Presented by Brad Hoover 10/3/2015. I talk fast so stop me and get clarification Please hold all...

Presented by Brad Hoover 06/15/22


Page 1: Presented by Brad Hoover 10/3/2015.  I talk fast so stop me and get clarification  Please hold all of the following questions to the end Why are you.

Presented by Brad Hoover 04/22/23


I talk fast so stop me and get clarification

Please hold all of the following questions to the end
• Why are you guys doing ____?
• What does the ____ policy/SAP mean?

I am not a lawyer
Don’t try this at home or work!!


Knowing:
• What needs to be protected
• Why it needs to be protected
• How to protect it for as long as it exists

100% Security = 0% Productivity


Risk Impact
• Public/Sponsor Trust
• Proprietary Information
• Homeland Security

Asset

Exploit

Vulnerability

Threat


Owner: The manager responsible for the business function which is supported by the information resource.
• Program Manager

Custodian: Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner.
• NIS


Sensitive: Information that requires special precautions to assure the integrity of the information, by protecting it from unauthorized modification or deletion.

Confidential: The most sensitive business information that is intended strictly for use within the organization.

Public: All other information


How much is my data worth?
If I lost my data what would I do?
How much protection do I need for my data?

Business Continuity Plan (BCP)
• Committee is being formed soon
• Should include everything from:
  • Where am I going to get pencils from
  • When must this service be available

Disaster Recovery Plan
• IT portion of the BCP


“Measures shall be taken to protect these assets against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information.”

“The integrity of data, its source, its destination, and processes applied to it must be assured.”

- Texas Administrative Code Title 1 Part 10 Chapter 202 Subchapter C Rule §202.70 Security Standards Policy


Issues to remember
• TAC 202.70 compliance
• E-discovery
• Open records requests

External services hinder compliance with the above issues


Identity Finder

Social Security Numbers
• Travel vouchers
• Purchasing vouchers
• Inventory forms

Credit Card Numbers
• Receipts/Notes
• Reports

Student Grades
Employee Reviews
Health Data (HIPAA)


Remove the data (Fiscal Memo 08-03)
• From the network
• From your hard drives
• Any other media

Hard copies of vouchers with SSN
• Once submitted the SSN should be removed

Scans of network drives
• Already done for TTI-BCS

Next up is local hard drives


Seizure of laptop/PDA data
Eavesdropping (voice and data)
Phone call limitation
Sensitive data restrictions


Seizure of laptop/PDA data
• Whole disk encryption
• Individual file encryption
• FedEx your laptop
• Wipe the machine before/after


Eavesdropping (voice and data)
• Voice
  • Use temporary phones while there
  • Use Skype or Cisco Communicator over VPN
• Data
  • USE VPN !!
  • Make sure the built-in firewall (at least) is turned on for your connection

Phone call limitation
• Skype/Cisco Communicator over VPN
• You may not be available via phone


Sensitive data restrictions
• Do not take sensitive data with you internationally
• EU requires you to prove you can have sensitive data prior to getting it back
• If you absolutely must take sensitive data contact me: [email protected]


Physical Security
High Speed Internet Access
Dumpster Diving/Identity Theft
Insider Attacks
Viruses/Malware
Cyber Warfare
Vulnerable Code
Password Guessing


Physical Security
• Lock your office doors
• Screensaver lockout
• Watch out for visitors


High Speed Internet Access (8 Mbps-$33)
• High availability
• Firewalls
• Intrusion detection

Dumpster Diving/Identity Theft
• Shred everything you can
• Be careful what you put out there
  • Facebook, Resumes, MySpace … etc


Insider Attacks
• Do background checks
• International students may not have background information
• Non-disclosure agreements (contractors, vendors, students and employees)
• Example: State of California, Virginia Health Records

Viruses/Malware
• Virus protection
• Run as a non-privileged user
• Be careful where you go (P2P, E-mails)


Cyber Warfare
• Not much you can do
• Call the authorities, block what you can and have your backups ready
• Examples:
  • World Bank
  • Federal Government
  • Georgia (the country)


Vulnerable Code
• 20-25 possible security vulnerabilities per KLOC
• Check and double check code that you write
• Security is often the last thing to be thought about

Operating System             Lines of Code
Windows NT 4.0               11-12 Million
Windows XP                   40 Million
Windows Vista/Server 2003    50 Million
Linux Kernel 2.6.29          11 Million


Password Guessing
• Passwords are things like
  • T$T%IR0cK$
  • Brad!SC00l
• Passphrases are things like
  • I was married on October 20th @ 5:00 p.m.
  • When I stub my toe I say #$@!
