UNB S CYBERSECURITY PROGRAM

Transcription

1 UNB S CYBERSECURITY PROGRAM SEPTEMBER 7, 017 A fundamental step towards an advanced cybersecurity practice at UNB was taken recently when the Board of Governors approved the Information Security Policy, which shares responsibility for the protection of UNB information across the entire UNB community. An underlying principle of the policy is that community members must do their part in securing the enterprise; further, the Information Security Policy describes the framework of roles and responsibilities for information protection, including assignment to ITS of developing and executing this cybersecurity program. 1

2 INTRODUCTION Ever since UNB was established, most of its information has been stored on paper and the primary technology used to secure it was the lock. Roles and responsibilities for securing information were relatively easy to define. A lot has changed. Now, most information is created, stored and maintained electronically, and there is a lot of it. People expect to access information any time and from anywhere in the world. In recent times, the value of information for criminal purposes has skyrocketed. Criminals work hard to obtain it, because the payback is good; they are always coming up with new methods to do their deeds. The results can be devastating. Universities across the world experience data breaches resulting in the loss of huge numbers of personal records costing reputations and sometimes millions of dollars. Intellectual property is particularly attractive, and always at high risk. Furthermore, criminals are rapidly adapting their attacks to support extortion attempts; some universities, having fallen prey to malicious takeovers of their information, have paid significant ransoms to obtain access to their own property. Various high-profile cybersecurity breaches of late at Canada s National Research Council, Carleton University, the University of Calgary, to name just a few provide a stark reminder that criminals are intent on exploiting weaknesses in cybersecurity wherever they can find them. Every week at UNB over 50 million attempts are made to find ways into our systems (akin to someone checking a door to see if it is locked, these attempts are highly automated and very, very persistent). Students, faculty, and staff succumb to phishing attempts with alarming frequency, and every month over 100 UNB-owned computers fall victim to malware and worse. Since a 01 external assessment of UNB s IT security, ITS has worked tirelessly to ensure the university has the best cybersecurity program possible. Many crucial building blocks have been put in place or are underway; we ve come a long way, and while there is more to do, the road ahead is clearer than it s ever been. This document describes the cybersecurity program, including its objectives, the framework of standards upon which it is built, plus several current and future initiatives that ensure the university is as cyber-safe and -aware as it can possibly be.

3 OBJECTIVES The cybersecurity program has several objectives: 1 Implement a robust, standards-based cybersecurity approach and practice Deploy appropriate tools throughout the technology stack to ensure a multi-layered defense 3 Support active community participation in cybersecurity through building awareness of best practices 4 Produce reasonable, coherent, and usable cybersecurity procedures and guidelines 5 Collaborate with stakeholders across the university to encourage shared oversight and to mitigate risk STANDARDS-BASED APPROACH UNB s cybersecurity framework is based on various international standards: 1 ISO/IEC 700:013, Information technology Security techniques Code of practice for information security management (International Organization for Standardization) NIST SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations (National Institute for Science and Technology) 3 COBIT5 Processes: APO13: Manage Security; DSS05: Manage Security Services (ISACA) 3

4 FRAMEWORK Governance, Risk, Compliance Education, Awareness Threat management, Incident response Architecture, Development, Tools Operations, Monitoring UNB s cybersecurity framework has five major components¹, encompassing: 1 GOVERNANCE, RISK, AND COMPLIANCE Align with UNB s governance model; foster collaboration with risk management; and ensure compliance with university policies. ARCHITECTURE, DEVELOPMENT, AND TOOLS Ensure a security by design approach to all IT initiatives 3 OPERATIONS AND MONITORING Support the basics patching, monitoring, adopting best practices, etc. and make sure they are done right 4 THREAT MANAGEMENT AND INCIDENT RESPONSE Understand the threat environment and provide appropriate incident response 5 EDUCATION AND AWARENESS Address the human factor in cybersecurity ¹ Adapted from Josi, Monika, Building a security transformation program in our new information security world, ISACA blog posting, May 1,

5 CURRENT AND COMING CYBERSECURITY INITIATIVES ALIGNED WITH UNB STRATEGY Exceptional student experience Provide robust, always-on data networks that enable discovery while protecting students and UNB A next-generation firewall (NGFW) is being implemented across UNB, replacing obsolete technology while advancing our ability to finely tune perimeter protection of our networks to allow only legitimate community members and traffic to use them. NGFW ensures stable, reliable networks that are always available, 4/7. Network access control (NAC) technology is being deployed to ensure cybersecurity rules covering who has access to what are being enforced easing the way for students and guests but preventing unauthorized users from attacking or piggybacking on our systems. New end-point protection software has been deployed across UNB to reduce virus, malware, and other incidents that plague individual users. Over the next year, UNB s wireless networks will be fully refurbished; we are adopting new technology to keep up with demand posed by ever-increasing numbers of devices connecting to our networks. The average student now brings at least 3 wi-fi connected devices to our campuses every day. Leadership in discovery, innovation, and entrepreneurship Try out new tools, contributing to their design and development ITS has a long and unique history of developing, testing, and piloting new tools to help us protect the university and its data assets. Most recently, IBM s Watson (AI) for cybersecurity was tried out. We also piloted Trend Micro s Deep Discovery, an analysis tool for hard-to-detect incidents. In both cases, feedback provided to the vendors was useful in enhancing the products. 5

6 ITS uses Q-Radar, an incident analysis tool it helped develop years ago, and which eventually was spun off, by the former UNB employees who developed it, as a separate company. We work with the vendor (now IBM) by testing enhancements and additional features, and providing feedback. Foster ideas and initiatives that advance cybersecurity beyond UNB We are currently working on a joint cybersecurity project with CANARIE, Canada s research and education network, to build a nationwide community of cybersecurity expertise and tools. We have begun to deploy Beauceron, a new product from a start-up of the same name (and built by current and former ITS staff), which will help community members protect themselves and the university by building awareness and providing timely education about cybersecurity threats and best practices in preventing incidents and breaches. Financial resilience and responsibility Reduce overall cyber-risk by deploying state-of-the-art monitoring tools and responding appropriately when threats appear A variety of monitoring tools gives ITS insight into network, equipment, and service security and performance. We monitor all aspects of IT operations, and use experience, skill, and analytical processes and tools to assist us in evaluating data and making decisions on responses quickly and appropriately. Assess periodically the university s preparedness for cybersecurity threats and events ITS has a well-defined disaster recovery and business continuity strategy and plan, which are constantly updated to reflect the ever-changing landscape of threats and technological change. We ve expanded the definition of disaster recovery to include cybersecurity incidents, and perform table-top tests to gain practice and to refine our maturing processes and procedures. 6

7 ITS has undergone several external assessments in recent years, notably threat risk assessment, and penetration and vulnerability testing. These assessments led directly to major strategic initiatives such as renovation of the main UNB data centre, construction of the Wu disaster recovery site, and hardening of all our IT infrastructure to protect it from a multitude of threats. When the current deployment of NGFW, NAC, and end-point protection is completed, we will commission another external assessment to identify any remaining gaps in our cybersecurity posture. Build a better university Develop and communicate reasonable and usable cybersecurity standards, best practices, procedures, and guidelines With the approval of the university s first Information Security Policy, the foundation is established for building out the tools the community needs to fully understand the various roles necessary for protecting UNB from cyber-threats. For example, basic guidelines for responding to cyber incidents have been formulated, along with corresponding step-by-step procedures to ensure timely and adequate actions. Many more such documents will be produced over time, ensuring community members have access to relevant, understandable resources, whether to proactively head off incidents, or to deal with them while and after they occur. Deliver community education and awareness on cyber-risk, and broadly communicate ways to reduce personal and UNB cyber-risk It has been amply and well demonstrated at UNB that effective education and awareness training greatly reduces individual risk of succumbing to phishing, attempted fraud, and outright theft of personal data. ITS continues to conduct simulated phishing attempts aimed at staff and faculty to ensure they don t become complacent and ease up on cyber threat vigilance. In addition, targeted presentations to groups and committees ensure cybersecurity remains top-of-mind throughout the university, from senior management and the Board, to faculty councils, to student bodies and clubs. 7

8 Build a better province Protect the provincial research and education network As the operator of the New Brunswick research and education data network, on behalf of the NB/PEI Educational Computer Network (ECN), ITS is responsible for ensuring the network meets performance, financial, and cybersecurity expectations and standards. The NGFW being deployed at UNB is also being implemented across the R&E network, equipping it with state-of-the-art protection and tools. Collaborate with other IT services across the public and private sectors ITS has a rich history of collaboration with others on IT projects and initiatives; cybersecurity presents many oppportunties for continuing this highly-valued tradition. For years, ECN has procured anti-virus and anti-spam solutions; the latest consortium-wide procurements include endpoint protection and the NGFW mentioned above. All of these are led and managed by ITS. Further, ITS is fully engaged with its ECN partners in seeking out projects that will benefit all or most with lower costs and ease of management. For example, the forthcoming UNB cybersecurity assessment is part of a larger initiative in which all of the ECN institutions will have similar assessments done, with results to be shared to the benefit of all. 8

9 RESOURCES Effective cybersecurity requires highly specialized skills, equipment, and tools, along with appropriate organization and management. To ensure UNB is well protected, a number of groups and positions participate in the cybersecurity program. Goveranance The Enterprise Systems and Services Governance committee, chaired by the Vice President Administration and Finance, ensures that UNB has appropriate strategies and resources in place to provide the most secure but flexible IT environment possible to the community. A steering committee, reporting to ESSG, will be set up. Once operating, this steering committee will provide strategic guidance for the cybersecurity program, and with other ESSG members will encourage the entire UNB community to participate in cybersecurity education and awareness through personal engagement with community members, sponsor activities such as simulated phishing campaigns, and lead by example by trying out and adopting common cybersecurity best practices and tools. Management The Security Operations Committee (SOC) reports to the AVP, ITS, and is accountable for deploying resources to protect the university; monitoring the effectiveness of various tools used to provide robust protection across UNB; and responding to incidents as needed. Membership is comprised of: Director of IT Operations Director of IT Architecture Manager of Technical Operations Manager of Service Operations Senior Cybersecurity Officer Network Services Manager (Saint John) AVP, ITS (ex officio) 9

10 Operations Day-to-day cybersecurity monitoring, analysis, and response are distributed among positions both within and external to ITS. Systems and network analysts monitor tools like Q-Radar to keep informed of potential and real threats occurring at any given time affecting UNB IT infrastructure; when issues arise they either respond directly or escalate them to SOC. The Desktop Management Group, along with the entire Level 1 community across UNB, deal with issues affecting desktops, laptops, and other devices. In the future, much of this activity will be coordinated by the Senior Cybersecurity Officer, who will provide a single-point-of-contact for many cybersecurity issues. Training and Awareness The Senior Cybersecurity Officer will also be responsible for extending and sustaining current and future training and awareness about cybersecurity across UNB. This includes phishing simulations, presentations to governance, management, and staff and students groups on all campuses, and online resources in support of cybersecurity initiatives. 10