The OIT Information Security team collaborates with UCI Privacy and the UCI Information Security & Privacy Committee (ISPC) to ensure that UCI’s cybersecurity detection and protection practices properly balance UC Privacy Values and Principles, conform with the UC Electronic Communications Policy (ECP), and do not implicate either academic freedom or freedom of speech.
Academic Freedom and Freedom of Speech
Academic Freedom is the right of faculty members to teach, research and publish without interference or discipline from their institution. Freedom of Speech is the right of all individuals to articulate opinions and ideas without interference or retaliation from the government.
The information security practices described here do not implicate either academic freedom or freedom of speech.
- UCI is not disciplining faculty or others for the content (subject matter) of their electronic communications.
- UCI is not manually monitoring the content of faculty or others’ electronic communications; automated processes are used to detect and protect against malicious content (cybersecurity-related threats).
- UCI is meeting its obligation to address cyber risks.
UC Electronic Communications Policy (ECP)
The basic privacy principle of the ECP is that no inspection of one’s electronic communications is allowed without one’s consent (ECP IV.A., page 10).
However, there are the following exceptions:
- Personal Use and California Public Records Act (ECP III.D.8., page 8)
  - Use of University resources for “incidental personal purposes” is allowed, but it must not interfere with the operation of electronic communications resources or burden the University with incremental costs (such as causing a security incident).
  - All University records are subject to California’s Public Records Act wherever they are stored. When personal records are mixed with University records, it may be necessary to examine some personal records to determine whether they are public records subject to disclosure.
- Access Without Consent Process (ECP IV.B., page 10)
  - In limited circumstances, the policy allows access to certain records without prior consent. This access requires strict review and documentation through the UCI Privacy process, as defined by 800-15: UCI Guidelines for the UC Electronic Communications Policy.
  - If an account is accessed without prior consent, the account holder will be notified.
- System Monitoring Provision (ECP IV.C.2.b., page 14)
  - Routine monitoring for reliability and security is allowed by University employees who are responsible for operating and supporting resources and services.
  - Inspection is limited to the “least invasive degree” of inspection of content and transactional information required to perform the work.
  - System monitoring data may be used only for security operations and shall not be disclosed or used for any other purpose.
- Security Practices Provision (ECP V.B., page 15)
  - Inspection of traffic is allowed to confirm malicious or unauthorized activity.
  - Inspection is limited to the “least perusal of content” necessary to resolve the situation.
  - Consent (or the Access Without Consent Process) is required for anything beyond routine practices.
  - General information about monitoring practices should be documented and made available to users (this page).
Practices
University employees who operate and support electronic communications resources, such as the OIT Information Security Team, regularly monitor transmissions for the purpose of ensuring the reliability and security of University electronic communications resources and services.
The majority of that work is done via automated processes tuned and configured for our environment. A subset of alerts generated from those automated processes are reviewed by University employees (or third parties contracted to treat data with the same level of security and privacy as University employees do) to validate potential indicators of compromise and perform analysis following our UCI Incident Response Process.
Any attempts to circumvent these security measures are in violation of the UCI Computer and Network Use Policy 714-18.
Network
Intrusion Detection and Prevention
The OIT Information Security team uses a combination of automated technology and manual review to identify systems that are attacking campus information resources, may be infected with malware, or fail to meet the minimum security requirements. The automated systems use a combination of pre-determined signatures and traffic analysis. These systems may capture and store a relevant portion of electronic communications for systems or user accounts potentially being used to threaten the campus network. Security staff may manually review these stored captures, in accordance with privacy policies and law, to validate the findings or tune the automated systems.
The information may include: source and destination IP addresses, source and destination ports, URLs, and user names. Stored network traffic is usually 1-2 KB of data per capture.
Threat Detection and Identification
The University of California has deployed a common Threat Detection and Identification (TDI) system for the purposes of coordinated analysis and response to systematic, professional cybersecurity attacks. The OIT Information Security team will also use this tool to augment existing intrusion and breach detection technologies.
UCOP has published information about the current TDI system, which includes network threat detection, endpoint threat detection (see below), and a staffed 24/7/365 managed service that monitors and analyzes automated security alerts and escalates to on-call OIT Security staff to initiate a campus response when needed.
Network data is inspected for malware, ransomware, known bad Internet addresses, command-and-control traffic nodes, and other indicators of compromise. Information may include: source and destination IP addresses, source and destination ports, URLs, and a snapshot of traffic related to the attack, kept for a limited amount of time to help reconstruct what happened during the attack or breach.
Blocking
Users or systems that threaten the UCI network or UCI electronic resources may have network access revoked until the issue is resolved. This includes systems that have serious vulnerabilities and fall under our network disconnect procedure. Blocked computers will usually be redirected to a page with additional information. Blocked user accounts may be denied access without additional information. OIT Security Staff will make best efforts to directly contact the account or system owner by email, but this is not always possible. If a system or account owner cannot be identified, OIT Security Staff will make best efforts to contact the appropriate OIT or departmental computer support staff.
To see if your network access has been blocked visit the OIT Blocked List. To request an unblock, please email security@uci.edu.
Bandwidth Monitoring
UCInet has no traffic cap or bandwidth limit for academic use. In some cases traffic is monitored for changes in bandwidth usage that could point to unusual activity and potential security compromise.
To ensure quality network access for all users and to prevent abuse of campus network resources, users generating excessive non-academic traffic that impacts academic use may be asked to stop.
The information may include: source and destination IP addresses, source and destination ports, and bandwidth usage quantity.
If you will be using high bandwidth, especially if you are concerned it may be misidentified as personal traffic, please email security@uci.edu. This is not a requirement, but it helps the security and network engineers tune the campus network and security practices.
Attachment Analysis
Certain attachments on inbound email will meet criteria for additional scrutiny. Email originating from on campus is not processed.
Attachments identified for analysis are sent via an encrypted connection to a cloud-based, highly secure, automated analysis service. Following analysis, the copied attachment is destroyed.
Attachments found to carry malware are used to update the list of threat signatures recognized by the intrusion detection and prevention system. Forensic information for the purposes of tracking or mitigating damage may be stored.
Anti-spamming
The OIT Information Security team uses a combination of automated technology and manual review to identify systems or accounts that may be sending out bulk unsolicited email (“spam”). Because outbound spam results from unauthorized access to UCI email accounts, the OIT Security Team may take extra steps to review access or transaction logs to identify and contact users whose passwords may have been stolen or whose accounts may have been compromised.
The contents of emails are not reviewed or accessed without consent in the course of normal monitoring and review.
The information may include: source and destination IP addresses, source and destination ports, user names, and email addresses.
Anti-Phishing and Business Email Compromise
OIT Information Security operates advanced email protection for all UCI email addresses regardless of delivery point. Automated scans of the entire email, including headers, body, and attachments, occur. In addition to scanning attachments for malware, other indicators of business email compromise (BEC), including malicious patterns in the content that match known threat intelligence, are detected and blocked. Links within messages are also scanned and checked against known malicious websites at the time of each click.
Metadata for all incoming messages is retained for 30 days (sender, recipient, mail server hostname/IP address, subject line, rewritten URLs, attachment filenames).
Clicked email link records are retained for 14 days, including email address, date and time, IP address, browser/OS, and whether the site was permitted or blocked by the filter.
When a message is identified as malicious, the full message is retained in quarantine for two weeks, and its metadata and threat information are retained for one year.
Endpoints
Endpoint Detection & Response
Also part of the University of California’s Threat Detection and Identification (TDI) program (see above), endpoint detection & response (EDR) is a software tool installed locally on computing devices to protect against, detect, and respond to cybersecurity threat activity that can’t be seen on the campus network alone. It includes a classic anti-virus engine, a malware guard with machine learning to protect against ransomware, an exploit guard using vetted threat intelligence, and a real-time indicator to correlate security event metadata for investigation.
The software engine monitors changes to the file system, registry persistence, live memory, processes, DNS lookups, IP connections, and URL events for indicators of compromise (IOC). When an IOC is detected, a forensic snapshot of the system state related to the exploit is saved locally for analysis, along with a 120-500 MB rolling event buffer that records what happened right before the compromise was detected.
System Activity
The OIT Information Security Team stores and utilizes a variety of logs. These logs may be reviewed by automated systems with pre-determined “red flag” algorithms or manually reviewed, as allowed by policy and law, to verify incident reports.
Connection Logs
Connection logs are created and stored for all network traffic between UCInet and the Internet, and between UCInet and ResNet. Connection logs (NetFlow) are also created and stored for devices sending electronic communications within UCInet.
Access logs to servers and web applications are also stored and monitored for malicious activity and to correlate with other security events.
The information may include: source and destination IP addresses, source and destination ports, packet counts, and byte counts.
User Logs
Authentication logs are created and stored for access to campus resources, such as campus web single sign-on, email, VPN, etc. Campus system owners may also create and store their own logs for security audit purposes.
The information may include: source and destination IP addresses, URLs, and user names.