Post on 25-Jan-2015
description
Stealing Christmas
Dr. Curtis A. Carver Jr.Vice Chancellor and CIO
Board of Regents
• Policy ATE technology, oh my!
• Landscape
• What to do now?
• Questions, Comments, a Conversation
Agenda
Necessary ComponentsPolicy, awareness, training, and education (ATE), and technology must form the core of your security program. All three are necessary.
Landscape(Policy)
• Many policy or policy frameworks are available.– COBIT– ISO 27000 series– ITIL– NIST
• Pick one and execute as a first step.
• College courses in security policy are available.
Perh
aps
Not
this
Pol
icy
Technology
• Technology is getting better rapidly.• It is necessary but not sufficient.• Attack vector is shifting away from hacks to
social engineering. • Technology is not so good at preventing social
engineering.
Recent Example: UGA• 8,500 staff and students
• Slow, deliberate social engineering attack
• Answers to “secret” questions found on Facebook.
Another Example: South CarolinaGovernor Nikki Haley, “This is
not a good day for South Carolina.”
3/4ths of state citizens affected.
“The cost is also going to be enormous,
given that South Carolina may be required to pay for identity
theft protection services for anyone who has paid taxes in South
Carolina since 1998,”
October 27, 2012
Landscape
• Attacks are increasing.
• Attacks are increasingly complex.
• Education, training and awareness becoming increasingly important.
Normal versus Abnormal?Three Questions• What is normal for my
organization?• What is abnormal?• What do I do if
something abnormal occurs?
Awareness, Training, and Education
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST
Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
Three Examples
• Accountability Plus
• Carronade
• IT SAMI
Accountability Plus
Time
Inci
dent
Cou
nt
Issue: In a five month period this year, 23% of helpdesk incidents were computer abuse. This represents a 255% increase over the same period last year
Computer Abuse Process
• Computer incident occurs• Help Desk Notified• Institution notified• Help Desk Follows Up after 5 days• Help Desk Ticket closed out by Help Desk
What is wrong with
this process?
Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet
• Actions Taken: – Incidents characterized as high, medium, or low impact.– Processes redefined to escalate resolution of these cases
to the President’s boss.– New processes go into effect on 9 April.
• Importance to USG Presidents: A telephone call from USG CIO is indicative of four days remaining until the case is forwarded to USG senior leadership.
Accountability Plus
Galileo, GeorgiaBest, GeorgiaFirst, GeorgiaonMyLine, GeorgiaView, GIL, PeachNet
• Rest of the Story: I told the presidents that if I ever call them, their first step should be to fire the institutional CIO.
• Two Years Later: – The computer abuse line is linear – not
exponential.– I have not called a President…yet.
Rest of the Story and Two Years Later…
Carronade• Issue: The longer
students are at our institution, the more susceptible they are to phishing attacks.
• Issue 2: – Death by PowerPoint
training version 1 failed. – Death by PowerPoint
training version 2 failed.
Carronade Hypothesis
• Have the students launch spear phishing attacks against each other in a controlled manner.
• Have students remediate other students.• Don’t tell the technical staff when it will
happen.• Do it every semester.
Typical Email
Problems with Typical Email
Carronade Results
Two Years Later…
04/10/2023 03:30 PM 23
IT-SAMI INSPECTION SHEET
Cadet Name Company Year Inspector Name
CategoryITEM POINTS
AD-AWAREINSTALLED? NO, -30CHECK UPDATES >= 1 WEEK OLD, - 05
>=3 WEEKS, -10
>= 1 MONTH, - 20
LAST SYSTEM SCAN >= 1 WEEK OLD, - 05>=3 WEEKS,
-10>= 1 MONTH,
- 20SCAN RESULTS
For each process -10For every 20 additional items, -05
DEFRAGEMENT ANALYZESYSTEM SUGGESTED? YES, -10
ADD/REMOVE PROGRAM LISTWILD TANGENT YES, -10WEATHER BUG YES, -10WELL KNOWN FILE SHARING YES, -20/item
BROWSER HEALTHSEARCH BAR OTHER THAN GOOGLE YES, -10
VIRUSES DEFENITION FILES >= 1 WEEK OLD, - 5
>=3 WEEKS, -10
>= 1 MONTH, - 20
SYSTEM DATASPACE REMAINING ON C-DRIVE < 20%, -10MAJORITY OF ACDEMIC DATA
STORED ON C-DRIVE YES, -20
Best In BDE
Best Regiment: 86.13
Best Company: 95.00
Worst Reg: 75.00
Worst Company: 53.50
04/10/2023 03:30 PM 24
Saturday AM Inspection (IT SAMI)
In the hallways, cadetsstand inspection of theirmilitary equipment.
In their rooms, cadetsstand inspection of theircomputers.
Stealing Christmas• The threat of organized crime and nation states attacking
your personal information is real. Grinch is alive and well.
• Give your organization the gifts of a strong security policy program, strong technology, and a strong education program.
• Think outside the box in educating, training and rewarding your organization.
Questions, Comments, a Conversation
Dr. Curtis A. Carver Jr.Vice Chancellor and CIO
Board of Regents