it security awareness - trent university · 2018-02-28 · • overview of security landscape in...

Tales from the Trenches at Trent University IT Security Awareness


Post on 29-May-2020


Agenda

• Overview of security landscape in higher education
• Current measures and controls
• Awareness efforts
• Phishing Simulation
• Challenges
• Next steps


Current Information Security Climate

• Growing Threats - Nature of the business
• Advanced Persistent Threat
• Students?
• FIPPA / PIPEDA
• ISO 27001, SANS 20 (CIS)


Understanding our Demographics

• Students – Part time and full time, residence and off campus.
• Staff – Fairly typical
• Faculty – Full time, part time


The Risks

• Students – Access to their own student data, wireless network (their own wireless networks), network accounts, desktop access.
• Faculty – Access to personal student information, network and desktop access.
• Staff – Access to a large amount of personal student information, network and desktop access.


Student Challenges

• They’re busy!
• They’re scared to “bother” support staff
• Wide range of devices


Staff Challenges

• Changing Technology
• Budget Difficulties
• Access to large amounts of data
• Technology Knowledge – Mechanisms for keeping up with technology change.


Faculty Challenges

• Traveling – Not fixed to a single location
• Periods of not teaching – Summer, Sabbatical leaves, Research trips
• Part-time status


Specific Problems

• Phishing
• Information Theft
• Information Loss (or improper disclosure)
• Data Integrity
• Malware
• DoS / DDoS


Don’t Take the Bait

Trent IT will NEVER ask you for your username and password in an email request.


Is your data backed up?

Back up your files to Google Drive or OneDrive today


When you send me your username and password

If it sounds too good to be true, it always is.

Yours free!


Does your computer have pending updates?

Updates fix critical vulnerabilities in your computer. Unpatched systems are the easiest way for hackers to infect your computer with malware. Install updates today!


Your photos are your memories.

Keep them safe by backing up your phone to Google Photos today

Unlimited Space with your Trent account!


Don’t be caught without a backup plan

Back up your data

Google Drive for Students

Microsoft OneDrive for Staff


Simulated Phishing

• May 2017 – PhishingBox.com was contracted to provide a platform to launch simulated phishing on staff and faculty accounts and report on the results.
• 5 phishing tests of varying complexity have been completed.
• Individual users are not identified

The bait

Results

Test        Link Clicked   Full Submit
Easy        4.5            3.3
Moderate    2.8            1
Difficult   6              3


Challenges

• “Just fix it”
• Getting people in for training
• Policy
• Mobility
• Changing Environments


Next Steps

• Security Survey
• Training for “higher risk” users
• More distance sessions
• Cyber Security Awareness Month