
Lock It Down! Securing Your Museum In a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams

Friday, November 10th, 2017

#MCN2017-F7

Panelists


Mara Kurlandsky

Project Coordinator for Digital Engagement

National Museum of Women in the Arts

@mkurlandsky

Adam Gegg

Director of Information Technology

St. Louis Art Museum

adam.gegg@slam.org

Angie Judge

Chief Executive Officer

Dexibit

@angie_dexibit

James Vitale

Senior Solutions Architect

L.A. County Museum of Art

jvitale@lacma.org

Jeff Williams

Associate Director Technology

Hammer Museum

@cjeffw


Agenda


• When the worst happens…

‒ Major breaches in 2017

‒ Risk and consequence

‒ Lessons learned

• Trends

• Responding to museum security challenges in a digital age

‒ Infrastructure (plus Q&A)

‒ Software (plus Q&A)

‒ Users (plus Q&A)

• The security checklist

• Priorities and takeaways


A question not of if, but when


73% of Americans have fallen victim to cybercrime -

IF

why is executive sponsorship for investment in security such a hard sell?


When the worst happens...

Securing Your Museum in a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams


“There should have been a very comprehensive set of policies and procedures for what to do to respond.” - Jonathan Bernstein, President, Bernstein Crisis Management


“We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.” - Alexander Urbelis, Security Expert


Most devices and routers rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected.


“Forget Bluejacking, Blueborn doesn’t require the hacker to pair with your device.”


“Misconfiguration isn’t a malicious hack in itself, but it is a critical and all too common cybersecurity risk for both institutions and individuals.” - Wired


“What should have been a service interruption error became a devastating data loss when the company discovered its back ups were ineffectual.”


Risks and consequences


Loss of reputation

Cost of ransom

Loss of data

Loss of time

Cost of repair


Lessons learned


What can we do to keep our museums safe?

• Stay informed and listen to regular updates and announcements

• Stay patched (including for bring your own device users)

• Know your partners and what they’re doing to stay secure

• Routinely audit your configurations

• Monitor alerts


Institutional technology trends impacting security


Mobile, BYOD and IoT

Guest WiFi

Telecommuting

Cloud and open source

Social engineering


How to respond to security vulnerabilities


Infrastructure

Software

Users


Responding to museum security: infrastructure

Securing Your Museum in a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams


Infrastructure


What needs to be done?

• Protecting Your Network

‒ Physical

‒ Wireless

‒ Wired

• Protecting Your Desktop

• Protecting Your Data

What is needed to do this?

• Processes

‒ Documented

‒ Followed

‒ Audited

• Hardware

‒ Firewall, switches, etc...


Infrastructure


• Protecting Your Network: Physical Site

‒ Work closely with the security department to ensure staff and guests aren’t where they shouldn’t be:

▪ Visible ID Badges

▪ Secured Entry

▪ Monitored Access Logs

▪ Locking Offices

▪ Securing computers in public spaces


Infrastructure


• Protecting Your Network: Wireless Network Security

‒ Access Policies & Virtual Local Area Network (VLAN) Configuration

‒ Guest WiFi

‒ Corporate / Internal WiFi

▪ MAC Address filtering

▪ Domain Authentication


Infrastructure


• Protecting Your Network: Wired Network Security

‒ Ethernet Ports / Port Security

▪ MAC Address filtering

‒ Access Policies & VLAN Configuration

‒ Network Authentication and User Management

▪ Active Directory

▪ Processes to ensure only active staff have active accounts

‒ Firewall & Security Appliances

Cisco 5585-X Adaptive Security Appliance: Firewall, VPN, and Intrusion Prevention System


• Protecting Your Network: Data Security

‒ Backup Policy

▪ RPO - Recovery Point Objective

▪ RTO - Recovery Time Objective

▪ DR/BC - Disaster Recovery / Business Continuity

‒ Backup Appliances

‒ Offsite / Onsite Options (Cloud considerations)

▪ AWS, Iron Mountain, etc...


Infrastructure


• Preventive

‒ Firewall (Network Intrusion)

‒ Data Backups (Ransomware Protection)

‒ Endpoint Protection

▪ “0-day” virus attacks

▪ Known virus attacks

▪ Email/Chat/Browser Clients

▪ File Attachments / Downloads / Quarantining Infected Files


Q&A

INFRASTRUCTURE


Responding to museum security: software

Securing Your Museum in a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams


Software


• Protecting Your Network

‒ Threat Avoidance & DNS

‒ Monitoring & Alerts

• Protecting Your Desktop

‒ Antivirus / Endpoint Protection, Anti-Malware

‒ Application Whitelisting

• Remote Access Solutions


Protecting Your Network: Threat Avoidance & DNS


Domain Name System (DNS) is at the foundation of the internet

All modern malware relies on DNS to function

Cisco Umbrella (OpenDNS) - Network Protection as a service

● 100B requests/day, 86M daily active users

● Ease of implementation / support

● Policy based (staff v. guest WiFi)

● Protects remote users, laptops, iOS and Android

Threat Avoidance v. Content Filtering

Stop threats before they reach your edge.

Best single security investment ($18 per user per year).


Protecting Your Network: Domain Name System


Protecting Your Network: Monitoring & Alerts


Configure alerts so that you can focus on what matters and not spend all day reading logfiles.

Active resource monitoring lets you spot performance problems before they affect production.

Free: Spiceworks

Enterprise: Solarwinds, Microsoft System Center Operations Manager (SCOM)

At SLAM we use SCOM for performance and security monitoring of our servers. SCOM integrates with Operations Manager in Azure to aggregate performance, health and security status across our servers, workstations, VMware and network resources.


Protecting Your Desktop: Anti-virus/Anti-malware


Traditional v Next-Gen Antivirus

“A traditional AV solution is limited to detecting only the malware it knows. If the threat is not known, not analyzed and not recorded in the DAT file, or if the DAT file is not updated, or if the attack doesn’t use malware in the first place, the protection offered is nonexistent for that class of threats.” -SANS.ORG

Traditional:

● Less expensive

● Needs more management - updates

● Can be less effective

But used as one component in a larger cybersecurity stack traditional AV can be perfectly adequate.

Next-Gen:

● Can be much more expensive

● Less management required

● Novel technologies - machine learning, cloud analytics, managed hunting

Due to high cost, industries like finance and healthcare may be more appropriate for next-gen AV solutions.


Protecting Your Desktop: Application Whitelisting


Prevents programs from running unless they are specifically permitted by policy. This includes packaged apps, executables, installer scripts and DLLs.

● AppLocker is built into Windows 10 (all flavors) and Windows 7 Ultimate and Enterprise (not Professional)

● Managed via Group Policy Object (GPO)

● Deployed via AD Security Group

● Filters by Publisher, Path or File Hash

● Run it in Audit Mode and review the logs to see what would be blocked before you go live!
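The "audit first, then enforce" step above, worked through as an added example (not from the deck) using the AppLocker PowerShell module that ships with Windows: the log name and cmdlets are Microsoft's; the output file path is an assumption.

```powershell
# Added example: review an AppLocker policy running in "Audit only" mode before
# switching it to "Enforce rules". Assumes an elevated PowerShell session on a
# Windows 10 / Server host where the audit-mode policy has already been applied
# via GPO and users have run their normal workload for a while.
Import-Module AppLocker          # built into Windows, nothing to download

$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# "Audited" = files that ran, but WOULD have been blocked had the policy been enforced.
$wouldBlock = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited

if (-not $wouldBlock) {
    Write-Host "No audit hits in '$log' - nothing in use would be blocked by this policy."
    return
}

# Summarise by signer (or by path for unsigned files) so the review is a short
# list of products to approve or deny rather than thousands of raw events.
$wouldBlock |
    Group-Object { if ($_.Publisher) { $_.Publisher.PublisherName } else { $_.Path } } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Turn the audited files into candidate allow rules: Publisher rules where the
# file is signed, falling back to Hash rules for unsigned files. -Optimize merges
# rules that share a publisher. The output path is an assumption for this example.
$candidates = "$env:TEMP\applocker-candidates.xml"
New-AppLockerPolicy -FileInformation $wouldBlock -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File $candidates -Encoding utf8

Write-Host "Candidate rules written to $candidates."
Write-Host "Review them, drop anything that should stay blocked, then merge into the GPO before enforcing."
```

Unsigned files fall through to Hash rules, which break on every update, so a recurring "unsigned" entry in the summary is usually the sign to ask the vendor for signed binaries or to place the tool under a controlled Path rule.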


Remote access


Three common methods of remote access:

• Remote Desktop via Web

• VPN Client

• LogMeIn


Remote access


Remote Access methods compared

Remote Desktop via web

Strengths:

● No client software to install

● Win/Mac/iOS friendly

● No actual data transfer in/out

● Users managed via A/D

● Single Sign-On

Weaknesses:

● Complicated initial setup

● Security concerns/firewall access

● Requires deep IT knowledge to admin

● Limited access to network storage

LogMeIn

Strengths:

● Easiest setup & management

● 2-factor auth available

● No client software to install

● Easy access to network storage

Weaknesses:

● Ties up an actual PC while in use

● User management duplication

VPN

Strengths:

● Puts remote PC on internal network

● Win/Mac/iOS clients exist (mostly)

● Access to network storage

Weaknesses:

● Complicated set-up & management

● Requires client software install

● Enterprise apps must be on remote PC

● Puts remote PC on internal network


Q&A

SOFTWARE


Responding to museum security: users

Securing Your Museum in a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams


Keeping Users Secure


• Mobile Security

• Endpoint Security

• Online Behaviors

• Offline Behaviors

• IT / HR Partnership


Keeping Users Secure


• Mobile Security

‒ Enable extra layers of security

‒ Install and test location-finding software

‒ Install anti-virus software

‒ Regularly check for firmware and security updates


Keeping Users Secure


• Endpoint Security

‒ Anti-virus Solutions

‒ Anti-malware Solutions

‒ Effective

‒ Regularly check for firmware and security updates


Keeping Users Secure


• Online Behaviors

‒ Mindfulness around unfamiliar links

‒ Be a conscientious web browser

‒ Posting security-sensitive data on Social Media

‒ Social Media Authentication vs. Password Vault Solutions

‒ User Awareness Training: “If you see something, say something”

‒ Executive buy-in on user training


Keeping Users Secure


• Offline Behaviors

‒ Locking your PC

‒ Locking down your laptop (cable locks, keep it out of sight, etc.)

‒ Eliminate writing down passwords

‒ Printing secure documents and removing them from the workplace

‒ “Clear desk” policy

‒ External Storage Device policy (thumb drives, etc.)


Keeping Users Secure


• IT / HR Partnership

‒ Off-board / On-boarding

‒ Changes in Roles/Responsibilities

‒ Fraudulent Internal Security Threats

‒ Security Trainings and Threat Communications

▪ Frequency, Content and Format

▪ Target Audiences

▪ Certification, Test Drills, Compliance


Q&A

USERS


Takeaways


• Angie: “Make sure your security compliance and risk metrics are a core governance item” - @angie_dexibit | angie@dexibit.com

• Adam: “Open DNS/Umbrella is the best security investment you can make (it’s FREE!!!)” - adam.gegg@slam.org

• Mara: “Make sure someone is thinking of security. Know where to get advice. And: quit sharing passwords.” - @mkurlandsky | mkurlandsky@nmwa.org

• James: “Always manually type in the URLs of websites you receive through email or IMs.” - jvitale@lacma.org

• Jeff: “Our people are our greatest asset and risk when it comes to cyber security.” - @cjeffw | jwilliams@hammer.ucla.edu


Thank you
