Data Security Symposium
Network Security and Planning
Ron Ternowski
Today’s Activities
• 9:40 a.m. – 10:30 a.m. – Session I
• 10:30 a.m. – 10:40 a.m. – Break
• 10:40 a.m. – 11:30 a.m. – Session II
• 11:30 a.m. – 11:40 a.m. – Break
• 11:40 a.m. – 12:30 p.m. – Session III
• 12:30 p.m. – 1:15 p.m. – Lunch
• 1:15 p.m. – 2:15 p.m. – Second Keynote
Network Security and Planning
• C.I.A.
• Data Breach
• Network Security
• Network Firewalls
• VPN Access
• Content Filtering
• BYOD
• Transfer of Data – e.g. Dropbox, vendor drives, iCloud
• Email Security
C.I.A.
• Confidentiality – ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
• Integrity – provides assurance of the accuracy and reliability of the information and systems, and prevents any unauthorized modification.
• Availability – ensures reliable and timely access to data and resources for authorized individuals.
Data Breach
Why do we worry about security?
• Insurance company, WellPoint, fined $1.7m over data exposure – In 2009, WellPoint reported to the federal agency that an online database holding personal and health information for 612,402 individuals was left accessible over the Internet between October 2009 and March 2010. The data included names, addresses, birth dates, Social Security numbers, phone numbers and health information.
• 6,300 USC students warned about data breach – The University of South Carolina is dealing with another data breach while it continues work to eliminate unnecessary use of Social Security numbers. USC sent letters this week to 6,300 students whose personal information, including Social Security numbers, could have been on a laptop stolen from the physics department.
• Fla. Dept. of Education Reports Breach – The Florida Department of Education reports that 47,000 participants in a teacher preparation program had personal information exposed on the Internet for 14 days during a data transfer between servers housed at Florida State University. Compromised information includes names, Social Security numbers and, in some cases, addresses, according to a spokesperson for the Department of Education. The university is performing work under contract with the education department, according to a statement the Department of Education provided to DataBreachToday. Upon discovering the problem, the education department closed off access to the personal information, cleared all cached data files and ran security checks to ensure information was only accessible by authorized users, according to the statement. An investigation determined that the information may have been accessed 23 times via Google; that may have included unauthorized access, the statement acknowledges. Affected individuals are being offered free credit monitoring services, the spokesperson said.
Network Security
• Documentation
• Physical security
  – Is the server room locked?
  – Are the cabinets locked?
  – Are switches/routers in a locked cabinet with controlled access?
• VLAN Design
  – By building? By network segment? By usage?
  – Are servers on their own VLAN? Segmented by firewall?
• DHCP Snooping
  – Trusted interfaces are the only responders to requests.
• SLPP (Avaya) and BPDU Guard (Cisco)
  – Disables any port that receives a BPDU message; helps prevent loops.
Network Security – Layer 2
• Always use a dedicated VLAN ID for all trunk ports.
• Avoid using VLAN 1.
• Set all user ports to access.
• Deploy port security when possible for user ports.
• Enable STP attack mitigation (BPDU Guard, Root Guard, SLPP).
• Disable all unused ports and put them in an unused VLAN.
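The checklist above turned into a configuration audit, as an added example that is not part of the presentation: a Python script that parses a Cisco IOS-style running-config (the sample is constructed; interface names and VLAN IDs are assumptions) and reports which items each port misses, treating VLAN 1 as the IOS default wherever no VLAN is set.

```python
# Constructed Cisco IOS-style running-config; interface names and VLAN IDs are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/23
 shutdown
!
"""

def parse_interfaces(config):  # {interface name: set of commands in its block}
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def vlan_of(lines, prefix):  # VLAN ID following `prefix`, or "1" (IOS default when unset)
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), "1")

def audit_interface(lines):
    """Apply the Layer 2 checklist to one interface block; return its findings."""
    if "shutdown" in lines:  # disabled port: it must still be moved out of VLAN 1
        return ["disabled port still in VLAN 1"] if vlan_of(lines, "switchport access vlan ") == "1" else []
    if "switchport mode trunk" in lines:  # trunk: native VLAN must be a dedicated ID
        return ["trunk native VLAN is 1"] if vlan_of(lines, "switchport trunk native vlan ") == "1" else []
    checks = [  # anything else is a user port
        ("switchport mode access" not in lines, "not forced to access mode"),
        (vlan_of(lines, "switchport access vlan ") == "1", "user port left in VLAN 1"),
        ("switchport port-security" not in lines, "port security not enabled"),
        ("spanning-tree bpduguard enable" not in lines, "BPDU Guard not enabled"),
    ]
    return [msg for failed, msg in checks if failed]

def audit_config(config):  # {interface: [findings]} for the whole running-config
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}
```

Run `audit_config(SAMPLE_CONFIG)` to see one compliant user port, one all-defaults user port with three findings, a trunk still using native VLAN 1, and a shut-down port never moved out of VLAN 1.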
Network Firewalls
• Checkpoint Firewall – Model 4800 – Running Gaia R75.40
• Multiple Security Zones – Server Area – BYOD – DMZ
• VPN Capable
• Stateful Firewall
• Feature Availability
• Firewall Logs
VPN Access
• Multiple methods for VPN Access
  – Contivity, ASA, Firewall
• How do you control and log access?
  – Is it tied to your directory structure?
  – Who has access?
  – When and from where was it accessed?
  – MOST IMPORTANT – What access do the end-users have?
• Very important that the access and user accounts are audited on a regular basis.
  – Recommend every quarter, but it should be done annually as a minimum.
Content Filtering
• Lightspeed Systems
  – URL Filtering
  – P2P Networks
  – Proxy Blocking
  – Port Blocking
• Blocked File Extensions
• Blocked Search Keywords
• Reports, Reports, Reports
  – Search Queries and Suspicious Search Queries
  – Web Activity
  – Peer 2 Peer Report option
  – Summary Reports
BYOD
• School Board Policy?
  – Is there one?
  – Do we need to update?
• Is there an AUP for Staff or Students?
  – E1B Policy Group can assist.
• Where do we put these devices?
  – BYOD network? Off the firewall?
  – What type of authentication should be used, if any?
  – What level of filtering should they have?
Transfer of Data
• How is data moved in our District?
  – Do we know where all of our PII is kept?
  – Do we know when it is moved?
  – Is it moved securely? Remember the CIA Triad.
  – Do we know who has access to this data?
    • What permissions are on the folders, files, shares?
• Are we using cloud services?
  – Are you sure???
  – Dropbox
  – SkyDrive
  – Google Drive
  – iCloud
Email Security
• What email system do you use?
  – How is it accessed?
  – Is it available from outside the District?
  – Is the client or web-based access encrypted?
• Are you using a SPAM service?
• Do you have clear rules about email use?
  – Establish and promote a robust email policy
    • AUP, e.g. do not forward inappropriate material, not for personal use, limit attachment size to X MB…
• Present the dangers clearly.
  – Viruses, trojans, bots, spam and phishing attacks.
  – Hate mail, bullying, other inappropriate actions.
  – Illegal or copyrighted file transmission.
• Email Etiquette – Train the user regularly
  – What to send.
  – Who to send to.
  – Reply vs. Reply All vs. BCC
• Scan all emails and attachments for viruses
• Prevent data loss through email
  – Block attachments by file type.
  – Add disclaimers and banners to emails in both directions.
  – Ensure your system is not being abused by unknown or
Passwords
• Password Policy!!!
• What is an acceptable compromise between
Contact People
• WNYRIC Service Desk
  – (716) 821-7171 or (800) 872-0780
• WAN Seniors
  – ON Region – Dave Buettner
  – E1 Region – Chris Siniscalchi
  – E2 Region – Pat Gugino
  – CA/GST Regions – Kyle Lyon
  – Buffalo – Ken Koch
• Content Filtering
  – Barb Fedchak
  – Ron Ternowski