
(1)

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

(2)

About ERM

© 2013 Enterprise Risk Management, Inc.

(3)

About The Speaker

Information Security Expert at ERM

B.S. Software Engineering and Information Technology, University of Miami

Recently passed the CISSP

Core Experience: Penetration Testing

(4)

Agenda

Our Institutions Under Attack

How It Works

Compliance vs. Security

Protecting Your Institution of Excellence


(5)

Money Is The Motive

Tons of Sensitive Information

Confidential Research

Identity Theft

(6)

University Attacks in the News


CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS

Team GhostShell claimed credit for breaking into servers at 100 major universities from around the world, including U.S. News Top 10 universities.

A month ago, a large university reported that confidential files containing personal information on 72,000 people were hacked.

A month ago, a major academic institution’s Internet technology database was hacked, and school officials made an announcement suggesting students and staff reset their passwords.

(7)

Types of Attacks

Network Attack

Physical Layer

Social Engineering

(8)


(9)

DDoS


Distributed Denial of Service

Masters: system that is initially exploited due to a vulnerability

Slaves: infected with malware distributed by the master

Goal is to overload the network or a targeted application

(10)

Software Weaknesses

SQL Injection

Insertion of malicious SQL statements into an entry field

The attacker attempts to dump the database contents

Zero-Day Exploits

Exploits for software vulnerabilities for which patches have not yet been developed
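The two outcomes the SQL Injection bullet describes, as an added illustration that is not part of the deck: a student-records lookup built by string concatenation next to its parameterized form, run against a constructed in-memory SQLite table (the table, its rows and the sample usernames are assumptions made for this example).

```python
import sqlite3

# Constructed sample rows standing in for a student-records table (not from the deck).
STUDENTS = [
    ("jdoe", "Jane Doe", "ssn-redacted-1"),
    ("asmith", "Al Smith", "ssn-redacted-2"),
    ("bwong", "Bea Wong", "ssn-redacted-3"),
]


def make_db():
    """Create an in-memory database holding the constructed student rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation: whatever is typed in the entry field is parsed as SQL,
    so a crafted value can widen the WHERE clause and return every row."""
    sql = "SELECT username, name, ssn FROM students WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value is bound separately from the statement text,
    so it is compared literally and never interpreted as SQL."""
    sql = "SELECT username, name, ssn FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

With the classic tautology value, the concatenated version returns the whole table while the parameterized version returns nothing, which is the behaviour a code review or a web application firewall rule should be looking for.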


(11)

BYOD (Bring-Your-Own-Device)

Mobile Devices

Access to sensitive information is authenticated by device

Lost or Stolen Device

Data Breach

(12)

Rogue Access Points

BYOD part deux

Bring your own wireless access point to campus

Allows an attacker to see all traffic


(13)


(14)

Active Ports

An attacker attempts to gain access to the wired network by testing for active Ethernet ports


(15)

Tailgating / Piggybacking

Attempting to gain access to a secure premise through the exploitation of common courtesy or carelessness.

(16)

Dumpster Diving

The act of searching through trash bins to discover sensitive information.


(17)


(18)

Social Engineering

The art of manipulating people into performing actions or divulging confidential information.

Relies on people’s inability to keep up with a culture that relies heavily on information technology.

Uses your own employees to defeat your security controls and practices.


(19)

Social Engineering Attacks

Phishing

Malicious Email Attachment

Click the Link

Fake Website

Baiting

Shoulder Surfing

(20)

Academic Institution Attack


Scenario: Target DB Administrators and Finance, and you have 2 weeks

Information Gathering:

Google / LinkedIn: names of all people in both departments

Institution’s Website: layout of the entire building including desk locations; the PeopleSoft application in use; emails of identified staff; Dean’s contact information, signature, and sample emails

Attack:

Phishing: crafted a spoofed email, pretending to be from the dean, sent to the victims about a PeopleSoft training they must take, with a link to the site

Fake Website: victims entered their PeopleSoft credentials; those credentials were then used to log into the institution’s PeopleSoft site, which happens to be externally facing.
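A defender-side check for the two signals in this scenario (an executive's display name on an address outside the institution, and a training link that leaves the institution's domain), added here and not part of the deck; the institution domain example.edu, the dean's name and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INSTITUTION_DOMAIN = "example.edu"          # assumed institution domain
EXEC_NAMES = {"dean jane roe"}              # assumed names likely to be impersonated

# Constructed sample message modelled on the scenario in the deck (not a real email).
SAMPLE = """From: Dean Jane Roe <dean.roe@mail-example-edu.com>
To: finance-staff@example.edu
Subject: Mandatory PeopleSoft training

All Finance and DBA staff must complete this PeopleSoft training by Friday:
http://peoplesoft-training.mail-example-edu.com/login
Regards, Jane
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def in_domain(host, domain):
    """True when host is the institution domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def phish_indicators(raw, institution=INSTITUTION_DOMAIN, execs=EXEC_NAMES):
    """Return the indicators found in one message; an empty list means none fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    # 1. A known executive's display name on an address outside the institution.
    if name.strip().lower() in execs and not in_domain(sender_host, institution):
        findings.append("executive display name on external address: " + addr)
    # 2. Links in the body that lead outside the institution's domain.
    for url in URL_RE.findall(msg.get_payload()):
        if not in_domain(urlparse(url).hostname, institution):
            findings.append("external link: " + url)
    return findings
```

Either indicator on its own is worth a banner or a quarantine rule at the mail gateway; both together on one message aimed at Finance or DBA staff is the pattern this scenario relies on.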

(21)

Compliance vs. Security

The annual grind is to become compliant with the numerous regulations

Compliance and security are VERY DIFFERENT!!

Implement security from the very foundation

(22)

Cloud Computing

All about VENDOR MANAGEMENT

Compliance is key

Ensure that cloud computing companies comply with regulations (e.g. HIPAA, PCI, and GLBA)

Compliance risk assessment


(23)


(24)

Fight the DDoS

Load Balancing

Throttling

Honeypots


(25)

Breach Health Check-ups

Timely checkups for security breaches

Bring in professionals who will analyze your network

Large Organizations -> Once a quarter

Smaller Organizations -> At least every six months

(26)

Data Assurance

Identify and track the life cycle of information in the organization

Ensure it is properly secured throughout the entire life cycle

Data leakage prevention


Origin of Data

Data in Transit

Data Destruction

(27)

Audits and Assessments

Regular penetration testing

Configuration assessments

Patches, patches, patches!!

Social Engineering Tests

Physical Intrusion Tests

Preventative Policies

(28)

Security Awareness Training


(29)

You’re Not Alone

Educause

FBI College and University Security Effort (CAUSE)

Multiple Tools

(30)


THE SECURITY OF YOUR ENTIRE INSTITUTION

(31)

Your go-to advisors for all matters in information security.

800 S Douglas Road #940 Coral Gables, FL 33134

Phone: 305-447-6750 Email: [email protected]
