You probably saw this in Ann's all-OIT email last week, but it's important and I wanted to repeat it here:
OIT’s senior management team has charged a committee from various areas across the department to address necessary OIT workstation security improvements. It is the senior management team’s position that OIT should be a leader in upholding University computer security standards.
OIT Security has identified several practices currently being used on OIT computers that could lead to security breaches:
- Use of secondary applications such as Flash, QuickTime, Acrobat, and Java that are not up to date with security patches is a leading contributor to computer infections.
- Excess old data files
- Unlocked and unattended workstations
- Machines routinely run with administrative privileges when not needed
- Non-encrypted laptops
- Excess personal use of University computers can lead to susceptibility to unsecured Web sites and malware
By becoming early adopters and leaders of responsible and secure computing practices at the University, OIT is positioned to set the example for the rest of the University. What can you as an individual do to help raise computer security awareness and keep University computers and data more secure? Here are just a few ways:
- Lock your computer when you leave your work area
- Delete your temporary and cached files
- Reduce the amount of private data stored on desktop and laptop computers
- Managers should make sure that all laptops in their areas are encrypted
- Reduce the time running your computer as administrator and other high-risk practices
In addition, the committee is working on plans to address these issues. Much of the work to be done as identified by the committee will be performed by FAST staff. FAST staff also will continue to encrypt Mac laptops, and plans to push more secondary application updates to Windows clients are being developed, as well. The plan is to have the identified issues significantly mitigated by March 15.
We need to realize that, as part of Operations and Infrastructure, we support the most critical components of the University enterprise: databases, production services, data center, systems administration, storage, backups, disaster recovery planning. As such, it is even more important for us to protect access to our systems. Please take a moment this week to review your security settings. In particular, set your screensaver to lock your screen if you are away. That way, your computer should be safe even if you forget to lock your screen or log out when you go to meetings.

I'd like to follow up on the "Machines routinely run with administrative privileges when not needed" item.
There's a great article in Computer World that reports how the impact of over 90% of vulnerabilities in Microsoft Windows could have been reduced (or in some cases eliminated) simply by not being logged in with Administrator access.
Further, of the 154 bugs (critical or not) published and patched by Microsoft in 2008, up to 69% would have been blocked or mitigated by running without local Administrator rights.
The report concludes that restricting the number of users who can log in with these privileges will "close the window of opportunity" for attackers. This is particularly true for users of Internet Explorer and Microsoft Office.
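As an added example (not part of Ann's or Paul's emails, and not an OIT or FAST tool), here is a PowerShell check a user or FAST staffer could run on a Windows workstation to verify three of the items listed above: the screensaver locks the screen, the current session is not running with local Administrator rights, and the system drive is encrypted. The registry keys and cmdlets are standard Windows; the 15-minute timeout and the choice of BitLocker as the encryption tool are my assumptions, not University standards.

```powershell
# Added example: audit a Windows workstation against three items from the OIT list.
# The timeout threshold and the use of BitLocker are assumptions, not University policy.

$MaxIdleSeconds = 15 * 60   # assumed maximum idle time before the screen locks

$findings = @()

# 1. Unlocked and unattended workstations: the screensaver must be enabled,
#    must require a password on resume, and must start within the timeout.
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$active  = [int]$desktop.ScreenSaveActive      # missing value casts to 0 (not enabled)
$secure  = [int]$desktop.ScreenSaverIsSecure
$timeout = [int]$desktop.ScreenSaveTimeOut     # seconds
if ($active -ne 1 -or $secure -ne 1) {
    $findings += "Screensaver does not lock the screen (ScreenSaveActive=$active, ScreenSaverIsSecure=$secure)"
} elseif ($timeout -gt $MaxIdleSeconds) {
    $findings += "Screensaver timeout is $timeout s; expected no more than $MaxIdleSeconds s"
}

# 2. Running with administrative privileges when not needed: flag the session if its
#    current token holds the Administrators role. Under UAC a non-elevated session of
#    an admin account reports false here, which is the desired day-to-day state.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Session for $($identity.Name) is running with local Administrator rights"
}

# 3. Non-encrypted laptops: check the system drive with BitLocker (assumed tool).
#    The cmdlet needs the BitLocker module and elevation, so a failed query is
#    reported as a finding rather than silently treated as a pass.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$env:SystemDrive is not BitLocker-protected (ProtectionStatus=$($vol.ProtectionStatus))"
        }
    } catch {
        $findings += "Could not query BitLocker status for $env:SystemDrive`: $_"
    }
} else {
    $findings += "BitLocker cmdlets not available; disk encryption could not be verified"
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: workstation meets the three checked items"
} else {
    Write-Output "FAIL: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it in an ordinary (non-elevated) session to see what day-to-day work actually runs with; the screensaver values live under HKCU, so they reflect the logged-in user's own settings.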
Just a follow-up on workstation security, which I wanted to bring to your attention: Paul Honsey (AC) sent the following note to all supervisors this week:
If you believe that an upgrade to one of these components will severely affect or break your ability to do work, please notify your manager this week.
I hope everyone understands the importance of improving the security of the University network, and the workstations that are attached to it. As Ann mentioned in her weekly email: it is the senior management team’s position that OIT should be a leader in upholding University computer security standards.