UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving requirement 3.1, Secure Device Configuration.
Resource Custodians must utilize well-managed security configurations for hardware, software, and operating systems based on an industry standard.
Description of Risk
Overly permissive default configuration settings provide an attacker with the ability to access data without authorization.
A critical defense mechanism against malicious activities is a securely configured covered device. This includes the device operating system as well as installed applications that can run as background services or daemons and allow remote access to the covered device. Examples of applications that require secure configuration include databases, web servers, and file hosts. In addition, web browsers are commonly targeted by malware and malicious actors, so web browsers and associated add-on software components should also be configured securely.
The following processes should be implemented to meet the secure device configuration requirement:
Secure Configuration Baseline
- Develop a configuration baseline based on expert sources such as the Center for Internet Security (CIS) and the National Security Agency (NSA). These sources have detailed guides and procedural documents that explain security configuration options for a wide range of operating systems and applications. Hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and enabling security-conscious configurations.
- Once a baseline is tested to meet security requirements while working within operational parameters and constraints, it should be used to create a template from which similar systems and applications can be built.
- In addition to expert sources for configuration recommendations, campus security standards such as MSSND and MSSEI should be consulted to ensure the configuration baseline complies with applicable campus security requirements.
- Establish consistent and secure configuration baselines for all development, testing and production environments hosting covered data.
Configuration Review and Approval
- Once a configuration baseline is established, a review and approval process should be established to review requests that deviate from the baseline. There may be legitimate institutional needs that require software to deviate from the baseline. Deviations should be documented, and the approval process should allow resource custodians to weigh both risks and rewards of such requests.
Configuration Change Detection
- Configuration changes on covered devices should be logged automatically or via established change management processes.
- Resource custodians should be alerted when configuration changes are made on covered devices, so that malicious activity on those devices can be identified.
- Campus IT Security's article on Recommended Resources for System Hardening
- Center for Internet Security Configuration Benchmarks
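One way to automate the three processes above (baseline comparison, approved-deviation lookup, and change logging with alerts) is sketched below. This is an added example, not campus tooling; the setting names, host names, and the `EXAMPLE-0001` approval reference are constructed placeholders and are not taken from a CIS benchmark or from MSSEI.

```python
import hashlib, json, logging

log = logging.getLogger("config-drift")

# Constructed sample data: setting names and values are illustrative only.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "service.telnet": "disabled",
    "account.guest": "absent",
}
# Deviations that passed review and approval: (host, setting) -> record.
APPROVED = {
    ("db01", "ssh.PasswordAuthentication"): {"value": "yes", "ref": "EXAMPLE-0001"},
}

def fingerprint(snapshot):
    """Stable hash of a snapshot, so any change between two runs is detectable."""
    canon = json.dumps(snapshot, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()

def check_drift(host, snapshot, baseline=BASELINE, approved=APPROVED):
    """Compare a host snapshot with the baseline; return a list of findings."""
    findings = []
    for setting, expected in sorted(baseline.items()):
        actual = snapshot.get(setting)  # None means the setting was not reported
        if actual == expected:
            continue
        dev = approved.get((host, setting))
        # Only the exact approved value is accepted; anything else is drift.
        ok = dev is not None and dev["value"] == actual
        findings.append({"host": host, "setting": setting, "expected": expected,
                         "actual": actual,
                         "status": "approved-deviation" if ok else "unapproved-change",
                         "ref": dev["ref"] if ok else None})
    return findings

def report(host, snapshot, previous_fp=None):
    """Log changes, alert on unapproved findings, return (alerts, fingerprint)."""
    fp = fingerprint(snapshot)
    if previous_fp is not None and fp != previous_fp:
        log.info("%s: configuration changed since last run", host)
    alerts = [f for f in check_drift(host, snapshot)
              if f["status"] == "unapproved-change"]
    for f in alerts:
        log.warning("ALERT %(host)s %(setting)s expected=%(expected)s "
                    "actual=%(actual)s", f)
    return alerts, fp
```

Store the returned fingerprint between runs and pass it back as `previous_fp`, so that changes which stay within the baseline are still logged.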