Information Security Principles

Post on 14-Feb-2022



Information Security Principles, October 2021

PRESENTED BY

NICOLAS BUACHE, CISO

UGH… SECURITY

• Blocks me
• Prevents working
• Delays projects

“The security team is here, HIDE!”

YASSS… SECURITY!

• New habits
• Learn new skills
• Protects my work

“Security team, can you help me?”

INFORMATION SECURITY = PROTECTION

PERSONAL PROTECTION

Credit card

Bank account

CRA / ARC

SIN / NAS

PROTECT HOME & FAMILY

INFORMATION SECURITY AT UOTTAWA

Protect students’ information

Protect employees’ information

Protect intellectual property

Preserve uOttawa’s reputation

Personal information

Health information

Studies, Research

Grades, Diplomas

GOOD SECURITY vs BAD SECURITY (illustration of protection in both cases; source: HighTouch Technologies)

WHAT IS GOOD SECURITY?

• Balanced security that supports the business
  • Transformation 2030 and Digital Campus Transformation Plan
• Multiple layers of protection
• Consistent level of security: the security level is dependent on the weakest point!
• Look for opportunities to improve the end-user experience

Technology, Process, People

Security is everyone’s responsibility!

WHAT IS LAYERED SECURITY?

Discourage burglars or catch them before they can steal!

MAIN INFORMATION SECURITY CHALLENGES

Mobility & Collaboration
• Access information from anywhere, on any device
• Share information with third parties

Cloud Solutions
• Multiple cloud solutions, accessible from everywhere
• Store sensitive data without adequate security controls

Security Risks Evolve
• New vulnerabilities are identified every day
• Cookbooks and hacking tools are available to everyone

MAIN uOTTAWA SECURITY CHALLENGES

Unmanaged devices connecting to the network
• Students, professors, partners, and personal devices
• Windows, macOS, Linux, iOS, Android

Research, Labs, Professors, Students
• Specific equipment or solutions
• Research data or intellectual property

Higher Education is a big target

Unstandardized IT

Training and awareness

My security senses are tingling!

2021 CYBERTHREATS AT uOTTAWA

• 20,000+ reported phishing emails
• 4,500+ security-related service desk requests (last 12 months)
• 200+ compromised accounts (last 12 months)

EASY ENTRY POINTS: USERS

• Share or write a password down

• Reuse password

• Open a malicious link

• Share information


EASY ENTRY POINTS: DEVICES

Is anyone guarding the coffee machine?

• Missing updates

• Weak or default password

• Application not secure

• Systems not managed

HOW YOU CAN HELP! Question yourself before acting

Apply simple security measures

Ask for help if you are not sure

Report suspicious activities: what you observed, what you did

Don’t be afraid to report security concerns to the Service Desk

Security is here to PROTECT and SUPPORT you!

Key Principles: You are the University’s first line of defence

Always be yourself. Unless you can be Batman then always be Batman.


SECURING YOUR IDENTITY IS KEY

01 Easy targets
• Phishing/vishing attacks
• Social engineering

02 Common methods
• Creating a sense of urgency
• Taking advantage of compassion and empathy

03 Impact
• Same accesses as the user
• Use the access to prepare an attack

AUTHENTICATION & AUTHORIZATION

Password
• Strong (>8 characters and a mix of uppercase/lowercase letters, numbers, special characters)
• Unique password, stored in a secure vault
• Activate Multi-Factor Authentication (MFA)
• Personal, must not be shared

“Yah… I’m the REAL SUPERMAN”

Permissions
• Verify that the person must be, and is, authorized to access the information
• Regularly review who can access information
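The password rules on this slide can be turned into a check that a vault, onboarding script or help-desk tool could run before accepting a new password. The code below is an added example, not part of the presentation or any uOttawa tool; it reads the slide's ">8 characters" as "at least 9" (an assumption) and uses a constructed set of SHA-256 digests to stand in for the user's previously used passwords when checking the "unique" rule.

```python
import hashlib
import string

# Slide policy: more than 8 characters, mixed case, digits and special
# characters, and never reused. ">8" is taken here as at least 9 (assumption).
MIN_LENGTH = 9

# Constructed sample: digests of passwords this user has used before.
# A real vault would use a salted, slow hash; plain SHA-256 is only for the demo.
PREVIOUS_PASSWORD_HASHES = {
    hashlib.sha256(b"Winter2021!").hexdigest(),
    hashlib.sha256(b"uOttawa#2020").hexdigest(),
}


def check_password(candidate, previous_hashes=PREVIOUS_PASSWORD_HASHES):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(
            f"too short: {len(candidate)} characters, need at least {MIN_LENGTH}"
        )
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # "Unique" rule: compare the digest, so the old passwords never need to be stored in clear.
    if hashlib.sha256(candidate.encode("utf-8")).hexdigest() in previous_hashes:
        problems.append("reused: matches a previously used password")
    return problems


if __name__ == "__main__":
    for sample in ["password", "Winter2021!", "Tr0ub4dor&3xample"]:
        verdict = check_password(sample) or ["ok"]
        print(f"{sample!r}: {', '.join(verdict)}")
```

Each violation is reported separately so the user can fix all of them in one attempt; returning the list (rather than a bare True/False) is also what makes the check easy to wire into a form or a unit test.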


ZERO TRUST PRINCIPLE

Never trust, always verify!

Can I authenticate the third party?
• Validate the identity of the person
• Validate website authenticity
How: ask for Multi-Factor Authentication; call the person on the number you know

Is it authorized?
• Is the person eligible to access the information?
• Is the solution adapted to share the information?
How: verify the URL or use your bookmarks; research the company on the Internet

Is it safe to connect?
• Do I put myself at risk?
• Do I put the organization at risk?
How: ensure the device is up to date & protected; verify that the network connection is secure
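"Verify the URL or use your bookmarks" can be made mechanical: compare the domain a link actually points at with the domains you have bookmarked, and flag links that merely contain a trusted name. The snippet below is an added example, not code from the presentation or from uOttawa; the bookmark list and the sample links are constructed, and the "last two labels" rule for the registrable domain is a simplification that ignores multi-part public suffixes.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the user's own browser bookmarks (assumption).
BOOKMARKED_HOSTS = {"uozone2.uottawa.ca", "outlook.office.com"}


def registrable_part(host):
    """Last two labels of a host name, e.g. 'uottawa.ca'.
    Simplification: multi-part public suffixes (co.uk, ...) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, bookmarks=BOOKMARKED_HOSTS):
    """Say whether a link lands on a bookmarked domain, looks like one, or is unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return "suspicious: not an https link"
    trusted_domains = {registrable_part(b) for b in bookmarks}
    actual = registrable_part(host)
    if actual in trusted_domains:
        return "ok: matches a bookmarked domain"
    # A trusted name appearing somewhere in the host name while the real
    # domain is different is the classic look-alike pattern to warn about.
    for domain in trusted_domains:
        if domain in host:
            return f"suspicious: looks like {domain} but the real domain is {actual}"
    return "unknown: not bookmarked, verify before connecting"


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in [
        "https://uozone2.uottawa.ca/standard/schedule/all",
        "https://uottawa.ca.login-verify.example/",
        "http://uozone2.uottawa.ca/",
        "https://example.org/",
    ]:
        print(f"{link}: {classify_link(link)}")
```

The check deliberately looks at the parsed host name rather than the text of the link, because the displayed text of an e-mail link is not what the browser will open.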

HARDWARE & SOFTWARE BASICS

• Change default password
• Rename or disable default username
• Inventory all assets
• Apply updates (firmware, OS, apps) & restart the device
• Isolate non-compliant devices (limit internal communication; no Internet connection)

SECURE DEVICES

Foundations
• Encrypt all drives
• Password-protect your devices and lock them when not in use
• Keep operating system and applications updated
• Keep security protections healthy and updated

Applications
• Install only approved applications
• Verify the application

Immediately report theft or loss!

REPORT PHISHING / SECURITY INCIDENTS

See a ‘phishy’ message?
• In Outlook: use the Report Message button in the upper-right corner of the Home ribbon
• In Outlook on the Web: open the email options (the three horizontal dots to the right of the email subject) and click the Report message option
• On your mobile device: forward the email to phishing@uOttawa.ca

Clicked a phishing link or opened an attachment? Open a Service Centre ticket.

RESPECT UNIVERSITY POLICIES AND PROCEDURES

GUIDELINES FOR PROTECTING uOTTAWA

• Policy 117 – Information Classification and Handling: Public, Internal, Confidential, Restricted
• Schedule D – Password Protection: passwords should not be shared or written down
• Schedule I – Virus Protection: users must ensure anti-virus is running on their device
• Schedule L – Privileged Account Usage on End-User Devices: the University follows the principle of least privilege
• Schedule S – Security Awareness and Training: all employees must complete the training
• Schedule U – Software Installation: only authorized software can be installed

https://uozone2.uottawa.ca/standard/schedule/all

WITH GREAT POWER COMES GREAT RESPONSIBILITY