Lock It Down! Securing Your Museum In a Hacker’s World
Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams
Friday, November 10th, 2017
#MCN2017-F7
Panelists
MCN 201702
Mara Kurlandsky
Project Coordinator for Digital Engagement
National Museum of Women in the Arts
@mkurlandsky
Adam Gegg
Director of Information Technology
St. Louis Art Museum
Angie Judge
Chief Executive Officer
Dexibit
@angie_dexibit
James Vitale
Senior Solutions Architect
L.A. County Museum of Art
Jeff Williams
Associate Director Technology
Hammer Museum
@cjeffw
Agenda
• When the worst happens…
‒ Major breaches in 2017
‒ Risk and consequence
‒ Lessons learned
• Trends
• Responding to museum security challenges in a digital age
‒ Infrastructure (plus Q&A)
‒ Software (plus Q&A)
‒ Users (plus Q&A)
• The security checklist
• Priorities and takeaways
A question not of if, but when
73% of Americans have fallen victim to cybercrime. If so, why is executive sponsorship for investment in security such a hard sell?
When the worst happens...
“There should have been a very comprehensive set of policies and procedures for what to do to respond.” - Jonathan Bernstein, President, Bernstein Crisis Management
“We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.” - Alexander Urbelis, Security Expert
Most devices and routers rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected.
“Forget Bluejacking, BlueBorne doesn’t require the hacker to pair with your device.”
“Misconfiguration isn’t a malicious hack in itself, but it is a critical and all too common cybersecurity risk for both institutions and individuals.” - Wired
“What should have been a service interruption error became a devastating data loss when the company discovered its back ups were ineffectual.”
Risks and consequences
Loss of reputation
Cost of ransom
Loss of data
Loss of time
Cost of repair
Lessons learned
What can we do to keep our museums safe?
• Stay informed and listen to regular updates and announcements
• Stay patched (including for bring your own device users)
• Know your partners and what they’re doing to stay secure
• Routinely audit your configurations
• Monitor alerts
Institutional technology trends impacting security
• Mobile, BYOD and IoT
• Guest WiFi
• Telecommuting
• Cloud and open source
• Social engineering
How to respond to security vulnerabilities
• Infrastructure
• Software
• Users
Responding to museum security: infrastructure
Infrastructure
What needs to be done?
• Protecting Your Network
‒ Physical
‒ Wireless
‒ Wired
• Protecting Your Desktop
• Protecting Your Data
What is needed to do this?
• Processes
‒ Documented
‒ Followed
‒ Audited
• Hardware
‒ Firewall, switches, etc...
Infrastructure
• Protecting Your Network: Physical Site
‒ Work closely with security department to ensure staff and guests
aren’t where they shouldn’t be:
▪ Visible ID Badges
▪ Secured Entry
▪ Monitored Access Logs
▪ Locking Offices
▪ Securing computers in public spaces
Infrastructure
• Protecting Your Network: Wireless Network Security
‒ Access Policies & Virtual Local Area Network (VLAN) Configuration
‒ Guest WiFi
‒ Corporate / Internal WiFi
▪ MAC Address filtering
▪ Domain Authentication
Infrastructure
• Protecting Your Network: Wired Network Security
‒ Ethernet Ports / Port Security
▪ MAC Address
‒ Access Policies & VLAN Configuration
‒ Network Authentication and User Management
▪ Active Directory
▪ Processes to ensure only active staff have active accounts
‒ Firewall & Security Appliances
Cisco 5585-X Adaptive Security Appliance: Firewall, VPN, and Intrusion Prevention System
Infrastructure
• Protecting Your Network: Data Security
‒ Backup Policy
▪ RPO - Recovery Point Objective
▪ RTO - Recovery Time Objective
▪ DR/BC - Disaster Recovery / Business Continuity
‒ Backup Appliances
‒ Offsite / Onsite Options (Cloud considerations)
▪ AWS, Iron Mountain, etc...
Infrastructure
• Preventive
‒ Firewall (Network Intrusion)
‒ Data Backups (Ransomware Protection)
‒ Endpoint Protection
▪ “0-day” virus attacks
▪ Known virus attacks
▪ Email/Chat/Browser Clients
▪ File Attachments / Downloads / Quarantining Infected Files
Q&A
INFRASTRUCTURE
Responding to museum security: software
Software
• Protecting Your Network
‒ Threat Avoidance & DNS
‒ Monitoring & Alerts
• Protecting Your Desktop
‒ Antivirus / Endpoint Protection, Anti-Malware
‒ Application Whitelisting
• Remote Access Solutions
Protecting Your Network: Threat Avoidance & DNS
Domain Name System (DNS) is at the foundation of the internet
All modern malware relies on DNS to function
Cisco Umbrella (OpenDNS) - Network Protection as a service
● 100B requests/day, 86M daily active users
● Ease of implementation / support
● Policy based (staff v. guest wifi)
● Protects remote users, laptop, iOS and Android
Threat Avoidance v. Content Filtering
Stop threats before they reach your edge.
Best single security investment ($18 per user per year).
Protecting Your Network: Domain Name System
Protecting Your Network: Monitoring & Alerts
Configure alerts so that you can focus on what matters and not spend all day reading logfiles.
Active resource monitoring lets you spot performance problems before they affect production.
Free: Spiceworks
Enterprise: Solarwinds, Microsoft System Center Operations Manager (SCOM)
At SLAM we use SCOM for performance and security monitoring of our servers. SCOM integrates with Operations Manager in Azure to aggregate performance, health and security status on our servers and workstations and VMware and Network resources.
Protecting Your Desktop: Anti-virus/Anti-malware
Traditional v Next-Gen Antivirus
“A traditional AV solution is limited to detecting only the malware it knows. If the threat is not known, not analyzed and not recorded in the DAT file, or if the DAT file is not updated, or if the attack doesn’t use malware in the first place, the protection offered is nonexistent for that class of threats.” -SANS.ORG
Traditional:
● Less expensive
● Needs more management - updates
● Can be less effective
But used as one component in a larger cybersecurity stack, traditional AV can be perfectly adequate.
Next-Gen:
● Can be much more expensive
● Less management required
● Novel technologies - machine learning, cloud analytics, managed hunting
Due to high cost, industries like finance and healthcare may be more appropriate for next-gen AV solutions.
Protecting Your Desktop: Application Whitelisting
Prevents programs from running unless they are specifically permitted by policy. This includes packaged apps, executables, installer scripts and DLLs.
● AppLocker is built into Windows 10 (all flavors) and Windows 7 Ultimate and Enterprise (not Professional)
● Managed via Group Policy Object (GPO)
● Deployed via AD Security Group
● Filters by Publisher, Path or File Hash
● Run it in Audit Mode and review the logs to see what would be blocked before you go live!
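The Audit Mode pilot the slide recommends, as an added PowerShell example that is not part of the deck or any panelist's environment: it inventories a reference workstation, generates Publisher/Hash rules, forces AuditOnly, applies the policy locally and then reads the "would have been blocked" events. The folder paths, policy file location and sample file are assumptions; the AppLocker cmdlets and event IDs are Microsoft's.

```powershell
# Added example, not from the MCN 2017 deck: build an AppLocker policy in Audit
# Mode from a reference workstation, then review what *would* have been blocked.
# Assumes an elevated PowerShell on Windows 10 Enterprise; $policyDir and the
# inventoried folders are choices made here, not values from the deck.
Import-Module AppLocker
$policyDir  = 'C:\ProgramData\AppLockerPolicy'   # assumed location for the XML
$policyPath = Join-Path $policyDir 'applocker-audit.xml'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory what is installed on a known-good machine (executables, DLLs,
#    scripts and installers). C:\Windows is slow but without it every OS
#    binary would show up as "would block" in the audit log.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Publisher rules for signed files, Hash rules as the fallback for unsigned
#    ones. Path rules are left out on purpose: a user-writable folder would
#    otherwise become an allow-list entry. -Optimize merges duplicate rules.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
           -User Everyone -Optimize -Xml

# 3. Force every rule collection to AuditOnly before it goes anywhere near a GPO.
$doc = [xml]$xml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyPath)

# 4. Apply locally for the pilot. For the fleet, import the same XML into a GPO
#    scoped to the AD security group (Set-AppLockerPolicy -Ldap targets a GPO).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Dry-run one file against the policy without touching any user.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\Public\Downloads\installer.exe'   # constructed sample path

# 6. Review the audit trail: event 8003 (EXE/DLL) and 8006 (MSI/Script) mean
#    "allowed, but would have been blocked if the policy were enforced".
$logs = @{ 'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
           'Microsoft-Windows-AppLocker/MSI and Script' = 8006 }
foreach ($log in $logs.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $logs[$log] } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'WouldBlock'; e = { $_.Message.Split("`n")[0] } }
}
```

Only after the 8003/8006 stream stops surprising you should the EnforcementMode attribute be changed to Enabled.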
Remote access
Three common methods of remote access:
• Remote Desktop via Web
• VPN Client
• LogMeIn
Remote access
Remote Access methods compared

Remote Desktop via web
Strengths:
● No client software to install
● Win/Mac/iOS friendly
● No actual data transfer in/out
● Users managed via A/D
● Single Sign-On
Weaknesses:
● Complicated initial setup
● Security concerns/firewall access
● Requires deep IT knowledge to admin
● Limited access to network storage

VPN
Strengths:
● Puts remote PC on internal network
● Win/Mac/iOS clients exist (mostly)
● Access to network storage
Weaknesses:
● Complicated set-up & management
● Requires client software install
● Enterprise apps must be on remote PC
● Puts remote PC on internal network

LogMeIn
Strengths:
● Easiest setup & management
● 2-factor auth available
● No client software to install
● Easy access to network storage
Weaknesses:
● Ties up an actual PC while in use
● User management duplication
Q&A
SOFTWARE
Responding to museum security: users
Keeping Users Secure
• Mobile Security
• Endpoint Security
• Online Behaviors
• Offline Behaviors
• IT / HR Partnership
Keeping Users Secure
• Mobile Security
‒ Enable extra layers of security
‒ Install and test location-finding software
‒ Install anti-virus software
‒ Regularly check for firmware and security updates
Keeping Users Secure
• Endpoint Security
‒ Anti-virus Solutions
‒ Anti-malware Solutions
‒ Effective
‒ Regularly check for firmware and security updates
Keeping Users Secure
• Online Behaviors
‒ Mindfulness around unfamiliar links
‒ Be a conscientious web browser
‒ Posting security-sensitive data on Social Media
‒ Social Media Authentication vs. Password Vault Solutions
‒ User Awareness Training: “If you see something, say something”
‒ Executive buy-in on user training
Keeping Users Secure
• Offline Behaviors
‒ Locking your PC
‒ Locking down your laptop (cable locks, keep out of sight, etc.)
‒ Eliminate writing down passwords
‒ Printing secure documents and removing them from the workplace
‒ “Clear desk” policy
‒ External Storage Device policy (thumb drives, etc.)
Keeping Users Secure
• IT / HR Partnership
‒ On-boarding / Off-boarding
‒ Changes in Roles/Responsibilities
‒ Fraudulent Internal Security Threats
‒ Security Trainings and Threat Communications
▪ Frequency, Content and Format
▪ Target Audiences
▪ Certification, Test Drills, Compliance
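Both the wired-network point ("processes to ensure only active staff have active accounts") and the IT/HR off-boarding point above come down to the same recurring check. The script below is an added example, not code from the deck or from any panelist's museum: it reports enabled Active Directory accounts that have not been used for 90 days and stages them for disabling. The domain DN, report path, exclusion OU and 90-day window are assumptions; the cmdlets are from Microsoft's RSAT ActiveDirectory module.

```powershell
# Added example, not from the MCN 2017 deck: a periodic audit that finds AD user
# accounts which are still enabled but have not logged on for $inactiveDays days,
# i.e. the accounts that incomplete off-boarding tends to leave behind. Assumes
# the RSAT ActiveDirectory module and a delegated admin; the window, report path
# and excluded OU are choices made here (placeholder DN, not a real domain).
Import-Module ActiveDirectory

$inactiveDays = 90
$cutoff       = (Get-Date).AddDays(-$inactiveDays)
$reportPath   = 'C:\Reports\stale-accounts.csv'               # assumed path
$excludeOu    = 'OU=Service Accounts,DC=museum,DC=example'    # placeholder DN

# Accounts whose last logon is older than the window. LastLogonDate comes from
# lastLogonTimestamp, which replicates lazily (up to about 14 days behind), so
# the real inactivity is at least this long; it never produces a false "active".
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$excludeOu" } |
    Get-ADUser -Properties LastLogonDate, whenCreated, Department, Manager

# Accounts created for someone who never logged on at all (a hire who never
# started, a contractor whose access was never used) carry no LastLogonDate.
$neverUsed = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated, Department, Manager |
    Where-Object { -not $_.LastLogonDate -and $_.DistinguishedName -notlike "*,$excludeOu" }

# Union, de-duplicate, and drop anything younger than the window so a brand-new
# account that simply has not been used yet is never flagged.
$report = @($stale) + @($neverUsed) |
    Where-Object { $_.whenCreated -lt $cutoff } |
    Sort-Object SamAccountName -Unique |
    Select-Object SamAccountName, Name, Department, Manager, LastLogonDate, whenCreated, DistinguishedName
$report | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "$(@($report).Count) enabled accounts look stale; review $reportPath with HR before acting."

# Disable rather than delete: group memberships and the SID are evidence and
# may be needed for a rehire. -WhatIf makes this a dry run; remove it after review.
foreach ($u in $report) {
    Set-ADUser -Identity $u.SamAccountName -WhatIf `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $inactiveDays days"
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf
}
```

Run it on a schedule and have HR confirm each name against the leaver list before the -WhatIf switches come off.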
Q&A
USERS
Takeaways
• Angie: “Make sure your security compliance and risk metrics are a core governance item” (@angie_dexibit)
• Adam: “Open DNS/Umbrella is the best security investment you can make (it’s FREE!!!)”
• Mara: “Make sure someone is thinking of security. Know where to get advice. And: quit sharing passwords.” (@mkurlandsky)
• James: “Always manually type in the URLs of websites you receive through email or IMs.”
• Jeff: “Our people are our greatest asset and risk when it comes to cyber security.” (@cjeffw)
Thank you