Lots of good examples of policy available.Technology is good and rapidly improving.ATE is the weakest component in my opinion.
“Data security prep for the holidays or how not to go dark on black friday
Stealing Christmas Dr. Curtis A. Carver Jr. Vice Chancellor and CIO Board of Regents
Agenda• Policy ATE technology, oh my!• Landscape• What to do now?• Questions, Comments, a Conversation
Necessary ComponentsPolicy, awareness,training, and education(ATE), and technologymust form the core ofyour security program. Allthree are necessary.
Landscape (Policy)• Many policy or policy frameworks are available. – COBIT – ISO 27000 series – ITIL – NIST• Pick one and execute as a first step.• College courses in security policy are available.
Technology• Technology is getting better rapidly.• It is necessary but not sufficient.• Attack vector is shifting away from hacks to social engineering.• Technology is not so good at preventing social engineering.
Recent Example: UGA• 8,500 staff and students• Slow, deliberate social engineering attack• Answers to “secret” questions found on Facebook.
Another Example: South Carolina Governor Nikki Haley, “This is not a good day for South Carolina.”October 27, 2012 3/4ths of state citizens affected. “The cost is also going to be enormous, given that South Carolina may be required to pay for identity theft protection services for anyone who has paid taxes in South Carolina since 1998,”
Landscape• Attacks are increasing.• Attacks are increasingly complex.• Education, training and awareness becoming increasingly important.
Normal versus Abnormal?Three Questions• What is normal for my organization?• What is abnormal?• What do I do if something abnormal occurs?
Awareness, Training, and Education Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
Three Examples• Accountability Plus• Carronade• IT SAMI
Accountability PlusIncident Count Issue: In a five month period this year, 23% of helpdesk incidents were computer abuse. This represents a 255% increase over the same period last year Time
Computer Abuse Process• Computer incident occurs What is• Help Desk Notified wrong with this process?• Institution notified• Help Desk Follows Up after 5 days• Help Desk Ticket closed out by Help Desk
Accountability Plus • Actions Taken: – Incidents characterized as high, medium, or low impact. – Processes redefined to escalate resolution of these cases to the President’s boss. – New processes go into effect on 9 April. • Importance to USG Presidents: A telephone call from USG CIO is indicative of four days remaining until the case is forwarded to USG senior leadership.Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet
Rest of the Story and Two Years Later… • Rest of the Story: I told the presidents that if I ever call them, their first step should be to fire the institutional CIO. • Two Years Later: – The computer abuse line is linear – not exponential. – I have not called a President…yet.Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet
Carronade• Issue: The longer students are at our institution, the more susceptible they are to phishing attacks.• Issue 2: – Death by PowerPoint training version 1 failed. – Death by PowerPoint training version 2 failed.
Carronade Hypothesis• Have the students launch spear phishing attacks against each other in a controlled manner.• Have students remediate other students.• Don’t tell the technical staff when it will happen.• Do it every semester.
IT-SAMI INSPECTION SHEET Best In BDECadet Name Company Year Inspector NameCategory ITEM POINTS Best Regiment: 86.13AD-AWARE INSTALLED? NO, CHECK UPDATES >= 1 WEEK OLD, -30 - 05 Best Company: 95.00 >=3 WEEKS, -10 >= 1 MONTH, - 20 Worst Reg: 75.00 LAST SYSTEM SCAN >= 1 WEEK OLD, - 05 >=3 WEEKS, >= 1 MONTH, -10 - 20 Worst Company: 53.50 SCAN RESULTS For each process -10 For every 20 additional items, -05DEFRAGEMENT ANALYZE SYSTEM SUGGESTED? YES, -10ADD/REMOVE PROGRAM LIST WILD TANGENT YES, -10 WEATHER BUG YES, -10 WELL KNOWN FILE SHARING YES, -20/itemBROWSER HEALTH SEARCH BAR OTHER THAN GOOGLE YES, -10VIRUSES DEFENITION FILES >= 1 WEEK OLD, -5 >=3 WEEKS, -10 >= 1 MONTH, - 20SYSTEM DATA SPACE REMAINING ON C-DRIVE < 20%, -10 MAJORITY OF ACDEMIC DATA STORED ON C-DRIVE YES, -204/7/2013 11:26 AM 23
Saturday AM Inspection (IT SAMI) In the hallways, cadets stand inspection of their military equipment. In their rooms, cadets stand inspection of their computers. 4/7/2013 11:26 AM 24
Stealing Christmas• The threat of organized crime and nation states attacking your personal information is real. Grinch is alive and well.• Give your organization the gifts of a strong security policy program, strong technology, and a strong education program.• Think outside the box in educating, training and rewarding your organization.
Questions, Comments, a Conversation Dr. Curtis A. Carver Jr. Vice Chancellor and CIO Board of Regents