RIT "Snowfall and Stolen Laptop" Research for Enterprise Security Models


Upload: clinton-den-heyer

Post on 22-Feb-2017


Page 1: RIT "Snowfall and Stolen Laptop" Research for Enterprise Security Models

I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.

Stephen Hawking

WE ARE VERY CREATIVE PEOPLE

SITUATIONAL ANALYSIS 01

SUPPORTING INFORMATION 02

Enterprise Security Innovation Suggestions

RMIT Clinton den Heyer

MACRO

CONTEXT

CASE QUESTIONS

OVERALL RECOMMENDATIONS

Please note: Each section above is welcomed by “We Are Very Creative People.”

Florida State GENERAL LAPTOP GUIDELINES

Laptops offer a great convenience due to their portability. This portability, however, makes them a prime target for thieves. These thieves not only target portable computers for the value of the device itself, but also for the restricted data they might contain.

WE ARE VERY CREATIVE PEOPLE

“BUT IS IT REALLY THAT BAD?”

By far this is the most common response to discussions and presentations around issues of digital, the net, data, social, organisational security, and specifically, personal safety. In part, this is due to advances in technology; in part, because this is not something that most people ever want to deal with.

The potential loss and fallout posed by digital security breaches is crippling. To the largest degree, breaches occur due to human error. We must accept that by and large this is a human problem. Yet technology offers fascinating solutions.

In order to establish a case for RIT, and to allow people to work this out for themselves, let us first take a look at metrics and resources that illustrate the current state.

How much? IT'S WORTH A LOT

The metrics on the right indicate a small snapshot of where ecommerce is, and where it is heading. Figures represent Google and Mobile for North America (RIT Base Country of Operations). http://www.brainsins.com/en/blog/current-state-us-ecommerce-infographic/3609

What is at stake?

https://gigaom.com/2013/09/23/check-out-this-visual-map-that-shows-24-hours-of-internet-usage-around-the-world/

RED: Dense. Real time from botnet 2012 Census

Mobile devices are now almost equal to desktop devices: https://www.hallaminternet.com/google-analytics-desktop-vs-mobile-vs-tablet-metrics/

BUT DEVICE USE IS CHANGING

Who is affected?

The World is On-Line

AGGREGATED THREAT METRICS

The following three resources represent industry standard metrics.

KASPERSKY: Available at apt.securelist.com

HUMAN FACTOR 2016: The cost of the human factor in breaches. Available from https://www.proofpoint.com/us/human-factor-2016-world-map

MCAFEE SDA: The SDA Cyber Defense Report sponsored by McAfee, www.mcafee.com

WHAT DOES BAD LOOK LIKE?

BOTTOM LEFT NORSE: http://map.norsecorp.com/#/

BOTTOM RIGHT SKYNET*: http://vignette1.wikia.nocookie.net/terminator/images/f/f1/Skynet_network01.jpg/revision/latest?cb=20120627213317

MOBILE MALWARE: https://www.lookout.com/resources/reports/mobile-threat-report-2013

TOP LEFT

DDoS: http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16911&view=map

TOP RIGHT

A large number of real time threat maps are available online. They give concise details about world wide attacks.

*SKYNET: I like to use this to see if anyone is paying attention or is a sci-fi fan. It’s kind of wonderful when art and reality collide.


But it remains a human problem

We are very creative people

We can figure this out

THIS IS A MASSIVE PROBLEM


It is a fairly open secret that almost all systems can be hacked, somehow. It is a less spoken of secret that such hacking has actually gone quite mainstream.

Dan Kaminsky

WE ARE VERY CREATIVE PEOPLE

CONTEXT
Assumptions have been made. Sections can be recognized by chapter slides titled “We are very creative people” accompanied by a quote.

1. SHORT
Steps taken by Ballard and Francesco: Which were effective and ineffective? Arguably, none of the steps were effective given the potential loss of resources and brand equity.

2. MEDIUM
Role of the Dean: What digital assets might he use, what might be stored, and what kind of vulnerability if compromised? Digital assets identified in the case, vulnerabilities not addressed, and a list of assumptions provided.

3. LONG TERM
COB Infosec controls and incident response activities: The main weakness, and key takeaway, is that RIT is operating with a fragmented security architecture and does not have a consolidated direct response security division. Security threats are increasing; suggestions have been made.

ASSUMPTIONS
This research takes the position that any organizational employee assigned a laptop will be using it to full functionality. Areas addressed: mobile device functionality, APIs, browsers, social.

STEPS TAKEN

BALLARD ISO, FRANCESCO, DEAN

EFFECTIVE, NEEDS ADDRESSING, SUGGESTED

TIMELINE

1 (Presumably Sunday Evening) DEAN
Discovers missing laptop
Calls Police
Emails BALLARD (Email is now a Vulnerability as phone synch later established)
Awaits Police
Call HEAD OF RIT IT SECURITY
Translate details of theft: Just Laptop? Or other household items?
RECALL: Open items, if Laptop P/W protected, any critical files on H/D

2 BALLARD
Calls DEAN
Cannot get through, emails. Receives answer
Enabled asset management alerts
SHOULD CALL RIT ISC
Contacts FRANCESCO
Contacts RIT Public Safety
Call DEAN again
Email list of critical questions
Contact COB Infosec for next steps

Monday (Assumed) Morning pre 9.30am

3 BALLARD
Locates new laptop from pool of refreshed laptops
LANDesk utilized
DEAN’s new laptop configured to preferences
Meeting scheduled with DEAN

4 RIT INFORMATION SECURITY COUNCIL
Inform BALLARD that ISO and ITS have been notified
ISO and ITS had also been in touch with BALLARD
FRANCESCO now in the loop

5 BALLARD, FRANCESCO, DEAN
Concern for potential credit monitoring if student PII on laptop expressed
FRANCESCO: Asks DEAN about info on HD
Established: Faculty Salary Information on HD
HD had prior PII deleted (therefore still on HD)
Too late for this information – should have been established immediately

6 DEAN, FRANCESCO, BALLARD
Confirms OUTLOOK emails synched with phone
Establish that data has not been backed up
New machine restored from last backup

7 DEAN
Not sure of last back up
Last back up 2 months ago
Hard to establish what data is missing on stolen HD

8 FRANCESCO, BALLARD
Confirms OUTLOOK emails synched with phone
Establish that data has not been backed up
New machine restored from last backup

CONCERNS WITH STEPS IDENTIFIED

This is the second time a security breach has occurred at RIT due to stolen laptops. The cost to RIT if compromised is potentially significant. The loss of reputation would hinder the extended mission of the institution to assist in the process of state invigoration and invariably causes loss of both income and resources.

Individuals that may have been compromised should be informed. Violating RIT Policy and New York legislation was irresponsible. Individuals and agencies need to be notified; Francesco and Ballard have effectively taken the law into their own hands.

The overall assessment, being satisfied by the outcome, indicates that no lessons were actually learned. No documentation was expressly supplied to COB, meaning that decision makers had no access to adjust policy and guidelines, much less protect their assets and integrity. Furthermore, the Dean's two-month-old backup leaves a gap in quantitative knowledge. At the very least his own PII may have been on the stolen laptop.

Loss of laptops, while a seemingly small area of concern for enterprise security, represents a significant portal for large scale loss. In malicious hands, a laptop can provide enough information for a skilled impersonator to access critical areas of an organisation's architecture.

Laptop password authentication may be easily bypassed by individuals experienced in IT.

SUGGESTED

POINT OF NOTIFICATION
Dedicated Technical Security team notified of theft or data breach. Relevant authorities notified. Relevant heads of organization notified. Color code system: Red, Amber, Green for levels of vulnerability, process and levels of escalation.

TECHNICAL SECURITY TEAM
Utilize last backup and scan of breached hardware or software to ascertain level of vulnerability. All users' equipment is backed up automatically when on campus. Various solutions are available for this.

VULNERABLE SOFTWARE FLAGGED
Social, Browsers, APIs and common updates for Windows devices are flagged. Steps taken to mitigate vulnerabilities. Outlook vulnerabilities patched.

BACK UP TO ENCRYPTED CLOUD
Off site usage can be monitored by cloud based HD snapshot software.

The problem of viruses is temporary and will be solved in two years.

John McAfee, 1988

WE ARE VERY CREATIVE PEOPLE

DEAN’S LAPTOP
Vulnerabilities in GREY area. Suggestions in WHITE (white-hat) area.

OUTLOOK
Information in Outlook is stored in HD cache file. Immediately available.

HD HISTORY
HD history stored as drafts. Available to extract with freeware.

DEFINED HIERARCHY
Governance should dictate levels of monitoring and usage. Rights assigned on need basis.

ATTACHMENTS
Scanned via central database. Remote scans of HD should indicate vulnerable software and APIs installed.

DEAN’S REQUIREMENTS
Individuals use a random assortment of browsers, APIs, social networking sites and enterprise solutions depending on their requirements, preferences and option exposure. Almost all expose vulnerabilities.

SOCIAL
Social (FB, LinkedIn, Twitter) plus Academic (Academia.edu, ResearchGate.net, Slideshare.net – extension of LinkedIn). All accessed via FB.

ENTERPRISE CLOUD
Blackboard or similar SaaS offering. SAP and ORACLE both suffer numerous breaches and are particularly vulnerable as patches are not often applied after installation.

SAFE FILE SHARE
Any file sharing not detected by Outlook as malicious, or any file sharing through browsers such as Mozilla, DuckDuckGo, Tor or Chrome may expose vulnerabilities.

DATA BACK UP
Lack of data backup costs an organization in efficiency. Mitigating actions for data breaches can be sped up if backup information is immediately available.

SUGGESTIONS
Technology and data encryption are not advanced enough to ensure all potential breach portals are safely secured. Suggestions are best practice given current limitations. All mobile devices are assumed included.

GOVERNANCE
Lock devices. Use non-standard passwords. Admin authorization required for restricted and banned sites. Hierarchy of governance relating to position and permissions established.

REMOTE FIREWALL
Access to HD of any connected device requires permissioned firewall. This should be updated regularly.

ENCRYPTION
Remote encryption for access. Encrypted password for turning device on.

AUTO UPDATE
Ensure that weekly backups, software and data scans are completed. Set frequency according to risk and position permissions.

ORGANIZATIONAL VULNERABILITY

Remote devices, digital use, footprint and HD storage only represent a small part of the potential vulnerability that universities face. Any updates, Enterprise Applications, or use of ERP Applications (such as PeopleSoft and the well publicized TokenChpoken breach) expose such organizations to constant orchestrated breaches. ERPs are particularly vulnerable.

WHAT CAN WE DO ABOUT THIS?

Innovation stems from need, reward, and a lack of resources. It also stems from shared values and a willingness to make a difference.

Ultimately, breaches are conceived by creative individuals. Universities possess an unlimited resource of creative innovators and experienced gatekeepers. How can we utilize such resources effectively?

COMMUNICATE
The key to solution thinking is communication, understanding and permission based trial and error

INNOVATE
Innovation requires teams, new thinking, old thinking and disrupted incubators

UPDATE
Ensure organization is up to date across all areas of identifiable vulnerabilities

If operating in a network environment, do not place public domain or shareware programs in a common file-server directory that could be accessible to any other PC on the network.

John McAfee

WE ARE VERY CREATIVE PEOPLE

CURRENT + SUGGESTED

The current RIT Architecture is siloed and decentralized. From the narrative, key players in the case did not appear to learn much from the theft other than the importance of backups. There is nothing to indicate that this story will not be repeated in the same fashion as reported. The key learning from this case is that a new model should be established.

CENTRALIZATION
A central security agency needs to be established first.

INNOVATION
RIT has ready access to great minds. Real world applications are a value proposition for students.

It is the opinion of this research that centralization is not a one-size-fits-all approach; however, given the fragmentation of the current structure, a hybrid model is recommended. This model requires a centralized approach and a decentralized innovation team. Recommended models utilize abundantly available RIT resources.

OVERALL OBJECTIVES

RIT's Digital Security Department will instigate Processes and Policies to:

Identify and Protect
Monitor and Detect
Respond and Recover
Reduce Risk

Related areas of fragmented vulnerability Highlighted

Current Model

BUSINESS CONTINUITY
Most at risk if Security is compromised.

INFORMATION & TECHNOLOGY SERVICES
Responsible for areas that include security, yet fragmented from Security.

INFORMATION SECURITY
Should be main focus as a serious prolonged breach will cease all other operations.

LEGAL SERVICES
Directly affected in the event of a breach.

Consolidating an IT Governance and Management structure is never easy.

The nature of the technology itself is fragmented and specialized. Creating an appropriate Architecture is challenging. The following areas are closely related but operating under siloed departments.

Centralized approach to Enterprise Security

To Be Model

CENTRALIZED
Reporting, governance and responsibility

METRICS
Data and Analytics drive organizational decision making

STRUCTURED
Fragmented areas of responsibility re-defined, silos considerably reduced

COMMUNICATION
Across vital areas of the organization, between technology, and people

Combining all Digital Security requirements into one division will consolidate future risk and allow RIT to ensure that assets are secure.

Steps to deliver RIT's Digital Security Architecture

APPROACH: DETERMINE, DISCOVER, DESIGN, DELIVER

DIGITAL TECHNOLOGIES: DATA & ANALYTICS, AI, MONITORING & ASSESSMENT, EMERGING TECH

COMMUNICATION & INNOVATION: COMMUNICATION, EXCHANGE, DISRUPTION, INNOVATION

ORGANIZATIONAL FRAMEWORK

INTEGRATION

and Future-Proof Strategy

FUTURE GROWTH

INTERNAL FOCUS, EXTERNAL FOCUS

APPROACH

Build a Security Strategy using a Structured Four Stage Process.

DETERMINE, DISCOVER, DESIGN, DELIVER

The Determine phase defines the objectives of the Strategy. Key Stakeholders are consulted, Legislation is factored, Data & Analytics are gathered.

The Discover phase defines the baseline and current situation for the Strategy. This phase incorporates innovation gathered from all areas of RIT.

The Design phase builds the Digital Strategy: the Architecture, the areas of focus and the initiatives to deliver. Capability and Maturity models utilized.

The Deliver phase creates the implementation plan for both the Strategy and supporting structures. Continuous improvements are made to ensure Future Proofing.

DIGITAL TECHNOLOGIES

A Digital Security Strategy integrates Digital Technologies into a company’s Strategies and Operations in ways that not only protect, but fundamentally alter the Value Chain. Security Research and Capability; a market predicted to be investing in 2025 at the same levels that Medical Research is investing in 2016.

AI is capable of identifying and predicting up to 85% of Digital threats.

EMERGING TECH, MONITORING & ASSESSMENT, DATA & ANALYTICS, AI

Building on Quantifiable Data and Analytics toward Process Automation

Approaches | Architecture

[Architecture diagram labels: Enterprise Portal HOME BASE; Executive Governance; Innovation Green Light; Channel Management; Champion Innovation; Broadcast Innovation; External Consultants; Innovation Incubator Home Base; Green Light; Xone Matrix; Best ideas; RIT D & A; RIT Faculty; RIT Information School; RIT Dept Heads]

COMMUNICATION & INNOVATION

Strategy

COMMUNICATION: Working in groups with different specialities

EXCHANGE: Teams are made up of people from different backgrounds and expertise

DISRUPTION: Teams are broken up consistently before they conform

INNOVATION: Fed back to Home Base


ORGANIZATIONAL FRAMEWORK

This approach is built on cross platform communication to guide the overall strategy of RIT.

The 5 areas of intelligence are necessary as we approach integration of IPV6, and 3.0: The Semantic Web.

RIT Digital Security
RIT Product Planning
RIT Data & Analytics
RIT Customer Decision Journey
RIT Finance & Budget

STRATEGY

LEGISLATION & CROSS BORDER MANAGEMENT

PARTNERSHIPS & ECO-SYSTEM LEVERAGE

DATA ANALYTICS & INSIGHTS

INNOVATION CULTURE

BRAND & POSITIONING

FUTURE GROWTH

DIGITAL GOVERNANCE

FUTURE PROOF STRATEGY

EXTERNAL FOCUS

INTERNAL FOCUS

By focusing the development of Security Strategies on D&A combined with RIT's innovation resources, a framework can be established to protect, plan, educate and future-proof while adding value to RIT's branding and positioning.

Software production is unlike any other production that preceded it. No raw materials are required, no time is required, and no effort is required. You can make a million copies of a piece of software instantaneously for free. It's a totally new paradigm of production.

John McAfee

WE ARE VERY CREATIVE PEOPLE

RECOMMENDED RESOURCES: THE INTERNET

http://michellechandra.github.io/synchronicity.html
http://www.bustle.com/articles/96396-how-many-people-are-on-the-internet-in-the-world-this-map-shows-you-and-its
https://www.shodan.io
http://www.businessinsider.com.au/this-world-map-shows-every-device-connected-to-the-internet-2014-9?r=US&IR=T
http://www.internetworldstats.com/stats.htm
http://internet-map.net
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/1W?display=map
http://www.theverge.com/2016/2/22/11075456/facebook-population-density-maps-internet-org
http://qz.com/215669/forget-drones-microsofts-plan-to-bring-the-internet-to-the-world-is-all-about-tv/
https://www.e-nor.com/blog/google-analytics/abcs-of-google-analytics
http://www.cpcstrategy.com/blog/2013/08/ecommerce-infographic/
http://www.businessinsider.com.au/google-search-traffic-mobile-passes-desktop-2015-5?r=US&IR=T
https://searchenginewatch.com/sew/opinion/2353616/mobile-now-exceeds-pc-the-biggest-shift-since-the-internet-began
https://www.hallaminternet.com/google-analytics-desktop-vs-mobile-vs-tablet-metrics/
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

RECOMMENDED RESOURCES: THREATS

http://www.theregister.co.uk/2014/09/15/wikileaks_leaks_finfisher_docs_binaries/
https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher
http://www.securityweek.com/growing-number-governments-using-finfisher-spyware-report
https://commons.wikimedia.org/wiki/File:FinFisher_proxy_networks.jpg
http://threatmap.fortiguard.com
https://www.checkpoint.com/ThreatPortal/livemap.html
http://www.businesscloudnews.com/2015/11/27/conficker-is-commonest-criminal-in-the-cloud-says-threatcloud-report/
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
http://www.trendmicro.com/us/security-intelligence/current-threat-activity/global-botnet-map/index.html
http://www.csoonline.com/article/2130877/data-protection/data-protection-the-15-worst-data-security-breaches-of-the-21st-century.html
http://www.networkworld.com/article/2185187/security/15-worst-internet-privacy-scandals-of-all-time.html
http://www.devry.edu/blog/2014/02/top_information_security_breaches_in_history.html
http://blog.maytech.net/history-of-data
http://www.dailymail.co.uk/news/article-3181179/Shocking-map-shows-600-times-Chinese-hackers-stolen-American-secrets-past-five-years.html

RECOMMENDED RESOURCES: SECURITY

http://www.slideshare.net/Sligo/Most-malignant-viruses?qid=0b4c1910-5967-427a-a477-7dd47a8a8aff&v=&b=&from_search=10
http://www.slideshare.net/cyberjure/virus-or-worm-attacks-india?qid=0b4c1910-5967-427a-a477-7dd47a8a8aff&v=&b=&from_search=6
http://www.slideshare.net/CelloLtd/marcelo-silva-lot2task2final?qid=fe9ce00f-0501-4f5f-b446-adf9620a76e1&v=&b=&from_search=12
http://www.slideshare.net/InstartLogic/webinar-behavioral-shifts-in-recent-ddos-attacks-that-should-get-you-worried?qid=fe9ce00f-0501-4f5f-b446-adf9620a76e1&v=&b=&from_search=2
http://www.slideshare.net/matrosov/zn2012-pdf?qid=e10dd516-2d89-4322-b656-3f21e5480f14&v=&b=&from_search=12
http://www.slideshare.net/elie-bursztein/lessons-learned-while-protecting-gmail?qid=e10dd516-2d89-4322-b656-3f21e5480f14&v=&b=&from_search=10
http://www.slideshare.net/Dell/ten-expert-tips-on-internet-of-things-security?qid=37865bd8-b543-4327-b448-acb6a6dc3e4f&v=&b=&from_search=3
http://www.slideshare.net/abhijitjgd214/graphical-password-authentication-36753648?qid=3643fffb-fbe9-4919-9e16-4120cce7c9ac&v=&b=&from_search=4
https://nz.pinterest.com/adgcreative/cyber-security-visualizations/

METRIC BASED INFO GRAPHICS

Top to bottom, left to right:

http://raconteur.net/infographics/security-in-the-cloud
http://blog.theimf.com/2015/06/study-shows-high-rate-of-businesses-hacked-risk-managers-want-more-resources-to-prevent-hacking/
http://www.lockheedmartin.com/content/dam/lockheed/data/space/documents/AEHF/Infographic%20Screen%20layout%20FINAL.jpg
http://cbspulse.com/2015/07/05/infographic-cybersecurity-tactics-now/
https://nz.pinterest.com/pin/294000681900481386/
http://www.svb.com/cybersecurity-report-infographic/

IFSEC BEECHAM RESEARCH

The Periodic Table of Security is considered by many as an industry benchmark for security protocols.

http://www.ifsecglobal.com/periodic-table-of-security/

The Beecham Research IoT vulnerability map provides speculation on immediate areas of concern for IPV6.

http://www.beechamresearch.com/download.aspx?id=43

REAL TIME ATTACK MAPS

http://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html

http://krebsonsecurity.com/2015/01/whos-attacking-whom-realtime-attack-trackers/

MAPS OF THE INTERNET

http://internetcensus2012.bitbucket.org/images.html

http://blog.visual.ly/mapping-the-internet/


ATTACK METRICS


Clinton den Heyer [email protected]