The best way to protect the network is to proactively prevent malware or hackers from gaining access. At HSU, this is tackled at two levels:
By protecting the perimeter of the network, any and all connections between HSU's internal networks and the Internet can be configured and managed for optimum user value and efficiency while minimizing risk.
A robust password policy goes a long way towards deterring data thieves. ITS enforces strong passwords, regular password expiration cycles, and limits the number of times anyone may attempt to log into an HSU system before access is blocked. We've provided some helpful hints and tips on creating strong passwords that you won't forget.
The routers that connect the campus to the outside world are configured to block the top 20 ports designated by the SysAdmin, Audit, Networking, and Security (SANS) Institute as the most open to exploitation. This can sometimes result in problems installing and using new applications; in such instances, the campus Information Security Officer (ISO) will undertake a risk analysis before permitting a port to be unblocked.
Routers connecting to the central servers are configured to block any port that ITS has not specifically authorized for incoming network traffic. Personally-identifiable and other confidential information stored on other servers may be considered vulnerable under HSU's data protection obligations, so efforts should be made to move these servers into the secure central server group.
ITS uses third-party blacklists to block an extensive number of websites known to be used for the distribution of viruses, spam, phishing attacks, and other security threats. This can sometimes result in valid messages being blocked from campus networks (called “false positives”). Users who believe valid messages are being blocked by the campus filters should contact the Technology Help Desk at (707) 826-HELP (4357).
Occasionally, a large number of emails will be sent to the HSU campus for a valid reason, such as the distribution of an approved survey, and the emails will be blocked as spam. Anyone working with an outside group that will be sending a large number of emails to humboldt.edu addresses should contact Telecommunications & Network Services (TNS) at x5000 to ensure the emails can be delivered.
Information transfer via remote control desktop programs such as Windows Remote Desktop Protocol (RDP) is tightly controlled. On Windows machines, RDP must be disabled for user accounts and should be enabled for administrator accounts only if a real need to use it exists. Any machine that is configured to allow RDC connections must have client-side firewall settings that only allow connections from a specific host, set of hosts, or VLAN, and must be protected with a strong password.
Additional information on using RDP securely may be found on the Windows Terminal Services website. Remote control desktop software other than RDP must provide security at least equivalent to that provided by RDP.
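One way to check and apply the client-side firewall requirement above on a Windows machine, using the built-in NetSecurity cmdlets. This is an added example, not an ITS-provided script; the addresses in `$AllowedSources` are constructed placeholders, and it assumes RDP listens on the default TCP port 3389 and that the rules live in the local policy store (rules delivered by Group Policy must be changed there instead).

```powershell
# Run from an elevated PowerShell prompt.
# Assumption: constructed placeholder sources (documentation address ranges).
# Replace with the specific host, set of hosts, or VLAN subnet authorized for this machine.
$AllowedSources = @('192.0.2.10', '198.51.100.0/24')

# Collect every enabled inbound "allow" rule that explicitly covers TCP 3389,
# whether it is a built-in Remote Desktop rule or one added by hand.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389'
    }

foreach ($rule in $rdpRules) {
    $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress

    if ($scope -contains 'Any') {
        # The rule accepts RDP from every source: narrow it to the approved list.
        Write-Warning "$($rule.DisplayName): RDP allowed from any address; restricting scope"
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources
    }
}

# Report the resulting scope of each RDP rule so the change can be reviewed.
$rdpRules | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
} | Format-Table -AutoSize
```

Rules whose local port is `Any` also admit RDP traffic and are not matched by this filter, so review those separately.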
Vulnerability management is an ongoing process to ensure that information assets are protected and should only be performed by authorized personnel. Scanning activities should be planned and authorized in advance in order to avoid negative performance impact. CSU policy forbids CSU campuses from performing vulnerability assessments or running penetration tests and port scans on systems or networks outside of their immediate purview. At HSU, this also applies to campus units other than TNS scanning the assets of the other campus units or assets of the campus as a whole without prior authorization; any unauthorized scanning will be treated as a hostile attack and the entire network closed down.
Any device connected to an HSU network must meet the following security requirements:
Additional best practice recommendations for connecting securely:
When practical, servers should be set up in a hardened (secure) systems configuration:
It is recognized that the “start hardened and relax to functional” approach may be impractical with Windows servers for some server roles. System administrators should check with ITS for the latest “best practices”.
If you have questions, the campus Information Security Officer can be reached at (707) 826-3815 or email@example.com.