensure that sensitive websites use https in your browser url on both your computer and mobile device.
  4. Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
  5. Use appropriate sanitation and disposal procedures for mobile devices.

Use added features

  1. Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  2. Install an antivirus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  3. Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.

General tips                

  1. Never leave your mobile device unattended.
  2. Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
  3. Include contact information with the device:
    1. On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."Engraved on the device. Inserted into the case.
  4. For improved performance and security, register your device and connect to the RIT WPA2 network where available.

Media Disposal Recommendations

Media Disposal Recommendations

Media

Disposal Method

Paper

Use a shredder. Crosscut is preferred over a strip shredder.

CD, DVD, diskette, etc.

Use the media shredder (located at the ITS HelpDesk, 7B-1113).

Hard Drives

If the hard drive is to be reused, contact your support organization for recommendations for secure erasure.

If the hard drive is damaged or will not be reused, render the hard drive unreadable by using the degausser (located at the ITS HelpDesk, 7B-1113).

Tapes

Use the degausser (located at the ITS HelpDesk, 7B-1113).

Other

Use an industry standard means of secure disposal.

 

 

Printer Best Practices

Printer Best Practices

Printers often handle RIT Confidential information, but they can easily be overlooked when securing a network. Use the following best practices to secure any printers you support.

  • Update the firmware
  • Assign a password for web access to the printer
  • Change the SNMP community strings (these are the equivalent of printer "passwords." "Public" and "private" are the defaults and are widely known)
  • Disable any unused protocols (Do you really need Novell IPX enabled, etc?)
  • If possible, change the default TCP port from 9100 to another port number (Specific exploits target the default port and may cause the printers to print blank pages. However, some printers may not be capable of changing this port number)
  • If you have a firewall in front of your printers, only allow trusted IP’s (i.e. print server, etc.) to talk directly to the printer
  • Disable FTP or assign a password
  • If the printer is only used for on-campus printing, consider changing it to a private net 10 IP address. (This is a good security measure to prevent malicious attacks from the Internet. If you need assistance enabling this, contact ITS HelpDesk.)
 

E-mail us at infosec@rit.edu if you have any questions or suggestions.

 

Encryption at RIT

Encryption at RIT

Several RIT Security Standards refer to ISO-approved encryption. ISO-approved encryption is divided into two categories: Preferred and Acceptable. Preferred encryption methods were chosen based on standard industry usage and their ability to support RIT business processes. RIT's current product is McAfee FDE.

Preferred Encryption

Purpose

Encryption Algorithms

RIT Security Standard

Comments

Network Connections (including web browsers)

Currently only SSL 3.0 and TLS 1.0 are supported at 128-bit and above.

Web, Network

 

Laptop/Desktop Encryption

AES 256-bit is recommended, although AES 128-bit or higher is adequate. 3DES has also been approved.

Desktop and Portable Computer

Centrally-managed whole disk encryption is required to meet the 2009 Desktop and Portable Computer standard.

Server

AES is recommended only at 256-bit. RC4 is currently supported until June 2009.

Server

 

Portable Media

AES 128-bit and above, 256-bit is recommended. 3DES and Twofish are adequate.

Portable Media

 

Public/Private Key Encryption and Signing

PGP 2048-bit or greater and RSA 1024-bit or greater.

   

Cryptographic Hashes/Checksums

SHA-2, RIPEMD-320, and the Tiger hash are all adequate for hash comparison.

 

SHA-1 and RIPEMD 128 & 160 are considered strong algorithms, but there is reason to suspect that they may be susceptible to frequency collisions (hash duplications) and their use is not recommended in situations where collision resistance is required. In such cases, SHA-2 or RIPEMD-320 is recommended.

Acceptable Encryption

Use of non-preferred encryption methods is discouraged. However, we recognize that there may be times when business or other requirements may be better served with an alternative algorithm. In those cases, developers should reference the Educause Encryption Strength Support Matrix. (This matrix and accompanying explanatory text was developed by Jim Moore, RIT Information Security Office.) Algorithms with a strength rating of High are acceptable for use at RIT. Use of algorithms with a strength rating of Low or Medium are not permitted.

Encryption Strength

Encryption strength is a relative concept. Both the algorithm used and the length of the key used to encrypt data determines the strength of encryption. Encryption services also perform various cryptographic functions beyond data encryption.

Key Management Requirements

Security of the key management process for encryption keys is especially important. Security of encrypted content (ciphertext) may be compared to a physical lock and key. The algorithm provides the lock. The encryption key unlocks the ciphertext. If the key is weak or compromised, the encryption can be broken. Key revocation provides a means to disallow or change a compromised key and "re-key" the lock.

Many encryption algorithms have the potential to lock access to data permanently if the key is lost. Key escrow provides a "copy" of the key to enable access to the data.

Centralized encryption/key management ensures that data will remain both encrypted and accessible. Non centralized or individual encryption without key escrow may disallow access to the encrypted RIT information if the key is lost. Use of non-centralized or individual encryption of RIT information assets would be allowed only through a granted exception and would require an ISO-reviewed key escrow and revocation process.

 

Pages

Subscribe to RSS - Security