Information Security
The University of Texas at Dallas
Education – Partnership – Solutions
ISC Meeting
February 6, 2015
Information [email protected]
New Policy
Presented by Stephenie Edwards
New Policy Location
Contracts Evaluation
Presented by Leigh Hausman
Dr. StrangeCloud
Or: How I Learned to Stop Worrying and Love the Cloud
Policy Change
• Previous ISO leadership resisted the cloud; current ISO leadership embraces the cloud when used responsibly.
• Cloud services are subject to the ISO’s vendor survey process.
• We don’t say “no,” we ask “how can this be done safely?”
Why Cloud Services?
Advantages
• Faster to implement – might be activated without involvement from IR
• Less expensive (or free) – pay for only the capacity you use
• Flexible – add capacity as your needs change
Disadvantages
• Dependent on vendor – will they stay in business?
• More complex – do systems integrate?
• Less control – where is my data stored?
Lawyers to the rescue!
• Contracts are negotiable, but we have to do it before the contract is signed
• We should request any and all protections justified by the value of the data
• Contracts can require security equivalent to UTD controls
• There are many specialists on campus who can assist you (e.g. ISO, Contracts Office, Attorney)
• IT professionals are becoming more familiar with contracts affecting their operations.
Important Protections Available to UTD
• Appropriate architecture
  – Multi-tenant versus physical isolation
  – Method of access
• Security controls
  – Service Level Agreements (SLAs)
  – Timely patching
  – Secure transfer and storage of data
  – Limited vendor access
• Right to audit
  – UTD allowed to audit?
  – UTD access to audit results? (e.g. penetration tests, SSAE-16, 3rd-party reports)
Important Protections Available to UTD, cont.
• Does the contract address data ownership?
  – UTD data ownership should not shift to the vendor.
  – Data may need to be destroyed at the end of the relationship.
• Does the contract specify compliance with applicable laws?
  – Medical data needs to remain HIPAA compliant.
• What happens if there is a breach?
  – Notification provisions
  – Indemnification for losses if the vendor is at fault
• What happens if the company goes out of business or is acquired?
  – Source code escrow
PCI
Presented by Jason Carter
What is PCI?
• Payment Card Industry Data Security Standard (PCI DSS)
• Is it a Standard or a Law?
• PCI versus GLBA
• PCI DSS currently on Version 3.0
• We are considered an “SAQ C” Level Entity…
  • Because we accept credit card payments, but do not store full credit card numbers
Where Do We Fit in the Process?
[Diagram of the card payment flow; participants shown: UTD, Global Payments, Wells Fargo, Donor]
How Could Non-Compliance Affect UTD?
• Failure to comply can result in:
  • Fines
  • A Breach, Leading to Fines + Loss of Reputation
  • Loss of Our Ability to Accept Payments and DONATIONS via Credit Card
• REMEMBER… Part of the purpose of PCI DSS is determining liability for breaches and resulting losses (e.g. Target)
• Does your Department take Card Payments?
ISO’s Compliance Strategy for PCI DSS
Re-assessing using the new PCI DSS v3.0 checklist:
• Step 1: Scoping our Cardholder Data Environment (CDE)
  • Departments taking CC payments
  • Equipment used for transactions
  • Systems used for transactions
  • Network architecture supporting transactions
• Step 2: Assessment of CDE for Issues
• Step 3: Remediation of Issues
“Our goal is to help departments achieve compliance while not disrupting operations.”
Risk Scenario: “Concierge” Service
• We enter a Credit Card transaction on behalf of the donor, using a website intended for the donor (UTD Giving Sites)
• Common scenario among non-profits
• Problems:
  • No logs of who entered the transaction
  • If the donor disputes the charge, it becomes apparent to the providers that the transaction was entered incorrectly
  • Can lead to external audits by the card companies
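The first problem listed, no record of who entered the transaction, is the one a small amount of code addresses. Below is an added example, not from the presentation and not a UTD system, of an append-only audit record for concierge entries: every concierge entry must name the staff operator, the record holds only a donor reference and an amount (never card data, consistent with the SAQ C position above), and entries are hash-chained so that an after-the-fact edit is detectable when a donor disputes a charge. The class name, field names and sample values are assumptions for illustration; hash-chaining goes one step beyond what the slide asks for.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value used for the first entry


def _digest(body):
    # Canonical JSON (sorted keys) so the same record always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConciergeAuditLog:
    """Append-only, hash-chained record of card transactions that staff enter
    on a donor's behalf (illustrative class, not a UTD system).

    Each entry records WHO entered it (the staff operator), for which donor,
    and when. It never holds card numbers: only a donor reference and an
    amount. Each entry's hash covers the previous entry's hash, so editing or
    deleting an earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, operator, donor_ref, amount_cents, channel, ts=None):
        # Self-service entries (the donor typed it in) carry no operator;
        # concierge entries must, or there is again no log of who did it.
        if channel == "concierge" and not operator:
            raise ValueError("concierge transactions must record the staff operator")
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "operator": operator,
            "donor_ref": donor_ref,
            "amount_cents": amount_cents,
            "channel": channel,
            "prev": prev,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and check the chain; False on any tampering."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def concierge_entries_for(self, donor_ref):
        """For a disputed charge: which staff member entered it, and when?"""
        return [
            (e["operator"], e["ts"], e["amount_cents"])
            for e in self.entries
            if e["donor_ref"] == donor_ref and e["channel"] == "concierge"
        ]


if __name__ == "__main__":
    # Constructed sample entries, not real transactions.
    log = ConciergeAuditLog()
    log.record("staff-01", "donor-123", 5000, "concierge", ts="2015-02-06T10:00:00+00:00")
    log.record(None, "donor-456", 2500, "self-service", ts="2015-02-06T10:05:00+00:00")
    print("chain valid:", log.verify())
    print("who entered donor-123's gift:", log.concierge_entries_for("donor-123"))
    log.entries[0]["amount_cents"] = 9000  # simulate an after-the-fact edit
    print("chain valid after edit:", log.verify())
```

In practice the operator value would come from the staff member's authenticated session rather than a free-text parameter, and the chain's latest hash would be copied somewhere the operators cannot write to, so that a truncation of the whole log is also noticed.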
Next Steps
Below is a list of areas officially taking card payments (aside from MarketPlace, Bookstore & Dining Services). If there are more locations taking card payments, including concierge transactions, please let us know.
• Bursar’s Office
• Office of Development & Alumni Relations
• Callier Center
• Activities Center
• Parking Office
• Copy Center
• Library Kiosks
• Student Health Center
• Comet Center
• SSB Kiosks
Sony Pictures – Incident Postmortem
Presented by Dalton Brown
“The crooks were able to attack the same thing because Sony Pictures wasn’t going out and fixing it… You shouldn’t be able to gain access to one part of the network and get access to everything.”
- Chester Wisniewski, 2011
The November 2014 Hack – Background
• Confidential data belonging to Sony Pictures was released online. This data included the following:
  – Personal information for 47,000 employees (names, addresses, SSNs, etc.)
  – Emails between employees
  – Salaries
  – Full copies of unreleased films, including content which is politically controversial
  – Additional information unrelated to Sony Pictures’ business
The November 2014 Hack – Background
• Evidence of Hack
  – Evidence suggests that attackers had access for almost a year before detection.
  – Following the breach, the attackers (self-proclaimed “Guardians of Peace” or “GOP”) planted malware known as Wiper in the infrastructure (Wiper is designed to erase all data from hard drives).
  – GOP announced their hack on November 24, 2014 by displaying a graphic on employee workstations that contained a red skull with a message signed by the GOP.
  – IT operations and Information Security personnel learned of the attack at the same time as general employees and management.
How Did the GOP Gain Access?
The investigation is ongoing, but initial findings suggest:
• The GOP were able to gain network access through malware infection
• Workstations are at greater risk if they are missing patches, lack a malware prevention utility, or the user is running as administrator.
• The GOP exploited additional machines in order to find as much vital information as they could around the network.
• The GOP covered all traces of evidence using Wiper.
What Could Sony Have Done?
Sony Pictures was not alerted to the attack in progress due to the following:
• Security monitoring of the internal network was lacking, which allowed the GOP to travel laterally from system to system without detection.
• Hosts on the network were not resistant to malware infection.
• Sony Pictures did not sufficiently hide or isolate high-risk information within the network.
  – One report in early December of 2014 showed that Sony kept thousands of sensitive passwords in a folder named “Passwords.”
• Past breaches performed by other attackers did not result in enough architectural or cultural change within the organization.
Sony’s Faults
Sony’s systems were repeatedly breached:
• Lack of investment in Information Security. The first CISO in Sony’s history was hired following the Anonymous attack of 2011.
• Sony has a history of laying off Information Security personnel after reductions in breach frequency.
• Sony never became proactive about system patching.
• Sony and the hacking community have a history of feuding with one another.
Lessons Learned
• Monitor networks, both Internet and internal
• Patch your systems
• Classify your data and isolate accordingly
• Purge data you do not need for operations or compliance
• Train users to identify suspicious emails
• Coordinate incident response with communications, public relations, and legal to minimize confrontation with customers and potential attackers.
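The first lesson, monitoring the internal network, is where the earlier slide says detection failed: one foothold moved from system to system without anyone noticing. As an added example, not part of the presentation and not Sony or UTD tooling, here is a small detector that parses constructed authentication log lines and flags an account that successfully reaches an unusual number of distinct hosts from one workstation inside a short window, a common first-pass lateral-movement heuristic that an internal monitoring pipeline would run over domain or SSH authentication events. The log format, hostnames, usernames, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> user=<account> src=<source host> dst=<target host> result=<ok|fail>
SAMPLE_LOG = """\
2014-11-20T09:00:05 user=jsmith src=ws-101 dst=fileserver-1 result=ok
2014-11-20T09:02:11 user=jsmith src=ws-101 dst=mail-1 result=ok
# noise: not a valid record, the parser skips it
2014-11-20T22:10:00 user=svc-backup src=ws-233 dst=fileserver-1 result=ok
2014-11-20T22:10:20 user=svc-backup src=ws-233 dst=fileserver-2 result=ok
2014-11-20T22:10:45 user=svc-backup src=ws-233 dst=hr-db-1 result=ok
2014-11-20T22:11:03 user=svc-backup src=ws-233 dst=finance-1 result=ok
2014-11-20T22:11:30 user=svc-backup src=ws-233 dst=legal-share result=ok
2014-11-21T08:30:00 user=agarcia src=ws-150 dst=mail-1 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Flag (user, source host) pairs that successfully authenticate to at
    least `threshold` distinct hosts within `window`. One alert per pair,
    carrying the first timestamp and the sorted set of hosts reached."""
    by_actor = defaultdict(list)
    for e in events:
        if e["result"] == "ok":  # only successful logons count as movement
            by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each event
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src": src,
                               "first_seen": start["ts"], "hosts": sorted(hosts)})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"{alert['first_seen']} {alert['user']}@{alert['src']} "
              f"reached {len(alert['hosts'])} hosts: {', '.join(alert['hosts'])}")
```

The threshold and window need tuning per environment (backup and monitoring accounts legitimately touch many hosts), which is why the alert carries the source workstation: a service account fanning out from a user desktop rather than from its usual server is the combination worth a look.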
Questions & Discussion
Information [email protected]