Anti-Spam Discussion


Security Issues
Steve Lovaas, ACNS
IAC, 22 April 2008
Colorado State University
The big issues this month…
• Encryption
  • Utimaco SafeGuard Enterprise
• SQL Injection, database attacks
  • WatchFire AppScan
• User behavior and culture
  • Risk Analysis
  • Background Checks
  • SSN rescan and purge
Encryption: Utimaco SafeGuard
• Disk encryption product, protecting against sensitive data loss on mobile computers
• Architecture in place, testing the deployment process
• Departments that participated in the January training are beginning to deploy
• Training for other departments coming soon
• Network share encryption – new module expected next month
Web Apps: WatchFire AppScan
• Web application vulnerability scanner
  • SQL injections [just had one this month!]
  • Cross-site scripting
  • IIS/Apache/.NET vulnerabilities
• Complex tool, requires consultation for setup and interpretation of results
• Have scanned a number of departments, contact ACNS if you’re interested
Behavior/Culture: Risk Analysis
• Have a draft tool, reviewing with Internal Auditing
• Goals for the first iteration
  • Responsibilities
  • Behavior
  • Controls
• Test first round this summer
Behavior/Culture: Background Checks
• Last year, IAC strengthened sub-committee’s recommendation: check ALL employees w/ access to sensitive data
• New committee working on University-wide policy
• Seeking clarification on policy overlap
• More details in April…
Behavior/Culture: SSN scanning
• Most colleges/departments are done
• Huge amount of extra, unexpected work
• Removed a substantial number of SSNs (mostly from servers that didn’t get scanned last time around)
• Both necessary and greatly appreciated
• A few larger departments are still finishing up with removal/remediation
• Remaining SSNs require an exception request, and will need to be encrypted
Please contact me
• Dealing with security is my job – both planning to prevent issues and responding to issues after the fact…
• Feel free!
[email protected]
6th Floor, USC Building
297-3707