MIS

1. Managing Information Security
Information Security Office
Toni Frank & Barry Tracy CISA/CISM

2. Agenda
Starter Questions
Information Security Objectives
Security Domains
Standards and Laws
Security Best Practices
Protecting Data
Working in Information Security
Resources
Scenarios

3. Starter Questions
What do you want to do after graduation?
What’s the purpose of IT in an organization?
What is security’s role in an organization?
Why is security important?
Whose job is security?
To whom or what is security beholden?

4. Defining Information Security
C.I.A. Triad - Protecting information
and systems from unauthorized :
 Access
 Use
 Disclosure
 Disruption
 Modification
 Perusal
 Inspection
 Recording
 Destruction

5. 1. Security and Risk Management
2. Asset Security
3. Security Architecture and Engineering
4. Communications and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security
(ISC)2
CISSP Security Domains

6. Standards and Laws
Standards
• ISO/IEC 27000 series
• NIST SP 800 series
• Payment Card Industry (PCI/DSS)
Laws
• Texas Administrative Code (TAC 202)
• Health Insurance Portability and Accountability Act (HIPAA)
• Family Education Rights and Privacy Act (FERPA)
• Breach notification laws (in 46+ states)
• GDPR - EU

7. 1. Threat – Something that could cause harm
2. Vulnerability – A weakness or deficiency
3. Exploit – Use of a vulnerability to actualize a threat
4. Event – Observed or suspected deviation from expected operations
5. Incident – Actual compromise of C/I/A or policy violation
6. Risk – Quantifiable or qualifiable measurement of “what could go
wrong?” Often calculated as Risk = Probability x Impact
Terms

8. Phishing & Social Engineering
• Affects practically all enterprises in all industries
• Threat actors have many different methods and goals
Ransomware
• Different groups seek different targets
• Ransomware now handled as data breach
Unpatched Systems
• Many vulnerabilities published in last few years
• Unpatched systems make it way easier for threat actors
Third-Party Vendor Compromise
• Industry shift to “the cloud” often means less control
• The cloud is just other computers
Threats

9. Where Do Threats Come From?
Schudel & Smith (Cisco), 2008
Cybersecurity Threats
Human
Malicious
Attacker/outside
hacker
Insider /
employee threat
Non-malicious
Ignorance or
accident
Natural Disasters
Floods, fires,
earthquakes,
hurricanes,
blizzards
Threats can be human or not,
intentional or not, but they all pose a
danger to the confidentiality, integrity,
and availability (CIA) of data.

10. Security Best Practices
There is no governing body for all security domains

11. Update OS Update Applications
Patch vulnerabilities

12. Password Hygiene

13. Use strong passwords
•Simple passwords can be guessed. Make
passwords at least
•16 characters long, random and unique for each
account.
•Use a password manager, a secure program
that maintains
•and creates passwords. This easy-to-use
program will store
•passwords and fill them in automatically on the
web.

14. Use a Password Manager
WHY USE A PASSWORD MANAGER?
• Stores your passwords
• Alerts you of duplicate passwords
• Generates strong new passwords
• Some automatically fill your login credentials
into website to make sign-in easy
• It won't fall for a phishing website, even if
you do!
Encryption ensures that password managers
never "know" what your passwords are,
keeping them safe from cyber attacks.

15. Password Manager and MFA
​
LastPass – TXST Official​
​
Passwords and ID information​
​
Encrypts and decrypts locally ​
​
​
​
Syncs everywhere
Duo Push​
​
Text message​
​
Phone call​
​
Pre-gen keys​
​
Hardware tokens

16. Turn on Multifactor Authentication
WHAT IS IT?
• A code sent to your phone or email
• An authenticator app
• A security key
• Biometrics
o Fingerprint
o Facial recognition

17. Password managers
​
LastPass is the Official Texas State
University password manager
Students get free premium personal
account
Stores passwords and identity
information
Encrypts and decrypts locally ​
​
Syncs everywhere

19. MFA Authenticators

20. Take a moment and create a Plan B
Duo Push Text Message Phone Call Pre-Gen Keys Hardware token

21. Avoid Insecure or public networks
Change default router passwords
Use the strongest encryption available
Use WPA 2 or newer
Use a complex WPA password
Only use authorized wireless networks
Provide a separate guest WIFI network
Wireless connections

24. Use passwords on all mobile and
smart devices
Always keep the device with you
when you are away from the office
Disable unnecessary service:
• Bluetooth
• Location Services
• Search for Wireless
Encrypt mobile devices
Remove or “shred” all data before
disposing or transferring
Mobile device threats

25. Utility versus security
Learn to balance the ease of
use of a tool with the tool's
level of security and find
what works for you.

26. Protecting Data
Everyone has a role in safeguarding institutional data

27. Read and understand applicable standards, policies, and
publications at the university and future employers.
• UPPS No. 04.01.01 Security of Information Resources
• UPPS No. 04.01.05 Network Use Policy
• UPPS No. 04.01.07 Appropriate Use of Information Resources
• UPPS No. 05.01.02 University Surplus Property
Be Informed

28. Industry Controls and Risks

29. Top 10 Web Application Security Risks
(2017)
1. Injection flaws
2. Broken Authentication
3. Sensitive Data exposure
4. XML External Entities – XXE
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting – XSS
8. Insecure Deserialization
9. Using Components with Unknown Vulnerabilities
10. Insufficient Logging & Monitoring

30. Top 10 Web Application Security Risks
(2021)
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery (SSRF)

31. 2017 versus 2021

32. Top 20 CIS Controls

33. Basic CIS Controls
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
• Maintenance and Analysis of Security Audit Logs

34. • Boundary Defense
• Data Protection
• Controlled Access based on Need-to-Know
• Wireless Access Control
• Account Monitoring and Control
Foundational CIS Controls

35. • Email and Web Browser Protections
• Malware Defenses
• Limitation and Control of Ports, Protocols and Services
• Data Recovery Capability
• Secure Configurations for Network Devices
Foundational CIS Controls

36. • Security Skills Assessments and Training
• Application Software Security
• Incident Response and Management
• Penetration Tests and Red Team Exercises
Organizational CIS Controls

37. Working in Information Security
A career field with virtually 0% unemployment

38. Quick Facts: Information Security Analysts
2019 Median Pay $99,730 per year / $47.95 per hour
2020 Median Pay $103,590 per year / $49.80 per hour
Typical Entry-Level Education Bachelor's degree
Work Experience in a Related Occupation Less than 5 years
On-the-job Training None
Number of Jobs 131,000 (2019) | 141,200 (2020)
Job Outlook, 2020-30 33% (Much faster than average)
Employment Change 40,900 (2019-29) | 47,100 (2020-30)
Source: https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm

39. Career Paths
• CISO/ISO/Director of Security
• Engineer or analyst
• Encryption and forensics
• Risk management
• Incident investigation
• Penetration testing
• Security software developer
• Vulnerability research
• Disaster recovery
• Audit & Analysis

40. Certifications
CRISC – Certified Risk and Information Systems Control
CEH – Certified Ethical Hacker
C|HFI – Computer Hacking Forensic Investigator
CISSP – Certified Information Systems Security Professional
GIAC – Global Information Assurance Certification
CCNP – Cisco Certified Network Professional Security
CISM – Certified information Security Manager
CISA – Certified Information Systems Auditor
MCSE – Microsoft Certified Solutions Expert
Linux+ – Linux certified systems administrator
Security+ – Entry-level certification for professionals

41. Resources
Gartner Group: www.gartner.com
• Business reviews, magic quadrant
Dark Reading: http://www.darkreading.com/
• Database and application security, technical security threats
OWASP: https://owasp.org
• Secure software development resources
SANS: www.sans.org
• security training and GIAC certification
(ISC)2: www.isc2.org
• CISSP certification, training, awareness, community
EDUCAUSE: http://www.educause.edu/
• Non-profit advance higher education by promoting IT

42. Podcasts
Introductory
• Hackable?
• Smashing Security
True Crime
• Darknet Diaries
• Malicious Life
• CPradio
Industry News & Educational
• The CyberWire Daily
• SANS Internet Stormcenter
• Paul’s Security Weekly
• Defensive Security Podcast

43. Your coworkers Mike and Sam tell you about a cool flaw they
found in the software your employer develops. The flaw takes
advantage of a rounding error made when transferring money
between accounts, and they found a way to skim the fractions
of a cent from each transaction. They intend to keep the
money in a separate, hidden account since the system won’t
normally recognize more than two decimal places.
• Who hasn’t seen Office Space?
• What would you do?
• What kind of issues are apparent here, and what kind of attack
is taking place?
Scenario 1

44. You’re responsible for maintaining a production system for
your employer. On a Tuesday morning, you learn that an
emergency patch got released for a vulnerability that’s already
been exploited in the wild. Patching would require at least 24
hours of downtime for a system that generates serious
revenue.
• What would you do?
• What if management disagreed with your instinct?
Scenario 2

45. You and your research team have partnered with a US-based
hospital to get access to some patient information so you can
work on refining some models used to predict patient
outcomes.
• What law(s) might be relevant here?
• What could you do to protect the data?
• What kind of incident could affect the integrity and availability
of the data without affecting the confidentiality?
Scenario 3

46. Your friend asks you to help them set up an online store so
they can finally live their best life by selling silkscreened tee-
shirts they’ve been working on. They definitely want to be able
to accept credit-card payments.
• What law(s) or standards might be relevant here?
• What could you do to protect the website?
Scenario 4

47. You recently joined a new company that has a lot of “legacy”
software and is finally deciding to better fund its IT and
software development departments. A long-time developer who
used to be the one-person IT department was recently let go,
and a few months after they got fired, some strange things
start happening in internal systems.
• What might be happening?
• What kind of malware or vulnerability might be present?
• What could be done to prevent this from happening?
Scenario 5

48. You work for an organization that does a lot of work with high-value data
and does a lot of software development. After a long weekend, you
discover that all the files on your servers and workstations have been
changed and now have the “.krab” extension, and nothing is working like it
should.
• What might be happening?
• What kind of malware or vulnerability might be present?
• What could be done to prevent this from happening?
• How could your org recover?
The threat actors are demanding $150,000 in Monero, or else they’ll (1)
not let you decrypt your data and (2) will publicly disclose all your data.
• Should the ransom be paid?
Scenario 6

49. TXST Information Security Office
CHIEF INFORMATION SECURITY OFFICER
DAN OWEN
Sr. Information Security
Analyst
Rick Myers
Sr. Information Security
Analyst
Gabriel Nwajiaku
Information Security Analyst
Julia Lara
Electronic Information
Resources
Accessibility Coordinator
Evan Pickrel
Director, Governance Risk Mgmt. &
Compliance
Michelle Sowell
Information Security Analyst
Toni Frank 
Information Security Analyst
Barry Tracy
Information Security Analyst
Greg Furmage
infosecurity@txstate.edu
(512)245.4225