Private Data - Keep Out!
•Als PPTX, PDF herunterladen•
1 gefällt mir•291 views
Security concerns have changed IT jobs from providing services to our users to protecting users' data. The basics of how that change happened for us are described here. Presented at NETC2015 in Big Sky, Montana.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (17)
Ähnlich wie Private Data - Keep Out!
Ähnlich wie Private Data - Keep Out! (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Private Data - Keep Out!
- 1. Private Data – Keep Out! National Extension Technology Conference Greg Parmer Jonathan Davis August 12, 2015
- 2. The Day My Job Changed History Firewall hole added for workgroup NAS device, against IT recommendation 4 years later… Mail relay incident A dozen “exposed” SSNs Nearly 5 figure forensics bill Faculty members’ change of heart Policy necessity (and now politically acceptable!)
- 3. Gas On The Fire College of Business incident Admissions Office incident NAS Device Replacement (incorrect configuration) Exposures of Personally Identifiable Information (PII) ID Theft insurance for thousands of individuals Policy avalanche… (and why hasn’t this already been fixed?)
- 4. Finding Personally Identifiable Info Deployed Identity Finder software Scan all University computers for PII (SSNs and credit card numbers) Deployed on relatively short notice Remediation by end-users Where to store PII?
- 5. Information Security Awareness Training Training required of all employees 23 video modules, each a few minutes long Quiz after each module Repeat annually Planning for customized content
- 6. Border Firewall and NAT Much Greater Acceptance of Campus NAT Border Firewall is Default Closed
- 7. Server Certification Working Group Purpose: Develop security standards to evaluate and secure all University servers. Create a secure server certification program, with certain expectations: 1. Server certification will be based on a recognized standard. 2. Server security standard should preferably be in use at peer institutions. 3. Server security standard will include criteria to determine what systems will be subject to compliance. 4. Servers will be audited and re-certified regularly at an interval consistent with industry standards. 5. Complete access to servers will be required by the audit team during audits. 6. Server security additional criteria and requirements for successful certification program.
- 8. Peer Institution Policies Florida IT Policies, Data classification, Network and Host Security Standard, NIST standards referenced (IT Security PPT presentation for faculty, staff, students, etc to “sell” the policies) Iowa State (was pending, but applied well to AU) Data Governance Committee, Data classification, Security Standards & Guidance Univ of Tennessee Institute for Agriculture (policies and procedures were pending) Scanning with Qualys - working toward NIST standard Texas A&M AgriLife/Extension (follow Aggie Standard Administrative Procedures) Servers are registered in an online app, scanned monthly with Nessus and reports provided to the registered server administrator. Administrators are also required to do a yearly risk assessment per university rule. The risk assessment is done via an online questionnaire. In addition any server that handles registration/payment has a quarterly PCI scan and remediation process. (Thank you, colleagues! Great information from extech mailing list, online, and personal e-mail.)
- 9. 4 Aspects of Server Standards In A Nutshell Server Registration Audit via multiple methods Data Classification Audit via Identity Finder NIST’s National Checklist Program Audit via CIS-CAT Patch at least CVSS levels 4 and 5 Audit via Qualys (and 3rd party tools like Nessus) Data Governance Committee to Audit Process, Policy, and Audits
- 10. Differences in Policy Cloud service agreement with vendors? OneDrive GoogleDocs Dropbox Evernote Guarantee for confidential data? This seemingly minor difference results in major implementation differences!
- 11. Other Tools Scanners Nessus Qualys (authenticated scans) Password Managers LastPass KeePass Secret Server Multifactor Authentication RSA Duo “Off-Campus” Scans
- 12. Questions? Thanks for attending! PS: “Dark Alleys of the Internet” Updated on Slideshare www.slideshare.net/gparmer/dark-alleys2015 Greg Parmer parmega@auburn.edu or gregparmer@gmail.com Jonathan Davis jdavis@auburn.edu
Hinweis der Redaktion
- Auburn University has implemented measures to strengthen the institution’s overall data security posture with a focus on protecting Personally Identifiable Information (PII). Join us to learn about some of the technical and human factors to consider for enhancing information security from the campus level to the desktop. http://www.aces.edu http://www.auburn.edu
- I was a system and network administrator whose job was to keep the people happy and provide IT solutions. When the bills for forensics and insurance start rolling in, the job becomes one of protecting data.
- First high-profile event: November 2013 Got the attention of university administration Luckily Auburn had cyber-insurance
- Challenges: Deploy quickly with little training and server config testing for so many computers Remediation by end-users – very time-intensive for them and for us to confirm Where to store PII that must be kept (grant forms, veteran’s outreach forms, etc.)
- First year was contracted out to SANS. Subsequent years will likely feature a homegrown solution tailored to our environment.
- Campus firewall and NAT are now being begged for. Attitude changed from “why do that?” to “why haven’t you already done that?” Aside: do you request firewall openings by port or by application?
- Morphed. There was no payoff for being certified so we managed to drop “certification” and create a standards program with a goal of meeting industry standards and a steadily improved security posture.
- With Extech and web searches we found a common theme of data security policies (primarily online, some via email) MIT - "Compliance with this Program will be reviewed as part of regularly scheduled operational and IT audits conducted by MIT's Audit Division." Texas A&M - An interesting side effect of these procedures has been a migration away from running local servers in departments to using VM platforms that we (AgriLife IT) offer as service to Extension, Research and our College departments. In that scenario we manage most of the security for them.
- NIST – National Institute of Standards and Technology CVE – Common Vulnerabilities and Exposures CIS – Center for Internet Security (-CAT Configuration Assessment Tool)
- Our agreement apparently does not guarantee private data. At least one other institution has an agreement that the cloud vendor will take responsibility for data exposure, so they are moving all confidential data to the cloud (at least within county extension offices).