Cyber Security @ UNC – Industry Based Broadening – Information Operations
Dennis Schmidt, Assistant Vice Chancellor for Information Security and Privacy and Chief Information Security Officer
July 2019
Who We Are
• Dennis Schmidt – Assistant Vice Chancellor, Information Security and Privacy, and Chief Information Security Officer – 22 years at UNC – Retired Naval Officer (24 years active)
• Larry Fritsche – Manager, Security Operations – 15 years at UNC
• Mel Radcliffe – Manager, Risk Team – 3.5 years at UNC
• Alex Everett – Security Architect – 12 years at UNC
We are a Big Campus!
• 30,011 Students – 19,117 Undergraduates – 10,894 Graduate & Professional
• 3,950 Faculty
• 8,791 Staff
• 120,000 devices
• 14 Professional Schools
• 729 acres on campus
• ~150 buildings
A Large and Complex Enterprise
• Millions of personally-identifiable records
• 1,600+ sensitive/mission-critical computer servers on campus
• 81 Departments have registered sensitive data servers
• Billions of Intrusion Attempts
• Hundreds of Unique Phishing Campaigns
• Hundreds of Compromised Accounts
• 60 Sensitive / Mission Critical Incidents
By the numbers…
• Intrusion Prevention Systems (IPS) – On average we daily perform:
  • 350,000 reputation-based blocks
  • 170,000 signature-based blocks
  • 6,400 ad hoc customized blocks
• Block millions of additional system connection attempts daily via our firewalls:

Month                    | Total Denies | Average/day
August 2018              | 11.2 Billion | 361.3 Million
September 2018           | 11.8 Billion | 393.3 Million
October 2018             | 16.9 Billion | 545.2 Million
November 2018            | 11.5 Billion | 376.6 Million
August through November  | 51.4 Billion | 421.3 Million
[Campus network and security architecture diagram. Named components: Duo 2FA; Qualys scanners; MCNC; Office 365; HR Recruitment; Touchnet (Payments); Arista TapAgg; border IPS with 121 ports blocked; General Administration IDS; RENCI Research Computing; Aruba wireless firewall; UNC School of Med; UNC Datacenter; www/WordPress; CloudApps; ~20 remote sites; VPN; NAC; ResNET (inbound deny); F5 ASM; Verizon reputation; VoIP; DNS services (inbound deny); PGP encryption; F5 LB; Palo Alto 5060 IPS; Shibboleth Auth; Palo Alto 7050; SCEP; AV; Granville; departmental firewall with 121 ports blocked; UNC Connect; Med School; HealthCare; Athletics; Carolina Finance; Kerberos; Human Resources; ITS; LDAP/Active Directory; Improv; EnCase Forensics; Identity Finder; Splunk logging; ADFS Auth; SCCM.]
Data Center Tour
ITS Operations Center – 3rd Floor of ITS Manning
• Staffed 24x7x365
• Heart of ITS Network and Security operations
• Communications core during system incidents and malfunctions
• Monitors status of 100,000+ devices and systems
• Backup for Alert Carolina
Manning Data Center – 3rd Floor of ITS Manning
• Built in 2007
• 11,000 square feet
• 700 tons cooling
• Power divided between Ops and Research
• 2 Megawatts available power
• Generator/UPS backup for Ops
• Building Power only for Research side
Franklin Data Center
• Basement of ITS Franklin (440 W. Franklin)
• Renovated in 2006
• 4,500 square feet
• 80 tons cooling
• 500 Kilowatts available power
• 900 Kilowatt Generator
• UPS backup – Batteries and Flywheels
Source: http://www.sourceups.co.uk/hot-aisle-cold-aisle-cooling-explained/
Our Top 5 Security Risks 1. Phishing/Vishing 2. Lack of User Awareness 3. Limited Resources 4. Persistent Threats from Internet 5. Disaster Recovery
Phishing/Vishing
• Phishing attacks from professional teams of criminal experts continue to plague us
  – Spear phishing is becoming very common
  – Recent increases in “impersonation phishing”
    • Ex: chancellor.unc.edu@yahoo.com
    • Ex: asdean.unc.edu@gmail.com
  – Vishing (phishing by phone) is not as common, but still an issue
• 2-Step verification has been our most effective defense to date
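The impersonation pattern in the examples above (the institution's domain embedded in the local part or display name of a freemail sender) is easy to check for at the mail gateway or in a SIEM. The following is an added illustration, not UNC's own rule; the domain constant and the sample headers are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Assumed institutional domain for this example (the slide's examples use unc.edu).
INSTITUTION_DOMAIN = "unc.edu"

# Match the institutional domain as a whole token, so "unc.edu" inside
# "chancellor.unc.edu" matches but unrelated text such as "bunc.edu" does not.
_MENTION = re.compile(
    r"(?<![a-z0-9-])" + re.escape(INSTITUTION_DOMAIN) + r"(?![a-z0-9-])"
)


def is_internal_domain(domain: str) -> bool:
    """True for the institutional domain itself or any of its subdomains."""
    d = domain.lower()
    return d == INSTITUTION_DOMAIN or d.endswith("." + INSTITUTION_DOMAIN)


def impersonation_reason(from_header: str):
    """Return why a From: value looks like impersonation, or None if it does not."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable sender address"
    local, _, domain = addr.rpartition("@")
    if is_internal_domain(domain):
        return None  # genuinely sent from the institution's domain
    if _MENTION.search(local.lower()):
        return f"institutional domain inside local part of external sender {addr}"
    if _MENTION.search(display.lower()):
        return f"institutional domain inside display name of external sender {addr}"
    return None


# Constructed sample From: values: the two from the slide plus assumed variants.
SAMPLE_HEADERS = [
    "chancellor.unc.edu@yahoo.com",
    "asdean.unc.edu@gmail.com",
    '"Dean, unc.edu" <random123@outlook.com>',
    "someone@unc.edu",
    "staff@its.unc.edu",
    "friend@example.org",
]


def flagged(headers=SAMPLE_HEADERS):
    """Return (header, reason) pairs for every sender that trips the check."""
    return [(h, r) for h in headers if (r := impersonation_reason(h))]
```

Only the three external senders that mention the institution are flagged; legitimate unc.edu and its.unc.edu senders and unrelated external mail pass.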
2-Step Verification
• Microsoft Multifactor Authentication for Office 365 completed in December 2018
  – Migrated 56,000 accounts in 9 months
  – Required for all faculty, staff, and students
• Duo 2-Step Verification
  – Enrolled 56,000 faculty, staff and students
  – Protection for ConnectCarolina, VPN, administrative accounts, student bill payments, self-service bank deposits, etc.
2-Step is Very Effective!
Compromised accounts by month (2017 / 2018 / 2019):
January: 4 and 81 (one year's value is missing from the extracted slide, so these two cannot be assigned to years)
February: 53 / 36 / 1
March: 133 / 15 / 1
April: 67 / 12 / 0
May: 247 / 11 / 0
June: 148 / 27 / 0
July: 643 / 117 / 1
August: 332 / 64 / –
September: 134 / 19 / –
October: 97 / 4 / –
November: 337 / 1 / –
December: 72 / 0 / –
Phishers are Finding Workarounds
Persistent Threats from Internet
• Evolving, sophisticated, targeted attacks
• Cybercriminals, Nation States
• Mitigation
  – Increased firewall coverage
  – Domain Name System (DNS) filtering (Akamai)
  – Enhanced Intrusion Prevention Service (IPS)
  – Wi-Fi Firewalling
Attacks Blocked Automatically: Firewall (Monthly totals)
Lack of User Awareness
• Revamped security awareness program rolling out in May 2019
  – Compliance increase from 7% to 24%
• https://safecomputing.unc.edu rolled out in November 2018
• Outreach to students at various events
• “Gill the Phish” mascot
• Training for Information Security Liaisons
Limited Resources
• Increased requirements to do formal risk assessments for federal and state studies
• Typical assessment can take 5 weeks
• Long lead times required for
  – NIST 800-171/53 Assessments
  – Vendor assessments
• Below zero unemployment makes recruiting and retention of qualified security staff challenging
Disaster Recovery • Identified as a weakness by state audit • Comprehensive plan developed • Hard copy plan published in January 2019 • Initial tabletop exercise March 2019 • Larger scale tabletop planned for Summer 2019
Local Known Sensitive Data Incidents
Our Top Challenges (Different than Risk) • Staff recruiting and retention • Funding • Insider threats • Meeting growing regulatory requirements • Growing Phishing and social engineering threat • Geopolitical attacks • Asset Management
Decentralized IT Environment
• 400 ITS Personnel
• 250 Do not report to ITS
• Challenges
  – Standardization
  – Compliance with Security policies
  – Visibility of Risks
  – Uncontrolled Proliferation of data, servers and storage
• Governance starts at Provost level
IT Governance
• Enterprise Applications Coordinating Committee
• Remedy Advisory Council
• Communication Technologies Coordinating Committee
• Information Security Coordinating Committee
• Enterprise Data Coordinating Committee
• CIO Advisory Committee
• Carolina Computing Initiative (CCI) Committee
• Research Computing Advisory Committee
• IT Infrastructure Coordinating Committee
Campus Advisory Groups
• Deans of Research & Directors of Centers/Institutes Group
• University Committee for the Protection of Personal Data (UCPPD)
• Enterprise Resource Planning (ERP) Sponsors Group
• CERTIFI (PCI Advisory)
• ConnectCarolina Executive Committee
• IT Executive Council (ITEC)
• Faculty Advisory Committee (FITAC)
How we determine what is needed to secure our data
• Risk assessments to determine weak areas
• Research, formal training, vendor presentations, collaboration with peer institutions to gain knowledge
• Develop overall security strategy
• Governance buy-in, funding
How we determine cyber standards for our data/systems
• Regulatory requirements
  – HIPAA
  – State Auditors
  – ISO 27001/2
  – NIST 800-53/NIST 800-171
  – NIST CSF
  – PCI
  – GDPR
• Incident Lessons Learned
How we decide levels of cyber protection and where to invest • Best Practices • Risk Priorities • Funding available • Incidents • End of equipment life decisions • Incident Lessons Learned
How do we make decisions
• Collaboration
• Consultation
• Governance
  – ITEC
  – IT Infrastructure Coordinating Committee
  – ISO Advisory Committee
How we prioritize which data requires stronger protection • Data classification • Regulatory requirements • Reporting requirements • Best Practices
How we determine the balance between data security and user accessibility
• Continuous conversation.
• The work of the university must continue.
• Too many draconian restrictions will stifle the basic mission of the University, and constituents will find workarounds.
• Instead of being the office of NO, we try to figure out how best to get to YES.
Questions? (8/23/2019)
15 Initiatives
1. Expand 2-step and improve phishing education
2. Implement 1-year password change
3. Strengthen IT security policies
4. Improve user awareness training
5. Identify essential risk assessments
6. Improve risk assessment processes
Recommend
More recommend