
Stanford IT Security Program

Stanford IT Security Program. Re-aligning IT security to a modern threat environment. University IT Security • Firewalls • VPN for off campus access • Kerberos • Encryption required for sensitive data • Central AV/patching services • Controlled access to data centers


Presentation Transcript


  1. Stanford IT Security Program: Re-aligning IT security to a modern threat environment

  2. University IT Security • Firewalls • VPN for off campus access • Kerberos • Encryption required for sensitive data • Central AV/patching services • Controlled access to data centers • But few central mandates and low visibility

  3. “The Steve Riley Slide”

  4. Our Wake-Up Call, A Visit From Uninvited Guests • Phishing • Vulnerable services • Poor credential hygiene • Pass-the-Hash

  5. Security Event Manager Data stored everywhere Consolidated

  6. Phishing → Multifactor • Existing multifactor system • Moving to Duo to cover more devices/scenarios

  7. Reducing Vulnerable Services / Machines (Part 1) • Eradication of Windows XP • Prioritized retirements of Windows Server 2003 R2 • Expansion of existing Whole-Disk encryption project

  8. Pass The Hash – One Scenario • Unsuspecting User: “My computer is acting funny” • Helpful Help Desk: “Oh, dear! Let me log in remotely and see what’s wrong.” • “New credentials detected, where can I get to now?” • Important Server

  9. Pass The Hash – Another Scenario • Development Server • Production Server • Domain Controller

  10. Authentication Silos

  11. Personal Bastion Hosts • No inbound communications allowed / Limited outbound • Very strict application whitelisting rules • No DMA-based external interfaces • Whole disk encryption (TPM + PIN/Password) • Trusted vendor

  12. Mobile Device Management

  13. Reducing Vulnerable Services / Machines (Part 2) • EMET (4.0 -> 5.0) • Application Whitelisting • Qualys • Compliance Registry • Network Access Control (“You must be THIS tall to connect!”)

  14. Miscellaneous Projects • Replacement of SPAM/AV filtering for inbound email • Replacement of DLP system for outbound email • Replacement of the campus emergency alert system

  15. Physical Security • Dramatic decrease in the number of cards allowed access to Data Centers • Replacement/Expansion of camera system

  16. Future projects in the program • Systems Administrator Training Standards • Systems Administration Practices • Centralized HIDS • Smartcard Implementation

  17. Questions
