#MCN2017-F7 Lock It Down! Securing Your Museum In a Hackers World - PowerPoint PPT Presentation

#MCN2017-F7 Lock It Down! Securing Your Museum In a Hacker’s World Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams Friday, November 10th, 2017

Panelists Mara Kurlandsky Adam Gegg Angie Judge James Vitale Jeff Williams Project Coordinator for Director of Chief Executive Senior Solutions Associate Director Digital Engagement Information Technology Officer Architect Technology National Museum of St. Louis Dexibit L.A. County Hammer Museum Women in the Arts Art Museum Museum of Art @cjeffw @mkurlandsky adam.gegg@slam.org @angie_dexibit jvitale@lacma.org #MCN2017-F7 02 MCN 2017

Agenda • When the worst happens… ‒ Major breaches in 2017 ‒ Risk and consequence ‒ Lessons learned • Trends • Responding to museum security challenges in a digital age ‒ Infrastructure (plus Q&A) ‒ Software (plus Q&A) ‒ Users (plus Q&A) • The security checklist • Priorities and takeaways #MCN2017-F7 03 MCN 2017

A question not of if, but when 73% IF of Americans have fallen victim to cybercrime - why is executive sponsorship for investment in security such a hard sell? #MCN2017-F7 04 MCN 2017

When the worst happens... Securing Your Museum in a Hacker’s World Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams 05 MCN 2017

“There should have been a very comprehensive set of policies and procedures for what to do to respond” Jonathan Bernstein. President Bernstein Crisis Management” #MCN2017-F7 06 MCN 2017

“We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.” - Alexander Urbelis, Security Expert #MCN2017-F7 07 MCN 2017

Most devices and routers rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected. #MCN2017-F7 08 MCN 2017

“Forget Bluejacking, Blueborn doesn’t require the hacker to pair with your device.” #MCN2017-F7 09 MCN 2017

“Misconfiguration isn’t a malicious hack in itself, but it is a critical and all too common cybersecurity risk for both institutions and individuals.” - Wired #MCN2017-F7 010 MCN 2017

“What should have been a service interruption error became a devastating data loss when the company discovered its back ups were ineffectual.” #MCN2017-F7 011 MCN 2017

Risks and consequences Loss of reputation Loss of time Cost of ransom Cost of repair Loss of data #MCN2017-F7 012 MCN 2017

Lessons learned What can we do to keep our museums safe? • Stay informed and listen to regular updates and announcements • Stay patched (including for bring your own device users) • Know your partners and what they’re doing to stay secure • Routinely audit your configurations • Monitor alerts #MCN2017-F7 013 MCN 2017

Institutional technology trends impacting security Mobile, BYOD Guest WiFi Telecommuting Cloud and Social and IoT open source engineering #MCN2017-F7 014 MCN 2017

How to respond to security vulnerabilities Users Software Infrastructure #MCN2017-F7 015 MCN 2017

Responding to museum security: infrastructure Securing Your Museum in a Hacker’s World Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams 016 MCN 2017

Infrastructure What is needed to do this? What needs to be done? • Processes • Protecting Your Network ‒ Documented ‒ Physical ‒ Followed ‒ Wireless ‒ Audited ‒ Wired • Hardware • Protecting Your Desktop ‒ Firewall, switches, etc... • Protecting Your Data #MCN2017-F7 017 MCN 2017

Infrastructure • Protecting Your Network: Physical Site ‒ Work closely with security department to ensure staff and guests aren’t where they shouldn’t be: ▪ Visible ID Badges ▪ Secured Entry ▪ Monitored Access Logs ▪ Locking Offices ▪ Securing computers in public spaces #MCN2017-F7 018 MCN 2017

Infrastructure • Protecting Your Network: Wireless Network Security ‒ Access Policies & Virtual Local Area Network (VLAN) Configuration ‒ Guest WiFi ‒ Corporate / Internal WiFi ▪ MAC Address filtering ▪ Domain Authentication #MCN2017-F7 019 MCN 2017

Infrastructure • Protecting Your Network: Wired Network Security ‒ Ethernet Ports / Port Security ▪ Mac Address ‒ Access Policies & VLAN Configuration Cisco 5585-X Adaptive Security ‒ Network Authentication and User Management Appliance: Firewall, VPN, and Intrusion Prevention System ▪ Active Directory ▪ Processes to ensure only active staff have active accounts ‒ Firewall & Security Appliances #MCN2017-F7 020 MCN 2017

Infrastructure • Protecting Your Network: Data Security ‒ Backup Policy ▪ RPO - Recovery Point Objective ▪ RTO - Recovery Time Objective ▪ DR/BC - Disaster Recovery / Business Continuity ‒ Backup Appliances ‒ Offsite / Onsite Options (Cloud considerations) ▪ AWS, Iron Mountain, etc... #MCN2017-F7 021 MCN 2017

Infrastructure • Preventive ‒ Firewall (Network Intrusion) ‒ Data Backups (Ransomware Protection) ‒ Endpoint Protection ▪ “0-day” virus attacks ▪ Known virus attacks ▪ Email/Chat/Browser Clients ▪ File Attachments / Downloads / Quarantining Infected Files #MCN2017-F7 022 MCN 2017

Q&A INFRASTRUCTURE 023 MCN 2017

Responding to museum security: software Securing Your Museum in a Hacker’s World Mara Kurlandsky, Adam Gegg, Angie Judge, James Vitale, Jeff Williams 024 MCN 2017

Software • Protecting Your Network ‒ Threat Avoidance & DNS ‒ Monitoring & Alerts • Protecting Your Desktop ‒ Antivirus / Endpoint Protection, Anti-Malware ‒ Application Whitelisting • Remote Access Solutions #MCN2017-F7 025 MCN 2017

Protecting Your Network: Threat Avoidance & DNS Domain Name System (DNS) is at the foundation of the internet All modern malware relies on DNS to function Cisco Umbrella (OpenDNS) - Network Protection as a service ● 100B. requests/day, 86M. daily active users ● Ease of implementation / support ● Policy based (staff v. guest wifi) ● Protects remote users, laptop, iOS and Android Threat Avoidance v. Content Filtering Stop threats before they reach your edge. Best single security investment. ($18/u/y) #MCN2017-F7 026 MCN 2017

Protecting Your Network: Domain Name System #MCN2017-F7 027 MCN 2017

Protecting Your Network: Monitoring & Alerts Configure alerts so that you can focus on what matters and not spend all day reading logfiles. Active resource monitoring lets you spot performance problems before they affect production Free: Spiceworks Enterprise: Solarwinds , Microsoft System Center Operations Manager ( SCOM ) At SLAM we use SC0M for performance and security monitoring of our servers. SCOM integrates with Operations Manager in Azure to aggregate performance, health and security status on our servers and workstations and VMware and Network resources. #MCN2017-F7 028 MCN 2017

Protecting Your Desktop: Anti-virus/Anti-malware Traditional v Next-Gen Antivirus “A traditional AV solution is limited to detecting only the malware it knows. If the threat is not known, not analyzed and not recorded in the DAT file, or if the DAT file is not updated, or if the attack doesn’t use malware in the first place, the protection offered is nonexistent for that class of threats.” - SANS.ORG Traditional: Next-Gen: ● ● Less expensive Can be much more expensive ● ● Needs more management - updates Less management required ● ● Can be less effective Novel technologies - machine learning, cloud analytics, managed hunting But used as one component in a larger Due to high cost, industries like finance and healthcare cybersecurity stack traditional AV can be may be more appropriate for next-gen AV solutions. perfectly adequate. #MCN2017-F7 029 MCN 2017

Protecting Your Desktop: Application Whitelisting Prevents programs from running unless they are specifically permitted by policy. This includes packaged apps, Executables, Installer Scripts and DLLs ● AppLocker is built into Windows 10 (all flavors) and Windows 7 Ultimate and Enterprise (Not Professional) ● Managed via Group Policy Object (GPO) ● Deployed via AD Security Group ● Filters by Publisher, Path or File Hash ● Run it it Audit Mode and review the logs to see what would be blocked before you go live! #MCN2017-F7 030 MCN 2017

Remote access Three common methods of remote access - Remote Desktop via Web VPN Client LogMeIn #MCN2017-F7 031 MCN 2017