TRANSCRIPT
1
SECURITY 101: Information Security Basics for IT Staff
Sponsored by UW Division of Information Technology, Office of Campus Information Security, and Professional Technical Education
Instructors: Cliff Cunningham & Braden Bruington
2
GREETINGS & INTRODUCTIONS
Cliff Cunningham & Braden Bruington, Technology Instructor & Consultant
DoIT security staff
3
WHY ARE YOU HERE?
Let’s be honest…
4
GOALS FOR THIS COURSE
To communicate… healthy data management practices.
To demonstrate… how to locate sensitive data.
To educate you… in the event of a data security incident.
To encourage you… to take some preemptive steps.
5
AGENDA
1. Defining our scope: Why is this important?
2. Defining sensitive data.
---------- BREAK ----------
3. How do I find sensitive data?
4. Handling a data security incident.
---------- BREAK ----------
5. Resources & Next steps
6
HAND-OUTS
Sign-up sheet (blue)
Copy of this presentation (cream)
Resources page (green)
Next Steps (yellow)
Evaluation form (pink)
7
WHO ARE YOU?
Titles? Roles? Operating systems? Show of hands…
Financial information
Health information
Grades
Credit cards
Other unique information types
9
DID YOU KNOW…?
Within UW system… 2 out of 3 IT professionals work outside of DoIT
How many different UW entities have their own IT staff?
[Chart: IT Professionals at UW, Non-DoIT vs. DoIT]
Why is this important?
10
SHOW ME THE MONEY
80% of campus-wide IT budget is for specified work
Decentralized funding = decentralized IT
Why is this important?
11
THUS, THIS COURSE…
This is a campus-wide initiative to…
Standardize our approach to campus-wide information security
Establish expectations
Generate a sense of ownership
Our own little “E Pluribus Unum” (“From many, one”)
Why is this important?
12
TIP OF THE TRAINING ICEBERG
All staff: Security workshops
100-level (All IT staff):
Security 101: Information Security Basics for IT Staff (You are here!)
Security 1XX: Information Security for Managers (?) (TBA)
200-level (System Admin, others?):
Security 201: Windows (JUL 28)
Security 202: OS X (AUG 11)
Security 203: Linux (SUM 2009)
300-level (Selected staff):
IIS Security
Developing Secure Code
Apache Security
Oracle Security
Firewall Security
Other…?
Why is this important?
13
TELL US YOUR STORIES…
Why is this important?
14
IT’S THE LAW…
Wisconsin’s Data Breach Notification Law
Statute 895.507 (2006), formerly Act 138
Any unauthorized access to personal info… must notify individual(s) within 45 days
Data includes: SSN; Driver’s license or state ID; Account number, code, password, PIN; DNA or biometric info
Why is this important?
15
ANALYSIS OF DATA LOSS INCIDENTS
http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
2006 | Private Sector | Public Sector | Higher Educ’n | Medical Centers
Outside Hackers | 15% | 13% | 52% | 3%
Insider Malfeasance | 10% | 5% | 2% | 20%
Human Error or Software Misconfig | 20% | 44% | 21% | 20%
Theft | 55% | 38% | 37% | 57%
Why is this important?
17
FALLOUT FROM DATA LOSS AT OU
“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”
“It was my intention to leave a sizable endowment to OU, but not any longer.”
“I will never donate another penny to you.”
Quotes taken from the article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12
18
EFFECTS OF DATA LOSS - VICTIM
On the victim:
Personal credit info can be destroyed
Bank accounts can be exploited
Private information can be made public
Intellectual property can be compromised
Patent opportunities can be lost
Why is this important?
19
EFFECTS OF DATA LOSS - UNIVERSITY
On the university:
Loss of grant money, contracts, research opportunities
National Institutes of Health won’t grant funds until…
Loss of reputation
Lawsuits
Intellectual property & patents
Why is this important?
20
LAWSUITS…
Lending Tree, May ’08
TJ Maxx, Jan ’07 ($24 million)
Fidelity Nat’l Information Services, Aug ’07
Davidson Companies, Apr ’08
Hannaford Bros. Co, Mar ’08
TSA, May ’07
Why is this important?
21
WHAT CAN YOU DO TO HELP?
Don’t overestimate… the awareness of managers.
Don’t underestimate… the value that you can add.
Use your educated eyes and ears.
Help data custodians realize that they (we?) may be in violation of certain laws or policies.
Why is this important?
22
WHY IS THIS IMPORTANT? - recap
It’s the law.
1/5th of data loss episodes result from human error or software misconfiguration.
Lost data causes damage to individuals.
Lost data causes damage to the university.
You are in a great position to help.
Why is this important?
23
AGENDA
1. Defining our scope: Why is this important?
2. What is sensitive data?
---------- BREAK ----------
3. How do I find sensitive data?
4. What do I do with a data security incident?
---------- BREAK ----------
5. Resources & Next steps
24
PERSONAL INFORMATION
SSN
Driver’s License Number
Name & Address
Biometric data: fingerprints, DNA maps, voice patterns
What is sensitive information?
25
HEALTH & MEDICAL INFORMATION
Physical diagnoses
Psychological diagnoses & treatment
Prescriptions
What is sensitive information?
26
FINANCIAL INFORMATION
Account numbers
Account passcodes
Debt balances
Net worth
Payroll
Expense reports
What is sensitive information?
27
ACADEMIC INFORMATION
Students: Grades; Transcripts; Communications w/faculty
Faculty/Staff: Intellectual property; Research data
What is sensitive information?
28
LAWS
Wisconsin’s “Breach Notification” law
FERPA – academic: Family Educational Rights and Privacy Act
HIPAA – health & medical: Health Insurance Portability and Accountability Act
What is sensitive information?
29
FERPA: TWO TYPES OF INFO
Public Information
Considered public; the student must request to have it suppressed
Includes: Name, address, phone; Email address; Dates of attendance; Degrees awarded; Enrollment status; Major field of study (this is a partial list)
Private Information
Tightly restricted
Includes: SSN; Student ID number; Race, ethnicity, nationality; Gender; Transcripts & grades (this is a partial list)
Information provided by the Office of the Registrar: UW-Madison Student Privacy Rights and Responsibilities
What is sensitive information?
30
FERPA AND ITS TENTACLES
Lesser-known items within FERPA’s reach:
Educational records
Personal notes between faculty and students
Communications with parents/guardians
How to post grades
Letters of recommendation
What is sensitive information?
31
WWW.REGISTRAR.WISC.EDU
For more info, the Office of the Registrar offers: Brochures; FAQs; On-line tutorials; Onsite training; One-on-one consultation
What is sensitive information?
32
POLICIES & GUIDELINES
Campus IT Policies: Appropriate Use Policies; Electronic Devices
Payment Card Industry Data Security Standard, a.k.a. PCI DSS: a list of specific suggestions, used by OCIS
What is sensitive information?
33
CASE STUDY…
DoIT Store website
Collecting data from hits
This collected data was being analyzed by the web hosting service
Web hosting service posted its findings
What is sensitive information?
34
THE REST OF THE STORY…
The data that was being captured included… campus IDs and NetIDs
Old campus IDs used to include SSNs
Web hosting service didn’t know
Web hosting service made its findings available to too many people
Web hosting service included captured data
What is sensitive information?
35
THE ANALYSIS
All were capable, professional entities
They didn’t know
They didn’t anticipate
What is sensitive information?
36
SOME RED FLAGS
Multiple parties involved
SSNs were still in some University IDs
Website collected too much info
Findings were publicly available
What is sensitive information?
39
BEFORE RUNNING A SCAN!!
How do I find sensitive information?
GET INFORMED PERMISSION!!!
These scans will produce unusual net-traffic!
40
FINDING SENSITIVE INFORMATION?
PII = Personally identifiable information
Numerous applications, called “PII finders”:
They scan drives
They locate recognizable patterns
They produce reports
You don’t always know what is on your machine
How do I find sensitive information?
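As an added illustration of what a PII finder does (this is not Cornell Spider’s or Identity Finder’s code; the patterns, validity rules and sample text are assumptions constructed here), a small Python scanner that walks a directory, matches SSN and card-number patterns, applies validity checks to cut false positives, and reports masked hits:

```python
import re
from pathlib import Path

# Candidate patterns (assumptions for this example, not Spider's or Identity Finder's rules):
# a 9-digit SSN with optional dash/space separators, and a 13-16 digit card number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Constructed sample standing in for a stray roster export found on a workstation.
SAMPLE = """Jane Doe, SSN 219-09-9999, phone 608-555-0100
Order #4111 1111 1111 1111 charged to department card
Old campus ID 000-12-3456 (area 000 is never issued, so not an SSN)
Ticket 4222 2222 2222 2221 looks like a card but fails the Luhn check
"""

def plausible_ssn(area, group, serial):
    """SSA issuance rules: area is never 000, 666 or 900-999; group and serial are never all zeros."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn checksum: weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, masked_value) hits; masking keeps the report from becoming sensitive data itself."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("CARD", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root, exts=(".txt", ".csv", ".log")):
    """Walk a directory tree the way a PII finder scans a drive; returns {path: hits}."""
    files = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in exts)
    return {str(p): h for p in files if (h := scan_text(p.read_text(errors="ignore")))}
```

Real products add many more patterns and file formats; the point here is that pattern matching alone over-reports, so the validity checks are what make the report usable.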
41
HOW?
Question:How might sensitive data find its way onto a piece of hardware?
How do I find sensitive information?
42
TWO PII FINDERS
Cornell Spider: Free, simplistic
Identity Finder: Being considered by UW DoIT Security group; More costly, but more robust; Free edition is now available, so it’s worth a try
Let’s see how they work
How do I find sensitive information?
43
COMPARE / CONTRAST
Tool | Pro | Con
Cornell Spider | Free | Fewer results, less accurate
Identity Finder | More results, more accurate | Relatively expensive
How do I find sensitive information?
44
ARE YOU AT RISK?
OCIS provides access to a few scanning tools
These tools test the security of network & workstation
This will tell you whether you are “at risk”.
How do I find sensitive information?
47
INCIDENT VS. BREACH
Define “incident”: Undetermined whether data has been lost
Any number of scenarios…
Losing a laptop
Firewall down
Critical patches are out-of-date
Hacked, or infected with malware
What to do with an incident?
48
INCIDENT VS. BREACH
Define “breach”: We know data has been acquired by an unauthorized person
What to do with an incident?
49
INCIDENT VS. BREACH
All breaches are incidents. Not all incidents are breaches.
What to do with an incident?
50
WELL-HANDLED INCIDENTS
Well-handled incidents will reduce…
1. … your exposure,
2. … the university’s exposure.
What to do with an incident?
51
DISCUSSION QUESTION…
Do you have an incident handling process?
What to do with an incident?
52
What to do with an incident?
Incident Response Flowchart
- Department
- Investigators
- CIO
- Admin Leader Team
- University Comm’ns
TOO MUCH INFORMATION
54
What to do with an incident?
The part you need to know
55
1 – WHAT HAPPENED?
Incident: Any exposure; Any risk; Not a “breach”, yet
What to do with an incident?
56
2 – WAS DATA AT RISK?
Was sensitive information at risk?
Does the device contain sensitive information?
Was that information accessible by a non-authorized user?
Physically accessible
Cyber-accessible (judgment?)
What to do with an incident?
57
3 – IF “NO”… RESOLVE THE INCIDENT
Close the issue. No need to report it.
What to do with an incident?
58
4 – IF “YES”… REPORT THE INCIDENT
You need to escalate the issue…
But, how do you report an incident?
What to do with an incident?
59
HOW TO REPORT AN INCIDENT?
“It depends.”
Non-urgent: [email protected]
Need a faster response? Open a DoIT HelpDesk ticket; they can escalate it if necessary
After hours? Contact the Network Operations Center (NOC), Phone: 263-4188
What to do with an incident?
60
WHAT DO I DO?
Preserve as much data as possible.
Do not tamper with the information; this can hinder further investigation.
Remove the device from the network; this cuts off any remote access to the machine.
Do not power off the machine; some forensic information may be stored in cache.
What to do with an incident?
61
SCENARIOS
1. A laptop in your department has been infected with a virus.
2. You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.
3. You get a call saying your department’s web server is unexpectedly serving pop-up ads.
64
70% of data breaches involve data the owners didn’t even know was there.
65
THE TROUBLE WITH SENSITIVE DATA…
Once you get it, it is very difficult to get rid of.
It replicates… Hardcopy; Backed up
Get rid of it! (if possible)
Resources & next steps
66
THINGS TO CONSIDER…
Do you really need the data? Question business practices.
Frequently re-assess security standards. Things change… Yesterday: SSNs. Tomorrow: Mobile phone numbers?
Office of Campus Information Security: OCIS is your friend
Resources & next steps
67
OCIS IS YOUR FRIEND
Training and Lockdown
Extensive resources
Security risk assessment: Individual & Departmental
www.cio.wisc.edu/security
IT Security Principles
68
IT SECURITY PRINCIPLE #1
Principle #1: Security is everyone’s responsibility. It takes a village...
Managers; IT support; Office staff; Faculty; End users; Students; Maintenance crew; Cleaning crew; Campus police
69
IT SECURITY PRINCIPLE #2
Principle #2: Security is part of the development life cycle.
Plan for it! Not an after-thought! Designed into the project plan,
i.e. Resources allocated; Logging & auditing capabilities; Layering security defenses
70
IT SECURITY PRINCIPLE #3
Principle #3: Security is asset management.
Lock it up! Classification of data; Establishing privileges; Separating or redistributing job responsibilities and duties
71
IT SECURITY PRINCIPLE #4
Principle #4: Security is a common understanding.
Think it through! Due diligence; Risks & Threats; Costs (OCIS assessment); Incident handling
72
RESOURCES & NEXT STEPS
Organizations: www.doit.wisc.edu/about/advisory.asp
TechPartners – forum: Sign-up
CTIG – Campus Technical Issues Group: Watch for presentations, attend… and join?
MTAG – Madison Technology Advisory Group: Know they exist… appointed roles
Resources & next steps
73
RESOURCES & NEXT STEPS
Refer to your handout… “When I Get Back to My Office, I Will…”
Resources & next steps
74
AGENDA - RECAP
1. Defining our scope: Why is this important?
2. What is sensitive data?
3. How do I find sensitive data?
4. What do I do with a data security incident?
5. Resources & Next steps
75
THE END…
Thank you!