Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence
About ERM
About The Speaker Information Security Expert at ERM B.S. Software Engineering and Information Technology Recently Passed the CISSP Core Experience: Penetration Testing Regulatory Compliance and Standards Technical Security Assessment Social Engineering - University of Miami
Agenda Our Institutions Under Attack How it Works Compliance vs. Security Protecting Your Institution of Excellence
Money Is The Motive Tons of Sensitive Information Confidential Research Identity Theft
University Attacks in the News Team GhostShell claimed credit for breaking into servers at 100 major universities from around the world, including U.S. News Top 10 universities. A month ago, a large university reported that confidential files containing personal information on 72,000 people were hacked. A month ago, a major academic institution's Internet technology database was hacked, and school officials made an announcement suggesting that students and staff reset their passwords.
Types of Attacks Network Attack Physical Layer Social Engineering
NETWORK ATTACKS
DDoS Distributed Denial of Service Masters: systems that are initially exploited through a vulnerability Slaves: systems infected with malware distributed by the master Goal is to overload the network or a targeted application
Software Weaknesses SQL Injection: insertion of malicious SQL statements into an entry field; the attacker attempts to dump the database contents Zero-Day Exploits: exploits for vulnerabilities for which no patch has yet been developed
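The SQL injection bullet above, as an added worked example (not code from the presentation or from ERM). It uses a constructed in-memory SQLite database with hypothetical table and column names, and shows the same lookup written two ways: with string concatenation, where the attacker's input is interpreted as SQL and can both bypass the filter and pull rows from a second table, and with a parameterized query, where the same input is treated as a literal name and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample database: a student table and a staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE staff (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        (1, "alice", "123-45-6789"),
        (2, "bob", "987-65-4321"),
        (3, "carol", "555-55-5555"),
    ])
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", [
        (1, "dba_admin", "$2b$12$constructedhash1"),
        (2, "finance_lead", "$2b$12$constructedhash2"),
    ])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = "SELECT id, name, ssn FROM students WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver passes `name` as data, never as SQL."""
    return conn.execute(
        "SELECT id, name, ssn FROM students WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker inputs typed into the "name" entry field.
TAUTOLOGY = "' OR '1'='1"  # makes the WHERE clause always true
UNION_DUMP = "x' UNION SELECT id, username, password_hash FROM staff --"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "alice"))      # one legitimate row
    print(lookup_vulnerable(db, TAUTOLOGY))    # every student row
    print(lookup_vulnerable(db, UNION_DUMP))   # staff credentials from another table
    print(lookup_safe(db, TAUTOLOGY))          # []: treated as a literal name
```

The parameterized form is the fix; input filtering alone is not, because the second payload contains no quote-escaping trick the first one does not, only a different query shape.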
BYOD (Bring-Your-Own-Device) Mobile Devices Access to sensitive information is authenticated by the device Lost or Stolen Device = Data Breach
Rogue Access Points BYOD part deux Bring your own wireless access point to campus Allows an attacker to see all traffic that passes through it
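One way to spot the rogue access point described above, as an added example that is not part of the presentation: compare a wireless survey against an inventory of authorized campus radios. Both the inventory and the survey below are constructed (hypothetical BSSIDs and SSIDs); in practice the survey rows come from parsing a scanner's output. The check distinguishes a known radio advertising the wrong SSID (misconfiguration), an unknown radio advertising the campus SSID (an evil twin that harvests client traffic), and unknown radios that are strong enough to be on the premises versus ones that are probably a neighbor.

```python
# Constructed inventory of authorized campus access points: BSSID -> SSID.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CampusNet",
    "00:11:22:33:44:02": "CampusNet",
    "00:11:22:33:44:03": "CampusGuest",
}

# Constructed wireless survey, as you would get after parsing a scanner's
# output: (bssid, ssid, channel, signal_dbm).
SURVEY = [
    ("00:11:22:33:44:01", "CampusNet", 6, -52),
    ("00:11:22:33:44:02", "CampusNet", 11, -60),
    ("00:11:22:33:44:03", "CampusGuest", 1, -70),
    ("a4:5e:60:aa:bb:cc", "CampusNet", 6, -45),      # unknown radio, campus SSID
    ("de:ad:be:ef:00:01", "Free_Campus_WiFi", 1, -48),
    ("00:11:22:33:44:02", "CampusGuest", 11, -61),   # known radio, unexpected SSID
    ("10:20:30:40:50:60", "Neighbor5G", 36, -88),    # weak, probably off campus
]


def classify_ap(entry, authorized, onsite_threshold_dbm=-75):
    """Classify one survey row against the inventory."""
    bssid, ssid, _channel, rssi = entry
    if bssid in authorized:
        # Known radio: only flag it if it advertises a different SSID.
        return "authorized" if authorized[bssid] == ssid else "misconfigured"
    if ssid in set(authorized.values()):
        # Unknown radio impersonating a campus network.
        return "evil_twin"
    # Strong signal from an unknown radio means it is likely inside the building.
    return "unknown_onsite" if rssi >= onsite_threshold_dbm else "unknown_remote"


def find_rogue_aps(survey, authorized):
    """Return {verdict: [bssid, ...]} for every non-authorized row."""
    findings = {}
    for entry in survey:
        verdict = classify_ap(entry, authorized)
        if verdict != "authorized":
            findings.setdefault(verdict, []).append(entry[0])
    return findings


if __name__ == "__main__":
    for verdict, bssids in find_rogue_aps(SURVEY, AUTHORIZED_APS).items():
        print(verdict, bssids)
```

A BSSID allowlist is a first pass, not proof: an attacker can clone an authorized BSSID, so a real wireless IDS also correlates channel, signal strength and the radio's physical location with what the inventory says that BSSID should look like.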
PHYSICAL ATTACKS
Active Ports An attacker attempts to gain access to the wired network by testing for active Ethernet ports
Tailgating / Piggybacking Attempting to gain access to secure premises through the exploitation of common courtesy or carelessness.
Dumpster Diving The act of searching through trash bins to discover sensitive information.
SOCIAL ENGINEERING
Social Engineering The art of manipulating people into performing actions or divulging confidential information. Relies on people's inability to keep up with a culture that relies heavily on information technology. Uses your own employees to defeat your security controls and practices.
Social Engineering Attacks Phishing Malicious Email Attachment Click the link Fake Website Baiting Shoulder Surfing
Academic Institution Attack Scenario: Target DB Administrators and Finance AND you have 2 weeks Information Gathering: Google / LinkedIn: names of all people in both departments Institution's Website: layout of the entire building including desk locations; the institution uses the PeopleSoft application; emails of identified staff; the Dean's contact information, signature, and sample emails Attack: Phishing: crafted a spoofed email, pretending to be from the Dean, telling the victims about a PeopleSoft training they must take, with a link to the site Fake Website: victims entered their PeopleSoft credentials; those credentials were then used to log into the institution's real PeopleSoft site, which happens to be externally facing.
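The phishing message in the scenario above has the tells a mail triage check can catch before a user clicks: a From address on the institution's domain but a bounce address and Reply-To elsewhere, and a link whose visible text shows the institution's PeopleSoft host while the href points at an outside site. The following is an added example, not code from the presentation or from ERM; the institution domain `uni.example`, the attacker hosts and both messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the institution's own mail/web domain (hypothetical name).
INSTITUTION_DOMAINS = {"uni.example"}

# Constructed message modelled on the scenario: it looks like it comes from the
# dean, but the bounce address, Reply-To and the link all point outside.
PHISH = """Return-Path: <bounce-1234@mailer.example.net>
From: "Dean J. Smith" <dean.smith@uni.example>
Reply-To: dean.smith@uni-example-training.example.net
To: dba-team@uni.example
Subject: Mandatory PeopleSoft training (due Friday)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>All DB administrators must complete the PeopleSoft refresher at
<a href="http://peoplesoft-training.example.net/login">https://peoplesoft.uni.example</a>
by Friday. Log in with your PeopleSoft credentials.</p></body></html>
"""

# Constructed legitimate message for comparison.
LEGIT = """Return-Path: <dean.smith@uni.example>
From: "Dean J. Smith" <dean.smith@uni.example>
To: dba-team@uni.example
Subject: PeopleSoft refresher schedule
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>The schedule is posted at
<a href="https://peoplesoft.uni.example/training">https://peoplesoft.uni.example/training</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Domain part of an address header value, lower-cased."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def is_internal(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in INSTITUTION_DOMAINS)


def triage(raw):
    """Return a list of (indicator, detail) pairs; an empty list means no tell found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # Envelope sender and Reply-To that disagree with From are classic spoof tells.
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if value and domain_of(value) != from_dom:
            findings.append((header.lower().replace("-", "_") + "_mismatch", domain_of(value)))
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    parser = LinkCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not is_internal(host):
            findings.append(("external_link", href))
        # Visible URL text that names a different host than the real target.
        if text.startswith(("http://", "https://")) and urlparse(text).hostname != host:
            findings.append(("link_text_mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(LEGIT))  # []
```

Header mismatches like these are what SPF and DMARC checks at the mail gateway act on; a script like this is for triage of what gets through, and the scenario's real lesson is that an externally facing PeopleSoft login with password-only authentication turns one phished credential into a breach.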
Compliance vs. Security Annual grind is to become compliant with the numerous regulations Compliance and security are VERY DIFFERENT!! Implement security from the very foundation
Cloud Computing All about VENDOR MANAGEMENT Compliance is key Ensure that cloud computing companies comply with regulations (e.g. HIPAA, PCI, and GLBA) Compliance risk assessment
COUNTERMEASURES
Fight the DDoS Load Balancing Throttling Honeypots
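The throttling countermeasure above, as an added example that is not part of the presentation: a per-client token bucket applied to a constructed request stream in which one student polls the portal once a second while a bot sends 50 requests a second. The bucket parameters (5 requests/second sustained, burst of 10) and the client addresses are assumptions for the illustration.

```python
class TokenBucket:
    """Per-client token bucket. Tokens are kept in thousandths so the
    arithmetic with millisecond timestamps stays exact integers."""

    def __init__(self, rate_per_sec, burst, now_ms):
        self.rate = rate_per_sec         # tokens added per second
        self.capacity = burst * 1000     # milli-tokens
        self.tokens = self.capacity      # a new client starts with a full burst
        self.last = now_ms

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last)
        self.last = now_ms
        # rate (tokens/s) * elapsed (ms) = milli-tokens refilled since last call
        self.tokens = min(self.capacity, self.tokens + self.rate * elapsed)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def throttle(requests, rate_per_sec=5, burst=10):
    """requests: iterable of (timestamp_ms, client_ip).
    Returns {client_ip: {"allowed": n, "dropped": n}}."""
    buckets, stats = {}, {}
    for ts, ip in sorted(requests):
        bucket = buckets.get(ip)
        if bucket is None:
            bucket = buckets[ip] = TokenBucket(rate_per_sec, burst, ts)
        verdict = "allowed" if bucket.allow(ts) else "dropped"
        counts = stats.setdefault(ip, {"allowed": 0, "dropped": 0})
        counts[verdict] += 1
    return stats


# Constructed traffic: a student polling the portal once a second for 10 s,
# and one bot hammering it at 50 requests/s for 2 s.
LEGIT = [(i * 1000, "10.20.30.40") for i in range(10)]
FLOOD = [(i * 20, "203.0.113.7") for i in range(100)]

if __name__ == "__main__":
    print(throttle(LEGIT + FLOOD))
```

With these parameters the student loses nothing and the bot gets 19 of its 100 requests through (the 10-request burst plus 5 per second of refill). The caveat is in the D of DDoS: when the flood is spread across thousands of slaves that each stay under the per-client limit, throttling by source does not save you, and load balancing and upstream capacity have to absorb the traffic instead.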
Breach Health Check-ups Timely checkups for security breaches Bring in professionals who will analyze your network Large Organizations -> Once a quarter Smaller Organizations -> At least every six months
Data Assurance Data Destruction Origin of Data Data in Transit Identify and track the life cycle of information in the organization Ensure it is properly secured throughout the entire life cycle Data leakage prevention
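Data leakage prevention starts with being able to find the sensitive data at all. The scanner below is an added example, not part of the presentation: it runs over a constructed export file and reports SSN-shaped and card-number-shaped values, but only after structural checks (SSN area/group/serial rules, Luhn check digit) so that phone numbers, ticket IDs and typos do not flood the report with false positives. The sample text, including the numbers in it, is constructed.

```python
import re

# 3-2-4 digit groups with dashes; the phone number below does not fit this shape.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed file that a DLP scan might encounter on a shared drive.
SAMPLE = """Student roster export - do not distribute
alice, 123-45-6789, Computer Science
bob, 000-12-3456, History          <- not a real SSN (area 000)
ticket #4111-1111-1111-1111 refund pending
order 4111 1111 1111 1112 (typo)
phone 305-555-0142
"""


def valid_ssn(area, group, serial):
    """SSA structural rules: area is not 000, 666 or 900-999; group and serial are not zero."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_valid(digits):
    """Luhn check digit, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return [(line_number, kind, matched_text)] for values that pass the checks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                findings.append((lineno, "ssn", m.group(0)))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, "card", m.group(0)))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Pattern scanning tells you where sensitive data sits at rest; tracking it through the life cycle (origin, transit, destruction) is a matter of running the same classification at each handoff point and acting on it, for example refusing to mail a file the scanner flags.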
Audits and Assessments Regular penetration testing Configuration assessments Patches, patches, patches!! Social Engineering Tests Physical Intrusion Tests Preventative Policies
Security Awareness Training
You're Not Alone Educause FBI College and University Security Effort (CAUSE) Multiple Tools
THE SECURITY OF YOUR ENTIRE INSTITUTION IS AS GOOD AS YOUR WEAKEST LINK!
Your go-to advisors for all matters in information security. 800 S Douglas Road #940 Coral Gables, FL 33134 Phone: 305-447-6750 Email: info@emrisk.com www.emrisk.com