Computer and network security

Computers that offer services to the Internet beyond ENCS run a risk of being remotely attacked and compromised if they have known vulnerabilities. The consequences range from mere inconvenience to the loss of confidential research data. In order to minimize this risk, AITS regularly checks for known vulnerabilities and takes action to protect the computer (and its neighbours) against compromises based on the assessed level of risk.

The action taken to protect the vulnerable machine may be the immediate removal of the infected machine from the network, or just a warning that the machine will have its external services cut off if it is not appropriately patched after a grace period determined by the risk level. External access to the machine will be restored as soon as a new scan establishes that the vulnerability is no longer present.

Note that running an operating system that has reached end-of-life with its vendor and no longer receives updates and security patches (e.g., Windows XP and below, OS X 10.{1-5}) is itself considered a vulnerability, and such machines will be quarantined.

In all cases, the owner of the machine, its administrator and its known privileged user(s) will be notified by e-mail that will include a personalized and password-protected URL providing full information about the scan as well as details about the action needed to solve the problem.

Policy on vulnerability management

The procedures outlined below apply to machines that are allowed to receive network traffic initiated by devices outside the ENCS network:

  • All security holes will be reported by e-mail to the responsible person (RP, e.g., computer owner), Admin (technical admin contact/lab admin, e.g., a designated graduate student) and User recorded in the network database.
  • Machines with already exploited holes will have their network connection blocked, or will be placed in "network quarantine", depending on the severity of the case.
    • If a machine/port has a remotely exploitable hole allowing the execution of arbitrary code and for which an exploit is known to be publicly available, it will be blocked at the firewall immediately. Accessibility will only be reestablished when the vulnerability no longer exists.
    • If a machine/port has a remotely exploitable hole allowing the execution of arbitrary code and for which no exploit is known to be publicly available, the RP/Admin/User will be allowed a grace period of 5 working days to fix the problem. If the vulnerability still exists after the grace period, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
    • If a machine/port has a vulnerability that is NOT remotely exploitable, or does NOT permit the execution of arbitrary code, the RP/Admin/User will be allowed a grace period of 30 days to fix the problem. If the vulnerability still exists after the grace period, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked immediately at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
  • Outward-facing ports must permit Nessus vulnerability scans; if no Nessus scan is accepted for 30 days, the firewall exception for that port is removed.
  • In individual cases, full-time AITS network administration staff and full-time faculty members may together negotiate modifications to the terms, conditions, or procedures above in order to support ongoing research projects, with the modifications recorded in an RT ticket.
    • Notwithstanding any of the points above, AITS staff may, as permitted in their mandate, take any special action required to protect the security and integrity of the ENCS network.
  • A dispute regarding the application of policy as expressed above may be brought by a faculty member to the Director or the Associate Director of AITS for timely resolution.