it.ucsf.edu

IT Security Townhall FAQs


General Questions

Why are devices required to register?

What is considered the UCSF network?

Is registration required for devices using the Guest WiFi network?

How do I register my systems?

What are the deadlines for device registration?

What happens after those deadlines?

Do IP-aware, embedded OS devices (e.g., CO2 monitors, temperature monitors, etc.) need to be registered?

Are phones and tablets required to install BigFix? What about printers?

Do systems on internal non-routable networks (private networks) need to install BigFix?

Will you require BigFix installation for devices connected to the WiFi network in UCSF Housing units?

What is the process for exemption from installing BigFix?

How will you require guests/collaborators who visit for short periods infrequently (a few weeks a year etc.) to register their devices?

How will you communicate technical information to IT partners?

Is it possible to create a separate network for research/basic science since we don’t touch PHI data?

BigFix

What is BigFix?

Is it possible to see the information BigFix collects about my systems?

What operating systems are supported by BigFix?

By requiring BigFix on all UCSF systems, aren’t we creating an extremely attractive target to hackers? How are you protecting BigFix?

Will BigFix cause any harm to my computer? Will it uninstall any of my existing programs?

Does BigFix require root access? Is there any option to install BigFix without providing root access?

What will IT be using BigFix for on my workstation?

What will IT be using BigFix for on my server?

What is a locked configuration status in BigFix? Who has control over whether a system is locked or unlocked?

For Linux workstations and servers, are they deployed in a locked or unlocked state?

What is the testing and quality assurance process for actions sent via BigFix?

Is it possible to disable BigFix during experiments, at critical times, or maintenance windows to prevent disruption?

As departmental IT support staff, is it possible to manage my own systems in BigFix?

What’s the difference between a BigFix patch level check and a Nessus scan?

Are you financially liable if a critical experiment or business process is interrupted by BigFix?

Scanning

Why have you increased network scans?

The scanning tool, SecurityCenter, is an extremely attractive target to hackers. How are you protecting it?

Why do the authenticated scans need to use a privileged account? Wouldn’t it be safer if a less privileged account was used for scanning?

 

General Questions

1. Why are devices required to register?

As described in the Chancellor’s email on July 17, 2015, recent cyber-attacks in the news are striking closer to home and as a result, UCSF IT is taking accelerated steps to secure the network. Any computer (laptop or desktop; UCSF-owned or individually owned) that you use to conduct UCSF business must have the BigFix program installed on it immediately. BigFix is a tool that allows us to track a computer to determine if a system meets UCSF minimum IT security requirements.

2. What is considered the UCSF network?

A computer is on the UCSF network when it is plugged directly into an Ethernet port (a port in the wall, or a switch port in a data center), connects remotely (VPN), or connects to the UCSF-WPA wireless network.

3. Is registration required for devices using the Guest WiFi network?

No, registration is not required.

4. How do I register my systems?

All desktops, laptops and servers need to be registered. This is accomplished in one of two ways:

1. Install BigFix: http://it.ucsf.edu/services/bigfix-endpoint-manager

2. For the limited number of cases where BigFix cannot be installed, register your systems manually here: https://ucsf.service-now.com/ess/device_registration.do. To bulk register devices, use the spreadsheet available on that page.

5. What are the deadlines for device registration?

  • By August 14, 2015 all desktops and laptops must install BigFix.
  • By August 31, 2015 all servers must install BigFix.
  • By September 30, 2015 all IP-aware/embedded OS devices must be registered (networked lab equipment; proprietary data collection/analysis equipment, temperature sensors, alarms, etc.)

6. What happens after those deadlines?

We will target the highest risk devices for removal – unregistered machines without BigFix that are generating malicious traffic or showing multiple vulnerabilities. Machines managed by departments who are engaged (e.g. machines running BigFix or manually registered) will not be disconnected. IT will contact those system owners to resolve issues without disconnection. For unregistered devices, IT will attempt to determine the machine owner before disconnecting. The list of devices that will be removed will be posted to a wiki page requiring MyAccess login one business day prior to removing them from the network.

7. Do IP-aware, embedded OS devices (e.g., CO2 monitors, temperature monitors, etc.) need to be registered?

Yes, please register anything that cannot have BigFix installed here: https://ucsf.service-now.com/ess/device_registration.do

8. Are phones and tablets required to install BigFix? What about printers?

No. Those devices are exempt from installing BigFix.

9. Do systems on internal non-routable networks (private networks) need to install BigFix?

No, please follow the manual registration process here: https://ucsf.service-now.com/ess/device_registration.do

Systems that process UCSF data and can reach any other devices on the UCSF network (e.g. head nodes, storage, gateways, firewalls, addressable systems behind firewalls, etc.) should have BigFix installed where practical. Those who operate large private networks should engage with UCSF IT to identify a practical solution.

10. Will you require BigFix installation for devices connected to the WiFi network in UCSF Housing units?

UCSF IT and CLS are currently working on segregating the residence network to not require device registration. Housing users on UCSFwpa must register; users on UCSFguest do not.

11. What is the process for exemption from installing BigFix?

The manual registration process fulfills the requirement of registration and exempts you from installing BigFix.

12. How will you require guests/collaborators who visit for short periods infrequently (a few weeks a year etc.) to register their devices?

Guests that are here for a brief visit should mostly plan on using UCSFguest wireless to access resources like email at their home institution or to browse the internet. Solutions for common problems like printing (for example emailing a file to a printer) will be developed to minimize the need to connect to the internal network. If a visitor or collaborator will need to access internal resources during their visit, their device must meet minimum security requirements, including BigFix.

13. How will you communicate technical information to IT partners?

Announcements will continue to be sent to IT-FORUM (opt-in listserv with 600+ members), SEC-AUTO (everyone at UCSF with an IT-related payroll classification), and the Data Security Compliance Program champions (each school/large organization has two or more DSCP champions). We need your help identifying groups of people we’re not reaching – please send suggestions to IT-Questions@ucsf.edu.

14. Is it possible to create a separate network for research/basic science since we don’t touch PHI data?

Segregating networks is technically possible, but network segregation would not be a simple or quick solution. The complexity and cost of implementing a segregated network across all campuses within our institution, the difficulty in keeping protected data off of a research network on a health science campus, and the barriers segregated resources could present to collaborations across basic and translational research projects suggest that a thorough evaluation process would need to be conducted before this approach could be adopted.

BigFix

15. What is BigFix?

BigFix is very lightweight software that runs on your computer. Using BigFix we can track a computer, associate the computer with a user, and collect hardware and software information (OS, CPU, RAM, hard drive space, software installed). Using BigFix we can ensure your computer is patched, encrypted and protected from viruses and malware. More information is available here:

https://it.ucsf.edu/services/bigfix-endpoint-manager

16. Is it possible to see the information BigFix collects about my systems?

BigFix only collects hardware and software information. We can provide access to web-based reports so that you can review the information collected. Please submit a ticket to request access by calling the IT Service Desk at 415-514-4100 or online at https://ucsf.service-now.com/ess/home.do

17. What operating systems are supported by BigFix?

  • Windows
  • Macintosh 10.6 and greater
  • RHEL 5-7; Ubuntu 10, 12, 14; Debian 6, 7; SUSE Enterprise Linux 10, 11, 12
  • Solaris 10, 11
  • AIX 5-7

18. By requiring BigFix on all UCSF systems, aren’t we creating an extremely attractive target to hackers? How are you protecting BigFix?

BigFix security measures in place today:

  • Requires DUO two-factor authentication for access
  • Regular vulnerability scanning
  • Monthly patching
  • Monitoring and auditing of access
  • Rigorous change control
  • All changes require authentication from console administrators
  • Data published via web reports for IT support teams; no direct access to console

Additional measures under consideration:

  • Limiting the ability to unlock systems
  • Host-based IPS (e.g. TripWire)

19. Will BigFix cause any harm to my computer? Will it uninstall any of my existing programs?

The BigFix client will not harm your PC or uninstall your applications. In a very small number of incidents (less than 1%), BigFix may be incompatible with an application and cause some minor issue. We will work with you to resolve these issues as necessary.

20. Does BigFix require root access? Is there any option to install BigFix without providing root access?

We are consulting with IBM to explore the viability of using BigFix without root access.

21. What will IT be using BigFix for on my workstation?

BigFix will collect system configuration data such as operating system, CPU, RAM, hard drive space, patch status, and list of local accounts on the server. BigFix will not collect any personal data or information, such as browser history or user data, stored on the computer. UCSF IT will install patches on Windows and Macintosh computers to protect them from vulnerabilities. One vulnerable computer puts all other systems and the network at risk.

UCSF IT WILL NOT patch Linux workstations without first consulting with the system owners.

22. What will IT be using BigFix for on my server?

BigFix will collect system configuration data such as operating system, CPU, RAM, hard drive space, patch status, and list of local accounts on the server. BigFix will not collect any personal data or information, such as browser history or user data, stored on the server. UCSF IT will not install patches, or alter files, without consulting with the system owner. However, IT reserves the right to disconnect servers from the network or install patches if the system owner has not responded in a timely manner.

23. What is a locked configuration status in BigFix? Who has control over whether a system is locked or unlocked?

Locking a system means that it is excluded from any actions like patching or installing software. Only data gathering operations can take place, apart from changing settings for the client itself, including updates of the BigFix client. Currently, only the BigFix administrators, a small team of IT professionals, have the ability to lock and unlock systems. We are currently exploring additional technical and process controls to further restrict locked system changes.

24. For Linux workstations and servers, are they deployed in a locked or unlocked state?

Both Linux workstation and server clients are defaulted to a locked state.

25. What is the testing and quality assurance process for actions sent via BigFix?

Actions supplied by BigFix, including patch packages for operating systems and applications, undergo IBM’s QC processes. All packages are digitally signed by IBM and are accepted by the UCSF server only after it validates the digital signature. Packages developed at UCSF undergo peer review and the change control process. Only packages signed by the UCSF private key are accepted as valid and executed by BigFix clients.

26. Is it possible to disable BigFix during experiments, at critical times, or maintenance windows to prevent disruption?

Yes, please contact us to coordinate. Please submit a ticket by calling the IT Service Desk at 415-514-4100 or online at https://ucsf.service-now.com/ess/home.do

27. As departmental IT support staff, is it possible to manage my own systems in BigFix?

Yes. BigFix is structured so that we can delegate access to a container where you manage your own systems. UCSF IT will provide the necessary access and training.

28. What’s the difference between a BigFix patch level check and a Nessus scan?

BigFix looks for missing patches on Windows and Mac desktops and laptops (not on servers or any Linux machines), and missing patches are only one type of vulnerability. A Nessus scan looks for all vulnerabilities present on a system, which includes missing patches as well as vulnerable configurations, default passwords, vulnerabilities for which there is not yet a patch, and other system weaknesses.

29. Are you financially liable if a critical experiment or business process is interrupted by BigFix?

No. Similar to telephone failures or power outages, there is not a process for recovering costs associated with interrupting experiments or business. Please coordinate with UCSF IT to ensure critical systems are categorized appropriately to minimize the chance of disruption. Please submit a ticket by calling the IT Service Desk at 415-514-4100 or online at https://ucsf.service-now.com/ess/home.do

Scanning

30. Why have you increased network scans?

In order to protect the UCSF network, UCSF IT needs to identify devices with vulnerabilities that put the network at risk. The scans are used:

  • To identify vulnerable, misconfigured, or compromised hosts
  • To help system administrators validate proper configuration and patching of their systems
  • To prioritize addressing the highest risk systems first

31. The scanning tool, SecurityCenter, is an extremely attractive target to hackers. How are you protecting it?

SecurityCenter servers are patched and hardened according to UCSF policy:

http://it.ucsf.edu/policies/servers and http://it.ucsf.edu/policies/information-security-checklist

32. Why do the authenticated scans need to use a privileged account? Wouldn’t it be safer if a less privileged account was used for scanning?

  • SecurityCenter stores credentials in an encrypted state. Administrators do not need access to the credential itself to initiate an authenticated scan.
  • Credentials can be managed by credential owners; UCSF IT does not need to know the username and passwords.
  • We recommend that all credentials be changed and updated in the SecurityCenter system every 90 days and meet or exceed UCSF password complexity standards.