Security hygiene
Good information systems security hygiene is a foundational security concept: keeping systems in good repair so that preventable compromises do not happen. In practice this means two things: maintaining software, so that every version in use is still supported by its vendor and fully patched, and hardening common operating systems and applications to eliminate dangerous default configuration settings.
To assist Simon Fraser University with these tasks, the Information Security and Compliance (ISC) group within IT Services runs regular vulnerability scans to detect software vulnerabilities and provides guidance on system and application hardening through the tools and instructions provided by the nonprofit Center for Internet Security (CIS).
SFU is a member of the CIS SecureSuite, so all SFU community members may create an account and gain access to the resources there.
What is System Hardening?
System hardening is the process of eliminating dangerous default configuration within common operating systems and applications. Although each application and operating system has unique configuration guidelines, these requirements fall into several common categories:
- Ensure software is supported and patched.
- Change or remove default accounts and passwords.
- Disable weak or broken cryptographic algorithms and protocol versions, and remove unused keys.
- Uninstall or disable unnecessary or unused filesystems, software, and services.
- Restrict remote access to administrator accounts and audit privileged use.
- Configure local security controls: a host firewall to restrict which networks and ports can reach the system, and, for web services, a web application firewall (WAF) to filter requests at the application layer.
- Ensure prudent file permissions are set on system configuration files, sensitive applications, and data.
- Ensure network time synchronization and logging of important events is enabled and monitored.
- Harden the network stack against protocol anomalies and abuses, and disable unnecessary protocols.
Note: this list does not replace the detailed hardening guides at the Center for Internet Security, but rather gives an idea of the types of things that hardening resolves.
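The following script, added here as an illustration and not SFU's scanner or a CIS Benchmark check, audits three of the categories above on constructed sample inputs: remote administrator access (an sshd_config), default or empty passwords (shadow-style account lines), and file permissions on a configuration file. The sample configurations, the account lines and the set of required SSH keywords are assumptions made for this example.

```python
"""Audit three hardening categories (remote admin access, empty passwords,
file permissions) against constructed sample inputs.

Added illustration, not SFU's scanner or a CIS Benchmark check. Each check
returns a list of findings; an empty list means the input passes.
"""
import os
import stat
import tempfile

# Constructed sshd_config pair. The weak one leaves PermitRootLogin commented
# out (so the compiled-in default applies) and password logins enabled.
SSHD_CONFIG_WEAK = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed /etc/shadow-style lines (not from a real host). The second
# field is the password hash: empty means login needs no password at all,
# '*' or '!' means the account is locked.
SHADOW_SAMPLE = """\
root:$6$examplesalt$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
admin:!:19000:0:99999:7:::
"""

# Keywords the check requires; this set is an assumption for the example.
SSH_REQUIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}


def parse_sshd_config(text):
    """Effective keyword/value pairs. sshd uses the first value it sees for
    each keyword, so later duplicates are ignored; Match blocks are not
    modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_sshd(text, required=SSH_REQUIRED):
    """Flag required keywords that are missing or set to the wrong value."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in required.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set; compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key} is {got}, expected {want}")
    return findings


def check_shadow(text):
    """Flag accounts whose password field is empty (login with no password)."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(f"{fields[0]}: empty password field")
    return findings


def check_file_mode(path, max_mode=0o600):
    """Flag a file whose permission bits exceed max_mode (group/world access)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return [f"{path}: mode {oct(mode)} exceeds {oct(max_mode)}"]
    return []


def demo_file_mode_check():
    """Create a temporary 'config file', check it at 0644 and then at 0600,
    and return the number of findings for each state."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = len(check_file_mode(path))
        os.chmod(path, 0o600)
        after = len(check_file_mode(path))
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("weak sshd_config:", check_sshd(SSHD_CONFIG_WEAK))
    print("hardened sshd_config:", check_sshd(SSHD_CONFIG_HARDENED))
    print("shadow:", check_shadow(SHADOW_SAMPLE))
    print("file mode findings (0644, 0600):", demo_file_mode_check())
```

Note that a commented-out keyword is reported as a finding rather than treated as safe: the compiled-in default may be acceptable today, but an explicit setting is what makes the configuration auditable and stable across upgrades.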
What is Software Maintenance?
Keeping software up to date and replacing unsupported software greatly reduces the risk of compromise. The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, a catalogue of publicly known vulnerabilities, and rates each one using the Common Vulnerability Scoring System (CVSS) on a scale of 0 to 10, reflecting how easily it can be exploited and how severe the impact on the system would be. Organizations use this rating to identify and prioritize security risks so that remediation effort goes where it matters most.
Simon Fraser University (SFU) maintains a vulnerability management program that helps system administrators identify system vulnerabilities and address them in a timely fashion. Regular system scanning and email notifications are used to communicate these risks.
Scanning is also performed by external parties, some well-meaning (researchers and internet-wide survey projects) and some malicious (attackers and botnets). Vulnerabilities that are easy to exploit and/or have high impact (CVSS High or Critical) are built into exploit kits and botnet malware so that criminals can compromise systems at scale. SFU has developed a standard that sets expectations for the level of effort and the timing of remediation for these types of issues.
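To show how CVSS ratings turn into remediation priorities, here is an added example of triaging a scan export; it is not SFU's scanner output or SFU's remediation standard. The severity bands are the CVSS v3.x qualitative ratings. The scan records, the remediation windows per band and the rule that a publicly available exploit shortens the window are assumptions made for this example.

```python
"""Triage a constructed vulnerability-scan export by CVSS base score.

Added example. Severity bands are the CVSS v3.x qualitative ratings; the
remediation windows and the public-exploit rule are illustrative
assumptions, not SFU's remediation standard.
"""
import csv
import io
from datetime import date, timedelta

# Constructed scan export (not real scan output). cvss is the base score;
# exploit_public says whether a working exploit is publicly available.
SCAN_CSV = """\
host,finding,cvss,exploit_public
db-1,outdated database server,7.5,no
www-1,remote code execution in web framework,9.8,yes
www-1,TLS 1.0 enabled,5.3,no
files-1,information disclosure in file share,3.1,no
www-2,privilege escalation in OS kernel,7.8,yes
"""

# CVSS v3.x qualitative severity bands (inclusive score ranges).
SEVERITY_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]

# Assumed remediation windows in days per band (illustrative, not policy).
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}
# Assumed rule: a finding with a public exploit gets the Critical window
# whatever its score, since that is what ends up in botnet malware.
PUBLIC_EXPLOIT_DAYS = 7


def severity(score):
    """Map a CVSS base score to its band; reject out-of-range values."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)
    for low, high, name in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"no band for score {score}")


def remediation_days(band, exploit_public):
    """Days allowed to remediate, shortened when a public exploit exists."""
    days = REMEDIATION_DAYS[band]
    if days is None:
        return None
    return min(days, PUBLIC_EXPLOIT_DAYS) if exploit_public else days


def triage(csv_text, scan_date_iso):
    """Parse a scan export and return findings ordered by due date, then score."""
    scan_date = date.fromisoformat(scan_date_iso)
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        score = float(rec["cvss"])
        band = severity(score)
        exploit = rec["exploit_public"].strip().lower() == "yes"
        days = remediation_days(band, exploit)
        due = (scan_date + timedelta(days=days)).isoformat() if days is not None else None
        rows.append({
            "host": rec["host"],
            "finding": rec["finding"],
            "cvss": score,
            "severity": band,
            "exploit_public": exploit,
            "due": due,
        })
    # Informational findings (no due date) sort last; ties broken by score.
    rows.sort(key=lambda r: (r["due"] is None, r["due"] or "", -r["cvss"]))
    return rows


def summarize(rows):
    """Count findings per severity band, a quick view of the backlog."""
    counts = {}
    for r in rows:
        counts[r["severity"]] = counts.get(r["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(SCAN_CSV, "2024-01-01"):
        flag = " (public exploit)" if r["exploit_public"] else ""
        print(f'{r["due"]}  {r["severity"]:8} {r["cvss"]:4}  {r["host"]}: {r["finding"]}{flag}')
```

The ordering matters more than the exact numbers: a High-rated kernel privilege escalation with a public exploit lands at the top of the queue next to the Critical remote code execution, ahead of a higher-scored but unexploited finding, which is the behaviour a remediation standard is meant to encode.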