Information Security, The University of Texas at Dallas

Education – Partnership – Solutions

ISC Meeting

February 6, 2015

Information Security [email protected]


New Policy

Presented by Stephenie Edwards


New Policy Location



Contracts Evaluation

Presented by Leigh Hausman


Dr. StrangeCloud, or: How I Learned to Stop Worrying and Love the Cloud


Policy Change

• Previous ISO leadership resisted the cloud; current ISO leadership embraces the cloud when used responsibly.

• Cloud services are subject to the ISO’s vendor survey process.

• We don’t say “no,” we ask “how can this be done safely?”


Why Cloud Services?

Advantages

• Faster to implement – might be activated without involvement from IR

• Less expensive (or free) – pay for only the capacity you use

• Flexible – add capacity as your needs change

Disadvantages

• Dependent on vendor – will they stay in business?

• More complex – do systems integrate?

• Less control – where is my data stored?


Lawyers to the rescue!

• Contracts are negotiable, but we have to do it before it is signed

• We should request any and all protections justified by the value of the data

• Contracts can require security equivalent to UTD controls

• There are many specialists on campus who can assist you (e.g. ISO, Contracts Office, Attorney)

• IT professionals are becoming more familiar with contracts affecting their operations.


Important Protections Available to UTD

• Appropriate architecture
– Multi-tenant versus physical isolation
– Method of access

• Security controls
– Service Level Agreements (SLAs)
– Timely patching
– Secure transfer and storage of data
– Limited vendor access

• Right to audit
– UTD allowed to audit?
– UTD access to audit results? (e.g. penetration tests, SSAE-16, 3rd party reports)


Important Protections Available to UTD, cont.

• Does the contract address data ownership?
– UTD data ownership should not shift to vendor.
– Data may need to be destroyed at the end of the relationship.

• Does the contract specify compliance with applicable laws?
– Medical data needs to remain HIPAA compliant.

• What happens if there is a breach?
– Notification provisions
– Indemnification for losses if vendor is at fault

• What happens if the company goes out of business or is acquired?
– Source code escrow


PCI

Presented by Jason Carter


What is PCI?

• Payment Card Industry Data Security Standard (PCI DSS)

• Is it a Standard or a Law?

• PCI versus GLBA

• PCI DSS currently on Version 3.0

• We are considered an “SAQ C” Level Entity…
– Because we accept credit card payments, but do not store full credit card numbers


Where Do We Fit in the Process?

(Diagram of the card payment flow; the parties shown are UTD, Global Payments, Wells Fargo, and the Donor.)


How Could Non-Compliance Affect UTD?

• Failure to comply can result in:
– Fines
– A Breach, Leading to Fines + Loss of Reputation
– Loss of Our Ability to Accept Payments and DONATIONS via Credit Card

• REMEMBER… Part of the purpose of PCI DSS is determining liability for breaches and resulting losses (e.g. Target)

• Does your Department take Card Payments?


ISO’s Compliance Strategy for PCI DSS

Re-assessing using the new PCI DSS v3.0 checklist:

• Step 1: Scoping our Cardholder Data Environment (CDE)
– Departments taking CC payments
– Equipment used for transactions
– Systems used for transactions
– Network architecture supporting transactions

• Step 2: Assessment of CDE for Issues

• Step 3: Remediation of Issues

“Our goal is to help departments achieve compliance while not disrupting operations.”


Risk Scenario: “Concierge” Service

• We enter a Credit Card transaction on behalf of the donor, using a website intended for the donor (UTD Giving Sites)

• Common scenario among non-profits

• Problems:
– No logs of who entered the transaction
– If the donor disputes the charge, it becomes apparent to the providers that the transaction was entered incorrectly
– Can lead to external audits by the card companies


Next Steps

Below is a list of areas officially taking card payments (aside from MarketPlace, Bookstore & Dining Services). If there are more locations taking card payments, including concierge transactions, please let us know.

• Bursar’s Office
• Office of Development & Alumni Relations
• Callier Center
• Activities Center
• Parking Office
• Copy Center
• Library Kiosks
• Student Health Center
• Comet Center
• SSB Kiosks


Sony Pictures – Incident Postmortem

Presented by Dalton Brown

“The crooks were able to attack the same thing because Sony Pictures wasn’t going out and fixing it… You shouldn’t be able to gain access to one part of the network and get access to everything.”

– Chester Wisniewski, 2011

The November 2014 Hack – Background

• Confidential data belonging to Sony Pictures was released online. This data included the following:
– Personal information for 47,000 employees (names, addresses, SSNs, etc.)
– Emails between employees
– Salaries
– Full copies of unreleased films, including content which is politically controversial
– Additional information unrelated to Sony Pictures’ business

The November 2014 Hack – Background

• Evidence of Hack
– Evidence suggests that attackers had access for almost a year before detection.

– Following the breach, the attackers (self-proclaimed “Guardians of Peace” or “GOP”) planted malware known as Wiper in the infrastructure (Wiper is designed to erase all data from hard drives).

– GOP announced their hack on November 24, 2014 by displaying a graphic on employee workstations that contained a red skull with a message signed by the GOP.

– IT operations and Information Security personnel learned of the attack at the same time as general employees and management.

How Did the GOP Gain Access?

The investigation is ongoing, but initial findings suggest:

• The GOP were able to gain network access through malware infection

• Workstations are more at risk if they are missing patches, lack a malware prevention utility, or the user is running as administrator.

• The GOP exploited additional machines in order to find as much vital information as they could around the network.

• The GOP covered all traces of evidence using Wiper.

What Could Sony Have Done?

Sony Pictures was not alerted to the attack in progress due to the following:

• Security monitoring of the internal network was lacking, which allowed the GOP to travel laterally from system to system without detection.

• Hosts on the network were not resistant to malware infection.

• Sony Pictures did not sufficiently hide or isolate high-risk information within the network.
– One report in early December of 2014 showed that Sony kept thousands of sensitive passwords in a folder named “Passwords.”

• Past breaches performed by other attackers did not result in enough architectural or cultural change within the organization.

Sony’s Faults

Sony’s systems were repeatedly breached:

• Lack of investment in Information Security. The first CISO in Sony’s history was hired following the Anonymous attack of 2011.

• Sony has a history of laying off Information Security personnel after reductions in breach frequency.

• Sony never became proactive about system patching.

• Sony and the hacking community have a history of feuding with one another.

Lessons Learned

• Monitor networks, both Internet and internal

• Patch your systems

• Classify your data and isolate accordingly

• Purge data you do not need for operations or compliance

• Train users to identify suspicious emails

• Coordinate incident response with communications, public relations, and legal to minimize confrontation with customers and potential attackers.


Questions & Discussion

Information [email protected]