Monthly News, updates, and tips from the SecureCarolina project team July 2015

Division of Information Technology
University of South Carolina
SecureCarolina Meeting
On July 8th, faculty and staff joined the University
Information Security Office (UISO) to discuss the
SecureCarolina project and technologies. The project team
announced two major products: an endpoint
whole disk encryption solution and a secure file sharing
solution. SecureDoc by WinMagic renders data unreadable
to unauthorized individuals. This solution reduces exposure
from loss and theft. The UISO is offering training on
July 28th and 29th. Please call (803)777-1800 for more
information.
OneDrive for Business is being prepared for widespread
use by faculty and staff. It will be available to early adopters
as part of a pilot on August 1st. OneDrive for Business
offers secure file sharing and collaboration to faculty and
staff, even when working with those outside the university.
The service also provides 1 TB of secure, US-based cloud
storage to users.
For more information, you can view the July 8th meeting
here.
CISO’s Corner
The university chartered the
SecureCarolina project in 2013. At that
time, the UISO’s documents provided
the foundation for information security
decisions. Now, our office is working to adopt the standards
produced by the South Carolina Division of Information
Security. This initiative, called “Adopt & Adapt,” will
simplify decisions after the SecureCarolina project has
completed. Ultimately, we want to help departments find the
right way to secure university resources.
- James D. Perry
http://security.sc.edu
Security Advisories: Staying Informed
The UISO must often decide whether to notify
the university community of a late-breaking security
vulnerability. Due to the sheer volume and velocity of
notifications, only those that pose an active threat are
broadcast. For example, the National Vulnerability Database
(NVD) has announced more than 270 high severity flaws
since June of this year. In extreme cases, administrators need
to act before an application or product vendor provides a fix.
It is important that our office call attention to issues when it
is most necessary—and most beneficial—to do so.
The Security Operations Center examines industry
updates for information on the latest exploits. The team
may then review system logs to verify the existence or
likelihood of the exploit in question. If something catches
the eye of Senior Security Engineer Jeff Whitson, he goes
straight to the NVD to research its Common Vulnerability
Scoring System (CVSS) rating. “Anytime a CVSS rating
is considered high or critical, there is a good chance we
will issue an advisory,” Whitson says. He also says an
announcement is possible for lower-scoring vulnerabilities,
especially when they uniquely threaten the university.
The team gathers as much knowledge about
a vulnerability as possible to draft a message for
administrators. This may include patches (system updates),
a recommended workaround, and other resources. This
way, the community can quickly learn about security
vulnerabilities that endanger university data. The UISO
delivers security advisories to the Network Managers’ and
SecureCarolina mailing lists. You can find a list of active
advisories by visiting http://security.sc.edu.