Information UH Today"

Transcription

1 Information UH Today" Thursday, November 29, 2012" Jodi Ito" Information Security Officer" jodi@hawaii.edu" (808) " Michael Hodges, ITS Identity & Access Management (IAM) Group" mhodges@hawaii.edu

2 Happy Holidays!"

3 Upcoming Events" Current Threats" Agenda" UH Information Security Program" Protecting UH (& your own) Assets" ITS-initiated Security Projects" Open discussion on security issues/ concerns"

4 UH Infosec Team" Jodi Ito: Deanna Pasternak: Taylor Summers: Team address: "

5 Information Security Resources" Password Guidelines" Encryption" Secure Deletion of Electronic Files" UH Policies & Procedures, etc."

6 Upcoming Events" Calendar: " " FBI Cyber Security Presentation: " "DAD Cyber Division, James Burrell" "Dec. 10, 11:30 12:30 HITS (register at: kuhi.its.hawaii.edu/training/ under IT Security )" EDUCAUSE Student Video & Poster contest" "

7 Recent Cyber Events" h"p://

8 h"p://securitywatch.pcmag.com/none/ south- carolina- data- breach- exposes- ssn

9 h"p://openchannel.nbcnews.com/_news/2012/11/20/ one- - exposes- millions- of- people- to- data- thei- in- south- carolina- cybera"ack?lite

10 SC Public Incident Report" Contracted with Mandiant" h"p://governor.sc.gov/documents/mandiant %20Public%20IR%20Report%20- %20Department %20of%20Revenue%20- %2011%2020% pdf

11 Top 10 Govt. Breaches" /10-top-government-databreaches-of-2012.html"

12 Epic Hack" apple-amazon-mat-honan-hacking/all/" Google account compromised/deleted" Twitter account compromised" Apple ID compromised hackers erased ALL iphone, ipad, MacBook data" WHY? Accounts were linked together & weak vetting of identity for password reset"

13 Current Threats" Phishing s targeted at UH Community" 19 reported since Sept. 2012" Over 100 compromised accounts this year" Malware (viruses, spyware, botnets, etc.)" Open network environment" Insecure handling of sensitive information" Having data when no longer needed" Data not protected adequately" Systems with sensitive information not protected adequately " People not aware of responsibilities & threats"

14 Cloud " Cloud computing, Cloud storage, Cloud security" SaaS, IaaS, PaaS " SaaS: Google Apps, Microsoft Office 365" IaaS: cloud storage, cloud security" PaaS: developer s platform (compilers/ interpreters/scripting)" Pluses: cost-effective, uses less resources, lower maintenance cost, CONVENIENCE!

15 Cloud Considerations" IT S ALL ABOUT THE DATA!! Is the data sensitive? Intellectual Property?" Is it protected by laws and regulations?" HIPAA, FERPA, NISPOM, FISMA, PCI DSS, etc." If you can encrypt, can you maintain control over encryption keys?" Contract language? Who s responsible for cost and notification if there is a breach?" What happens if there is an outage or loss? (Impact considerations)" What happens if service fails OPEN?"

16 Physical Security" Increased theft of Apple computers on campuses" For UH computers: " "Stolen computer + unencrypted sensitive information = BREACH! Physical device security: " " Laptop Security Strategies: " "

17 UH Information Security Program" Designed to mitigate risks of exposure by:" Information Security Risk Assessments" Survey of repositories of sensitive information" Survey of servers including scanning for sensitive information & vulnerabilities" Mandatory training" Implementation of technical controls including requiring stronger passwords, identity & access management, implementation of network security technologies, stronger network policies "

18 Protecting UH Assets" Protecting Sensitive Information at UH:" " Searching for sensitive information:" University owned machines: use Identity Finder ( Personal machines: use free Identity Finder ( IdentityFinder/Free)"

19 Secure Computers" Use Anti-virus and update frequently" Check for (and install) operating system and application updates monthly" Encrypt files that contain sensitive information" Securely delete files that contain sensitive information when no longer required! Key consideration: required vs. convenience " Backup your files (& test your backups)"

20 Safe Computing Practices" Do NOT respond to phishing s" Do NOT give out your personal information in response to unsolicited requests" Protect your password" Use strong passwords for sensitive accounts" Do NOT click links in pop up windows that tell you your computer is infected (it could be rogue antivirus)" Visit/use legitimate web sites"

21 ITS Security Initiatives" Mandatory information security training" Information Security Risk Assessments" Find & remediate repositories of sensitive information" Implement network security technologies" Update policies to reflect current technologies/threats/risks" Enterprise license: Oracle Advanced Security" Develop technology infrastructure to automate as much as possible"

22 Michael Hodges, ITS Identity and Access Management (IAM) Group" TOPICS ACER Acknowledgements and Cer4fica4ons Planning for Federated Iden4ty Management IAM and the UH Applica4on Development Community Enterprise Deprovisioning

23 ACER and ACER/SECE " ACER, Acknowledgements and CERtifications" SECE, Student Employment and Cooperative Education, on-line application integrated with ACER as of 10/26. New SECE features:" Student job listings now can be associated with access to sensitive information, requiring a GCN, General Confidentiality Notice" Student GCN acceptance can be confirmed." ACER 1.0 has been in production since 03/2012" Specifications for ACER 2.0 have been prepared, but if we build it will it get used?"

24 Tentative ACER 2.0 Specs" Require specific groups (by EAC) to perform specific Acknowledgements and Certifications." Provide Personnel Officers (POs) with reports on who has and hasn't done their Acknowledgement or Certification." Provide POs with the history of previous acceptance of Acknowledgements and Certifications." Automate annual and biennial renewal reminders for initial and renewal of compliance." These 2.0 feature requests suggest that UH should develop a single set of standards for the administration of acknowledgements and certifications. Standardize:" Life span of certs and acks so that we can implement a simple remember schedule" Reminder schedule for notifications" Retention policy for historic information"

25 Planning for Federated IdM" Topics:" UH does Shibboleth, a Federated IdM solution" NSTIC, National Strategy for Trusted Identities in Cyberspace" IdM (online) Iden4ty Management

26 Planning for Federated IdM" UH does Shibboleth, a Federated IdM solution" Google@UH, InCommon, California Digital Library, EDUCAUSE, Internet2, Research.com, TeraGrid" And very soon *all* Service Providers (SPs) categorized as Research and Scholarship will automatically be included." Candidates for the R&S Category are low-risk services that support research and scholarship as an essential component. For example, a service providing tools for both multi-institutional research collaboration and instruction is eligible as a candidate for the R&S Category"

27 Planning for Federated IdM" NSTIC, National Strategy for Trusted Identities in Cyberspace" The Federal Government and the White House are strong advocates for cyberspace security, and IdM is a crucial component. " IdM implies Levels of Assurance; involves vetting identity info and establishing Bronze or Silver levels of assurance. " Federated IdM to Research.com, etc to require Bronze; implication: UH must implement 2-factor authentication." Bronze impacts our password practices; implication: UH must implement 2-factor authentication." Silver requires extra identity and address vetting procedures; implication: UH must augment existing credentialing processes. ITS to pilot initially; long term, POs and/or Campus Id Reps processes to expand."

28 IAM and the UH App Developer Community, Tools" Active Directory for Authentication" A cost-based service available to campuses." Still under development." UH Web Login 3.0 (CAS) for Authentication" Application registration will be required" UH Web Login 2.0 scheduled for retirement no later than end of 2014." Direct application (Special DN) access to LDAP also in the cross-hairs."

29 IAM and the UH App Developer Community, Tools" ACER for developers, supports Authorizations" Check to make sure the GCN is done, for example" UH Message Broker" Application developers can step into the world of messaging."

30 IAM and the UH App Developer Community, Tools" UHIMS Events" Applications can be notified of UH Username changes, UH Number changes, appointment terminations, etc." UH Applications Developers LISTSERV list" For developers and IT Managers" Nearly 140 participants" Web-enabled, searchable archives of past discussions" Announcements, questions, discussions"

31 Enterprise Deprovisioning" Applications can be informed and automatically adjust an individual s application authorization." Applications can respond to emergency deprovisioning events, aka emergency terminations." The technology is documented and developers are aware of the possibilities. " IAM group will be working to get the message out to the developer community."

32 Resources" Overview of Identity and Access Management (IAM) at UH" < UH Federation with InCommon Service Providers" < UH Applications Developers forum" < Enterprise Deprovisioning (UHIMS Events)" < ACER Acknowledgements and Certifications" <

33 Open Discussion & Questions" Thank you!!