With the Wyndham Worldwide and Target breaches and reliance by organizations on third party vendors, contractor risk is an increasing priority for boards, executives, IT and cybersecurity leaders. Not only are there risks to personal and financial data and IT systems, there are also risks to connected industrial control systems. How are boards viewing and addressing third party cyber risk? What are key considerations for developing a third party vendor cybersecurity management program? What are approaches to vendor evaluation, contracting and ongoing management. What are compliance considerations? How are efforts to strengthen the cybersecurity of vendor ecosystems progressing?
A high-level overview of the DNS firewall architecture and implementation at Virginia Tech and how the system is used to protect client machines from malicious sites and code on the Internet. The presentation will cover the design and infrastructure (hardware, software, networking), custom source code (database and API) and daily processes used to implement and operate the system.
Public-facing web applications can introduce vulnerability into an otherwise secure environment. Both open-source and commercial products can have hectic patch release schedules as new vulnerabilities are discovered, and application administrators can (and do) neglect upgrading for various reasons. The question becomes not if the application will be compromised, but when and how. Based on a recent investigation of a compromise of a CMS server, we will discuss various methodologies for verifying integrity of the application itself, inspecting back-end databases, and releasing content to the owner. We will also discuss strategies to protect and adequately log application activity.
With the emergence of DevOps models and cloud service provisioning, expediency in provisioning of services is one of the top priorities for many business units across organizations. The inability for IT to quickly meet the needs of these business units can often drive units to adopt shadow IT operations through other service providers, and thus lead to the potential loss of control on sensitive data and information. This presentation will follow VCU's journey in establishing a system provisioning process, and over the years transforming this process with the goal of providing the needed expediency to its customers while maintaining a reasonable expectation of quality and security for its assets. The presenters will discuss the evolution of the system provisioning process and the role of security, in addition to challenges and lessons learned through the transformation. Additionally, the presenters will discuss future plans for the process as it further matures.
Over the course of the past two years, the University of Virginia has worked to create a computer system and network that would be compliant with the NIST 800-171 standards for Controlled Unclassified Information (CUI). From a starting point of a high-level committee, through an inventory of current systems and networks and a process of establishing both what was required for compliance and how we met that control, we strove to meet compliance without creating a new, separate, compute system for researchers. This spring, with the help of an outside consultant, we completed our first Systems Security Plan (SSP) and Plan of Action and Milestones (POAM) for a DOD grant for our so-called Ivy-CUI compliant system. This talk will review the highlights of march to CUI compliance and look at some topics on the CUI horizon.
Maximize your IT Security office and operations with student internships. We will talk about our office culture and program in utilizing interns across our analyst and engineering operations. From hiring to integrating and making operational various roles to achieve better outcomes for your office as well as the individual student interns. At least one of our current interns will join the presentation and discussion. Please come see what it is like to work in our office as a student intern.
People are central to any cybersecurity strategy. Cybersecurity is a team sport. Yet people are often denigrated as the weakest link. We continue to spend countless funds on technology and not enough attention is devoted to people and governance. Through culture and teamwork fostered through leadership, people can be our greatest strength. Leadership is the key element of success of any organizational cybersecurity strategy.
In a piece recently published, Dr. Mansur Hasib explained why cybersecurity is people powered perpetual innovation. Such a culture makes cybersecurity and digital strategy powerful innovation, productivity, and revenue drivers for organizations.
In this session Dr. Hasib covers the following key topics: Role of people and innovation in cybersecurity Inspiring innovation and leadership in everyone Building teams of leaders
In today’s cyber landscape with both the frequency and cost of breaches rising, what can be done to harness the power of existing compute, network and storage infrastructure for the purpose of greater cybersecurity readiness? This session will explore the ability to up level an organization’s security posture by focusing on key aspects of data center architecture that enable greater visibility, protection and threat detection. By augmenting and instrumenting existing compute, network and storage components within the data center, analytical threat data can be greatly enhanced thereby increasing the speed and fidelity in which a response and recovery can be orchestrated. This enhanced visibility into application behavior and communication patterns allows the infrastructure to protect applications at a least privileged level thereby significantly narrowing the attack surface. The session will include examples of higher education institutions that have implemented this approach and discuss the benefits they have realized. Benefits include compliance with relevant higher education security standards to include NIST, PCI and HIPAA. Cyber-enabling data center architecture allows organizations to take the next step in maturing their approach to cybersecurity and establishing a secure and compliant IT landscape.
We all know that being compliant and auditable is not the same as being secure. Yet, we need to be prepared to defend our information security practice at any time if called into court or in response to a compromise. Our audit preparation is an exercise in defending out practice. No school has resources to administer an audit\compliance program that produces a complete audit trail for all of the services and systems across their technical ecosystem. A risk-based approach is essential to focusing the most effort on the highest risk. Data Classification and Business Impact Classifications are critical to identifying those risks. Data Governance that is codified in policies, standards and procedures are essential to defining Data Classifications and Business Impact Classifications. Audit preparation starts with our standards and applies risk-based practices that allow schools with limited resources to focus on securing and defending the highest risks, without spending precious resources on lower risk services and systems. Without proper audit prep, we will surely spend too much time on lower risks, and put our most vital resources at even greater risk!
We'll present our journey of rolling out an ITGRC tool to improve the security posture around Mason’s IT resources. We introduced workflows to ITS and distributed IT partners in phases, which include inventory and classification of University servers (CIS Control #1), and formalizing a risk management process via vulnerability and control information.
Overview of basic building blocks for resiliency, intelligence, detection, and response capabilities that lay the groundwork for more effective proactive hunting capabilities as organizations mature their cyber defense functions.
As you know, impostor email continues to be a challenge for most security professionals. We will discuss the various tactics used to impersonate a domain, brand, and supply chain partner. This session will discuss the email threat landscape, how to identify potential exposure and how to leverage authentication methods such as DMARC to protect your faculty, students, brand, and alumni.
The tools and appliances available within the IT landscape have expanded the analysis and monitoring capabilities available to IT security personnel. However, these tools, like FireEye, Nessus, Rapid7, Bro and Kibana, rarely integrate with each other and are often not designed to play well outside their defined scope. While Security Analysts have more power at their fingertips than ever before to identify and track down threats, without an automated way to connect these systems, numerous cycles are wasted performing tedious tasks that detract from time that could be spent better understanding and monitoring the security threats faced by the university.
The IT Security Office has developed several web applications and tools that leverage the APIs of various security appliances, Google Drive and Service-Now in order to provide connective tissue where appropriate and eliminate manual data entry whenever possible. Each tool facilitates the adoption of the CIS Controls and allows Security Analysts to focus on performing incident analysis rather than data entry or dealing with ticket system tedium.
FEINT, the FireEye ITSO Notification Tool, is part of ITSO’s Malware Defense, CIS Control 8. HOIST, the Hands-Off ITSO Scanning Tool, ties into ITSO’s Boundary Defense, CIS Control 12. CRIT, the Credential Reset Incident Tool, is a web application that addresses CIS Control 16. SLIC, the Security Log Incident Creator.
Mason has put together a group focused on reviewing incoming technology to identify risk, and mitigation strategies to reduce that risk. This includes working with internal university groups, vendors, and subject matter experts both inside and outside the IT departments. This presentation will go over a brief history of how and why the group was formed, its maturation process, and how the process has improved Mason’s security posture.
A contributing factor to leveling up your information security program is to understand and leverage independent external IT security audits, such as those provided by the Auditor of Public Accounts (APA). This presentation will provide an overview of the IT security audit function at the APA, including a behind the scenes look at planning audits, performing test work, and reporting audit results. The presentation will also examine security standards & best practices, designing technical audit programs, and automated control evaluation tools & resources. Lastly, attendees will be provided tips on how to prepare for an upcoming IT audit and an overview of current and potentially future trends in IT auditing.
Today’s market for anti-virus products has significantly changed over the last several years as existing vendors add new functionality to compete with “next-generation” entrants to the market built on machine learning and cloud-based threat intelligence sharing. To add further complexity, many endpoint detection and response (EDR) vendors have now adopted preventative capabilities. What decision points should your institution consider when determining if it is time to consider new solutions and how should you scope the search? Old Dominion conducted a thorough evaluation of the endpoint protection platform (EPP) market earlier this year to assess the effectiveness of new solutions versus what was currently deployed. This session will cover our approach to the evaluation, and provide some suggestions for how to conduct one at your institution.
You cannot really appreciate 'Leveling Up' without an understanding of where you have been. This presentation will highlight some of the 'basic principles' used in Cybersecurity today through true stories from the past where things did not always go right, including one story never told in public before.
Our presentation will illustrate how a survey platform may be used to help identify and measure risk and achieve compliance across an institution. We will cover specific Qualtrics use cases including a university-wide departmental risk management assessment, an analysis of the flow of Controlled Unclassified Information (CUI) across multiple information systems, and a third party risk evaluation of prospective hospital vendors.
Many of us are trying to do more with less headcount by adding functions to an already overwhelmed staff. The next thing you know you the team is faced with an enormous unplanned challenge: a new regulatory requirement, new operational challenges, or may an unfortunate event like a breach or malware explosion. Moving up the Capability Maturity Model is more than just reacting and increasing capabilities – its maturing processes to not only simplify but streamline for faster turnaround to allow more time to improve your environment (adding that new IAM system) or responding to internal requests or unplanned challenges. This presentation will walk through examples of how to improve or create processes to simplify security without “watering it down” and help security employees change how they view the “everyday” by examining what the time and effort is spent on and how to reduce or improve the through/output.
In June 2017, The National Institute of Science and Technology (NIST) Special Publication 800-63-3b established new guidelines with regard to how organizations should vet user passwords. Rather than composition policies that require a certain number of character sets, NIST now recommends that organizations check passwords against a list of banned passwords and reject those that are found on the list. As of July 2018, the list of known compromised passwords, alone, numbers more than half a billion strings. And, this number is expected to grow even larger as more online sites are compromised. The Virginia Tech IT Security Office solved this problem by using a bloom filter running in a small Docker container in AWS. This talk will discuss the design and operation of this new service. Full source code along with working examples will be provided.
This session will focus on Artificial Intelligence/Machine Learning and how these technologies relate to Information Security. Due to the wide range of readily available resources for creating malicious payloads, such as coders for hire and Software as a Service, malware is an exponentially growing issue. Threat actors are able to rapidly assemble and deploy high volumes and varieties of malicious code to unsuspecting users. Current malware management models are simply overwhelmed or incapable of providing complete protection while reducing false positives toward that magical zero rate. We will provide a view into a system comprised of highly efficient deep machine learning neural networks that are currently deployed and proactively defeating malware attacks. Learn about the future of this system and how it will be further leveraged into broader operational use. This system is not just a concept. It is an operational game changer.
The Virginia Cyber Range has a mission to enhance cybersecurity education in the Commonwealth's high schools and colleges. We provide cloud-based network infrastructure for experiential learning in isolated network environments, as well as courseware to enhance cybersecurity classes. We also provide capture-the-flag environments to educators across the state, and host multiple annual collegiate cybersecurity competitions. Our unique approach is cost-effective, user-friendly, and a model for others. During this talk and demo, we will describe our progress and discuss lessons learned while using cloud resources in a unique way. While we are currently a Virginia resource, we plan to expand availability in the coming year to users outside of Virginia.
The CAN-SPAM law was designed by Congress to set national standards for commercial email and help consumers cope with the onslaught of spammers. Fifteen years after this law’s enactment, both large and small businesses are either unaware or ignoring the detailed requirements of CAN-SPAM. This presentation will review the basics of CAN-SPAM and show university security professionals how to leverage this law to reduce spam and phish and hold companies accountable for their actions. Vendors should also attend this presentation to understand how to design more effective email communications.
Validating potential incidents or indicators of compromise (IOCs) in today’s fast paced environment can be somewhat overwhelming and difficult. Sometimes a team does not believe they have all of the tools and resources to quickly and accurately identify, verify, and rectify a potential indicator in their environment in time. Sometimes these investigations are performed yet may leave out valuable key pieces of data that would benefit the prevention or hardening against future similar attacks. Everyone wants the expensive and shiny tool that vendors offer, but sometimes budgets do not always allow teams access to the latest and greatest, and honestly, not all tools are equal. Relying on one piece of data for IOC validation is a bad idea, even if that resource is the best in the industry. The approach is to use not only the tools you have, but to augment them with existing open source tools that will enrich your investigation, provide accuracy, and supplement your ability to quickly and accurately respond to valid threats in order to increase your security team’s effectiveness. The purpose of this presentation will be to walk users through the value of Open Source Intel and how to use the tools available effectively to help research and identify potential issues during an incident response engagement.
