#MCN2017-F7 Lock It Down! Securing Your Museum In a Hacker’s World

SLIDE 1

Lock It Down! Securing Your Museum In a Hacker’s World

Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams
Friday, November 10th, 2017

#MCN2017-F7

SLIDE 2

Panelists

  • Mara Kurlandsky, Project Coordinator for Digital Engagement, National Museum of Women in the Arts, @mkurlandsky
  • Adam Gegg, Director of Information Technology, St. Louis Art Museum, adam.gegg@slam.org
  • Angie Judge, Chief Executive Officer, Dexibit, @angie_dexibit
  • James Vitale, Senior Solutions Architect, L.A. County Museum of Art, jvitale@lacma.org
  • Jeff Williams, Associate Director Technology, Hammer Museum, @cjeffw

SLIDE 3

Agenda

  • When the worst happens…
    ‒ Major breaches in 2017
    ‒ Risk and consequence
    ‒ Lessons learned
  • Trends
  • Responding to museum security challenges in a digital age
    ‒ Infrastructure (plus Q&A)
    ‒ Software (plus Q&A)
    ‒ Users (plus Q&A)
  • The security checklist
  • Priorities and takeaways

SLIDE 4

A question not of if, but when

IF 73% of Americans have fallen victim to cybercrime - why is executive sponsorship for investment in security such a hard sell?

SLIDE 5

When the worst happens...

SLIDE 6

“There should have been a very comprehensive set of policies and procedures for what to do to respond”
- Jonathan Bernstein, President, Bernstein Crisis Management

SLIDE 7

“We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.”
- Alexander Urbelis, Security Expert

SLIDE 8

Most devices and routers rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected.

SLIDE 9

“Forget Bluejacking, BlueBorne doesn’t require the hacker to pair with your device.”

SLIDE 10

“Misconfiguration isn’t a malicious hack in itself, but it is a critical and all too common cybersecurity risk for both institutions and individuals.”
- Wired

SLIDE 11

“What should have been a service interruption error became a devastating data loss when the company discovered its backups were ineffectual.”

SLIDE 12

Risks and consequences

  • Loss of reputation
  • Cost of ransom
  • Loss of data
  • Loss of time
  • Cost of repair

SLIDE 13

Lessons learned

What can we do to keep our museums safe?
  • Stay informed and listen to regular updates and announcements
  • Stay patched (including for bring your own device users)
  • Know your partners and what they’re doing to stay secure
  • Routinely audit your configurations
  • Monitor alerts

SLIDE 14

Institutional technology trends impacting security

  • Mobile, BYOD and IoT
  • Guest WiFi
  • Telecommuting
  • Cloud and open source
  • Social engineering

SLIDE 15

How to respond to security vulnerabilities

  • Infrastructure
  • Software
  • Users

SLIDE 16

Responding to museum security: infrastructure

SLIDE 17

Infrastructure

What needs to be done?

  • Protecting Your Network
    ‒ Physical
    ‒ Wireless
    ‒ Wired
  • Protecting Your Desktop
  • Protecting Your Data

What is needed to do this?

  • Processes
    ‒ Documented
    ‒ Followed
    ‒ Audited
  • Hardware
    ‒ Firewall, switches, etc...

SLIDE 18

Infrastructure

  • Protecting Your Network: Physical Site
    ‒ Work closely with security department to ensure staff and guests aren’t where they shouldn’t be:
        ▪ Visible ID Badges
        ▪ Secured Entry
        ▪ Monitored Access Logs
        ▪ Locking Offices
        ▪ Securing computers in public spaces

SLIDE 19

Infrastructure

  • Protecting Your Network: Wireless Network Security
    ‒ Access Policies & Virtual Local Area Network (VLAN) Configuration
    ‒ Guest WiFi
    ‒ Corporate / Internal WiFi
        ▪ MAC Address filtering
        ▪ Domain Authentication

SLIDE 20

Infrastructure

  • Protecting Your Network: Wired Network Security
    ‒ Ethernet Ports / Port Security
        ▪ MAC Address
    ‒ Access Policies & VLAN Configuration
    ‒ Network Authentication and User Management
        ▪ Active Directory
        ▪ Processes to ensure only active staff have active accounts
    ‒ Firewall & Security Appliances

Cisco 5585-X Adaptive Security Appliance: Firewall, VPN, and Intrusion Prevention System

SLIDE 21

Infrastructure

  • Protecting Your Network: Data Security
    ‒ Backup Policy
        ▪ RPO - Recovery Point Objective
        ▪ RTO - Recovery Time Objective
        ▪ DR/BC - Disaster Recovery / Business Continuity
    ‒ Backup Appliances
    ‒ Offsite / Onsite Options (Cloud considerations)
        ▪ AWS, Iron Mountain, etc...

SLIDE 22

Infrastructure

  • Preventive
    ‒ Firewall (Network Intrusion)
    ‒ Data Backups (Ransomware Protection)
    ‒ Endpoint Protection
        ▪ “0-day” virus attacks
        ▪ Known virus attacks
        ▪ Email/Chat/Browser Clients
        ▪ File Attachments / Downloads / Quarantining Infected Files

SLIDE 23

Q&A

INFRASTRUCTURE

SLIDE 24

Responding to museum security: software

SLIDE 25

Software

  • Protecting Your Network
    ‒ Threat Avoidance & DNS
    ‒ Monitoring & Alerts
  • Protecting Your Desktop
    ‒ Antivirus / Endpoint Protection, Anti-Malware
    ‒ Application Whitelisting
  • Remote Access Solutions

SLIDE 26

Protecting Your Network: Threat Avoidance & DNS

Domain Name System (DNS) is at the foundation of the internet.
All modern malware relies on DNS to function.

Cisco Umbrella (OpenDNS) - Network Protection as a service

  • 100B requests/day, 86M daily active users
  • Ease of implementation / support
  • Policy based (staff v. guest wifi)
  • Protects remote users, laptop, iOS and Android

Threat Avoidance v. Content Filtering
Stop threats before they reach your edge.
Best single security investment. ($18/u/y)

SLIDE 27

Protecting Your Network: Domain Name System

SLIDE 28

Protecting Your Network: Monitoring & Alerts

Configure alerts so that you can focus on what matters and not spend all day reading log files.
Active resource monitoring lets you spot performance problems before they affect production.

Free: Spiceworks
Enterprise: SolarWinds, Microsoft System Center Operations Manager (SCOM)

At SLAM we use SCOM for performance and security monitoring of our servers. SCOM integrates with Operations Manager in Azure to aggregate performance, health and security status on our servers and workstations and VMware and Network resources.

SLIDE 29

Protecting Your Desktop: Anti-virus/Anti-malware

Traditional v Next-Gen Antivirus

“A traditional AV solution is limited to detecting only the malware it knows. If the threat is not known, not analyzed and not recorded in the DAT file, or if the DAT file is not updated, or if the attack doesn’t use malware in the first place, the protection offered is nonexistent for that class of threats.” - SANS.ORG

Traditional:
  • Less expensive
  • Needs more management - updates
  • Can be less effective
But used as one component in a larger cybersecurity stack, traditional AV can be perfectly adequate.

Next-Gen:
  • Can be much more expensive
  • Less management required
  • Novel technologies - machine learning, cloud analytics, managed hunting
Due to the high cost, next-gen AV solutions may be more appropriate for industries like finance and healthcare.

SLIDE 30

Protecting Your Desktop: Application Whitelisting

Prevents programs from running unless they are specifically permitted by policy. This includes packaged apps, executables, installer scripts and DLLs.
  • AppLocker is built into Windows 10 (all flavors) and Windows 7 Ultimate and Enterprise (Not Professional)
  • Managed via Group Policy Object (GPO)
  • Deployed via AD Security Group
  • Filters by Publisher, Path or File Hash
  • Run it in Audit Mode and review the logs to see what would be blocked before you go live!
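
One way to do the audit-mode log review recommended above, as an added PowerShell example that is not part of the presentation. Event IDs 8003 and 8006 are the AppLocker events logged when a file ran only because the policy was not yet enforced; the sample events, SIDs, paths and the helper names are constructed for illustration.

```powershell
# Audit-mode events: the file ran, but enforcement would have blocked it.
#   8003 = EXE/DLL, 8006 = script/MSI
$AuditIds = 8003, 8006
$Logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

function ConvertFrom-AppLockerEventXml {
    # Extract the fields needed to decide on a Publisher, Path or Hash rule.
    param([Parameter(Mandatory)][string]$Xml)
    $d = ([xml]$Xml).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        FilePath  = $d.FilePath
        Publisher = $d.Fqbn
        UserSid   = $d.TargetUser
    }
}

function Get-AppLockerAuditSummary {
    # One row per file: how often it ran and for how many distinct users.
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-AppLockerEventXml -Xml $_ } |
        Group-Object -Property FilePath | ForEach-Object {
            [pscustomobject]@{
                Hits      = $_.Count
                Users     = @($_.Group.UserSid | Sort-Object -Unique).Count
                Publisher = $_.Group[0].Publisher
                FilePath  = $_.Name
            }
        } | Sort-Object -Property Hits -Descending
}

# Constructed sample events, trimmed to the elements read above.
function New-SampleEvent([string]$Sid, [string]$Path, [string]$Fqbn) {
    "<Event><UserData><RuleAndFileData><TargetUser>$Sid</TargetUser>" +
    "<FilePath>$Path</FilePath><Fqbn>$Fqbn</Fqbn></RuleAndFileData></UserData></Event>"
}
$sample = @(
    New-SampleEvent 'S-1-5-21-0-0-0-1001' '%OSDRIVE%\TOOLS\LABELPRINT.EXE' '-'
    New-SampleEvent 'S-1-5-21-0-0-0-1002' '%OSDRIVE%\TOOLS\LABELPRINT.EXE' '-'
    New-SampleEvent 'S-1-5-21-0-0-0-1001' '%OSDRIVE%\USERS\A\DOWNLOADS\SETUP.EXE' '-'
)
Get-AppLockerAuditSummary -EventXml $sample | Format-Table -AutoSize

# Live use on a PC under an audit-only policy:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = $Logs; Id = $AuditIds } |
#              ForEach-Object { $_.ToXml() }
#   Get-AppLockerAuditSummary -EventXml $xml
```

Files with many hits across several users are the ones that need an allow rule before enforcement; single hits from a user's download folder are usually what the policy is meant to stop.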
SLIDE 31

Remote access

Three common methods of remote access:

  • Remote Desktop via Web
  • VPN Client
  • LogMeIn

SLIDE 32

Remote access

Remote Access methods compared

Remote Desktop via web
Strengths
  • No client software to install
  • Win/Mac/iOS friendly
  • No actual data transfer in/out
  • Users managed via A/D
  • Single Sign-On
Weaknesses
  • Complicated initial setup
  • Security concerns/firewall access
  • Requires deep IT knowledge to admin
  • Limited access to network storage

LogMeIn
Strengths
  • Easiest setup & management
  • 2-factor auth available
  • No client software to install
  • Easy access to network storage
Weaknesses
  • Ties up an actual PC while in use
  • User management duplication

VPN
Strengths
  • Puts remote PC on internal network
  • Win/Mac/iOS clients exist (mostly)
  • Access to network storage
Weaknesses
  • Complicated set-up & management
  • Requires client software install
  • Enterprise apps must be on remote PC
  • Puts remote PC on internal network

SLIDE 33

Q&A

SOFTWARE

SLIDE 34

Responding to museum security: users

SLIDE 35

Keeping Users Secure

  • Mobile Security
  • Endpoint Security
  • Online Behaviors
  • Offline Behaviors
  • IT / HR Partnership
SLIDE 36

Keeping Users Secure

  • Mobile Security
    ‒ Enable extra layers of security
    ‒ Install and test location-finding software
    ‒ Install anti-virus software
    ‒ Regularly check for firmware and security updates

SLIDE 37

Keeping Users Secure

  • Endpoint Security
    ‒ Anti-virus Solutions
    ‒ Anti-malware Solutions
    ‒ Effective
    ‒ Regularly check for firmware and security updates

SLIDE 38

Keeping Users Secure

  • Online Behaviors
    ‒ Mindfulness around unfamiliar links
    ‒ Be a conscientious web browser
    ‒ Posting security-sensitive data on Social Media
    ‒ Social Media Authentication vs. Password Vault Solutions
    ‒ User Awareness Training: “If you see something, say something”
    ‒ Executive buy-in on user training

SLIDE 39

Keeping Users Secure

  • Offline Behaviors
    ‒ Locking your PC
    ‒ Locking down your laptop (cable locks, keep out-of-sight, etc.)
    ‒ Eliminate writing down passwords
    ‒ Printing secure documents and removing them from the workplace
    ‒ “Clear desk” policy
    ‒ External Storage Device policy (thumb drives, etc.)

SLIDE 40

Keeping Users Secure

  • IT / HR Partnership
    ‒ Off-board / On-boarding
    ‒ Changes in Roles/Responsibilities
    ‒ Fraudulent Internal Security Threats
    ‒ Security Trainings and Threat Communications
        ▪ Frequency, Content and Format
        ▪ Target Audiences
        ▪ Certification, Test Drills, Compliance

SLIDE 41

Q&A

USERS

SLIDE 42

Takeaways

  • Angie: “Make sure your security compliance and risk metrics are a core governance item”
    @angie_dexibit | angie@dexibit.com
  • Adam: “OpenDNS/Umbrella is the best security investment you can make (it’s FREE!!!)”
    adam.gegg@slam.org
  • Mara: “Make sure someone is thinking of security. Know where to get advice. And: quit sharing passwords.”
    @mkurlandsky | mkurlandsky@nmwa.org
  • James: “Always manually type in the URLs of websites you receive through email or IMs.”
    jvitale@lacma.org
  • Jeff: “Our people are our greatest asset and risk when it comes to cyber security.”
    @cjeffw | jwilliams@hammer.ucla.edu

SLIDE 43

Thank you
