New Jersey Association of School Business Officials
Information Security K-12
June 5, 2014

Agenda
- Introduction
- K-12 Technology Trends
- Case Study (A Cautionary Tale)
- What Constitutes a Data Breach
- Data Breach Trends
- Types of Data Compromised
- Assessing Information Security and Technology Risk
- Additional Technical Security Testing
- Achieving and Maintaining an Information Security Function
- Protecting Student and Employee Data
- Procurement
- Questions and Answers
With You Today

Andrew Cannata, Partner, Sunera LLC. Andrew has overall responsibility for Sunera's Information Security Practice. He has more than twenty years of information technology and security experience, having worked at the senior management level within Big Four, defense and private sector organizations. Prior to Sunera, Andrew was a Senior Manager with KPMG's Information Risk Management practice. Prior to joining KPMG, Andrew led one of the largest Department of Defense Information Assurance Programs for the United States Special Operations Command (USSOCOM). Andrew is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and a Payment Card Industry Qualified Security Assessor (QSA).

David Gannon, Partner, Wiss and Company LLP. David has more than 16 years of experience serving the public and not-for-profit sectors. His experience includes providing accounting and auditing services to public school systems, municipalities, local authorities, state authorities, state departments, not-for-profit organizations, New York City agencies, and higher education. David has provided services to public sector entities with budgets of $1 million to $3 billion and with assets exceeding $7 billion. Specialties: Public Sector and Not-for-Profit Accounting and Auditing; Government Auditing Standards; OMB Circular A-133; NJ OMB Circular 04-04XXX.
K-12 Technology Trends: What do we See?
- Changing service models for infrastructure and applications
- Changing IT organizational structures
- IT governance
- Online, hybrid and collaborative learning
- Bring Your Own Device (BYOD)
- Personalized Learning Environments (PLEs)
- One-to-One (student-to-computer ratio)
- Digital curriculum
- Big Data
- Cloud computing
- Game-based learning

K-12 Technology Trends: What is Missing?
- Information security is frequently overlooked and underfunded
- Some constraints:
  - Lack of internal subject matter expertise
  - Lean staffing
  - Student population growth
  - Conflicting priorities
  - Great Recession and associated funding constraints
  - Evolving technology trends
- Key results:
  - Many K-12 environments have not been designed to protect sensitive data
  - Organizations have been breached but do not even realize it

A Cautionary Tale
- Background: we were engaged by a K-12 school district to perform an external and internal vulnerability assessment.
- What we found:
  - Systems had been compromised by an Armenian hacker group
  - Mid-engagement, a second hacker group from Algeria took control of the same systems
  - The compromised systems permitted secondary access to student information systems
- What went wrong (i.e. root cause analysis)?
  - Low maturity in terms of information security function and posture
  - Due to lack of segmentation, student information systems were accessible externally (from the Internet)
  - Lack of system patching, insecure system and firewall configurations
  - Limited audit logging, monitoring, and incident response: no one knew they had been compromised, and if they had known, they would not have been able to respond appropriately
What Constitutes a Data Breach?
- As we just discussed, a malicious attacker compromising an organization's technical infrastructure
- But what else?
  - Lost or stolen hardware
  - Backup tapes lost in transit
  - Employees stealing information or allowing access to information
  - Poor practices (e.g. mishandling of sensitive information)
  - Careless disposal of information (that may be retrieved via dumpster diving)
  - Malware

Data Breach Trends [1]
- Who caused the breach?
  - 92% resulted from external sources
  - 19% tied to state-affiliated groups
  - 14% caused by insiders
  - 1% implicated business partners
- Mechanism of the breach?
  - 76% exploited weak or stolen credentials
  - 52% due to hacking
  - 40% incorporated malware
  - 35% were via physical attacks
  - 29% employed social tactics
  - 13% involved misuse of privileged access
- "All in all, 2012 reminded us that breaches are a multi-faceted problem, and any one-dimensional attempt to describe them fails to adequately capture their complexity."
[1] Verizon, 2013 Data Breach Investigations Report

Data Breach Trends
(Charts: "Who caused the breach?" and "Mechanism of the breach?"; source: Verizon, 2014 Data Breach Investigations Report)

Types of Data Compromised [1]
Variety                                                  Breaches
Payment card numbers / data                              61%
Authentication credentials (usernames, pwds, etc.)       38%
Sensitive organizational data (reports, plans, etc.)     24%
System information (config, svcs, sw, etc.)              20%
Trade secrets                                            20%
Personal information (name, SSN, Addr., etc.)            10%
Bank account numbers / data                              6%
Unknown (specific type is not known)                     6%
Copyrighted / Trademark material                         1%
Classified information                                   <1%
Medical records                                          <1%
[1] Verizon, 2013 Data Breach Investigations Report
Assessing Information Security Risk - Program Level
Objective: To ensure that existing and emerging risks are appropriately addressed through a comprehensive information security program.
Considerations:
- Organizational structure responsible for information security management
- Skill set(s) utilized to manage and execute the program
- Current scope of the program and methods used to validate scope
- Processes for identifying emerging risks
- Techniques for assessing risk and remediation priorities
- Process for tracking required program updates from identification through resolution

Assessing Information Security Risk - Detailed Considerations
Objective: To ensure the operational effectiveness of the technical and procedural mechanisms in place to address IT security related risks to the District's environment.
- Risk Management and Assessment Processes
  - Frameworks used (e.g., ISO 27005, NIST SP 800-30, OCTAVE)
  - Frequency of risk assessments
  - Participants contributing to and approving the results
  - Tracking and remediation of residual risk
- Compliance Management
  - Identification and tracking of compliance requirements and industry frameworks (e.g., PCI and ISO 27001)
  - Involvement of key departments in compliance management (e.g., Legal and HR)
- Vulnerability Management
  - Types of technical security testing performed
  - Frequency of technical security testing
  - Tools and manual techniques utilized
  - Tracking and remediation of issues
- Data Loss Prevention
  - Technology utilized
  - Processes followed
  - Review, tracking and remediation of issues

Assessing Information Security Risk - Detailed Considerations (Cont.)
- Data Encryption
  - Technology utilized
  - Scope of data included
  - Procedures for key management
- Secure System Development, Developer Skill Sets and Training
  - Audience included in training
  - Frequency of training
  - Quality and content of training
  - Embedded security gates in the SDLC
  - Integration with vulnerability management processes
- Configuration Management
  - Use of documented baselines
  - Integration with change management
- Anti-virus Management
  - Technology utilized
  - Frequency and nature of monitoring and/or reviews
  - Configuration management
  - Frequency of updates and scans
- Patch Management
  - Technology utilized
  - Technology and procedures for logging and reporting
  - Procedures for monitoring and resolution
  - Risk-based threat assessment processes
  - Frequency and timeliness of implementation

Assessing Information Security Risk - Detailed Considerations (Cont.)
- Logical Access to Systems and Data and Identity Management
  - Authentication
  - Authorization
  - Policies and procedures for provisioning
  - Policies and procedures for decommissioning
- Audit Logging
  - Technology utilized
  - Completeness of scope
  - Monitoring and review processes
- Incident Identification and Response
  - Methodology and framework
  - Frequency of testing
  - Training of participants
- Security Awareness Training
  - Scope and content
  - Audience to receive training
  - Delivery mechanism
- Data Classification
  - Methodology utilized
  - Accuracy and completeness of scope
  - Effectiveness of communication
  - Completeness and effectiveness of implementation
- Third Party Management and Due Diligence
  - Procedures for compliance monitoring and resolution
  - Evaluation framework
  - Consistency and completeness of implementation
Additional Technical Security Testing
- Analyze local and wide area networks and infrastructure implementation for security and continuity considerations.
- External and Internal Penetration Testing and/or Vulnerability Assessment
  - Evaluate all internally and externally facing IP addresses
  - Perform automated scans to identify poor or improper configurations, software flaws, or operational weaknesses
  - Leverage manual and automated techniques to exploit vulnerabilities and provide a proof of concept regarding the risk of data exposure
- Test wireless design, implementation and configuration.

Identification of Scope: Where is your Sensitive Data?
- Critical to achieving and maintaining data security
- Manual methods (necessary)
  - Interviews with business process owners and IT
  - Identifies manual and automated business processes and systems that store, process or transmit sensitive data
  - Questionnaires are a useful tool in this process
- Automated methods (supplemental)
  - Automated scanning of potential locations of sensitive data
  - Identifies potential electronic storage locations of sensitive data
  - Freeware and custom scripting are available options
  - Limitations: some file types, such as images and PDF formats, cannot be searched by plain textual pattern matching; binary files require more sophisticated techniques such as Optical Character Recognition (OCR)
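The "custom scripting" option above, as an added example that is not from the presentation: a small discovery script that pattern-matches text files for SSN- and payment-card-like values, validates the matches to cut false positives, and sets aside PDFs and images that need OCR rather than silently reporting them as clean. File names, suffix lists and the sample corpus are constructed for illustration.

```python
import re
from pathlib import Path

# Suffixes we can pattern-match directly, versus formats that need OCR
# (constructed lists; extend for a real file share).
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".sql"}
OCR_SUFFIXES = {".pdf", ".png", ".jpg", ".jpeg", ".tif", ".tiff"}

# Loose regexes deliberately over-match; the validators below cut the noise.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, spaces/dashes allowed

def plausible_ssn(s: str) -> bool:
    """Reject area/group/serial values never issued by the SSA."""
    area, group, serial = s.split("-")
    return (area not in {"000", "666"} and not area.startswith("9")
            and group != "00" and serial != "0000")

def luhn_ok(s: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count validated SSN and card matches in one text blob."""
    return {"ssn": sum(1 for m in SSN_RE.findall(text) if plausible_ssn(m)),
            "card": sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))}

def scan_files(files: dict) -> dict:
    """files maps path -> bytes. Returns findings plus the files that pattern
    matching alone cannot inspect (the OCR limitation noted on the slide)."""
    report = {"findings": {}, "needs_ocr": [], "skipped": []}
    for path, data in files.items():
        suffix = Path(path).suffix.lower()
        if suffix in OCR_SUFFIXES:
            report["needs_ocr"].append(path)
        elif suffix in TEXT_SUFFIXES:
            hits = scan_text(data.decode("utf-8", errors="replace"))
            if any(hits.values()):
                report["findings"][path] = hits
        else:
            report["skipped"].append(path)     # other binaries: flag, don't guess
    return report

def scan_tree(root: str) -> dict:
    """Walk a real directory and feed every regular file to scan_files()."""
    paths = [p for p in Path(root).rglob("*") if p.is_file()]
    return scan_files({str(p): p.read_bytes() for p in paths})

# Constructed sample corpus (not real data); the card number is a test value.
SAMPLE_FILES = {
    "share/export.csv": b"id,name,ssn\n1,A. Student,123-45-6789\n2,B. Staff,000-12-3456\n",
    "share/notes.txt": b"card on file 4111 1111 1111 1111, ticket 1234-5678-9012\n",
    "share/scan.pdf": b"%PDF-1.4 ...",
    "share/app.exe": b"MZ...",
}
```

Run `scan_tree("/path/to/share")` against a real file share; the `needs_ocr` list is the part of scope the text scan could not cover and still has to be handled by interviews or an OCR pass.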
Keys to Achieving and Maintaining an InfoSec Program
- Executive management support and prioritization
- Assignment of a program lead
  - Dedicated resource
  - May be within Information Security, Internal Audit or IT
- Clearly defined control owners with responsibility
  - Identify who performs the action and who is responsible for oversight, if applicable
- Administrative calendar
  - Periodic, recurring tasks, e.g. bi-annual firewall reviews, annual risk assessment, annual (internal and external) penetration testing, quarterly scans, quarterly wireless analysis
  - Many organizations use an existing help desk ticketing system
- Periodic controls monitoring
  - Identifies potential issues before they result in control failure

Protecting Your Student and Employee Data
- Third-party partners: are your partners secure?
- Data transmission processes (fax, mail, email, phone, etc.)
- Secure storage
- Network segmentation
- Identity and access management
- Data retention
- Encryption
- Mobile technologies
- Consistent social media policy

Procurement: IT Security Review
Overview of Local Public Contracts Law:
- Professional Service
- Extraordinary Unspecifiable Service
- Competitive Contracting

Professional Service: Professional services are services rendered or performed by a person authorized by law to practice a recognized profession, whose practice is regulated by law, and the performance of which services requires knowledge of an advanced type in a field of learning acquired by a prolonged formal course of specialized instruction and study as distinguished from general academic instruction or apprenticeship and training. Whether a contract could be awarded under this option is dependent upon the company proposing to perform the engagement. Key question to ask: are they regulated by law?

Procurement: IT Security Review
Extraordinary Unspecifiable Service: Extraordinary unspecifiable services are services that are specialized and qualitative in nature requiring expertise, extensive training and proven reputation in the field of endeavor. Keys to awarding a contract under this provision:
- The need for expertise, extensive training and proven reputation in the field of endeavor must be critical and essential to the project, and not merely a desire to have a reliable job performed.
- The services must be of such a qualitative nature that the performance of the services cannot be reasonably described by written specifications.

Procurement: IT Security Review
Competitive Contracting: Competitive contracting means the method described in sections 1 through 5 of P.L.1999, c.440 (C.18A:18A-4.1 thru 18A:18A-4.5) of contracting for specialized goods and services in which formal proposals are solicited from vendors; formal proposals are evaluated by the purchasing agent or counsel or administrator; and the governing body awards a contract to a vendor or vendors from among the formal proposals received. May be used under the following provisions:
- At the option of the governing body of the contracting unit, any good or service that is exempt from bidding pursuant to section 5 of P.L.1971, c.198 (C.18A:18A-5).
- The operation, management or administration of other services, with the approval of the Director of the Division of Local Government Services.
Questions?