Page 1
SEAS Cybersecurity Awareness Day
Discussion on…
A CIO’s Perspective on Information Security
Steve King
Interim Executive Director for Computing@SEAS
October 17, 2012
Page 2
Table of Contents

After Lunch Perspectives
• YouTube and Vimeo (page 3)
• Dilbert and Blogs (page 5)
The Role of the CIO in Information Security
• Blanket (page 9)
• Balance (page 14)
• Teamwork (page 18)
• Case Studies (page 22)
Practical Steps for Improvement at SEAS (page 27)
Page 3
Vimeo
https://vimeo.com/47189352 - ITSM Weekly - ***
https://vimeo.com/47189353 - ITSM Weekly - **
Page 4
YouTube – a leading security guru: Bruce Schneier from BT
http://www.youtube.com/watch?v=dy4VJP-lZpA – Identification & I.D. Security
Three favorite quotes:
1. If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
2. There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
3. Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.
Page 5
Newest
Page 6
Popularity
Page 7
Rating
Page 8
Blogs
Page 9
Blanket
Page 10
Blanket – Four Pillars of Information Security
• Physical Security
• Network Security
• Logical (host and client) Security
• Procedures
Source: Lansing Business Monthly: 10_15_12
Page 11
Blanket – Range of Computing@SEAS Services
Page 12
Blanket - Information Security is a Journey, not a Destination
Keys
Proxy Servers
Encryption
Secure File Transfers
Page 13
Information Security Definition from Wikipedia
Page 14
Balance - Information Security Model from Wikipedia
Source: Wikipedia
Page 15
Balance – IS Risks vs. IS Spend/Investments
Risks – “security as the state of being free of fear and anxiety”; e.g. Linus
Costs: IS needs to be a discipline, also balancing due care and due diligence
Page 16
Balance – Organization Checks and Directions
• Peer organizations here at SEAS
• Strong alignment with HUIT, for both organizations
• Alliances and partnerships with vendors and associations and higher ed groups
• IS role expanding; analogy to Iron Mountain: CSO vs. CRO vs. CCO vs. CPO
• Need to evaluate and use enterprise application (e.g., GRC)
Page 17
Balance – IS and Computing Activities
Page 18
Teamwork – Cyber Security & Incident Response Team
High priority events are those that meet one or more of the following criteria:
• Responsible for the disruption of a production service or system maintained by SEAS Computing.
• Affect a large number of accounts or systems.
• Grant access to confidential or HRCI data.
• Cause a severe business impact.
• Remotely exploitable vulnerability with privilege escalation.

Medium priority events are those that meet one or more of the following criteria:
• Affect services or systems maintained by SEAS Computing.
• Affect only individual accounts rather than granting systemic access.
• Grant access to development or testing data.
• Locally exploitable vulnerability with privilege escalation.

Low priority events are those that meet one or more of the following criteria:
• Affect individual laptops and desktops.
• Affect services or systems not maintained by SEAS Computing.

| Priority | Time to first response | Remediation target¹ |
|---|---|---|
| High | 1 business day (BD) | 2 BD |
| Medium | 2 BD | 4 BD |
| Low | 5 BD | Best effort |

¹ Remediation entails one of the following categories: Repair, Rebuild and Notify
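A practitioner usually wants the priority rules and the business-day SLAs in the ticketing workflow rather than on a slide. The following is an added example, not SEAS Computing's own tooling: it encodes the three tiers above, picks the highest tier that matches, and turns "N BD" into calendar deadlines that skip weekends. The event attribute names, the numeric threshold standing in for "a large number of accounts", and the sample event are assumptions made for this example.

```python
"""Triage helper for the CSIRT priority scheme above: classify an event by the
slide's criteria and turn the business-day SLAs into calendar deadlines.
Added illustration, not SEAS Computing's tooling; the event attributes and
the 'large number of accounts' threshold are assumptions made here."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Assumption: the slide says "a large number of accounts" without giving a figure.
LARGE_ACCOUNT_THRESHOLD = 50

# (time to first response, remediation target) in business days; None = best effort
SLA = {"High": (1, 2), "Medium": (2, 4), "Low": (5, None)}
REMEDIATION_CATEGORIES = ("Repair", "Rebuild", "Notify")


@dataclass
class SecurityEvent:
    """Facts an analyst records about an event (attribute names are assumptions)."""
    disrupts_production_service: bool = False   # production service/system run by SEAS Computing
    accounts_affected: int = 0
    data_class: str = "none"                    # "confidential", "hrci", "dev_test" or "none"
    severe_business_impact: bool = False
    vuln_exploitability: Optional[str] = None   # "remote" or "local" (with privilege escalation)
    seas_maintained: bool = False               # service/system maintained by SEAS Computing


def classify(ev: SecurityEvent) -> str:
    """Highest matching tier wins; a single criterion is enough for a tier."""
    if (ev.disrupts_production_service
            or ev.accounts_affected >= LARGE_ACCOUNT_THRESHOLD
            or ev.data_class in ("confidential", "hrci")
            or ev.severe_business_impact
            or ev.vuln_exploitability == "remote"):
        return "High"
    if (ev.seas_maintained
            or 0 < ev.accounts_affected < LARGE_ACCOUNT_THRESHOLD
            or ev.data_class == "dev_test"
            or ev.vuln_exploitability == "local"):
        return "Medium"
    # Everything else: individual endpoints, or systems SEAS Computing does not run.
    return "Low"


def add_business_days(start: date, days: int) -> date:
    """Advance by whole business days, skipping Saturday and Sunday
    (holidays are not modelled)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadlines(ev: SecurityEvent, reported_on: str) -> Tuple[str, str, Optional[str]]:
    """Return (priority, respond-by ISO date, remediate-by ISO date or None for best effort)."""
    priority = classify(ev)
    respond_bd, remediate_bd = SLA[priority]
    reported = date.fromisoformat(reported_on)
    respond_by = add_business_days(reported, respond_bd).isoformat()
    remediate_by = (add_business_days(reported, remediate_bd).isoformat()
                    if remediate_bd is not None else None)
    return priority, respond_by, remediate_by


if __name__ == "__main__":
    # Constructed sample: remotely exploitable privilege escalation reported on a Friday.
    print(deadlines(SecurityEvent(vuln_exploitability="remote"), "2012-10-19"))
```

Because the tiers are checked from High downward, an event that matches both a Medium and a High criterion (a locally exploitable flaw on a production system, say) lands in High, which is what the "one or more" wording intends. A Friday report shows why business days matter: the one-day first-response target for a High event falls on the following Monday, not Saturday.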
Page 19
Teamwork – Security Operations
• Weekly meeting on Wednesdays at 2pm
• Triage role which rotates and communicates regularly with ISO
• “Event” driven – tracking system and documentation wiki
• [email protected]
• Most common events in 1Q FY13
  – Infected computers
  – Vulnerable websites
  – Host software currency (or lack thereof)
Page 20
Teamwork – Quarterly Joint Project Objectives
• 2Q FY13 Priorities:
  – “Admin” Active Directory Retirement
  – AirWatch MDM
  – Secunia CSI
  – Quest Password Self-Service
  – Desktop Banner
• 2013 Backlog: Stealth Audit, Web Application Firewalls, Identity Finder, …
Page 21
Teamwork – Certifications, Memberships, and Reporting
CSA
IANS
CISSP
Metrics
Page 22
Case Study 1: SEAS Identity Consolidation
• Admin domain, seas domain, nis
• Hard to tell if someone is trying to impersonate you or break your password
• Hard to keep passwords in sync
• Hard to make sure services are revoked when someone leaves the school
Page 23
Case Study 1: SEAS Identity Consolidation
• Check how you connect to network file shares (vfiler0, vfiler1)
• If you use windows, check how you log in to your desktop or laptop
How can I help?
Page 24
Case Study 1: SEAS Identity Consolidation
• Computing@SEAS can deliver a self service password reset tool (answer security questions to reset your own password without a support call)
• Step toward identity integration between schools at Harvard
What’s in it for me?
Page 25
Case Study 2: Secure Remote Desktops
• Remote Desktops for Courses and Research
  – Because it provides shell access, it requires stronger identity assurance
  – Approach: NX using SSH keys and user password
  – Dedicated SSH keys per user for connections provide secure transport and the initial connection
  – User passwords grant access to your account once connected to the system
  – Poor man’s two-factor
Page 26
Case Study 3: Refactored Data & Networking Paradigms for Academic Work
• Old model: living on the edge – build a desktop or web server machine, put it on the internet, and log in remotely via SSH+password – fodder for script kiddies
• New model: behind closed doors – locate these client machines on dedicated networks for users, and provide firewalled internet access or VPN connections – warm fuzzy feelings of security
• Future model: living in the cloud – your data follows you securely across the network and internet, and your server spins up or down only when you need it, on demand. Your laptop/iPad/mobile device stays with you on secured networks.
Page 27
Practical Steps for Improvement at SEAS
Recommendations from Executive Director for Computing
I. Begin to use and build the SmartCard ID for proximity access, Charlie and parking Metercard and bicycle rental integration
II. Strengthen our password management policies and require periodic change
III. Introduce second factor authentication in network access
IV. Accelerate SEAS moves to IAM and HUIT shared services
V. Implement new activity, reporting and compliance system