Data Security Symposium. Network Security and Planning Ron Ternowski

Transcription

1 Data Security Symposium Network Security and Planning Ron Ternowski

2 Data Security Symposium Today s Activities 9:40 a.m. 10:30 a.m. Session I 10:30 a.m. 10:40 a.m. Break 10:40 a.m. 11:30 a.m. Session II 11:30 a.m. 11:40 a.m. Break 11:40 a.m. 12:30 p.m. Session III 12:30 p.m. 1:15 p.m. Lunch 1:15 p.m. 2:15 p.m. Second Keynote 2:15 2:45 p.m. Panel Discussion and Wrap Up

3 Network Security and Planning C.I.A. Data Breach Network Security Network Firewalls VPN Access Content Filtering BYOD Transfer of Data i.e. dropbox, vendor drives, icloud Security Passwords

4 C.I.A. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. Integrity the assurance of the accuracy and reliability of the information and systems is provided, and any unauthorized modification is prevented. Availability ensures reliability and timely access to data and resources to authorized individuals.

5 C.I.A Security in Layers

6 C.I.A What encompasses security?

7 Data Breach Why do we worry about security? Insurance company, WellPoint, fined $1.7m over data exposure - In 2009, WellPoint reported to the federal agency that an online database holding personal and health information for 612,402 individuals was left accessible over the Internet between October 2009 and March The data included names, addresses, birth dates, Social Security numbers, phone numbers and health information. 6,300 USC students warned about data breach The University of South Carolina is dealing with another data breach while it continues work to eliminate unnecessary use of Social Security numbers. USC sent letters this week to 6,300 students whose personal information, including Social Security numbers, could have been on a laptop stolen from the physics department.

8 Data Breach Fla. Dept. of Education Reports Breach - The Florida Department of Education reports that 47,000 participants in a teacher preparation program had personal information exposed on the Internet for 14 days during a data transfer between servers housed at Florida State University. Compromised information includes names, Social Security numbers, and, in some cases, addresses, according to a spokesperson for the Department of Education. The university is performing work under contract with the education department, according to a statement the Department of Education provided to DataBreachToday. Upon discovering the problem, the education department closed off access to the personal information, cleared all cached data files and ran security checks to ensure information was only accessible by authorized users, according to the statement. An investigation determined that the information may have been accessed 23 times via Google; that may have included unauthorized access, the statement acknowledges. Affected Individuals are being offered free credit monitoring services, the spokesperson said.

9 Network Security Documentation Physical security Is the server room locked? Are the cabinets locked? Are switches/routers in a locked cabinet with controlled access? VLAN Design By building? By Network segment? By usage? Are servers on their own VLAN? Segmented by Firewall? DHCP Snooping Trusted interfaces are the only responders to requests. SLPP (Avaya) and BPDU Guard (Cisco) disable any port that receives a BPDU message, helps prevent loops.

10 Network Security Layer 2 Always use a dedicated VLAN ID for all trunk ports. Avoid using VLAN 1. Set all user ports to access. Deploy port security when possible for user ports. Enable STP attack mitigation (BPDU Guard, Root Guard, SLPP). Disable all unused ports and put them in an unused VLAN. Ensure DHCP attack prevention where needed.

11 Network Firewalls Checkpoint Firewall Model 4800 Running Gaia R75.40 Multiple Security Zones Server Area BYOD DMZ VPN Capable Statefull Firewall Feature Availability IPS capable, Application Awareness, Identity Awareness

12 Network Firewalls Firewall Rules

13 Network Firewalls Firewall Logs Real-time and historical

14 VPN Access Multiple methods for VPN Access Contivity, ASA, Firewall How do you control and log access? Is it tied to your directory structure? Who has access? When and from where was it accessed? MOST IMPORTANT What access do the end-users have? Very Important that the access and user accounts are audited on a regular basis. Recommend every quarter but should be done annually as a minimum.

15 Content Filtering Lightspeed Systems URL Filtering P2P Networks Proxy Blocking Port Blocking Blocked File Extensions Blocked Search Keywords Reports, Reports, Reports Search Queries and Suspicious Search Queries Web Activity Peer 2 Peer Report option Summary Reports

16 Content Filtering - Options

17 Content Filtering Blocked File Extensions

18 Content Filtering Blocked Search Keywords

19 Content Filtering - Reports

20 Content Filtering - Reports

21 Content Filtering - Reports

22 BYOD What do we do???

23 BYOD School Board Policy? Is there one? Do we need to update? Is there an AUP for Staff or Students? E1B Policy Group can Assist. Where do we put these devices? BYOD network? Off the firewall? What type of authentication should be used, if any? What level of filtering should they have? How do we track these individuals?

24 Transfer of Data How is data moved in our District? Do we know where all of our PII is kept? Do we know when it is moved? Is it moved securely? Remember the CIA Triad. Do we know who has access to this data? What permissions are on the folders, files, shares? Are we using cloud services? Are you sure??? Dropbox SkyDrive Google Drive icloud

25 Security What system do you use? How is it accessed? Is it available from outside the District? Is the client or web based access encrypted? Are you using a SPAM service? Do you have clear rules about use? Establish and promote a robust policy AUP i.e. Do not forward inappropriate material, not for personal use, limit attachment size to X MB s Present the dangers clearly. Viruses, trojans, bots, spam and phishing attacks. Hat , bullying, other inappropriate actions. Illegal or copyright file transmission. Regulatory breaches FERPA, HIPPA

26 Security Etiquette Train the user regularly What to send. Who to send to. Reply vs Reply All vs BCC Scan all s and attachments for viruses Prevent data loss through Block attachments by file type. Add disclaimers and banners to s in both directions. Ensure your system is not being abused by unknown or malicious users.

27 Passwords Password Policy!!! What is an acceptable compromise between security and your end-users?

28 Contact People WNYRIC Service Desk (716) or (800) WAN Seniors ON Region Dave Buettner E1 Region Chris Siniscalchi E2 Region Pat Gugino CA/GST Regions Kyle Lyon Buffalo Ken Koch Content Filtering Barb Fedchak Ron Ternowski

29 Data Security Symposium Questions??