People

Being aware of risks and defenses is the first step in responding appropriately. Many of the risks to our computers, our networks, and the information that flows through our systems can be minimized by increasing the general awareness of security issues among the user population. The awareness effort begins as soon as a person joins the Colorado State University community, during New Employee Orientation or the variety of events welcoming students to campus. Further security awareness efforts include topic sessions during the annual Professional Development Institute, as well as periodic awareness campaign activities.

Some of the most effective awareness training is targeted at small groups. If you would like to have someone from ACNS come to speak to your class or group about IT security, please contact the security team at soc@colostate.edu.

Information security is a multidisciplinary topic, and that is reflected in the breadth of departments, research groups, and student interest groups looking at security issues.

DEPARTMENT OF COMPUTER SCIENCE:
Network security research group
Computer Science courses:

  • CS 356: Systems Security
  • CS 556: Computer Security
  • CS 656: Advanced Topics in Computer Security

COLLEGE OF BUSINESS:

  • CIS 413: Advanced Networking and Security

DEPARTMENT OF JOURNALISM AND MEDIA COMMUNICATION:

  • JTC 415: Communications Law

DEPARTMENT OF MATHEMATICS:

  • MATH 360: Mathematics of Information Security

STUDENT ORGANIZATION:

Additionally, a member of the ACNS security team would be happy to talk to any course instructor about how security issues fit into specific curricular areas.

Process

IT security practices are specified in policies approved by the ITEC Advisory Council (IAC), updated at least annually and posted at the Office of Policy and Compliance:

Standards and procedures are set and periodically reviewed in consultation with IT governance and advisory groups:

Technology

Viruses, worms, Trojans, bots, rootkits, keystroke loggers… these are all maliciously written and distributed applications you don’t want running on your computer. This class of software is called malware — literally, bad software.

Virus Prevention tips:

  • Practice safe computing. Run antivirus software (like Microsoft’s System Center Endpoint Protection, or Microsoft Security Essentials for home users). Run periodic virus scans of external disks, your hard drive, and downloaded files. Keep your antivirus product up to date.
  • Treat all email attachments as potential virus threats. Never open an attachment by double-clicking it. Always save it to your hard drive and open it from within the corresponding application, such as Microsoft Word for .doc/.docx files.
  • If you’re not expecting an attachment, call or reply to the sender before opening it to make sure they intended to send it to you and know what it is. Delete any attachment you cannot verify with the sender. Many viruses can mail themselves using a person’s email address book.
  • If you have any doubts at all, delete the mail message and ask the sender to give you the attachment on disk or via the Web.
  • Back up regularly. Even the rules above cannot keep you completely safe. When a new virus appears it can take a day or more for antivirus manufacturers to respond to the threat and make a fix available.

Tools:
Colorado State University offers Microsoft System Center Endpoint Protection (SCEP) for use on University Computers.

  • For University Owned Computers: Microsoft’s SCEP is supported on domain-joined computers with the appropriate Client Access License (in the Enterprise or Core CAL bundle). Installation of this product is managed by departmental domain administrators. For individual CALs, please contact RamTech.
  • For Personally Owned Computers: CSU does not centrally support an antivirus client for faculty, staff or students to use on personal devices. Microsoft’s free version for Windows Vista and 7 is called Microsoft Security Essentials; Windows 8 and 10 have a built-in antivirus component called Defender. For Mac OS, there are good-quality free products such as ClamAV and Sophos.

Questions & Support:
If you have problems, questions, or concerns regarding any of these procedures, please contact the Help Desk at the Morgan Library.

Improving web site security with html response headers

So you’ve made sure that your web server has a good certificate and strong keys, and is listening only with recent TLS versions (ideally just v1.2). What next?

HTML security headers!

When a browser requests an HTML page, the server can have some control over the conversation. Best practice has been evolving, and the W3C now specifies ways to help browsers make good decisions by having the server reply with a list of response headers. The “required” and “optional” labels below are the W3C’s. The CSU Security Technology Advisory Committee (STAC) recommends getting started by enabling four of the simplest headers, listed below with recommended defaults, caveats, and quick explanations of what they do.

X-Content-Type-Options: nosniff
W3C: required for http and https
This header has only one valid value (nosniff). It tells the browser not to attempt to guess what kind of content is being served, but merely to believe what the server says it is serving. This defends against attacks in which the browser can be made to try opening downloaded content as something else (with a potentially compromised plugin).

Strict-Transport-Security: max-age=31536000
W3C: required for https
This header tells the browser, once connected over https, to connect to the server only using https in the future, for as long as specified by the max-age setting. For servers that can potentially serve both http and https, this is particularly important in preventing a variety of attacks. It requires that elements like style sheets and graphics also be served over https, which is best security practice. The recommended time is 1 year (in seconds). While testing, max-age can be set very low.

X-XSS-Protection: 1; mode=block
W3C: optional for http and https
The values displayed are the simple recommended default. This enables browsers to use their built-in protection mechanisms against cross-site scripting.

X-Frame-Options: sameorigin
W3C: optional for http and https
Almost all sites should use the ‘sameorigin’ value, which tells the browser to only accept framing of the site’s content from the same site. This prevents attackers from creating a surreptitious web frame and displaying the page’s contents inside it, hiding the ultimate destination of any information submitted and potentially capturing credentials. If you need framing for a specific purpose, sourced from some server not on your domain, contact the ACNS security team for advice.
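To see how the four recommendations above translate into a concrete check, here is an added example (my own illustration, not code from the ACNS page or from STAC) that parses the header block of a raw HTTP response and reports which of the four headers are missing or set to a value other than the recommended default. The two sample responses are constructed inline for the demonstration; they are not captured from any real server. The `https` flag is an assumption of this script, used to decide whether Strict-Transport-Security is expected.

```python
"""Check a raw HTTP response for the four STAC-recommended security headers.

Added example, not part of the original page. Sample responses below are
constructed, not captured from a real server.
"""
import re

RECOMMENDED_HSTS_MAX_AGE = 31536000  # one year in seconds, as the page recommends


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a dict.

    Header names are case-insensitive, so keys are lower-cased. The first
    blank line ends the header block; any body after it is ignored.
    """
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if line.strip() == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def hsts_max_age(value: str):
    """Return the numeric max-age directive of an HSTS header, or None."""
    for directive in value.split(";"):
        name, sep, num = directive.strip().partition("=")
        if sep and name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def check_security_headers(headers: dict, https: bool = True) -> list:
    """Return a list of findings; an empty list means all four headers pass."""
    findings = []

    # X-Content-Type-Options: required; 'nosniff' is the only valid value.
    cto = headers.get("x-content-type-options")
    if cto is None:
        findings.append("X-Content-Type-Options missing (required)")
    elif cto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {cto!r}; only 'nosniff' is valid")

    # Strict-Transport-Security: required on https; max-age should be a year.
    if https:
        sts = headers.get("strict-transport-security")
        if sts is None:
            findings.append("Strict-Transport-Security missing (required for https)")
        else:
            age = hsts_max_age(sts)
            if age is None:
                findings.append("Strict-Transport-Security has no numeric max-age")
            elif age < RECOMMENDED_HSTS_MAX_AGE:
                findings.append(f"Strict-Transport-Security max-age={age} is below the "
                                f"recommended {RECOMMENDED_HSTS_MAX_AGE} (acceptable only while testing)")

    # X-XSS-Protection: optional; recommended default is '1; mode=block'.
    xss = headers.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection missing (recommended '1; mode=block')")
    elif re.sub(r"\s+", "", xss.lower()) != "1;mode=block":
        findings.append(f"X-XSS-Protection is {xss!r}; recommended '1; mode=block'")

    # X-Frame-Options: optional; 'sameorigin' recommended, DENY accepted as stricter.
    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing (recommended 'sameorigin')")
    elif xfo.strip().lower() not in ("sameorigin", "deny"):
        findings.append(f"X-Frame-Options is {xfo!r}; 'sameorigin' recommended "
                        "(framing from another domain should be reviewed with the security team)")

    return findings


def audit(raw: str, https: bool = True) -> list:
    """Parse a raw response and return its findings."""
    return check_security_headers(parse_response_headers(raw), https)


# Constructed sample: a server before the recommended headers were enabled.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same server with the four recommended defaults.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit(raw)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a live server, the same `audit` function can be fed the header block returned by `http.client` or `curl -I`; the point of parsing raw text here is that header names are matched case-insensitively and only the first occurrence of each header is evaluated, which is how a browser sees them.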

A good external source for more in-depth information on security response headers and configuration syntax for each major server platform is on the Mozilla developer site.

Authentication

Authentication is the process of identifying yourself to an application. Credentials used for authentication include a username, which identifies you uniquely, and some sort of an authentication token to prove that you are the person the username refers to. This token is most commonly a password.

At CSU, this set of credentials is normally your eID: a name and password allowing you to access central services such as email, RamWeb, and HR. The following two links give answers to common questions about CSU password policy, as well as suggestions on ways to create strong passwords that are also easy to remember.

Two-factor authentication (2FA) is the process of adding an additional piece of information, so that a password alone is not enough to access a protected resource. At CSU, the application called Duo Security is used to provide a second piece of information via mobile app or phone call. Duo is currently being used by ACNS staff, and is gradually being enabled on systems throughout CSU. For questions about Duo, contact the ACNS security team at soc@colostate.edu.

Contact Us:

Morgan Library IT Helpdesk:

ACNS Security Team

Resources:

Pulse Connect Secure Gateway/VPN

BACKGROUND

CSU provides secure access to on-campus resources via a Juniper Secure Access gateway, also known as an SSL VPN. When connecting to the CSU Secure Access gateway the user will be presented with a web page. This page can have both predefined links and user-defined links to resources such as web pages, terminal sessions (both SSH and Windows Remote Desktop) and file shares (if set up in advance by the department). Individual users may or may not be able to define links on their own page based on departmental security policies.

CONNECTION PREREQUISITES

There are system requirements to use the Secure Access gateway, such as having the correct combination of Java version, web browser version and operating system. The Help button on the login page has extensive information about these subjects. If you have problems connecting, please look there for assistance first. If you still need help or cannot connect to the help file at https://secure.colostate.edu, please call the CSU Help Desk at 970-491-7276.

Google Chrome v42 does not support Java. If the Secure Gateway doesn’t work, use Internet Explorer, Firefox or Safari.

HOW TO CONNECT TO THE SECURE ACCESS GATEWAY

  1. The link to the Secure Access gateway is: https://secure.colostate.edu. Once there you will be presented with a realm to log in to, such as the eID system or a particular domain like CNR.
  2. The first time you access the Secure Access gateway in Windows you may be presented with a request to install an ActiveX control from Juniper called JuniperSetupSP1.cab.
  3. We suggest installing the ActiveX control.
  4. Additionally you may be presented with a request from Juniper to install software; we suggest choosing the “always trust” or “always allow” option and remembering this decision. If you choose not to, you will be presented with this prompt each time you access the Secure Access gateway.

USING THE SECURE ACCESS GATEWAY

The main navigation buttons are:

  • Home – Returns you to the main page
  • Preferences – Manage the general layout of the main page
  • Session Timer – A one-hour countdown; when it reaches zero you will have to log in to the Secure Access gateway again
  • Help – The Secure Access gateway comprehensive online help
  • Sign Out – Leave the Secure Access gateway

Web Bookmarks

The Web Bookmarks panel on the Secure Access gateway main page provides a centralized location for links to CSU and external resources. A resource can be any web page or web application that can be accessed through the Secure Access gateway. The Secure Access gateway rewrites the links in this panel in order to secure traffic between your computer and the resource. When you click a link or use the Browse field at the top of the Secure Access gateway main page, the transmitted page content is rewritten.

On the right-hand side of this field there are three options:

  • Panel Preferences
  • Add a bookmark
  • Expand or Collapse

How to add a bookmark (this option may not be available in all realms):

  1. Click the + icon to add a web bookmark link.
  2. Use a descriptive name for the bookmark.
  3. Complete the URL (e.g. http://www.google.com).
  4. Choose your desired display options.
  5. Click the Add Bookmark button at the bottom of the page.

Note: after adding a web bookmark, it appears under the gray bar in the web bookmarks section. The gray bar separates the preset links from user-defined links.

Files

The Files panel on the Secure Access gateway main page provides a centralized location for links to files that reside on an internal-to-CSU network. If your system administrator enables the option for personal bookmarks, you can create your own links in the Files panel.

On the right-hand side of this field there are four options:

  • Panel Preferences
  • Add a Windows Directory
  • Add a Unix/NFS Directory
  • Expand or Collapse

Note: You may have a file server already mapped on the main page depending on the realm that you logged into and the security policies of your department.

How to create a Windows/Unix/NFS Directory link (this option is not available in the eID realm):

  1. Click the appropriate icon to add the Windows directory or Unix/NFS directory link (the icon with the four solid white boxes for Windows; the icon with the X for Unix/NFS).
  2. Servers that have already been mapped by departmental policy will appear as a list. To add a directory on a server that is not already listed (if allowed by policy), you will have to browse to it via the Browse button just under the Navigation menu.
  3. Browse to the folder that you want to bookmark and add it to the current bookmarks by checking the box beside the folder name, then click the Bookmark Selected button.
  4. The resulting screen will allow you to provide an optional description for the bookmark; click the Add Bookmark button to finish adding the bookmark. A link to this file share will be available for future use whenever you log in to the Secure Access gateway.
  5. Lastly, when connecting to a predefined file server you may need to provide extra credentials if the server authenticates to a different realm than you logged in to. For example, you logged in using eID credentials but want to access a file server on the CSUDOM domain. In this case, you will be challenged to provide CSUDOM credentials.

Note: after adding a file share it appears as a link under the gray bar in the Files section. The gray bar separates the preset shares from the user-defined shares.

Terminal Sessions

Services in the Terminal Sessions panel enable a user to connect to a Windows remote desktop or to Telnet/SSH to a UNIX/Linux server. When you run an application on the terminal server, most actions are performed on the server itself rather than on your workstation.

On the right-hand side of this field there are three options:

  • Panel Preferences
  • Add a Terminal Session
  • Expand or Collapse

Note: you may have a terminal session already mapped on the main page depending on the realm that you logged in to and the security policies of your department.

How to create a Terminal Service Session link (this option is not available in the eID realm):

  1. Click the Add a Terminal Session icon on the right-hand side of the Terminal Sessions bar.
  2. Choose the terminal session you want to create from the Session Type drop-down list. The options are:
    • Windows Terminal Services
    • Citrix
    • Telnet
    • SSH Secure Shell
    For Telnet and SSH sessions, only the Host and Username entries need to be configured.
    For Windows Terminal Services/Remote Desktop sessions, first define the Host (by IP address or fully qualified domain name) and the Server Port (generally 3389).
    You may also consider the settings located in the Connect Devices section at the bottom of the screen – these will allow printers or drives connected to the remote system to be visible in the terminal session.
  3. Click the Add button at the bottom of the page, and the link will be added to the Terminal Sessions section on the main page.

Client Application Sessions

While many services can be reached by links in the above Web, Files, or Terminal Sessions sections, some campus resources require more permissive access to the CSU network. The Client Application Session panel includes a tool to enable this kind of connection. For Windows and Mac OS X machines, this tool is called the Pulse Secure client (Linux machines still need to use the older Network Connect application).

The Pulse Secure client re-directs traffic coming from applications on the computer requesting the remote connection. It sends this traffic through an encrypted tunnel to the CSU network. In this sense, the Pulse Secure client is similar to older-style full-tunnel VPN (Virtual Private Network) clients.

To launch the Pulse Secure client:

  1. Click the Start button on the right side of the panel opposite the name of the tool.
  2. The first time you use the Pulse Secure client, you will have to accept one or more downloads. Note that the download manager may use Java, which is not supported in the most recent versions of the Chrome browser.
  3. The Pulse Secure client will launch, and a status icon will appear in the system notification area. When the client is active (tunneling traffic to the CSU network), the icon includes a green arrow.
  4. Once the icon is displayed with the green arrow, the connection should be ready. You may launch the applications that require connectivity to CSU resources.
  5. If the client is present but not active (not tunneling traffic to the CSU network), the icon does not have the green arrow.
  6. If you have successfully downloaded the client using these instructions, no further configuration is required. If, however, you wish to interact with the Pulse control panel to connect, disconnect, quit the application, or edit the configuration of the client, you can launch the Pulse client from the icon in the system notification area, or from the Pulse Secure program group in your Programs or Applications directory.
  7. By default, the Pulse Secure client has one defined connection: “SA (secure.colostate.edu)”. If your IT support staff have installed the Pulse Secure client manually, they will have to configure the client for this connection with “Server URL: secure.colostate.edu”.

Pulse Secure is the VPN client that enables Apple iOS devices (iPad, iPhone, iPod) to connect remotely to the CSU network through the SSL VPN. It requires iOS version 4.1 or greater.

  1. Open the App Store on the iPhone/iPod/iPad and search for Pulse Secure.
  2. Select the app and select “Install App”.
  3. Locate the Pulse Secure app on your device, and click to launch.
  4. Accept the End-User Licence Agreement.
  5. Enable Pulse Secure. Note that, as written on the screen at this stage, if you have the older “Junos Pulse” application still installed, you should uninstall that app before going any further with these instructions.
  6. After installing, start the Pulse Secure app and select “Configuration”.
  7. Click “Add new configuration”.
  8. Enter a name for the connection: CSU VPN
     Enter the URL of the VPN: https://secure.colostate.edu
     Click “Save”
  9. That’s all you have to do to configure the connection! The next few steps are what you’ll do each time you want to connect. First, select “Connect” to open a connection to the CSU Pulse Connect Secure gateway (VPN) sign-in page.
  10. Enter your CSU eID name and password and select “Sign In.”
  11. Once successfully connected, you’ll see a confirmation page (notice the VPN icon in the notification area in the upper left corner of the screen).
  12. Click the Home button on your device and use other apps to connect to on-campus resources. To disconnect from the VPN, select the app from the list of running apps (or select it from the home screen) and then click “Disconnect.”

Pulse Secure is the VPN client that enables Android devices to connect remotely to the CSU network, through the SSL VPN.

  1. Open Google Play on your Android device and search for Pulse Secure.
  2. Select the app and select “Install App”.
  3. Locate the Pulse Secure app on your device, and click to launch.
  4. Accept the End-User Licence Agreement.
  5. After installing, start the Pulse Secure app and select “Configuration”.
  6. Click “Add new configuration”.
  7. Enter a name for the connection: CSU VPN
     Enter the URL of the VPN: https://secure.colostate.edu
     Click “Save”
  8. That’s all you have to do to configure the connection! The next few steps are what you’ll do each time you want to connect. First, select “Connect” to open a connection to the CSU Pulse Connect Secure gateway (VPN) sign-in page.
  9. Enter your CSU eID name and password and select “Sign In.”
  10. Once successfully connected, you’ll see a confirmation page (notice the VPN icon in the notification area in the upper left corner of the screen).
  11. Click the Home button on your device and use other apps to connect to on-campus resources. To disconnect from the VPN, select the app from the list of running apps (or select it from the home screen) and then click “Sign Out.”

Please note: for most users, everything needed to use the Pulse Secure Connect gateway (formerly the Juniper SSL Gateway) will be dynamically downloaded when connecting to the web server (https://secure.colostate.edu). However, since some departments lock Windows computers down such that users cannot install dynamic downloads, the following installers are provided as an alternative. The Pulse Secure Installer Service will allow subsequent dynamic downloads and code upgrades to happen normally. In cases where that option does not suffice, the remainder of the features can be installed manually, in which case versions will have to be manually updated each time the gateway is upgraded.