Re: 2-Factor Authentication / FERPA

[Ben Marsden <bmarsden () SMITH EDU>]

Hi Nick,

   I have *no* problem with your list of important security controls.  I do
have a problem with your assertion that MFA "should only be considered
if..." all the elements in your list are already in place.

   I would contend that the increasing frequency of password-only-protected
user account compromise is a real and very tangible threat to both
financial and informational resources across the board to the institution
(and the individual too), and so mitigating that risk is at a strategic
level as important as other priority security controls.   Further,  I'll
suggest that implementing and supporting many of the items on your list
require a variety and commitment of Resources (big, inclusive "R") that may
or may not be as readily available to you as they deserve.  If there is
institutional will to implement 2FA/MFA, don't try and rechannel that will
and those resources to bolster other initiatives.  Take it and run with it.

   Just IMHO,

--Ben


On Fri, Mar 3, 2017 at 1:14 PM, Nicholas Garigliano <ngarigl8 () naz edu>
wrote:

> Hi Mike,
>
> I'm not really addressing your question directly, just adding my 2 cents
> worth if you are interested.  If I am stating the obvious I apologize.
>
> While 2FA can be a integral part of an overall security program, there are
> significant costs (capital, administrative and political).  Been there,
> done that.  Outside of remote access (VPN), where it should be a
> requirement, my feeling is that for internal access it should only be
> considered if the following are already in place:
>
> - Have a verifiable patch management process in place which includes
> categorizing and applying patches on a regular schedule.  This would
> include applying critical patches outside of the schedule.
> - Run regular authenticated vulnerability assessments to discover,
> inventory and asses systems on on your network.  This is also used to
> verify patching.
> - All sysadmins/domain admins/network admins/DBA's etc have dedicated
> accounts that are used for administrative functions only and do not have
> access to the internet.  In addition, they use dedicate workstations that
> do not have access to the internet.  This is especially critical if you are
> using AD.
> - Developers should not have direct access to sensitive data, i.e sql
> access to a database.
> - Have a centralized logging system in place from which you can generate
> alerts (SIEM like functionality).
> - Segment the network to put those systems containing sensitive
> information behind an enforcement point and control access to these systems
> from only dedicated workstations/servers using only the protocols/ports
> that are needed.
> - Systems which store sensitive data should be dedicated to this purpose
> and not used for other purposes as well.
> - Do not use shared service accounts to access data and monitor the use of
> these accounts.  Have a password management process in place which creates
> an audit trail for password use.
> - Do not use sensitive production data in non-production systems, if
> possible.
> - Have visibility into the traffic on your network (taps, aggregation
> switches, span ports etc).  Use a tool such as Bro to monitor this traffic.
> - Perform threat modeling/pen testing on the apps consuming the data.
> Yes, these are terms that can mean different things to different people.
> The app should undergo some basic assessment at the least.
>
> This list is by no means comprehensive and I'm aware that doing all of the
> above is no minor accomplishment.   For many institutions all or part might
> be unrealistic for all sorts of reasons.  But, from my experience it makes
> more since to direct limited resources into these areas before implementing
> something like 2FA.
>
>
> Nick Garigliano, CISSP, GCIH
> Network Security Engineer
> Enterprise & Network Solutions
> Nazareth College
> 585 389-2109 <(585)%20389-2109>
>
> On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu>
> wrote:
>
> > Greetings,
> >
> >
> >
> > A number of regional campuses are in discussions on requiring 2-factor
> > for access to High Risk data and one of the elements would be non-directory
> > (private) FERPA records.
> >
> > The consensus concern with such a rollout would be usability on such a
> > large scale and backlash from Faculty.
> >
> >
> >
> > Has anyone implemented and required 2-factor authentication for faculty
> > accessing non-directory records? And if so, any tips?
> >
> >
> >
> > Thank you.
> >
> >
> >
> > Mike Dodor
> >
> > Network Administrator/Information Security
> >
> > Learning and Information Technology
> >
> > University of Wisconsin – Stout
> >
> > 327 Millennium Hall
> >
> > Menomonie, WI  54751
> >
> > Phone: 715-232-2671 <(715)%20232-2671>
> >
> > dodorm () uwstout edu


-- 
[}--> BEWARE of links and attachments in email!   *  Stop, Think before you
click *
============================================
Ben Marsden : Information Security Director, CISSP
ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
---------------------------------------------------------------------
=--> Any request to reveal your Smith password via email is fraudulent!