May 10, 2010


SUBJECT:    Security Exposures Growing: Immediate Actions Needed to Prevent More Breaches

The issues of information privacy and security continue to be a global and local challenge as the amount of digital information grows and as attackers keep improving their techniques. Although we continue to improve our detection and prevention technologies, we cannot assure sufficient protection without the help and support of each one of you. Over the last two years, we have observed dramatic changes in the tactics attackers use against our network and systems here at UCSD. The new focus is web application vulnerabilities and attacks on web browsers. We have proactively scanned many web sites hosted here and reviewed your current network connectivity. Many of you have made the appropriate changes to move private/sensitive data into properly configured network segments. Many of you still need to do that work.

As an example of how big this problem has become, since August 2009 approximately 75 web sites hosted here have been found to have serious SQL injection problems. In many cases that means an attacker can reach our protected and sensitive data even when that data is not part of the vulnerable application itself: an injected query runs with the application's database privileges, so it can read any table the application's database account can see. Additionally, at least 15 actual penetrations have occurred and been detected. As a result, systems have been taken offline for anywhere from 1 day to 5 weeks and, in some cases, after extensive forensic work, notifications have been sent to those whose private data was exposed. When exposures like this happen, the entire University is put at risk: project funding is jeopardized, our reputation is damaged, future donations are reduced, and the department responsible can face millions of dollars in lawsuits, fines, and notification expenses.
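To make concrete why a SQL injection flaw in one application exposes data the application never touches, here is an added illustration in Python using SQLite. It is not code from this memo or from any UCSD system; the table names, rows and the attacker string are constructed for the example. The database connection used by the course-search feature can read every table in the file, so the injected UNION pulls rows from hr_records even though the feature only ever queries courses. The second function shows the fix that the "best practices" references in item 4 below point at: bind user input as a parameter instead of splicing it into the SQL text.

```python
import sqlite3

# Constructed sample database for this example (not real UCSD data).
# The application only needs "courses", but the same database also
# holds an unrelated "hr_records" table with sensitive fields.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE courses (code TEXT, title TEXT);
        INSERT INTO courses VALUES ('CSE 127', 'Computer Security');
        INSERT INTO courses VALUES ('CSE 120', 'Operating Systems');
        CREATE TABLE hr_records (name TEXT, ssn TEXT);
        INSERT INTO hr_records VALUES ('A. Example', '000-00-0001');
    """)
    return db

def search_courses_vulnerable(db, term):
    """Vulnerable: the user's search term is spliced into the SQL text."""
    sql = "SELECT code, title FROM courses WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_courses_safe(db, term):
    """Hardened: the term travels as a bound parameter, never as SQL."""
    sql = "SELECT code, title FROM courses WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed attacker input: closes the quoted string, appends a UNION
# against a table the application never uses, and comments out the rest.
PAYLOAD = "x%' UNION SELECT name, ssn FROM hr_records -- "

if __name__ == "__main__":
    db = make_db()
    print("normal search :", search_courses_safe(db, "Security"))
    print("vulnerable    :", search_courses_vulnerable(db, PAYLOAD))  # leaks hr_records
    print("parameterized :", search_courses_safe(db, PAYLOAD))        # nothing matches
```

Run it and the vulnerable function returns the hr_records row while the parameterized one returns nothing. Parameter binding fixes the query but not the privilege: the application's database account should also be granted access only to the tables it needs, which is the database-level counterpart of the network separation asked for in items 2 and 3 below.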

As a reminder, each of you has an obligation to protect campus resources, including its data and network, under the Electronic Communications Policy, IS-3 and PPM 135-3. In order to maintain the integrity and security of our campus systems, we need all management who oversee or operate these systems to take the following specific measures:

1. Fully comply with the UCSD minimum network standards. Noncompliant systems will be removed from the campus network until they conform to the standards.

This includes employee-owned systems that connect remotely to the campus. See for more information.

2. Scan for and eliminate all sensitive data unless it must be retained by law or UC policy. Most of the notification letters sent after recent breaches were the result of legacy stores of sensitive data or compromised e-mail stores. Such stores include databases, spreadsheets, Word/PDF documents, e-mail, and other types of files. See for definitions and examples of sensitive data. If sensitive data must be present, work with campus security experts to protect it. Infrastructure housing sensitive data must be physically separated from other systems, and all of the sensitive-systems standards outlined in the UCSD network minimum standards must be applied. Create a list of where the sensitive data lives, review it periodically for accuracy, and make sure new copies are not generated somewhere without your knowledge.

3. E-mail is considered sensitive data. E-mail servers and e-mail storage should be separated from other IT infrastructure; if this is not the case, contact the security team for assistance. Other areas where sensitive data resides should be logically separated from other networked devices (e.g. public-facing web servers) to isolate the data.

4. Review web applications that belong to your unit or research group for security vulnerabilities. Have your systems support staff create a plan to resolve any vulnerabilities, missing patches, etc. that are found, and hold them accountable for fixing the problems in a timely manner. Programming code examples (see ) and other web application examples (see ) show ways to validate your application code using best practices. Take advantage of the expertise of your departmental computing experts if you have them, or seek assistance from the resources at the links mentioned, the Sysadmin meetings held on campus, or the ACT Security team. Development processes for new application code should ensure that known classes of vulnerability are avoided, and change management procedures should provide appropriate quality assurance.

5. Training classes are available via Enrollment Central (see ) and are free. These classes are part of a certification program that supervisors should require when hiring systems staff, to ensure that they have basic security knowledge. Everyone (including students) working on your computer systems or creating applications must be knowledgeable about data and network security.

6. Make sure that your department has a formal internal procedure for escalating security incidents to management. Be ready to tolerate transitional problems as we limit access to, and modify, systems that put us at risk.

7. Other policies and guidelines can be found at Security for Business Managers -
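Items 2 and 3 above ask each unit to find legacy copies of sensitive data and keep an inventory of where it lives. The following is an added Python example of the simplest form of such a scan; it is not a tool from this memo or from UCSD. It walks a directory tree, flags Social Security numbers and payment card numbers by pattern (with a Luhn checksum to drop most false positives on card numbers), and records only the file, the kind of data and a count, so the inventory itself does not become another copy of the data. The sample files it writes into a temporary directory are constructed for the example. It handles plain-text formats only: spreadsheets, Word documents and PDFs need a text-extraction step in front of it, and a scan like this finds the obvious cases rather than proving a system clean.

```python
import os
import re
import tempfile

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, last4) for each hit; only the last four digits are kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits[-4:]))
    return hits

def inventory(root, exts=(".txt", ".csv", ".log")):
    """Map each file under root that contains sensitive data to per-kind counts."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as f:
                hits = find_sensitive(f.read())
            if hits:
                counts = {}
                for kind, _ in hits:
                    counts[kind] = counts.get(kind, 0) + 1
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found[rel] = counts
    return found

def build_sample_tree():
    """Write constructed sample files (not real data) into a temp directory."""
    root = tempfile.mkdtemp(prefix="sensitive_scan_")
    os.makedirs(os.path.join(root, "archive"))
    samples = {
        "archive/payroll_2004.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234-56-7890\n",
        "notes.txt": "Reimburse card 4111 1111 1111 1111; invoice 1234 5678 9012 3456\n",
        "README.txt": "Nothing sensitive here. Phone 858-534-2230.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, counts in sorted(inventory(root).items()):
        print(path, counts)
```

On the sample tree the scan reports two SSNs in the archived payroll file and one valid card number in the notes file; the phone number and the invoice number that fails the Luhn check are not reported. Keeping the output of each run and comparing it with the previous one is the "review it periodically" step in item 2: a file that appears in the new inventory but not the old one is exactly the data generated somewhere without your knowledge.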

These policies and guidelines apply to all activities in support of the University's mission, and all members of the UCSD community are expected to understand and support them. In particular, each one of us is obligated to respect and protect private information, and we are all responsible for the protection of information under our control. As you may be aware, the campus recently formed an Information Security and Privacy Council (see ) to provide campus-wide guidance on security issues and on the application of State and Federal privacy and breach notification laws. Each Vice Chancellor area has a representative on that council. We urge you to review the provided materials, identify ways in which you can enhance the security of the information to which you have access, and communicate your concerns to your Council representative as warranted. If you have questions or need additional information, please contact Gabe Lawrence (UCSD Security Director) at: or the Security Team at:

Steven W. Relyea
Vice Chancellor - External and Business Affairs