Re: 2-Factor Authentication / FERPA

["Shettler, David" <dshettle () HOLYCROSS EDU>]

Seconded. 2FA is fundamental in a post-Podesta world, far easier to
implement than half the items listed, and not mutually exclusive with any
of them.

That being said not all 2FA are created equal.  Enabling it for G Suite or
Office 365 is one thing, but doing a Duo deployment for ERP systems can be
trickier.

One tip I can offer is buy some hardware tokens. You won't need many (for
us, maybe 5% tops opt for them), but some percentage of the environment
will argue against using a smartphone or telephone number. We didn't
advertise tokens as an option, except to placate those who refused to use
their phones. Having it as an unadvertised tertiary option has facilitated
our deployment dramatically.

Current events are also helpful: "Don't be John Podesta".

Best,

David

On Fri, Mar 3, 2017 at 2:08 PM, Ben Marsden <bmarsden () smith edu> wrote:

> Hi Nick,
>
>    I have *no* problem with your list of important security controls.  I
> do have a problem with your assertion that MFA "should only be considered
> if..." all the elements in your list are already in place.
>
>    I would contend that the increasing frequency of
> password-only-protected user account compromise is a real and very tangible
> threat to both financial and informational resources across the board to
> the institution (and the individual too), and so mitigating that risk is at
> a strategic level as important as other priority security controls.
> Further,  I'll suggest that implementing and supporting many of the items
> on your list require a variety and commitment of Resources (big, inclusive
> "R") that may or may not be as readily available to you as they deserve.
> If there is institutional will to implement 2FA/MFA, don't try and
> rechannel that will and those resources to bolster other initiatives.  Take
> it and run with it.
>
>    Just IMHO,
>
> --Ben
>
>
> On Fri, Mar 3, 2017 at 1:14 PM, Nicholas Garigliano <ngarigl8 () naz edu>
> wrote:
>
> > Hi Mike,
> >
> > I'm not really addressing your question directly, just adding my 2 cents
> > worth if you are interested.  If I am stating the obvious I apologize.
> >
> > While 2FA can be a integral part of an overall security program, there
> > are significant costs (capital, administrative and political).  Been there,
> > done that.  Outside of remote access (VPN), where it should be a
> > requirement, my feeling is that for internal access it should only be
> > considered if the following are already in place:
> >
> > - Have a verifiable patch management process in place which includes
> > categorizing and applying patches on a regular schedule.  This would
> > include applying critical patches outside of the schedule.
> > - Run regular authenticated vulnerability assessments to discover,
> > inventory and asses systems on on your network.  This is also used to
> > verify patching.
> > - All sysadmins/domain admins/network admins/DBA's etc have dedicated
> > accounts that are used for administrative functions only and do not have
> > access to the internet.  In addition, they use dedicate workstations that
> > do not have access to the internet.  This is especially critical if you are
> > using AD.
> > - Developers should not have direct access to sensitive data, i.e sql
> > access to a database.
> > - Have a centralized logging system in place from which you can generate
> > alerts (SIEM like functionality).
> > - Segment the network to put those systems containing sensitive
> > information behind an enforcement point and control access to these systems
> > from only dedicated workstations/servers using only the protocols/ports
> > that are needed.
> > - Systems which store sensitive data should be dedicated to this purpose
> > and not used for other purposes as well.
> > - Do not use shared service accounts to access data and monitor the use
> > of these accounts.  Have a password management process in place which
> > creates an audit trail for password use.
> > - Do not use sensitive production data in non-production systems, if
> > possible.
> > - Have visibility into the traffic on your network (taps, aggregation
> > switches, span ports etc).  Use a tool such as Bro to monitor this traffic.
> > - Perform threat modeling/pen testing on the apps consuming the data.
> > Yes, these are terms that can mean different things to different people.
> > The app should undergo some basic assessment at the least.
> >
> > This list is by no means comprehensive and I'm aware that doing all of
> > the above is no minor accomplishment.   For many institutions all or part
> > might be unrealistic for all sorts of reasons.  But, from my experience it
> > makes more since to direct limited resources into these areas before
> > implementing something like 2FA.
> >
> >
> > Nick Garigliano, CISSP, GCIH
> > Network Security Engineer
> > Enterprise & Network Solutions
> > Nazareth College
> > 585 389-2109 <(585)%20389-2109>
> >
> > On Fri, Mar 3, 2017 at 11:36 AM, Dodor, Michael <DodorM () uwstout edu>
> > wrote:
> >
> > > Greetings,
> > >
> > >
> > >
> > > A number of regional campuses are in discussions on requiring 2-factor
> > > for access to High Risk data and one of the elements would be non-directory
> > > (private) FERPA records.
> > >
> > > The consensus concern with such a rollout would be usability on such a
> > > large scale and backlash from Faculty.
> > >
> > >
> > >
> > > Has anyone implemented and required 2-factor authentication for faculty
> > > accessing non-directory records? And if so, any tips?
> > >
> > >
> > >
> > > Thank you.
> > >
> > >
> > >
> > > Mike Dodor
> > >
> > > Network Administrator/Information Security
> > >
> > > Learning and Information Technology
> > >
> > > University of Wisconsin – Stout
> > >
> > > 327 Millennium Hall
> > >
> > > Menomonie, WI  54751
> > >
> > > Phone: 715-232-2671 <(715)%20232-2671>
> > >
> > > dodorm () uwstout edu
>
>
> --
> [}--> BEWARE of links and attachments in email!   *  Stop, Think before
> you click *
> ============================================
> Ben Marsden : Information Security Director, CISSP
> ITS, 201 Stoddard Hall, Smith College, Northampton, MA 01063
> ---------------------------------------------------------------------
> =--> Any request to reveal your Smith password via email is fraudulent!



-- 

*DAVID SHETTLER*
*Information Security Officer*
Information Technology Services
dshettle () holycross edu
*phone: *(508) 793-3073
One College Street
Box ITS
Worcester, Mass. 01610
www.holycross.edu

*Don't get Phished: Hover over links in your email to see where they go
BEFORE you click!  *

Do you have what it takes to spot a phish?
http://phishingchallenge.holycross.edu

Watch our online sessions on phishing identification:
http://phishmenot.holycross.edu/online-training

Follow us on Twitter: @hcinfosec