Data security prep for the holidays, or how not to go dark on Black Friday
Speaker note: Lots of good examples of policy available. Technology is good and rapidly improving. ATE is the weakest component in my opinion.
  • Stephen Cobb
1. Stealing Christmas
   Dr. Curtis A. Carver Jr., Vice Chancellor and CIO, Board of Regents

2. Agenda
   • Policy, ATE, technology, oh my!
   • Landscape
   • What to do now?
   • Questions, Comments, a Conversation
3. Necessary Components
   Policy, awareness, training, and education (ATE), and technology must form the core of your security program. All three are necessary.

4. Landscape (Policy)
   • Many policies and policy frameworks are available.
     – COBIT
     – ISO 27000 series
     – ITIL
     – NIST
   • Pick one and execute it as a first step.
   • College courses in security policy are available.

5. Perhaps Not this Policy

6. Technology
   • Technology is getting better rapidly.
   • It is necessary but not sufficient.
   • The attack vector is shifting away from technical hacks toward social engineering.
   • Technology is not very good at preventing social engineering.
7. Recent Example: UGA
   • 8,500 staff and students
   • Slow, deliberate social engineering attack
   • Answers to "secret" questions found on Facebook.

8. Another Example: South Carolina
   Governor Nikki Haley: "This is not a good day for South Carolina." October 27, 2012.
   Three quarters of the state's citizens affected.
   "The cost is also going to be enormous, given that South Carolina may be required to pay for identity theft protection services for anyone who has paid taxes in South Carolina since 1998."
9. Landscape
   • Attacks are increasing.
   • Attacks are increasingly complex.
   • Education, training and awareness are becoming increasingly important.

10. Normal versus Abnormal? Three Questions
   • What is normal for my organization?
   • What is abnormal?
   • What do I do if something abnormal occurs?

11. Awareness, Training, and Education
   Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/

12. Three Examples
   • Accountability Plus
   • Carronade
   • IT SAMI
13. Accountability Plus
   [Chart: Incident Count versus Time]
   Issue: In a five month period this year, 23% of helpdesk incidents were computer abuse. This represents a 255% increase over the same period last year.

14. Computer Abuse Process
   • Computer incident occurs
   • Help Desk notified
   • Institution notified
   • Help Desk follows up after 5 days
   • Help Desk ticket closed out by Help Desk
   What is wrong with this process?

15. Accountability Plus
   • Actions Taken:
     – Incidents characterized as high, medium, or low impact.
     – Processes redefined to escalate resolution of these cases to the President's boss.
     – New processes go into effect on 9 April.
   • Importance to USG Presidents: A telephone call from the USG CIO indicates that four days remain until the case is forwarded to USG senior leadership.
   Footer: Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet

16. Rest of the Story and Two Years Later...
   • Rest of the Story: I told the presidents that if I ever call them, their first step should be to fire the institutional CIO.
   • Two Years Later:
     – The computer abuse line is linear, not exponential.
     – I have not called a President... yet.
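The Accountability Plus slides rest on two numbers: a 255% same-period increase at the start, and the claim two years later that the abuse line is "linear, not exponential". The Python below is an added example, not part of the deck or any USG tool, showing one way to compute both checks from monthly helpdesk counts: a same-period percentage change, and a comparison of a straight-line fit on the raw counts against a straight-line fit on their logs (an exponential series is a straight line in log space). The monthly series, the five-month window and all function names are constructed assumptions.

```python
"""Trend checks for helpdesk incident counts (added example, not from the
slides). The monthly series below are constructed, not USG data."""
import math

# Constructed: computer-abuse incidents per month, January..December,
# for two consecutive years (assumption for illustration only).
LAST_YEAR = [4, 5, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]
THIS_YEAR = [15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26]


def percent_increase(current, previous):
    """Percentage change from previous to current, e.g. 20 -> 71 is +255%.
    The subtraction is done before the division so exact ratios stay exact."""
    if previous <= 0:
        raise ValueError("previous period must be positive")
    return (current - previous) * 100 / previous


def same_period_increase(this_year, last_year, months=5):
    """Compare the first `months` months of two years, as the slide did
    for its five-month window."""
    return percent_increase(sum(this_year[:months]), sum(last_year[:months]))


def _r_squared(xs, ys):
    """Coefficient of determination of an ordinary least-squares line."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - my) ** 2 for y in ys)
    return 1.0 if ss_tot == 0 else 1.0 - ss_res / ss_tot


def trend_shape(counts):
    """Classify a monthly series as 'linear' or 'exponential'.

    One line is fitted to the raw counts and another to their natural
    logs; whichever fit explains more variance wins (ties go to linear).
    Zero counts are rejected because log(0) is undefined."""
    if len(counts) < 3:
        raise ValueError("need at least three months")
    if min(counts) <= 0:
        raise ValueError("exponential fit needs strictly positive counts")
    xs = list(range(len(counts)))
    r2_linear = _r_squared(xs, counts)
    r2_exp = _r_squared(xs, [math.log(c) for c in counts])
    return "exponential" if r2_exp > r2_linear else "linear"


if __name__ == "__main__":
    print(f"5-month change: {same_period_increase(THIS_YEAR, LAST_YEAR):.0f}%")
    print("24-month trend:", trend_shape(LAST_YEAR + THIS_YEAR))
```

The point of the second check is that a series that doubles every few months will fit the log-space line far better than the raw-space line; a series that adds a roughly constant number of incidents each month does the opposite. Run it each semester over the same window so the comparison is like for like.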
17. Carronade
   • Issue: The longer students are at our institution, the more susceptible they are to phishing attacks.
   • Issue 2:
     – Death by PowerPoint training, version 1, failed.
     – Death by PowerPoint training, version 2, failed.

18. Carronade Hypothesis
   • Have the students launch spear phishing attacks against each other in a controlled manner.
   • Have students remediate other students.
   • Don't tell the technical staff when it will happen.
   • Do it every semester.

19. Typical Email

20. Problems with Typical Email

21. Carronade Results

22. Two Years Later...
23. IT-SAMI Inspection Sheet
   Cadet Name / Company / Year / Inspector Name
   Best in BDE. Best Regiment: 86.13. Best Company: 95.00. Worst Regiment: 75.00. Worst Company: 53.50.

   Category                  Item                                         Points
   AD-AWARE                  Installed?                                   No, -30
                             Check updates                                >= 1 week old, -05; >= 3 weeks, -10; >= 1 month, -20
                             Last system scan                             >= 1 week old, -05; >= 3 weeks, -10; >= 1 month, -20
                             Scan results                                 For each process, -10; for every 20 additional items, -05
   DEFRAGMENT                Analyze system suggested?                    Yes, -10
   ADD/REMOVE PROGRAM LIST   Wild Tangent                                 Yes, -10
                             Weather Bug                                  Yes, -10
                             Well known file sharing                      Yes, -20/item
   BROWSER HEALTH            Search bar other than Google                 Yes, -10
   VIRUSES                   Definition files                             >= 1 week old, -05; >= 3 weeks, -10; >= 1 month, -20
   SYSTEM DATA               Space remaining on C-drive                   < 20%, -10
                             Majority of academic data stored on C-drive  Yes, -20
   4/7/2013 11:26 AM

24. Saturday AM Inspection (IT SAMI)
   In the hallways, cadets stand inspection of their military equipment. In their rooms, cadets stand inspection of their computers.
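To make the inspection sheet on slide 23 repeatable, the deductions can be applied mechanically. The Python below is an added example, not the Corps' or the institution's own tool: it scores one machine against the sheet, applying the three-tier age deduction that the sheet reuses for Ad-Aware updates, the last scan and antivirus definitions, the per-process and per-20-items scan deductions, and the per-item file-sharing deduction, starting from 100 and flooring at 0. "One month" is taken as 30 days and "three weeks" as 21 days; those, the field names and the inspection records are constructed assumptions.

```python
"""IT-SAMI style scorer (added example; not the Corps' own sheet logic).
Deductions follow the inspection sheet; 'one month' = 30 days and
'three weeks' = 21 days are assumptions."""
from dataclasses import dataclass

# (threshold in days, points deducted), checked from oldest to newest
AGE_TIERS = ((30, 20), (21, 10), (7, 5))


def age_deduction(days_old, tiers=AGE_TIERS):
    """Sheet rule shared by Ad-Aware updates, last scan and AV definitions:
    >= 1 month -20, >= 3 weeks -10, >= 1 week -05, otherwise 0."""
    for threshold, points in tiers:
        if days_old >= threshold:
            return points
    return 0


@dataclass
class Inspection:
    """One inspected computer; fields mirror the rows of the sheet
    (constructed record format, defaults describe a clean machine)."""
    adaware_installed: bool = True
    adaware_update_age_days: int = 0
    adaware_scan_age_days: int = 0
    scan_processes_found: int = 0
    scan_other_items_found: int = 0
    defrag_suggested: bool = False
    wild_tangent: bool = False
    weather_bug: bool = False
    file_sharing_apps: int = 0
    search_bar_not_google: bool = False
    av_definition_age_days: int = 0
    c_drive_free_percent: float = 100.0
    academic_data_on_c: bool = False


def deductions(insp):
    """Return the non-zero (reason, points) deductions for one machine."""
    found = []
    if not insp.adaware_installed:
        found.append(("Ad-Aware not installed", 30))
    else:
        # The update/scan rows only make sense when the tool is present.
        found.append(("Ad-Aware updates", age_deduction(insp.adaware_update_age_days)))
        found.append(("Ad-Aware last scan", age_deduction(insp.adaware_scan_age_days)))
        found.append(("Ad-Aware scan: processes", 10 * insp.scan_processes_found))
        found.append(("Ad-Aware scan: items", 5 * (insp.scan_other_items_found // 20)))
    found.append(("Defragment suggested", 10 if insp.defrag_suggested else 0))
    found.append(("Wild Tangent", 10 if insp.wild_tangent else 0))
    found.append(("Weather Bug", 10 if insp.weather_bug else 0))
    found.append(("File sharing", 20 * insp.file_sharing_apps))
    found.append(("Non-Google search bar", 10 if insp.search_bar_not_google else 0))
    found.append(("AV definitions", age_deduction(insp.av_definition_age_days)))
    found.append(("C: free space < 20%", 10 if insp.c_drive_free_percent < 20 else 0))
    found.append(("Academic data on C:", 20 if insp.academic_data_on_c else 0))
    return [(reason, pts) for reason, pts in found if pts]


def score(insp):
    """Score out of 100. The sheet's deductions can exceed 100, so floor at 0."""
    return max(0, 100 - sum(pts for _, pts in deductions(insp)))


if __name__ == "__main__":
    clean = Inspection()
    rough = Inspection(adaware_update_age_days=8, adaware_scan_age_days=25,
                       scan_processes_found=2, scan_other_items_found=45)
    print(score(clean), score(rough), deductions(rough))
```

Keeping the reasons alongside the points is what makes the inspection useful for remediation: the cadet sees which row cost them, not just the total.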
25. Stealing Christmas
   • The threat of organized crime and nation states attacking your personal information is real. The Grinch is alive and well.
   • Give your organization the gifts of a strong security policy program, strong technology, and a strong education program.
   • Think outside the box in educating, training and rewarding your organization.

26. Questions, Comments, a Conversation
   Dr. Curtis A. Carver Jr., Vice Chancellor and CIO, Board of Regents
