Page 1: Discussion on… A CIO’s Perspective on Information Security ...

SEAS Cybersecurity Awareness Day

Discussion on…

A CIO’s Perspective on Information Security

Steve King

Interim Executive Director for Computing@SEAS

October 17, 2012

Page 2

Table of Contents

After Lunch Perspectives
• YouTube and Vimeo (page 3)
• Dilbert and Blogs (page 5)

The Role of the CIO in Information Security
• Blanket (page 9)
• Balance (page 14)
• Teamwork (page 18)
• Case Studies (page 22)

Practical Steps for Improvement at SEAS (page 27)

Page 3

Vimeo

https://vimeo.com/47189352 - ITSM Weekly - ***

https://vimeo.com/47189353 - ITSM Weekly - **

Page 4

YouTube – a leading security guru: Bruce Schneier from BT

http://www.youtube.com/watch?v=dy4VJP-lZpA – Identification & I.D. Security

Three favorite quotes:

1. If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
2. There are two types of encryption: one that will prevent your sister from reading your diary and one that will prevent your government.
3. Think of your existing power as the exponent in an equation that determines the value of information. The more power you have, the more additional power you derive from the new data.

Page 5

Newest

Page 6

Popularity

Page 7

Rating

Page 8

Blogs

Page 9

Blanket

Page 10

Blanket – Four Pillars of Information Security

• Physical Security
• Network Security
• Logical (host and client) Security
• Procedures

Source: Lansing Business Monthly: 10_15_12

Page 11

Blanket – Range of Computing@SEAS Services

Page 12

Blanket – Information Security is a Journey, not a Destination

Keys

Proxy Servers

Encryption

Secure File Transfers

Page 13

Information Security Definition from Wikipedia

Page 14

Balance - Information Security Model from Wikipedia

Source: Wikipedia

Page 15

Balance – IS Risks vs. IS Spend/Investments

Risks – “security as the state of being free of fear and anxiety”; e.g. Linus

Costs: IS needs to be a discipline, also balancing due care and due diligence

Page 16

Balance – Organization Checks and Directions

• Peer organizations here at SEAS
• Strong alignment with HUIT, for both organizations
• Alliances and partnerships with vendors and associations and higher ed groups
• IS role expanding; analogy to Iron Mountain: CSO vs. CRO vs. CCO vs. CPO
• Need to evaluate and use enterprise application (e.g., GRC)

Page 17

Balance – IS and Computing Activities

Page 18

Teamwork – Cyber Security & Incident Response Team

High priority events are those that meet one or more of the following criteria:
• Disrupts a production service or system maintained by SEAS Computing
• Affects a large number of accounts or systems
• Grants access to confidential or HRCI data
• Causes a severe business impact
• Remotely exploitable vulnerability with privilege escalation

Medium priority events are those that meet one or more of the following criteria:
• Affects services or systems maintained by SEAS Computing
• Affects only individual accounts rather than granting systemic access
• Grants access to development or testing data
• Locally exploitable vulnerability with privilege escalation

Low priority events are those that meet one or more of the following criteria:
• Affects individual laptops and desktops
• Affects services or systems not maintained by SEAS Computing

Priority | Time to first response | Remediation target¹
High | 1 business day (BD) | 2 BD
Medium | 2 BD | 4 BD
Low | 5 BD | Best effort

¹ Remediation entails one of the following categories: Repair, Rebuild and Notify
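As an added illustration (not part of the slides), the priority criteria and response targets above expressed as a small Python triage helper; the event fields, the 50-account threshold for "large number" and the Mon-Fri business-day calendar are this example's assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed event record; field names are this example's own, not the SEAS tracker's schema.
@dataclass
class SecurityEvent:
    summary: str
    seas_maintained: bool = False           # service/system maintained by SEAS Computing
    production_disrupted: bool = False
    accounts_affected: int = 0
    data_class: str = "none"                # "confidential", "hrci", "devtest" or "none"
    severe_business_impact: bool = False
    privesc_exposure: Optional[str] = None  # "remote", "local" or None

LARGE_ACCOUNT_THRESHOLD = 50  # assumption: the slide does not quantify "large number"
# (time to first response, remediation target) in business days; None = best effort
TARGETS = {"High": (1, 2), "Medium": (2, 4), "Low": (5, None)}

def classify(ev: SecurityEvent) -> str:
    """Apply the slide's criteria; the highest matching priority wins."""
    if (ev.seas_maintained and ev.production_disrupted
            or ev.accounts_affected >= LARGE_ACCOUNT_THRESHOLD
            or ev.data_class in ("confidential", "hrci")
            or ev.severe_business_impact
            or ev.privesc_exposure == "remote"):
        return "High"
    if (ev.seas_maintained or ev.accounts_affected > 0
            or ev.data_class == "devtest" or ev.privesc_exposure == "local"):
        return "Medium"
    return "Low"  # individual endpoints and non-SEAS systems: the complement of the above

def add_business_days(start: date, n: int) -> date:
    """Advance n Mon-Fri business days; holidays are ignored in this example."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def triage(ev: SecurityEvent, opened: date):
    """Return (priority, first-response due date, remediation due date or None)."""
    prio = classify(ev)
    first, remed = TARGETS[prio]
    remed_due = add_business_days(opened, remed) if remed is not None else None
    return prio, add_business_days(opened, first), remed_due
```

The three event types the deck lists as most common (infected computers, vulnerable websites, software currency) map onto these fields directly, and a ticket opened on a Friday has its business-day targets pushed past the weekend.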

Page 19

Teamwork – Security Operations

• Weekly meeting on Wednesdays at 2pm
• Triage role which rotates and communicates regularly with ISO
• “Event” driven – tracking system and documentation wiki
• [email protected]
• Most common events in 1Q FY13
– Infected computers
– Vulnerable websites
– Host software currency (or lack thereof)

Page 20

Teamwork – Quarterly Joint Project Objectives

• 2Q FY13 Priorities:
– “Admin” Active Directory Retirement
– AirWatch MDM
– Secunia CSI
– Quest Password Self-Service
– Desktop Banner

• 2013 Backlog: Stealth Audit, Web Application Firewalls, Identity Finder, …

Page 21

Teamwork – Certifications, Memberships, and Reporting

CSA

IANS

CISSP

Metrics

Page 22

Case Study 1: SEAS Identity Consolidation

• Admin domain, seas domain, nis
• Hard to tell if someone is trying to impersonate you or break your password
• Hard to keep passwords in sync
• Hard to make sure services are revoked when someone leaves the school

Page 23

Case Study 1: SEAS Identity Consolidation

• Check how you connect to network file shares (vfiler0, vfiler1)

• If you use windows, check how you log in to your desktop or laptop

How can I help?

Page 24

Case Study 1: SEAS Identity Consolidation

• Computing@SEAS can deliver a self service password reset tool (answer security questions to reset your own password without a support call)

• Step toward identity integration between schools at Harvard

What’s in it for me?

Page 25

Case Study 2: Secure Remote Desktops

• Remote Desktops for Courses and Research
– Because it provides shell access, requires stronger identity assurance
– Approach: NX using SSH keys and user password
– Dedicated SSH keys per user for connections, provides secure transport and initial connections
– User passwords grant access to your account once connected to system
– Poor man’s two-factor

Page 26

Case Study 3: Refactored Data & Networking paradigms for academic work

• Old model: living on the edge
– build a desktop or web server machine, put it on the internet, and login remotely via SSH+password – fodder for script kiddies

• New model: behind closed doors
– locate these client machines on dedicated networks for users, and provide firewalled internet access or VPN connections – warm fuzzy feelings of security

• Future model: living in the cloud
– Your data follows you securely across the network and internet, and your server spins up or down only when you need it, on demand. Your laptop/iPad/mobile device stays with you on secured networks.

Page 27

Practical Steps for Improvement at SEAS

Recommendations from Executive Director for Computing

I. Begin to use and build the SmartCard ID for proximity access, Charlie and parking Metercard and bicycle rental integration
II. Strengthen our password management policies and require periodic change
III. Introduce second factor authentication in network access
IV. Accelerate SEAS moves to IAM and HUIT shared services
V. Implement new activity, reporting and compliance system
