Windows 7 Project and Heartbleed Update

Sian Shumway

Director, IT Customer Service

2

Windows XP Overview• Technical issue:

• Windows XP support ends April 8, 2014.• Microsoft will no longer provide patches, updates, or support.• XP systems will no longer meet UCSF minimum security

requirements and must be upgraded.

• Risk: • XP systems will be vulnerable to security exploits.• UCSF enterprise at risk from anticipated influx of threats.

• Action: • Mandate the upgrade of all Windows XP systems.• Executive support for escalation, potential funding, and minimizing

security exceptions.Post April 8th UCSF will have substantial quantities of XP computers operating in our environment which requires us to take risk mitigation steps immediately.

3

Where We Started

• ~8500 XP systems to upgrade• ~359 Applications to test, migrate or except• Timeline:

4

Progress Update

• ~5000+ XP systems complete to date• ~3000 systems remaining • Estimated completion date of May 31

• ~400 systems excepted due to application migration cost/availability - complete by April 2015, many earlier

• ~350 Applications test and migrated • ~10 applications required exception to complete

migration by April 2015 (~500 systems)

5

Risk Mitigations

• Microsoft extended support for Windows XP for 1 year

• Installation of Symantec Endpoint Protection 12 on all computers

• Install Microsoft Enhance Mitigation Experience Toolkit (EMET) XP computers

• Enhance the UCSF Spam Firewall

• Web filtering to monitor network traffic

6

What is the Heartbleed bug

• This flaw potentially allows attackers to steal passwords or other data from websites using OpenSSL encryption.

• Approximately 2/3 of all sites on the Internet were vulnerable for almost 2 years until the bug was discovered last week.

• It’s difficult or impossible to determine whether or not this vulnerability was widely used to steal passwords and confidential information.

7

What we are doing about it

• Remediation is a 3-step process: • Patch the software• Install a new SSL certificate• Have users to change their passwords

• IT Security scanned the network to identify vulnerable UCSF systems and notified system administrators

• Dozens of Internet-accessible systems and many more internally accessible systems have been patched

• Email will be sent to all users next week asking you to change UCSF passwords

8

What should you do about it?

• Change your Active Directory password when asked by IT

• Change passwords for your personal accounts on sites that may have been affected (Google “Mashable Heartbleed” for a good list of popular, affected sites)

• Look for updates at: http://tiny.ucsf.edu/heartbleed

9

Questions?

• Web: readyfor7.ucsf.edu

• Sian Shumway, Director IT Customer Service sian.shumway@ucsf.edu]

• Project Manager: arabella.handy@ucsf.edu