Educause Security Discussion mailing list archives

Brief Security Defenses Survey for Upcoming Talk


From: "Kyrouz, Bill J." <Bill.Kyrouz () JENZABAR COM>
Date: Thu, 16 Apr 2020 15:21:32 +0000

Hello,

I am trying to gather some data on security defenses in Higher Ed specific to inhibiting lateral movement.  Can you 
help?

My name is Bill Kyrouz and I am the Director of Information Security at Jenzabar and I'm putting together a talk 
similar to one I gave in the legal industry after NotPetya wreaked havoc.

Below is a very brief survey on different security controls you may have in use at your institution.  Please fill it 
out and send it back to me at bill.kyrouz () jenzabar com.  The adoption rate for each will be incorporated into the 
talk, along with an "effectiveness" rating from a well-regarded penetration tester.  Please also note:

  *   Individual responses will not be shared with anyone else (even within Jenzabar)
  *   This is not about selling a product or service, it is about leveraging security staff and security-minded people 
in this community to discuss what we can do to better protect ourselves
  *   If you wish to discuss this request, you can call me directly at 617.492.9099 ext. 65263

Survey
For each security control below, please indicate with an "X" in the Deployed column if this has been substantially 
deployed (at least 30% of your network) at your institution.  Then in the Ease column, provide a rating from 1-5 on the 
ease of implementation of this control.  Consider time, effort, cost, administrative overhead and any student/staff 
resistance where:
1 = Highest Difficulty
2 = Very Difficult
3 = Moderate
4 = Somewhat Difficult
5 = Easy

Control & Description                                                              Deployed (X only)   Ease (1-5)

Private VLANs
  Network switches are manually configured to prevent workstations from communicating directly with other 
  workstations (they can only reach server networks).
  Deployed: ___   Ease: ___

Network Access Control (NAC)
  Automated network isolation whereby devices are dynamically assigned to a pre-configured VLAN.  Examples include 
  Forescout, Cisco ISE.
  Deployed: ___   Ease: ___

Microsegmentation
  A different approach where automation is applied to the endpoint, limiting its communication with other devices.  
  Examples: Illumio, Guardicore.
  Deployed: ___   Ease: ___

Endpoint Firewall Management
  Using an operating system native or third party firewall on endpoints (blocking peer-to-peer communication both on 
  and off-site).
  Deployed: ___   Ease: ___

Credential Management with Microsoft LAPS
  Free Microsoft tool that automatically assigns unique Administrator passwords to all participating devices.
  Deployed: ___   Ease: ___

Credential Management with a Third Party Tool
  Management of powerful accounts using a tool such as BeyondTrust, Thycotic, or CyberArk.
  Deployed: ___   Ease: ___

Block local account remote usage
  Via Windows security policy, prevent local accounts from being able to access devices remotely.
  Deployed: ___   Ease: ___

Patch and Protect RDP
  All publicly exposed RDP servers are fully patched, NLA is enabled, and RDP is either locked down to a small number 
  of subnets or protected by MFA.
  Deployed: ___   Ease: ___

Lockdown of "Access this computer from the network"
  Tightly restrict the ability to access workstations through this setting in Windows policy.
  Deployed: ___   Ease: ___

Application Whitelisting
  e.g. Carbon Black, Lumension, Ivanti, AppLocker.
  Deployed: ___   Ease: ___

Disabling Legacy Protocols
  Neutralize these protocols that ease the way for intruders: LLMNR, mDNS, NetBIOS, WPAD, and SMBv1.
  Deployed: ___   Ease: ___

Enforce SMB Signing
  To prevent SMB Relay attacks.
  Deployed: ___   Ease: ___

Microsoft Credential Guard
  Microsoft's protection against credential theft with requirements that include Windows 10 Enterprise and TPM 2.0.
  Deployed: ___   Ease: ___


Thank you for your help!

Regards,
Bill Kyrouz


William J. Kyrouz
Director of Information Security
Jenzabar
O - 617.492.9099  x65263
Jenzabar: https://www.jenzabar.com/
Connect with us!  Facebook: https://www.facebook.com/Jenzabar/   LinkedIn: https://www.linkedin.com/company/jenzabar/   
Twitter: https://twitter.com/Jenzabar   Instagram: https://www.instagram.com/jenzabar1


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
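An added example, not part of the survey e-mail above and not a Jenzabar tool: a read-only PowerShell audit that a respondent could run on a single Windows endpoint to check the Windows-side controls the survey lists (legacy protocols LLMNR/NetBIOS/WPAD/SMBv1, SMB signing, Microsoft LAPS, Credential Guard, and the local-account network-logon denial). It changes nothing; it only reads configuration. Assumptions: PowerShell 5.1 or later on Windows 10 / Server 2016 or later, run from an elevated prompt so the SMB, Device Guard and secedit queries succeed; the registry paths and value names used are the documented Group Policy locations for each setting (the LAPS check covers the legacy AdmPwd client, not the newer Windows LAPS); the "Pass" column reflects the survey's reading of each control as disabled or enforced. Network-side controls in the survey (private VLANs, NAC, microsegmentation, RDP exposure, application whitelisting) are not visible from a single host and are not checked here.

```powershell
# Added example (not from the survey e-mail). Read-only audit of the
# Windows-side lateral-movement controls on the local machine.
# Run elevated. Assumes documented GPO registry locations (see lead-in).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. setting not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LateralMovementControls {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Control, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Ok; Detail = $Detail })
    }

    # --- Disabling legacy protocols ------------------------------------------
    # LLMNR: GPO "Turn off multicast name resolution" writes EnableMulticast = 0.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    Add-Result 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr"

    # NetBIOS over TCP/IP: per adapter, TcpipNetbiosOptions 2 = disabled.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $nbtOn = @($adapters | Where-Object { $_.TcpipNetbiosOptions -ne 2 })
    Add-Result 'NetBIOS disabled on all IP-enabled adapters' ($nbtOn.Count -eq 0) "$($nbtOn.Count) adapter(s) still enabled"

    # WPAD: the WinHTTP Web Proxy Auto-Discovery service should be Disabled.
    $wpad = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $wpadOff = ($null -ne $wpad) -and ($wpad.StartType -eq 'Disabled')
    Add-Result 'WPAD service disabled' $wpadOff "StartType=$($wpad.StartType)"

    # SMBv1: server-side protocol switch.
    $smb = Get-SmbServerConfiguration
    Add-Result 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # --- Enforce SMB signing (both directions) -------------------------------
    Add-Result 'SMB signing required (server)' $smb.RequireSecuritySignature "RequireSecuritySignature=$($smb.RequireSecuritySignature)"
    $smbClient = Get-SmbClientConfiguration
    Add-Result 'SMB signing required (client)' $smbClient.RequireSecuritySignature "RequireSecuritySignature=$($smbClient.RequireSecuritySignature)"

    # --- Credential Management with Microsoft LAPS (legacy AdmPwd CSE) --------
    $laps = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    Add-Result 'LAPS (AdmPwd) policy enabled' ($laps -eq 1) "AdmPwdEnabled=$laps"

    # --- Microsoft Credential Guard -------------------------------------------
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    Add-Result 'Credential Guard running' $cgRunning "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

    # --- Block local account remote usage -------------------------------------
    # Export the local user-rights policy and check that "Deny access to this
    # computer from the network" (SeDenyNetworkLogonRight) lists S-1-5-114,
    # i.e. NT AUTHORITY\Local account and member of Administrators group.
    $tmp = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $deny = Get-Content $tmp | Where-Object { $_ -match '^SeDenyNetworkLogonRight' } | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    Add-Result 'Local admin accounts denied network logon' ($deny -match 'S-1-5-114') "$deny"

    return $results
}

# Usage: prints one row per control with Pass = True/False and the raw value read.
Test-LateralMovementControls | Format-Table -AutoSize
```

Each row's Detail column carries the raw value read, so a False result can be traced to the exact setting; a $null in Detail means the policy key simply is not present on that machine, which for the survey's purposes counts as "not deployed". mDNS, also named in the survey, has no single registry switch in Windows 10 of that era and is deliberately left out rather than guessed at.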
