CSP - IT Rep - Internet-Facing Systems and Services


Internet-Facing Systems & Services


29. Secure Transmission

What percentage of forms/applications/services within my unit that transmit Medium, High or Very High Risk UBC Information comply with the following requirements?

  • any application or service that requires some type of authentication, or that is used to collect or transmit information from User to server or between servers, must be encrypted using HTTPS with TLS version 1.2 at a minimum (or the equivalent, for non-web-based applications);
  • information transmitted via SSH must be encrypted using a minimum of AES-256 bit encryption with mutual authentication between the server and User; and
  • known weak network protocols (e.g. all versions of SSL, and TLS versions prior to 1.2) should be disabled.
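As an added example (not part of the UBC standard or this questionnaire), a Python check for the first and third requirements above: it pins a client handshake to one TLS version at a time, records which versions an internet-facing service accepts, and rolls an inventory of services up into the percentage the question asks for. Host names and the inventory are assumptions supplied by the caller; SSLv2/SSLv3 and the SSH cipher requirement cannot be probed with the Python ssl module and need a separate tool.

```python
import socket
import ssl

# Versions the standard calls weak, and versions that satisfy the TLS 1.2 minimum.
WEAK = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
STRONG = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def accepts_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # protocol acceptance is tested here, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level; lower it
        # so the probe can offer the legacy version the server is expected to reject.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host, port=443):
    """Map each TLS version to whether the service at host:port accepts it."""
    return {v: accepts_version(host, port, v) for v in WEAK + STRONG}


def is_compliant(accepted):
    """Rule from the standard: TLS 1.2 or later offered, and no pre-1.2 version accepted."""
    offers_strong = any(accepted.get(v, False) for v in STRONG)
    offers_weak = any(accepted.get(v, False) for v in WEAK)
    return offers_strong and not offers_weak


def compliance_percentage(inventory):
    """inventory: {service name: result of probe()}; returns the percentage that comply."""
    if not inventory:
        return 0.0
    compliant = sum(1 for accepted in inventory.values() if is_compliant(accepted))
    return round(100.0 * compliant / len(inventory), 1)
```

Build the inventory with `{name: probe(host) for name, host in services}` over the unit's list of services, then pass it to `compliance_percentage`.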

Why is this Essential?

UBC systems and services that are internet-facing (i.e. visible or accessible from the internet) are prime targets for exploitation. Without adequate security, these systems and services provide an avenue for malicious activity such as theft of UBC Electronic Information or denial of service to UBC resources. Adequate controls are needed to preserve the confidentiality and integrity of data in motion, and to maintain end users' confidence in the service offering and UBC's reputation.


Reference Links
Information Security Standards – M10 Internet-facing Systems and Services
To engage the Cybersecurity team

Instructions

N/A


What is Acceptable?

The list of applications and/or services has been reviewed, either manually or using suitable tools, to confirm compliance.




30. Demilitarized Zones (DMZ) - Inclusion

Are all remote access servers (e.g. terminal server, VDI, Remote Access Gateways, etc.):

  • a. located in a DMZ; and
  • b. using strong encryption for remote access transmission (e.g. RDP with Network Level Authentication, SSH with AES-256 bit encryption)?

Why is this Essential?

Users frequently access desktops, laptops and servers remotely. Remote Access covers a broad range of technologies, protocols and solutions (e.g. RDP, SSH, VNC, VDI, terminal services, etc.). Remote Access must comply with the requirements where possible to prevent system takeover and unauthorized access, and to preserve the confidentiality and integrity of the data, the system and its settings.


Reference Links
Information Security Standards – M10 Internet-facing Systems and Services

Instructions

N/A


What is Acceptable?

All remote access servers (e.g. terminal server, VDI, Remote Access Gateways, etc.) must be located in the DMZ and use strong encryption for server-to-User transmissions, e.g. RDP with Network Level Authentication, SSH with AES-256 bit encryption, etc.




31. Demilitarized Zones (DMZ) - Exclusion

Can you confirm that all host desktops, laptops and database servers, as well as any servers that should not be internet accessible, are not in the demilitarized zone (DMZ)?

Why is this Essential?

A DMZ is a zone containing systems that are accessible from the internet, and is usually considered a low-trust, high-risk zone because of that exposure. The systems in this zone are constantly scanned and fingerprinted over the internet by threat actors, crawlers, scanners and security researchers alike. It is important to minimize the exposure of all host desktops, laptops and database servers, as well as any servers that do not have to be internet-facing. This reduces the attack surface and the likelihood of compromise.


Reference Links
Information Security Standards – M10 Internet-facing Systems and Services

Instructions

N/A


What is Acceptable?

The DMZ does not contain database servers that store or process High or Very High Risk Information, host desktops, laptops or other servers that should not be internet accessible.




32. Multi-Factor Authentication for Remote Access

Does all remote access to host desktops, laptops or servers require multi-factor authentication (MFA) on the technology used for access (such as a Remote Access Gateway, VPN or SSH)?

Note: it is acceptable to have a single MFA point rather than requiring MFA for every authentication, e.g. by only allowing SSH access via an MFA-protected VPN pool.

Why is this Essential?

Every day, UBC sees an increasing number of attempts to guess or breach user credentials. Adversaries build repositories of breached and commonly used passwords and use that data against our environment to find weak user passwords and gain remote access to the compromised accounts.

Multi-Factor Authentication (MFA) provides another layer of security on top of the login credentials. Properly configured and implemented MFA immediately neutralizes the risks associated with compromised passwords: if a password is guessed, or even phished, that is no longer enough to give an intruder access.

Reference Links
Information Security Standards – M10 Internet-facing Systems and Services

Instructions

N/A


What is Acceptable?

Multi-Factor Authentication (MFA) is enabled for remote access services (such as Remote Access Gateway, VPN or SSH) used to access UBC's host desktops, laptops or servers.




33. Secure Internet Facing Devices

Can you confirm that there are no server applications under my control running on desktops or laptops (e.g. web or FTP servers) that are internet-facing?

Why is this Essential?

UBC's desktops and laptops are primarily configured for end users to conduct University business. To minimize the exposure of such devices over the internet, users must not run internet-facing server applications (e.g. web or FTP servers) on desktops or laptops. Direct exposure of end user systems to the internet in any capacity may put other systems on the network at risk of being exploited.


Reference Links
Special Requirements for Servers

Instructions

N/A


What is Acceptable?

Server applications running on desktops or laptops should never be internet-facing. Any instances should be evaluated and, if necessary, compensating controls defined.