Tag Archives: information security

Social engineering and hacking humans

Sebastian Barnes
IT Support Specialist
Leeds Beckett University

Sebastian Barnes was funded to attend this event as a 2017 UCISA bursary winner

SCHOMS Day 3 – IT Security Challenges

The end of the SCHOMS 2017 conference was a half day of presentations and speeches, and it included my favourite presentation of the week, from psychologist Jenny Radcliffe; what a speaker! Jenny delivered a presentation on social engineering, drawing on her own experiences in her field of work. It was amazing to listen to and very engaging, which resulted in me making very few notes.

Jenny explained how technology can have amazing security that makes it impossible to hack; however, why hack the technology when you can hack the human? If you know the password, you can bypass it! Jenny described scenarios in which she has had to read body language and pretend to be someone she wasn’t in order to get the information she wanted. From what I remember, she was able to gain access to an account using nothing but Facebook: security questions are meant to be personal and unique to the person, but most of the time the answers are listed on Facebook! Mother’s maiden name? Within seconds she was able to find this out using the family feature within Facebook. With this information she was able to reset the password and enter the account.

After watching this presentation, I was seriously considering entering this field of work. That’s how good it was!


Consequences for an IT Department of the General Data Protection Regulation (GDPR)

Ed Stout
Support Services Manager
Leeds Beckett University

EUNIS 2017

Ed Stout was funded to attend this event as a 2017 UCISA bursary winner


During his EUNIS 2017 keynote ‘General Data Protection Regulation – Consequences for an IT Department’, Rainer W. Gerling, CISO of the Max Planck Society and Honorary Professor for IT Security in the Department of Computer Science and Mathematics at the Munich University of Applied Sciences, took us on a journey to better understand the General Data Protection Regulation (GDPR), which will soon be fully in force within the European Union. In 2012, the European Commission tabled an initial proposal to regulate data protection within the EU, and by the end of 2015 the European Commission, European Council and European Parliament had come to an agreement to take it forward. At this point in 2017 we are in the grace period before it formally comes into full force on 25th May 2018… which leaves all of us with not a lot of time to get our houses in order!


In developing the Windows 10 operating system, Microsoft now offers more than 50 native data protection settings within ‘Privacy Settings’; however, Rainer stressed that it is highly important that we in HE review these settings and adjust them from the defaults.


Given the serious nature of the proposed fines, which can be as much as €20 million if an organisation is found in breach of the regulations, it is certainly worth taking the new legislation very, very seriously. Encryption is paramount under GDPR Article 32. And what needs to be encrypted? Well, pretty much everything!!


Technically, standards that are considered ‘state of the art’ only remain so for a limited lifespan as new and improved solutions are developed, as Rainer demonstrated with a slide on cryptographic protocols. It is, therefore, important that we continually review our measures to ensure that we are meeting legislative requirements.
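To make ‘state of the art is a moving target’ concrete, here is an added Python example (my own illustration, not code from Rainer’s talk or from UCISA) that records the encryption policy as data with a review date, builds an ssl context that refuses anything below the policy floor, and lists inventory entries that still accept older protocol versions. The service names, protocol versions and dates are constructed for the example.

```python
import ssl
from datetime import date, timedelta

# Policy as data: the protocol floor we currently call "state of the art" and
# when it was last reviewed. Both values are assumptions for this example.
TLS_POLICY = {
    "floor": ssl.TLSVersion.TLSv1_2,
    "last_reviewed": date(2017, 6, 1),
    "review_every_days": 365,
}

# Constructed inventory: each service and the oldest TLS version it still accepts.
# These are made-up entries, not real hosts.
SERVICE_INVENTORY = [
    {"service": "student-portal", "min_protocol": ssl.TLSVersion.TLSv1_2},
    {"service": "legacy-library-opac", "min_protocol": ssl.TLSVersion.TLSv1},
    {"service": "hr-payroll", "min_protocol": ssl.TLSVersion.TLSv1_3},
]


def harden_context(policy=TLS_POLICY):
    """Return an ssl context that refuses any protocol below the policy floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = policy["floor"]
    return ctx


def below_floor(inventory, policy=TLS_POLICY):
    """Names of services that still accept a protocol older than the policy floor.
    ssl.TLSVersion is an IntEnum, so ordering comparisons are meaningful."""
    return [s["service"] for s in inventory if s["min_protocol"] < policy["floor"]]


def review_overdue(policy, today_iso):
    """True when the policy has not been revisited within its review interval."""
    today = date.fromisoformat(today_iso)
    return today - policy["last_reviewed"] > timedelta(days=policy["review_every_days"])


if __name__ == "__main__":
    print("services below floor:", below_floor(SERVICE_INVENTORY))
    print("policy review overdue on 2018-07-01:", review_overdue(TLS_POLICY, "2018-07-01"))
```

Raising the floor means changing one value in `TLS_POLICY` and re-running the inventory check, which is the ‘continual review’ the talk asked for expressed as a routine rather than a one-off project.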


So what should we be doing now? We should be:

  • Contacting our relevant data protection officers to discuss the implications of the legislation in line with our own institution’s technical configuration.
  • Acknowledging that it is not simply the IT department’s responsibility to ensure that we meet the relevant legislative needs, but that the University as a whole is responsible.
  • Documenting our technical measures in line with ISO27000.
  • Collaborating with other HE institutions.

And we should be…

  • Improving our technical measures and accepting that state of the art is a moving target.

Rainer suggests that the current technical recommendations are:

[Photo of Rainer’s slide listing the current technical recommendations]

This blog post first appeared on http://www.edstout.co.uk/2017/06/27/day-3-reflections/

Digital transformation in action


Sara Somerville
Information Solutions Manager
University of Glasgow


AIIMing to get the best out of an amazing opportunity

As an information professional working in an IT department and providing document management solutions and services across the university, I have always found AIIM (Association for Information and Image Management) the best professional fit for my mix of skills. The one-day AIIM UK roadshow (held in London every year) always proves illuminating. It offers a great selection of practical case studies and keynotes, alongside an exhibition comprising a wide range of enterprise content and document management technology vendors. Finding out about UCISA’s bursary scheme last year opened up the amazing possibility of being funded to attend the much bigger AIIM International conference held over three days in the US. I was absolutely delighted when I heard that my application was successful!

This year the AIIM conference is being held in New Orleans from 26-28 April, with the added bonus of being sandwiched in between the two weekends of the Jazz festival. The title of this year’s conference is ‘Digital Transformation in Action,’ and the themes centre around automating business processes, protecting and securing information with governance, and gaining insight to better engage customers and employees. As with the UK event, there is a good mix of keynotes, panel Q&As, round table discussions, and real-life case studies, alongside the exhibition by technology vendors.

Like many other institutions, my university is addressing issues around information governance and management at an enterprise level, including the retention and deletion of data across business systems. With the provision of a wide range of on- and off-site services, and the increase in the use of personal mobile devices, the current challenge for the university is ensuring its data is stored in the right way while remaining accessible over the longer term.  I’m hoping the conference will provide some new and interesting insights into tackling these issues, and give me additional skills and knowledge to enhance my current involvement in improvement projects regarding corporate business process.

In particular I’m looking forward to hearing the keynotes from Erik Qualman (author of ‘What Happens in Vegas Stays on YouTube’) and the futurist Jacob Morgan (author of ‘The Future of Work’). Erik is a social media expert who believes that privacy is dead, and who provides new rules for building our digital reputations, while Jacob works with the world’s most forward-thinking companies to explore how the workplace is changing and how it might look in the future.

From the sessions, I’m hoping to get answers about the consumerization of IT from ‘Goodbye Applets, Hello HTML5 Document Viewing’ and ‘Information Management is Hard. Guess What? Your Customers Don’t Care.’ And I hope to hear about agile approaches to keeping up with the fast pace of change in technology from ‘How Do You Disrupt a Disrupter?’

Even before leaving the UK I have already learned from the conference agenda what the ‘SMAC stack’ is (Social, Mobile, Analytics and Cloud Services), so I can’t wait to dive further in.

I will be tweeting from the conference (you can follow me @InfoSherlockUK for updates), and please do tweet me questions to ask on your behalf. I will also be posting on the UCISA blog.

Somebody will go to jail

The start of a new year is always a time for predictions and forecasts for the year to come – one that caught my eye was the Top 10 Cybersecurity predictions from Richard Starnes. The list makes some grim reading, starting as it does with Somebody will go to jail.

Second on his list was a prediction that information security management training will become the new silver bullet. Citing the IBM 2015 Cyber Security Intelligence Index, he notes that over 40% of the average company’s breaches were mostly due to inadequately or improperly trained personnel. UCISA has taken steps to try and address this, as Jerry Niman advised in an update to the UCISA Directors list in December, by reaching agreement with Leo to make the licence for their Information Security Awareness Learning Suite available to all UCISA full member organisations in perpetuity. The agreement includes reasonable updates for the first three years. This will be fully funded by UCISA, and will be available for institutions to host on the LMS of their choice. There will be no cost to institutions unless further customisation or hosting is required. We are working towards making the suite available in the first quarter of this year.

Making the training available is one part of the solution – making sure those that need to take it do is another challenge. A number of institutions have policies that state that all staff should take information security training but not all follow it through and ensure that the policy is fully implemented. Chapter 9 of the UCISA Information Security Management Toolkit highlights the role awareness activities play in managing risk within the institution and highlights how the effectiveness of such activities can be demonstrated.

Starnes’ list highlighted particular challenges around health data but he noted that one implication of an increased focus on cyber security was that the market for information security professionals will tighten, making recruiting experienced professionals more costly. As personnel become more expensive, so the need to understand the importance of the roles and the functions they perform and support increases. Clearly this understanding requires context; that context being provided by recognition of the value of the information and the risk to the institution of a breach of security or loss of data. Will it take somebody going to jail to focus minds?

Looking to the future: sustainable IT and HE web presence


Simon Geller
Senior Project Manager
University of Sheffield
Member of UCISA-PCMG

Day Two at Educause

I started the day at 8am – the Yanks get up early! – with a session on Google Apps. Sheffield was an early adopter of Google so I had an in on this but the session got a bit bogged down in questions about account creation and deletion rather than the potential for collaboration.

Sustainable IT
Then I moved on to a discussion session about sustainable IT. This doesn’t get talked about so much these days – I think one of the reasons for this is that the movement into cloud services means that institutions aren’t quite so conscious of their energy footprint. Also, IT shouldn’t beat itself up too much about how green it is – we enable so much green activity in other areas, from maps and journey planners on smartphones that make people feel more comfortable about walking and using public transport rather than driving, pool bike schemes that you register for online, to smart energy management systems and systems that make industrial processes much more efficient. The future is Green IT that you don’t even notice.

A presentation from the University of Edinburgh on helping non-project managers to deliver success
In the afternoon, I thought I’d better support our Edinburgh colleagues and went to their presentation on how they provide support for non-vocational project managers. Although the AV wasn’t being helpful, the level of resource they had brought to the issue was impressive.

Then I continued on my quest to discover where the web would take us in the next 10 years. The key message from What Will Your .Edu Site Look Like in 10 Years?  is that your web presence will be going out and looking for your customers rather than waiting for them to come to you.

Later I found myself in a compliance session I hadn’t really intended to go to, but thought I’d take a risk and stick with it. The message I took away from that is that there are two types of institutions – those that have been hacked, and those that have been hacked and don’t know about it. Scary!

The final session I attended that day was a trend analysis run by journalists from the Chronicle of Higher Education, and the takeaway from that was that we used to talk about the for-profit sector; now, in the US at least, the whole area is for-profit. Plus two questions to ask suppliers: “What research is (that assertion) based on?” and “What’s the upgrade cycle?” – cutting edge tech doesn’t stay there for long.


A practical approach to risk management – two perspectives

Tim Banks
Faculty IT Manager
University of Leeds


This is a write-up of a session I attended on Wednesday at Educause 2015 which was delivered by Bill Arnold, Information Security Analyst at the University of Tampa, and Dr Lawrence Dobranski, ICT Security Access & Compliance, University of Saskatchewan (Canada).

Introduction

The University of Tampa, Florida, is a liberal arts institution and has a student population of around 8,000 students, 65% of whom live on campus. There are 1,200 staff and the annual turnover is c. $235m with an estimated annual economic impact of around $850 million. They formally launched their Information Security Program 3 years ago with the appointment of a Chief Information Security Officer, who reports directly to the President (Vice-Chancellor). Their stated aim is to build a culture of risk management, security awareness and data protection, and as part of this, they have created a cyber-security lab. They achieved ISO/IEC 27001:2013 accreditation in July 2015.

The (often misspelt) University of Saskatchewan is one of the top 15 research universities in Canada with 22,500 students from over 100 countries. They have a 16:1 student:staff ratio and an annual budget in excess of $1bn which includes $9.2m of scholarships and bursaries. They have 120 Graduate Degree Programs (taught postgraduate) and over 200 undergraduate degree programs. It snows regularly and can get very cold! They formally launched their information security program in June 2012, which is centred around the following three areas:

  • IT Security
  • IT Compliance
  • IT Access

It is a risk-based program, meaning that priorities for investment and action are based on a risk score. Bill observed that in 2014, cyber criminals were making more money than drug cartels.

A number of barriers to progress were noted which included:

  • Lack of executive support
  • Inadequate investment
  • Ineffective information security leadership
  • Information security ‘unaware’ community
  • Information security gaps especially with respect to 3rd party service providers

Practical steps

  • Ask the right questions to the right people
  • Don’t adopt every aspect of a rigorous standard (like ISO27001), use common sense
  • Focus on information lifecycle
  • Insights will come quickly once you start working with your stakeholders. These will inform your future strategy.
  • Advance planning and effective communication are absolutely essential
  • Don’t use mass surveys (if you actually want people to provide useful information)
  • Decide how you will engage – either in person or through focused surveys
  • Keep the process simple
  • Focus on business processes and impacts on information (e.g. loss / unauthorised access) rather than using technical jargon

The University of Tampa developed a very simple spreadsheet that included each major business unit on campus, each major process within the units and the process owner. The process owner was asked to rank each of their processes on a scale of 1-5 in three areas:

  • Degree of sensitivity of the data
  • Impact of loss of integrity
  • Impact of loss of availability

The average was taken of each of the three scores for each process to arrive at a risk score for the process. A discussion was held with the process owner about the information handling lifecycle involved with each process which covered:

  • Accessing the data
  • Processing the data
  • Transmitting the data
  • Sharing the data
  • Storing the data (in both paper and electronic forms)

They also looked into whether there were any compliance requirements associated with the type of information that was being stored, and determined whether the University IT department or a third party provided the service.

Summary (University of Tampa)
Bill provided the following summary of the University of Tampa’s risk based approach to managing information security.

  • Data Discovery – find out where your confidential data resides
  • Opening the Doors to positive change in University departments. You should be seen not as people who stop departments from doing things, but the people who help them to do it securely.
  • Re-engineering information handling, which will require a change in mindset from both IT and the business
  • Getting everyone to participate
  • Security Awareness (education is key)
  • Once they trust you, they will come (bringing information about risks right to your door)
  • Rinse, wash, repeat (continual process)
  • Collaborate to reduce risks

Always remember there are a lot of things we don’t know that we don’t know, as demonstrated by this slide.


Summary (University of Saskatchewan)
Lawrence focussed mainly on the best way to present information security risks to University senior management. This is done most effectively when the senior officers of the University understand and accept the cyber-risk. In addition:

  • The information presented must be in a familiar format, as we cannot afford to have the busy people we are trying to communicate with waste time trying to understand the presentation format.
  • We need to focus on risk information and focus on the high risk areas when talking to the University executive group.
  • Don’t make the visuals too complicated or people will stop listening to you and start focussing all their attention on trying to understand the graphics.
  • Read the IEEE publication (Slide Rules)

During their audit, they discovered an internet-accessible incubator control unit with a built-in web server. On further investigation, if this had been hacked and the incubators shut down, thousands of cute little chicks would have died (and research would have been put back two to three years). They also found a robot roaming the hall talking to patients, which the department was trying to control remotely by adding it to the wireless network. This robot was big enough to cause serious injury to somebody if an unauthorised person managed to take control of it.

The key stakeholders that Lawrence identified were cyber security professionals (never be afraid to ask for help) and the staff and students at the University. It is vital that those closest to the business processes are closely involved in the threat and risk/privacy impact assessment process. The world of cyber security is a fast-changing one, so dedicated cyber security professionals, either internal or external, are vital in order to keep abreast of emerging threats and the techniques to combat them. As an institution, we need to own risk and manage it.

Some particular suggestions for ways in which to present the information security risks included using a Gartner-style quadrant with likelihood on one axis and impact on the other. Then encourage your senior team to only focus on the top-right quadrant, whilst being able to see at a glance the entire risk landscape.


An alternative is to use a radar plot to display how well the University is doing with multiple aspects of a particular IT security concern.
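To show the two techniques from this session together, here is an added Python example (not code from either university’s programme) that computes a Tampa-style process risk score as the average of the three 1–5 ratings described earlier and then places each process on the likelihood/impact quadrant Lawrence suggested, sorting the register so that the top-right quadrant can be read first. The process names and ratings are constructed, and the likelihood field is an assumption of the example, since Tampa’s spreadsheet did not collect it.

```python
from statistics import mean

RATING_SCALE = range(1, 6)  # 1 (low) to 5 (high), as in the Tampa spreadsheet

# Constructed sample register (illustrative, not Tampa's actual data).
# sensitivity/integrity/availability follow the three Tampa questions;
# likelihood is an assumed extra field used only for the quadrant placement.
PROCESS_RATINGS = [
    {"unit": "Registry", "process": "Student records update", "owner": "A. Smith",
     "sensitivity": 5, "integrity": 5, "availability": 3, "likelihood": 4},
    {"unit": "Marketing", "process": "Campus events mailing list", "owner": "B. Jones",
     "sensitivity": 2, "integrity": 1, "availability": 2, "likelihood": 4},
    {"unit": "Finance", "process": "Payroll run", "owner": "C. Patel",
     "sensitivity": 5, "integrity": 4, "availability": 4, "likelihood": 2},
    {"unit": "Library", "process": "Library catalogue search", "owner": "D. Lee",
     "sensitivity": 1, "integrity": 2, "availability": 3, "likelihood": 1},
    {"unit": "Research", "process": "Research grant submissions", "owner": "E. Khan",
     "sensitivity": 4, "integrity": 4, "availability": 4, "likelihood": 4},
]


def tampa_risk_score(row):
    """Average of the owner's three 1-5 ratings, as in the Tampa spreadsheet."""
    scores = [row["sensitivity"], row["integrity"], row["availability"]]
    if any(s not in RATING_SCALE for s in scores):
        raise ValueError(f"ratings must be 1-5: {row['process']}")
    return mean(scores)


def quadrant(likelihood, impact, midpoint=3):
    """Place a process on a likelihood (x axis) / impact (y axis) quadrant.
    Scores at or below the midpoint count as 'low'; top-right is high/high."""
    col = "right" if likelihood > midpoint else "left"
    row = "top" if impact > midpoint else "bottom"
    return f"{row}-{col}"


def build_register(rows, midpoint=3):
    """Score every process and sort so the largest likelihood x impact comes first."""
    register = []
    for row in rows:
        impact = tampa_risk_score(row)
        register.append({
            "process": row["process"], "unit": row["unit"], "owner": row["owner"],
            "impact": round(impact, 2), "likelihood": row["likelihood"],
            "quadrant": quadrant(row["likelihood"], impact, midpoint),
        })
    register.sort(key=lambda r: r["impact"] * r["likelihood"], reverse=True)
    return register


def executive_view(register):
    """Only the top-right quadrant: what the senior team is asked to focus on."""
    return [r["process"] for r in register if r["quadrant"] == "top-right"]


if __name__ == "__main__":
    for entry in build_register(PROCESS_RATINGS):
        print(entry)
    print("for the executive group:", executive_view(build_register(PROCESS_RATINGS)))
```

The full register still shows the whole landscape (Lawrence’s ‘see at a glance’ point), while `executive_view` is the filtered list that goes on the slide.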

Overall this was a very informative session with some practical takeaways on how to both manage information security risks and communicate this to senior managers.


Insights from US and Canadian institutions on risk management and information security


Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG


Here are some highlights from a session I attended today about the application of practical risk management strategies, presented by the University of Tampa and the University of Saskatchewan.

Overview – University of Tampa

  • Tampa – 8000 students from 50 states and 140 countries
  • 65% of full time students live in campus housing
  • Information security programme was started three years ago
  • CISO (Chief Information Security Officer) reports to the UT President
  • Co-manages a cyber security lab
  • Only school in the States that has reached full ISO/IEC 27001:2013 accreditation

Overview – University of Saskatchewan

  • Member of Canada’s U15, top 15 research universities
  • 22,500 students from 100 countries
  • 16:1 faculty to student ratio
  • Info security programme formed in June 2012
  • Three representatives – ICT Security, ICT Compliance and ICT Access
  • Risk based programme not enforced
  • SSO (Single Sign-On) for all systems, which is managed by five staff
  • Cyber security challenges – Profit, risk and loss

Risk management should focus on:

  • Lack of executive support
  • Inadequate investment
  • Inefficient investment
  • Inefficient info security leadership
  • Info security gaps

Risk management challenges:

  • Things you don’t know/realize
  • Things you realize you don’t know
  • Things you realize you know

Practical approach to risk management:

  • Answers are at your fingertips
  • Don’t worry about adopting every aspect of a rigorous standard approach
  • Focus on Info security lifecycle
  • Get Exec level buy-in
  • Get the stakeholders’ perspective on risk – admin staff and faculty

Resource:
Educause security awareness resources

Cyber security – top table interest

The risk cyber crime presents to the higher education sector was highlighted to Vice-Chancellors at the Universities UK Conference in 2012. Since then, there have been a series of round table discussions which have looked at the ability of the UK higher education sector to respond to cyber crime attacks. I attended the most recent of these which focused on the outcomes of a self-assessment exercise UUK promoted earlier in the year.

Those institutions that completed the exercise will receive individual reports in the near future, and a briefing will be circulated to Vice-Chancellors reflecting on the exercise. The briefing will include an additional report giving details of a number of UCISA resources that support institutions in their cyber security initiatives. The detailed results of the exercise are embargoed until the institutions have received their individual reports but, although it is clear that there is work to be done, there are some encouraging signs that cyber security is being taken seriously at a senior level within many institutions.

There are a number of factors that support this assessment. Firstly, over sixty institutions took part in the exercise. In addition to these institutions, I am aware of a number of others that did not take part because they had already carried out similar work, either utilising already published controls (such as the CPNI’s twenty controls for cyber defence) or by engaging external consultants.

Secondly there was a good level of interest shown in security and risk related topics by delegates at the Universities UK Conference this year. UCISA exhibits at the Conference to promote our resources and activities. Two publications that drew particular interest were the revised Model Regulations for the use of institutional IT systems and the Information Security Toolkit. Effective information security is underpinned by effective regulations and the Model Regulations give institutions a template to utilise locally. The current version of the Information Security Toolkit provides specimen policies for institutions to revise. The delegates were also interested in the Major Projects Governance Assessment Toolkit – effective governance reduces the risk of projects failing to deliver their anticipated benefits, or having major cost or time overruns.

So there are positive signs that risk and cyber security are being taken seriously. Care is needed, though, that cyber security is not just seen as an IT problem – people and processes are also important components in implementing effective information security measures. This is something that will be highlighted in the revised Information Security Toolkit – there is a need for senior management ownership and good governance in order for information security to be successfully managed. We also need to guard against IT only featuring at the top table for ‘problem’ issues – we need to work to ensure that the role IT can play in enhancing the student experience and delivering efficiencies is also understood by senior institutional managers.

Postscript – work is currently in progress on a revision of the Information Security Toolkit. It is anticipated that the new version will be launched at the UCISA15 Conference in March 2015.

Comments welcome on new structure for the UCISA Information Security Toolkit

We would like to invite comment from the community on the revised structure and content of the UCISA Information Security Toolkit which was agreed by the project group at a meeting last month.


The UCISA Information Security Toolkit has been very successful, providing much needed assistance to information security professionals across the sector. Since the original funding application for the project in 2004, there have been a number of iterations of the document, based upon changing standards and sector wide activity. The last Toolkit was published in 2007 (third edition).

A number of factors have prompted a rewrite and expansion of the document: cloud technologies, PCI DSS, data classification and supportive practical advice in the form of appropriate feedback cycles (for example Plan/Do/Check/Act). The largest factor was the release of the BS ISO/IEC 27001:2013 standard in the autumn of last year.

The group, comprising colleagues from University College London, University of Oxford, Loughborough University, Cardiff University, the University of York and Janet, has met regularly in person and via Skype in order to generate new content. The revised Toolkit will include a number of practical case studies demonstrating what works and does not work in practice. Topics include: policy development; raising user awareness; investigations and research security.

The new Toolkit will be launched in March 2015 to coincide with UCISA 2015, Edinburgh and Janet Networkshop43, Exeter.

Matt Cook, Chair, UCISA Networking Group
Head of Infrastructure and Middleware,
Loughborough University, IT Services

Securing card payments

Peter Tinson, UCISA’s Executive Secretary, attended the PCI DSS SIG conference this week to find out more about the standard which is intended to protect payment card data and processes. The PCI (Payment Card Industry) Data Security Standard is a global standard; compliance with the standard reduces the risk of credit card fraud and the resultant cost (both financial and reputational) to the organisation.

The scale of the problem cannot be underestimated. A Government report on the results of a survey on information security breaches revealed that over 90% of large organisations (those employing over 250 people) were affected by security breaches with an average of 113 breaches per organisation in 2012. This is perhaps indicative of the growth in cyber crime which can range from the sale of credit card numbers through to sophisticated schemes to steal on a large scale.

Risk was mentioned a great deal throughout the day. Clearly a starting point has to be that the institution needs to know where payments (or card details) are being taken and whether or not the information is stored. Once the location of the information is known, an assessment can then be made of the risk (and impact) of its loss, and proportionate measures introduced to protect and secure it. There was general agreement that the potential loss of payment card data should be included in the institution’s risk register and so be clearly visible to the governing body.
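Finding out where card details are stored (the starting point described here, and also the ‘Data Discovery’ step in the University of Tampa summary earlier on this page) is usually done with a scanner that looks for candidate primary account numbers and applies the Luhn check to cut down false positives. The following added Python example (not from the conference, the PCI DSS SIG or UCISA) shows that check over constructed sample file contents; the paths, records and card numbers (which are the well-known Visa and Mastercard test numbers) are made up for the example, and any match is reported masked so the scanner’s own output does not become a new copy of the card data.

```python
import re

# Constructed sample content standing in for files on a shared drive (not real data).
# Two records hold industry test card numbers; the rest are look-alike digit strings
# (a student number, an ISBN, a near-miss card number) that a naive scan would flag.
SAMPLE_FILES = {
    "finance/conference_bookings.csv": (
        "booking_id,name,card\n"
        "1042,J. Bloggs,4111 1111 1111 1111\n"
        "1043,A. Nother,5555-5555-5555-4444\n"
    ),
    "registry/student_ids.txt": "201512345678\n4111111111111112\n",
    "library/loans.txt": "ISBN 9780131103627 due 2015-10-30\n",
}

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a
# longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right, summing digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str):
    """Return (path, line number, masked PAN) for every Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((path, lineno, mask(digits)))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents; in practice this would walk a share."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible card number {masked}")
```

The Luhn check is what keeps the student number, the ISBN and the near-miss in the sample out of the report; the two real hits are exactly the kind of stored card data that brings a process into PCI DSS scope and belongs on the risk register.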

Implementing technical measures to protect data is only part of the solution. The report on information security breaches notes that over a third of breaches were the result of inadvertent staff error. Training of staff is critical to ensure that staff are aware of their responsibilities; this needs to take place at the start of employment (including when there has been a role change within the institution) and at regular points thereafter (the suggestion was at least annually).

Whilst poorly trained staff present a risk to security breaches, so too do poor processes. One of the recommendations made at the conference was to review business processes to see whether they could be re-engineered so that it was not necessary to use card data. Obviously if card data is not being used in a process, then the risk of its loss disappears and so too does the need to comply with the DSS.

This summary only gives a brief snapshot of some of the issues being faced by institutions seeking to implement the standard. It was clear that institutions are at different stages in their adoption of the standard and that the barriers to adoption are not always technical. UCISA is looking to work with the PCI DSS SIG and with our sister organisation for Finance Directors, BUFDG, to promote best practice in this area and so reduce the risk of our institutions falling victim to fraud.