Security concerns have changed IT jobs from providing services to our users to protecting users' data. The basics of how that change happened for us are described here.
Presented at NETC2015 in Big Sky, Montana.
1. Private Data – Keep Out!
National Extension Technology Conference
Greg Parmer
Jonathan Davis
August 12, 2015
2. The Day My Job Changed
History
Firewall hole added for workgroup NAS device, against IT recommendation
4 years later…
Mail relay incident
A dozen “exposed” SSNs
Nearly 5 figure forensics bill
Faculty members’ change of heart
Policy necessity (and now politically acceptable!)
3. Gas On The Fire
College of Business incident
Admissions Office incident
NAS Device Replacement (incorrect configuration)
Exposures of Personally Identifiable Information (PII)
ID Theft insurance for thousands of individuals
Policy avalanche… (and why hasn’t this already been fixed?)
4. Finding Personally Identifiable Info
Deployed Identity Finder software
Scan all University computers for PII (SSNs and credit card numbers)
Deployed on relatively short notice
Remediation by end-users
Where to store PII?
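An added example, not the deck's code and not Identity Finder's: a small Python scanner for the two PII types the slide names, SSNs and credit card numbers. It shows the validity checks that keep the hit list handed to end users for remediation short (SSN issuance ranges, Luhn check on card numbers) and masks all but the last four digits so the report itself is not PII. The sample text is constructed.

```python
"""PII-candidate scanner for SSNs and credit card numbers (added example).
Validity rules cut false positives before the hit list goes to end users for
remediation, and the report masks digits so it is not itself PII."""
import re

# SSN: 3-2-4 digits with a consistent separator (dash, space or none)
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Card candidate: 13-19 digits, optionally grouped by single spaces or dashes
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 001-899 excluding 666, group and serial non-zero."""
    a = int(area)
    return 0 < a < 900 and a != 666 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the remediation report is not itself PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return masked SSN and card hits that pass the validity checks."""
    ssns = [mask(m.group(0)) for m in SSN_RE.finditer(text)
            if valid_ssn(m.group(1), m.group(3), m.group(4))]
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask(m.group(0)))
    return {"ssn": ssns, "card": cards}


# Constructed sample: one valid-looking SSN, two that fail issuance rules,
# a Luhn-valid test card number and a 16-digit order number that fails Luhn.
SAMPLE = """Applicant SSN: 123-45-6789   Old file: 000-12-3456, 666-12-3456
Card on file: 4111 1111 1111 1111   Order#: 1234567890123456"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```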
5. Information Security Awareness Training
Training required of all employees
23 video modules, each a few minutes long
Quiz after each module
Repeat annually
Planning for customized content
6. Border Firewall and NAT
Much Greater Acceptance of Campus NAT
Border Firewall is Default Closed
7. Server Certification Working Group
Purpose:
Develop security standards to evaluate and secure all University servers. Create a secure server certification program, with certain expectations:
1. Server certification will be based on a recognized standard.
2. Server security standard should preferably be in use at peer institutions.
3. Server security standard will include criteria to determine what systems will be subject to compliance.
4. Servers will be audited and re-certified regularly at an interval consistent with industry standards.
5. Complete access to servers will be required by the audit team during audits.
6. Additional server security criteria and requirements for a successful certification program.
8. Peer Institution Policies
Florida
IT Policies, Data classification, Network and Host Security Standard, NIST standards referenced
(IT Security PPT presentation for faculty, staff, students, etc. to “sell” the policies)
Iowa State (was pending, but applied well to AU)
Data Governance Committee, Data classification, Security Standards & Guidance
Univ of Tennessee Institute for Agriculture (policies and procedures were pending)
Scanning with Qualys - working toward NIST standard
Texas A&M AgriLife/Extension (follow Aggie Standard Administrative Procedures)
Servers are registered in an online app, scanned monthly with Nessus and reports provided to the registered server administrator. Administrators are also required to do a yearly risk assessment per university rule. The risk assessment is done via an online questionnaire. In addition any server that handles registration/payment has a quarterly PCI scan and remediation process.
(Thank you, colleagues! Great information from extech mailing list, online, and personal e-mail.)
9. 4 Aspects of Server Standards In A Nutshell
Server Registration
Audit via multiple methods
Data Classification
Audit via Identity Finder
NIST’s National Checklist Program
Audit via CIS-CAT
Patch at least CVSS levels 4 and 5
Audit via Qualys (and 3rd party tools like Nessus)
Data Governance Committee to Audit Process, Policy, and Audits
10. Differences in Policy
Cloud service agreement with vendors?
OneDrive
GoogleDocs
Dropbox
Evernote
Guarantee for confidential data?
This seemingly minor difference results in major implementation differences!
12. Questions?
Thanks for attending!
PS: “Dark Alleys of the Internet”
Updated on Slideshare
www.slideshare.net/gparmer/dark-alleys2015
Greg Parmer parmega@auburn.edu or gregparmer@gmail.com
Jonathan Davis jdavis@auburn.edu
Editor's Notes
Auburn University has implemented measures to strengthen the institution’s overall data security posture with a focus on protecting Personally Identifiable Information (PII). Join us to learn about some of the technical and human factors to consider for enhancing information security from the campus level to the desktop.
http://www.aces.edu
http://www.auburn.edu
I was a system and network administrator whose job was to keep the people happy and provide IT solutions.
When the bills for forensics and insurance start rolling in, the job becomes one of protecting data.
First high-profile event: November 2013
Got the attention of university administration
Luckily Auburn had cyber-insurance
Challenges:
Deploy quickly with little training and server config testing for so many computers
Remediation by end-users – very time-intensive for them and for us to confirm
Where to store PII that must be kept (grant forms, veteran’s outreach forms, etc.)
First year was contracted out to SANS. Subsequent years will likely feature a homegrown solution tailored to our environment.
Campus firewall and NAT are now being begged for. Attitude changed from “why do that?” to “why haven’t you already done that?”
Aside: do you request firewall openings by port or by application?
Morphed. There was no payoff for being certified so we managed to drop “certification” and create a standards program with a goal of meeting industry standards and a steadily improved security posture.
With Extech and web searches we found a common theme of data security policies (primarily online, some via email)
MIT - "Compliance with this Program will be reviewed as part of regularly scheduled operational and IT audits conducted by MIT's Audit Division."
Texas A&M - An interesting side effect of these procedures has been a migration away from running local servers in departments to using VM platforms that we (AgriLife IT) offer as a service to Extension, Research and our College departments. In that scenario we manage most of the security for them.
NIST – National Institute of Standards and Technology
CVE – Common Vulnerabilities and Exposures
CIS – Center for Internet Security (CIS-CAT: Configuration Assessment Tool)
Our agreement apparently does not guarantee private data. At least one other institution has an agreement that the cloud vendor will take responsibility for data exposure, so they are moving all confidential data to the cloud (at least within county extension offices).