Security 101 - Presentation

8/2/2019 Security 101 - Presentation

1/85

SECURITY 101:

1

Information Security Basics

Sponsored by UW Division of Informational TechnologyOffice of Campus Information Securityand Professional Technical Education

--------------------------------Instructors: Cliff Cunningham & Braden Bruington


2/85

GREETINGS & INTRODUCTIONS

Cliff Cunningham - DoIT

Braden Bruington - DoIT

Rick Keir - OCIS(Office of Campus Information Security)

2


3/85

DID YOU KNOW?

Approx 1,200 IT professionals in UW schools

2/3 of them are notaffiliated with DoIT

Non-DoIT

DoIT

3


4/85

POLICIES & GUIDELINES

Campus IT PoliciesAppropriate Use Policies

Electronic Devices

Payment Card IndustryData Security Standard a.k.a. PCIDSS

List of specificsuggestions

Used by OCIS

4


5/85

All staff

Security

workshop

Securitybrownbags

On-line material

100-levelAll staff

Security 101:Information

Security Basics

200-levelSystem Admin

(others?)

Security 201:

Windows(SEP 21)

Security 202:OS X

(AUG 11)

Security 203:Linux

(FALL 2009?)

300-levelSelected staff

IIS Security

DevelopingSecure Code

Apache Security

Oracle Security

Firewall Security

Other?

SECURITY TRAINING IN THE BEGINNING

5


6/85

All staff

Security

workshop

Securitybrownbags

On-line material

100-levelAll staff


Security Basics


(others?)

Security 201:

Windows(SEP 21)

Security 202:OS X

(AUG 11)

Security 203:Linux

(FALL 2009?)


IIS Security


Apache Security

Oracle Security

Firewall Security

Other?

SECURITY TRAINING WINTER 08

6

You arehere!


7/85

All staff

Security

workshop

Securitybrownbags

On-line material

100-levelAll staff


Security Basics


(others?)

Security 201:

Windows(SEP 21)

Security 202:OS X

(AUG 11)

Security 203:Linux

(FALL 2009?)


IIS Security


Apache Security

Oracle Security

Firewall Security

Other?

SECURITY TRAINING SPR/SUM 09

7


8/85

All staff

Security

workshop

Securitybrownbags

On-line material

100-levelAll staff


Security Basics


(others?)

Security 201:

Windows(SEP 21)

Security 202:OS X

(AUG 11)

Security 203:Linux

(FALL 2009?)


IIS Security


Apache Security

Oracle Security

Firewall Security

Other?

SECURITY TRAINING SUM/FALL 09

8

Other?


9/85

GOALS FOR THESE COURSES

To continue the campus-wide conversation

Advertise OCIS training resources

Increase networking (social) within ITcommunity on UW campuses

Share war stories

lessons learned, scars received.

9


10/85

AGENDA

1. General discussion

2. Defining sensitive data

---------- BREAK ----------

3. How do I find sensitive data?

4. Handling a data security incident

---------- BREAK ----------

5. Closing remarks & next steps

10


11/85

WHO ARE YOU?

Titles?

Roles?

Operating systems?

What kinds of data?Financial information

Health information

GradesCredit cards

Other sensitive types of information

11


12/85

HAND-OUTS

Packet of handouts

Sign-up sheet

12


13/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


13


14/85

DATA BREACH, JUNE 4

June 4, 2009 Maine Office of Information Technology(Augusta, ME)

Through a printing error, 597 people receivingunemployment benefits last week got direct-depositinformation including Social Security numbersbelonging to another person.

"We received a print job and were running it, andthere was an equipment malfunction." Recipients

received one page with their own information andanother page with information belonging to a differentperson.

Number effected: 597

14


15/85

DATA BREACH, JUNE 5

June 5, 2009 Virginia Commonwealth University(Richmond, VA)

A desktop computer was stolen from a secured area. The computer may have contained student names, Social

Security numbers and test scores dating from October2005 to the present. VCU discontinued use of SocialSecurity numbers as ID numbers in January 2007.

An additional 22,500 students are being notified that theirnames and test scores may have also been on the

computer. No Social Security numbers were recordedwith those names, but computer-generated student IDnumbers may have been.

Number effected: 17,214

15


16/85

DATA BREACH, JUNE 6

Ohio State University Dining Services (Columbus,OH)

Student employees SSNs accidentally leaked in ane-mail.

OSU employee received an e-mail with anattachment that included students' names and socialsecurity numbers. He unwittingly forwarded withattachment to his student employees.

After realizing the mistake, the hiring coordinatorcalled the Office of Information Technology, whichstopped the e-mails before all of them were sent.

Number effected: 35016


17/85

DISCUSS

What keeps you awake at

night?(Please restrict your answers to IT security-related

topics.)

17


18/85

ANALYSIS OF DATA LOSS INCIDENTS

18

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

2006PrivateSector

PublicSector

HigherEducn

MedicalCenters

Outside Hackers 15% 13% 52% 3%

Insider Malfeasance 10% 5% 2% 20%

Human Error orSoftware Misconfig

20% 44% 21% 20%

Theft 55% 38% 37% 57%
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*


19/85

ANALYSIS OF DATA LOSS INCIDENTS

2006PrivateSector

PublicSector

HigherEducn

MedicalCenters

Outside Hackers 15% 13% 52% 3%

Insider Malfeasance 10% 5% 2% 20%

Human Error orSoftware Misconfig

20% 44% 21% 20%

Theft 55% 38% 37% 57%

19

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*


20/85

WHO CARES?

Why should we be concerned about thehandling of sensitive data?

20
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*


21/85

EFFECTS OF DATA LOSS

On the individual

Personal credit info can be destroyed

Embarrassment

Patents & intellectual property rights

On the university

Reputation

Grants

Patents & intellectual property rights

21
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*


22/85

FALLOUT FROM DATA LOSS AT OU

If there is any financial damage I will hold

OU at fault and seek legal counsel to recoverany and all loss, with punitive damages.

22

Quotes taken from article OU has been getting an earful about huge data theft

by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*http://www.mail-archive.com/[email protected]/msg05835.htmlhttp://www.mail-archive.com/[email protected]/msg05835.html


23/85

THAT IS WHY

IT professionals are scattered on campus.

Data security presents a huge financial,ethical and reputational exposure.

We need to unify our efforts.

E pluribus unum:

Out of many, one.

23


24/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


24


25/85

CLASSES OF INFORMATION

25

Personal

information

Health & medical

information

Financial

information

Academicinformation


26/85

PERSONAL INFORMATION

Social SecurityNumbers

Drivers License

Number Name & Address

Biometric data

Finger prints DNA Maps

Voice patterns

26


27/85

HEALTH & MEDICAL INFORMATION

Physical diagnoses

Mental health

Psychological

diagnoses Treatment

Prescriptions

27


28/85

FINANCIAL INFORMATION

Account numbers

Account pass codes

Credit card numbers

(NOTE: All financial informationtends to be sensitive.)

28


29/85

ACADEMIC INFORMATION

Students

Grades

Transcripts

Communicationsw/faculty

Faculty/Staff

Intellectual property

Research data

29


30/85

WISCONSIN STATE LAW

Wisconsins Data Breach Notification LawStatute 895.507 (2006)

Formerly, Act 138

Any unauthorized access to personal info must notify individual(s) within 45 days

Data includesSSN

Drivers license or state IDAccount number, code, password, PIN

DNA or biometric info

30


31/85

RESTRICTED VS. SENSITIVE

Restricted: explicitly protected underWisconsin State Law. Must notify if lost.

Sensitive: still needs to be guarded with

great care, but notification not required.

All restricted data is sensitive.

Not all sensitive data is restricted.

31


32/85

FEDERAL LAW

FERPA academic

Family Education Rightsand Privacy Act

HIPAA health & medical

Health Insurance Portability andAccountability Act

32


33/85

CLIFFS PERSONAL ANECDOTE

From just this past June (2009).

33


34/85

FERPA: TWO TYPES OF INFO

Public Information Considered public *

Examples includes

Name, address, phone

Email address Dates of attendance

Degrees awarded

Enrollment status

Major field of study

* Students can request this informationbe suppressed

Private Information Tightly restricted

Examples includes

SSN

Student ID number Race, ethnicity,

nationality

Gender

Transcripts & grades

34

Information provided by Office of Registrar

UW-Madison Student Privacy Rights and Responsibilities

(partial list) (partial list)


35/85

FERPA AND ITS TENTACLES

Lesser-known items within FERPAs reach

Educational records

Personal notes between faculty and students

Communications with parents/guardians How to post grades

Letters of recommendations

35


36/85

WWW.REGISTRAR.WISC.EDU

For more info, Office of the Registrar

Brochures

FAQs

On-line tutorials

On-site training

One-on-one consultation

36


37/85

NOW FOR SOMETHING ENTIRELY DIFFERENT

A data security case study

37


38/85

THE FACTS

On an unnamed Big 10 university campus

DoIT Store website collecting data from hits

This data was being analyzed by the webhosting service

Web hosting service posted its findings

38

Any warningsigns?


39/85

THE REST OF THE STORY

The data being captured included

campus IDs and NetIDs

Old Campus IDs used to contain SSNs

Web hosting service didnt know about SSNs

Captured data posted on semi-public site

39


40/85

THE ANALYSIS

All were capable, professional entities

They didnt know

They didnt anticipate

Therefore

40


41/85

THE MORAL OF THE STORY

Dont overestimate

other folks knowledge or motivation.

Dont underestimate

the value that you can add.

41


42/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


42


43/85

43


44/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


44


45/85

BEFORE RUNNING A SCAN!!

45

GET INFORMED PERMISSION!!!

These scans will

produce unusual net-

traffic !


46/85

FINDING SENSITIVE INFORMATION?

PII = Personally identifiable information

Numerous applications, called PII finders

They scan drives

They locate recognizable patterns

They produce reports

You dont always know what is on your

machine

46


47/85

HOW?

Question: How might sensitive data find

its way onto a piece ofhardware?

47


48/85

PII FINDER

Identity Finder

Being considered by UW DoIT Security group

More costly, but more robust

Free edition is now available, so its worth a try

Lets see how it works.

48


49/85

ARE YOU AT RISK?

OCIS provides access to afew scanning tools

These tools test the security

of network & workstation This will tell you whether you

are at risk.

49


50/85

BEFORE RUNNING A SCAN!!

50

GET INFORMED PERMISSION!!!

These scans will

produce unusual net-

traffic !


51/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


51


52/85

INCIDENT VS. BREACH

Define incident

Undetermined whether data has been lost

Any number of scenarios

Losing a laptop

Firewall down

Criticalpatches are out-of-date

Hacked, or infected with malware

52


53/85

INCIDENT VS. BREACH

Define breach

We knowdata has been acquired byunauthorized person

53


54/85

INCIDENT VS. BREACH

54


55/85

WELL-HANDLED INCIDENTS

Well-handled incidents will reduce

1. your exposure,

2. the universitys exposure.

55


56/85

DISCUSSION QUESTION

Do you have an incident handling process?

56


57/85

57

Incident

ResponseFlowchart

- Department

- Investigators

- CIO

- Admin Leader

Team

- UniversityCommns


58/85

58

Incident

ResponseFlowchart

- Department

- Investigators

- CIO

- Admin Leader

Team

- UniversityCommns


59/85

59

The part you need to know


60/85

1 WHAT HAPPENED?

Incident

Any exposure

Any risk

Not a breach, yet

60


61/85

2 WAS DATA AT RISK?

Was sensitiveinformation at risk?

Does the devicecontain sensitiveinformation?

Was that informationaccessible by non-authorized user?

Physically accessible

Cyber-accessible

(judgment?)

61


62/85

3 IF NO RESOLVE THE INCIDENT

Close the issue

No need to report it

62


63/85

4 IF YES REPORT THE INCIDENT

You need toescalate theissue

But, how do youreport an incident?

63


64/85

HOW TO REPORT AN INCIDENT?

It depends. Non-urgent: [email protected]

Need a faster response?

Open a DoIT HelpDesk ticket They can escalate it if necessary

After hours?

Contact Network

Operations Center (NOC) Phone: 263-4188

64
mailto:[email protected]:[email protected]


65/85

WHAT DO I DO?

Preserve as much data as possible. Do not tamper with the information

This can hinder further investigation.

Remove device from the network This cuts off any remote access to the machine

Do notpower-off the machine

Some forensic information may be stored in cache

65


66/85

SCENARIOS

1. A laptop in your department has beeninfected with a virus.

2. You have a single workstation that

interfaces with a special piece of scientificequipment. It runs an unsupported OS.You are concerned that it may have been

compromised.3. You get a call saying your departments web

server is unexpectedly serving pop-up ads.

66


67/85

AGENDA



---------- BREAK ----------



---------- BREAK ----------


67


68/85

68


69/85

AGENDA

1. General discussion2. Defining sensitive data

---------- BREAK ----------



---------- BREAK ----------


69


70/85

GOALS FOR THESE COURSES (REMINDER)

To continue the campus-wide conversation

Advertise OCIS training resources

Increase networking (social) within ITcommunity on UW campuses

Share war stories

lessons learned, scars received.

70


71/85

THE TROUBLE WITH SENSITIVE DATA

Difficult to get rid of.

It replicates

Hardcopy

Cached Email forward

Backed up

Get rid of it! (if possible)

71

Considerations

Do you really need the data? Rethink business practices.

Frequently re-assess securitystandards. Things change

Yesterday: SSNs

Tomorrow: Mobile phone numbers?

Office of Campus InformationSecurity OCIS is your friend


72/85

OCIS IS YOUR FRIEND

Training andLockdown

72

Extensiveresources

Security riskassessment

Individual &Departmental

www.cio.wisc.edu/security

IT SecurityPrinciples
http://www.cio.wisc.edu/securityhttp://www.cio.wisc.edu/security


73/85

IT SECURITY PRINCIPLE #1

Principle #1: Security is everyones responsibility.

It takes a

village...

Managers

IT support

Office staff

Faculty

End users

Students

Campus police

You! 73


74/85


Principle #2: Security is part of the development lifecycle.

Plan for it!

Not an after-thought!

Designed into the project plan

i.e. Allocate the necessary resources

Logging & auditing capabilities Layering security defenses

74


75/85


Principle #3: Security is asset management.

Lock it up!

Classification of data

Establishing privileges

Separating or

redistributing job

responsibilities and duties

75


76/85


Principle #4: Security is a common understanding.

Think it through!

Due diligence

Risks & Threats Costs (OCIS assessment)

Incident handling

76


77/85

WHEN I GET BACK TO THE OFFICE 1

Find the dataAsk your manager

Do we generate, use, receive, store sensitive

data? If so, what measures, practices are in place

77


78/85


Scanning for sensitive data Identify Finder

GET PERMISSION FIRST!

Suggest that you scour ALL servers

78


79/85

79

70% of data breaches involve

data the owners didnt evenknow was there.


80/85


Prepare to respond to an incident Inquire about current response procedure

Make sure it is well-known, published

Remember our flow chart

80


81/85


Keep the conversation aliveShare info with coworkers

Bookmark OCIS website

Future IT security coursesPut appointment in calendar to check progress

81


82/85

RESOURCES

Organizationswww.doit.wisc.edu/about/advisory.asp

TechPartners forum

Sign-up

CTIG Campus Technical Issues Group

Watch for presentations, attend andjoin?

MTAG Madison Technology Advisory GroupKnow they exist appointed roles

82
http://www.doit.wisc.edu/about/advisory.asphttp://www.doit.wisc.edu/about/advisory.asp


83/85

RESOURCES & NEXT STEPS

Refer to your handout When I Get Back to My Office, I Will

83


84/85

AGENDA - RECAP





5. Resources & Next steps

84


85/85

THE END

Thank you!Please fill out the course evaluation

and leave it by the door on your way out.

Security 101 - Presentation

Documents

Transcript of Security 101 - Presentation