Frequently Asked Questions
BSD Security Assessment and Authorization (SAA)
A1. Contact the BSD ISO directly via security@bsd.uchicago.edu for anonymous & confidential submissions and questions.
Q2. What type of systems should complete the BSD Security Assessment and Authorization process?
A2. Any planned, new, or existing information system that supports the BSD academic and research activities is expected to complete the SAA process.
Q3. How long will the security assessment and authorization process take?
A3. The SAA process could take approximately 2-4 weeks depending on the complexity of the system and assuming information is provided in a timely fashion.
Q4. Will I still be able to operate my system if it is not authorized?
A4. Yes, this SAA process will not hinder any research systems from operating. The BSD ISO will work with the system owners to develop a risk reduction plan with a timeline to bring the system within the organizational risk thresholds.
Q5. Will my system be HIPAA compliant after completing SAA process?
A5. The SAA process utilizes the NIST Cyber Security Framework, which aligns to HIPAA controls. However, this process does not certify HIPAA compliance.
BSD Center for Internet Security
A: The CIS Security Benchmarks Division provides well-defined, unbiased, and consensus-based industry best practices to help the BSD assess and improve security. Resources include secure configuration benchmarks and automated configuration assessment tools (CIS-CAT).
The CIS Security Benchmarks Division develops and distributes:
- Security Configuration Benchmarks – 94 Benchmarks which describe best practices for the secure configuration of target systems and are developed via extensive collaboration with the CIS volunteer consensus community.
- The CIS-CAT Benchmark Assessment Tool – provides systems administrators with a fast, detailed assessment of target systems’ conformance to CIS Benchmarks. The CIS-CAT Assessment Tool is available only to CIS Security Benchmarks Members. Members can download CIS-CAT from the CIS Members Website. You can try out CIS-CAT lite here.
Q: Why should we use CIS Security Benchmarks?
A: The Security Configuration Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls. Configuring systems in compliance with these Benchmarks has been shown to eliminate 80-95 percent of known security vulnerabilities. The BSD Information Security Office is developing system-hardening standards that narrow the Benchmarks down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at the University of Chicago, and will use the assessment tool to validate that systems meet the established system-hardening and security configuration standards.
Q: How do I get started?
- To register, go to http://workbench.cisecurity.org/registration/ and complete the registration form. You must have a valid BSD email address. After a simple account validation step, you will receive an email indicating that your registration has been activated, along with a temporary password.
- Log in to https://workbench.cisecurity.org/ to download and review CIS benchmarks for your platforms. Benchmarks are available as PDF reference worksheets for system hardening.
- Download the CIS-CAT Benchmark Assessment Tool (available on the member website) and run it against a representative hardened system. This cross-platform app examines your system and produces a report comparing your settings to the published benchmarks.
- Participate in the CIS member forums to provide feedback, make suggestions, and discuss the CIS tools with other members.
Q: How do I use the tools?
A: The following tutorials are available:
- Tutorial: CIS-CAT in Windows (GUI) (video)
- Tutorial: CIS-CAT in Linux (GUI) (video)
Q: Where can I find more information?
A: If you have any questions about registration or accessing the tools, you can contact the BSD Information Security Office at security@bsd.uchicago.edu.
BSD UCM Phishing Email Assessment and Prescriptive Education Initiative
A1. The UCM and BSD Information Security Offices have launched a Phishing Email Assessment and Prescriptive Education Initiative to raise awareness of phishing emails and improve your ability to spot one. The email contains instructions on how to access training.
Q2. Why are the BSD and UCM Information Security Offices sending “test” phishing emails to employees?
A2. Every day, more than 15 million phishing attacks are launched around the world, and 80,000 email users fall victim to these attacks. This initiative will show you first-hand how easy it is to fall for a phishing attack. The “test” phishing emails are sent to reduce the risk of cyber-attacks and the loss of sensitive information, and avoid possible regulatory fines and penalties by providing immediate training to those who click on the links within the test emails.
Q3. How can I opt-out of receiving the “test” phishing emails and participating in the Phishing Email Assessment and Prescriptive Education Initiative?
A3. This initiative was sanctioned and approved by a variety of leadership throughout the BSD/UCM, including: Dean Polonsky, Sharon O’Keefe, executive leadership of both the BSD and UCM, shared Cyber Security Governance committees, BSD and UCM HR, and the University and UCM Legal Offices, and will include all employees at this time. The purpose of this initiative is to raise our organization’s awareness of phishing email scams and provide training to all employees.
Q4. How do I access the “Anti-Phishing Training?”
A4. You can access the training by clicking the training link above or by going to https://uchicagomedicine.securityeducation.com/. You will be asked to enter your CNet or UCHAD credentials to log into the training system. (Note: if you have both a CNetID and a UCHADID, you will have to use your CNet credentials to log on.)
Q5. I cannot sign in with my UCHAD credentials. Why not?
A5. If you have both a CNetID and UCHADID, you must log into the system with your CNet credentials.
Q6. Do I have to view the training video?
A6. No. This training is not mandatory, but it is recommended in order to increase your awareness of phishing emails.
Q7. What if I start watching the training video and do not complete it?
A7. That is okay. You can always go back to https://uchicagomedicine.securityeducation.com and finish watching the training video at your convenience. You can pick up where you last left off.
Q8. I received a suspicious-looking email that I think was sent as part of this campaign. Should I delete this email? Should I report the email to the Information Security Office?
A8. You are always encouraged to report any suspicious email to the Service Desk or Information Security Office before replying or clicking on any links. It is safe to delete the email.
Q9. What will happen if I opened the email, but did not click on any links?
A9. Nothing. You can simply delete the email. You should not click on the link in the email.
Q10. I hovered my mouse over the link in the email, and the URL looks suspicious/weird. What should I do?
A10. Nothing. One of the ways to identify a real phishing email is to hover (but not click) your mouse over the link within an email to see what URL you would be directed to if you were to click on the link. You can now delete the email.
Q11. What will happen if I clicked on the link in the email?
A11. The link in the phishing email is harmless and nothing will happen to you or your computer. The Information Security Offices will be tracking how many employees click on the link, but not who clicked. You will be sent an email that contains instructions on how to access the training video.
Q12. Will I be reported to my manager if I clicked on the link?
A12. No. Managers will have no knowledge of who clicked the phishing email link.
Q13. I clicked on the link and was re-directed to the BSD Information Security Office’s webpage (http://security.bsd.uchicago.edu/phish/). Now what do I do?
A13. Employees are instructed to follow the link on the BSD webpage to access training: https://uchicagomedicine.securityeducation.com
Q14. I received a training email from security@bsd.uchicago.edu. What is this?
A14. Employees will receive an email from security@bsd.uchicago.edu when they click on the phishing link. The email will provide instructions on how to access the training video to reinforce how to identify a phishing email.
Q15. I already watched the training video, so why do I need to watch another video?
A15. This additional training video is used to reinforce how to spot a phishing email and is only assigned to employees who click on the “test” phishing email sent as part of this initiative.
Q16. Is this training mandatory?
A16. No. This training is not mandatory, but is encouraged. Managers will have no knowledge of who has/has not completed training. The Information Security Offices will only be tracking how many employees have watched the training videos to gauge the effectiveness of training.
Hardware-Encrypted USB Flash Drives
A: There are various types of confidential information. For details on what is considered confidential information please review University of Chicago policy, HR601 – Treatment of Confidential Information.
Q: What Hardware-Encrypted USB Flash Drives are permitted for use?
A: The following Hardware-Encrypted USB Flash Drives models are permitted for the storage of confidential information:
- Apricorn Aegis – All models
- Kingston USB Storage – DataTraveler models
- IronKey – D300 or S1000 models
Q: If I’m in a Basic Sciences department and do not have confidential information, do I need to purchase a Hardware-Encrypted USB Flash Drive?
A: No, you do not need to purchase a hardware-encrypted USB Flash Drive unless you are storing confidential information on an insecure USB Flash Drive.
Q: If I’m in a Clinical department and utilize USB Flash Drives, but do not have confidential information, do I need to purchase Hardware-Encrypted USB Flash Drives?
A: Yes. Enforcement of secure hardware-encrypted USB Flash Drives for Clinical departments will begin on 3/31/2018, and non-secure USB Flash Drives will no longer be permitted for use.
Q: I don’t know what type of department I’m in. Should I get a hardware-encrypted USB Flash Drive?
A: As a general rule of thumb, if you work with or might potentially receive confidential data, then please use a hardware-encrypted USB Flash Drive. If you don’t know, please refer to your department’s IT Custodian.
Q: If I don’t get a drive through the Secure USB Flash Drive Exchange how do I purchase one?
A: A better way to store your data is on UChicago Box which can be used to store and access files remotely without the need for USB Flash Drives. All USB Flash Drives must be purchased through Buysite.
Q: I have a number of USB Flash Drives. Should I replace them all?
A: Yes. All your USB Flash Drives should be replaced. Non-compliant USB Flash Drives will no longer work after 03/31/2018.
Q: Someone gave me a non-compliant USB Flash Drive. Will I be able to download data from that drive?
A: Yes. You will be able to download data from non-compliant USB Flash Drives. However, you will not be able to write/upload to non-compliant USB Flash Drives after 03/31/2018.
If you have any additional questions, please reach out to your local departmental IT for support.
Incident Management
A1. A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Incidents are typically identified through the continual review and analysis of events. The BSD ISO will determine an event is an incident if the event affects the security (i.e. Confidentiality, Integrity, and/or Availability) of an IT system.
Q2. How is a security incident identified?
A2. During the Detection and Analysis phase, a potential incident event has been observed and reported to the BSD Information Security Office. The BSD Security Analyst gathers information related to the event to make a determination whether the observed event should be classified as an incident. If enough evidence exists to classify the event as an incident, the Security Analyst will work with the appropriate IT Custodians assigned to the affected systems in order to develop a valid Containment, Eradication, and Recovery (CER) strategy.
Q3. What are the IT Custodian’s expectations during the Incident Response (IR) program?
A3. The IT Custodian has the following responsibilities during the IR program.
1) Reporting Responsibility – As a contributor to the BSD IR process, it is expected that potential incidents are reported to the BSD ISO as soon as possible. If unsure whether a suspicious event meets the threshold for reporting, please contact the BSD ISO for clarity.
2) Expected Support – IT Custodians play an integral role within the BSD IR Workflow. It is through the IT Custodian that Security Analysts are able to properly investigate incidents and later remediate them. IT Custodians will be contacted by Security Analysts at several points throughout the IR Workflow. It is expected that the IT Custodian will contribute to the investigation by:
- Answering information requests from the Security Analyst
- Executing assigned tasks within the CER strategy
- Documenting CER execution progress and lessons learned within the GRC
Cyber Security Assessment Tool
A1: This survey is optimally designed for the department’s IT Manager with support from a small group of IT staff that have been with the department for long enough to have an understanding of its IT practices.
Q2: What should be done if a question doesn’t seem to directly apply to the department?
A2: Each question must be answered in order to generate results. If it appears that the question does not apply to your department, still select the answer you think most closely describes your department for that capability and leave a note with comments about why it does not apply to your department. If it is because another department handles the activity for you, please refer to FAQ #4.
Q3: What if none of the ratings describe the department or if the department falls between several options?
A3: Select the rating closest to what describes the department. When in doubt, err on the low side. Feel free to leave a comment in the notes column justifying why you selected that option.
Q4: What should we do if another department is handling an activity for us?
A4: Do not automatically assume that the other department is performing the task in a complete and secure manner. Ask yourself if you have a documented Transitional Service Agreement (TSA) with the department, and what security practices you KNOW they have in place. When in doubt, err on the low side and leave a comment in the notes column.
Q5: Are the questions in the People domain rating individuals or departmental people resources as a whole?
A5: The questions in the People domain ask whether the department has the appropriate quantity of people with the appropriate skill base for completing an activity; they are not meant to single individuals out.
Q6: In the Process domain of the survey, what should be selected if the activity is consistently performed and communicated, but not documented?
A6: When this is the case, err on the low side. If no documentation of the process exists, even if the activity is being performed completely, select ad-hoc. This will allow your department to show quick improvement once documentation has been created.
Secure Remote Access
A1. The University of Chicago virtual private network (cVPN) provides faculty, students, and staff with secure access to University network resources that are not available to you when you’re off-campus. The cVPN should also be used when you are working on an unknown network such as a hotel or coffee shop wireless network.
Q2. How do I access cVPN?
A2. You can access cVPN by logging in to cvpn.uchicago.edu with your CNetID and password. Your identity will be verified using two-factor authentication (2FA) in order to access the cVPN.
Q3. Where can I go for more information and installation instructions for cVPN?
A3. More information can be found on the cVPN page here.
Logging and Threat Management
A: The BSD ISO Logging and Threat Detection program is designed to create actionable alerts on credible threats to your department’s sensitive systems. While the threat management program is designed to detect possible avenues of attack, the Security Event and Log Management program is designed to detect and alert on suspicious behavior while it is happening.
Q: What is required of my department in order to participate?
A: In order to participate in the Logging and Threat Detection program, the technical support contact for your systems will need to make several minor configuration changes to your Windows or Linux servers. These changes will allow your server to send its log files to the BSD’s log collector. From there, BSD Security will be able to monitor your systems for illegal logins and other threats.
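The kind of detection the log collector runs once a Linux server forwards its auth logs, as an added example that is not the BSD ISO’s own tooling: it parses constructed sshd lines (hypothetical host, users and IPs), counts repeated failed logins per source address within a short window, and raises the severity when a successful login follows the failures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format a Linux server forwards to a
# central collector (hypothetical hostname, users and IPs; not real BSD data).
SAMPLE_LOG = """\
Mar 10 08:01:12 lab-srv01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:15 lab-srv01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:19 lab-srv01 sshd[2233]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:22 lab-srv01 sshd[2235]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:27 lab-srv01 sshd[2237]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:01:30 lab-srv01 sshd[2237]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:05:44 lab-srv01 sshd[2301]: Failed password for jdoe from 10.0.0.25 port 40010 ssh2
Mar 10 08:05:50 lab-srv01 sshd[2301]: Accepted publickey for jdoe from 10.0.0.25 port 40010 ssh2
"""

# Matches the sshd "Failed"/"Accepted" authentication result lines only.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(text, year=2024):
    """Return (timestamp, host, result, user, ip) tuples; syslog lines carry no year,
    so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication result; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["ip"]))
    return events

def detect_brute_force(events, threshold=5, window_s=60):
    """Alert when one source IP fails at least `threshold` times within `window_s`
    seconds; flag the alert as higher severity if a success follows the failures."""
    by_ip = defaultdict(list)
    for ts, host, result, user, ip in events:
        by_ip[ip].append((ts, result, user, host))
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures) - threshold + 1):
            start, end = failures[i][0], failures[i + threshold - 1][0]
            if (end - start).total_seconds() <= window_s:
                success_after = any(e[1] == "Accepted" and e[0] >= end for e in evs)
                alerts.append({"ip": ip, "host": failures[i][3], "failures": len(failures),
                               "success_after_failures": success_after})
                break  # one alert per source IP is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

A single failed login (jdoe above) produces no alert; the thresholds are the tunable part and should be set to the department’s own baseline.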
Q: What happens if a problem with my system is discovered?
A: The goal of the Logging and Threat Detection program is to identify risks and help your department become more secure. If an offense is triggered, our automated Security Intelligence Platform will notify us as the event is taking place. BSD ISO will then determine the severity of the offense and inform your department’s technical contact if the problem needs immediate attention.
Q: What’s the difference between this program and the “Threat Assessment” program?
A: While the BSD ISO Threat Assessment program concentrates on finding, cataloging, and remediating server weaknesses before they can be exploited, the Logging and Threat Detection program will concentrate on finding anomalies in real-time server behavior with the goal of identifying threats as they happen.
Vulnerability Management: Qualys
A: The QualysGuard video series gives you immediate access to a large video library of tutorials (https://community.qualys.com/docs/DOC-1323).
Q: Will the scan have a negative impact on my network?
A: Scanning should not affect your infrastructure or cause any devices to stop responding. Most vulnerability detections are non-intrusive, meaning that the scanner never exploits a vulnerability if doing so could negatively affect the host in any way.
Q: How does the scanner find vulnerabilities?
A: The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The following is a simplified description of the main steps of a scan:
- Checking if the remote host is alive – This detection is done by sending ICMP Echo Request (ping) packets, as well as probing some well-known TCP and UDP ports.
- Firewall detection – This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.
- TCP / UDP Port scanning – Detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.
- OS Detection – The scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.
- TCP / UDP Service Discovery – The scanner tries to identify which service runs on each open port by using active discovery tests.
- Vulnerability assessment based on the services detected – The scanner performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version.
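The final step above, version-based applicability, as an added example (not Qualys code): given constructed service-discovery results and a constructed catalog with placeholder vulnerability ids, it reports only the entries whose affected version range covers the detected version, and lists ports whose banner gave no version as unconfirmed rather than vulnerable.

```python
import re

# Constructed service-discovery results for one hypothetical host, as produced
# after the port-scan and service-discovery steps (versions are made up).
DISCOVERED = [
    {"port": 22,  "service": "openssh", "version": "7.4p1"},
    {"port": 80,  "service": "apache",  "version": "2.4.29"},
    {"port": 443, "service": "apache",  "version": "2.4.57"},
    {"port": 25,  "service": "postfix", "version": None},  # banner gave no version
]

# Constructed catalog: each entry affects versions in the range [min, fixed).
# The ids are placeholders, not real CVE numbers.
CATALOG = [
    {"id": "VULN-PLACEHOLDER-1", "service": "apache",  "min": "2.4.0", "fixed": "2.4.50"},
    {"id": "VULN-PLACEHOLDER-2", "service": "apache",  "min": "2.4.0", "fixed": "2.4.58"},
    {"id": "VULN-PLACEHOLDER-3", "service": "openssh", "min": "6.0",   "fixed": "7.4"},
    {"id": "VULN-PLACEHOLDER-4", "service": "postfix", "min": "3.0",   "fixed": "3.5.1"},
]

def parse_version(v):
    """Turn '7.4p1' or '2.4.29' into a tuple of ints for comparison; a trailing
    patch level such as 'p1' becomes an extra component, so 7.4p1 > 7.4."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def assess(discovered, catalog):
    """Return (findings, unconfirmed): findings are (port, id) pairs whose detected
    version falls inside the catalog range; unconfirmed are ports with no version,
    which need a credentialed or manual check instead of a guess."""
    findings, unconfirmed = [], []
    for svc in discovered:
        if svc["version"] is None:
            unconfirmed.append(svc["port"])
            continue
        ver = parse_version(svc["version"])
        for entry in catalog:
            if entry["service"] != svc["service"]:
                continue
            if parse_version(entry["min"]) <= ver < parse_version(entry["fixed"]):
                findings.append((svc["port"], entry["id"]))
    return findings, unconfirmed

if __name__ == "__main__":
    found, unknown = assess(DISCOVERED, CATALOG)
    for port, vuln_id in found:
        print(f"port {port}: {vuln_id} applies to detected version")
    print("no version detected on ports:", unknown)
```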
Q: The scan found vulnerabilities; how do I fix them?
A: In the scan report, a detailed description of each vulnerability will be provided, as well as the steps required to resolve it. Additionally, external links to security resources such as CVE, OWASP, and other security sites are suggested for more details. After the vulnerabilities have been fixed, rescan to confirm that each vulnerability has been addressed.