Universities and Schools Under Cyber-Attack:
How to Protect Your Institution of Excellence
About ERM
© 2013 Enterprise Risk Management, Inc.
About The Speaker
Information Security Expert at ERM
B.S. Software Engineering and Information Technology - University of Miami
Recently passed the CISSP
Core Experience: Penetration Testing
Agenda
Our Institutions Under Attack
How It Works
Compliance vs. Security
Protecting Your Institution of Excellence
Money Is The Motive
Tons of Sensitive Information
Confidential Research
Identity Theft
University Attacks in the News
CYBER SECURITY | REGULATORY COMPLIANCE | DIGITAL FORENSICS
Team GhostShell claimed credit for breaking into servers at 100 major universities from around the world
– Included U.S. News Top 10 universities
A month ago, a large university reported that confidential files containing personal information on 72,000 people were hacked.
A month ago, a major academic institution's Internet technology database was hacked, and school officials made an announcement suggesting that students and staff reset their passwords.
Types of Attacks
Network Attack
Physical Layer
Social Engineering
DDoS
Distributed Denial of Service
Masters – systems that are initially exploited through a vulnerability and then used to control the attack
Slaves – hosts infected with malware distributed by the masters; they generate the flood traffic
Goal is to overload the network or a targeted application so legitimate users cannot reach it
Software Weaknesses
SQL Injection
Insertion of malicious SQL statements into an entry field, so that the attacker's text becomes part of the query the application runs
Attacker attempts to dump the database contents back to themselves
Zero-Day Exploits
Exploits for vulnerabilities in software for which no patch has yet been developed
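The slide describes SQL injection in one sentence; the following added example (not from the original deck; the student table and its values are constructed for the demonstration) shows the vulnerable query-building pattern beside its parameterized replacement, and runs two classic "entry field" payloads against both so the difference is visible: a tautology that returns every row, and a UNION payload that reads the table definitions out of SQLite's catalog, which is the first step of dumping the database.

```python
import sqlite3

# Constructed sample data for the demonstration: a toy student-records table
# (not from the original deck; the names and numbers are made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?, ?)",
        [(1, "alice", "111-11-1111"), (2, "bob", "222-22-2222")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The "entry field" value is pasted into the SQL text, so whatever the
    # user types becomes part of the statement the database parses.
    sql = "SELECT id, name, ssn FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Hardened form: the value is bound as a parameter and is only ever
    # treated as data, never as SQL syntax.
    sql = "SELECT id, name, ssn FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Two classic payloads typed into the "name" field.
TAUTOLOGY = "x' OR '1'='1"                                        # matches every row
SCHEMA_DUMP = "' UNION SELECT 0, name, sql FROM sqlite_master--"  # reads table definitions

def demo():
    conn = make_db()
    return {
        "normal":    lookup_vulnerable(conn, "alice"),       # one row, as intended
        "tautology": lookup_vulnerable(conn, TAUTOLOGY),     # every student's SSN
        "schema":    lookup_vulnerable(conn, SCHEMA_DUMP),   # CREATE TABLE text from the catalog
        "hardened":  lookup_parameterized(conn, TAUTOLOGY),  # no rows: the payload is just a name
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The `--` at the end of the UNION payload comments out the closing quote the application appends, which is why the injected statement still parses. Parameter binding is the fix; escaping or filtering quotes is not, because the attacker controls the encoding of the input and the database, not the application, decides what is syntax.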
BYOD (Bring-Your-Own-Device)
Mobile Devices
Access to sensitive information is authenticated by device
Lost or Stolen Device
Data Breach
Rogue Access Points
BYOD part deux
Bring your own wireless access point to campus
Allows an attacker to see all traffic that passes through it
Active Ports
An attacker attempts to gain access to the wired network by testing for active Ethernet ports
Tailgating / Piggybacking
Attempting to gain access to secured premises by exploiting common courtesy or carelessness.
Dumpster Diving
The act of searching through trash bins to discover sensitive information.
Social Engineering
The art of manipulating people into performing actions or divulging confidential information.
Relies on people's inability to keep up with a culture that depends heavily on information technology.
Uses your own employees to defeat your security controls and practices.
Social Engineering Attacks
Phishing
Malicious Email Attachment
Click the Link
Fake Website
Baiting
Shoulder Surfing
Academic Institution Attack
Scenario: Target DB Administrators and Finance, AND you have 2 weeks
Information Gathering:
Google / LinkedIn: Names of all people in both departments
Institution's Website: Layout of the entire building, including desk locations; the PeopleSoft application in use; emails of identified staff; the Dean's contact information, signature, and sample emails
Attack:
Phishing: Crafted a spoofed email purporting to be from the Dean, telling the victims about a PeopleSoft training they must take, with a link to the site
Fake Website: Victims entered their PeopleSoft credentials; took those credentials and logged into the institution's PeopleSoft site, which happens to be externally facing.
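The lure in this scenario works because the visible link text and the real destination differ, and the destination sits on a look-alike domain outside the institution. The following added example (not part of the original deck) is a small mail-body check a security team could run on incoming messages: it pulls every anchor out of the HTML, flags links whose host is not under the institution's domain, and flags links whose visible text names a different host than the one the browser would actually open. The institution domain and the sample message are hypothetical and constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical institution domain used by this example; substitute your own.
TRUSTED_DOMAINS = {"example-university.edu"}

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain, lower-cased ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def is_trusted(host):
    # Exact match or a subdomain of a trusted domain; "example-university.edu.evil.com" fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def looks_like_url(text):
    # Visible anchor text that is itself a URL or domain is what the victim reads.
    return "." in text and " " not in text

def suspicious_links(html):
    """Return [(href, [reasons...])] for links a user should not follow."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if not is_trusted(href_host):
            reasons.append("link host %r is outside the institution's domain" % href_host)
        if looks_like_url(text) and host_of(text) != href_host:
            reasons.append("visible text shows %r but the link goes to %r" % (host_of(text), href_host))
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: a lure in the style of the scenario above (made up for this example).
SAMPLE_EMAIL = """
<p>All Finance and DBA staff must complete PeopleSoft training this week.</p>
<p>Register here:
<a href="http://peoplesoft-training.example-university-edu.com/login">https://peoplesoft.example-university.edu/training</a></p>
<p>Questions? See the <a href="https://hr.example-university.edu/calendar">HR calendar</a>.</p>
<p>-- Office of the Dean</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately conservative: it only judges where a link goes, not who the mail claims to be from, so it complements rather than replaces sender authentication. Note that the hardening that would have stopped the second half of the attack, reusing harvested credentials against the externally facing PeopleSoft site, is a second authentication factor on that site, which no mail filter provides.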
Compliance vs. Security
The annual grind is to become compliant with the numerous regulations
Compliance and security are VERY DIFFERENT!!
Implement security from the very foundation, not as a checklist item
Cloud Computing
All about VENDOR MANAGEMENT
Compliance is key
Ensure that cloud computing companies comply with regulations (e.g. HIPAA, PCI, and GLBA)
Compliance risk assessment
Fight the DDoS
Load Balancing
Throttling
Honeypots
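"Throttling" on the slide above is a one-word item; the following added example (not from the original deck; the traffic is constructed) shows the mechanism most throttles are built on, a per-source token bucket, and runs it over a ten-second mix of one legitimate user and one flooding source so the effect is measurable: the legitimate client is never dropped, while the flood is held to roughly the configured rate plus the initial burst allowance.

```python
from collections import defaultdict

class TokenBucket:
    """Per-source throttle: each client earns `rate` tokens per second,
    holds at most `burst`, and spends one token per request."""
    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = {}   # client -> tokens currently available
        self.last = {}     # client -> timestamp of last refill

    def allow(self, client, now):
        last = self.last.get(client, now)
        tokens = self.tokens.get(client, self.burst)
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last seen
        self.last[client] = now
        if tokens >= 1.0:
            self.tokens[client] = tokens - 1.0
            return True
        self.tokens[client] = tokens
        return False

def simulate(requests, rate=5.0, burst=10):
    """requests: iterable of (timestamp_seconds, client_id) in time order.
    Returns {client: {"allowed": n, "dropped": m}}."""
    bucket = TokenBucket(rate, burst)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, client in requests:
        stats[client]["allowed" if bucket.allow(client, t) else "dropped"] += 1
    return dict(stats)

def sample_traffic():
    """Constructed traffic (made up for this example): one legitimate user at
    2 req/s for 10 s and one flooding source at 100 req/s over the same 10 s."""
    legit = [(i * 0.5, "10.0.0.7") for i in range(20)]
    flood = [(i * 0.01, "203.0.113.9") for i in range(1000)]
    return sorted(legit + flood)

if __name__ == "__main__":
    for client, counts in simulate(sample_traffic()).items():
        print(client, counts)
```

With `rate=5` and `burst=10` the flooding source gets about 10 + 5 x 10 = 60 of its 1,000 requests through; everything else is shed before it reaches the application. Keying the bucket on source address is the simplest choice and is what a distributed attack is designed to defeat, which is why this belongs in front of the application alongside load balancing rather than as the only defense.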
Breach Health Check-ups
Timely checkups for security breaches
Bring in professionals who will analyze your network
Large Organizations -> Once a quarter
Smaller Organizations -> At least every six months
Data Assurance
Identify and track the life cycle of information in the organization
Ensure it is properly secured throughout the entire life cycle
Data leakage prevention
Origin of Data
Data in Transit
Data Destruction
Audits and Assessments
Regular penetration testing
Configuration assessments
Patches, patches, patches!!
Social Engineering Tests
Physical Intrusion Tests
Preventative Policies
Security Awareness Training
You’re Not Alone
Educause
FBI College and University Security Effort (CAUSE)
Multiple Tools
THE SECURITY OF YOUR ENTIRE INSTITUTION
Your go-to advisors for all matters in information security.
800 S Douglas Road #940 Coral Gables, FL 33134
Phone: 305-447-6750 Email: [email protected]