UC Davis central security initiatives

In October 2011, the Ethics and Compliance Risk Committee (ECRC) requested a proposal for a central information security program that would reduce risk to the campus. The ECRC Privacy and Security subcommittee gathered input from administrative, academic and technology representatives during spring 2012. Based on this feedback, as well as its own analysis of risks posed by privacy and security threats to electronic systems and data, the subcommittee recommended that the campus implement five security initiatives to address the highest risk areas to the campus, using a managed-cost approach. These five initiatives are:

  • Identify and correct severe computer vulnerabilities
  • Protect electronic personal identity information
  • Implement system integrity monitoring for early detection and prevention of security breaches
  • Identify and correct serious Web application privacy and security vulnerabilities
  • Protect campus systems from malicious activity via VLAN firewalls

This page contains information about the central campus security initiative that began in 2012. Look for more information here as the campaign develops. For a timeline for the individual projects, please see this schedule.

Campus vulnerability scanning

The campus implemented an automated vulnerability scanning and alerting system in 2005. The system uses input, from multiple scanning tools and network intrusion sensors, to alert campus unit technologists to compromised computers, or to computers with serious security vulnerabilities, that they need to inspect. The University of California recognized this service, unique among the UC campuses, as a best practice. All campus units, to the greatest extent possible, must participate in this system. Weak security links on the campus network could expose other university computing systems to unauthorized access. Campus units are responsible for responding to scanning system alerts and warnings.

Project implementation as of summer 2013:

  • The central security program will help campus units configure unit VLAN firewalls to support daily network vulnerability scans.
    • Email notifications to VLAN administrators and their escalation contacts (MSOs) to resolve the issue or engage ITPS recharge for assistance. Completed November 2012
    • Subsequent notifications identified the risk for failing to bring the VLAN firewall into compliance, including removal from the network. Completed December 2012 – March 2013
  • The campus Computer Vulnerability Scanning Policy, PPM 310-021, is being updated to allow senior administrators to exempt a VLAN under their purview from network vulnerability scans. The campus IT security coordinator will review such exemptions. If this review indicates the exemption might present excessive risk to the university, then the exemption will be forwarded to the Privacy and Security Subcommittee of the campus Ethics and Compliance Risk Committee for evaluation. The subcommittee might raise the approval of an exemption to the ECRC.
    • The policy update is pending approval.
  • The monitoring process will be updated to include:
    • A database application and scanning process to capture the results of the scans, in order to track the history of notifications and escalations.

Personal identity information

Identity theft is a significant issue, especially among institutions of higher education. The Privacy Rights Clearinghouse reported 535 breaches involving 30.4 million sensitive records (www.privacyrights.org/data-breach-year-review-2011) during 2011. This figure is likely conservative, given suspected underreporting. Universities are convenient targets for identity thieves, due to universities’ historical use of identity information, and the challenge of securing large numbers of computing systems and data resources.

The law requires organizations, such as UC Davis, to protect identity owners from unauthorized access to their personal information. This campus PII initiative will serve that purpose, and will also reduce the cost of investigating, reporting and cleaning up incidents; and reduce the need for embarrassing public communications that detract from the university’s mission of research, teaching and public service.

  • Personal Identity Information (PII) is a specific type of particularly sensitive data. It is unencrypted electronic information that includes an individual’s first name or initial, last name, credit card information, Social Security number, health information, or driver's license number, plus additional information that could be used to identify that person.

  • Individuals should take steps to protect their PII, and campus units are obliged by law and policy to do so.

Project implementation as of summer 2013:

  • The central security program will work with the campus technical community to identify areas of high risk (including systems administered by faculty) and assist with PII scanning and remediation. Units must scan computing systems with a high risk of PII storage (e.g., computers used for personnel administration) annually to ensure PII is protected from unauthorized access. As appropriate, whole-disk encryption may be used to mitigate risks when PII data must be retained on portable devices.
  • This initiative also includes extensive campus outreach, including the PII website.

    • IET has made available Identity Finder Home Edition, a software program that scans personally owned computers and alerts the owner to the presence of high-risk personal identity information. Staff and faculty can buy the software at a 75% discount, or $10. Students can get the software for free. Completed March 2013
    • The software is available from the Security Web site (see the “How do I protect PII?” section) and was announced via TechNews and Friday Update. Completed March 2013
  • The initial phase of the project will be a pilot with ITPS (Information Technology Professional Services, an IET service unit). The security team will develop the reporting to help identify the presence of PII data, and record the results and remediation of the scanning efforts. The security team will assist ITPS with the scanning results.

    • A PII assessment to survey students, faculty, and student/employees to determine computers likely to contain PII (paper initially, with plans to use an online survey for campus implementation). Completed March 2013
    • Installation of scanning software and data scanning on systems identified by the survey as likely to contain PII. In progress April – early December 2013
  • The second phase of the project will include ongoing program modifications, and possibly automating the recording process from manual forms to a web application, for a rollout to campus technical support coordinators who will conduct the scans for their units.

    • Determine the validity of the PII assessment protocol, and decide next steps to work with units that have not completed recent scanning using the protocol. Expected start: December 2013
    • Based on the validity of the PII Assessment protocol, begin development of the online PII assessment survey for use by other campus units. Expected start: December 2013

Security information and event management (SIEM)

Organizations need to collect, aggregate and correlate log data for security and event analysis and reporting, so that they can recognize anomalous or malicious network behavior. Assessing this information helps the security team prevent attacks that transit the campus data network. Security information and event management (SIEM) systems support early detection of malicious activity targeting UC Davis computing systems and data; attack termination; and incident response.

Deploying SIEM will help the campus prevent privacy and security breaches, as well as help remove inefficiencies through automation; avoid infrastructure expansion costs; prevent expenditures for compliance penalties; reduce loss through fraud; and avert losses due to system outages.

  • Units participating in this system will meet the cyber-safety audit log security requirements defining log use, inspection, analysis and retention.

  • In consultation with the campus technical community, requirements for a SIEM system will be developed and released for acquisition in FY12-13. The initial priority for SIEM deployment is log management and event correlation and analysis within IET systems, with subsequent expansion to campus unit logging systems in FY13-14.

  • Tripwire will continue to be licensed for campus unit use.

Project implementation as of summer 2013:

  • Develop SIEM request for proposals (RFP).

    • Develop requirements for a SIEM system. Completed September - October 2012
    • Work with Purchasing to release the RFP. Completed October – December 2012
    • Evaluate and score RFP responses and select semi-finalist vendors. Completed January – February 2013
    • Conduct an onsite confidence test. In progress March – June 2013
    • The campus security coordinator will work with Purchasing to finalize the selection and contract. June – July 2013
  • The first phase of SIEM deployment, focusing on IET-managed systems.
    • Security staff will complete planning and implementation of the SIEM system for use by the campus Data Center. July 2013 – TBD

Web application vulnerabilities

Industry estimates that 60 percent of Internet attacks are launched against Web applications; also, 71 percent of websites owned by the education sector were exposed to a serious vulnerability in 2010 (White Hat Website Security Statistic Report, 2011). These vulnerabilities subject web data to information theft, misuse of resources, interruption of business processes, and/or fraud. Because the campus relies on Web applications and content, websites that provide access to data protected by law and/or policy--and other sensitive information--must be free of serious and commonly exploited security vulnerabilities.

  • All campus unit Web applications, if they host data protected by law or policy, will be scanned for Web application vulnerabilities.

  • Websites will also be scanned if they host information that, if altered without authorization, could put lives or safety at risk, damage the university’s reputation, or increase its liability.

Project implementation as of summer 2013:

  • The security program will specify when dynamic application scanning is to be used versus application code vulnerability scanning. An application test or development environment, provided by the campus unit, is required to conduct dynamic scanning. The campus unit hosting the Web application is responsible for working with central security staff to conduct the scan(s).

  • Units will provide developers to conduct the Web application vulnerability scanning. Recharge resources are available if the campus unit needs them, to run scans and/or configure a virtualized test environment for scans.

  • Campus unit application owners are responsible for timely mitigation of any vulnerability.

  • The campus central security program will offer training and guidance for use of Web application vulnerability scanning tools. The central security program will also offer, to campus Web developers, instructions on secure coding for Web applications.

  • The initial phase of the project will be a pilot with selected departments. The security team will assist pilot departments with the scanning efforts, and focus on identifying high-risk vulnerabilities for applications that use PII data. The second phase of the project will include ongoing program modifications, to ensure that campus units have the information they need to scan their applications.

    • A pilot was conducted with nine campus units to provide one-on-one training and guidance on the use of the AppScan scanning software. During the pilot, central security staff worked closely with campus units to run the scans. Completed December 2012 – April 2013
    • Participating campus units have found that the one-on-one approach allowed them to make greater progress in their scanning efforts. Units include CoE, IET, CAES, Graduate Studies, Student Affairs, and Student Housing. Completed December 2012 – April 2013
    • Security staff offers instructions for secure coding practices via quarterly training courses for campus. Ongoing
  • Starting in May 2013, the pilot was converted to an ongoing service. Other campus units that need application scanning services (identified from the past year’s campus Cyber-safety reports) will be contacted for training and scanning consultation.

    • Continue to provide one-on-one training and consultation to campus unit developers. Ongoing

VLAN firewalls

In order to support the university’s mission, the campus data network border must remain relatively free of aggressively restrictive policies that control network traffic permitted to enter and exit the campus. Using network firewalls at the campus unit VLAN (virtual local area network) level permits the use of more granular customized policies that help protect unit computing systems and data behind the firewalls. In addition, preventing malicious network traffic from transiting among campus unit VLANs strengthens the privacy and security of the overall campus data network.

  • The campus technical community, consulting with Information and Educational Technology, will identify VLANs (virtual local area networks) that either have no VLAN firewall, or else have one that is poorly supported.

  • Campus policy requires VLAN administrators to install and maintain effective ingress and egress rules on VLANs.

Project implementation as of summer 2013:

  • The security program will identify solutions for improperly firewalled VLANs (including hardware, software, maintenance, and policy management).

  • The security program will consult with campus VLAN firewall administrators to implement a VLAN firewall and, where needed, provide a one-time subsidy for VLAN firewall hardware.

  • The campus unit is responsible for the ongoing costs of VLAN firewall support.

  • If the campus unit VLAN administrator cannot meet campus cyber-safety requirements for using VLAN firewalls, then the security program will work with the unit administrators (such as the MSO or chair) to understand the firewall requirements and long-term costs.

  • If all other measures fail to bring the VLAN into cyber-safety compliance, the central security program will implement a VLAN firewall with a standard ruleset on behalf of the unit.

  • The security program will provide a one-time subsidy for the installation. If a unit engages IET to perform ongoing firewall maintenance, there will be a recharge fee to the campus unit (up to $700 per month).

  • The security team will assist departments with the firewall implementation efforts, and track compliance and/or the recharge work required to ensure the installation of the VLAN firewall.
    • Contacted VLAN administrators to understand the requirements for the VLAN firewall implementation and costs. Completed February – May 2013.
    • Efforts may extend to spring 2014, to give VLAN administrators and IET consultants time to complete the consultations and any work required.
  • Campus units that do not have VLAN firewalls or approved exceptions will be subject to disconnection from the campus network.

  • If a campus unit requests, the central security program will conduct penetration tests on a recharge basis, when security program resources are available.

    • The security program will create a process for the campus security coordinator to review and track exceptions for risk and, if necessary, forward exception questions to the ECRC Privacy and Security Subcommittee for evaluation. The subcommittee may forward to the ECRC for approval. In progress February – August 2013.

Where to find help, ask questions, or send comments
  • For department-level questions, contact your department tech support (directory)
  • IT Express Computing Services Help Desk, 7 a.m.-9 p.m. M-F, (530) 754-HELP (4357)
  • Send comments or questions about the central security initiative, campus cybersecurity in general, or about this website, to security@ucdavis.edu