Stealing Christmas

Dr. Curtis A. Carver Jr.Vice Chancellor and CIO

Board of Regents

• Policy ATE technology, oh my!

• Landscape

• What to do now?

• Questions, Comments, a Conversation

Agenda

Necessary ComponentsPolicy, awareness, training, and education (ATE), and technology must form the core of your security program. All three are necessary.

Landscape(Policy)

• Many policy or policy frameworks are available.– COBIT– ISO 27000 series– ITIL– NIST

• Pick one and execute as a first step.

• College courses in security policy are available.

Perh

aps

Not

this

Pol

icy

Technology

• Technology is getting better rapidly.• It is necessary but not sufficient.• Attack vector is shifting away from hacks to

social engineering. • Technology is not so good at preventing social

engineering.

Recent Example: UGA• 8,500 staff and students

• Slow, deliberate social engineering attack

• Answers to “secret” questions found on Facebook.

Another Example: South CarolinaGovernor Nikki Haley, “This is

not a good day for South Carolina.”

3/4ths of state citizens affected.

“The cost is also going to be enormous,

given that South Carolina may be required to pay for identity

theft protection services for anyone who has paid taxes in South

Carolina since 1998,”

October 27, 2012

Landscape

• Attacks are increasing.

• Attacks are increasingly complex.

• Education, training and awareness becoming increasingly important.

Normal versus Abnormal?Three Questions• What is normal for my

organization?• What is abnormal?• What do I do if

something abnormal occurs?

Awareness, Training, and Education

Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST

Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.

Three Examples

• Accountability Plus

• Carronade

• IT SAMI

Accountability Plus

Time

Inci

dent

Cou

nt

Issue: In a five month period this year, 23% of helpdesk incidents were computer abuse. This represents a 255% increase over the same period last year

Computer Abuse Process

• Computer incident occurs• Help Desk Notified• Institution notified• Help Desk Follows Up after 5 days• Help Desk Ticket closed out by Help Desk

What is wrong with

this process?

Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet

• Actions Taken: – Incidents characterized as high, medium, or low impact.– Processes redefined to escalate resolution of these cases

to the President’s boss.– New processes go into effect on 9 April.

• Importance to USG Presidents: A telephone call from USG CIO is indicative of four days remaining until the case is forwarded to USG senior leadership.

Accountability Plus

Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet

• Rest of the Story: I told the presidents that if I ever call them, their first step should be to fire the institutional CIO.

• Two Years Later: – The computer abuse line is linear – not

exponential.– I have not called a President…yet.

Rest of the Story and Two Years Later…

Carronade• Issue: The longer

students are at our institution, the more susceptible they are to phishing attacks.

• Issue 2: – Death by PowerPoint

training version 1 failed. – Death by PowerPoint

training version 2 failed.

Carronade Hypothesis

• Have the students launch spear phishing attacks against each other in a controlled manner.

• Have students remediate other students.• Don’t tell the technical staff when it will

happen.• Do it every semester.

Typical Email

Problems with Typical Email

Carronade Results

Two Years Later…

04/10/2023 03:30 PM 23

IT-SAMI INSPECTION SHEET

Cadet Name Company Year Inspector Name

CategoryITEM POINTS

AD-AWAREINSTALLED? NO, -30CHECK UPDATES >= 1 WEEK OLD, - 05

>=3 WEEKS, -10

>= 1 MONTH, - 20

LAST SYSTEM SCAN >= 1 WEEK OLD, - 05>=3 WEEKS,

-10>= 1 MONTH,

- 20SCAN RESULTS

For each process -10For every 20 additional items, -05

DEFRAGEMENT ANALYZESYSTEM SUGGESTED? YES, -10

ADD/REMOVE PROGRAM LISTWILD TANGENT YES, -10WEATHER BUG YES, -10WELL KNOWN FILE SHARING YES, -20/item

BROWSER HEALTHSEARCH BAR OTHER THAN GOOGLE YES, -10

VIRUSES DEFENITION FILES >= 1 WEEK OLD, - 5

>=3 WEEKS, -10

>= 1 MONTH, - 20

SYSTEM DATASPACE REMAINING ON C-DRIVE < 20%, -10MAJORITY OF ACDEMIC DATA

STORED ON C-DRIVE YES, -20

Best In BDE

Best Regiment: 86.13

Best Company: 95.00

Worst Reg: 75.00

Worst Company: 53.50

04/10/2023 03:30 PM 24

Saturday AM Inspection (IT SAMI)

In the hallways, cadetsstand inspection of theirmilitary equipment.

In their rooms, cadetsstand inspection of theircomputers.

Stealing Christmas• The threat of organized crime and nation states attacking

your personal information is real. Grinch is alive and well.

• Give your organization the gifts of a strong security policy program, strong technology, and a strong education program.

• Think outside the box in educating, training and rewarding your organization.

Questions, Comments, a Conversation

Dr. Curtis A. Carver Jr.Vice Chancellor and CIO

Board of Regents