INFORMATION SECURITY University of Notre Dame. WHAT DOES INFOSEC DO? University of Notre Dame.

Presentation transcript:

INFORMATION SECURITY
University of Notre Dame

WHAT DOES INFOSEC DO?
University of Notre Dame

INFORMATION SECURITY TEAM
David Seidl, James Smith, Brandon Bauer, Jaime Preciado-Beas, Jason Williams, Aaron Wilkey, Kolin Hodgson

INFORMATION SECURITY TEAM
Who do I contact if I have a question?
- Phone:
- In person: Visit the Duty Officer of the day.
- After hours: contact Ops

INFRASTRUCTURE

NETWORK FLOW EXAMPLE

NETWORK FLOW TO INDIA

SOME OF OUR SERVICES
- WebInspect
- Risk Assessment
- Compliance Support (PCI, FERPA, HIPAA)
- Advisories
- Vulnerability Management (Qualys)
- Data Center Firewall Management

COMPUTER FORENSICS
We know what you did. YES, YOU.

COMPUTER FORENSICS
- Investigations occur after approval from the CIO, Office of General Counsel, and/or HR
- Investigations can occur on any electronic device: Windows, MacOS, Linux based systems, and others; mobile devices; network devices
- Mostly HR or Incident Response

CONSULTS
- Security Assessments
- Cloud/Vendor Security Assessments
- Virtualization
- Education

POLICIES AND STANDARDS
- Information Security Policy
- Highly Sensitive Information
- Responsible Use
- Security Configuration Standards

DNS BLACKLIST
- Implemented May 2012
- Redirects URLs through DNS to prevent users from visiting malicious web pages
- URL lists (feeds) are from known security vendors, e.g. SANS
- Refreshed daily
- URLs can be whitelisted by contacting the help desk
- Manually blacklisted as phishing attacks occur
- To try this, visit com from campus
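As an added example (not Notre Dame's own implementation), here is a minimal model of the DNS blacklist described on this slide: vendor feeds are refreshed wholesale, manually added phishing domains are blocked, a help-desk whitelist overrides everything, and blocked names resolve to a sinkhole address. The feed contents, hostnames, the upstream answers and the sinkhole address are all constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

SINKHOLE = "10.0.0.1"   # assumed address of an internal "this site is blocked" page

# Constructed stand-in for the upstream resolver (RFC 5737 documentation ranges).
UPSTREAM: Dict[str, str] = {
    "www.nd.edu": "198.51.100.10",
    "bad-example.test": "203.0.113.5",
    "login-phish.test": "203.0.113.6",
}

def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")

def candidates(name: str) -> Set[str]:
    """The name plus each parent domain, so a listed bad.test also covers
    www.bad.test. The bare TLD is excluded so it can never match a feed."""
    labels = normalize(name).split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}

@dataclass
class DnsBlocklist:
    feeds: Dict[str, Set[str]] = field(default_factory=dict)  # vendor -> domains
    manual: Set[str] = field(default_factory=set)            # hand-added phishing sites
    allow: Set[str] = field(default_factory=set)             # whitelisted via help desk

    def refresh_feed(self, vendor: str, domains) -> None:
        """Daily refresh: a vendor's list is replaced wholesale, so names the
        vendor has dropped stop being blocked without manual cleanup."""
        self.feeds[vendor] = {normalize(d) for d in domains}

    def is_blocked(self, name: str) -> bool:
        names = candidates(name)
        if names & self.allow:          # whitelist wins over every feed
            return False
        if names & self.manual:         # manual phishing entries
            return True
        return any(names & feed for feed in self.feeds.values())

    def resolve(self, name: str) -> Optional[str]:
        """Answer like the campus resolver: sinkhole for listed names,
        otherwise the real address (None if the name is unknown)."""
        if self.is_blocked(name):
            return SINKHOLE
        return UPSTREAM.get(normalize(name))
```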

DNS BLACKLIST

DNS BLACKLIST TESTING

CREDIT CARD SUPPORT PROGRAM (CCSP)
- Separate network behind its own firewall
- Credit card processing environment for ND merchants
- All ND merchants required to comply with PCI DSS
- Governance body
- Information: ccsp.nd.edu or

TEAM GHOSTSHELL
Project WestWind

WHO IS TEAM GHOSTSHELL?
- "Hacktivists" focused on hacking to bring awareness to what they consider to be the greater good
- Team GhostShell made successful dumps prior to Project WestWind:
  - IT Wall Street: Dumped 50,000 accounts to support the Occupy Wall Street movement
  - Project Dragonfly: Dumped 200,000 accounts to support freedom of speech in communist countries
- Project WestWind
  - Target: 100 top universities across the world
  - Purpose: To bring attention to the decaying status of higher education around the world
  - Outcome: A massive dump of over 120k student/faculty/staff records pulled from university servers
  - The Data: Usernames, passwords, phone numbers, class numbers, and more

THE ATTACK!
- SQL Injection: A code injection technique that exploits a security vulnerability in a website's software.
- GhostShell was able to take advantage of vulnerabilities in the web applications of the targeted universities to gain access to their servers.
- The vulnerabilities were most likely exploited using SQL injection.
- The attack took up to four months to prepare, according to Aaron Titus of Identity Finder (Chief Privacy Officer).
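To make the slide's definition concrete, here is an added example (not from the presentation or any of the affected universities) of a lookup that is vulnerable to SQL injection next to its parameterized fix, plus the input-format check a web application should apply before the database is reached. The table, its two records and the NetID format are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """In-memory table of constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (netid TEXT, phone TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("jdoe1", "555-0100"), ("asmith2", "555-0101")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, netid: str) -> List[Tuple[str, str]]:
    # The flaw: user input is concatenated into the statement, so quote
    # characters in the input change the SQL the database executes.
    sql = "SELECT netid, phone FROM students WHERE netid = '" + netid + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, netid: str) -> List[Tuple[str, str]]:
    # The fix: a placeholder. The driver binds netid as a value, never as
    # SQL text, so the statement's structure cannot be altered by input.
    sql = "SELECT netid, phone FROM students WHERE netid = ?"
    return conn.execute(sql, (netid,)).fetchall()

def netid_is_valid(netid: str) -> bool:
    # Defense in depth: reject input that does not look like a NetID at all
    # (short, alphanumeric; format assumed for this example).
    return netid.isalnum() and 1 <= len(netid) <= 16
```

Running both lookups on the same malformed input shows the difference: the concatenated query returns every row, the parameterized one returns none.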

THE DAMAGE
- Reputation: Any time there is a data leak, the reputation of the institution is affected.
- Reputation: GhostShell also found that many of the machines had already been compromised through existing exploits. Some of these stored credit card information.
- Cost: Notification and credit monitoring for those whose information was leaked.
Sample of Affected Universities
- University of Michigan (7 servers)
- University of Wisconsin (4 servers)
- Cornell University (3 servers)
- Tokyo University (4 servers)
- Stanford (2 servers)
- Cambridge (2 servers)
- Arizona State (3 servers)

HOW NOTRE DAME AVOIDED THE INCIDENT
- Vigilantly scanning all web applications using tools such as HP WebInspect
- Limited the exposure of public-facing servers with the zone network project and other efforts across the university
- Luck?

WILL GHOSTSHELL GET CAUGHT?
It is unlikely that anyone from Team GhostShell will get caught. The team used Tor (an anonymity network) to extract and dump the data. This allowed them to mask their location through a network of anonymous proxies around the world.

QUESTIONS YOU ASKED

HOW DO NETIDS GET COMPROMISED?
Phishing

MALWARE

POOR PASSWORDS

POOR PASSWORDS
GoIrish, GoIrish1, GoIrish!, password, abc123, qwerty, iloveyou, jesus, Trustno1, letmein, ashley, Ashley1983, ninja, mustang, dragon
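The pattern on this slide is a banned word that survives a digit or symbol tacked on the end (GoIrish1, GoIrish!, Ashley1983). As an added example, not Notre Dame's password policy, here is a check that catches those variants by reducing a password to its guessable base word before comparing it with a denylist. The denylist is a constructed sample built from the slide's own entries, and the minimum length is an assumed policy value.

```python
import re
from typing import Optional

# Constructed sample denylist from the slide; a real deployment would load a
# full list of breached and commonly used passwords instead.
BANNED = {"goirish", "password", "abc123", "qwerty", "iloveyou", "jesus",
          "trustno1", "letmein", "ashley", "ninja", "mustang", "dragon"}

MIN_LENGTH = 12   # assumed policy value for this example

def base_word(password: str) -> str:
    """Strip the decorations people add to satisfy complexity rules:
    lowercase the password and drop leading/trailing runs of digits and
    punctuation, so 'GoIrish1', 'GoIrish!' and 'Ashley1983' all reduce to
    the word a guessing attack would try first."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())

def weakness(password: str, banned=BANNED) -> Optional[str]:
    """Return the reason a password is rejected, or None if it passes."""
    lowered = password.lower()
    if lowered in banned:
        return "banned word"
    if base_word(password) in banned:
        return "banned word with decoration"
    if len(password) < MIN_LENGTH:
        return "too short"
    return None
```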

QUESTIONS WE DIDN'T ANSWER
1. List all of the security software the University licenses
   There's a lot: check the software downloads page for many approved software packages. If you have a specific need, drop us a line.
2. Common ePO troubleshooting steps
   Rather than talk to the entire room about these, we'll schedule an ePO users group meeting.