Baseline Security Strategy. January 17, 2013

Transcription

1 Baseline Security Strategy January 17, 2013

2 Risk Continuum (Lowest Highest) Copyright Violation/ HEOA Unauthorized Network Access Unauthorized Access to Restricted Data Failure to Comply with PCI standards Failure to Adhere to FISMA/HIPAA Standards Risks: If students Illegally download materials (music, documents, etc.) there is a risk of prosecution, and loss of access to UW network. There is also a risk of UW losing financial aid funding Risks: If hackers access the network through servers, printers, computers, web applications, etc., there is a risk is the loss of intellectual property, and malfeasance. Risks: If hackers access restricted data (SSN, Credit Cards, etc.), there are risks of legal fees, reputation, and financial costs of remediation Risks: Not properly securing credit card data and processes, may result in fines ($25k per day) and a diminished reputation Risks: Not adhering to FISMA/HIPAA requirements may result in loss of grant award, grant continuation, and research reputation

3 Successful hacker attacks at UW- Madison (Note: Our firewalls stop 10s of thousands attacks daily)

4 Threats Human/Software Incompetence Insider Malfeasance Private Public Higher Common Sector Vulnerabilities Sector Education Medical Centers 19% 29% 31% 14% 12% 6% 2% 10% Outside Hackers 20% 8% 30% 3% Theft Laptop/ Computer 44% 51% 36% 70% Unknown 5% 6% 1% 3% Source: Data through January 2011 * Columns that don t add up to 100% are due to rounding errors

5 How are we addressing the threats? 1. Unauthorized Network Access: apply security baseline A/V, Patch Management, Data Search, Firewall Monitor the above controls for security issues 2. Restricted data, PCI and FISMA: apply appropriate security controls 3. Training, Assessments and Consulting

6 Why do we need a Baseline Security Strategy? 1. To address common security threats 2. To focus organizational commitment, support, and efforts 3. To leverage campus resources 4. Common objective: create 2-3 year plan that identifies resources, time line and milestones for meeting a baseline

7 Essential Baseline Security 1- Vulnerable Data Find It! 2 -If not needed Delete It! 3 - If needed Protect It!

8 Baseline Controls Anti- Virus Firewalls Patches Secunia (Eliminate Vulnerabilities) Identify Finder Baseline Security Review / Assessment

9 Why Conduct a Baseline Security Review & Assessment? 1. Provides comparable data across campus Establishes a starting point for metrics and assessment of resources required to close the gaps 2. Provides a consistent approach and methodology Leverages expertise and ability to learn from each other

10 Why Identify Finder? 1. Why use Identity Finder? Identify Finder has proven to be effective for finding and deleting restricted data; minimizes the impact Analysis of root causes of campus security breaches consistently shows Identify Finder was not in-place UW-Madison already has a site license Once setup, it runs automatically and is easy to use 2. What about false positives? Identify Finder can learn false positives Assistance available from CIO office to identify false positives

11 Why Secunia? In every incident on campus, investigations have found the machine has had outstanding security updates (patches) that were not applied. The benefit is that Secunia (Patch Monitoring Software) can tell you if your machines are vulnerable to outside attackers. A side benefit is that it provides a software inventory of your systems.

12 Where are we Vulnerable? Lower Risk Mid-Level Risk Higher Risk Organizational Characteristics: Centralized IT Leadership, Small to Mid-Sized Units Organizational Characteristics: Mid-size; Some Centralization of IT Organizational Characteristics: Large Decentralized Units Why Lower Risk? Significant progress has been made in implementing baseline tools and processes Why Mid-Risk? Baseline tools and processes moderately harder to deploy and monitor Why Higher Risk? Implementing baseline tools and processes is challenging to deploy and monitor

13 Proposed Next Steps 1. CIOs/IT Leaders in each School / College / Division contact OSIS to schedule a Baseline Security Review 2. OCIS works with CIOs/IT Leaders to document environment, identify gaps, and required resources 3. CIOs/IT Leaders determine achievable 2013 goals for their units 4. OCIS tracks progress and reports results to MTAG

14 What has been accomplished? Endpoint pilots in VetMed & CALS revisiting Scoping projects in: L&S Education Law Business VCA Restricted Data protocol

15 Demo of Recent Java Vulnerability