Systems Status

Announce RSS Feed RSS

Blog RSS Feed RSS

Help Topics

Deschutes Facilities

Campus Facilities

User Account Info

Roundcube Mail

Contact Systems

ipv6 ready

National Cyber Alert System

             Technical Cyber Security Alert TA11-200A

Security Recommendations to Prevent Cyber Intrusions

  Original release date: July 19, 2011
  Last revised: --
  Source: US-CERT

Overview

  US-CERT is providing this Technical Security Alert in response to
  recent, well-publicized intrusions into several government and
  private sector computer networks. Cyber thieves, hacktivists,
  pranksters, nation-states, and malicious coders for hire all pose
  serious threats to the security of both government and private
  sector networks. A comprehensive security program provides the best
  defense against the full spectrum of threats that our computer
  networks face today. Network administrators and technical managers
  should not only follow the recommended security controls
  information systems outlined in NIST 800-53 but also consider the
  following measures. These measures include both tactical and
  strategic mitigations and are intended to enhance existing security
  programs.

Recommendations

  * Deploy a Host Intrusion Detection System (HIDS) to help block and
    identify common attacks.

  * Use an application proxy in front of web servers to filter out
    malicious requests.

  * Ensure that the "allow URL_fopen" is disabled on the web server
    to help limit PHP vulnerabilities from remote file inclusion
    attacks.

  * Limit the use of dynamic SQL code by using prepared statements,
    queries with parameters, or stored procedures whenever possible.
    Information on SQL injections is available at
    <http://www.us-cert.gov/reading_room/sql200901.pdf>.

  * Follow the best practices for secure coding and input validation;
    use the secure coding guidelines available at:
    <https://www.owasp.org/index.php/Top_10_2010> and
    <https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html>.

  * Review US-CERT documentation regarding distributed
    denial-of-service attacks:
    <http://www.us-cert.gov/cas/tips/ST04-015.html> and
    <http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf>.

  * Disable active scripting support in email attachments unless
    required to perform daily duties.

  * Consider adding the following measures to your password and
    account protection plan.* Use a two factor authentication method
    for accessing privileged root level accounts.

  * Use minimum password length of 15 characters for administrator
    accounts.

  * Require the use of alphanumeric passwords and symbols.

  * Enable password history limits to prevent the reuse of previous
    passwords.

  * Prevent the use of personal information as password such as phone
    numbers and dates of birth.

  * Require recurring password changes every 60-90 days.

  * Deploy NTLMv2 as the minimum authentication method and disable
    the use of LAN Managed passwords.

  * Use minimum password length of 8 characters for standard users.

  * Disable local machine credential caching if not required through
    the use of Group Policy Object (GPO). For more information on this
    topic see Microsoft Support articles 306992 and 555631.

  * Deploy a secure password storage policy that provides password
    encryption.

  * If an administrator account is compromised, change the password
    immediately to prevent continued exploitation. Changes to
    administrator account passwords should only be made from systems
    that are verified to be clean and free from malware.

  * Implement guidance and policy to restrict the use of personal
    equipment for processing or accessing official data or systems
    (e.g., working from home or using a personal device while at the
    office).

  * Develop policies to carefully limit the use of all removable
    media devices, except where there is a documented valid business
    case for its use. These business cases should be approved by the
    organization with guidelines for there use.

  * Implement guidance and policies to limit the use of social
    networking services at work, such as personal email, instant
    messaging, Facebook, Twitter, etc., except where there is a valid
    approved business case for its use.

  * Adhere to network security best practices. See
    <http://www.cert.org/governance/> for more information.

  * Implement recurrent training to educate users about the dangers
    involved in opening unsolicited emails and clicking on links or
    attachments from unknown sources. Refer to NIST SP 800-50 for
    additional guidance.

  * Require users to complete the agency's "acceptable use
    policy" training course (to include social engineering sites and
    non-work related uses) on a recurring basis.

  * Ensure that all systems have up-to-date patches from reliable
    sources. Remember to scan or hash validate for viruses or
    modifications as part of the update process.

____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA11-200A.html>

____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA11-200A Feedback INFO#706140" in
  the subject.

____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

  Produced 2011 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

 July 19, 2011: Initial release




Comments, additions or corrections to systems@cs.uoregon.edu

Edited: July 09, 2014, at 04:22 PM
Copyright © 2017, University of Oregon, All rights reserved
Privacy Policy