UNYCC Information Security Discussion
Ben Woelk, CISSP, CPTC
Copyright © 2014 Rochester Institute of Technology

UNYCC Information Security Discussion
Facilitated by Rochester Institute of Technology
February 24, 2014
Agenda
• Policy
  – Jonathan Maurer, Information Security Officer
• Security Awareness
  – Ben Woelk, Program Manager
• Penetration Testing
  – Paul Lepkowski, Enterprise Information Security Lead Engineer
About RIT
• RIT Environment
  – 18,000 students
  – 3,500 faculty and staff
  – International locations
  – ~40,000+ systems on the network at any given time
  – Very skilled IT security students
• RIT ISO
  – 4 full time
    • Information Security Officer
    • Program Manager
    • Lead Security Engineer
    • Sr. Forensics Investigator
  – 4+ student employees
    • Mix of co-op and part-time
Information Security Policy
Jonathan Maurer, Information Security Officer
RIT Information Security Office
February 24, 2014
Agenda
• Policy Introduction
• Architecture
• Types of Policies
• Example Components
• Policy Development
• Ingredients
• Processes
• Discussion
Policy Introduction
• Policy is the essential foundation of an effective information security program
• Policy objectives
  – Reduced risk
  – Compliance with laws and regulations
  – Assurance of confidentiality, integrity and continuity of operations (availability)
• Policies are the least expensive means of control and often the most difficult to implement
Policy Considerations
• Basic rules for shaping a policy
  – Policy should never conflict with law
  – Policy must be able to stand up in court if challenged
  – Policy must be properly administered
• Policies are important reference documents
  – For internal audits
  – For the resolution of legal disputes about management's due diligence
  – Policy documents can act as a clear statement of management's intent
Policy Architecture
• Policies
  – Enterprise information security program policy
  – Issue-specific information security policies
• Standards
  – A more detailed statement of what must be done to comply with policy
• Practices
  – Procedures and guidelines explain how employees will comply with policy

Policies, Standards, & Practices (figure)
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of the information security program
Example EISP Components
• Statement of purpose
  – An overview of the organizational philosophy on security
• Information technology security elements
  – Defines information security
• Need for information technology security
  – Justifies the importance of information security in the organization
• Information technology security responsibilities and roles
  – Defines organizational structure
• Reference to other information technology standards and guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
  – Begins with an introduction to the fundamental technological philosophy of the organization
  – Instructs the organization in the secure use of technology systems
• Protects the organization from inefficiency and ambiguity
  – Documents how the technology-based system is controlled
  – Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use
Example ISSP Components
• Statement of Purpose
  – Scope and applicability
  – Definition of technology addressed
  – Responsibilities
• Authorized Access and Usage of Equipment
  – User access
  – Fair and responsible use
  – Protection of privacy
• Prohibited Usage of Equipment
  – Disruptive use or misuse
  – Criminal use
  – Offensive or harassing materials
  – Copyrighted, licensed or other intellectual property
  – Other restrictions
• Systems Management
  – Management of stored materials
  – Employer monitoring
  – Virus protection
  – Physical security
  – Encryption
• Violations of Policy
  – Procedures for reporting violations
  – Penalties for violations
• Policy Review and Modification
  – Scheduled review of policy and procedures for modification
• Limitations of Liability
  – Statements of liability or disclaimers
Standards
• A more detailed statement of what must be done to comply with policy
• Articulate requirements for Technology, People and Processes
Practices
• Procedures and guidelines explain how employees will comply with policy
• Reasons to separate out practices from standards:
  – The content needs to be known by only a small population
  – It requires more frequent change than review processes allow
  – It leaves the Information Security Office professional judgment and discretion
  – It protects confidential details from unauthorized parties
Policy Development
Policy Ingredients
External
• Laws
• Security Standards
• Best Practices
• Benchmarks
Internal
• Governance
• Strategy
• Management
• Environment
• Culture

Policies, Standards and Practices
Planning
“Plans are meaningless, planning is everything.”
- Dwight Eisenhower
Process > Output

1. ORGANIZE
   Key Activities: Develop governance process; Clarify roles and responsibilities; Fill roles with key stakeholders
   Key Deliverable: Structure and team
2. DRAFT
   Key Activities: Determine goals; Consider ingredients; Write policies
   Key Deliverable: Draft policies
3. REVIEW
   Key Activities: Review as dictated by governance process; Identify issues, gaps and implications
   Key Deliverable: Revised policies
4. COMMUNICATE
   Key Activities: Management support; Distribution mechanisms; Training & awareness
   Key Deliverable: Educated community
5. IMPLEMENT
   Key Activities: Resource prioritization and allocation; Impacted organizations implement policies
   Key Deliverable: Compliance with policies

Then: Maintain
3 Completely Different Processes (figure)

Key Learnings
RIT Key Learnings
• Key Learnings
  – Author to Facilitator
    • Role shift for the ISO during the process
  – Patience is a virtue
    • Tortoise and the Hare
    • More heterogeneous = more complicated governance process
  – Short and Simple
    • Plain language
    • Object-oriented
  – Communication is key
    • Means disseminated, read, understood, agreed-to, and uniformly enforced. Understanding > Compliance
    • Exception process
Experiences of Other Universities and Colleges
Security Awareness and Training
Ben Woelk, Program Manager
RIT Information Security Office
February 24, 2014
Overview
• Basic security awareness principles
• What we’re doing at RIT
• What other colleges and universities are doing
EDUCAUSE Resources
• EDUCAUSE HEISC A&T Working Group
• Cybersecurity Awareness Resource Library
  – https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• Security Awareness Quick Start Guide
  – https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
• Security Awareness Detailed Instruction Manual
  – https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual
HEISC Quick Start Guide Overview
1. Establish an Information Security Program
2. Develop a Security Awareness Plan
3. Adopt and Modify “Key Messages”
4. Establish a Security Awareness Website
5. Use HEISC Awareness Posters and Videos
6. Present “Key Messages” and Campus Resources in Existing Training Venues
7. Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications
8. Participate in National Cyber Security Awareness Month (NCSAM)
9. Measure the Effectiveness of Your Program Annually
10. Automate Services (Feeds, etc.)
Establish an Information Security Program
• Information Security Guide: Effective Practices and Solutions for Higher Education
  – https://wiki.internet2.edu/confluence/display/itsg2/Home
Develop a Security Awareness Plan
• Components
  – Audience analysis
  – Key messages
  – Communications channels
  – Calendar of promotions
  – Develop relationships
Audience Analysis
• Who are your audiences?
• How do they communicate now?

Key Messages
• Short and simple

Communications Channels (figure)

Calendar of Promotions (figure)
Education, Training & Awareness

Awareness
• ISO Website
  - Comprehensive information on RIT Information Security
• Social Media
  - 6100 Facebook fans (320 posts)
  - 1400 Twitter followers (270 tweets)
• Phishing and Poster Campaigns
• Alerts / Advisories
  - Approx. 20 annually

Training
• New Student Orientation
  - All incoming students
• Digital Self Defense Training
  - Hundreds of employees trained since inception
• McAfee Training
  - 10 IT staff trained
• Incident Handling and DR Training

Education
• GCCIS Courses
  - Enterprise Security
  - Cyber Self Defense
• FBI InfraGard Meetings
• Rochester Security Summit
RIT Infosec Website (figure)

RIT Social Media (figure)

Posters (figure)

Alerts and Advisories (figure)

Lightning Talks (figure)

Experiences of Other Universities and Colleges
Penetration Testing
Paul Lepkowski, CISM, CISSP, GIAC-GPEN
Enterprise Information Security Lead Engineer
RIT Information Security Office
February 24, 2014
Introduction
• More focus on concepts and not as much on tools
• Why pen test?
  – Deeper than vulnerability scans
  – Actually confirm whether systems may be penetrable
  – Verify vulnerabilities
  – Determine what data an attack might expose
Available Certifications
• GIAC-GPEN
• CEH

Pen Tests at RIT
• Done on an arranged basis
• Typically internal
• Security reviews
• Scheduled audits
• Automated and manual methods
• Using several methods and tools
  – Metasploit Pro
  – Core Impact (discontinued because of cost)
  – Kali Linux
Internal or External
• Internal
  – Only if you have the skill set on staff
  – Certified staff
  – Done from the inside network
  – Some or significant knowledge about the network
  – Minimal recon phases needed
• External
  – Expensive
  – May have more capabilities from off-campus

Pen Testing – Planning Areas (figure)
Pen Testing – Planning
• Determine scope
• Determine who
• Non-disclosure agreement
• Gather inventory
• Determine schedule
• Determine tools
• Determine whether security controls should be on or off
• Decide whether systems are tested as-is or patched beforehand

Planning (cont’d)
• Communication plan
• Boundaries if penetration happens
• Written permission
• Plan of attack
• System preparation
Implementation
• Follow your plan
• Be careful with improvising: legal and scope issues?
• If security control changes are needed (e.g. firewall rule changes), contact the owners of those controls
• Fill out your checklist
• Monitor the tests

Implementation (cont’d)
• Be ready for phone calls/emails if testing causes problems
• Need to be able to stop testing immediately if problems arise
• Try to multi-task without creating extra noise
• Exploitation?
• Remember to close any firewall rules that were opened for the testing window!
Reporting
• Who
  – Customer
  – ISO
  – Audit?
• What
  – Introduction
  – Scope
  – Tested systems / applications
  – Results

Reporting (cont’d)
• Risks
  – Penetrations?
    • How
    • What data was accessed
    • Could data be viewed, modified, deleted, moved?
    • System integrity
    • Listener?
    • Payload (malware) install?

Reporting (cont’d)
• Suggested remediations / prevention
  – Patch
  – Configuration
  – Policies
  – Additional security controls
• Timing
  – Issue the report right away, depending on the severity of the issues

Experiences of Other Universities and Colleges
  • 24. Copyright © 2014 Rochester Institute of Technology Experiences of Other Universities and Colleges
Security Awareness and Training
Ben Woelk
Program Manager
RIT Information Security Office
February 24, 2014
Overview
• Basic Security Awareness Principles
• What we're doing at RIT
• What other colleges and universities are doing
EDUCAUSE Resources
• EDUCAUSE HEISC A&T Working Group
• Cybersecurity Awareness Resource Library
– https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library
• Security Awareness Quick Start Guide
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Quick+Start+Guide
• Security Awareness Detailed Instruction Manual
– https://wiki.internet2.edu/confluence/display/itsg2/Security+Awareness+Detailed+Instruction+Manual
HEISC Quick Start Guide Overview
1. Establish an Information Security Program
2. Develop a Security Awareness Plan
3. Adopt and Modify "Key Messages"
4. Establish a Security Awareness Website
5. Use HEISC Awareness Posters and Videos
Quick Start Guide (cont'd)
6. Present "Key Messages" and Campus Resources in Existing Training Venues
7. Publish Original or Republish HEISC Articles (or Ads) in Existing Campus Publications
8. Participate in National Cyber Security Awareness Month (NCSAM)
9. Measure the Effectiveness of Your Program Annually
10. Automate Services (Feeds, etc.)
Establish an Information Security Program
• Information Security Guide: Effective Practices and Solutions for Higher Education
– https://wiki.internet2.edu/confluence/display/itsg2/Home
Develop a Security Awareness Plan
• Components
– Audience analysis
– Key messages
– Communications channels
– Calendar of promotions
– Develop relationships
Audience Analysis
• Who are your audiences?
• How do they communicate now?
Key Messages
• Short and Simple
Communications Channels
Calendar of Promotions
Education, Training & Awareness (the slide arranges these activities across Awareness, Training and Education columns)
• ISO Website – Comprehensive information on RIT Information Security
• New Student Orientation – All incoming students
• GCCIS Courses – Enterprise Security; Cyber Self Defense
• Social Media – 6100 Facebook fans (320 posts); 1400 Twitter followers (270 tweets)
• Digital Self Defense Training – Hundreds of employees trained since inception
• FBI InfraGard Meetings
• Phishing and Poster Campaigns
• McAfee Training – 10 IT staff trained
• Rochester Security Summit
• Alerts / Advisories – Approx. 20 annually
• Incident Handling and DR Training
RIT Infosec Website
RIT Social Media
Posters
Alerts and Advisories
Lightning Talks
Experiences of Other Universities and Colleges
Penetration Testing
Paul Lepkowski, CISM, CISSP, GIAC-GPEN
Enterprise Information Security Lead Engineer
RIT Information Security Office
February 24, 2014
Introduction
• More focus on concepts and not as much on tools
• Why pen test?
– Deeper than vulnerability scans
– Confirms whether systems are actually penetrable
– Verifies vulnerabilities
– Determines what data an attack might expose
Available Certifications
• GIAC-GPEN
• CEH
Pen Tests at RIT
• Done on an arranged basis
• Typically internal
• Security reviews
• Scheduled audits
• Automated and manual methods
• Using several methods and tools
– Metasploit Pro
– Core Impact (discontinued because of cost)
– Kali Linux
Internal or External
• Internal
– Only if you have the skillset on staff
– Certified staff
– Done from the inside network
– Some or significant knowledge about the network
– Minimal recon phases needed
• External
– Expensive
– May have more capabilities from off-campus
Pen Testing – Planning Areas
Pen Testing – Planning
• Determine scope
• Determine who
• Non-disclosure agreement
• Gather inventory
• Determine schedule
• Determine tools
• Determine whether security controls should be on or off
• Determine whether systems are tested as-is or patched first
Planning (cont'd)
• Communication plan
• Boundaries if penetration happens
• Written permission
• Plan of attack
• System preparation
Implementation
• Follow your plan
• Be careful with improvising – legal and scope issues?
• If security control changes are needed (e.g., firewall rule changes), contact the people responsible for those controls
• Fill out your checklist
• Monitor the tests
Implementation (cont'd)
• Be ready for phone calls/emails if testing causes problems
• Need to be able to stop testing immediately if problems arise
• Try to multi-task without creating extra noise
• Exploitation?
• Remember to close any firewall rules that were opened for the testing window!
Reporting
• Who
– Customer
– ISO
– Audit?
• What
– Introduction
– Scope
– Tested systems / applications
– Results
Reporting (cont'd)
• Risks
– Penetrations?
• How
• What data was accessed
• Could data be viewed, modified, deleted, moved?
• System integrity
• Listener?
• Payload (malware) install?
Reporting (cont'd)
• Suggested remediations / prevention
– Patch
– Configuration
– Policies
– Additional security controls
• Timing
– Issue the report right away, depending on the severity of the issues
Experiences of Other Universities and Colleges