Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Transcription

1 Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

2 About ERM

3 About The Speaker Information Security Expert at ERM B.S. Software Engineering and Information Technology Recently Passed the CISSP Core Experience: Penetration Testing Regulatory Compliance and Standards Technical Security Assessment Social Engineering - University of Miami

4 Agenda Our Institutions Under Attack How it Works Compliance vs. Security Protecting Your Institution of Excellence

5 Money Is The Motive Tons of Sensitive Information Confidential Research Identity Theft

6 University Attacks in the News Team GhostShellclaimed credit for breaking into servers at 100 major universities from around the world Included U.S. News Top 10 universities A month ago, a large university reported that confidential files containing personal information on 72,000 people were hacked. A month ago, a major academic intution s Internet technology database was hacked and school officials made an announcement suggesting students and staff reset their passwords.

7 Types of Attacks Network Attack Physical Layer Social Engineering

8 NETWORK ATTACKS

9 DDoS Distributed Denial of Service Masters -system that is initially exploited due to a vulnerability Slaves Infected with malware distributed by the master Goal is to overload the network or a targeted application

10 Software Weaknesses SQL Injection Insertion of malicious SQL statements into an entry field Attacker attempts to dump the database contents to the attacker Zero-Day Exploits Exploits that exist in software in which patches have not yet been developed

11 BYOD (Bring-Your-Own-Device) Mobile Devices Access to sensitive information is authenticated by device Lost or Stolen Device Data Breach

12 Rouge Access Points BYOD part deux Bring your own wireless access point to campus Allow an attacker to see all traffic

13 PHYSICAL ATTACKS

14 Active Ports An attacker attempts to gain access to the wired network by testing for active Ethernet ports

15 Tailgating / Piggybacking Attempting to gain access to a secure premise through the exploitation of common courtesy or carelessness.

16 Dumpster Diving The act of searching through trash bins to discover sensitive information.

17 SOCIAL ENGINEERING

18 Social Engineering The art of manipulating people into performing actions or divulging confidential information. Relies on people s inability to keep up with a culture that relies heavily on information technology. Use your own employees to defeat your security controls and practices.

19 Social Engineering Attacks Phishing Malicious Attachment Click the link Fake Website Baiting Shoulder Surfing

20 Academic Institution Attack Scenario: Target DB Administrators and Finance AND you have 2 weeks Information Gathering: Google / LinkedIn: Name of all people in both departments Institution s Website: Lay out of entire building including desk location; Used PeopleSoft Application; s of identified staff; Dean s contact information, signature, and sample s Attack: Phishing: Crafted a spoofed pretending from the dean to the victims for a PeopleSoft training that they must take with a link to the site Fake Website: Victims entered their PeopleSoft credentials; took those credentials and logged into the institution s PeopleSoft site which happens to be externally facing.

21 Compliance vs. Security Annual grind is to become compliant with the numerous regulations Compliance and security are VERY DIFFERENT!! Implement security from the very foundation

22 Cloud Computing All about VENDOR MANAGEMENT Compliance is key Ensure that cloud computing companies comply with regulations (e.g. HIPAA, PCI, and GLBA) Compliance risk assessment

23 COUNTERMEASURES

24 Fight the DDoS Load Balancing Throttling Honeypots

25 Breach Health Check-ups Timely checkups for security breaches Bring in professionals who will analyze your network Large Organizations -> Once a quarter Smaller Organizations -> At least every six months

26 Data Assurance Data Destruction Origin of Data Data in Transit Identify and track the life cycle of information in the organization Ensure it is properly secured throughout the entire life cycle Data leakage prevention

27 Audits and Assessments Regular penetration testing Configuration assessments Patches, patches, patches!! Social Engineering Tests Physical Intrusion Tests Preventative Policies

28 Security Awareness Training

29 You re Not Alone Educause FBI College and University Security Effort (CAUSE) Multiple Tools

30 THE SECURITY OF YOUR ENTIRE INSTITUTION IS AS GOOD AS YOUR WEAKEST LINK!

31 Your go to advisors for all matters in information security. 800 S Douglas Road #940 Coral Gables, FL Phone: info@emrisk.com