Enforcing the Policy
1. Who determines when to take action?
Information Technology and Communication (ITC) and Health System Computing Services (HS/CS) are neither investigative nor disciplinary entities in their primary responsibilities. However, in cases where University network resources and privileges are threatened by improperly maintained computing devices, these departments must take appropriate steps. Before taking action, however, ITC and HS/CS will attempt to resolve the problem in collaboration with the device owner or overseer, unless the situation is so urgent that immediate action is required and there is no time for collaboration. In the latter case, ITC and HS/CS will inform the owner or overseer as soon as practical and provide advice as needed to resolve the problem.
2. How will ITC and HS/CS identify vulnerabilities?
Security vulnerabilities on a given device are usually discovered either through the investigation of a problem reported by someone within or outside the university who is being attacked from that device, or during an audit conducted by the University's Audit Department or other auditing organizations. Also, ITC offers a proactive network scanning service that can report vulnerabilities to the person requesting the scan before the security holes actually cause problems. As already stated, ITC and HS/CS will make an attempt to resolve the problem in collaboration with the device owner or overseer before taking action, unless the situation is so urgent that immediate action is required.
3. If somebody's PC propagates a virus mailing, will that PC be unplugged?
The policy will not be used to punish anyone. Its purpose is to help protect the university's networked environment as a whole. Before taking action, an attempt will be made to resolve the problem in collaboration with the device owner or overseer. The availability of PC virus software makes remedies for mail viruses usually simple to apply. For this reason it seems highly likely that, in the event of a virus mailing problem, collaboration with the device owner or overseer will result in quick and satisfactory resolution.
4. Will an operating system not formally supported by ITC or HS/CS be deemed unacceptable, if someone in ITC or HS/CS believes it not to be secure?
It is not the intent of the policy to deem operating systems as a whole, either supported or not, to be unacceptable. Key vulnerabilities will be listed on a website maintained by ITC and HS/CS and most will be drawn from a consensus list developed by the highly regarded SANS Institute in collaboration with the Department of Justice and the FBI. The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. Suggested remedies take the form of applying software patches, changing configuration settings, changing passwords, and the like. None of the remedies suggest replacing one operating system with a totally different one. ITC and HS/CS will not, however, be able to provide the same level of assistance and advice to unsupported environments as they do to supported ones.
Addressing the Policy
5. Who will provide information (and in what form?) to deal with such vulnerabilities? Who determines what vulnerabilities are key?
As mentioned under question 5, ITC and HS/CS will maintain a website describing critical vulnerabilities and remedies relevant to our environment. The source of some of this information will be the SANS Institute consensus list of key vulnerabilities.
6. What are some examples of key vulnerabilities?
Key security gaps that need to be closed may vary depending upon the type of device. Some examples follow:
- All device owners should ensure passwords used on their devices are not easily guessable by attackers.
- Owners of personal computers should install and run anti-virus software on these devices and apply updates from the software vendor as they become available.
- Owners of personal computers and servers should apply security-related updates to the operating system running on their devices as these updates become available from operating system vendors. Examples of a few operating systems found at UVa are Windows 2000, Windows NT, and Red Hat Linux.
- Owners of UNIX and Linux servers should switch off unneeded services to eliminate the risk of these being exploited.
It is important to note that the above are examples only and do not represent a complete list of known security vulnerabilities.
Vulnerabilities that are considered "key" will change over time as new threats and risks surface.
7. What, if any, assistance can device owners expect, aside from a list of vulnerabilities?
The website will provide explanations of remedies as well as vulnerabilities. ITC and HS/CS also offer installation and maintenance services for department-owned computing devices, consulting services, and help desks for assistance with problems. Additionally, presentations on security topics have been and will continue to be given at LSP meetings, and work on other security awareness education and training strategies is ongoing.
8. What are the responsibilities of device owners who contract with ITC or HS/CS to administer their machines?
The policy states compliance is the responsibility of ITC or HS/CS if the devices are under ongoing support contracts with these organizations. Users are responsible for approving and allowing necessary security upgrades to be made rapidly by ITC or HS/CS. Users are responsible for not circumventing security configurations installed by ITC or HS/CS.
9. Does the University provide adequate resources to the departments and schools to administer and operate their technical infrastructure?
Additional resources are always welcomed, but there are at least three things departments and schools could do to improve their ability to administer and operate their technical infrastructure:
- ITC offers a free scanning tool service that will automatically detect and report to the requestor security vulnerabilities on computing devices. Departments and schools could request that scans be run on a regular basis.
- Researchers should always include the cost of maintaining and operating new equipment that is funded by grants. This could take the form of purchasing support from ITC or HS/CS or hiring a skilled system administrator.
The Concern
10. Why is this policy needed?
Although malicious intent is possible, the lack of attention to security vulnerabilities is the target of this policy. Inattention to security vulnerabilities is a realistic concern as evidenced by a number of high profile attacks on computing environments of universities and other organizations.
Security breaches at highly visible computing sites have become commonplace today, and universities are favorite targets for attacks. Critical university computing resources, such as research, patient care, and student data, are at risk, and university computing devices are being commandeered by cybercriminals to launch attacks on corporations and other entities outside the university.
While it is not possible to anticipate and intercept all attacks -- cybercriminals are continuously devising new ways to wreak havoc -- there are specific steps that can be taken to significantly reduce vulnerability. These steps are effective, however, only if they are taken for all devices on the University of Virginia's network. The saying that "we are only as strong as our weakest link" most definitely applies in this case.
