[PPT] - Cyb yber er Sec ecurity rity @ UN @ UNC Industr stry y Based PowerPoint Presentation

SLIDE 1

Cyb yber er Sec ecurity rity @ UN @ UNC

Industr stry y Based ed Broadening dening – Information rmation Operat rations ns

Denni nis s Schmid idt Assistant Vice Chancellor for Information Security and Privacy and Chief Information Security Officer

July ly 2019

SLIDE 2

Who We Are

Dennis Schmidt

– Assistant Vice Chancellor, Information Security and Privacy, and Chief Information Security Officer – 22 years at UNC – Retired Naval Officer (24 years active)

Larry Fritsche

– Manager, Security Operations – 15 years at UNC

Mel Radcliffe

– Manager, Risk Team – 3.5 years at UNC

Alex Everett

– Security Architect – 12 years at UNC

SLIDE 3

SLIDE 4

SLIDE 5

We are a Big Campus!

30,011 Students

– 19,117 Undergraduates – 10,894 Graduate & Professional

3,950 Faculty
8,791 Staff
120,000 devices
14 Professional Schools
729 acres on campus
~ 150 buildings

SLIDE 6

A Large and Complex Enterprise

 Millions of personally-identifiable records  1,600+ sensitive/mission-critical computer servers on campus  81 Departments have registered sensitive data servers

Billions of Intrusion Attempts Hundreds of Unique Phishing Campaigns Hundreds of Compromised Accounts 60 Sensitive / Mission Critical Incidents

SLIDE 7

By the numbers…

Intrusion Prevention Systems (IPS)

– On average we daily perform:

350,000 reputation-based blocks
170,000 signature-based blocks
6,400 ad hoc customized blocks
Block millions of additional system

connection attempts daily via our firewalls:

Month

Total Denies Average/day

August 2018

11.2 Billion 361.3 Million

September 2018

11.8 Billion 393.3 Million

October 2018

16.9 Billion 545.2 Million

November 2018

11.5 Billion 376.6 Million

August through November

51.4 Billion 421.3 Million

SLIDE 8 Manning K Cisco Kid Manning L Franklin L UNC School of Med UNC Datacenter Fluffy Fluffy Palo Alto 7050 Palo Alto 5060 Main Campus ResNET MCNC IPS IPS Research Computing Deny inbound Deny inbound Deny inbound Duo 2FA IDS IPS SCEP AV PGP Encryption Splunk Logging UNC HealthCare Med School Qualys Scanners Kerberos Auth LDAP Auth Shibboleth Auth Active Directory/ SCCM NAC Improv Auth KFBS Wireless Connect Carolina Verizon VoIP ADFS EnCase Forensics Granville IPS IPS General Administration 121 Ports Blocked 121 Ports Blocked MacMan MacMan Identity Finder Remote Sites ~20 Border Border NewKid NewKid Palo Alto 7050 Arista TagAgg Eleven Eleven Palo Alto 7050 DNS

F5 LB

DNS Aruba FW RENCI 121 Ports Blocked Business School VPN 121 Ports Blocked Wireless Office 365 Touchnet (Payments) HR Recruitment Departmental Firewall

Athletics Finance Human Resources ITS …

www WordPress CloudApps

F5 ASM Reputation Services

Grey Heller Firewall

SLIDE 9

Data Center Tour

SLIDE 10

ITS Operations Center

3rd Floor of ITS Manning
Staffed 24x7x365
Heart of ITS Network and

Security operations

Communications core during

system incidents and malfunctions

Monitors status of 100,000+

devices and systems

Backup for Alert Carolina

SLIDE 11

Manning Data Center

3rd Floor of ITS Manning
Built in 2007
11,000 square feet
700 tons cooling
Power divided between Ops and

Research

2 Megawatts available power
Generator/UPS backup for Ops
Building Power only for Research side

SLIDE 12

Franklin Data Center

Basement of ITS Franklin (440
W. Franklin)
Renovated in 2006
4,500 square feet
80 tons cooling
500 Kilowatts available power
900 KiloWatt Generator
UPS backup- Batteries and

Flywheels

SLIDE 13

Source: http://www.sourceups.co.uk/hot-aisle-cold-aisle-cooling-explained/

SLIDE 14

Our Top 5 Security Risks

1. Phishing/Vishing
2. Lack of User Awareness
3. Limited Resources
4. Persistent Threats from Internet
5. Disaster Recovery

SLIDE 15

Phishing/Vishing

Phishing attacks from professional teams
f criminal experts continue to plague us

– Spear phishing is becoming very common – Recent increases in “impersonation phishing”

Ex: chancellor.unc.edu@yahoo.com
Ex: asdean.unc.edu@gmail.com

– Vishing (phishing by phone) is not as common, but still an issue

2-Step verification has been our most

effective defense to date

SLIDE 16

2-Step Verification

Microsoft Multifactor Authentication for

Office 365 completed in December 2018

– Migrated 56,000 accounts in 9 months – Required for all faculty, staff, and students

Duo 2- Step Verification

– Enrolled 56,000 faculty, staff and students – Protection for ConnectCarolina, VPN, administrative accounts, student bill payments, self service bank deposits, etc.

SLIDE 17

2-Step is Very Effective!

Compromised accounts 2017 2018 2019 January 4 81 1 February 53 36 1 March 133 15 April 67 12 May 247 11 June 148 27 1 July 643 117 August 332 64 September 134 19 October 97 4 November 337 1 December 72

SLIDE 18

Phishers are Finding Workarounds

SLIDE 19

Persistent Threats from Internet

Evolving, sophisticated, targeted attacks
Cybercriminals, Nation States
Mitigation

– Increased firewall coverage – Domain Names Service (DNS) filtering (Akamai) – Enhanced Intrusion Prevention Service (IPS) – Wi-Fi Firewalling

SLIDE 20

Attacks Blocked Automatically: Firewall (Monthly totals)

SLIDE 21

Lack of User Awareness

Revamped security awareness program

rolling out in May 2019

– Compliance increase from 7% to 24%

https://safecomputing.unc.edu rolled out in

November 2018

Outreach to students at various events
“Gill the Phish” mascot
Training for Information Security Liaisons

SLIDE 22

Limited Resources

Increased requirements to do formal risk

assessments for federal and state studies

Typical assessment can take 5 weeks
Long lead times required for

– NIST 800-171/53 Assessments – Vendor assessments

Below zero unemployment makes

recruiting and retention of qualified security staff challenging

SLIDE 23

Disaster Recovery

Identified as a weakness by state audit
Comprehensive plan developed
Hard copy plan published in January 2019
Initial tabletop exercise March 2019
Larger scale tabletop planned for Summer

2019

SLIDE 24

Local Known Sensitive Data Incidents

SLIDE 25

Our Top Challenges (Different than Risk)

Staff recruiting and retention
Funding
Insider threats
Meeting growing regulatory requirements
Growing Phishing and social engineering

threat

Geopolitical attacks
Asset Management

SLIDE 26

Decentralized IT Environment

400 ITS Personnel
250 Do not report to ITS
Challenges

– Standardization – Compliance with Security policies – Visibility of Risks – Uncontrolled Proliferation of data, servers and storage

Governance starts at Provost level

SLIDE 27

IT Governance

Committee Committee Enterprise Applications Coordinating Committee Remedy Advisory Council Communication Technologies Coordinating Committee Information Security Coordinating Committee Enterprise Data Coordinating Committee CIO Advisory Committee Carolina Computing Initiative (CCI) Committee Research Computing Advisory Committee IT Infrastructure Coordinating Committee

SLIDE 28

Campus Advisory Groups

Group Group Deans of Research & Directors of Centers/Institutes University Committee for the Protection

f Personal Data (UCPPD)

Enterprise Resource Planning (ERP) Sponsors CERTIFI (PCI Advisory) ConnectCarolina Executive Committee IT Executive Council (ITEC) Faculty Advisory Committee (FITAC)

SLIDE 29

How we determine what is needed to secure our data

Risk assessments to determine weak

areas

Research, formal training, vendor

presentations, collaboration with peer institutions to gain knowledge.

Develop overall security strategy
Governance buy-in, funding

SLIDE 30

How we determine cyber standards for our data/systems

Regulatory requirements

– HIPAA – State Auditors – ISO 27001/2 – NIST 800-53/NIST 800-171 – NIST CSF – PCI – GDPR – Incident Lessons Learned

SLIDE 31

How we decide levels of cyber protection and where to invest

Best Practices
Risk Priorities
Funding available
Incidents
End of equipment life decisions
Incident Lessons Learned

SLIDE 32

How to we make decisions

Collaboration
Consultation
Governance

– ITEC – IT Infrastructure Coordinating Committee – ISO Advisory Committee

SLIDE 33

How we prioritize which data requires stronger protection

Data classification
Regulatory requirements
Reporting requirements
Best Practices

SLIDE 34

How we determine the balance between data security and user accessibility

Continuous conversation.
The work of the university must continue.
Too many draconian restrictions will stifle

the basic mission of the University and constituents will find work arounds

Instead of being the office of NO, we try to

figure out how best to get to YES.

SLIDE 35

Questions?

8/23/2019 35

SLIDE 36

15 Initiatives

1. Expand 2-step and improve phishing

education

2. Implement 1-year password change
3. Strengthen IT security policies
4. Improve user awareness training
5. Identify essential risk assessments
6. Improve risk assessment processes

SLIDE 37

15 Initiatives

7. Improve Disaster Recovery planning
8. Make changes proposed in NCOSA audit
9. Improve assessment processes for key IT

controls 10.Continue migrating systems behind firewalls 11.Expand tools and licenses, including vulnerability and preventative tools

SLIDE 38

15 Initiatives

12.Improve monitoring, detection and alert systems to support rapid response 13.Engage campus IT community to design IT systems that are safe 14.Work with System Office to help leverage economies of scale 15.Support training, desirable culture, flexible work schedule to recruit and retain IT security staff