Cornell University

Manage Quarterly Security Assessments

This article applies to: Security Essentials for IT Professionals

To better safeguard the university's IT and data resources, the IT Security Office strongly recommends that all Cornell departments and units implement the following practices.

Departmental servers

  • Limit network access to servers with Edge ACLs, IPSec filtering, or some other mechanism. The rules should deny all inbound traffic except that which is explicitly permitted.
  • Employ regular back-ups. Back-ups should be encrypted and stored in a secure manner.
  • Harden any services (Apache, IIS, MS-SQL, etc.) and disable any that are not necessary.
  • There should be no shared usernames and passwords for any applications or servers.
  • Develop and utilize an operating system update (patch) management solution. Consider whether daily auto-update should be active for operating systems.
  • Perform regular reviews of file and system privileges. Develop account provisioning procedures for new hires and terminations.
  • Implement password-protected screen savers that activate after no more than fifteen minutes of inactivity.
  • Consider the following as well:
    • Place servers on separate server subnets, preferably in the CIT Server Farm or in space specifically designed to house servers.
    • Maintain an appropriate level of logging for server operating systems and applications (such as web servers). These logs should be reviewed regularly for indications of malicious activity.
    • Implement integrity checking software, such as Tripwire, to monitor files, authentication mechanisms, and processes for unauthorized or unscheduled changes.

Desktops/laptops/end-users

  • Restrict user privileges to the filesystem and system processes. Not every user requires full administrator access.
  • Develop and utilize an operating system update (patch) management solution. At the very least, daily auto-update should be active for operating systems.
  • All systems should have antivirus software installed, running, and set for daily automatic updating. Consider whether running a managed AV solution might be an appropriate approach for your area.
  • All systems should have personal firewalls (Symantec, Windows XP firewall, MacOS X firewall, etc.) installed and running. Consider whether running a managed personal firewall solution might be an appropriate approach for your area.
  • All systems should have anti-spyware tools installed, running, and set for daily automatic updating. Consider whether running a managed anti-spyware solution might be an appropriate approach for your area.
  • Users should not be allowed to create local shares on their desktops. They should only use fileserver shares.
  • Sensitive Word and Excel docs should be password protected.
  • Accounts with administrative privileges that are common among a group of systems should not have the same password on all the systems. All too often, the compromise of one system will lead to a domino effect of compromised systems through a common administrator username and password. Every system should have a unique password for its administrator accounts. This can be based on a scheme to simplify password generation.
  • Implement password-protected screen savers that activate after no more than fifteen minutes of inactivity.

Network

  • Implement packet filtering to protect departmental resources. This should include, at a minimum, default Edge ACLs restricting incoming connections. Firewalls can be used as well.
  • For wireless networks, MAC address registration should be mandatory. No unregistered systems should be allowed on a wireless subnet.
  • Departments should carefully consider whether it's appropriate to allow unregistered systems on their networks. University Policy dictates that all systems on our networks should be registered and tied to a user or network administrator.
  • Consider the following as well:
    • For wireless use, all traffic should be encrypted and have user authentication with either WPA or a VPN solution.
    • Separate systems into different subnets based on function. Servers should be on different subnets than desktop users, and internal servers should be separated from hosts that serve data to the world.

Data Sharing outside your department or outside Cornell

  • Review security of the external agency
    • Consider the security of the transport and storage of data when it is shared.
    • Have documentation from any external agencies that shows commitment to the security of the data being shared.

Consider the following as well

Reviews and assessments

  • Develop a self-assessment methodology. Assessments should occur no less frequently than quarterly. The assessment should include checks such as:
    • nmap/getbanner scans looking for open ports and services available on hosts
    • network and host-based vulnerability scans
    • network application reviews (checking for vulnerabilities in web sites, databases, etc.)
    • content inventories on desktops and servers to account for the location of all sensitive University data
    • password audits looking for strong passwords on all accounts
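
One way to turn the port-scan check into a repeatable quarterly comparison is to diff the scan output against the list of services the default-deny rules are supposed to permit. The following is an added example, not part of the original Cornell guidance; the hosts, the approved-port baseline, and the sample nmap grepable (-oG) output are constructed for illustration.

```python
import re

# Constructed nmap grepable (-oG) output; 192.0.2.0/24 is a documentation range.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 (web01.example.edu)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 (files01.example.edu)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\n"
    "Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///\n"
)
# Hypothetical baseline: the ports the default-deny rules are meant to permit.
APPROVED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.20": {(22, "tcp"), (445, "tcp"), (3389, "tcp")},
}
PORTS_LINE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)")

def parse_open_ports(grepable):
    """Return {ip: {(port, proto), ...}} for ports reported as open."""
    found = {}
    for line in grepable.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                found.setdefault(m.group(1), set()).add((int(fields[0]), fields[2]))
    return found

def assess(grepable, approved):
    """Diff observed open ports against the baseline; return sorted findings."""
    observed = parse_open_ports(grepable)
    findings = []
    for ip, ports in observed.items():
        if ip not in approved:
            findings.append((ip, "host-not-in-baseline", sorted(ports)))
        elif ports - approved[ip]:
            findings.append((ip, "unapproved-port", sorted(ports - approved[ip])))
    for ip, ports in approved.items():
        missing = ports - observed.get(ip, set())
        if missing:  # rule permits a service that is no longer listening
            findings.append((ip, "stale-rule", sorted(missing)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in assess(SAMPLE_SCAN, APPROVED):
        print(finding)
```

Keeping the baseline under version control gives each quarter's assessment a record of which exposures were approved and when.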
