
Protecting Data in the Cyber Age - What Schools Are Doing NYSOBBA, 9/2019

Explore the measures schools are taking to protect data in the cyber age, including compliance efforts, threat and attack trends, and safe computing tips.


Presentation Transcript


  1. Protecting Data in the Cyber Age - What Schools Are Doing NYSOBBA, 9/2019

  2. Agenda
     • Intro / Background
     • Does this deserve our attention?
     • Compliance vs. Risk
     • Threat and Attack Trends
     • Safe Computing Tips

  3. Introducing Jeffrey Mackey
     Jeffrey Mackey is the Senior Business Systems Analyst for Stony Brook University’s Office of the Bursar and Student Accounts. In this role, he:
     • acts as the subject matter expert for the University’s student financials system;
     • oversees e-commerce activity across the campus;
     • is the University’s Internal Security Assessor for PCI Compliance; and
     • sounds paranoid in meetings.
     A frequent collaborator with his colleagues in Information Security and the Division of IT in general, he chairs the University’s Business Compliance Working Group and serves as a member of the campus’ Incident Response Working Group.

  4. Introducing Matt Nappi
     Matt Nappi is the Chief Information Security Officer at Stony Brook University. In this role, he:
     • sounds paranoid in meetings.

  5. Background: Anatomy of an Incident (1990’s)

  6. Anatomy of an Incident (Today)

  7. Background: What is cybersecurity anyway?
     CIA
     Most important?
     • Recruitment – A
     • Bursar’s Office – I
     • Registrar’s Office – C
     • Alumni – C
     Case Study: OPM
     The “other” CIA: intel through deduction

  8. Modern Cybersecurity Program Goals
     • Make risks visible to senior management.
     • Intelligently evaluate and determine if, what, where, when and how to invest in security.
     • Balance the business needs of an organization with the level of risk tolerance that administration is willing to endure.
     • Identify and address areas of unacceptable risk levels.
     • Have a broad understanding of every constituent’s role in maintaining information security.
     • Enforce privacy requirements.
     • Eliminate paranoid sounding people.

  9. Cybersecurity Program Essentials
     • Formal authorization
     • A set of policies, procedures and standards that can be enforced. For example:
       – Incident response
       – Data classification
     • Asset and workforce inventory and documentation
     • Analysis of the controls that protect the identified assets and the threats that can exploit them.
     • Public awareness, documented training and accountability for members of the organization.
     • Rinse and repeat.

  10. Does this deserve our attention?
     • Higher Ed is a target. Especially certain departments.
     • PII is valuable.
     • Sutton’s Law

  11. Does this deserve our attention?
     • Business/Accounting Office – What effect would misdirected direct deposit funds have on a student or employee? (Ask BU)
     • Communications – What effect does a headline grabbing breach or extended website downtime have upon institutional reputation? (Ask Rutgers)
     • Academics – What effect does the exposure of past and present identities on the internet have upon a campus? (Ask Maryland or Maricopa or UC Berkeley or …)
     • Research – Would we pay the ransom if years of research data was encrypted and held hostage? Would we lose research partners if research data was compromised? (Ask Penn State)
     • Alumni – Would a hacked database negatively impact donations? (Ask Polytechnic)
     • Health Data – How much could we be fined in the event of a HIPAA breach? (Ask Columbia)

  12. The Struggle is Real
     • Open / Collaborative Network
     • Computer Viruses
     • Bring Your Own Devices (B.Y.O.D.)
     • Computing Power
     • Decentralized Infrastructure
     • Decentralized Operations
     • Highly Valued Data
     • Waning Sympathy
     * 2017 Verizon DBIR

  13. Compliance vs. Risk: Beyond FERPA
     • Do you accept payments via credit/debit card – anywhere on campus or online?
       – Payment Card Industry Data Security Standard (PCI-DSS)
     • Do you get audited by the Department of Education’s office of Federal Student Aid?
       – Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
       – FTC Red Flags Rule
       – Dear Colleague, July 1, 2016: GLBA, NIST 800-171
     • Do you process data related to individuals living in the EU?
       – EU General Data Protection Regulation (GDPR)
     • Does your institution participate in or support research?
       – NIST 800-171 and FAR final rule for non-classified federal contractors

  14. GLBA Safeguards Rule
     • Develop, implement, and maintain a written information security program;
     • Designate the employee(s) responsible for coordinating the information security program;
     • Identify and assess risks to customer information;
     • Design and implement an information safeguards program;
     • Select appropriate service providers that are capable of maintaining appropriate safeguards; and
     • Periodically evaluate and update their security program.

  15. GDPR Primer
     • Scope
     • Lawful basis for data collection
     • Retention practices
     • Privacy Policy(ies)
     • Right to be (not) remembered
     • Organizational contacts
     • Controller vs. Processor
     • Contract language
     • Notification requirements
     • DPO → Supervisory authority

  16. Threat Trends: Phishing and Malware
     Accidental Insider
     • Phishing
     • Phishing
     • Phishing
     Ransomware
     • Money for your data!
     Smartphone Malware
     • Android / iPhone
     You can be a hacker too!
     • But don’t, it’s illegal!

  17. Threat Trends: Hardware Devices
     Cheap hardware, big payout.

  18. Attack Trends: International Exchange Fraud
     • A student is contacted via social media or instant messaging application, and is offered assistance in making cross-border payments or a favorable exchange rate.
     • The student provides the bad actor with their credentials to the University’s SIS.
     • The bad actor makes fraudulent payments using stolen credit card information.
     • The student confirms that their account has been paid, and sends their funds to the bad actor.
     • The student’s balance re-appears over the coming weeks/months as cardholders initiate disputes. The student may attempt to contact the bad actor – only to find that the account is no longer accepting messages.

  19. Attack Trends: International Exchange Fraud
     What’s been lost?
     • Public Image – Every cardholder who files a dispute will remember the name of your institution.
     • Student Image – Students talk, especially when they feel that they’ve been wronged. Your student has just had a large sum of money stolen from them, and now you’re after them to repay their student account! (You didn’t write that balance off, did you?)
     • Student data – What’s available on your SIS, and can it be used to steal the student’s identity – or worse?
       – Demographics (Addresses, Phone Numbers, Email Addresses)
       – SSN/ITIN – For those of you who are sure you don’t display this – what about your 1098-Ts?
       – Financial information (Direct Deposit)
     • Your time
       – Responding to disputes
       – Dealing with the student (Do they need late fee waivers? Registration agreements? Payment plans?)
       – Communicating with the vulnerable population
       – Digging into your logs to figure out who else has been impacted

  20. Attack Trends: International Exchange Fraud
     Solutions!
     • Communication – Students – especially international students – should know how you accept payment. International Student Services offices might be a resource here, as are certain student organizations.
     • Security Training – We train our employees not to give their credentials to others (right?) – but do your students receive similar training?
     • Monitoring – Work with your developers and information security folks to alert on potentially troubling account activity:
       – Are students suddenly logging on from countries they’ve never logged on from before?
       – Are they making payments using cards with suspicious billing addresses?
       – Are a large number of their payments suddenly declining?
     • Rapid Remediation – Do you have a mechanism in place to report compromised accounts to your IT/Security groups? Do they reset ‘everything’ – or just the one account?
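The three monitoring questions on this slide (logins from a never-before-seen country, card billing addresses that do not match the student, and a burst of declined payments) can be turned into simple detection rules that run over the SIS login and payment logs. The following is an added example written for this transcript; it is not code from the presenters or from Stony Brook’s systems. The event record layout, the `STUDENTS` address directory, the constructed sample events, and the window/threshold values are all assumptions chosen for illustration.

```python
"""Detection rules for troubling SIS account activity (added example, not the
presenters' code). All event data below is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    student_id: str
    ts: int           # seconds since epoch (constructed values)
    country: str      # country derived from the login IP, e.g. "US"


@dataclass(frozen=True)
class Payment:
    student_id: str
    ts: int
    billing_country: str   # country of the card's billing address
    declined: bool


# Assumed directory: the mailing-address country the SIS holds for each student.
STUDENTS = {"s1001": "US", "s1002": "CN"}

DECLINE_WINDOW = 3600   # seconds; assumed tuning value
DECLINE_LIMIT = 3       # declines within the window that raise an alert


def flag_new_country_logins(logins):
    """Rule 1: login from a country this student has never logged in from.

    Events are replayed in time order; the first login from a country adds it
    to that student's baseline, and any later login from a country outside the
    baseline is flagged. Real deployments would seed the baseline from history."""
    seen = defaultdict(set)
    alerts = []
    for ev in sorted(logins, key=lambda e: e.ts):
        known = seen[ev.student_id]
        if ev.country not in known and known:
            alerts.append((ev.student_id, "new-country-login", ev.country))
        known.add(ev.country)
    return alerts


def flag_billing_mismatch(payments, students=STUDENTS):
    """Rule 2: card billing country differs from the address on file.
    Students missing from the directory are flagged too (country is None)."""
    return [(p.student_id, "billing-country-mismatch", p.billing_country)
            for p in payments
            if p.billing_country != students.get(p.student_id)]


def flag_decline_bursts(payments, window=DECLINE_WINDOW, limit=DECLINE_LIMIT):
    """Rule 3: `limit` or more declines for one account within `window` seconds.
    A sliding window of decline timestamps is kept per student; each student
    is reported at most once so a long burst does not flood the alert queue."""
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for p in sorted(payments, key=lambda e: e.ts):
        if not p.declined:
            continue
        q = recent[p.student_id]
        q.append(p.ts)
        while q and p.ts - q[0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= limit and p.student_id not in fired:
            fired.add(p.student_id)
            alerts.append((p.student_id, "decline-burst", len(q)))
    return alerts


def run_rules(logins, payments):
    """Run all three rules and return the combined alert list."""
    return (flag_new_country_logins(logins)
            + flag_billing_mismatch(payments)
            + flag_decline_bursts(payments))


# Constructed sample: s1001 normally logs in from the US, then appears from a
# new country and pays with cards billed elsewhere, three of which decline.
SAMPLE_LOGINS = [
    Login("s1001", 1000, "US"),
    Login("s1001", 2000, "US"),
    Login("s1002", 2500, "CN"),
    Login("s1001", 3000, "NG"),
]
SAMPLE_PAYMENTS = [
    Payment("s1001", 3100, "US", False),
    Payment("s1001", 3200, "BR", True),
    Payment("s1001", 3300, "BR", True),
    Payment("s1001", 3400, "BR", True),
    Payment("s1002", 3500, "CN", False),
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGINS, SAMPLE_PAYMENTS):
        print(alert)
```

Each rule is deliberately independent so an office can start with the one its logs already support; the "new country" rule in particular needs a seeded history, or every returning student’s first login after a holiday abroad becomes an alert.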

  21. Attack Trends: Spyware/Malware
     • An employee receives an email (on their work account, because we never check our home email on a work machine, right?) with a link or an attachment, along with an enticing reason to click/download:
       – Please approve this transfer from your bank account
       – Your shipment is out for delivery
       – Thank you for your order!
       – Please verify your account
     • These emails may appear legitimate – from banks you deal with, companies you’ve heard of, or even from an internal group/person.
     • Employee clicks on the link or downloads the attachment.
     • PC is now infected.

  22. Attack Trends: Spyware/Malware
     What’s been lost?
     • Student Data – more than you’d think
       – Residency verification – tax returns with SSNs, leases, images of driver’s licenses
       – Payment information – Names, addresses (hopefully not CC/direct deposit details!)
       – Communications with students and parents
     • Data from other offices – Your employees work with other offices, and may have access to their data
       – Registrar – Registration data (FERPA)
       – Student Health – billing information (HIPAA)
       – Admissions – data from other institutions (FERPA again)
       – Financial Aid – FAFSA information on students and parents/guardians
       – HR – Payroll data
     • The above, but permanently
       – Is your data backed up regularly? Have you ever tested it?
       – Are the backups sitting on the same computers or servers that have just been impacted?
     • Reputation
       – Georgia Tech – Information on 1.3 million current and former students, employees, and applicants leaked
       – Grinnell, Hamilton, Oberlin – Complete admissions records offered for sale to the applicants themselves
       – Australian National University – 19 years of student and staff data

  23. Attack Trends: Spyware/Malware
     Solutions!
     • Training, Training, Training!
       – How to tell if an email/attachment is suspicious
       – Internal phishing exercises (in concert with your friendly neighborhood IT folks)
       – Are employees securely storing only the information they need? Or are they hoarding the information they might want to have some day?
     • Security review
       – Is the access granted to your employees appropriate? How about that one person who’s been with the office since day one and has held every position? How about your Senior Business Systems Analyst, who is also everybody’s backup?
       – Are your endpoints protected by antivirus that is: Running? Updated? Monitored?
     • Backups
       – Are they happening?
       – Are they happening often enough?
       – Are they happening for the right files?

  24. How can I help?
     • Do something.
     • Ask questions.
     • Think in terms of risk.
     • Manage our health.
     • Reduce risk whenever possible. For example, delete data when it is no longer useful.
     • If you see something, say something.
     • Be skeptical.
     • Assume value in all data.
     • Be a partner to your IT and security team.

  25. Safe Computing: Passwords
     Passwords on Post-it notes
     • Does IT come into your office? Do students? Electricians/painters/facilities? Cleaners?
     Password re-use
     • How many systems do you have access to?
     • How much trouble could you find yourself in when someone sees your Password Post-it note and logs in to your SIS as you?
     • Personal/Professional overlap
     Password changes
     • Your password is January, and it expires every 30 days. Guess what your password is going to be next month?
     • Can a bad guy figure it out if they find the old Password Post-it note that you threw away?
     Two-Factor Authentication
     • Why aren’t you using it?

  26. Safe Computing: Pass Phrases

  27. https://haveibeenpwned.com AWWW shucks… ☹

  28. Safe Computing: Mobile devices
     • Require a PIN to unlock. Not 1234!
     • Set auto lock timeout.
     • Encrypt the device. iPhone encrypts with the PIN by default. Android users, go play in your settings for a while.
     • Enroll in “Find my device” technology.
     • There is No Such Thing as a Free Lunch – or a safe ‘free’ hotspot!
     • If lost or stolen, report that information to leadership ASAP.
     • Talk to your IT colleagues about encrypting your laptops, external hard drives, etc.

  29. Safe Computing: Computer hygiene
     • Stop postponing those updates!
     • Lock Desktop (Windows Key + L) or Logout – even if you’re “just running to the vending machine”.
     • Report odd behavior (e.g. random reboots, mystery mouse movements, warnings from Antivirus).

  30. Matt Nappi, Assistant Vice President for InfoSec & CISO, Stony Brook University
     • matt.nappi@stonybrook.edu
     • (631) 632-4856
     • Twitter: @mattnappiciso
     • Blog: you.stonybrook.edu/matthewnappi
     Jeffrey Mackey, Sr. Business Analyst, Stony Brook University
     • jeffrey.mackey@stonybrook.edu
     • (631) 632-9583
     • Twitter: @jeffmackatron
