S-13 Update FAQ
The most significant changes are additional requirements in the sections on Authentication, General Security Controls and Remote Access Controls, as well as new requirements for Endpoint Protection Software.
The following is a summary of added requirements:
- Privileged Access to Purdue IT Resources must utilize Multi-factor Authentication method(s) approved by the CIO.
- University servers, end user computers (e.g., laptops and desktops) and other applicable Devices (e.g., virtual machines), unless exempted by the CISO, must have appropriate working Endpoint Protection Software installed prior to any new or continued connection to University IT Resources.
- Mass storage systems, unless exempted by the CIO or CISO, must be periodically backed up in a way that creates indelible copies with verified integrity.
- Networked systems, unless exempted by the CIO or CISO, must send appropriate logs (as defined in IT Resource Logging (S-11) standard) to the central university logging service/aggregator.
- Remote Access to Purdue IT Resources must use one of the following:
  - An encrypted virtual private network (VPN) approved by the CIO or CISO, or
  - Another encrypted connection approved by the CIO or CISO.
Information about the security policy exception process can be found at the following: Security Policy/Procedures Exceptions - Secure Purdue - Purdue University
Privileged access and privileged accounts are defined in the S-13 and S-15 standards respectively. Privileged access is defined as:
Elevated or administrative access privileges beyond those of a general user Career Account. For example, accounts such as root, local administrator, domain administrator, OU admin, super user, and emergency or “break glass” have Privileged Access.
The Privileged Account definition is similar and includes applicability to system or application accounts.
Any questions regarding privileged access or accounts can be sent to itpolicyreq@purdue.edu.
Will existing privileged accounts need to be changed to require Multi-Factor Authentication, or will a VPN that requires it satisfy the requirement?
Limiting remote access paths to administrative-only gateways that enforce MFA (e.g., VPN, jump server, etc.), in some form, will likely be deemed acceptable. This is being discussed and more details will be provided at a later date.
The current approved methods are Duo (BoilerKey) and Microsoft multi-factor authentication. The following are links to more information about these methods:
Microsoft MFA: Microsoft multi-factor authentication | Purdue University
BoilerKey: BoilerKey: Two-Factor Authentication | Purdue University
Acceptable methods for enforcement:
- VPN that enforces MFA
  - Avoid allowing general use profiles like WebVPN/WebVPN2 to reach your servers
    - These should only be used if the system being accessed enforces MFA
    - Restrict to just what is necessary
  - IT Admins should still connect to the VPN from a University-owned machine
- The best approach is a separate terminal server, jump host, administrative workstation, or administrative VDI so you can separate your general user activity (email, web browsing, etc.) from your administrative IT duties.
  - The terminal server/jump host/VDI could enforce MFA, or a VPN requiring MFA could be used to get to the terminal server/jump host/VDI.
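The rules above are easy to state and easy to get wrong in practice, so it helps to encode them as a small access-decision check. The following is an added illustration written for this FAQ, not a Purdue tool or any part of the S-13 standard; the request model, the path names ("admin-vpn", "general-vpn", "jump-host", "direct") and the scenarios are all constructed assumptions. It evaluates a remote connection against the four points the answer makes: an approved encrypted path is mandatory, a general-use VPN profile may only reach a server that enforces MFA itself, privileged access needs MFA on the gateway or on the target, and administrative sessions originate from a University-owned machine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteAccessRequest:
    """One attempted remote connection to a University system (constructed model)."""
    privileged: bool                 # account has Privileged Access (S-13/S-15 definition)
    path: str                        # "admin-vpn", "general-vpn", "jump-host" or "direct"
    path_enforces_mfa: bool          # the VPN profile or jump host itself requires MFA
    target_enforces_mfa: bool        # the destination system requires MFA at login
    university_owned_device: bool    # the connecting endpoint is University-owned


# Hypothetical path labels used only by this example.
APPROVED_PATHS = {"admin-vpn", "general-vpn", "jump-host"}
GENERAL_USE_PATHS = {"general-vpn"}   # e.g. WebVPN/WebVPN2-style profiles


def evaluate(req: RemoteAccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). An empty reasons list means every rule passed."""
    reasons = []
    # Remote Access rule: an approved encrypted path (VPN or equivalent) is mandatory.
    if req.path not in APPROVED_PATHS:
        reasons.append("remote access must go through an approved VPN or other approved encrypted connection")
    # General-use profiles reach a server only if that server enforces MFA itself.
    if req.path in GENERAL_USE_PATHS and not req.target_enforces_mfa:
        reasons.append("general-use VPN profile used, but the target does not enforce MFA")
    if req.privileged:
        # Privileged access: MFA somewhere on the path, either the gateway or the target.
        if not (req.path_enforces_mfa or req.target_enforces_mfa):
            reasons.append("privileged access requires MFA on the gateway or on the target")
        # Administrative sessions originate from a University-owned machine.
        if not req.university_owned_device:
            reasons.append("administrative access must originate from a University-owned machine")
    return (not reasons, reasons)


# Constructed scenarios, not real Purdue systems or accounts.
SCENARIOS = {
    "admin via MFA jump host": RemoteAccessRequest(True, "jump-host", True, False, True),
    "admin via general VPN, no MFA on target": RemoteAccessRequest(True, "general-vpn", True, False, True),
    "admin from personal laptop": RemoteAccessRequest(True, "admin-vpn", True, True, False),
    "user via general VPN to MFA app": RemoteAccessRequest(False, "general-vpn", False, True, True),
    "admin direct SSH from the internet": RemoteAccessRequest(True, "direct", False, False, True),
}


def evaluate_all(scenarios=SCENARIOS) -> dict[str, bool]:
    """Decision per scenario name; handy for a quick policy self-test."""
    return {name: evaluate(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        allowed, reasons = evaluate(req)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
        for r in reasons:
            print(f"        - {r}")
```

Running the block prints one ALLOW/DENY line per scenario with the rule(s) that failed; only the MFA jump host session and the ordinary user reaching an MFA-protected application pass. The check is deliberately deny-by-default: a path the example does not recognise is treated as unapproved rather than silently allowed.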
The current standard for university machines is Cisco Secure Endpoint (formerly known as Cisco AMP).
Please send questions to security@purdue.edu if alternative endpoint protection is in use.
Yes, if the device will be connecting to the Purdue University network. The list of recommended endpoint protection products for the University is:
- Microsoft Defender (Already built into Windows 10 & 11 devices)
- Immunet
- Sophos
- Malwarebytes
The University does not provide support for non-University devices, including the installation of endpoint protection.
The following controls are recommended when Cisco Secure Endpoint can't be used:
- Remove from the network where possible
- Purchase extended security updates if available
- Apply application patches even if OS patches aren’t available
- Move to private VLAN or heavily restrict with network and local firewalls
- Ensure vulnerability scanning is happening
- Mitigations should be confirmed for any critical vulnerabilities.
- Determine if an open source or free anti-virus version might support the outdated or unsupported OS (e.g., ClamAV, Immunet, Malwarebytes, etc.)
- Limit USB ports, disk drives or hardware that can be used to transfer files
- Document a mitigation and migration plan to include with the Security Exception
- Verify that centralized logging is taking place for the system and applications
The following guidance applies to which devices should send logs:
- Any device that can export logs should send them to the centralized collectors
- Logs sent to the centralized PSS collectors can be forwarded to Splunk as needed
- Review the logging standard for a definition of what to send: https://www.purdue.edu/policies/information-technology/s11.html
- Questions can be sent to security@purdue.edu
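Confirming that a host really does forward to the central collectors (the check asked for in the preceding answers) is usually a matter of reading its syslog daemon configuration. Below is an added example, not Purdue's code and not connected to the real PSS collectors: it parses both the legacy `@host:port` / `@@host:port` rsyslog syntax and the RainerScript `action(type="omfwd" ...)` form, and reports whether any destination is the expected collector. The sample configuration and the hostname `log-collector.example.edu` are constructed placeholders; substitute the collector address from your own deployment.

```python
import re
from dataclasses import dataclass

# Constructed sample rsyslog configuration; the collector hostname is a
# placeholder, not the address of the University's real PSS collectors.
SAMPLE_RSYSLOG_CONF = """
# local files
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure

# legacy forwarding syntax: '@@' is TCP, '@' is UDP
*.*  @@log-collector.example.edu:514

# RainerScript syntax for the same intent
action(type="omfwd" target="log-collector.example.edu" port="6514" protocol="tcp")
"""


@dataclass(frozen=True)
class ForwardTarget:
    host: str
    port: int
    protocol: str  # "tcp" or "udp"


# selector  @@host:port   (host may be a bracketed IPv6 literal)
LEGACY = re.compile(r'^(\S+)\s+(@@?)(\[[0-9a-fA-F:.]+\]|[\w.\-]+)(?::(\d+))?$')
OMFWD = re.compile(r'action\(([^)]*type="omfwd"[^)]*)\)')
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_forward_targets(conf: str) -> list[ForwardTarget]:
    """Extract every remote forwarding destination declared in an rsyslog config."""
    targets = []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LEGACY.match(line)
        if m:
            _, marker, host, port = m.groups()
            targets.append(ForwardTarget(host.strip('[]'), int(port or 514),
                                         'tcp' if marker == '@@' else 'udp'))
            continue
        for m in OMFWD.finditer(line):
            kv = dict(KV.findall(m.group(1)))
            if 'target' in kv:
                # omfwd defaults: port 514, protocol udp
                targets.append(ForwardTarget(kv['target'], int(kv.get('port', 514)),
                                             kv.get('protocol', 'udp').lower()))
    return targets


def check_central_logging(conf: str, collector_host: str) -> dict:
    """Report whether the config forwards to the expected central collector."""
    targets = parse_forward_targets(conf)
    to_collector = [t for t in targets if t.host.lower() == collector_host.lower()]
    findings = []
    if not targets:
        findings.append('no forwarding action configured: logs stay on the host only')
    elif not to_collector:
        findings.append(f'forwarding configured, but not to {collector_host}')
    for t in to_collector:
        if t.protocol == 'udp':
            findings.append(f'{t.host}:{t.port} forwards over UDP; delivery is best-effort, prefer TCP')
    return {'compliant': bool(to_collector), 'targets': targets, 'findings': findings}


if __name__ == '__main__':
    result = check_central_logging(SAMPLE_RSYSLOG_CONF, 'log-collector.example.edu')
    print('compliant:', result['compliant'])
    for t in result['targets']:
        print(f'  forwards to {t.host}:{t.port}/{t.protocol}')
    for f in result['findings']:
        print('  finding:', f)
```

A configuration that only writes local files yields `compliant: False` with a finding that nothing is forwarded, which is the case the S-11 requirement is meant to catch; a UDP-only destination still counts as forwarding but is flagged, since UDP syslog silently drops messages under load or network loss.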
This FAQ was published November 1st, 2022. It was last updated on January 5th, 2023.
January 5th, 2023 changes:
- Added "What are acceptable methods for enforcing MFA when it comes to administrative access?"
- Added "What controls should be in place if we have a system that can’t run Cisco Secure Endpoint?"
- Added "What are acceptable options for allowing vendors access to systems they are contractually obligated to support?"