Posted on 26-Dec-2015


1

SECURITY 101: Information Security Basics for IT Staff

Sponsored by UW Division of Information Technology, Office of Campus Information Security, and Professional Technical Education

Instructors: Cliff Cunningham & Braden Bruington

2

GREETINGS & INTRODUCTIONS

Cliff Cunningham & Braden Bruington

Technology Instructor & Consultant

DoIT security staff

3

WHY ARE YOU HERE?

Let’s be honest…

4

GOALS FOR THIS COURSE

To communicate healthy data management practices.

To demonstrate how to locate sensitive data.

To educate you on what to do in the event of a data security incident.

To encourage you to take some preemptive steps.

5

AGENDA

1. Defining our scope: Why is this important?

2. Defining sensitive data.

---------- BREAK ----------

3. How do I find sensitive data?

4. Handling a data security incident.

---------- BREAK ----------

5. Resources & Next steps

6

HAND-OUTS

Sign-up sheet (blue)

Copy of this presentation (cream)

Resources page (green)

Next Steps (yellow)

Evaluation form (pink)

7

WHO ARE YOU?

Titles? Roles? Operating systems?

Show of hands… who works with:

Financial information

Health information

Grades

Credit cards

Other unique information types

9

DID YOU KNOW…?

Within the UW system… 2 out of 3 IT professionals work outside of DoIT.

How many different UW entities have their own IT staff?

[Chart: IT Professionals at UW, DoIT vs. non-DoIT]

Why is this important?

10

SHOW ME THE MONEY

80% of campus-wide IT budget is for specified work

Decentralized funding = decentralized IT


11

THUS, THIS COURSE…

This is a campus-wide initiative to…

Standardize our approach to campus-wide information security

Establish expectations

Generate a sense of ownership

Our own little “E Pluribus Unum”: “From many, one”


12

TIP OF THE TRAINING ICEBERG

All staff: Security workshops

100-level (all IT staff):

Security 101: Information Security Basics for IT Staff (You are here!)

Security 1XX: Information Security for Managers (?) (TBA)

200-level (System Admin; others?):

Security 201: Windows (JUL 28)

Security 202: OS X (AUG 11)

Security 203: Linux (SUM 2009)

300-level (selected staff):

IIS Security

Developing Secure Code

Apache Security

Oracle Security

Firewall Security

Other…? Other…?


13

TELL US YOUR STORIES…

14

IT’S THE LAW…

Wisconsin’s Data Breach Notification Law: Statute 895.507 (2006), formerly Act 138

Any unauthorized access to personal info… must notify individual(s) within 45 days

Data includes:

SSN

Driver’s license or state ID

Account number, code, password, PIN

DNA or biometric info


15

ANALYSIS OF DATA LOSS INCIDENTS

Source: http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm

2006 incidents by sector:

                                    Private Sector   Public Sector   Higher Educ’n   Medical Centers
Outside Hackers                     15%              13%             52%             3%
Insider Malfeasance                 10%              5%              2%              20%
Human Error or Software Misconfig   20%              44%             21%             20%
Theft                               55%              38%             37%             57%


17

FALLOUT FROM DATA LOSS AT OU

“If there is any financial damage… I will hold OU at fault and seek legal counsel to recover any and all loss, with punitive damages.”

“It was my intention to leave a sizable endowment to OU, but not any longer”

“I will never donate another penny to you.”

Quotes taken from the article “OU has been getting an earful about huge data theft” by Jim Phillips, Athens NEWS Sr Writer, 2006-06-12

18

EFFECTS OF DATA LOSS - VICTIM

On the victim:

Personal credit info can be destroyed

Bank accounts can be exploited

Private information can be made public

Intellectual property can be compromised

Patent opportunities can be lost


19

EFFECTS OF DATA LOSS - UNIVERSITY

On the university:

Loss of grant money, contracts, research opportunities (the National Institutes of Health won’t grant funds until…)

Loss of reputation

Lawsuits

Intellectual property & patents


20

LAWSUITS…

Lending Tree, May ’08

TJ Maxx, Jan ’07 ($24 million)

Fidelity Nat’l Information Services, Aug ’07

Davidson Companies, Apr ’08

Hannaford Bros. Co, Mar ’08

TSA, May ’07


21

WHAT CAN YOU DO TO HELP?

Don’t overestimate… the awareness of managers.

Don’t underestimate… the value that you can add.

Use your educated eyes and ears.

Help data custodians realize that they (we?) may be in violation of certain laws or policies.


22

WHY IS THIS IMPORTANT? - recap

It’s the law.

1/5th of data loss episodes result from human error or software misconfiguration.

Lost data causes damage to individuals.

Lost data causes damage to the university.

You are in a great position to help.


23

AGENDA

1. Defining our scope: Why is this important?

2. What is sensitive data?

---------- BREAK ----------

3. How do I find sensitive data?

4. What do I do with a data security incident?

---------- BREAK ----------

5. Resources & Next steps

24

PERSONAL INFORMATION

SSN

Driver’s License Number

Name & Address

Biometric data: fingerprints, DNA maps, voice patterns

What is sensitive information?

25

HEALTH & MEDICAL INFORMATION

Physical diagnoses

Psychological diagnoses & treatment

Prescriptions


26

FINANCIAL INFORMATION

Account numbers

Account passcodes

Debt balances

Net worth

Payroll

Expense reports


27

ACADEMIC INFORMATION

Students: grades, transcripts, communications w/faculty

Faculty/Staff: intellectual property, research data


28

LAWS

Wisconsin’s “Breach Notification” law

FERPA – academic: Family Educational Rights and Privacy Act

HIPAA – health & medical: Health Insurance Portability and Accountability Act


29

FERPA: TWO TYPES OF INFO

Public Information: considered public; the student must request to have it suppressed. Includes:

Name, address, phone

Email address

Dates of attendance

Degrees awarded

Enrollment status

Major field of study

(this is a partial list)

Private Information: tightly restricted. Includes:

SSN

Student ID number

Race, ethnicity, nationality

Gender

Transcripts & grades

(this is a partial list)

Information provided by the Office of the Registrar, UW-Madison Student Privacy Rights and Responsibilities


30

FERPA AND ITS TENTACLES

Lesser-known items within FERPA’s reach:

Educational records

Personal notes between faculty and students

Communications with parents/guardians

How to post grades

Letters of recommendation


31

WWW.REGISTRAR.WISC.EDU

For more info, the Office of the Registrar offers:

Brochures

FAQs

On-line tutorials

Onsite training

One-on-one consultation


32

POLICIES & GUIDELINES

Campus IT Policies: Appropriate Use Policies, Electronic Devices

Payment Card Industry Data Security Standard, a.k.a. PCI DSS: a list of specific suggestions, used by OCIS


33

CASE STUDY…

DoIT Store website, collecting data from hits

This collected data was being analyzed by the web hosting service

Web hosting service posted its findings


34

THE REST OF THE STORY…

The data that was being captured included… campus IDs and NetIDs

Old campus IDs used to include SSNs

Web hosting service didn’t know

Web hosting service made its findings available to too many people

Web hosting service included captured data


35

THE ANALYSIS

All were capable, professional entities

They didn’t know

They didn’t anticipate


36

SOME RED FLAGS

Multiple parties involved

SSNs were still in some University IDs

Website collected too much info

Findings were publicly available


39

BEFORE RUNNING A SCAN!!

GET INFORMED PERMISSION!!!

These scans will produce unusual net-traffic!

How do I find sensitive information?

40

FINDING SENSITIVE INFORMATION?

PII = Personally identifiable information

Numerous applications, called “PII finders”:

They scan drives

They locate recognizable patterns

They produce reports

You don’t always know what is on your machine


41

HOW?

Question: How might sensitive data find its way onto a piece of hardware?


42

TWO PII FINDERS

Cornell Spider: free, simplistic

Identity Finder: being considered by the UW DoIT Security group; more costly, but more robust; a free edition is now available, so it’s worth a try

Let’s see how they work


43

COMPARE / CONTRAST

                  Pro                           Con
Cornell Spider    Free                          Fewer results, less accurate
Identity Finder   More results, more accurate   Relatively expensive

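As an added illustration of what the PII finders above do (this is not code from Cornell Spider, Identity Finder, or the course), the Python sketch below scans a constructed text sample for the SSN and payment-card layouts the deck lists, and applies plausibility checks (SSA area rules, the Luhn checksum) so that a phone number or a digit typo does not land in the report, which is the accuracy difference the compare/contrast slide is about. The sample data is made up; the card number is the public 4111… test value.

```python
import re

# Constructed sample standing in for a file found on a scanned drive
# (the card number is the public 4111... test number, not a real card).
SAMPLE_TEXT = """
Student record: SSN 123-45-6789, campus ID 999-12-3456
Order note: card 4111 1111 1111 1111, expires 12/09
Phone: 608-263-4188 (NOC)
Typo in ledger: 4111 1111 1111 1112
"""

# Nine digits in the 3-2-4 layout; the look-arounds keep it from firing
# inside longer digit runs such as phone or account numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues: all-zero fields, area 666 or 900+."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_pii(text: str) -> list:
    """Return (kind, masked value) for each plausible hit, as a scan report would."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


if __name__ == "__main__":
    for kind, masked in find_pii(SAMPLE_TEXT):
        print(f"{kind}: {masked}")
```

The report masks all but the last four digits so that the scan output itself does not become another copy of the sensitive data.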

44

ARE YOU AT RISK?

OCIS provides access to a few scanning tools

These tools test the security of network & workstation

This will tell you whether you are “at risk”.


47

INCIDENT VS. BREACH

Define “incident”: it is undetermined whether data has been lost. Any number of scenarios…

Losing a laptop

Firewall down

Critical patches are out-of-date

Hacked, or infected with malware

What to do with an incident?

48

INCIDENT VS. BREACH

Define “breach”: we know data has been acquired by an unauthorized person.


49

INCIDENT VS. BREACH

All breaches are incidents. Not all incidents are breaches.


50

WELL-HANDLED INCIDENTS

Well-handled incidents will reduce…

1. … your exposure,

2. … the university’s exposure.


51

DISCUSSION QUESTION…

Do you have an incident handling process?


53


Incident Response Flowchart

- Department

- Investigators

- CIO

- Admin Leader Team

- University Comm’ns

54

The part you need to know

55

1 – WHAT HAPPENED?

Incident: any exposure, any risk. Not a “breach”, yet.


56

2 – WAS DATA AT RISK?

Was sensitive information at risk?

Does the device contain sensitive information?

Was that information accessible by a non-authorized user? Physically accessible? Cyber-accessible? (judgment?)


57

3 – IF “NO”… RESOLVE THE INCIDENT

Close the issue. No need to report it.


58

4 – IF “YES”… REPORT THE INCIDENT

You need to escalate the issue…

But, how do you report an incident?


59

HOW TO REPORT AN INCIDENT?

“It depends.”

Non-urgent: abuse@doit.wisc.edu

Need a faster response? Open a DoIT HelpDesk ticket; they can escalate it if necessary

After hours? Contact the Network Operations Center (NOC), phone: 263-4188


60

WHAT DO I DO?

Preserve as much data as possible.

Do not tamper with the information: this can hinder further investigation.

Remove the device from the network: this cuts off any remote access to the machine.

Do not power off the machine: some forensic information may be stored in cache.


61

SCENARIOS

1. A laptop in your department has been infected with a virus.

2. You have a single workstation that interfaces with a special piece of scientific equipment. It runs an unsupported OS. You are concerned that it may have been compromised.

3. You get a call saying your department’s web server is unexpectedly serving pop-up ads.

64

70% of data breaches involve data the owners didn’t even know was there.

65

THE TROUBLE WITH SENSITIVE DATA…

Once you get it, it is very difficult to get rid of.

It replicates… hardcopy, backups

Get rid of it! (if possible)

Resources & next steps

66

THINGS TO CONSIDER…

Do you really need the data? Question business practices.

Frequently re-assess security standards. Things change… Yesterday: SSNs. Tomorrow: mobile phone numbers?

Office of Campus Information Security: OCIS is your friend


67

OCIS IS YOUR FRIEND

Training and Lockdown

Extensive resources

Security risk assessment: individual & departmental

www.cio.wisc.edu/security

IT Security Principles

68

IT SECURITY PRINCIPLE #1

Principle #1: Security is everyone’s responsibility. It takes a village...

Managers

IT support

Office staff

Faculty

End users

Students

Maintenance crew

Cleaning crew

Campus police

69

IT SECURITY PRINCIPLE #2

Principle #2: Security is part of the development life cycle.

Plan for it! Not an after-thought! Designed into the project plan, e.g.:

Resources allocated

Logging & auditing capabilities

Layering security defenses

70

IT SECURITY PRINCIPLE #3

Principle #3: Security is asset management.

Lock it up!

Classification of data

Establishing privileges

Separating or redistributing job responsibilities and duties

71

IT SECURITY PRINCIPLE #4

Principle #4: Security is a common understanding.

Think it through!

Due diligence

Risks & threats

Costs (OCIS assessment)

Incident handling

72

RESOURCES & NEXT STEPS

Organizations: www.doit.wisc.edu/about/advisory.asp

TechPartners – forum: sign up

CTIG – Campus Technical Issues Group: watch for presentations, attend… and join?

MTAG – Madison Technology Advisory Group: know they exist… appointed roles


73

RESOURCES & NEXT STEPS

Refer to your handout… “When I Get Back to My Office, I Will…”


74

AGENDA - RECAP

1. Defining our scope: Why is this important?

2. What is sensitive data?

3. How do I find sensitive data?

4. What do I do with a data security incident?

5. Resources & Next steps

75

THE END…

Thank you!
