"Passwords are No Longer Sufficient"
Brian Rivers, University of Georgia

- For systems that provide access to sensitive and restricted information systems
- Requires something you have (hardware token) in addition to something you know (username + password)
- Over 1700 employees currently using ArchPass to access these systems

Session Outcomes
- Understand how ordinary user credentials are no longer sufficient and how multi-factor authentication adds an additional layer of protection that would have prevented recent incidents
- Understand how multi-factor authentication can integrate into complex, decentralized technical architectures in a timely and cost-effective manner
- Understand the human dimension: placing the implementation in the context of business functions and user requirements, and involving critical stakeholders across the institution

Session Outcomes
- This could save your bacon.
- "So easy a caveman can do it."
- We really can play nice in the sandbox.

The Threat

Data Breaches in the News
June 17th, 2013 20:53 GMT, by Eduard Kovacs

Victims by Location (data breaches, 2012)
- 73% (headline figure on the slide)
- Australia 7%
- Canada 3%
- UK 2%
- Brazil 1.2%
- Other 20.8%
Data source: Trustwave Global Security Report

Attackers by Location
- 29% originated in US
- Romania 33.4%
- Ukraine 4.4%
- China 3.9%
- Unknown 14.8%
Data source: Trustwave Global Security Report

Phishing / Malicious Spam
- 10% of spam emails sent daily are malicious
- 14 billion malicious spam daily
- 9.8 billion messages contain links to websites that will infect your computer
Data source: Trustwave Global Security Report

Phishing Attacks

                     Phishing    Spear Phishing          Whaling
  Target(s)          Anyone      Group or organization   Specific person or team
  Research required  Minimal     Moderate                Substantial
  Believability      Medium      High                    Very High
  Sophistication     Minimal     Moderate                Substantial
  Goal               Identities / access to system or network (all three)

Data source: http://markn.ca/2011/whaling/

The Response

Changing the Culture
- Creating awareness: "Information security is non-negotiable, and it's everybody's business"
- Accept change: "Institutions need to adopt common sense measures that move the pendulum back so that a balance is struck between user convenience and security"
- Invest in technology: "Tools such as anti-virus, digital loss prevention (DLP) software, and multi-factor authentication reduce attack surfaces dramatically"

ArchPass - Business Functionality and User Impacts

UGA Culture and Background
- UGA has a strong culture of compliance and a willingness to improve information security; however, ArchPass would need to overcome:
  - UGA's decentralized administrative structures
  - Institutional skepticism and reluctance to add administrative burden

Business Functionality and Impacts

Role of the Administrative Systems Advisory Council (ASAC)
- Involve UGA business units and stakeholders with shared responsibility in the delivery and support of the information technology, application, and data needs of the University community.
- Represent the entire University when making administrative system recommendations. Thus ASAC has broad representation from each of the Vice Presidents and major units, and extends itself to gather feedback from special interest groups.

ASAC Approach to ArchPass
- Review the initial proposal from the VP for IT for phase one of a multi-factor authentication program.
- Recommend criteria for systems required to use ArchPass, policy and procedure, and an exception process.
- Gather input and feedback on the recommendations from University-wide user groups.
- Provide this feedback to IT. This feedback was key to implementing a program with University-wide acceptance. The user community was part of the decision-making and the overall process.

Key Concerns Expressed by Users and ASAC
- Creating an exception process (both opt-in and opt-out) with appropriate vetting, risk assessment, and functional and technical management approval.
- Access to systems from off-site locations, especially during emergencies.
- University recognition that this was 'Phase I' and not 'end state'. Need to monitor, adjust, and update policy/procedure over time.

Post Implementation Feedback
- "It is easy to use."
- "Has become a way of life, just like using my UGA ID card for building access."
- Status symbol of sorts: "My co-worker has an ArchPass, why don't I have one?"

Implementation

Multifactor Authentication Strategy
The University of Georgia elected to deploy a network (VPN) based 2-factor authentication using hardware tokens. Decision factors were:
- Timeliness of deployment
- Diversity and age of platforms being protected
- Supportability of authentication platform

Secure Zone Architecture
[Architecture diagram; components recoverable from the slide:]
- Internet, VPN, External Firewall, UGA Network
- 2 Factor Authenticated VPN Group: dedicated IP range; specific DC firewall permissions
- Data Loss Prevention; Security Event Monitoring; Vulnerability Assessment
- Internal Firewall; F5 BigIP (load balancer, SSL termination)
- Secure Zone: BDC, Virtual Desktop
- Network Monitoring: SSNCap, NetFlow, SNORT, ASSETs pcap

ArchPass Project Timeline
[Timeline graphic; no text recovered.]

The Technology

Network Level Multifactor
Pros:
- No application modifications needed for integration (good option for legacy applications)
- Central logging of network behaviors
- Protects against application and OS authentication vulnerabilities
- Leverages tried and true VPN security technology
Cons:
- VPN client required for access
- Possible spoofing risks if done incorrectly

Hardware Token Solution
Pros:
- Tried and true solution
- Lower complexity in support model
- Avoids BYOD support and function issues
- Avoids multi-platform support issues
Cons:
- Deployment overhead
- Per-unit hardware/software cost is higher
- Software tokens are currently under investigation for Phase 2

Data Containment Strategy
The University of Georgia deployed a Secure Virtual Desktop Infrastructure along with Data Loss Prevention technology within the secure network zone.
- Glove box for user data processing
- Controlled desktop with application safe-listing
- Highly restricted browser access
- Detailed access and use logging

Cost Estimates
Below are possible cost estimates for a 500 user implementation.

  Item             Initial Costs
  500 Tokens       $20,000
  Incidentals      $5,000
  Cisco ASA 5555   $16,437
  Total            $41,437

Annual maintenance: $3,000 plus $2,250 (Cisco ASA 5555) = $5,250
3 year TCO: $51,937
5 year TCO: $62,437

UGA ongoing support estimate: approximately 1/3 FTE.

Questions
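The Secure Zone Architecture and Network Level Multifactor slides describe a 2-factor VPN group with a dedicated IP range, DC firewall permissions keyed to that range, and a spoofing risk "if done incorrectly". The following is an added example, not UGA's configuration: it models that rule set as a small policy check with an anti-spoofing rule, and all address ranges, interface names and sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; the real UGA ranges are not on the slides.
TWO_FACTOR_VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # assumed dedicated 2FA VPN range
SECURE_ZONE = ipaddress.ip_network("10.200.0.0/24")         # assumed secure-zone (VDI/BDC) range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on: "outside", "vpn2fa" or "inside"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow, evaluating rules in order."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1, anti-spoofing: a source claiming the 2FA VPN pool is credible only
    # when it arrives on the 2FA tunnel interface. Omitting this check is the
    # "spoofing risk if done incorrectly" the slide warns about.
    if src in TWO_FACTOR_VPN_POOL and flow.ingress != "vpn2fa":
        return "DROP", "2FA VPN pool address arrived on non-VPN interface"
    # Rule 2, the "specific DC firewall permissions": secure-zone hosts accept
    # only traffic from the 2FA VPN pool, regardless of what the application does.
    if dst in SECURE_ZONE:
        if src in TWO_FACTOR_VPN_POOL:
            return "ALLOW", "2FA VPN pool -> secure zone"
        return "DROP", "secure zone reachable only via 2FA VPN"
    # Rule 3: everything else falls through to ordinary campus policy (not modelled).
    return "ALLOW", "outside secure zone; default campus policy"


def audit(flows) -> list[str]:
    """One log line per decision: the 'central logging' benefit of the network approach."""
    lines = []
    for f in flows:
        verdict, reason = evaluate(f)
        lines.append(f"{verdict} {f.ingress} {f.src}->{f.dst} ({reason})")
    return lines


if __name__ == "__main__":
    sample = [  # constructed flows
        Flow("10.99.0.17", "10.200.0.5", "vpn2fa"),   # token-authenticated VPN user
        Flow("10.5.4.3", "10.200.0.5", "inside"),     # campus host, no second factor
        Flow("10.99.0.17", "10.200.0.5", "outside"),  # pool address spoofed from the Internet
    ]
    print("\n".join(audit(sample)))
```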