Skip to navigation content (Press Enter).

System Security

Risk

Software is imperfect; very often, operating systems and other applications are released with flaws in the code which may expose the intended confidentiality, integrity or availability of systems. These flaws are known as Common Vulnerabilities and Exposures, or CVE for short.

The Mitre Corporation maintains a database of CVE. This database is updated as new vulnerabilities and exposures are discovered in existing software. All software is susceptible to vulnerabilities, thus exploitation due to these vulnerabilities and exposures is a risk.

Impact

The severity of a CVE is measured using the common vulnerability scoring system (version 2), and is expressed as exploitability and impact type as it relates to confidentiality, integrity and availability. It is necessary for system administrators to measure the severity of a CVE against the value of the system affected to fully understand the impact, or potential for impact, to McMaster University systems.

Control

In response, software manufacturers will release "patches" to repair their software. Systems without the patches installed remain vulnerable to the threat defined within the CVE document.

In the past, maintaining currency of software on servers and systems was a cumbersome task. Updates and patches had to be tested extensively to ensure that they would not interfere with another part of the system or application, as was often the case. Today, the architecture of modern operating systems and the rigour applied to testing patches before they are released have greatly reduced the risk of interference when an update is installed. There are still occasions that a patch may interfere with other applications, although these are rare.

Recommendations

Perform regular risk assessments...

System Administrators should perform the following risk assessments:

  • Malware scans
  • System risk assessment
  • Perimeter risk assessment

Enable and maintain local technical controls...

  • Uninstall software and disable services that are not in use and/or not required by the server
  • Monitor CVE for those that affect systems
  • Configure the server to automatically install security updates and/or patches
  • Install, maintain and use anti-virus and/or anti-malware software
  • Install SSL certificates unique to the system and/or service
  • Enable, configure and monitor server firewall, host-based IPS and/or local access control lists such as .htaccess file
  • Collect, maintain and review system audit logs regularly

Service Bulletins

Citrix Receiver Client Update

UTS asks Citrix users to upgrade Citrix Receiver Client to the most current version by February 28, 2017. See UTS Citrix website for installation and removal information.


Mosaic Upgraded Interface

Service Desk

Client Self Service:
https://servicedesk.mcmaster.ca
Hours: Monday - Friday
8:30 am - 4:30 pm
Phone: 905-525-9140 x24357 (2HELP)
Email: uts@mcmaster.ca
Location: Main Campus BSB Rm. 245
Service Catalogue:
http://www.mcmaster.ca/uts
-->

Great Idea Site

Great Idea