[Micronet] MSSND Revisions Effective March 15, 2012

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

[Micronet] MSSND Revisions Effective March 15, 2012

Lisa Ho
Changes to the UC Berkeley Minimum Security Standard for Networked Devices (MSSND) have been approved by the Campus InformationSecurity and Privacy Committee (CISPC) and the campus Chief Privacy and Security Officer (CPSO) and will become effective campuswide on March 15, 2012. This version supersedes MSSND: Appendix A.

The intent of the revision was to better distinguish between mandatory and optional controls, and to reflect the current campus environment while avoiding specific references to frequently changing technology.

One significant change to the standard is the addition of the requirement that privileged and super-user accounts (Administrator, root, etc.) must not be used for non-administrator activities. (For details, see MSSND Requirement #9: Privileged Accounts.)

Compliance with the MSSND helps protect not only the individual device, but also other devices connected through the electronic communications network. The standard is intended to prevent exploitation of campus resources by unauthorized individuals, including the use of campus resources by unauthorized individuals to attack other systems on the campus electronic communications network or the Internet.

Questions about the MSSND may be directed to [hidden email]

Happy Holidays!
-- 
Lisa Ho
IT Policy Manager
Office of the CIO: Security, Privacy & Policy


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Bruce Satow
It's a good idea, but there are software and hardware out there, which research engineers and scientists use that require administrator or root privilege.    Does the new version of the MSSND take into account circumstance?

E.g.  let's say I am developing a device that needs to be monitored or controlled by a computer directly.  I have an I/O card in a PCI slot or USB port which  is directly wired to the apparatus.   The software that I am writing or using usually requires administrative privilege for such I/O interaction.  I still use internet connectivity (secure) to monitor or control the unit from home or on travel. 


On 12/15/2011 10:22 PM, Lisa Ho wrote:
Changes to the UC Berkeley Minimum Security Standard for Networked Devices (MSSND) have been approved by the Campus InformationSecurity and Privacy Committee (CISPC) and the campus Chief Privacy and Security Officer (CPSO) and will become effective campuswide on March 15, 2012. This version supersedes MSSND: Appendix A.

The intent of the revision was to better distinguish between mandatory and optional controls, and to reflect the current campus environment while avoiding specific references to frequently changing technology.

One significant change to the standard is the addition of the requirement that privileged and super-user accounts (Administrator, root, etc.) must not be used for non-administrator activities. (For details, see MSSND Requirement #9: Privileged Accounts.)

Compliance with the MSSND helps protect not only the individual device, but also other devices connected through the electronic communications network. The standard is intended to prevent exploitation of campus resources by unauthorized individuals, including the use of campus resources by unauthorized individuals to attack other systems on the campus electronic communications network or the Internet.

Questions about the MSSND may be directed to [hidden email]

Happy Holidays!
-- 
Lisa Ho
IT Policy Manager
Office of the CIO: Security, Privacy & Policy



 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Gabriel Gonzalez
Hi Bruce,
  Do you think this exception in section 9 may fit the case you bring up?

"The following case is exempted from this requirement:
Devices that do not support separation of privileges

Devices that do not provide separate facilities for privileged or
unprivileged access (e.g., some network appliances and printers with
embedded operating systems) are exempt from this requirement."


Gabriel Gonzalez
School of Law

On 12/16/2011 10:11 AM, Bruce Satow wrote:

> It's a good idea, but there are software and hardware out there, which
> research engineers and scientists use that require administrator or root
> privilege. Does the new version of the MSSND take into account circumstance?
>
> E.g. let's say I am developing a device that needs to be monitored or
> controlled by a computer directly. I have an I/O card in a PCI slot or
> USB port which is directly wired to the apparatus. The software that I
> am writing or using usually requires administrative privilege for such
> I/O interaction. I still use internet connectivity (secure) to monitor
> or control the unit from home or on travel.
>
>
> On 12/15/2011 10:22 PM, Lisa Ho wrote:
>> Changes to the UC Berkeley Minimum Security Standard for Networked
>> Devices
>> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>> have been approved by the Campus InformationSecurity and Privacy
>> Committee (CISPC) and the campus Chief Privacy and Security Officer
>> (CPSO) and will become effective campuswide on March 15, 2012. This
>> version supersedes MSSND: Appendix A
>> <https://security.berkeley.edu/node/167>.
>>
>>
>>   The intent of the revision was to better distinguish between
>>   mandatory and optional controls, and to reflect the current campus
>>   environment while avoiding specific references to frequently
>>   changing technology.
>>
>>   One significant change to the standard is the addition of the
>>   requirement that privileged and super-user accounts (Administrator,
>>   root, etc.) must not be used for non-administrator activities. (For
>>   details, see MSSND Requirement #9: Privileged Accounts.)
>>
>>   Compliance with the MSSND helps protect not only the individual
>>   device, but also other devices connected through the electronic
>>   communications network. The standard is intended to prevent
>>   exploitation of campus resources by unauthorized individuals,
>>   including the use of campus resources by unauthorized individuals to
>>   attack other systems on the campus electronic communications network
>>   or the Internet.
>>
>>   Questions about the MSSND may be directed to [hidden email]
>>   <mailto:[hidden email]>.
>>
>> Happy Holidays!
>> --
>> Lisa Ho
>> IT Policy Manager
>> Office of the CIO: Security, Privacy & Policy
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>> The following was automatically added to this message by the list server:
>>
>> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>>
>> http://micronet.berkeley.edu
>>
>> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
>
>
>
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Rune Stromsness
In reply to this post by Lisa Ho
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15-Dec-11 22:22, Lisa Ho wrote:
> Changes to the UC Berkeley Minimum Security Standard for Networked
> Devices
> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>
>
have been approved by the Campus InformationSecurity and Privacy

> Committee (CISPC) and the campus Chief Privacy and Security
> Officer (CPSO) and will become effective campuswide on March 15,
> 2012. This version supersedes MSSND: Appendix A
> <https://security.berkeley.edu/node/167>.
>
>
> The intent of the revision was to better distinguish between
> mandatory and optional controls, and to reflect the current campus
> environment while avoiding specific references to frequently
> changing technology.
[...]

My understanding is that the MSSND are supposed to be baseline, lowest
common denominator security standards that we believe are appropriate
for any device that uses the campus network -- including the student's
personal laptop that they use to connect to AirBears while in a class
or the mythtv server that a resident sets up in their dorm room or the
iPhone of a custodian who connects to AirBears on campus at night.

While some parts of the updated Appendix A look better to me than the
original, others still seem to me to be poorly written and not based
on what should be the lowest bar that any device on campus should have
to meet.

For instance, the passphrase requirement says:

] When passphrases are used, they must meet the following complexity
specifications:
]
] Passphrases MUST:
]
] * Contain eight characters or more
] * Contain characters from two of the following three character classes:
]   1. Alphabetic (e.g., a-z, A-Z)
]   2. Numeric (i.e. 0-9)
]   3. Punctuation and other characters (e.g.,
!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

Whether those sorts of requirements actually make sense is the subject
of significant debate in the IT security world.  At a USENIX
conference last year in a talk about password/passphrase security and
research on when it works and doesn't work I got the honor of seeing
UC Berkeley mentioned as a perfect example...of an organization with
passphrase requirements that their research showed were
counter-productive.  (And the requirements that the presenter showed
were the CalNet requirements that are better written and seem to me to
make a little more sense:
https://wikihub.berkeley.edu/display/calnet/Passphrase+Requirements ).

Without being very literal at all I believe that this passphrase would
not meet the new MSSND standards:
        wind cartoid plague spot genus
and yet it is quite strong (I chose 5 words at random from a 50,000
word dictionary).

However, the MSSND standard appears to be completely satisfied by
these passphrases:
        p@ssw0rd
        1q2w3e4r
        1qaz2wsx
        passw0rd
        !monitor
        admin123
        asdf1234
        letmein!
        passwd123
        r00tr00t
        q1w2e3r4
        q1w2e3r4t5
(All of those chosen from a list from some security researchers of the
100 most commonly used passwords.)

I'm sure many of us have seen that xkcd has covered this topic
recently as well:  http://xkcd.com/936/


So why does our minimum standard for all devices completely allow
        asdf1234
and forbid
        wind cartoid plague spot genus
?

I would argue that in MSSND we should have a standard that would
prohibit 'asdf1234' but allow 'wind cartoid plague spot genus'.


] Multi-user systems must be configured to enforce these complexity
requirements and require that users change any pre-assigned
passphrases immediately upon initial access to the account.

And here we've gotten a requirement that the complexity standards have
to be enforced by the system for multiuser systems.

One system that I've helped design on campus for an application that
can't use CalNet has a self-service web interface where users can
authenticate by CAS and then set or re-set their password for this
application.  We wrote it so that they could choose any passphrase
from 8 - 255 characters and we would accept it if we couldn't crack it
using cracking tools that try decent-sized dictionary (including
common passwords, a decent english word list, some smaller word lists
from other languages, all the strings in the person's ldap entry, and
all the strings found walking the department's website every week)
with common substitutions.  The crack routine took < 30 seconds
against the unencrypted password.  We just explain the password
requirements to users something along the lines of "We will try to
guess your passphrase using common tools used by attackers -- if we
are able to guess your passphrase then they probably can too, and
we'll ask you to choose something that is harder for them to guess."

That seems like a password requirement that is pretty effective, but
does not meet the requirement in MSSND.


Rune



P.S.

Being literal and a bit nit-picky the standard requires two of the
three character classes to be used (not at least two).  That  makes it
unclear whether a passphrase like this:
        Zfyoy<5cdkp?B0(f4Ukfuxrj
meets the literal requirement since it contains three of the character
classes.  (Arguably it does meet the requirement since it is also a
true statement that the passphrase contains two of the character
classes, but the requirement could be easily made much more clear by
explicitly stating "at least two".)


> Happy Holidays! -- Lisa Ho IT Policy Manager Office of the CIO:
> Security, Privacy & Policy
>
>
>
>
> -------------------------------------------------------------------------
>
>
The following was automatically added to this message by the list server:

>
> To learn more about Micronet, including how to subscribe to or
> unsubscribe from its mailing list and how to find out about
> upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and
> world-viewable, and the list's archives can be browsed and searched
> on the Internet.  This means these messages can be viewed by (among
> others) your bosses, prospective employers, and people who have
> known you in the past.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7rj1UACgkQTEPhH6HBuKBoOwCg7YMtdkTLCfIipuLzEn1FJzWA
aakAniLMdYzL69e77CIKzK7pv0vUmDCG
=tkLV
-----END PGP SIGNATURE-----

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Rune Stromsness
In reply to this post by Gabriel Gonzalez
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16-Dec-11 10:24, Gabriel Gonzalez wrote:

> Hi Bruce, Do you think this exception in section 9 may fit the case
> you bring up?
>
> "The following case is exempted from this requirement: Devices that
> do not support separation of privileges
>
> Devices that do not provide separate facilities for privileged or
> unprivileged access (e.g., some network appliances and printers
> with embedded operating systems) are exempt from this
> requirement."
>
> Gabriel Gonzalez School of Law
>
> On 12/16/2011 10:11 AM, Bruce Satow wrote:
>> It's a good idea, but there are software and hardware out there,
>> which research engineers and scientists use that require
>> administrator or root privilege. Does the new version of the
>> MSSND take into account circumstance?
>>
>> E.g. let's say I am developing a device that needs to be
>> monitored or controlled by a computer directly. I have an I/O
>> card in a PCI slot or USB port which is directly wired to the
>> apparatus. The software that I am writing or using usually
>> requires administrative privilege for such I/O interaction. I
>> still use internet connectivity (secure) to monitor or control
>> the unit from home or on travel.

For a full-featured OS like recent Windows or *nix I would think that
the "do not provide separate facilities for privileged or unprivileged
access" loophole would not apply.

But I would argue that where talking to the I/O card or USB device
requires administrative privileges that such activity is by definition
not a "non-administrator" activity.

> Privileged and super-user accounts (Administrator, root, etc.) must
> not be used for non-administrator activities.

And it seems like

> A secure mechanism to escalate privileges (e.g., via User Account
> Control or via sudo) with a standard account is acceptable to meet
> this requirement.

would make a setup where one logs into the Windows or *nix system as a
non-administrative user and then uses UAC or sudo (or Sudo for Windows
[ http://sourceforge.net/projects/sudowin/ ] ) to access the device
would completely meet the MSSND requirement as written without much
difficulty.


Rune

>> On 12/15/2011 10:22 PM, Lisa Ho wrote:
>>> Changes to the UC Berkeley Minimum Security Standard for
>>> Networked Devices
>>> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>>>
>>>
have been approved by the Campus InformationSecurity and Privacy

>>> Committee (CISPC) and the campus Chief Privacy and Security
>>> Officer (CPSO) and will become effective campuswide on March
>>> 15, 2012. This version supersedes MSSND: Appendix A
>>> <https://security.berkeley.edu/node/167>.
>>>
>>>
>>> The intent of the revision was to better distinguish between
>>> mandatory and optional controls, and to reflect the current
>>> campus environment while avoiding specific references to
>>> frequently changing technology.
>>>
>>> One significant change to the standard is the addition of the
>>> requirement that privileged and super-user accounts
>>> (Administrator, root, etc.) must not be used for
>>> non-administrator activities. (For details, see MSSND
>>> Requirement #9: Privileged Accounts.)
>>>
>>> Compliance with the MSSND helps protect not only the
>>> individual device, but also other devices connected through the
>>> electronic communications network. The standard is intended to
>>> prevent exploitation of campus resources by unauthorized
>>> individuals, including the use of campus resources by
>>> unauthorized individuals to attack other systems on the campus
>>> electronic communications network or the Internet.
>>>
>>> Questions about the MSSND may be directed to
>>> [hidden email] <mailto:[hidden email]>.
>>>
>>> Happy Holidays! -- Lisa Ho IT Policy Manager Office of the CIO:
>>> Security, Privacy & Policy
[...]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7rkM4ACgkQTEPhH6HBuKCezwCg1YSkp1pXhz/JP2KQ5/+SQrVN
OMsAoIZD93ayO5tOpKawAkeA8HvnLX6P
=a19O
-----END PGP SIGNATURE-----

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Rune Stromsness
In reply to this post by Rune Stromsness
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16-Dec-11 10:35, Rune Stromsness wrote:
> On 15-Dec-11 22:22, Lisa Ho wrote:
[...]

> Whether those sorts of requirements actually make sense is the
> subject of significant debate in the IT security world.  At a
> USENIX conference last year in a talk about password/passphrase
> security and research on when it works and doesn't work I got the
> honor of seeing UC Berkeley mentioned as a perfect example...of an
> organization with passphrase requirements that their research
> showed were counter-productive.  (And the requirements that the
> presenter showed were the CalNet requirements that are better
> written and seem to me to make a little more sense:
> https://wikihub.berkeley.edu/display/calnet/Passphrase+Requirements
> ).
[...]

I couldn't send a copy of the slides from the talks I attended at the
USENIX conference because they're restricted to people who paid to
attend.  But there is a copy of slides online from one of the best
presenters for a substantially similar talk:
        http://www.cheswick.com/ches/talks/rethink.pdf
(Or google for "bill cheswick passwords" and Google will offer you an
HTML version.)

He skips listing UC Berkeley explicitly in the examples of
counter-productive policies, but otherwise these are slides from
substantially the same talk.


Rune


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7rt+UACgkQTEPhH6HBuKAEVQCgjJ9U5dM/lElxFBzDXDNcdPNl
xrgAoOTDQzBI4NX7DvssV5YIsS6jU9+L
=icdE
-----END PGP SIGNATURE-----

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Bruce Satow
In reply to this post by Gabriel Gonzalez
Hi Gabriel,

I think the problem maybe due to how the University sees what computers
are used for.
I believe that the use of computers can be broken down into three basic
groups:

1.)  Administrative and academic
2.)  Public access
3.)  Research and development

The MSSND seems to be tailored or directed toward computers for
administrative and academic use as well as for public use, but not
necessarily adequate for research and development.

Where I work, the lab designs and build research spacecraft as well as
components.  We use computers to control vacuum chambers for testing -
some so large that you can put your car in it.  The software and
hardware we use usually requires administrative privileges to run
properly.  Maybe an exception or clause can be added to the MSSND for
research and development computers using hardware and software which
require administrative or root access for operation.

-Bruce



On 12/16/2011 10:24 AM, Gabriel Gonzalez wrote:

> Hi Bruce,
>  Do you think this exception in section 9 may fit the case you bring up?
>
> "The following case is exempted from this requirement:
> Devices that do not support separation of privileges
>
> Devices that do not provide separate facilities for privileged or
> unprivileged access (e.g., some network appliances and printers with
> embedded operating systems) are exempt from this requirement."
>
>
> Gabriel Gonzalez
> School of Law
>
> On 12/16/2011 10:11 AM, Bruce Satow wrote:
>> It's a good idea, but there are software and hardware out there, which
>> research engineers and scientists use that require administrator or root
>> privilege. Does the new version of the MSSND take into account
>> circumstance?
>>
>> E.g. let's say I am developing a device that needs to be monitored or
>> controlled by a computer directly. I have an I/O card in a PCI slot or
>> USB port which is directly wired to the apparatus. The software that I
>> am writing or using usually requires administrative privilege for such
>> I/O interaction. I still use internet connectivity (secure) to monitor
>> or control the unit from home or on travel.
>>
>>
>> On 12/15/2011 10:22 PM, Lisa Ho wrote:
>>> Changes to the UC Berkeley Minimum Security Standard for Networked
>>> Devices
>>> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>>>
>>> have been approved by the Campus InformationSecurity and Privacy
>>> Committee (CISPC) and the campus Chief Privacy and Security Officer
>>> (CPSO) and will become effective campuswide on March 15, 2012. This
>>> version supersedes MSSND: Appendix A
>>> <https://security.berkeley.edu/node/167>.
>>>
>>>
>>>   The intent of the revision was to better distinguish between
>>>   mandatory and optional controls, and to reflect the current campus
>>>   environment while avoiding specific references to frequently
>>>   changing technology.
>>>
>>>   One significant change to the standard is the addition of the
>>>   requirement that privileged and super-user accounts (Administrator,
>>>   root, etc.) must not be used for non-administrator activities. (For
>>>   details, see MSSND Requirement #9: Privileged Accounts.)
>>>
>>>   Compliance with the MSSND helps protect not only the individual
>>>   device, but also other devices connected through the electronic
>>>   communications network. The standard is intended to prevent
>>>   exploitation of campus resources by unauthorized individuals,
>>>   including the use of campus resources by unauthorized individuals to
>>>   attack other systems on the campus electronic communications network
>>>   or the Internet.
>>>
>>>   Questions about the MSSND may be directed to [hidden email]
>>> <mailto:[hidden email]>.
>>>
>>> Happy Holidays!
>>> --
>>> Lisa Ho
>>> IT Policy Manager
>>> Office of the CIO: Security, Privacy & Policy
>>>
>>>
>>>
>>>
>>> -------------------------------------------------------------------------
>>>
>>> The following was automatically added to this message by the list
>>> server:
>>>
>>> To learn more about Micronet, including how to subscribe to or
>>> unsubscribe from its mailing list and how to find out about upcoming
>>> meetings, please visit the Micronet Web site:
>>>
>>> http://micronet.berkeley.edu
>>>
>>> Messages you send to this mailing list are public and
>>> world-viewable, and the list's archives can be browsed and searched
>>> on the Internet.  This means these messages can be viewed by (among
>>> others) your bosses, prospective employers, and people who have
>>> known you in the past.
>>
>>
>>
>>
>> -------------------------------------------------------------------------
>>
>> The following was automatically added to this message by the list
>> server:
>>
>> To learn more about Micronet, including how to subscribe to or
>> unsubscribe from its mailing list and how to find out about upcoming
>> meetings, please visit the Micronet Web site:
>>
>> http://micronet.berkeley.edu
>>
>> Messages you send to this mailing list are public and world-viewable,
>> and the list's archives can be browsed and searched on the Internet.  
>> This means these messages can be viewed by (among others) your
>> bosses, prospective employers, and people who have known you in the
>> past.


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

paul rivers

Hi Bruce,

It doesn't sound as if you disagree with the reason this control put
forward as a minimum standard.  It sounds as if your concern is that it
is not always possible to meet for good reason, more than a matter of
whether it is a research or an administrative machine.

If this is a fair summary of your view here, then it would be reasonable
to expect you'd have some other control to mitigate the risk, whether
procedural or technical, to the lab setup.

Given that, an exception to MSSND would probably be easily obtained.

It's hard to have a basic policy cover the wide array of devices and
uses for these devices on our network.  I suppose we could always look
to draw the lines a different way, but in the end I wonder if we'd end
up with something as direct and simple (which I think are good things
for a policy with this kind of scope) as the MSSND.

My $0.02
Paul


On 12/16/2011 01:45 PM, Bruce Satow wrote:

> Hi Gabriel,
>
> I think the problem maybe due to how the University sees what computers
> are used for.
> I believe that the use of computers can be broken down into three basic
> groups:
>
> 1.)  Administrative and academic
> 2.)  Public access
> 3.)  Research and development
>
> The MSSND seems to be tailored or directed toward computers for
> administrative and academic use as well as for public use, but not
> necessarily adequate for research and development.
>
> Where I work, the lab designs and build research spacecraft as well as
> components.  We use computers to control vacuum chambers for testing -
> some so large that you can put your car in it.  The software and
> hardware we use usually requires administrative privileges to run
> properly.  Maybe an exception or clause can be added to the MSSND for
> research and development computers using hardware and software which
> require administrative or root access for operation.
>
> -Bruce
>
>
>
> On 12/16/2011 10:24 AM, Gabriel Gonzalez wrote:
>> Hi Bruce,
>>  Do you think this exception in section 9 may fit the case you bring up?
>>
>> "The following case is exempted from this requirement:
>> Devices that do not support separation of privileges
>>
>> Devices that do not provide separate facilities for privileged or
>> unprivileged access (e.g., some network appliances and printers with
>> embedded operating systems) are exempt from this requirement."
>>
>>
>> Gabriel Gonzalez
>> School of Law
>>
>> On 12/16/2011 10:11 AM, Bruce Satow wrote:
>>> It's a good idea, but there are software and hardware out there, which
>>> research engineers and scientists use that require administrator or root
>>> privilege. Does the new version of the MSSND take into account
>>> circumstance?
>>>
>>> E.g. let's say I am developing a device that needs to be monitored or
>>> controlled by a computer directly. I have an I/O card in a PCI slot or
>>> USB port which is directly wired to the apparatus. The software that I
>>> am writing or using usually requires administrative privilege for such
>>> I/O interaction. I still use internet connectivity (secure) to monitor
>>> or control the unit from home or on travel.
>>>
>>>
>>> On 12/15/2011 10:22 PM, Lisa Ho wrote:
>>>> Changes to the UC Berkeley Minimum Security Standard for Networked
>>>> Devices
>>>> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>>>>
>>>> have been approved by the Campus InformationSecurity and Privacy
>>>> Committee (CISPC) and the campus Chief Privacy and Security Officer
>>>> (CPSO) and will become effective campuswide on March 15, 2012. This
>>>> version supersedes MSSND: Appendix A
>>>> <https://security.berkeley.edu/node/167>.
>>>>
>>>>
>>>>   The intent of the revision was to better distinguish between
>>>>   mandatory and optional controls, and to reflect the current campus
>>>>   environment while avoiding specific references to frequently
>>>>   changing technology.
>>>>
>>>>   One significant change to the standard is the addition of the
>>>>   requirement that privileged and super-user accounts (Administrator,
>>>>   root, etc.) must not be used for non-administrator activities. (For
>>>>   details, see MSSND Requirement #9: Privileged Accounts.)
>>>>
>>>>   Compliance with the MSSND helps protect not only the individual
>>>>   device, but also other devices connected through the electronic
>>>>   communications network. The standard is intended to prevent
>>>>   exploitation of campus resources by unauthorized individuals,
>>>>   including the use of campus resources by unauthorized individuals to
>>>>   attack other systems on the campus electronic communications network
>>>>   or the Internet.
>>>>
>>>>   Questions about the MSSND may be directed to [hidden email]
>>>> <mailto:[hidden email]>.
>>>>
>>>> Happy Holidays!
>>>> --
>>>> Lisa Ho
>>>> IT Policy Manager
>>>> Office of the CIO: Security, Privacy & Policy
>>>>
>>>>
>>>>
>>>>
>>>> -------------------------------------------------------------------------
>>>>
>>>> The following was automatically added to this message by the list
>>>> server:
>>>>
>>>> To learn more about Micronet, including how to subscribe to or
>>>> unsubscribe from its mailing list and how to find out about upcoming
>>>> meetings, please visit the Micronet Web site:
>>>>
>>>> http://micronet.berkeley.edu
>>>>
>>>> Messages you send to this mailing list are public and
>>>> world-viewable, and the list's archives can be browsed and searched
>>>> on the Internet.  This means these messages can be viewed by (among
>>>> others) your bosses, prospective employers, and people who have
>>>> known you in the past.
>>>
>>>
>>>
>>>
>>> -------------------------------------------------------------------------
>>>
>>> The following was automatically added to this message by the list
>>> server:
>>>
>>> To learn more about Micronet, including how to subscribe to or
>>> unsubscribe from its mailing list and how to find out about upcoming
>>> meetings, please visit the Micronet Web site:
>>>
>>> http://micronet.berkeley.edu
>>>
>>> Messages you send to this mailing list are public and world-viewable,
>>> and the list's archives can be browsed and searched on the Internet.  
>>> This means these messages can be viewed by (among others) your
>>> bosses, prospective employers, and people who have known you in the
>>> past.
>
>
>  
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Reply | Threaded
Open this post in threaded view
|

Re: [Micronet] MSSND Revisions Effective March 15, 2012

Bruce Satow
Hi Paul,

Actually I totally  agree  with having minimum computer use standards,
but I feel that having a "one shoe fits all" type policy wouldn't be
very enforceable, especially when there are certain situations which
require privileged access.

Maybe a clarification on what defines "non-administrator activities",
would be helpful in the MSSND.

-Bruce


On Sunday - Dec 18, 2011 2:56 PM, paul rivers wrote:

> Hi Bruce,
>
> It doesn't sound as if you disagree with the reason this control put
> forward as a minimum standard.  It sounds as if your concern is that it
> is not always possible to meet for good reason, more than a matter of
> whether it is a research or an administrative machine.
>
> If this is a fair summary of your view here, then it would be reasonable
> to expect you'd have some other control to mitigate the risk, whether
> procedural or technical, to the lab setup.
>
> Given that, an exception to MSSND would probably be easily obtained.
>
> It's hard to have a basic policy cover the wide array of devices and
> uses for these devices on our network.  I suppose we could always look
> to draw the lines a different way, but in the end I wonder if we'd end
> up with something as direct and simple (which I think are good things
> for a policy with this kind of scope) as the MSSND.
>
> My $0.02
> Paul
>
>
> On 12/16/2011 01:45 PM, Bruce Satow wrote:
>> Hi Gabriel,
>>
>> I think the problem maybe due to how the University sees what computers
>> are used for.
>> I believe that the use of computers can be broken down into three basic
>> groups:
>>
>> 1.)  Administrative and academic
>> 2.)  Public access
>> 3.)  Research and development
>>
>> The MSSND seems to be tailored or directed toward computers for
>> administrative and academic use as well as for public use, but not
>> necessarily adequate for research and development.
>>
>> Where I work, the lab designs and build research spacecraft as well as
>> components.  We use computers to control vacuum chambers for testing -
>> some so large that you can put your car in it.  The software and
>> hardware we use usually requires administrative privileges to run
>> properly.  Maybe an exception or clause can be added to the MSSND for
>> research and development computers using hardware and software which
>> require administrative or root access for operation.
>>
>> -Bruce
>>
>>
>>
>> On 12/16/2011 10:24 AM, Gabriel Gonzalez wrote:
>>> Hi Bruce,
>>>   Do you think this exception in section 9 may fit the case you bring up?
>>>
>>> "The following case is exempted from this requirement:
>>> Devices that do not support separation of privileges
>>>
>>> Devices that do not provide separate facilities for privileged or
>>> unprivileged access (e.g., some network appliances and printers with
>>> embedded operating systems) are exempt from this requirement."
>>>
>>>
>>> Gabriel Gonzalez
>>> School of Law
>>>
>>> On 12/16/2011 10:11 AM, Bruce Satow wrote:
>>>> It's a good idea, but there are software and hardware out there, which
>>>> research engineers and scientists use that require administrator or root
>>>> privilege. Does the new version of the MSSND take into account
>>>> circumstance?
>>>>
>>>> E.g. let's say I am developing a device that needs to be monitored or
>>>> controlled by a computer directly. I have an I/O card in a PCI slot or
>>>> USB port which is directly wired to the apparatus. The software that I
>>>> am writing or using usually requires administrative privilege for such
>>>> I/O interaction. I still use internet connectivity (secure) to monitor
>>>> or control the unit from home or on travel.
>>>>
>>>>
>>>> On 12/15/2011 10:22 PM, Lisa Ho wrote:
>>>>> Changes to the UC Berkeley Minimum Security Standard for Networked
>>>>> Devices
>>>>> <https://security.berkeley.edu/MinStds/AppA.min.htm?destination=node/42>(MSSND)
>>>>>
>>>>> have been approved by the Campus InformationSecurity and Privacy
>>>>> Committee (CISPC) and the campus Chief Privacy and Security Officer
>>>>> (CPSO) and will become effective campuswide on March 15, 2012. This
>>>>> version supersedes MSSND: Appendix A
>>>>> <https://security.berkeley.edu/node/167>.
>>>>>
>>>>>
>>>>>    The intent of the revision was to better distinguish between
>>>>>    mandatory and optional controls, and to reflect the current campus
>>>>>    environment while avoiding specific references to frequently
>>>>>    changing technology.
>>>>>
>>>>>    One significant change to the standard is the addition of the
>>>>>    requirement that privileged and super-user accounts (Administrator,
>>>>>    root, etc.) must not be used for non-administrator activities. (For
>>>>>    details, see MSSND Requirement #9: Privileged Accounts.)
>>>>>
>>>>>    Compliance with the MSSND helps protect not only the individual
>>>>>    device, but also other devices connected through the electronic
>>>>>    communications network. The standard is intended to prevent
>>>>>    exploitation of campus resources by unauthorized individuals,
>>>>>    including the use of campus resources by unauthorized individuals to
>>>>>    attack other systems on the campus electronic communications network
>>>>>    or the Internet.
>>>>>
>>>>>    Questions about the MSSND may be directed to [hidden email]
>>>>> <mailto:[hidden email]>.
>>>>>
>>>>> Happy Holidays!
>>>>> --
>>>>> Lisa Ho
>>>>> IT Policy Manager
>>>>> Office of the CIO: Security, Privacy&  Policy
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------
>>>>>
>>>>> The following was automatically added to this message by the list
>>>>> server:
>>>>>
>>>>> To learn more about Micronet, including how to subscribe to or
>>>>> unsubscribe from its mailing list and how to find out about upcoming
>>>>> meetings, please visit the Micronet Web site:
>>>>>
>>>>> http://micronet.berkeley.edu
>>>>>
>>>>> Messages you send to this mailing list are public and
>>>>> world-viewable, and the list's archives can be browsed and searched
>>>>> on the Internet.  This means these messages can be viewed by (among
>>>>> others) your bosses, prospective employers, and people who have
>>>>> known you in the past.
>>>>
>>>>
>>>>
>>>> -------------------------------------------------------------------------
>>>>
>>>> The following was automatically added to this message by the list
>>>> server:
>>>>
>>>> To learn more about Micronet, including how to subscribe to or
>>>> unsubscribe from its mailing list and how to find out about upcoming
>>>> meetings, please visit the Micronet Web site:
>>>>
>>>> http://micronet.berkeley.edu
>>>>
>>>> Messages you send to this mailing list are public and world-viewable,
>>>> and the list's archives can be browsed and searched on the Internet.
>>>> This means these messages can be viewed by (among others) your
>>>> bosses, prospective employers, and people who have known you in the
>>>> past.
>>
>>
>> -------------------------------------------------------------------------
>> The following was automatically added to this message by the list server:
>>
>> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>>
>> http://micronet.berkeley.edu
>>
>> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
>
>
> -------------------------------------------------------------------------
> The following was automatically added to this message by the list server:
>
> To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:
>
> http://micronet.berkeley.edu
>
> Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.