Private Data – Keep Out!
National Extension Technology Conference
Greg Parmer, Jonathan Davis
August 12, 2015
The Day My Job Changed
History
- Firewall hole added for a workgroup NAS device, against IT recommendation
- 4 years later…
  - Mail relay incident
  - A dozen “exposed” SSNs
  - Nearly five-figure forensics bill
  - Faculty members’ change of heart
  - Policy necessity (and now politically acceptable!)
Gas On The Fire
- College of Business incident
- Admissions Office incident
- NAS device replacement (incorrect configuration)
- Exposures of Personally Identifiable Information (PII)
- ID theft insurance for thousands of individuals
- Policy avalanche… (and why hasn’t this already been fixed?)
Finding Personally Identifiable Info
- Deployed Identity Finder software
- Scan all University computers for PII (SSNs and credit card numbers)
- Deployed on relatively short notice
- Remediation by end users
- Where to store PII?
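An added example, not Identity Finder’s code and not from the original deck, of what a PII discovery scan like the one described above has to do beyond matching digit patterns: a bare regex for SSNs and card numbers drowns the remediation queue in false positives, so the scanner applies the SSA issuance rules (area 000, 666 and 900–999, group 00 and serial 0000 were never issued) and the Luhn check on card numbers, and reports only the last four digits so the report itself is not a new PII exposure. The sample text is constructed; the two SSNs and the card numbers are widely published test values, not real people’s data. The scan_tree helper and its size limit are assumptions for illustration.

```python
"""Discovery of SSN- and card-shaped strings with false-positive filtering.

Added example for the 'Finding Personally Identifiable Info' slide; this is
not Identity Finder's code. It shows the two checks a scanner needs beyond a
bare regex: SSN issuance rules and the Luhn check for card numbers.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 16-digit cards in 4-4-4-4 groups and 15-digit Amex in 4-6-5 groups,
# separated by a single space or hyphen (or nothing at all).
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b|\b\d{4}[ -]?\d{6}[ -]?\d{5}\b")


@dataclass
class Finding:
    kind: str      # "ssn" or "card"
    line: int      # 1-based line number in the scanned text
    masked: str    # value with all but the last four digits hidden


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issued area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return plausible SSNs and Luhn-valid card numbers, with line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", lineno, mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("card", lineno, mask(digits)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per kind, the number a data owner has to remediate."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict[str, list[Finding]]:
    """Walk a directory and scan each file as text (assumed helper; undecodable
    bytes are ignored, so binary files simply yield no hits)."""
    report: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            hits = scan_text(data.decode("utf-8", errors="ignore"))
            if hits:
                report[path] = hits
    return report


# Constructed sample standing in for a spreadsheet export found on a share.
# The SSNs and card numbers are well-known published test values.
SAMPLE = """\
Applicant export, constructed sample data
Jane Roe   SSN 219-09-9999   Visa 4111 1111 1111 1111
John Doe   SSN 078-05-1120   MC   5500-0000-0000-0004
Rejected:  000-12-3456  666-12-3456  123-00-4567  123-45-0000  987-65-4321
Rejected:  4111 1111 1111 1112  (fails Luhn)
Contact:   334-844-4000  order 2015-08-12
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for f in hits:
        print(f"line {f.line}: {f.kind} {f.masked}")
    print(summarize(hits))
```

Run against SAMPLE, only the two rows of real-looking data are reported; the five malformed SSNs, the Luhn-failing card, the phone number and the date all fall through, which is the difference between a list an end user will actually remediate and one they will ignore.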
Information Security Awareness Training
- Training required of all employees
- 23 video modules, each a few minutes long
- Quiz after each module
- Repeat annually
- Planning for customized content
Border Firewall and NAT
- Much greater acceptance of campus NAT
- Border firewall is default closed (inbound traffic is denied unless explicitly allowed)
Server Certification Working Group
Purpose: Develop security standards to evaluate and secure all University servers. Create a secure server certification program, with certain expectations:
1. Server certification will be based on a recognized standard.
2. The server security standard should preferably be in use at peer institutions.
3. The server security standard will include criteria to determine which systems will be subject to compliance.
4. Servers will be audited and re-certified regularly at an interval consistent with industry standards.
5. Complete access to servers will be required by the audit team during audits.
6. Additional server security criteria and requirements for a successful certification program.
Peer Institution Policies
- Florida: IT policies, data classification, Network and Host Security Standard, NIST standards referenced (IT security PowerPoint presentation for faculty, staff, students, etc. to “sell” the policies)
- Iowa State (was pending, but applied well to AU): Data Governance Committee, data classification, security standards and guidance
- Univ of Tennessee Institute for Agriculture (policies and procedures were pending): scanning with Qualys, working toward a NIST standard
- Texas A&M AgriLife/Extension (follow Aggie Standard Administrative Procedures): servers are registered in an online app and scanned monthly with Nessus, with reports provided to the registered server administrator. Administrators are also required to do a yearly risk assessment per university rule, done via an online questionnaire. In addition, any server that handles registration/payment has a quarterly PCI scan and remediation process.
(Thank you, colleagues! Great information from the extech mailing list, online, and personal e-mail.)
4 Aspects of Server Standards In A Nutshell
- Server registration: audit via multiple methods
- Data classification: audit via Identity Finder
- NIST’s National Checklist Program: audit via CIS-CAT
- Patch at least CVSS levels 4 and 5 (Qualys reports a 1–5 severity level alongside the 0–10 CVSS score; 4 and 5 are its two highest tiers): audit via Qualys (and third-party tools like Nessus)
- Data Governance Committee to audit process, policy, and audits
Differences in Policy
- Cloud service agreement with vendors? OneDrive, Google Docs, Dropbox, Evernote
- Guarantee for confidential data?
- This seemingly minor difference results in major implementation differences!
Other Tools
- Scanners: Nessus, Qualys (authenticated scans)
- Password managers: LastPass, KeePass, Secret Server
- Multifactor authentication: RSA, Duo
- “Off-campus” scans
Questions?
Thanks for attending!
PS: “Dark Alleys of the Internet” updated on SlideShare
www.slideshare.net/gparmer/dark-alleys2015
Greg Parmer: [email protected] or [email protected]
Jonathan Davis: [email protected]