SEAS Cybersecurity Awareness Day
Discussion on… A CIO’s Perspective on Information Security
Steve King, Interim Executive Director for Computing@SEAS
October 17, 2012


Page 1: Discussion on… A CIO’s Perspective on Information Security

SEAS Cybersecurity Awareness Day

Discussion on…

A CIO’s Perspective on Information Security

Steve King

Interim Executive Director for Computing@SEAS

October 17, 2012

Page 2

Table of Contents

After Lunch Perspectives
• YouTube and Vimeo (page 3)
• Dilbert and Blogs (page 5)

The Role of the CIO in Information Security
• Blanket (page 9)
• Balance (page 14)
• Teamwork (page 18)
• Case Studies (page 22)

Practical Steps for Improvement at SEAS (page 27)

Page 3

Vimeo

https://vimeo.com/47189352 - ITSM Weekly - ***

https://vimeo.com/47189353 - ITSM Weekly - **

Page 4

YouTube – a leading security guru: Bruce Schneier from BT
http://www.youtube.com/watch?v=dy4VJP-lZpA – Identification & I.D. Security

Three favorite quotes:
1. If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
2. There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
3. Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.

Page 5

Newest

Page 6

Popularity

Page 7

Rating

Page 8

Blogs

Page 9

Blanket

Page 10

Blanket – Four Pillars of Information Security

Physical Security
Network Security
Logical (host and client) Security
Procedures

Source: Lansing Business Monthly: 10_15_12

Page 11

Blanket – Range of Computing@SEAS Services

Page 12

Blanket – Information Security is a Journey, not a Destination

Keys

Proxy Servers

Encryption

Secure File Transfers

Page 13

Information Security Definition from Wikipedia

Page 14

Balance - Information Security Model from Wikipedia

Source: Wikipedia

Page 15

Balance – IS Risks vs. IS Spend/Investments

Risks – “security as the state of being free of fear and anxiety”; e.g. Linus

Costs: IS needs to be a discipline, also balancing due care and due diligence

Page 16

Balance – Organization Checks and Directions

• Peer organizations here at SEAS
• Strong alignment with HUIT, for both organizations
• Alliances and partnerships with vendors and associations and higher ed groups
• IS role expanding; analogy to Iron Mountain: CSO vs. CRO vs. CCO vs. CPO
• Need to evaluate and use enterprise application (e.g., GRC)

Page 17

Balance – IS and Computing Activities

Page 18

Teamwork – Cyber Security & Incident Response Team

High priority events are those that meet one or more of the following criteria:
• Disrupt a production service or system maintained by SEAS Computing.
• Affect a large number of accounts or systems.
• Grant access to confidential or HRCI data.
• Cause a severe business impact.
• Involve a remotely exploitable vulnerability with privilege escalation.

Medium priority events are those that meet one or more of the following criteria:
• Affect services or systems maintained by SEAS Computing.
• Affect only individual accounts rather than granting systemic access.
• Grant access to development or testing data.
• Involve a locally exploitable vulnerability with privilege escalation.

Low priority events are those that meet one or more of the following criteria:
• Affect individual laptops and desktops.
• Affect services or systems not maintained by SEAS Computing.

Priority   Time to first response   Remediation target (1)
High       1 business day (BD)      2 BD
Medium     2 BD                     4 BD
Low        5 BD                     Best effort

(1) Remediation entails one of the following categories: Repair, Rebuild and Notify
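The priority tiers and the response/remediation table above are easy to apply inconsistently by hand. As an added example (not code from the talk or from SEAS Computing), the script below encodes the slide's criteria as a set of attribute names chosen for this example, picks the highest tier an event matches, and turns the business-day targets into calendar deadlines, skipping weekends. Holidays are not modelled, and the attribute names are this example's own.

```python
from datetime import date, timedelta

# Priority criteria from the SEAS CSIRT slide, encoded as boolean event attributes.
# An event is represented by the set of criteria it meets; the highest tier wins.
HIGH_CRITERIA = {
    "disrupts_production_service",       # production service/system run by SEAS Computing
    "affects_many_accounts_or_systems",
    "grants_confidential_or_hrci_access",
    "severe_business_impact",
    "remote_privilege_escalation",
}
MEDIUM_CRITERIA = {
    "affects_seas_maintained_service",
    "affects_individual_accounts_only",
    "grants_dev_or_test_data_access",
    "local_privilege_escalation",
}
LOW_CRITERIA = {
    "affects_individual_endpoint",       # individual laptops and desktops
    "affects_non_seas_maintained_system",
}

# SLA table from the slide: (time to first response, remediation target), both in
# business days; None means "best effort" with no remediation deadline.
SLA = {
    "High": (1, 2),
    "Medium": (2, 4),
    "Low": (5, None),
}


def classify(criteria):
    """Return the priority tier for the set of criteria an event meets."""
    met = set(criteria)
    for tier, rules in (("High", HIGH_CRITERIA), ("Medium", MEDIUM_CRITERIA), ("Low", LOW_CRITERIA)):
        if met & rules:
            return tier
    raise ValueError("event meets none of the CSIRT priority criteria: %r" % sorted(met))


def add_business_days(start, n):
    """Advance `start` by n Monday-to-Friday days (holidays are not modelled)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0..4 are Monday..Friday
            n -= 1
    return current


def triage(criteria, reported_on):
    """Classify an event and compute its SLA deadlines from an ISO date string."""
    tier = classify(criteria)
    first_response_bd, remediation_bd = SLA[tier]
    reported = date.fromisoformat(reported_on)
    return {
        "priority": tier,
        "first_response_due": add_business_days(reported, first_response_bd).isoformat(),
        "remediation_due": (add_business_days(reported, remediation_bd).isoformat()
                            if remediation_bd is not None else "best effort"),
    }


if __name__ == "__main__":
    # Constructed sample: a remotely exploitable privilege escalation reported on the
    # day of the talk (Wednesday 2012-10-17).
    print(triage({"remote_privilege_escalation"}, "2012-10-17"))
```

Because the tiers overlap (an event on an individual laptop can also cause a severe business impact), the classifier checks High first and stops at the first match, which is the usual "highest applicable priority" reading of such tables.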

Page 19

Teamwork – Security Operations

• Weekly meeting on Wednesdays at 2pm
• Triage role which rotates and communicates regularly with ISO
• “Event” driven – tracking system and documentation wiki
• [email protected]
• Most common events in 1Q FY13
  – Infected computers
  – Vulnerable websites
  – Host software currency (or lack thereof)

Page 20

Teamwork – Quarterly Joint Project Objectives

• 2Q FY13 Priorities:
  – “Admin” Active Directory Retirement
  – AirWatch MDM
  – Secunia CSI
  – Quest Password Self-Service
  – Desktop Banner

• 2013 Backlog: Stealth Audit, Web Application Firewalls, Identity Finder, …

Page 21

Teamwork – Certifications, Memberships, and Reporting

CSA

IANS

CISSP

Metrics

Page 22

Case Study 1: SEAS Identity Consolidation

• Admin domain, seas domain, nis
• Hard to tell if someone is trying to impersonate you or break your password
• Hard to keep passwords in sync
• Hard to make sure services are revoked when someone leaves the school

Page 23

Case Study 1: SEAS Identity Consolidation

• Check how you connect to network file shares (vfiler0, vfiler1)

• If you use Windows, check how you log in to your desktop or laptop

How can I help?

Page 24

Case Study 1: SEAS Identity Consolidation

• Computing@SEAS can deliver a self-service password reset tool (answer security questions to reset your own password without a support call)

• Step toward identity integration between schools at Harvard

What’s in it for me?

Page 25

Case Study 2: Secure Remote Desktops

• Remote Desktops for Courses and Research
  – Because it provides shell access, requires stronger identity assurance
  – Approach: NX using SSH keys and user password
  – Dedicated SSH keys per user for connections, provides secure transport and initial connections
  – User passwords grant access to your account once connected to system
  – Poor man’s two-factor

Page 26

Case Study 3: Refactored Data & Networking paradigms for academic work

• Old model: living on the edge
  – build a desktop or web server machine, put it on the internet, and log in remotely via SSH+password – fodder for script kiddies

• New model: behind closed doors
  – locate these client machines on dedicated networks for users, and provide firewalled internet access or VPN connections – warm fuzzy feelings of security

• Future model: living in the cloud
  – Your data follows you securely across the network and internet, and your server spins up or down only when you need it, on demand. Your laptop/iPad/mobile device stays with you on secured networks.
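Case Study 2's "poor man's two-factor" (a per-user SSH key for the connection, then the account password) and Case Study 3's "old model" (SSH with a password alone, reachable from the internet) are the two ends of one sshd setting. As an added example, not code from the talk, SEAS, or OpenSSH, the checker below parses the global section of an sshd_config and reports whether a password alone is accepted, a key alone, or key plus password. The keywords are real OpenSSH sshd_config keywords; AuthenticationMethods, which expresses the key-then-password chain directly, arrived in OpenSSH 6.2 after this talk (the NX approach on the slide predates it). The parser, verdict strings and the two sample configs are this example's own.

```python
def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    As in sshd, the first occurrence of a keyword wins. Lines after a 'Match'
    header are conditional overrides and are outside this checker's scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def assess_auth(text):
    """Classify what a client must present to log in through this sshd."""
    cfg = parse_sshd_config(text)
    yes = lambda keyword, default: cfg.get(keyword, default).lower() == "yes"
    pubkey_on = yes("pubkeyauthentication", "yes")
    password_on = yes("passwordauthentication", "yes")
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication.
    kbd_on = yes("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication", "yes"))
    methods = cfg.get("authenticationmethods", "any").lower()

    if methods != "any":
        # Space-separated alternatives; within each, comma-separated methods that
        # must all succeed. Every alternative must demand a key plus a password
        # (or keyboard-interactive) for the login to be a real two-step check.
        chains = [set(alt.split(",")) for alt in methods.split()]
        needs_key = all("publickey" in chain for chain in chains)
        needs_secret = all(chain & {"password", "keyboard-interactive"} for chain in chains)
        secret_ok = all(("password" in chain and password_on) or
                        ("keyboard-interactive" in chain and kbd_on) for chain in chains)
        if needs_key and needs_secret:
            return "key-and-password" if (pubkey_on and secret_ok) else "unsatisfiable-chain"
        if all(chain == {"publickey"} for chain in chains):
            return "key-only"
        # Otherwise some alternative accepts fewer factors; judge by the enabled methods.

    if password_on:
        return "password-alone-accepted"
    if pubkey_on:
        return "key-only"
    return "no-password-or-key-auth"


# Constructed sample configs for this example, not taken from any SEAS system.
OLD_MODEL = """\
# Internet-facing box: a password on its own logs you in
PubkeyAuthentication yes
PasswordAuthentication yes
"""

KEY_THEN_PASSWORD = """\
# The per-user key authenticates the connection, then the account password is required too
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
"""

if __name__ == "__main__":
    for name, body in (("old model", OLD_MODEL), ("key then password", KEY_THEN_PASSWORD)):
        print("%-18s %s" % (name, assess_auth(body)))
```

The "unsatisfiable-chain" verdict covers a configuration that names a method in AuthenticationMethods but disables it elsewhere (for example a password chain with PasswordAuthentication no), which locks everyone out rather than adding a factor; it is worth catching before a restart of sshd rather than after.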

Page 27

Practical Steps for Improvement at SEAS

Recommendations from Executive Director for Computing
I. Begin to use and build the SmartCard ID for proximity access, Charlie and parking Metercard and bicycle rental integration
II. Strengthen our password management policies and require periodic change
III. Introduce second factor authentication in network access
IV. Accelerate SEAS moves to IAM and HUIT shared services
V. Implement new activity, reporting and compliance system