Private Data – Keep Out!
National Extension Technology Conference
Greg Parmer, Jonathan Davis
August 12, 2015

The Day My Job Changed: History
- Firewall hole added for a workgroup NAS device, against IT recommendation
- 4 years later…
- Mail relay incident
- A dozen “exposed” SSNs
- Nearly five-figure forensics bill
- Faculty members’ change of heart
- Policy necessity (and now politically acceptable!)

Gas On The Fire
- College of Business incident
- Admissions Office incident
- NAS device replacement (incorrect configuration)
- Exposures of Personally Identifiable Information (PII)
- ID theft insurance for thousands of individuals
- Policy avalanche… (and why hasn’t this already been fixed?)

Finding Personally Identifiable Info
- Deployed Identity Finder software
- Scan all University computers for PII (SSNs and credit card numbers)
- Deployed on relatively short notice
- Remediation by end users
- Where to store PII?

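The PII-discovery step above depends on a content scanner that finds SSNs and card numbers in files without drowning the end users who must remediate in false positives. The following is an added example written for this page; it is not Identity Finder's code and not anything the presenters published. It pairs pattern matching with the structural checks such scanners use: SSN candidates are dropped when a field is one the SSA never issues (area 000, 666 or 900–999, group 00, serial 0000), and card candidates are dropped when they fail the Luhn checksum. The sample document is constructed for the example, using well-known payment-card test numbers.

```python
"""Minimal PII content scanner: SSNs and payment card numbers.

Added example, not the Identity Finder product or presentation code.
Validation rules (SSA issuance limits, Luhn mod-10) are public; the
sample document at the bottom is constructed for this example.
"""
import re
from typing import List, Tuple

# Candidate SSN: 3-2-4 digits with a consistent separator ('-', ' ' or none).
# The lookarounds stop the pattern from firing inside longer digit runs such
# as card numbers or phone numbers.
SSN_RE = re.compile(
    r"(?<![\d-])(?P<area>\d{3})(?P<sep>[- ]?)(?P<group>\d{2})(?P=sep)"
    r"(?P<serial>\d{4})(?![\d-])"
)

# Candidate card: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the Social Security Administration never issues."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum shared by major payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    """Return SSN-shaped matches that also pass the issuance rules."""
    return [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if is_valid_ssn(m["area"], m["group"], m["serial"])
    ]


def find_cards(text: str) -> List[str]:
    """Return card-shaped matches whose digits pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def scan(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, matched text) for every confirmed hit."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings += [(n, "ssn", s) for s in find_ssns(line)]
        findings += [(n, "card", c) for c in find_cards(line)]
    return findings


# Constructed sample document (not real data). Lines 3 and 5 exist only to
# show candidates that the structural checks filter out.
SAMPLE_DOC = """\
Applicant: Jane Doe, SSN 123-45-6789, phone 334-555-0100
Backup SSN field: 345678901 (no separators)
Invalid SSN examples: 000-12-3456, 666-12-3456, 123-00-4567, 123-45-0000
Card on file: 4111 1111 1111 1111 (Visa test number)
Order number 4111 1111 1111 1112 fails the Luhn check and is not reported
Amex: 3782 822463 10005
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_DOC):
        print(f"line {line_no}: {kind} {value}")
```

A production scanner would walk the filesystem and open each file through a format-aware reader (Office documents, PDFs, archives) rather than treating input as plain text; the matching and filtering logic stays the same. Note that the phone number and the Luhn-failing order number are never reported, which is what keeps remediation lists short enough for end users to work through.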
Information Security Awareness Training
- Training required of all employees
- 23 video modules, each a few minutes long
- Quiz after each module
- Repeat annually
- Planning for customized content

Border Firewall and NAT
- Much greater acceptance of campus NAT
- Border firewall is default closed

Server Certification Working Group
Purpose: Develop security standards to evaluate and secure all University servers. Create a secure server certification program, with certain expectations:
1. Server certification will be based on a recognized standard.
2. The server security standard should preferably be in use at peer institutions.
3. The server security standard will include criteria to determine what systems will be subject to compliance.
4. Servers will be audited and re-certified regularly at an interval consistent with industry standards.
5. Complete access to servers will be required by the audit team during audits.
6. Additional server security criteria and requirements for a successful certification program.

Peer Institution Policies
Florida: IT policies, data classification, Network and Host Security Standard, NIST standards referenced (IT security PPT presentation for faculty, staff, students, etc. to “sell” the policies)
Iowa State (was pending, but applied well to AU): Data Governance Committee, data classification, security standards & guidance
Univ of Tennessee Institute for Agriculture (policies and procedures were pending): scanning with Qualys, working toward NIST standard
Texas A&M AgriLife/Extension (follow Aggie Standard Administrative Procedures): Servers are registered in an online app and scanned monthly with Nessus, with reports provided to the registered server administrator. Administrators are also required to do a yearly risk assessment per university rule; the risk assessment is done via an online questionnaire. In addition, any server that handles registration/payment has a quarterly PCI scan and remediation process.
(Thank you, colleagues! Great information from the extech mailing list, online, and personal e-mail.)

4 Aspects of Server Standards In A Nutshell
- Server registration: audit via multiple methods
- Data classification: audit via Identity Finder
- NIST’s National Checklist Program: audit via CIS-CAT
- Patch at least severity levels 4 and 5 (the top two tiers of the scanner’s 1–5 severity scale; CVSS itself scores 0–10): audit via Qualys (and third-party tools like Nessus)
- Data Governance Committee to audit process, policy, and audits

Differences in Policy
- Cloud service agreement with vendors? OneDrive, Google Docs, Dropbox, Evernote
- Guarantee for confidential data?
- This seemingly minor difference results in major implementation differences!

Other Tools
- Scanners: Nessus, Qualys (authenticated scans)
- Password managers: LastPass, KeePass, Secret Server
- Multifactor authentication: RSA, Duo
- “Off-campus” scans

Questions?
Thanks for attending!
PS: “Dark Alleys of the Internet”, updated on SlideShare: www.slideshare.net/gparmer/dark-alleys2015
Greg Parmer [email protected] or [email protected]
Jonathan Davis [email protected]