Security Assessments The Baylor University Experience.

Slides:



Advertisements
Similar presentations
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Advertisements

1 A Tale of 2 Tracks: #1 Social Engineering Your Students! Or…Dealing with a Series of Unfortunate Events Martin Manjak, ISO Justin Azoff, Network Analyst.
Managing A Secure Infrastructure – Tales From the Trenches November 6, 2003.
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Security Controls – What Works
How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.
Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.
Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Unit 28- Website Development Assignment 1- THEORY P3
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
1 The Botherd is Coming! Part II The Technical Response Justin Azoff University at Albany EDUCAUSE Live! June 21 st, 2006.
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Technical Training: DIR-615
Website Hardening HUIT IT Security | Sep
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Cyber Security Audit and Network Monitoring P.D. Mynatt Doug Brown March 19 th 2015.
Sravanthi Vattikuti Sri Harsha Devabhaktuni
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Botnets An Introduction Into the World of Botnets Tyler Hudak
Teaching Security via Problem- based Learning Scenarios Chris Beaumont Senior Lecturer Learning Technology Research Group Liverpool Hope University College.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Attacks on Computer Systems
Mastering Windows Network Forensics and Investigation Chapter 11: Text-Based Logs.
Security Services Agenda Overview of HEAnet security services HEAnet CERT (Computer Emergency Response) Anti-Spam RBL (Real time blacklist service) HEAnet.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
MIS Week 6 Site:
Managing Clients in the IEZ Quote System Objective: Become an expert in managing your clients in the IEZ Quote System.
APRICOT 2015 Security Day Cooperation between Security Teams and Network Operators: Actionable Intelligence on ShellShock Arnold S. Yoon Information Security.
University of Palestine Faculty of Applied Engineering and Urban Planning Software Engineering Department Prepared By Ahmed Obaid Wassim Salem Supervised.
A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.
Office of Campus Information Security Incident Response Briefing Jeffrey Savoy, CISSP.
1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.
AREVA T&D Security Focus Group - 09/14/091 Security Focus Group A Vendor & Customer Collaboration EMS Users Conference September 14, 2009 Rich White AREVA.
TZO Troubleshooting Training for Agents By Erik Collett
MIS Week 4 Site:
Customers Security in Context Microsoft & Office 365 / Azure Cloud Security Engagement Framework & References Real World application Frameworks.
MIS Week 6 Site:
CU – Boulder Security Incidents Jon Giltner. Our Challenge.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Frontline Enterprise Security
Cyber Security Management Lesson Introduction ●Understand organizational context for cyber security ●Understand the people, process and technology dimensions.
5/18/2006 Department of Technology Services Security Architecture.
TAXII SC Call Agenda Administrivia Month Behind Discussion Month Ahead.
Educause Security 2006 © Baylor University Security Assessments for Information Technology Bob Hartland Director of IT Servers and Network Services.
Quickly Establishing A Workable IT Security Program EDUCAUSE Mid-Atlantic Regional Conference January 10-12, 2006 Copyright Robert E. Neale This.
1 Network Quarantine At Cornell University Steve Schuster Director, Information Security Office.
IT Audit and Penetration Testing What’s the difference and why should I care?
Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.
Information Security in Laurier Grant Li Wilfrid Laurier University.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
Lab 11 Overview Windows Server Last Labs wk14
Proactive Incident Response
Switchvox SMB 4.6 for your peace of mind
Law Firm Data Security: What In-house Counsel Need to Know
Information Technology Acceptable Use An Overview
Introduction to ‘Insights to Behavior’
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
CYB 100 Teaching Effectively-- snaptutorial.com
Information Security Awareness 101
سيستم مديريت امنيت اطلاعات
Intro to Ethical Hacking
Intro to Ethical Hacking
ISO/IEC 27001:2005 A brief introduction Kaushik Majumder
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
Security Essentials for Small Businesses
Applying for 6th Forms, Colleges and Apprenticeships in Kent.
Publishing your work on the web
Presentation transcript:

Security Assessments The Baylor University Experience

Baylor in Overview 13,800 students, 2000 employees 85 buildings networked Server farm in DMZ

Why an Assessment? Helps you stay out of the news! Legal and PR issues Defines a baseline for Risk Level

Choosing a Vendor Unbiased look at your system Expertise, experience Documentation -- Formal report Good -- documents your vulnerabilities, engages your people. Bad -- documents your vulnerabilities, now you’re on the hook!

Three types of vendors Tier Three Relatively inexpensive Relatively limited in scope, results. Tier Two External and internal scans medium to high cost.

The High Priced Spread Scope, scans are customizable Verification of vulnerabilities Detailed (380pp!) report with recommendations

Take-Away Lessons It’s about trust and confidence Remember non-disclosure agreements Redefine scope after first meeting Watch those sensitive times -- things may break! Name a point person to handle ALL issues

Take-away Lessons Social engineering will go on. Put ‘em in a hidden location, don’t warn rest of CIT. Social engineering is scary stuff! It takes a while, 2 weeks off-campus, 2 weeks on. Prioritize vulnerabilities and remediation

Was it worth it? Got the attention of the right people Be inclusive of findings IT personnel Departmental IT personnel General Counsel Executive staff Multi-year agreement can reduce cost

The BotHerd is Coming University of Albany Martin Manjak, ISO, Justin Azoff, Network Analyst University of Albany Martin Manjak, ISO, Justin Azoff, Network Analyst

About UAlbany 17,400 students, 700 faculty, 8000 residents September 2004 over 800 systems booted from network open tickets first week of class 3 week wait for remediation appointment

Never Again! Technical Track (later) Social Engineering Track More about people than technology Never stop working on awareness

Need a Narrative “Didn’t you read the letter we sent?” Technology is a turn-off to many. Craft a narrative where students can self- identify, “Did you hear the story about...” Focus on behaviour and change

Design is Key Attractive format, good graphics People, not screen shots. Series of brochures were created Trade ‘em, collect the whole set! Advertised the Network Survival Kit

The Security Quiz Online Quiz in Ethics and Security Required to gain Network access Must get 10 out of 10 right to pass Using the network means you passed, therefore you know the requirements, so No excuses when you’re kicked off.

2004 vs Results Cut September’s trouble tickets in half While network registrations increased 23%

Technology lags education XP SP2 Firewall, patches responsible for some reduction in vulnerabilities, but New threat vectors (AIM, Web links) are emerging. Patches won’t stop students (and staff!) from clicking Firewall on -- unable to scan it.

Technical Measures 80k HTTP flows and 1 IRC? (not 6667) Never-admit IRC on Packetshaper, with a whitelist of servers Scan IPs using blocked IRC, collecting banners, if open. Interesting things can be observed...

Not your father’s FTP server

IRC Bots come in 2^32 types Bots have one or more C&C IP addresses embedded in them IP based Whack-a-mole, easy to detect DNS based HA, load-balanced, redundant botnet!

You.GotPwndBy.us When DNS bots wake up, they must resolve that C&C address. Log your DNS queries Frequent flyers, bad hostname list hosts in.info,.us,.cx, not.com,.edu IDS, IPS also a help (they didn’t have)

Resources Conference site: Botnet slides: UNiversity Security Operations Group, ( REN-ISAC,

Shameless Plug Suggestions? Comments? Smaller Colleges -- Interested? Presentation Topics, Tracks, Training? Suggestions? Comments? Smaller Colleges -- Interested? Presentation Topics, Tracks, Training?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.