BreachExchange mailing list archives

Harvard CISO shares pearls of IT security wisdom
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Aug 2015 17:36:56 -0600

http://www.computerworld.com/article/2956036/security/harvard-ciso-shares-pearls-of-it-security-wisdom.html

Chief Information Security Officer Christian Hamer, who is responsible for
policy and awareness across Harvard University and whose team handles
security operations and incident response, took part in a panel last week
at the Campus Technology conference in Boston (Campus Technology’s Rhea
Kelly moderated; ESET researcher Lysa Myers was also an expert panelist).
Here’s a selection of Hamer’s more notable observations:

Most important steps for protecting your network: “We think all too often
about IT security or information security [as being] about the bits and
bytes, and what kind of widget we put on the network or somebody’s computer
to protect it… But in general we have populations that want to do the right
thing. They’re a lot more aware of the threats now because a lot of them
have been in the media quite a bit recently. But they’re just not sure what
to do or how to do it. And that’s probably the No. 1 thing that people
could double down on. Does your community know what to do? Do they know how
to do it? And do they know who to ask if they have trouble understanding
that?”

Mobile security: “There’s a great industry around mobile device management
and an interesting debate about whether this is something appropriate for
higher ed or not… I don’t see myself asking a faculty member to install
software on his or her personal phone. These things are really quite
personal -- if you’re not sure about that ask [New England Patriots
quarterback] Tom Brady about how he felt about his phone. That said, this
is an important area... that doesn't mean you can just ignore this. I think
it’s really about trying to abstract the data from the device. When you
think about bringing your own device and mobile, that’s the way you need to
think about it. I’ve heard plenty of people talk about these great MDM
programs that they’ve come up with in higher ed, and then I’ll ask them,
‘So how many faculty members are using it?’ and that’s usually where the
conversation ends.”

Best practices for security awareness among end users: “We’re going to be
rolling out a campaign very soon focused around four best practices. (1) We
want them to apply updates whether that’s on their phone, on their
operating system on their computer, or for the individual pieces of
software. That’s probably one of the single best ways to protect yourself.
(2) We want them to use strong passwords, and that means unique and
difficult to guess. But we also want to offer them tools, whether it’s
things like password managers [Harvard has done an extensive pilot with
LastPass via Internet2] or pieces like 2-step verification. (3) We want to
make sure that people click wisely, going back to phishing issues. If we
can get the user to recognize that there might be something a little off
about this and not go there. (4) The last piece is about knowing your data.
It’s really important to understand what do you have, whether it’s on your
machine or a file share. Why do you have it? If you really still need it,
and if you don’t, how can you get rid of it securely.”

Convincing users to buy into best practices: “[One] way to enforce the
point is that these are just good practices that people should use in their
online life whether it’s at work, as a student or faculty member, or just
at home. There ought to be a lot of self interest there.”

The Internet of Things: “[This is] a giant issue. If you didn’t see the
news about Chrysler [a Jeep being remotely hacked] and weren’t sure about
how big an issue it is, it’s gigantic. I think the best thing we can do is
understand where these devices are and try to wall them off from things,
because at least in my experience they are not designed with security in
mind at all… [People] are surprised when we come by and say that thing that
they think is a digital sign actually has malware on it and needs to be
taken off the network. The real danger area is where those things can
intersect with critical data. We’ve seen proposals to put devices on our
network that would collect recyclables and involve credit cards somehow,
and that’s the part where you have to say OK, wait a minute, we need to
separate these two things… [The long view] is that smart devices make our
lives better and that’s fantastic but we need to understand that they’re
not designed at this point with security in mind.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/