
Information Security The University of Texas at Dallas Education – Partnership – Solutions ISC Meeting February 6, 2015 Information Security


1 ISC Meeting, February 6, 2015
Information Security, infosecurity@utdallas.edu

2 New Policy
Presented by Stephenie Edwards

3 New Policy Location

4 New Policy Location

5 Contracts Evaluation
Presented by Leigh Hausman

6 Dr. StrangeCloud
Or: How I Learned to Stop Worrying and Love the Cloud

7 Policy Change
Previous ISO leadership resisted the cloud; current ISO leadership embraces the cloud when used responsibly.
Cloud services are subject to the ISO’s vendor survey process.
We don’t say “no,” we ask “how can this be done safely?”

8 Why Cloud Services?
Advantages
– Faster to implement – might be activated without involvement from IR
– Less expensive (or free) – pay only for the capacity you use
– Flexible – add capacity as your needs change
Disadvantages
– Dependent on vendor – will they stay in business?
– More complex – do systems integrate?
– Less control – where is my data stored?

9 Lawyers to the rescue!
Contracts are negotiable, but negotiation has to happen before the contract is signed.
We should request any and all protections justified by the value of the data.
Contracts can require security equivalent to UTD controls.
There are many specialists on campus who can assist you (e.g. ISO, Contracts Office, Attorney).
IT professionals are becoming more familiar with contracts affecting their operations.

10 Important Protections Available to UTD
Appropriate architecture
– Multi-tenant versus physical isolation
– Method of access
Security controls
– Service Level Agreements (SLAs)
– Timely patching
– Secure transfer and storage of data
– Limited vendor access
Right to audit
– Is UTD allowed to audit?
– Does UTD get access to audit results? (e.g. penetration tests, SSAE 16, 3rd-party reports)

11 Important Protections Available to UTD, cont.
Does the contract address data ownership?
– UTD data ownership should not shift to the vendor.
– Data may need to be destroyed at the end of the relationship.
Does the contract specify compliance with applicable laws?
– Medical data needs to remain HIPAA compliant.
What happens if there is a breach?
– Notification provisions
– Indemnification for losses if the vendor is at fault
What happens if the company goes out of business or is acquired?
– Source code escrow

12 PCI
Presented by Jason Carter

13 What is PCI?
Payment Card Industry Data Security Standard (PCI DSS)
Is it a standard or a law? PCI versus GLBA
PCI DSS is currently on version 3.0
We are considered an “SAQ C” level entity because we accept credit card payments but do not store full credit card numbers.

14 Where Do We Fit in the Process?

15 How Could Non-Compliance Affect UTD?
Failure to comply can result in:
– Fines
– A breach, leading to fines plus loss of reputation
– Loss of our ability to accept payments and DONATIONS via credit card
REMEMBER: part of the purpose of PCI DSS is determining liability for breaches and resulting losses (e.g. Target).
Does your department take card payments?

16 ISO’s Compliance Strategy for PCI DSS
Re-assessing using the new PCI DSS v3.0 checklist:
Step 1: Scoping our Cardholder Data Environment (CDE)
– Departments taking CC payments
– Equipment used for transactions
– Systems used for transactions
– Network architecture supporting transactions
Step 2: Assessment of the CDE for issues
Step 3: Remediation of issues
“Our goal is to help departments achieve compliance while not disrupting operations.”

17 Risk Scenario: “Concierge” Service
We enter a credit card transaction on behalf of the donor, using a website intended for the donor (UTD Giving Sites).
Common scenario among non-profits.
Problems:
– No logs of who entered the transaction
– If the donor disputes the charge, it becomes apparent to the providers that the transaction was entered incorrectly
– Can lead to external audits by the card companies

18 Next Steps
Below is a list of areas officially taking card payments (aside from MarketPlace, Bookstore & Dining Services). If there are more locations taking card payments, including concierge transactions, please let us know.
– Bursar’s Office
– Office of Development & Alumni Relations
– Callier Center
– Activities Center
– Parking Office
– Copy Center
– Library Kiosks
– Student Health Center
– Comet Center
– SSB Kiosks

19 Sony Pictures – Incident Postmortem
Presented by Dalton Brown

20 “The crooks were able to attack the same thing because Sony Pictures wasn’t going out and fixing it…You shouldn’t be able to gain access to one part of the network and get access to everything.” - Chester Wisniewski, 2011

21 The November 2014 Hack – Background
Confidential data belonging to Sony Pictures was released online. This data included the following:
– Personal information for 47,000 employees (names, addresses, SSNs, etc.)
– Emails between employees
– Salaries
– Full copies of unreleased films, including politically controversial content
– Additional information unrelated to Sony Pictures’ business

22 The November 2014 Hack – Background
Evidence of Hack
– Evidence suggests that attackers had access for almost a year before detection.
– Following the breach, the attackers (self-proclaimed “Guardians of Peace” or “GOP”) planted malware known as Wiper in the infrastructure (Wiper is designed to erase all data from hard drives).
– GOP announced their hack on November 24, 2014 by displaying a graphic on employee workstations that contained a red skull with a message signed by the GOP.
– IT operations and Information Security personnel learned of the attack at the same time as general employees and management.

23 How Did the GOP Gain Access?
The investigation is ongoing, but initial findings suggest:
– The GOP were able to gain network access through malware infection. Workstations are more at risk if they are missing patches, lack a malware prevention utility, or the user runs as administrator.
– The GOP exploited additional machines in order to find as much vital information as they could around the network.
– The GOP covered all traces of evidence using Wiper.

24 What Could Sony Have Done?
Sony Pictures was not alerted to the attack in progress due to the following:
– Security monitoring of the internal network was lacking, which allowed the GOP to move laterally from system to system without detection.
– Hosts on the network were not resistant to malware infection.
– Sony Pictures did not sufficiently hide or isolate high-risk information within the network. One report in early December 2014 showed that Sony kept thousands of sensitive passwords in a folder named “Passwords.”
– Past breaches performed by other attackers did not result in enough architectural or cultural change within the organization.

25 Sony’s Faults
Sony’s systems were repeatedly breached:
– Lack of investment in Information Security. The first CISO in Sony’s history was hired following the Anonymous attack of 2011.
– Sony has a history of laying off Information Security personnel after reductions in breach frequency.
– Sony never became proactive about system patching.
– Sony and the hacking community have a history of feuding with one another.

26 Lessons Learned
– Monitor networks, both Internet-facing and internal
– Patch your systems
– Classify your data and isolate accordingly
– Purge data you do not need for operations or compliance
– Train users to identify suspicious emails
– Coordinate incident response with communications, public relations, and legal to minimize confrontation with customers and potential attackers.
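Slides 24 and 26 both point at the same missing control: internal monitoring that would have flagged one account fanning out across many systems. The following is an added example, not from the presentation, of that check run over constructed logon records; the log format, hostnames and account names are made up for the illustration, and the five-minute window and four-host threshold are assumed tuning values.

```python
"""Flag an account that authenticates to many distinct hosts in a short window
(a simple lateral-movement indicator for internal logon logs)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> LOGON user=<name> src=<host> dst=<host>".
# The late-night svc_backup burst is the pattern the check is meant to surface.
SAMPLE_LOG = """\
2014-11-20T09:00:01 LOGON user=jsmith src=ws-101 dst=fileserver-1
2014-11-20T09:00:05 LOGON user=jsmith src=ws-101 dst=fileserver-1
2014-11-20T02:10:00 LOGON user=svc_backup src=ws-237 dst=fin-db-1
2014-11-20T02:10:30 LOGON user=svc_backup src=ws-237 dst=hr-share-1
2014-11-20T02:11:02 LOGON user=svc_backup src=ws-237 dst=legal-share-1
2014-11-20T02:11:40 LOGON user=svc_backup src=ws-237 dst=media-vault-2
2014-11-20T02:12:15 LOGON user=svc_backup src=ws-237 dst=exec-mail-1
2014-11-20T09:30:00 LOGON user=alee src=ws-140 dst=fileserver-1
"""


def parse_line(line):
    """Split one record into (timestamp, user, source host, destination host)."""
    ts, _, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["dst"]


def find_fan_out(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {(user, src): sorted distinct destination hosts} for every
    (user, src) pair that reached at least `threshold` distinct hosts
    within any `window`-long span of its logon events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = parse_line(line)
        events[(user, src)].append((ts, dst))

    alerts = {}
    for key, evs in events.items():
        evs.sort()  # events arrive out of order in real logs; sort by time
        for i, (start, _) in enumerate(evs):
            hosts = {d for t, d in evs[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[key] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for (user, src), hosts in find_fan_out(SAMPLE_LOG).items():
        print(f"ALERT {user}@{src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Repeated logons to the same host do not count toward the threshold, so a normal user hitting one file server many times stays quiet while a single workstation sweeping through finance, HR, legal and media shares does not.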

27 Questions & Discussion
Information Security, infosecurity@utdallas.edu

