Enterprise Security: Solaris Operating Environment, Security Journal, Solaris OEv2.51, 2.6, 7, and 8

Description

  • Copyright 2003
  • Dimensions: 7 X 9-1/4
  • Pages: 464
  • Edition: 1st
  • Book
  • ISBN-10: 0-13-100092-6
  • ISBN-13: 978-0-13-100092-6

Key Benefits

This guide provides the reader with best practices from Sun Microsystems for architecting multi-tiered datacenter environments.

Key Topics

This Sun Microsystems Blue Print features documented, automated, and supported security best practices for high-end servers and cluster software. Written for experienced developers and system administrators, it includes tricks, tools, and techniques that hackers use to break into systems. The author details best practices and tools for sniffing out "trojaned" system files and binaries and describes Solaris security features, network settings, and minimization.

Market

This book is targeted at developers and system administrators.

Sample Content

Online Sample Chapter

Solaris Operating Environment Security

Table of Contents

Acknowledgements.
Preface.

I. SOLARIS OPERATING ENVIRONMENT SECURITY.

1. Solaris Operating Environment Security.
File Systems and Local Security. Initial Installation. Minimization. Console Security. File System. Accounts. The init System. Kernel Adjustments. Log Files. Miscellaneous Configuration. Network Service Security. Network Service Issues. Available Tools. Telnet. Remote Access Services (rsh, rlogin, and rcp). Remote Execution Service (rexec). FTP. Trivial FTP. inetd Managed Services. RPC Services. NFS Server. Automount. sendmail Daemon. Name Service Caching (nscd). Print Services. IP Forwarding. Network Routing. Multicast Routing. Reducing inetsvc. Network Service Banners. Related Resources.

2. Network Settings for Security.
The ndd Command. Notes on Parameter Changes. Address Resolution Protocol (ARP). ARP Attacks. ARP Defenses. Internet Control Message Protocol (ICMP). Broadcasts. Redirect Errors. Internet Protocol (IP). IP Forwarding. Strict Destination Multihoming. Forwarding Directed Broadcasts. Routing. Forwarding Source Routed Packets. Transmission Control Protocol (TCP). SYN Flood Attacks. Connection Exhaustion Attacks. IP Spoofing Attacks. Common TCP and UDP Parameters. Adding Privileged Ports. Changing the Ephemeral Port Range. Script for Implementing ndd Commands. Related Resources.

3. Minimization.
Installation Clusters. Test Environment. Methodology Overview. Verifying JumpStart Software. Installing Core Solaris OE Cluster. Installing Patches. Removing Unnecessary Packages. Using JumpStart Software to Configure the OS. Installing and Configuring Software Packages. Checking For Errors. Testing Software Installation. Final Configuration of iPlanet Web Server 4.1. Solaris 8 OE. Solaris 7 OE. Solaris 2.6 OE. Related Resources. Publications. Web Sites.

4. Auditing.
Sun SHIELD Basic Security Module (BSM). Auditing Principles. Auditing Goals. Enabling Auditing. Definition of Terms. Audit Flag. Audit Preselection Mask. Audit Trail. Audit User ID (AUID). audit_class. audit_control. audit_event. audit_user. Audit Trails. Audit Classes and Events. Login or Logout (lo). Nonattribute (na). Administrative (ad). Additional Audit Events. Application Audit Class. Excluded Audit Classes. Audit Trail Analysis. audit_control, audit_class, and audit_event Files. audit_control File. Modified audit_class File. Modified audit_event File. audit_event Modifications. Solaris OE Upgrades. Related Resources.

II. ARCHITECTURE SECURITY.


5. Building Secure N-Tier Environments.
Is There a Silver Bullet? N-Tier Description. Web Server Tier. Application Server Tier. Database Server Tier. Storage Area Network Tier. Backup Tier. ExtraNet/Service Provider Tier. Management Tier. Defense-In-Depth. Segmentation. System Build Requirements. Dedicated Functionality. Hardening. Host-Based Firewall. Minimization. Communication and IP Forwarding. Network Flow. System Configuration. Network Segmentation. Internet-Web Server Tier. Web Server-Application Server Tier. Application Server Tier-Database Tier. ExtraNet Tier-Database Tier. Backup Tier-Systems Being Backed Up. SAN Tier-Systems Using SAN. Management Tier-All Servers. Build Process. Encryption. Backups. Centralized Logging. Intrusion Detection. Related Resources.

III. JUSTIFICATION FOR SECURITY.


6. How Hackers Do It: Tricks, Tools, and Techniques.
Tricks. Finding Access Vulnerabilities. Finding Operating System Vulnerabilities. Attacking Solaris OE Vulnerabilities. Tools. Port Scanners. Vulnerability Scanners. Rootkits. Sniffers. Techniques. Attacks From the Internet. Attacks From Employees. How to Use the Tools. Using Port Scanners. Using Vulnerability Scanners. Using Rootkits. Using Sniffers. References. Related Resources. Publications. Web Sites.

IV. TOOLS SECURITY.


7. Solaris Fingerprint Database.
How Does the sfpDB Work? sfpDB Scope. Limitations. Downloading and Installing MD5. Creating an MD5 Digital Fingerprint. Testing an MD5 Digital Fingerprint. Real-World Results. Additional sfpDB Tools. Solaris FingerPrint Database Companion (sfpC). Solaris Fingerprint Database Sidekick (sfpS). Frequently Asked Questions. Related Resources.

V. HARDWARE AND SOFTWARE SECURITY.


8. Securing the Sun Fire 15K System Controller.
Introduction to Sun Fire 15K SC. Assumptions and Limitations. Understanding the SC Functions. Redundant SCs. System Management Services (SMS). Software. Securing the Sun Fire 15K SC. Solaris Security Toolkit Software. Obtaining Support. Default SC SMS Software Configuration. SC Solaris OE SMS Packages. SC SMS Accounts and Security. SC SMS Daemons. SC Network Interfaces. Main SC Network Interfaces. Spare SC Network Interfaces. Secured SC Solaris OE Configuration. Security Recommendations. Implementing the Recommendations. Software Installation. Securing the SC with the Solaris Security Toolkit Software. Related Resources.

9. Securing Sun Fire 15K Domains.
Disclaimer. Obtaining Support. Assumptions and Limitations. Solaris 8 OE. SMS. Solaris OE Packages. Solaris Security Toolkit Software. Network Cards. Minimization. Domain Solaris OE Configuration. Sun Fire 15K Domain Hardening. Standalone Versus JumpStart Modes. Solaris Security Toolkit Software. Security Modifications. Installing Security Software. Installing the Solaris Security Toolkit Software. Installing the Recommended and Security Patch Clusters. Installing the FixModes Software. Installing the OpenSSH Software. Installing the MD5 Software. Domain Solaris OE Modifications. Executing the Solaris Security Toolkit Software. Verifying Domain Hardening. Secured Domain Solaris OE Configuration. Solaris Security Toolkit Scripts. Related Resources.

10. Securing Sun Enterprise 10000 System Service Processors.
Background Information. Assumptions and Limitations. Qualified Software Versions. Obtaining Support. Sun Enterprise 10000 System Features and Security. System Service Processor (SSP). Solaris OE Defaults and Modifications. Building a Secure Sun Enterprise 10000 System. Modifying Network Topology. Installing Main SSP Detection Script. Adding Security Software. Creating Domain Administrator Accounts. Adding Host-Based Firewalls. Verifying SSP Hardening. Testing the Main SSP. Testing the Spare SSP. Sample SunScreen Software Configuration File. Related Resources.

11. Sun Cluster 3.0 (12/01) Security with the Apache and iPlanet Web and Messaging Agents.
Software Versions. Obtaining Support. Assumptions and Limitations. Solaris 8 OE. Sun Cluster 3.0 (12/01) Software. iPlanet Web and Messaging Servers and Apache Web Server Supported. Solaris OE Packages and Installation. Cluster Interconnect Links. Solaris Security Toolkit Software. Security Modification Scope. Minimization. Solaris OE Service Restriction. Hardening Modifications. Hardening Results. Sun Cluster 3.0 Daemons. Terminal Server Usage. Node Authentication. Securing Sun Cluster 3.0 Software. Installing Security Software. Sun Cluster 3.0 Node Solaris OE Modifications. Verifying Node Hardening. Maintaining a Secure System. Solaris Security Toolkit Software Backout Capabilities. Related Resources.

12. Securing the Sun Fire Midframe System Controller.
System Controller (SC) Overview. Midframe Service Processor. Hardware Requirements. Mapping of MSP to SC. Network Topology. Terminal Servers. Control-A and Control-X Commands. MSP Fault Tolerance. MSP Security. MSP Hardening. Solaris Security Toolkit Installation. Recommended and Security Patch Installation. Solaris Security Toolkit Execution. MSP SYSLOG Configuration. SC Application Security Settings. Platform Administrator. Domain Administrator. Domain Security Settings. The setkeyswitch Command. Other System Controller Security Issues. Engineering Mode. dumpconfig and restoreconfig. Flashupdate. Recovering a Platform Administrator's Lost Password. Related Resources. Publications. Web Sites.

VI. SOLARIS SECURITY TOOLKIT DOCUMENTATION.


13. Quick Start.
Installation. Compressed Tar Archive. Package Format. Configuration and Usage. Standalone Mode. JumpStart Mode. Undo. Frequently Asked Questions. Related Resources.

14. Installation, Configuration, and User Guide.
Problem. Solution. Standalone Mode. JumpStart Technology Mode. Supported Versions. Obtaining Support. Architecture. Installation and Basic Configuration. Advanced Configuration. driver.init Configuration File. JASS_FILES_DIR. finish.init Configuration File. user.init Configuration File. Using the Solaris Security Toolkit. JumpStart Mode. Standalone Mode. Building Custom Packages. Related Resources.

15. Internals.
Supported Solaris OE Versions. Architecture. Documentation Directory. Drivers Directory. Driver Script Creation. Driver Script Listing. Files Directory. The JASS_FILES Environment Variable and Files Directory Setup. Files Directory Listing. Finish Directory. Finish Script Creation. Finish Script Listing. Install Finish Scripts. Minimize Finish Script. Print Finish Scripts. Remove Finish Script. Set Finish Scripts. Update Finish Scripts. OS Directory. Packages Directory. Patches Directory. Profiles Directory. Profile Creation. Profile Configuration Files. Sysidcfg Directory. Version Control. Related Resources.

16. Release Notes.
New Undo Feature. Updated Framework. driver.run Script. JASS_CONFIG_DIR Variable Renamed. SCRIPTS* and FILES* Prefix Conventions. SUNWjass. New Data Repository. copy_files Function Enhanced. New Configuration File finish.init. Changes to Profiles. New Driver Scripts. Changes to Driver Scripts. New Finish Scripts. Changes to Finish Scripts. Disabled Accounts. Increased Partition Size Default. Modified disable-system-accounts.fin. Renamed disable-rlogin-rhosts.fin. Updated install-strong-permissions.fin. Removed EvilList Parameter Duplicates. Improved Output Format for print-jass-environment.fin. Symbolic Links Changed in set-system-umask.fin. Improved Finish Scripts. Preventing kill Scripts from Being Disabled. New File Templates. Miscellaneous Changes. Logging Changes to System Files. Symbolic Links to Files and Directories. Formatting Leading Slashes (/). Processing User Variables-Bug Fixed. Removed add-client Directory Dependency. Changed Default le0 Entry. New Variable JASS_HOSTNAME.

Index.

Preface

This book is one of an ongoing series of books collectively known as the Sun BluePrints program. This book provides a compilation of best practices and recommendations, previously published as Sun BluePrints Online articles, for securing Solaris Operating Environment (Solaris OE).

This book applies to Solaris OE Versions 2.5.1, 2.6, 7, and 8.

About This Book

Securing computer systems against unauthorized access is one of the most pressing issues facing today's datacenter administrators. Recent studies suggest that the number of unauthorized accesses continues to rise, as do the monetary losses associated with these security breaches.

As with any security decisions, a balance must be attained between system manageability and security.

Many attacks have preventative solutions available; however, every day, hackers compromise systems using well-known attack methods. Being aware of how these attacks are performed, you can raise awareness within your organization for the importance of building and maintaining secure systems. Many organizations make the mistake of addressing security only during installation, then never revisit it. Maintaining security is an ongoing process and is something that must be reviewed and revisited periodically.

Sun BluePrints Program

The mission of the Sun BluePrints Program is to empower Sun's customers with the technical knowledge required to implement reliable, extensible, and secure information systems within the datacenter using Sun products. This program provides a framework to identify, develop, and distribute best practices information that applies across the Sun product lines. Experts in technical subjects in various areas contribute to the program and focus on the scope and usefulness of the information.

The Sun BluePrints Program includes books, guides, and online articles. Through these vehicles, Sun can provide guidance, installation and implementation experiences, real-life scenarios, and late-breaking technical information.

The monthly electronic magazine, Sun BluePrints OnLine, is located on the Web at:

http://www.sun.com/blueprints

To be notified about updates to the Sun BluePrints Program, please register yourself on this site.

Who Should Use This Book

This book is primarily intended for the busy system administrator (SA) who needs help handling nonsecure systems. Secondary audiences include individuals who architect and implement systems—for example, architects, consultants, and engineers.

Before You Read This Book

You should be familiar with the basic administration and maintenance functions of the Solaris OE. You should also have an understanding of standard network protocols and topologies.

Because this book is designed to be useful to people with varying degrees of experience or knowledge of security, your experience and knowledge are the determining factors of the path you choose through this book.

How This Book Is Organized

This book is organized into six parts that organize security best practices and recommendations as follows:

Part I--Solaris Operating Environment Security

Chapter 1 "Solaris Operating Environment Security" by Alex Noordergraaf and Keith Watson describes the Solaris OE subsystems and the security issues surrounding those subsystems. This chapter provides recommendations on how to secure Solaris OE subsystems.

Chapter 2 "Network Settings for Security" by Keith Watson and Alex Noordergraaf describes known attack methods so that administrators become aware of the need to set or change network settings. The application of most of these network security settings requires planning and testing and should be applicable to most computing environments.

Chapter 3 "Minimization" by Alex Noordergraaf focuses on practices and methodology (processes) that improve overall system security by minimizing and automating Solaris OE installation.

Chapter 4 "Auditing" by Will Osser and Alex Noordergraaf was derived from an auditing case study and includes a set of audit events and classes usable on Solaris 8 OE.

Part II--Architecture Security

Chapter 5 "Building Secure N-Tier Environments" by Alex Noordergraaf provides recommendations for architecting and securing N-Tier environments.

Part III--Justification for Security

Chapter 6 "How Hackers Do It: Tricks, Tools, and Techniques" by Alex Noordergraaf describes the tricks, tools, and techniques that hackers use to gain unauthorized access to Solaris OE systems.

Part IV--Tools for Security

Chapter 7 "Solaris Fingerprint Database" by Vasanthan Dasan, Alex Noordergraaf, and Lou Ordorica provides an introduction to the Solaris Fingerprint Database (sfpDB).

Part V--Hardware and Software Security

Chapter 8 "Securing the Sun Fire 15K System Controller" by Alex Noordergraaf and Dina Kurktchi provides recommendations on how to enhance the security of a Sun Fire 15K system controller (SC).

Chapter 9 "Securing Sun Fire 15K Domains" by Alex Noordergraaf and Dina Kurktchi documents all of the security modifications that can be performed on a Sun Fire 15K domain without negatively affecting its behavior.

Chapter 10 "Securing Sun Enterprise 10000 System Service Processors" by Alex Noordergraaf describes a secure Sun Enterprise 10000 configuration that is fully Sun supported. It provides tips, instructions, and guidance for creating a more secure Sun Enterprise 10000 system.

Chapter 11 "Sun Cluster 3.0 (12/01) Security with the Apache and iPlanet Web and Messaging Agents" by Alex Noordergraaf, Mark Hashimoto, and Richard Lau describes a supported procedure by which certain Sun Cluster 3.0 (12/01) software agents can be run on secured and hardened Solaris OE systems.

Chapter 12 "Securing the Sun Fire Midframe System Controller" by Alex Noordergraaf and Tony M. Benson provides recommendations on how to securely deploy the Sun Fire System Controller (SC).

Part VI--Solaris Security Toolkit Documentation

Chapter 13 "Quick Start" by Alex Noordergraaf and Glenn Brunette is for individuals who want to get started with the Solaris Security Toolkit software as quickly as possible. Only the bare essentials in getting the Solaris Security Toolkit software downloaded and installed are addressed.

Chapter 14 "Installation, Configuration, and User Guide" by Alex Noordergraaf and Glenn Brunette describes the advanced configuration and user options available in version 0.3 of the Solaris Security Toolkit software.

Chapter 15 "Internals" by Alex Noordergraaf and Glenn Brunette describes all of the directories and scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OE systems.

Chapter 16 "Release Notes" by Alex Noordergraaf and Glenn Brunette describes the changes made to the Solaris Security Toolkit since the release of version 0.2 in November of 2000.

Note - This book does not contain an Index.

Ordering Sun Documents

The SunDocs(SM) program provides more than 250 manuals from Sun Microsystems, Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase documentation sets or individual manuals through this program.

Accessing Sun Documentation Online

The docs.sun.com web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is as follows:

http://docs.sun.com/

Related Documentation

At the end of each chapter in this book is a "Related Resources" section, which provides references to publications and web sites applicable to the information in each chapter.

Sun Welcomes Your Comments

We are interested in improving our documentation and welcome your comments and suggestions. You can email your comments to us at:

docfeedback@sun.com

About the Authors

Alex Noordergraaf authored or worked with other authors on the chapters in this book. In some cases, he was the primary author, and in other cases, he was a co-author. Refer to "How This Book Is Organized" on page xxiii for the names of authors for each chapter. The following provides biographical information for all authors, in alphabetical order by last name.

Tony M. Benson

Tony Benson has over twenty years of experience of developing software solutions in the areas of military, aerospace, and financial applications. As a Staff Engineer in the Enterprise Server Products group of Sun Microsystems, he is developing system management solutions for the Enterprise Server Product line. Prior to his role in the Enterprise Server Products group, he developed secure, distributed revenue collection systems for a worldwide base of customers in the transit industry.

Glenn Brunette

Glenn Brunette has more than eight years of experience in the areas of computer and network security. Glenn currently works within the Sun Professional Services(SM) organization where he is the Lead Security Architect for the Northeastern USA region. In this role, he works with many Fortune 500 companies to deliver tailored security solutions such as assessments, architecture design and implementation, as well as policy and procedure review and development. His customers have included major financial institutions, ISP, New Media, and government organizations.

In addition to billable services, Glenn works with the Sun Professional Services Global Security Practice and Enterprise Engineering group on the development and review of new security methodologies, best practices, and tools.

Vasanthan Dasan

Vasanthan Dasan is an ES Principal Engineer, one of five high-ranked engineers in Sun's Enterprise Services. Vasanthan joined Sun Microsystems in 1992 and is currently a Technology Strategist in the Support Services Global Strategy Business Development group. He is responsible for architecting application availability services and for providing technical expertise on merger and acquisition activities.

Vasanthan was the Chief Architect for Support Services Engineering, responsible for developing online support services for Sun's customer support engineers and external customers. Prior to that, he worked on Solaris products such as CacheFS, AutoClient, Solstice PC Products, and JumpStart as part of the Solaris engineering team. Vasanthan co-authored Hands-On Intranet, published by Prentice Hall, and has written numerous Sun whitepapers. He was largely responsible for Sun's early adoption of the Web in 1994, and holds one of the industry's first Web patents, awarded for the invention of web-based personal newspapers.

Mark Hashimoto

Mark Hashimoto has been with Sun Microsystems in Menlo Park, California, for the past three years. Currently, he is developing the user interface components for the Sun Cluster Products group. Mark was also one of the originators of the SunPlex Manager GUI tool. Mark holds a Master's degree in Computer Science from the University of Arizona.

Dina Kurktchi

Dina Kurktchi is a senior software engineer with 15 years of experience in many areas from device drivers to databases. Her last four years have been focused in secure software development and deployment of security system solutions such as vulnerability assessment tools, intrusion detection systems, and public key infrastructures. Currently, she works with the Enterprise Systems Group at Sun Microsystems.

Richard Lau

Richard Lau has three years of working experience. As part of the Sun Cluster QA group of Sun Microsystems, his duties include Sun Cluster 2.2 patch testing, testing new features, and performing regression tests for Sun Cluster 3.0 products.

Alex Noordergraaf

Alex Noordergraaf has over 10 years of experience in the areas of computer and network security. As the Security Architect of the Enterprise Server Products (ESP) group at Sun Microsystems, he is responsible for the security of Sun servers. He is the driving force behind the very popular freeware Solaris Security Toolkit. Prior to his role in ESP, he was a Senior Staff Engineer in the Enterprise Engineering (EE) group of Sun Microsystems, where he developed, documented, and published security best practices through the Sun BluePrints program. Published topics include: Sun Fire Midframe 15K system security, secure N-tier environments, Solaris OE minimization, Solaris OE network settings, and Solaris OE security. He co-authored JumpStart Technology: Effective Use in the Solaris Operating Environment.

Prior to his role in EE, he was a Senior Security Architect with Sun Professional Services where he worked with many Fortune 500 companies on projects that included security assessments, architecture development, architectural reviews, and policy/procedure review and development. He developed and delivered an enterprise security assessment methodology and training curriculum to be used worldwide by Sun Professional Services. His customers included major telecommunication firms, financial institutions, ISPs, and ASPs. Before joining Sun, Alex was an independent contractor specializing in network security. His clients included BTG, Inc. and Thinking Machines Corporation.

Lou Ordorica

Lou Ordorica worked for several years as a system administrator at Sun Microsystems. He went on to teach and write about system administration for Sun's employees and customers, and is currently providing online support to customers using the Web.

Will Osser

Will Osser has over eight years of experience in the area of Computer and Network Security. He has worked extensively with B-1 secure UNIX(R) systems in a variety of roles including developing, sustaining, pre- and post-sales support, as well as training. He has also worked as a security consultant designing system and software architecture. Will is currently a software engineer working for Sun Microsystems in the Solaris Secure Technology Group.

Will joined Sun directly after completing his Master's Thesis in Computer Engineering at the University of California.

Keith Watson

Keith Watson has spent nearly four years at Sun working in the area of computer and network security. He is currently the product manager for core Solaris security. Previously, Keith was a member of the Global Enterprise Security Service (GESS) team in Sun Professional Services. He is also a co-developer of an enterprise network security auditing tool named the Sun Enterprise Network Security Service (SENSS). Prior to joining Sun, Keith was part of the Computer Operations, Audit, and Security Technologies (COAST) laboratory (now part of the CERIAS research center) at Purdue University.

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as a postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and wishes to delete his or her account, the user should contact us at customer-service@informit.com and we will process the deletion of the account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection with the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020