1 information security basics for it staff sponsored by uw division of informational technology...

1

SECURITY 101:Information Security Basics for IT Staff

Sponsored by UW Division of Informational Technology Office of Campus Information Security

and Professional Technical Education--------------------------------

Instructors: Cliff Cunningham & Braden Bruington

2

GREETINGS & INTRODUCTIONS

Cliff Cunningham & Braden Bruington Technology Instructor & Consultant

DoIT security staff

3

WHY ARE YOU HERE?Let’s be honest…

4

GOALS FOR THIS COURSE

To communicate… … healthy data management practices.

To demonstrate… … how to locate sensitive data.

To educate you… … in the event of a data security incident.

To encourage you … to take some preemptive steps.

5

AGENDA

1. Defining our scope: Why is this important?

2. Defining sensitive data.---------- BREAK ----------

3. How do I find sensitive data?4. Handling a data security incident.

---------- BREAK ----------

5. Resources & Next steps

6

HAND-OUTS

Sign-up sheet (blue) Copy of this presentation Resources page (green) Next Steps (yellow) Evaluation form (pink)

cream

7

WHO ARE YOU?

Titles? Roles? Operating systems? Show of hands…

Financial information Health information Grades Credit cards Other unique information types

8

AGENDA


2. Defining sensitive data.---------- BREAK ----------

3. How do I find sensitive data?4. Handling a data security incident.

---------- BREAK ----------


9

DID YOU KNOW…?

Within UW system… 2 out of 3 IT

professionals work outside of DoIT

How many different UW entities have their own IT staff?

Non-DoIT

DoIT

IT Professionals at UW

Why is this important?

10

SHOW ME THE MONEY

80% of campus-wide IT budget is for specified work

Decentralized funding = decentralized IT


11

THUS, THIS COURSE…

This is a campus-wide initiative to… To standardize our approach to campus-

wide information security Establish expectations Generate a sense of ownership

Our own little “E Pluribus Unum” “From many, one”


12

TIP OF THE TRAINING ICEBERG

All staff

Security workshops

100-levelAll IT staff

Security 101:Information

Security Basics for IT

Staff

Security 1XX:Information Security for

Managers (?)(TBA)

200-levelSystem Admin

(others?)

Security 201:Windows(JUL 28)

Security 202:OS X

(AUG 11)

Security 203:Linux

(SUM 2009)

300-levelSelected staff

IIS Security

Developing Secure Code

Apache SecurityOracle

SecurityFirewall Security

Other…?Other…?You are

here!


13

TELL US YOUR STORIES…Why is this important?

14

IT’S THE LAW…

Wisconsin’s Data Breach Notification Law Statute 895.507 (2006) Formerly, Act 138 Any unauthorized access to personal info…

… must notify individual(s) within 45 days Data includes

SSN Driver’s license or state ID Account number, code, password, PIN DNA or biometric info


15

ANALYSIS OF DATA LOSS INCIDENTS

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

2006 Private Sector

Public Sector

Higher Educ’n

Medical Centers

Outside Hackers 15% 13% 52% 3%

Insider Malfeasance 10% 5% 2% 20%

Human Error or Software Misconfig 20% 44% 21% 20%

Theft 55% 38% 37% 57%


http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm*



16

ANALYSIS OF DATA LOSS INCIDENTS

2006 Private Sector

Public Sector

Higher Educ’n

Medical Centers

Outside Hackers 15% 13% 52% 3%

Insider Malfeasance 10% 5% 2% 20%

Human Error or Software Misconfig 20% 44% 21% 20%

Theft 55% 38% 37% 57%

http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm





17

FALLOUT FROM DATA LOSS AT OU

“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover

any and all loss, with punitive damages.”

“It was my intention to leave a sizable

endowment to OU, but not any longer”

“I will never donate another penny to you.”

Quotes taken from article “OU has been getting an earful about huge data theft”

by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12

http://www.mail-archive.com/[email protected]/msg05835.html

18

EFFECTS OF DATA LOSS - VICTIM

On the victim Personal credit info can be destroyed Bank accounts can be exploited Private information can be made public Intellectual property can be compromised Patent opportunities can be lost


19

EFFECTS OF DATA LOSS - UNIVERSITY On the university

Loss of grant money, contracts, research opp. National Institute of Health won’t grant

funds until… Loss of reputation Lawsuits Intellectual property & patents


20

LAWSUITS…

Lending Tree, May ‘08 TJ Maxx, Jan ’07 ($24 million) Fidelity Nat’l Information Services, Aug

‘07 Davidson Companies, Apr ’08 Hannaford Bros. Co, Mar ‘08 TSA, May ‘07


21

WHAT CAN YOU DO TO HELP?

Don’t overestimate… … the awareness of

managers. Don’t underestimate…

… the value that you can add. Use your educated eyes and

ears. Help data custodians realize that

they (we?) may be in violation of certain laws or policies.


22

WHY IS THIS IMPORTANT? - recap

It’s the law. 1/5th of data loss episodes result from

human error or software misconfiguration.

Lost data causes damage to individuals.

Lost data causes damage to the university.

You are in a great position to help.


23

AGENDA


2. What is sensitive data?---------- BREAK ----------

3. How do I find sensitive data?4. What do I do with a data security

incident?---------- BREAK ----------


24

PERSONAL INFORMATION

SSN Drivers License

Number Name & Address Biometric data

Finger prints DNA Maps Voice patterns

What is sensitive information?

25

HEALTH & MEDICAL INFORMATION

Physical diagnoses

Psychological diagnoses & treatment

Prescriptions


26

FINANCIAL INFORMATION

Account numbers Account passcodes Debt balances Net worth Payroll Expense report


27

ACADEMIC INFORMATION

Students Grades Transcripts Communications

w/faculty Faculty/Staff

Intellectual property Research data


28

LAWS

Wisconsin’s “Breach Notification” law

FERPA – academic Family Education Rights

and Privacy Act HIPAA – health & medical

Health Insurance Portability and Accountability Act


29

FERPA: TWO TYPES OF INFO

Public Information Considered public Student must request

to have it suppressed Includes

Name, address, phone Email address Dates of attendance Degrees awarded Enrollment status Major field of study

(this is a partial list)

Private Information Tightly restricted Includes

SSN Student ID number Race, ethnicity,

nationality Gender Transcripts & grades

(this is a partial list)Information provided by Office of Registrar

UW-Madison Student Privacy Rights and Responsibilities


30

FERPA AND ITS TENTACLES

Lesser-known items within FERPA’s reach Educational records Personal notes between faculty and students Communications with parents/guardians How to post grades Letters of recommendations


31

WWW.REGISTRAR.WISC.EDU

For more info, Office of the Registrar Brochures FAQs On-line tutorials Onsite training One-on-one consultation


32

POLICIES & GUIDELINES

Campus IT Policies Appropriate Use Policies Electronic Devices

Payment Card Industry Data Security Standard a.k.a. PCIDSS List of specific

suggestions Used by OCIS


33

CASE STUDY…

DoIT Store website Collecting data from hits This collected data was being analyzed

by the web hosting service Web hosting service posted its findings


34

THE REST OF THE STORY…

The data that was being captured included… campus ID’s and NetIDs

Old Campus ID’s used to include SSN’s Web hosting service didn’t know Web hosting service made its finding

available to too many people Web hosting service included captured data


35

THE ANALYSIS

All were capable, professional entities They didn’t know They didn’t anticipate


36

SOME RED FLAGS

Multiple parties involved SSNs were still in some University IDs Website collected too much info Findings were publicly available


37

AGENDA




incident?---------- BREAK ----------


38

AGENDA




incident?---------- BREAK ----------


39

BEFORE RUNNING A SCAN!!How do I find sensitive information?

GET INFORMED PERMISSION!!!

These scans will produce unusual

net-traffic !

40

FINDING SENSITIVE INFORMATION?

PII = Personally identifiable information

Numerous applications, called “PII finders” They scan drives They locate recognizable patterns They produce reports

You don’t always know what is on your machine

How do I find sensitive information?

41

HOW?

Question:How might sensitive data find its way onto a piece of hardware?


42

TWO PII FINDERS

Cornell Spider Free, simplistic

Identity Finder Being considered by UW DoIT Security

group More costly, but more robust Free edition is now available, so it’s worth

a try Let’s see how they work


43

COMPARE / CONTRAST

Pro Con

Cornell Spider Free

Fewer results, less

accurate

Identity Finder

More results, more

accurate

Relatively expensive


44

ARE YOU AT RISK?

OCIS provides access to a few scanning tools

These tools test the security of network & workstation

This will tell you whether you are “at risk”.


45

BEFORE RUNNING A SCAN!!How do I find sensitive information?

GET INFORMED PERMISSION!!!

These scans will produce unusual

net-traffic !

46

AGENDA




incident?---------- BREAK ----------


47

INCIDENT VS. BREACH

Define “incident” Undetermined whether data has been lost Any number of scenarios…

Losing a laptop Firewall down Critical patches are out-of-date Hacked, or infected with malware

What to do with an incident?

48

INCIDENT VS. BREACH

Define “breach” We know data has been acquired by

unauthorized person


49

INCIDENT VS. BREACH

All breaches are incidents.Not all incidents are

breaches.


50

WELL-HANDLED INCIDENTS

Well-handled incidents will reduce…1. … your exposure,2. … the university’s exposure.


51

DISCUSSION QUESTION…

Do you have an incident handling process?


52


Incident Response Flowchart

- Department

- Investigators

- CIO

- Admin Leader Team

- University Comm’ns

TOO MUCH

INFORMATIO

N

53


Incident Response Flowchart

- Department

- Investigators

- CIO

- Admin Leader Team

- University Comm’ns

54

What to do with an incident?The part you need to

know

55

1 – WHAT HAPPENED?

Incident Any exposure Any risk Not a “breach”, yet


56

2 – WAS DATA AT RISK?

Was sensitive information at risk? Does the device

contain sensitive information?

Was that information accessible by non-authorized user?

Physically accessible Cyber-accessible

(judgment?)


57

3 – IF “NO”… RESOLVE THE INCIDENT

Close the issue No need to report

it


58

4 – IF “YES”… REPORT THE INCIDENT

You need to escalate the issue…

But, how do you report an incident?


59

HOW TO REPORT AN INCIDENT?

“It depends.” Non-urgent:

[email protected] Need a faster response?

Open a DoIT HelpDesk ticket They can escalate it if necessary

After hours? Contact Network

Operations Center (NOC) Phone: 263-4188


mailto:[email protected]

60

WHAT DO I DO?

Preserve as much data as possible. Do not tamper with the information

This can hinder further investigation. Remove device from the network

This cuts off any remote access to the machine

Do not power-off the machine Some forensic information may be stored in

cache


61

SCENARIOS

1. A laptop in your department has been infected with a virus.

2. You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.

3. You get a call saying your department’s web server is unexpectedly serving pop-up ads.

62

AGENDA




incident?---------- BREAK ----------


63

AGENDA




incident?---------- BREAK ----------


64

70% of data breaches involve data the owners didn’t even

know was there.

65

THE TROUBLE WITH SENSITIVE DATA… Once you get it, it is

very difficult to get rid of.

It replicates… Hardcopy Backed up

Get rid of it! (if possible)

Resources & next steps

66

THINGS TO CONSIDER…

Do you really need the data? Question business practices.

Frequently re-assess security standards. Things change… Yesterday: SSNs Tomorrow: Mobile phone numbers?

Office of Campus Information Security OCIS is your friend


67

OCIS IS YOUR FRIEND

Training and Lockdown

Extensive resources

Security risk assessment

Individual & Departmental

www.cio.wisc.edu/security

IT Security Principles

http://www.cio.wisc.edu/security

http://www.cio.wisc.edu/security

68

IT SECURITY PRINCIPLE #1

Principle #1: Security is everyone’s responsibility. It takes a village...

Managers IT support Office staff Faculty End users Students Maintenance crew Cleaning crew Campus police

69


Principle #2: Security is part of the development life cycle.

Plan for it! Not an after-thought! Designed into the project plan

i.e. Resources allocated Logging & auditing capabilities Layering security defenses

70


Principle #3: Security is asset management.

Lock it up! Classification of data Establishing privileges Separating or

redistributing job responsibilities and duties

71


Principle #4: Security is a common understanding.

Think it through! Due diligence Risks & Threats

Costs (OCIS assessment)

Incident handling

72

RESOURCES & NEXT STEPS

Organizations www.doit.wisc.edu/about/advisory.asp TechPartners – forum

Sign-up CTIG – Campus Technical Issues Group

Watch for presentations, attend… and join? MTAG – Madison Technology Advisory

Group Know they exist… appointed roles


http://www.doit.wisc.edu/about/advisory.asp

73

RESOURCES & NEXT STEPS

Refer to your handout… “When I Get Back to My Office, I Will…”


74

AGENDA - RECAP


2. What is sensitive data?

3. How do I find sensitive data?

4. What do I do with a data security incident?


75

THE END…

Thank you!

1 information security basics for it staff sponsored by uw division of informational technology...

Documents

data security incident

information security

cream slide

honest slide

staff security workshops

sensitive data

days data

unique information types