Monitoring and Maintenance

 
Make sure the work you put into implementing security does not go to waste: watch it and maintain it.

In this case, the best is truly saved for last. It would be foolish to put in all that time and effort setting up a secure environment without maintaining it or measuring how well you are keeping it secure. Monitoring and maintenance make it possible to judge whether the controls you have in place actually work and to react to the problems you do discover. They also help you plan for the future: when changes to the operating environment are proposed, you will know what is currently in use and how it has behaved.
 
Patching is key.

Nothing is perfect, software included. Software and operating systems need to be patched regularly, and if a particular package or operating system is no longer patched or supported, it is a very bad idea to keep running it. Most operating systems ship automated mechanisms for applying patches and for checking for vulnerable software. Unfortunately, those mechanisms can be unwieldy when managing a great many machines at once. It is also easy to miss vulnerabilities in software that is merely a component of another piece of software: you might have installed an OpenSSL library to support a particular application, but then only think to check the application itself for vulnerabilities. A vulnerability in OpenSSL may then never get treated and becomes a liability. Patching can be complex and is sometimes subject to cost-benefit analysis, but it cannot be ignored in any case. The RU Scarlet Page service provides help to groups with patching.
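As an added example (not code from the original page or from Rutgers IPS), the following Python script shows what a dependency-aware check looks like: it flags a vulnerable library and every application that depends on it, so a hole in OpenSSL is not missed just because the application linking it has no advisory of its own. The inventory, the dependency edges and the advisory version ranges are all constructed sample data, and the version comparison is deliberately simple. A real check would take the inventory from the package manager and the ranges from vendor advisories, and must allow for distributions that backport fixes without changing the upstream version number, which makes a version-only comparison report false positives.

```python
"""Dependency-aware vulnerability check over an installed-software inventory.

Added example; not code from the original page or from Rutgers IPS. All data
below is constructed for illustration. Real inventories come from the package
manager (rpm -qa, dpkg -l, pip freeze, ...) and real ranges from advisories.
"""
import re

# Constructed inventory: component -> (installed version, components it depends on)
INVENTORY = {
    "webapp":  ("2.4.1",  ["openssl", "zlib"]),
    "sshd":    ("6.6p1",  ["openssl"]),
    "openssl": ("1.0.1e", []),
    "zlib":    ("1.2.8",  []),
}

# Constructed advisories: (component, first affected version, first fixed version).
# The ranges are hypothetical and chosen only to exercise the comparison logic.
ADVISORIES = [
    ("openssl", "1.0.1", "1.0.1g"),
    ("webapp",  "2.0.0", "2.3.0"),
]

_TOKEN = re.compile(r"\d+|[a-z]+")


def parse_version(version):
    """Turn '1.0.1e' into a tuple that sorts sensibly: numeric runs compare as
    integers, letter runs compare alphabetically, and '1.0.1' < '1.0.1a'."""
    return tuple((1, int(t)) if t.isdigit() else (2, t)
                 for t in _TOKEN.findall(version.lower()))


def is_vulnerable(installed, first_affected, first_fixed):
    """True when first_affected <= installed < first_fixed."""
    v = parse_version(installed)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def find_vulnerable(inventory, advisories):
    """Map each component to the sorted list of vulnerable components in its
    dependency closure (itself included). Components with no exposure are
    omitted, so an empty dict means nothing needs patching."""
    directly = {
        name for name, (ver, _deps) in inventory.items()
        for comp, lo, hi in advisories
        if comp == name and is_vulnerable(ver, lo, hi)
    }
    exposed = {}
    for name in inventory:
        seen, stack = set(), [name]
        while stack:                      # walk the dependency graph from `name`
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(inventory.get(cur, ("", []))[1])
        hits = sorted(seen & directly)
        if hits:
            exposed[name] = hits
    return exposed


if __name__ == "__main__":
    for name, hits in sorted(find_vulnerable(INVENTORY, ADVISORIES).items()):
        print(f"{name} {INVENTORY[name][0]}: exposed through {', '.join(hits)}")
```

Checking `webapp` against its own advisory reports it clean (2.4.1 is past the fixed version), yet both `webapp` and `sshd` are reported because they depend on the vulnerable `openssl`; `zlib` is not reported at all. That is exactly the case the paragraph above describes.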
 
Log, review, and alert.

Logging is one of the most basic methods of monitoring. As any network or systems administrator knows, it can also become overwhelming once you have many machines and services on your network. Logs can provide notification of a problem, give you an audit trail, show how far a security problem has spread, or establish whether any information was actually lost in the first place. In almost all cases the logs of all your devices and services should be reviewed regularly and intelligently, which at scale means collecting them centrally rather than reading them host by host. A tremendous number of tools and services exist to aggregate logs, correlate events across them, and raise alerts.
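The aggregation, correlation and alerting the paragraph above mentions, reduced to its smallest working form as an added example (not code from the original page or from Rutgers IPS): a Python script that parses sshd authentication lines in syslog format, keeps a sliding window of failed logins per source IP, and raises two kinds of alert. The sample log lines are constructed for the example, the addresses come from the documentation ranges, and the threshold and window are arbitrary assumptions that a real deployment would tune to its own traffic.

```python
"""Correlate sshd log lines into alerts.

Added example; not code from the original page or from Rutgers IPS.
The log lines below are constructed sample data in standard syslog/sshd
format; the threshold and window are assumed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real host); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:09 web1 sshd[4103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:12 web1 sshd[4104]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:01:15 web1 sshd[4105]: Failed password for alice from 203.0.113.7 port 51238 ssh2
Mar  3 10:02:40 web1 sshd[4110]: Accepted password for alice from 203.0.113.7 port 51300 ssh2
Mar  3 10:03:00 db1 sshd[2201]: Failed password for bob from 198.51.100.9 port 40022 ssh2
Mar  3 10:30:00 db1 sshd[2230]: Accepted publickey for bob from 198.51.100.9 port 40050 ssh2
Mar  3 10:31:00 db1 sshd[2231]: Connection closed by 198.51.100.9 port 40050 [preauth]
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    # Classic syslog stamps carry no year; strptime defaults to 1900, which is
    # fine for ordering within one file but not across a year boundary.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Scan lines in order and return a list of alert tuples.

    'brute_force'            -> `threshold` failures from one IP inside `window`
    'success_after_failures' -> an Accepted login from an IP that reached the
                                threshold inside the window (the one to act on)
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not an auth event, or a format we do not parse
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()             # age out failures that left the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold: # fire once, when the threshold is crossed
                alerts.append(("brute_force", ev["ip"], ev["host"], ev["ts"]))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail, ts in correlate(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {kind:24s} {ip:15s} {detail}")
```

Run against the sample, the script raises a brute-force alert for 203.0.113.7 at the fifth failure and then a higher-priority alert when that same address logs in as alice a minute later, while the single failure from 198.51.100.9 followed by a key-based login half an hour later produces nothing. The same structure (parse, window per key, rule, alert) is what the commercial and open-source log tools implement at scale.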
 
Disaster recovery isn't just for fires!

Disaster recovery, while typically associated with fires, floods and bombs, also applies directly to Information Protection and Security. Often the only sound remedy for a compromised system is to rebuild it, which is a disaster recovery exercise whatever the cause. Conversely, a destructive act such as a fire is a highly effective, low-tech denial-of-service attack. A research group may also be conducting controversial research that could be subject to sabotage. Having a proper disaster recovery plan is essential to maintaining business continuity in the event of any kind of calamity. Creating one is beyond the scope of this simple document, but many resources exist on the web and at Rutgers for developing one.
 
Pursue continued education for IT staff development and departmental awareness.

It is very difficult to secure something you do not understand. Knowing where technology is going and what developments have already been made is key to situational awareness with regard to security. It is not just the technologists in a group who may need regular education; it may well be the entire department. It is important that everyone understand and agree with any policies or methods that are adopted, because that is what ensures cooperation from the people who will ultimately have to live with the design decisions made. Forcing restrictions upon business operations is rarely viewed as forward-thinking by anyone. But if individuals can be led to understand the reasoning behind those decisions, greater collaboration often follows, and newer, more innovative solutions not previously considered can emerge. Many resources are available at the university; IPS offers many materials to help with security awareness on this website.

What to do in the event of an intrusion?

Finally, assume that despite the best of intentions, compromises will still occur. If you cannot resolve the problem yourself, send an email to abuse@rutgers.edu with the relevant headers and a description of the problem. Please familiarize yourself and others with the NPPI portion of this website, which describes the responsibilities of departments for the confidentiality and protection of the data they hold. Please email rusecure@rutgers.edu with any questions.