
Goal II. Provide a comprehensive program to bolster the University's defenses against network security threats and to prepare for remediation of potential problems
Every day the Internet becomes more integral to the productivity of faculty, students, and staff, and the security of the network that underpins the academic enterprise is increasingly the focus of malicious attack. A network that is vulnerable to cyber security attacks can seriously compromise scholarship, communication, and commerce. Cyber attacks also can expose sensitive student and patient care data. Breaches in digital security include the spread of malicious programs via e-mail attachments, Web site defacement, and the use of compromised servers to launch attacks on other computer systems. To combat cyber attacks, ITC pursues several multi-faceted security programs in partnership with others across the Grounds. Well-targeted educational efforts, streamlined remediation of affected machines, and leading-edge programs that provide technical barriers are helping to reduce the incidence of cyber security problems at U.Va.
Network Security
ITC's seven-year-old digital security program offers a comprehensive approach to strengthening U.Va.'s defenses against computer security attacks. ITC's Director of Security Coordination and Policy Shirley Payne leads the program, which educates users about threats and their personal responsibilities for minimizing them, implements technical solutions to mitigate threats, and facilitates University compliance with federal security regulations. Ms. Payne and others also are actively involved in the review and adoption of U.Va. policies related to digital security.
Security awareness and education were an especially strong focus of the work during 2005-06. Ms. Payne and others from ITC routinely discuss cyber security issues with groups of Local Support Partners, administrators, students, and faculty. During National Cybersecurity Awareness Month in October 2005, persons from ITC's security office assembled a slate of publications and activities for the University. Staff handed out security flyers, wallet cards, and promotional cloth flying disks at locations around Grounds. They also redesigned the security Web site, adding new pages on data security, identity theft protection, and other security guidance. On the Web site, users can now view security-related videos, including those in which identity theft experts and victims are interviewed. Security education efforts also were focused on system administrators. Ms. Payne and her staff worked with Local Support Partners to develop and publish "Community Security Baselines," recommended configuration settings for Windows, Macintosh, and Linux/UNIX devices.
Each year, new IT security programs are introduced, many of which are described in this section. Several ongoing projects also reached important milestones during the year. In June 2006, ITC completed the Grounds-wide network registration program that began in spring 2005. During 2005-06, the University's More Secure Network continued to expand, and ITC staff completed designs for a faculty- and staff-only encrypted wireless network providing access to the More Secure Network. An online security training module developed by ITC has been completed by some 10,000 employees as of June 2006.
The University shares its growing expertise in digital security matters with the Commonwealth through the leadership of Ms. Payne and others in the Virginia Alliance for Secure Computing and Networking (VA SCAN), a partnership among U.Va., Virginia Tech, James Madison University, and George Mason University. VA SCAN, which was formed four years ago to bolster the Commonwealth's defenses against network security problems, received the Award for Excellence in Information Technology Solutions from Educause in fall 2005. The alliance provides colleges and universities and others with IT security assessments, training programs, consultation, and Web-based security-enhancing tools.
IT Security Risk Management Program
Progress continues on implementation of the University-wide IT Security Risk Management Program, which began in summer 2004. Dozens of departments have completed the program, which includes ongoing security assessments and standardized continuity planning for critical business functions during restoration of any compromised services. Departments are provided Web-accessible templates for such steps as risk assessment and plan development. The templates also include guidance and standardized practices across the Grounds. Developed by a team from ITC, the Audit Department, Health System Computing Services, and other offices, the program is led by ITC's Security and Policy Office.
First to be targeted are departments with the most critical assets to protect. Departments that handle sensitive data, such as legally protected medical and student records, must execute more thorough plans than other units. Once a department has completed the assessment and planning steps, it submits a final report to the Security and Policy Office. Units must re-evaluate and update their plans at least once every three years. All U.Va. departments, including those in the Health System and the College at Wise, are required to complete their first assessments and plans by June 30, 2007, and undergo the same process once every three years thereafter.
Abuse of Networked Resources
The University continues to make progress in thwarting cyber-security attacks and other digital abuse problems. During calendar year 2005, ITC's abuse team processed some 2,200 incidents, down from 2,800 incidents in 2004 and 4,500 in 2003. Major virus incidents have decreased in number, as have reported violations of the Digital Millennium Copyright Act. These problems and others are being reduced through ITC's comprehensive programs to combat digital security threats.
The security of the U.Va. networks has been tightened with firewalls and filters, automated programs that detect and block machines with specific security problems, anti-spam and anti-spyware capabilities, and award-winning educational programs aimed at students, faculty, and staff. The deployment of mandatory network registration across the Grounds (described in this section) is greatly enhancing the ability of technical staff to identify and contact persons responsible for compromised machines. This enables staff to more quickly remove affected computers from the network, reducing the ripple effect of damage. Network monitoring tools, which track volume but not content, also have proved valuable in the early identification and remediation of compromised machines.
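The volume-only monitoring described above can be made concrete with a small detector. The following is an added example, not ITC's own tooling: it reads flow records (addresses, ports, packet and byte counts, but no payload) and flags a source that is touching many distinct neighbours on one port with one-packet flows, the fan-out signature of a worm or scanner. The flow records and the RFC 5737 documentation addresses are constructed for the example, and the thresholds are assumptions an operator would tune to the local baseline.

```python
"""Volume-only monitoring of flow records: spot a host that is probing many
neighbours with tiny flows (worm- or scanner-like fan-out) without ever
looking at packet contents. The flow records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    packets: int    # packets in the flow
    octets: int     # bytes in the flow


# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # 192.0.2.10: an ordinary workstation with a few real sessions
    Flow("192.0.2.10", "198.51.100.7", 80, 120, 95_000),
    Flow("192.0.2.10", "198.51.100.7", 443, 80, 60_000),
    Flow("192.0.2.10", "192.0.2.5", 25, 12, 3_000),
] + [
    # 192.0.2.77: one-packet probes to port 445 on 200 different hosts
    Flow("192.0.2.77", f"198.51.100.{i}", 445, 1, 62) for i in range(1, 201)
]


def suspicious_hosts(flows, min_targets=50, max_avg_packets=3.0):
    """Return {src: (dport, distinct_targets)} for every source that touched
    at least min_targets distinct destinations on one port with flows averaging
    no more than max_avg_packets packets. A busy server also talks to many
    peers, but with real sessions rather than one-packet probes, and its
    replies go to many different client ports, so it does not match this rule."""
    targets = defaultdict(set)          # (src, dport) -> distinct destinations
    packet_counts = defaultdict(list)   # (src, dport) -> packets per flow
    for f in flows:
        key = (f.src, f.dport)
        targets[key].add(f.dst)
        packet_counts[key].append(f.packets)

    findings = {}
    for (src, dport), dsts in targets.items():
        counts = packet_counts[(src, dport)]
        avg_packets = sum(counts) / len(counts)
        if len(dsts) >= min_targets and avg_packets <= max_avg_packets:
            # keep the port with the widest fan-out if a host matches on several
            if src not in findings or len(dsts) > findings[src][1]:
                findings[src] = (dport, len(dsts))
    return findings


def block_list(flows, **thresholds):
    """Addresses to hand to the automated blocking tool, sorted for stable output."""
    return sorted(suspicious_hosts(flows, **thresholds))


if __name__ == "__main__":
    for host, (port, n) in suspicious_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct targets on port {port}")
```

Because the rule keys on the (source, destination port) pair and on flow size, it separates a scanning host from a legitimately chatty one without inspecting content, which is the property the text attributes to the monitoring tools.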
Although the University experienced only one major virus situation in 2005-06, a large number of machines were compromised during the year. These problems often were due to the lack of timely updating of operating systems and the download or installation of third-party software that alters computers' security settings. Reports of incoming spam and viruses were roughly equal to those received during the previous year. Automated anti-spam tools help to keep the problem manageable for most users. The U.Va. Credit Union was the target of a phishing scam during the year, and ITC's security and policy team worked with the credit union to minimize the impact on the University.
More Secure Network
To help buttress its technical defenses against IT security breaches, ITC implemented a three-tiered secure network architecture in 2003. Level 1 offers the standard, existing security protection measures, such as blocks for ports associated with well-known vulnerabilities. Level 2 offers heightened security through the use of redundant firewalls and a Virtual Private Network (VPN) connector between University users and the Internet. University computers behind the firewall are able to communicate freely with machines on the outside, but external computers must first authenticate successfully through the VPN gateway. Level 3 networks offer customized, special-purpose architectures with higher-level security and are designed in accordance with a department's special requirements.
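The Level 2 policy described above (inside hosts talk outward freely, outsiders must first authenticate at the VPN gateway) is essentially a stateful border rule. The following simulator is an added example, not ITC's firewall configuration: it tracks the connections inside hosts open so that only their replies are admitted, drops any other inbound packet, and admits outside traffic only to the gateway's VPN listeners. The address range, gateway address, and listener ports are assumptions for illustration.

```python
"""Simulation of the Level 2 border policy: inside hosts may open connections
outward and receive the replies, outsiders may reach only the VPN gateway,
and any other inbound packet is dropped. Addresses and ports are assumed
for illustration (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")                          # assumed More Secure Network range
VPN_GATEWAY = ip_address("203.0.113.1")                      # assumed VPN gateway address
VPN_LISTENERS = {("udp", 500), ("udp", 4500), ("tcp", 443)}  # assumed gateway services


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class StatefulBorder:
    """Keeps the 5-tuples of connections opened from inside so that only
    their replies are let back in."""

    def __init__(self):
        self.opened = set()

    def filter(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if src in INSIDE and dst in INSIDE:
            return "ACCEPT"          # never crosses the border
        if src in INSIDE:
            self.opened.add(fwd)     # remember so the reply can come back
            return "ACCEPT"
        if dst in INSIDE:
            if pkt.syn or rev not in self.opened:
                return "DROP"        # unsolicited inbound, including new TCP connections
            return "ACCEPT"          # reply to a connection an inside host opened
        if dst == VPN_GATEWAY and (pkt.proto, pkt.dport) in VPN_LISTENERS:
            return "ACCEPT"          # outsiders must authenticate here first
        return "DROP"


def run_scenario():
    """Four packets an operator would expect to see; returns the verdicts in order."""
    fw = StatefulBorder()
    packets = [
        Packet("tcp", "192.0.2.10", 51000, "198.51.100.7", 80, syn=True),  # inside opens web session
        Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 51000),             # server's reply
        Packet("tcp", "198.51.100.9", 40000, "192.0.2.10", 445, syn=True),  # outsider probes SMB
        Packet("udp", "198.51.100.9", 40001, "203.0.113.1", 500),           # outsider starts VPN (IKE)
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

The point worth checking in a real deployment is the third packet: an inbound connection attempt to an inside host is dropped even though the same host is reachable from the outside in a Level 1 segment, and a reply-shaped packet that does not match a remembered outbound connection is dropped as well.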
The Level 2 network, referred to as the More Secure Network, is now available in most buildings on Grounds and at off-Grounds locations. ITC developed and made available to departmental support staff tools that allow them to move their users to the More Secure Network. Additional tools have been provided that permit such things as switching Ethernet speeds, turning ports on and off, and running certain diagnostics. Many departments have migrated the majority of their users to the More Secure Network, and the eventual goal is to have most faculty and staff computers on it.
Wireless Availability on the More Secure Network
During 2005-06, ITC staff completed design work for a faculty- and staff-only encrypted wireless network providing access to the More Secure Network. Access control tools for Local Support Partners were made available along with setup documentation. Initial department-based testing has succeeded, and the network is being rolled out during summer 2006 to people authorized to access the More Secure Network. The new network augments an encrypted wireless network using PKI-based authentication that was introduced in 2004-05 for all U.Va.-affiliated individuals.
During 2005-06, ITC also completed the design work and initial testing of a system that enables faculty and staff mobile computing users to have their computers connected to the More Secure Network while using the University's wireless LAN. Presently users must give up the added security provided by the More Secure Network when using the wireless LAN. The new service leverages central directory services to determine whether a user wishing to connect to the Wireless More Secure Network is authorized to do so. If the user is authorized, the connection is permitted. A set of tools, similar to those presently used to manage wired network connections to the More Secure Network, was created to enable Local Support Partners to authorize faculty and staff to use the wireless More Secure Network.
Joint Virtual Private Network/Oracle Special Services
The Joint Virtual Private Network (VPN) was developed by ITC staff to meet the needs of users who access multiple protected resources residing on networks protected by different VPNs, such as those needing simultaneous access to the Integrated Systems Oracle applications and the Clinical Network. The Joint VPN is not limited to off-Grounds use. Its credentials reside on a hardware identity device that is configured by ITC after receiving a signed request from a user. Because the servers and services protected by the Joint VPN system contain sensitive and privileged data, two-factor authentication is required for access. This is accomplished through possession of the hardware identity device (a Rainbow iKey) and the password for that device. To assist departmental users, ITC publishes installation and configuration instructions for the VPN client on the Web along with the operating instructions. During 2005-06, the service was expanded to enable users to simultaneously access Oracle applications and the Data Warehouse servers using the Oracle VPN servers.
Network Registration
The Grounds-wide network registration program that began in spring 2005 was completed in June 2006. The new system replaces and combines the previous voluntary wired network registration system, the wireless registration system, and the mandatory system in the student residence areas. It increases the security of the U.Va. network by enabling ITC to contact and assist users experiencing problems and, if necessary, disconnect affected devices from the network until the issues are resolved. The new system also provides enhanced tools for department administrators and individual customers, including U.Va. guests. A small subcommittee is continuing to meet to update wording and flow of the main network registration Web page, and work continues on database validity checking, reporting, and abuse tools.
Blocking of Infected Computers
ITC's three-year-old policy of blocking infected computers from the University's network has helped to contain the spread of infection to other U.Va. machines and to assure that the network is available for use by others. Once virus- and worm-infected computers are disconnected from the University network, users can cleanse their machines of infections and unblock the machines themselves, using a process developed by ITC's Network Systems Group. Instructions for the process, which greatly eases the workload of the University's technical support staff, are provided online. Once a machine has been cleaned of infections and meets all the criteria for being unblocked, users are directed to an ITC Web site with a link for restoring Internet access.
ITC Windows Critical Patch Management Service
To help ensure that faculty and staff computers are as protected as possible against security vulnerabilities, ITC began offering its Windows Critical Update Service two years ago. Through the free, voluntary program, participating computers receive new operating system updates and patches as they are released by Microsoft. Before releasing updates to U.Va. computers, staff in ITC's Micro Systems Group test them to ensure that they are compatible with all commonly used applications. The service eliminates the need for individuals or Local Support Partners to update machines individually. The service works only on Windows 2000 and XP, not on Windows 95, 98, ME, or NT. Users running unsupported operating systems and those who are not members of the Windows Critical Patch Management Service must configure their computers to automatically run Windows Update daily.
Middleware Initiatives & Authentication
ITC staff are creating and deploying several projects related to middleware support. They have made numerous upgrades to the electronic directory services to improve services and to lay the foundation for use of the Lightweight Directory Access Protocol (LDAP) directory as a key resource for application authorization decisions. Authorization attributes have been added to the user database to control wireless access to the More Secure Network. Beginning July 2006, users are able to use LDAP groups to create on-demand mailing lists, share disk storage, facilitate enhanced Web authorization control, and deploy new directory group-enabled applications. Additional work on U.Va. NetBadge, an electronic identification badge that is issued to users' Web browsers when they log into the service, is described in Goal V of this report.
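Both the wireless More Secure Network authorization described earlier and the directory work above come down to one decision: given a user identifier, consult the directory and answer yes or no. The following is an added example, not ITC's directory or its tooling. It parses a few constructed LDIF entries and authorizes a user either from a per-user authorization attribute or from membership in an LDAP group. The directory suffix, the attribute name `wirelessMSNAuthorized`, and the group name are assumptions; in production the entries would come from an LDAP search rather than an inline string.

```python
"""Directory-driven authorization for the wireless More Secure Network:
parse constructed LDIF entries, then decide from a per-user attribute or
a group membership whether a connection may proceed. Names below are
assumed for the example."""
import re

# Constructed sample directory content (LDIF). The attribute
# wirelessMSNAuthorized and the group cn=msn-wireless are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: alice
eduPersonAffiliation: faculty
wirelessMSNAuthorized: TRUE

dn: uid=bob,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: bob
eduPersonAffiliation: student

dn: cn=msn-wireless,ou=Groups,dc=example,dc=edu
objectClass: groupOfNames
cn: msn-wireless
member: uid=alice,ou=People,dc=example,dc=edu
member: uid=carol,ou=People,dc=example,dc=edu

dn: uid=carol,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: carol
eduPersonAffiliation: staff
"""

PEOPLE_BASE = "ou=People,dc=example,dc=edu"
WIRELESS_GROUP = "cn=msn-wireless,ou=Groups,dc=example,dc=edu"
UID_PATTERN = re.compile(r"[a-z0-9]{1,16}")   # assumed local uid policy


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, repeated attributes collected into lists. Base64 ('::') values and
    folded continuation lines are not handled. Returns {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries


def authorized_for_wireless_msn(directory, uid):
    """True if the user's entry carries wirelessMSNAuthorized=TRUE or the
    user's DN is a member of the wireless group. The uid is validated before
    it is interpolated into a DN so that a crafted value such as
    'alice,ou=People' cannot change which entry is consulted."""
    if not UID_PATTERN.fullmatch(uid):
        return False
    dn = f"uid={uid},{PEOPLE_BASE}"
    user = directory.get(dn)
    if user is None:
        return False
    if user.get("wirelessMSNAuthorized", ["FALSE"])[0].upper() == "TRUE":
        return True
    members = directory.get(WIRELESS_GROUP, {}).get("member", [])
    return dn in members


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for name in ("alice", "bob", "carol", "dave"):
        print(name, authorized_for_wireless_msn(d, name))
```

The two paths mirror the two mechanisms the text mentions: an authorization attribute on the user entry, and an LDAP group whose `member` values are full DNs. Whichever is used, the access-control point should build the DN from a validated identifier rather than from raw input, and a missing attribute must default to deny.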
Symantec Anti-virus Service
One of the tools that ITC offers faculty and staff to combat computer viruses is the Symantec Anti-virus Service. Managed by the Micro Systems Group, the program provides computers with automatic updates as new anti-virus definitions are released to combat known electronic viruses. The program, which uses the ITC-supported Symantec anti-virus software, eliminates the need for members of the University community to manually update their anti-virus software as new definitions are released. To use the service, staff and faculty download the latest Symantec Anti-virus software from ITC's Software Central and convert their Symantec client to a Managed Symantec client, enabling automatic updates to their machines as new anti-virus definitions are released.
Internet Security Scanner
Another security tool used by the University for several years is Internet Security Systems' Internet Security Scanner (ISS). ISS examines a network's devices, services, and interrelationships for security vulnerabilities. The system then generates a report with detailed information about each problem found, including the susceptible host, a description of the danger, and actions recommended to remediate the problem. The system's database is updated regularly and can test for several hundred potential problems. ITC systems are set to routinely scan machines for most high- and medium-risk vulnerabilities. Departmental staff also can request ITC to tailor the scanning to suit specific needs, including scanning for denial of service vulnerabilities. The department's system administrator is responsible for deciding how to address any vulnerabilities that are found.
Disaster Recovery
During 2005-06, ITC began leasing a server that will provide critical emergency information should an event occur that disconnects all network access to U.Va. The server is housed at the vendor's out-of-state location. To further prepare for such an emergency, ITC has arranged for satellite phones so that select University staff could communicate with one another and have access to the server.
BMC Remedy Service Desk
ITC is currently in the process of acquiring and testing the newly released BMC Remedy Service Desk module. This product replaces the BMC Remedy Help Desk module that ITC has been testing during fiscal year 2006. The new module will replace the current system used by ITC's Help Desk and by the Integrated Systems Customer Support Center. When fully deployed, the module will offer the following benefits:
- enables Web browser access to the application and service ticket data to students, faculty, and staff
- enables students, faculty, and staff to submit service tickets into the system during business hours and after hours
- delivers ability to differentiate between problem management and incident management
- enhances customer support and responsiveness
- enables management to monitor service desk performance.
Online Security Training for Employees
As part of its security-education program, the University developed and began staged implementation in early 2005 of a new online training module to build awareness of computer security and responsible use issues among U.Va. employees. The interactive educational program requires 15-20 minutes to complete and covers such areas as computer attacks, identity theft, and exposure of confidential data. The module explains the most critical threats to the University's computing environment and the actions individuals must take to safeguard against those threats. At the end of the training session, users must answer several questions about the preceding information, and they must acknowledge their responsibility to abide by University computing policies and applicable laws. As of June 2006, some 10,000 employees have completed the security training module.
Educause Award for VA SCAN
In fall 2005, the Virginia Alliance for Secure Computing and Networking (VA SCAN) received the Award for Excellence in Information Technology Solutions from Educause. A partnership among several Virginia universities, VA SCAN is chaired by Shirley Payne, ITC's Director of Security Coordination and Policy. VA SCAN services include educating staff at higher education institutions about digital security threats and responsibilities for minimizing them, assisting with implementation of technical solutions to mitigate known threats, providing IT security training and consultation, and maintaining Web-based security-enhancing tools. The alliance's charter was expanded during the year to support collaboration among Virginia college and university IT auditors. All services are offered free or on a cost-recovery basis. The alliance was founded in 2003 by information technology leaders from James Madison University, George Mason University, the University of Virginia, and Virginia Polytechnic Institute and State University. In addition, Virginia Commonwealth University became a full partner in the Alliance during 2005-06. In late October 2006, as part of National Cybersecurity Month, VA SCAN hosted a cybersecurity conference at James Madison University.
Security Conferences
ITC's Security Coordination and Policy Office vigorously pursued its education mission during 2005-06, hosting two large-scale conferences about current security issues. One event, the Office of Information Technology's Security Awareness Conference, was held in October as part of the national Cybersecurity Awareness Month. The conference targeted U.Va.'s IT professionals and was offered in tandem with the Local Support Partners conference. Nationally recognized computing security expert and author Kevin Mandia was featured speaker at the conference, which also included sessions conducted by ITC staff members. Mr. Mandia spoke about identity theft; additional presentations included such topics as passwords, community security standards, and securing hardware, among others.
In June, ITC hosted a six-day SANS Institute training course entitled "Security 505: Securing Windows." The course was fully subscribed, with attendees from throughout central Virginia, including 61 U.Va. system administrators and 78 additional system administrators from various other institutions, state and local government agencies, and K-12 systems. The event was offered at a tuition cost savings of more than 70 percent. Among the specific topics covered during the hands-on conference were: active directory design, security templates, PKI installation and management, wireless security, and smart cards and tokens. Sessions were aligned with topics required for the SANS Global Information Assurance Certification exam. Course participants were eligible to sit for the exam following the conference's final day. The course was led by U.Va. alumnus Jason Fossen, founder and president of Fossen Networking & Security, which provides consultation for Microsoft Windows 2000/XP/2003 solutions and security. Mr. Fossen speaks and writes extensively on Web and network security matters.
Goal II Appendix
August 2006