Thoughts on 403

Emphasis on self-managed servers

Project 403 asks for training materials to teach users about security.

In this project we want to focus on users who manage a self-managed machine, and especially on those who have a self-managed server. Self-managed servers do need looking after. Sitting in a corner of a room for years, not being anyone's main everyday machine, these machines can be particularly vulnerable to being quietly hacked and infected with malware.

Someone needs to be in charge of them. That person has responsibilities. This project is about:

  1. identifying which of these responsibilities concern security.
  2. identifying the most basic and important of these.
  3. finding a way to teach them effectively to everyone responsible for such a machine.

If there is time, a Learn course will be produced, and it's envisaged that passing such a course would be compulsory for the managers of self-managed servers. If there isn't time, we'll knock up some explanatory web pages, hoping to grow them into a Learn course later on.

What do we want to say?

These, more or less, are the responsibilities laid on the machine manager by the self-managed policy:

  • Everyone using the machine is bound by the computing regulations.
  • If the machine is disruptive or compromised it'll be disconnected from the network.
  • Users must abide by the School's policies.
  • You must obey the law. (Notable laws: GDPR, freedom of information, RIPA.)
  • External networks come with Acceptable Use Policies.
  • You must keep its OS and software fully updated with security fixes.
  • You must configure the OS and software to be secure enough, too.
  • You must not create a wireless network without explicit permission.
  • You must agree to the University's periodical electrical safety tests.
  • If a vulnerability is identified, you must fix it in a timely manner.
We can add some more:
  • Keep it somewhere that's secure enough that it won't be either stolen or physically interfered with.
  • Somebody should be officially in charge of it - to take responsibility for the machine's security and for its basic management (managing user accounts and OS upgrades, for instance).
  • That somebody has to be currently in the School of Informatics!
  • They should document their management of the machine, such that someone else could take over the job if needed.
  • If/when the machine's manager leaves, someone else should take over the role.
  • Are you aware of how frequently disks can fail?
  • Given this, are you happy with the data backup arrangements?
  • Are you keeping offsite backups? Are they secure enough?
  • RAID?
  • If you're managing several machines, consider automating the configuration.
  • Does your machine need to be accessible by people outside Informatics, outside the University?
  • Are you aware of the constant, relentless hacking attempts which our externally visible machines are subjected to every day?
  • Who has access to the machine? Is everyone's login password adequately secure? Is everyone with access still meant to have it? Do you lose access to the machine when you leave the research project?
  • Was the machine externally funded? Did that funding come with security requirements, whether explicit or implied?

Security?

Not all of these points are particularly about security. Some are simply things which the computing staff would prefer that the managers of such machines do - complying with the law, for instance, or making regular backups.

The dictionary defines security as being free from danger or threat, but it's conventional to think of computer security as being concerned with vulnerability to malicious attack.

If we use this latter sense, we should focus on these topics:

Edit | Attach | Print version | History: r18 | r12 < r11 < r10 < r9 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r10 - 16 Jan 2020 - 13:56:36 - ChrisCooke
 
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies