UNYCC Information Security Discussion

Three part presentation on Higher Education information security practices presented by Rochester Institute of Technology's Jonathan Maurer, ISO, Ben Woelk, Program Manager, and Paul Lepkowski, Enterprise Information Security Lead Engineer

Presentation Transcript

  • UNYCC Information Security Discussion. Facilitated by Rochester Institute of Technology, February 24, 2014. Copyright © 2014 Rochester Institute of Technology.
  • Agenda
    • Policy: Jonathan Maurer, Information Security Officer
    • Security Awareness: Ben Woelk, Program Manager
    • Penetration Testing: Paul Lepkowski, Enterprise Information Security Lead Engineer
  • About RIT
    • RIT environment
      – 18,000 students
      – 3,500 faculty and staff
      – International locations
      – ~40,000+ systems on the network at any given time
      – Very skilled IT security students
    • RIT ISO
      – 4 full-time staff: Information Security Officer, Program Manager, Lead Security Engineer, Sr. Forensics Investigator
      – 4+ student employees (mix of co-op and part-time)
  • Information Security Policy. Jonathan Maurer, Information Security Officer, RIT Information Security Office, February 24, 2014
  • Agenda
    • Policy introduction
      – Architecture
      – Types of policies
      – Example components
    • Policy development
      – Ingredients
      – Processes
    • Discussion
  • Policy Introduction
    • Policy is the essential foundation of an effective information security program
    • Policy objectives
      – Reduced risk
      – Compliance with laws and regulations
      – Assurance of confidentiality, integrity and continuity of operations (availability)
    • Policies are the least expensive means of control and often the most difficult to implement
  • Policy Considerations
    • Basic rules for shaping a policy
      – Policy should never conflict with law
      – Policy must be able to stand up in court if challenged
      – Policy must be properly administered
    • Policies are important reference documents
      – For internal audits
      – For the resolution of legal disputes about management's due diligence
      – Policy documents can act as a clear statement of management's intent
  • Policy Architecture
    • Policies
      – Enterprise information security program policy
      – Issue-specific information security policies
    • Standards: a more detailed statement of what must be done to comply with policy
    • Practices: procedures and guidelines that explain how employees will comply with policy
  • Policies, Standards, & Practices
  • Enterprise Information Security Policy (EISP)
    • Sets strategic direction, scope, and tone for the organization's security efforts
    • Assigns responsibilities for the various areas of information security
    • Guides development, implementation, and management requirements of the information security program
  • Example EISP Components
    • Statement of purpose: an overview of the organizational philosophy on security
    • Information technology security elements: defines information security
    • Need for information technology security: justifies the importance of information security in the organization
    • Information technology security responsibilities and roles: defines the organizational structure
    • Reference to other information technology standards and guidelines
  • Issue-Specific Security Policy (ISSP)
    • Provides detailed, targeted guidance
      – Begins with an introduction to the fundamental technological philosophy of the organization
      – Instructs the organization in the secure use of technology systems
    • Protects the organization from inefficiency and ambiguity
      – Documents how the technology-based system is controlled
      – Identifies the processes and authorities that provide this control
    • Indemnifies the organization against liability for an employee's inappropriate or illegal system use
  • Example ISSP Components
    • Statement of purpose
      – Scope and applicability
      – Definition of technology addressed
      – Responsibilities
    • Authorized access and usage of equipment
      – User access
      – Fair and responsible use
      – Protection of privacy
    • Prohibited usage of equipment
      – Disruptive use or misuse
      – Criminal use
      – Offensive or harassing materials
      – Copyrighted, licensed or other intellectual property
      – Other restrictions
    • Systems management
      – Management of stored materials
      – Employer monitoring
      – Virus protection
      – Physical security
      – Encryption
    • Violations of policy
      – Procedures for reporting violations
      – Penalties for violations
    • Policy review and modification
      – Scheduled review of policy and procedures for modification
    • Limitations of liability
      – Statements of liability or disclaimers
  • Standards
    • A more detailed statement of what must be done to comply with policy
    • Articulate requirements for technology, people and processes
  • Practices
    • Procedures and guidelines explain how employees will comply with policy
    • Reasons to separate practices from standards:
      – They need to be known only by a small population
      – They require more frequent change than the review process allows
      – They give the Information Security Office room for professional judgment and discretion
      – They keep confidential details away from unauthorized parties
  • Policy Development
  • Policy Ingredients
    • External: laws, security standards, best practices, benchmarks
    • Internal: governance, strategy, management, environment, culture
    • Both feed the resulting policies, standards and practices
  • Planning: "Plans are meaningless, planning is everything." - Dwight Eisenhower
  • Policy Development Process (key activities > key deliverables)
    1. Organize: develop the governance process; clarify roles and responsibilities; fill roles with key stakeholders > structure and team
    2. Draft: determine goals; consider ingredients; write policies > draft policies
    3. Review: review as dictated by the governance process; identify issues, gaps and implications > revised policies
    4. Communicate: management support; distribution mechanisms; training and awareness > educated community
    5. Implement: resource prioritization and allocation; impacted organizations implement policies > compliance with policies
    Maintain (ongoing)
  • 3 Completely Different Processes
  • Key Learnings
  • RIT Key Learnings
    • Author to facilitator: role shift for the ISO during the process
    • Patience is a virtue (the tortoise and the hare): more heterogeneous = more complicated governance process
    • Short and simple: plain language, object-oriented
    • Communication is key: it means disseminated, read, understood, agreed-to, and uniformly enforced. Understanding > compliance
    • Exception process
  • Experiences of Other Universities and Colleges
  • Security Awareness and Training. Ben Woelk, Program Manager, RIT Information Security Office, February 24, 2014
  • Overview
    • Basic security awareness principles
    • What we're doing at RIT
    • What other colleges and universities are doing
  • EDUCAUSE Resources (EDUCAUSE HEISC A&T Working Group)
    • Cybersecurity Awareness Resource Library: https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
    • Security Awareness Quick Start Guide: https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
    • Security Awareness Detailed Instruction Manual: https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual
  • HEISC Quick Start Guide Overview
    1. Establish an information security program
    2. Develop a security awareness plan
    3. Adopt and modify "key messages"
    4. Establish a security awareness website
    5. Use HEISC awareness posters and videos
    6. Present "key messages" and campus resources in existing training venues
    7. Publish original or republish HEISC articles (or ads) in existing campus publications
    8. Participate in National Cyber Security Awareness Month (NCSAM)
    9. Measure the effectiveness of your program annually
    10. Automate services (feeds, etc.)
  • Establish an Information Security Program
    • Information Security Guide: Effective Practices and Solutions for Higher Education: https://wiki.internet2.edu/confluence/display/itsg2/Home
  • Develop a Security Awareness Plan
    • Components
      – Audience analysis
      – Key messages
      – Communications channels
      – Calendar of promotions
      – Develop relationships
  • Audience Analysis
    • Who are your audiences?
    • How do they communicate now?
  • Key Messages
    • Short and simple
  • Communications Channels
  • Calendar of Promotions
  • Education, Training & Awareness at RIT
    • Awareness
      – ISO website: comprehensive information on RIT information security
      – Social media: 6100 Facebook fans (320 posts), 1400 Twitter followers (270 tweets)
      – Phishing and poster campaigns
      – Alerts and advisories: approx. 20 annually
    • Training
      – New Student Orientation: all incoming students
      – Digital Self Defense training: hundreds of employees trained since inception
      – McAfee training: 10 IT staff trained
      – Incident handling and DR training
    • Education
      – GCCIS courses: Enterprise Security, Cyber Self Defense
      – FBI InfraGard meetings
      – Rochester Security Summit
  • RIT Infosec Website
  • RIT Social Media
  • Posters
  • Alerts and Advisories
  • Lightning Talks
  • Experiences of Other Universities and Colleges
  • Penetration Testing. Paul Lepkowski, CISM, CISSP, GIAC-GPEN, Enterprise Information Security Lead Engineer, RIT Information Security Office, February 24, 2014
  • Introduction
    • More focus on concepts, less on tools
    • Why pen test?
      – Goes deeper than vulnerability scans
      – Actually confirms whether systems can be penetrated
      – Verifies vulnerabilities instead of relying on unconfirmed scanner findings
      – Determines what data an attack might expose
  • Available Certifications
    • GIAC-GPEN
    • CEH
  • Pen Tests at RIT
    • Done on an arranged basis
    • Typically internal
    • Security reviews
    • Scheduled audits
    • Automated and manual methods
    • Using several methods and tools
      – Metasploit Pro
      – Core Impact (discontinued because of cost)
      – Kali Linux
  • Internal or External
    • Internal
      – Only if you have the skill set on staff
      – Certified staff
      – Done from the inside network
      – Some or significant knowledge about the network
      – Minimal recon phases needed
    • External
      – Expensive
      – May have more capabilities from off-campus
  • Pen Testing – Planning Areas
  • Pen Testing - Planning
    • Determine scope
    • Determine who performs the test
    • Non-disclosure agreement
    • Gather inventory
    • Determine schedule
    • Determine tools
    • Decide whether security controls stay on or are turned off for the test
    • Decide whether systems are tested as-is or patched first
  • Planning (cont'd)
    • Communication plan
    • Boundaries if penetration happens
    • Written permission
    • Plan of attack
    • System preparation
  • Implementation
    • Follow your plan
    • Be careful with improvising: legal and scope issues
    • If security control changes are needed (e.g. firewall rule changes), contact the owners of those controls
    • Fill out your checklist
    • Monitor the tests
  • Implementation (cont'd)
    • Be ready for phone calls/emails if testing causes problems
    • Need to be able to stop testing immediately if problems arise
    • Try to multi-task without creating extra noise
    • Exploitation? (decide beforehand how far a confirmed finding is taken)
    • Remember to close any firewall rules that were opened for the testing window!
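The planning and implementation slides above list decisions that are easy to get wrong under time pressure: the written scope, the agreed test window, and firewall rules opened for the test. The following is an added example, not code from the RIT presentation, showing one way to make those checks mechanical before a scan is launched. The scope, addresses, hostnames and times are constructed for illustration, and the firewall commands assume an iptables-based gateway.

```python
"""Scope and test-window guard for an arranged, internal penetration test.

Added example; not code from the RIT slides. It turns three planning
decisions from the deck into checks that run before any packet is sent:
the written scope (allow-list plus carve-outs), the agreed test window,
and temporary firewall openings that are always closed again. All
addresses, hostnames and times below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import subprocess
from contextlib import contextmanager
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterator


@dataclass(frozen=True)
class Scope:
    """The written, signed-off scope for one engagement."""
    allowed: tuple[str, ...]    # CIDR blocks or single addresses that may be tested
    excluded: tuple[str, ...]   # carve-outs that must never be touched, even inside `allowed`
    window_start: datetime      # agreed testing window (local time of the engagement)
    window_end: datetime


def check_target(scope: Scope, target: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason) for one target at time `now`.

    Hostnames are refused on purpose: DNS can point a name outside the agreed
    ranges, so the caller must resolve and re-check by address. Exclusions win
    over allow-list entries, and nothing is allowed outside the window.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target}: not an IP address; resolve it and re-check the address"
    if not scope.window_start <= now <= scope.window_end:
        return False, f"{target}: outside the agreed test window"
    for net in scope.excluded:
        if addr in ipaddress.ip_network(net, strict=False):
            return False, f"{target}: explicitly excluded by {net}"
    for net in scope.allowed:
        if addr in ipaddress.ip_network(net, strict=False):
            return True, f"{target}: in scope via {net}"
    return False, f"{target}: not in the written scope"


def plan_targets(scope: Scope, inventory: list[str], now: datetime) -> tuple[list[str], list[str]]:
    """Split an inventory into targets to test and rejection reasons to record in the report."""
    accepted: list[str] = []
    rejected: list[str] = []
    for target in inventory:
        ok, reason = check_target(scope, target, now)
        (accepted if ok else rejected).append(target if ok else reason)
    return accepted, rejected


def _run_privileged(argv: list[str]) -> None:
    """Default executor: run the firewall command for real (requires root on the gateway)."""
    subprocess.run(argv, check=True)


@contextmanager
def temporary_allow(tester_ip: str, target_ip: str, port: int,
                    run: Callable[[list[str]], None] = _run_privileged) -> Iterator[None]:
    """Open one iptables FORWARD rule for the test and remove it on exit.

    The `finally` guarantees the rule is deleted even if the test raises or is
    aborted, which is the "close any open firewall rules" reminder made
    mechanical. `run` is injectable so the logic can be exercised without root.
    Assumes an iptables-based gateway; adapt the argv for other firewalls.
    """
    rule = ["-s", tester_ip, "-d", target_ip, "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"]
    run(["iptables", "-I", "FORWARD", "1", *rule])
    try:
        yield
    finally:
        run(["iptables", "-D", "FORWARD", *rule])


# Constructed engagement data (not real RIT addresses or schedules).
SCOPE = Scope(
    allowed=("10.20.0.0/16", "192.0.2.10"),
    excluded=("10.20.5.0/24",),            # e.g. a segment holding student records
    window_start=datetime(2014, 2, 24, 18, 0),
    window_end=datetime(2014, 2, 25, 6, 0),
)
INVENTORY = ["10.20.1.15", "10.20.5.7", "192.0.2.10", "172.16.0.9", "web01.example.edu"]
IN_WINDOW = datetime(2014, 2, 24, 22, 30)
AFTER_WINDOW = datetime(2014, 2, 25, 9, 0)

if __name__ == "__main__":
    accepted, rejected = plan_targets(SCOPE, INVENTORY, IN_WINDOW)
    print("test:", accepted)
    for reason in rejected:
        print("skip:", reason)
    # Dry run of the firewall window: record the commands instead of executing them.
    log: list[list[str]] = []
    with temporary_allow("10.20.1.200", accepted[0], 443, run=log.append):
        pass  # the actual scan would run here
    for argv in log:
        print(" ".join(argv))
```

Run as a script it prints the two in-scope targets, the three rejection reasons (the carve-out, the address outside the ranges, and the unresolved hostname), and the insert/delete pair for the firewall rule. The rejection reasons are kept as strings because they belong in the report's scope section, and the hostname refusal is deliberate: checking names rather than resolved addresses is one of the ways "improvising" drifts out of scope.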
  • Reporting
    • Who
      – Customer
      – ISO
      – Audit?
    • What
      – Introduction
      – Scope
      – Tested systems / applications
      – Results
  • Reporting (cont'd)
    • Risks
      – Penetrations?
        • How
        • What data was accessed
        • Could data be viewed, modified, deleted, moved
        • System integrity
        • Listener left behind?
        • Payload (malware) installed?
  • Reporting (cont'd)
    • Suggested remediations / prevention
      – Patch
      – Configuration
      – Policies
      – Additional security controls
    • Timing
      – Issue the report right away, depending on the severity of the issues
  • Experiences of Other Universities and Colleges