EITAC Cybersecurity program and IT Security updates

Presentation transcript:

EITAC Cybersecurity program and IT Security updates November 11 2016 Denise Ernst, ISO

Background
Queen’s has begun a two-stage approach to reduce the risk of a cyberattack.
Stage 1: Reduce the likelihood of IT hijack (over 9-12 months)
- Enhance our technical capabilities to prevent and detect IT hijack
- Improve people’s ability to identify and resist hijack attempts
- Begin to foster a security-aware culture
Stage 2: Reduce the overall risk of a cyberattack (2-3 year program)
- Transition Queen’s cybersecurity practices from reactive to preventative
- Details on initiatives will be provided in May 2017.

Program Management Updates
- Engaged Sr. Security Specialist consultant
- Drafted governance and reporting structure. Under review.
- Released RFP for professional services assistance. RFP closed November 8.
- Identified project outcomes - network security, email
- Executing Communication Plan: social media campaign, meetings held with 7 stakeholder groups and large portfolio units, article in ITS Newsletter and upcoming article in Gazette, website notices, completed Cyber Security Awareness month campaign
Status: GREEN (schedule, budget, outcomes).
Celebrate successes:
a. Ten companies intending to respond to request for assistance with program.
b. Microsoft significantly reduced the cost of their email threat protection tool.
c. Awareness of, and attention to, cybersecurity improving.
Key challenge:
d. Re-focus of IT resources on cybersecurity

Project Groups 1 and 2 Update

1. Network Security
1.1 Network Access Control
Description: Phase in network controls to prevent unprotected/unmanaged devices from accessing the Queen’s network.
Project updates: Designed device risk heatmap used to identify maximum risk reward. Proof of concept underway.
1.2 Network Security Architecture
Description: Begin to modernize the existing network design and configuration to provide additional layers of security.
Project updates: Drafted initial recommendations. Implementation will commence upon appointment of professional services.

2. Email Security
2.1 Advanced Threat Protection
Description: Enhance security of Queen’s email service to minimize the propagation of malicious messages.

To commence upon appointment of professional services.

Project Group 3 - Update

3. Endpoint Security
3.1 Security Monitoring Program
Description: Design and implement a program for the continuous monitoring of the IT environment to detect and prevent attacks against devices such as laptops, servers, mobile phones.
Project updates: To commence upon appointment of professional services.
3.2 Vulnerability Management Program
Description: Design and implement a program for the continuous management of technical vulnerabilities across campus.
Project updates: Initial recommendations drafted and under ITS review.

To commence upon appointment of professional services.

Project Group 4 Update

4. Security Awareness
4.1 Social Engineering Exercise
Description: Design and implement an exercise aimed to verify users’ ability to identify phishing emails and inform on best practices.
Project updates: To commence upon appointment of professional services.
4.2 Security Course
Description: Renew security awareness course.
4.3 Ransom Policy
Description: Develop and implement a policy for ransom demands.
4.4 Security Awareness Policy
Description: Develop and implement a policy for mandatory security awareness training.

Cybersecurity program – Email Security
- All Queen’s mail will be scanned and filtered through O365
- Mail will flow through enterprise security measures prior to forwarding onto local mail service or local mailbox
- Mail reputational services will be enhanced to limit others from spoofing Queen’s mail
- Changes to mail flow will occur first, no user impact anticipated
- New enterprise security measures (e.g. configuration changes, new filters) will be phased in during 2017. An implementation plan is forthcoming.
- It will be important to inform ITS of any local mail service to avoid an impact to users
- Testing will begin in December

Email Security: Local mail service
The goal is to have all Queen’s user communities benefit from additional enterprise security measures, designed to reduce the number of malicious messages a user receives.
Do any of your applications use a mail service other than mail.queensu.ca?
a. What business purpose?
b. How many users?
c. What is the daily/cyclical volume?
d. Does it require mass mailing?
e. Mail service name?
f. Can it be decommissioned?
Please provide this information to Terry Black by the end of November.
If the app is using the enterprise service, we don’t need to know.

IT Security: E-Waste
New procedures for e-waste coming soon:
http://www.queensu.ca/its/security/additional-security-services/hd-destruction-disposal
http://www.queensu.ca/sustainability/campus-initiatives/recycling/electronic-waste
- Contact the Sustainability Office to arrange pickup and destruction of e-waste
- E-waste awaiting pickup: store in a secure area, inaccessible to the public.
- Never leave e-waste unattended in an unsecured area.
- Read, share, and promote e-waste procedures
Background
- The campus computer store provided a hard drive cleaning (degaussing) and disposal service. The service ceased upon store closure.
- Hard drives no longer need to be removed from computers prior to disposal
- E-waste will be shredded off-site

IT Security: Printer Security
Configuration changes are required on printers to protect them from cyber exploits. A number of printers were exploited this year, resulting in printouts of offensive propaganda material across campus.
Changes to printer security:
- Additional printer security configurations recommended
- Printers will move to secure IP address
http://www.queensu.ca/its/security/printer-security
- Read, share, and promote printer security procedures

What you should know – Printer security
- Publicly accessible printers have been identified, and the ITSC is in the process of identifying and contacting the owners of these devices.
- Our current process is to filter the leased Canon and Xerox printers so that access is limited to within Queen’s.
- All other printers will move to a private network, inaccessible from the internet.
- All other printers: inform the IT Support Center (ITSC) if a printer requires internet access.
For more information, please contact the ITSC.

Other updates
- Password policy enforcement
- Linux vulnerability
- Significant number of end of life or end of support technologies discoverable on network
- Mirai botnet (IoT)