
Information security fasit-cait-20150129_v04


Page 1: Information security fasit-cait-20150129_v04

Information Security

Christian Hamer

Chief Information Security Officer

Page 2

Agenda

• Context

• The Threat

• The Risk

• Our Strategy

• Progress

• Program Approach

• Program Highlights

• Additional Activities

• Awareness Campaign

• Updated Policy

• What YOU Can Do

Page 3

Context

• We cannot do security FOR the community

• We WILL NOT do security TO the community

• We must do security WITH the community

Page 4

The Threat: Higher education is a target for advanced attackers and cyber criminals.

“Universities are home to cutting-edge research and emerging technology patents; unfortunately, their networks are large and porous.”

(FireEye 2013 report, p. 13)

High-value data:

• Social Security numbers

• Credit card numbers

• Medical records

• Employee records

• Research

The scope: 14,724,405 records disclosed in 745 reported higher education breaches since 2005.

Why?

• Up to $45 per credit card number

• Up to $3 per Social Security number

• Up to $50 per patient record

Infrastructure:

At Ohio State: “They did find evidence that the purpose of the unauthorized access was to launch cyberattacks on online business entities.”

Page 5

Our Risk: Harvard’s people, data, and reputation put us at greater risk.

Harvard High-value Data

• Social Security Numbers

• Credit card numbers

• Employee records

• Medical records

Research Data

• Commercial

• Medical

• Defense

• Geo-Political

• High-Visibility

Attacks against Harvard’s network in October were up 17% over last year.

Malware activity detected in October was up 69% from last year.

LulzSec

Syrian Electronic Army

Reputational Attacks

Automated Attacks

Page 6

Our Strategy

Aware of the risks and responsibilities

Protected from today’s threats

Ready to identify and respond to a threat

Reduce incidents, minimize impact.

Page 7

Progress

Aware

• Elevated governance structure including URMC and Information Security Council

• Created a simplified data classification system consistent across administrative and research data

• Reviewed information security policies and translated them into requirements and “how-to” guides

Protected

• Reviewed, consolidated, and updated security tools and services

• Deployed anti-phishing software

Ready

• Created a central Information Security team for the University

• Developed incident response protocols

Page 8

Program Approach: We are using a program approach to accelerate progress and focus resources and deliverables on the highest risk.

FY15 Program Workstreams

Aware

• Identify Risk: Understand the state of information security risks University-wide

• Communicate across the University: Deliver clear, consistent, and complete information to the community

Protected

• Improve Services: Provide the right services efficiently and effectively

Ready

• Improve Processes: Enhance our ability to respond to an incident or the needs of the community.

Page 9

Program Highlights

• Develop a consolidated risk report by school

• Develop and launch a University-wide awareness campaign

• Conduct compromise assessment

• Improve incident response readiness and process

Page 10

Additional Activities

• Enhance awareness campaign

• Conduct benchmark exercise

• Develop enhanced vendor management strategy that includes information security

• Conduct cybersecurity table top exercise

• Meet with FAS faculty groups

Page 11

Additional Activities

• Establish University oversight committee on information security

• Accelerate two-factor authentication

• Integrate leadership into awareness campaign activities

Page 12

Awareness Campaign

• WHY do we need an awareness campaign?

• WHAT are we trying to do?

• HOW will we approach it?

Page 13

Why Awareness?

Page 14

Current State

“Security is something done for me.”

“I’m not sure where I report an incident.”

“Getting hacked is inevitable, it’s a losing battle.”

Page 15

Goal — Shift attitudes and behaviors

From:

“Security is something done for me.”

“I’m not sure where I report an incident.”

“Getting hacked is inevitable, it’s a losing battle.”

To:

“Security is everyone's responsibility.”

“I know where to get help and information.”

“There are things I can do to keep myself and the University secure.”

Page 16

What we need to communicate

From:

“Security is something done for me.”

“I’m not sure where I report an incident.”

“Getting hacked is inevitable, it’s a losing battle.”

To:

“Security is everyone's responsibility.”

“I know where to go to get help and information.”

“There are things I can do to keep myself and the University secure.”

Through:

• Information Security Policy

• Security services

• Security best practices

Page 17

Key messages

Click Wisely

• Phishing

• Handling attachments

Apply Updates

• Getting patched

• Staying patched

• “End of life” systems

Know Your Data

• Handling HRCI

• What are you storing?

• Don’t need it? Delete it!

• Follow the Policy

Use Strong Passwords

• Password managers

• Unique passwords

• Multi-factor authentication

Page 18

Awareness Strategy

• Quiet phase

– Staff: build towards IT Summit

• Begin with IT staff

– Faculty/students: build towards Fall startup

• Public launch

– October: National Cyber Security Awareness Month

– High level University support and visibility

Page 19

Updated Policy

• policy.security.harvard.edu

• Highlights:

– Data Classification Table

– High Level Policy

– Requirements: WHAT you need to do

• Broken up by type

– How-Tos: HOW to meet the requirements

• Only if you want/need guidance

Page 20

Page 21

What YOU Can Do

Security is not just a service we can provide for you, it is the goal we work toward with you.

Page 22

Aware

• Know Your Data

– Use the Data Classification Table

– If you don’t need it, delete it! (securely)

• Click Wisely

– Don’t open attachments or click on links in emails you didn’t expect or from people you don’t know

• Spread the word

Page 23

Protected

• Use Strong Passwords

– Use two-factor authentication where you can

– Use a password manager

– More to come on both of these

• Apply Updates

– To your desktop(s)

– To servers

• Make sure your laptops are encrypted

Page 24

Ready

• Report suspicious activity

• If your department handles high-risk data, talk to us about other things you can do

Page 25

Questions?

Christian Hamer

[email protected]