Presentation is loading. Please wait.

Presentation is loading. Please wait.

Desktop 1 Owning the Desktop: Is.edu like.com? Scott Bradner Harvard University University Technology Security Officer 28 June 2006.

Published byEgbert Hancock Modified over 8 years ago

Similar presentations

Presentation on theme: "Desktop 1 Owning the Desktop: Is.edu like.com? Scott Bradner Harvard University University Technology Security Officer 28 June 2006."— Presentation transcript:

1 desktop 1 Owning the Desktop: Is.edu like.com? Scott Bradner Harvard University University Technology Security Officer 28 June 2006

2 desktop 2 Agenda issues (real) issues (per vendors) extra.edu issues throw policy technical?

3 desktop 3 Issues: Software & Vendors Bellovin - buggy software a key problem e.g., 40 M lines of code in Windows slooooow fixes patches on a schedule - bugs not follow a schedule

4 desktop 4 Issues: ID Theft ID theft: ability to assume someone’s identity not just steal credit card # & exp date primary reason we try to protect SSNs 246K ID theft reports to FTC in 2004 actual count may be as high as 9M ($52B losses) can take years to repair

5 desktop 5 Issues: Crustacean Security installing firewalls can install complacency users assume they are protected but open to everyone inside the wall only real security is host-based but firewalls help and are required by many regulations firewalls/filters should be put as close to server being protected as possible in addition to perimeter firewalls

6 desktop 6 Issues: Portable Data data migrates to individual user’s computers desktops, laptops, handhelds... little encryption on these machines stolen or improperly decommissioned machines (& disk drives) can contain important data many examples in news - machine lies to user can be issue if machine shared with employee’s family

7 desktop 7 Biggest Issue: People are Human people don’t think of consensuses: e.g., sharing passwords grant process that requires tax returns data on laptops - no encryption, no password- protected screensaver leaving report on desk at night email report to co-worker or vendor hard to know what to protect... corollary: security gets in the way

8 desktop 8 Foisted Answers 1-2 calls from telemarketers per month usually a script kiddie always “best in industry” &/or “protect against ALL malware” control data flow and access ensure patch level protect corporate secrets comply with {SOX, HIPAA, GLB...} protect against ‘bad’ content in email, surfing etc some may be real problems in.edu

9 desktop 9 Vendor Assumptions Ghengis Khan is in charge of network the WHOLE network & ALL computers all computers controlled by enterprise its all Windows users do not have admin access single control point clear understanding of sensitive information someone to watch a screen many someones to configure system

10 desktop 10.edu Reality many networks many network managers with local semi-power whole lotta owners not just Windows agent requirement hard (if possible) no clue about sensitive information people are expensive faculty do not answer to anyone

11 desktop 11.edu Risks central IT groups generally know what they are doing risk areas local graduate-student run research labs student-owned machines researchers (e.g., getting SSNs from subjects) data exchange with vendors...

12 desktop 12 Throwing Policy active policy development process university-wide mandates local implementations on web site -{security|privacy}.harvard.edu policies info on regulations, processes etc contract riders internal auditors enforce policy

13 desktop 13 Some Policies passwords network/system setup checkers, IDS etc no Harvard confidential data on portable computers(including vendors) human subject data credit card security processes & reporting...

14 desktop 14 What Are We Doing? administration computers per school standard disk image includes virus checkers etc central admin adding whole-disk encryption advise other schools to do same other computers undergraduate software package includes checker etc state best practices low cost checker software at university store

15 desktop 15 What Are We Doing, contd. finding problems watch net with SNORT & home brew packages mousetrap machines that trigger

16 desktop 16 Biggest Problem internal communication lots of talks mail (e- & paper) to VPs etc newspapers web site on-line training but still too few people know policies nor do they know where the Personnel Manual is

17 desktop 17 Example: WWHW

18 desktop 18 Can Technology Work? can a research.edu use technical protection systems beyond virus checkers etc sure for the business part(s) of the university for places that have a network czar with power for places that have few researchers but confidential data seems to have legs and shows up where you least expect it

Download ppt "Desktop 1 Owning the Desktop: Is.edu like.com? Scott Bradner Harvard University University Technology Security Officer 28 June 2006."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
HIPAA Security.

HIPAA Security.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Supporting The Mobile Client: Expanding Our Borders John Guidone Manager, Desktop Technologies and Dawn E. Colonese Manager, Help Desk & Client Access.

Supporting The Mobile Client: Expanding Our Borders John Guidone Manager, Desktop Technologies and Dawn E. Colonese Manager, Help Desk & Client Access.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
SECURITY CHECK Protecting Your System and Yourself Source:

SECURITY CHECK Protecting Your System and Yourself Source:
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
For further information computersecurity.wlu.ca

For further information computersecurity.wlu.ca
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
TAX-AIDE Computer Security Chris Hughes Chairman NTC 1 NLT Meeting Aug 2014.

TAX-AIDE Computer Security Chris Hughes Chairman NTC 1 NLT Meeting Aug 2014.
TAX-AIDE Computer Security Chris Hughes (HMR mod) Chairman NTC 1 NLT Meeting Aug 2014.

TAX-AIDE Computer Security Chris Hughes (HMR mod) Chairman NTC 1 NLT Meeting Aug 2014.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.

9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.
Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology.

Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
IT Security Essentials Ian Lazerwitz, Information Security Officer.

IT Security Essentials Ian Lazerwitz, Information Security Officer.

Similar presentations

Ads by Google