Division of Information Technology University of South Carolina Monthly News, updates, and tips from the SecureCarolina project team July 2015 SecureCarolina Meeting On July 8th, faculty and staff joined the University Information Security Office (UISO) to discuss the SecureCarolina project and technologies. The project team announced two major products: including an endpoint whole disk encryption solution and a secure file sharing solution. SecureDoc by WinMagic renders data unreadable to unauthorized individuals. This solution reduces exposure from loss and theft. The UISO is offering training on July 28th and 29th. Please call (803)777-1800 for more information. OneDrive for Business is being prepared for widespread use by faculty and staff. It will be available to early adopters as part of a pilot on August 1st. OneDrive for Business offers secure file sharing and collaboration to faculty and staff, even when working with those outside the university. The service also provides 1 TB of secure, US-based cloud storage to users. For more information, you can view the July 8th meeting here. CISO’s Corner The university chartered the SecureCarolina project in 2013. At that time, the UISO’s documents provided the foundation for information security decisions. Now, our office is working to adopt the standards produced by the South Carolina Division of Information Security. This initiative, called “Adopt & Adapt,” will simplify decisions after the SecureCarolina project has completed. Ultimately, we want to help departments find the right way to secure university resources. - James D. Perry http://security.sc.edu The University of South Carolina is an equal opportunity institution. Security Advisories: Staying Informed The UISO must often decide whether to notify the university community of a late-breaking security vulnerability. Due to the sheer volume and velocity of notifications, only those that pose an active threat are broadcast. For example, the National Vulnerability Database (NVD) has announced more than 270 high severity flaws since June of this year. In extreme cases, administrators need to act before an application or product vendor provides a fix. It is important that our office call attention to issues when it is most necessary—and most beneficial—to do so. The Security Operations Center examines industry updates for information on the latest exploits. The team may then review system logs to verify the existence or likelihood of the exploit in question. If something catches the eye of Senior Security Engineer Jeff Whitson, he goes straight to the NVD to research its Common Vulnerability Scoring System (CVSS) rating. “Anytime a CVSS rating is considered high or critical, there is a good chance we will issue an advisory,” Whitson says. He also said an announcement is possible for lower-scoring vulnerabilities, especially when they uniquely threaten the university. The team gathers as much knowledge about a vulnerability as possible to draft a message for administrators. This may include patches (system updates), a recommended work around, and other resources. This way, the community can quickly learn about security vulnerabilities that endanger university data. The UISO delivers security advisories to the Network Managers’ and SecureCarolina mailing lists. You can find a list of active advisories by visiting http://security.sc.edu.