Security in the Enterprise.
It's Personal

TCEA Technology Leadership Summit

December 9, 2016

Bill Fitzgerald


Hashtags

#TCEA

#TCEASummit

Dolls and Fake News

This Year: Your Doll Is Calling

Remember Last Year?

"The information stored by the doll could allow hackers to take over a home Wi-Fi network and from there gain access to other internet connected devices, steal personal information and cause other problems for the owners, potentially without their knowledge."

Your Neighbors Across the World Say Hello: Shodan.io

Insecam.org

Our Toasters Resent Us

Source

Our Coffee Doesn't Like Us Either

2013 Source. 2015 Source.

2013: Theory

2015: Practice

And There Goes Our Healthcare

Hospital Equipment can be compromised.


With serious consequences.

Insecure Devices are Real, But the News? Not so much.

Source

Significant and Growing Percentage of People Get News Online

38%, as of July 2016

Facebook as Vector

Trust the URL.

AdTech as Engine for Fake News

Dark Patterns - http://darkpatterns.org/

We are only as secure as our least secure friend

Security in a Vacuum

Security Informed by Accurate Threat Modeling

Guiding Questions

  • What do you want to protect?
  • Who do you need to protect it from?
  • How much energy is required to protect it? (implied question: is it worth it?)
  • What protections are currently in place?
  • What are the consequences if the protections fail?

Consequences Often Include

  • Compliance issues
  • Headlines (usually local, sometimes national)
  • Parent complaints
  • Social media attention
  • Effects in the classroom
  • Effects on connectivity/network performance

Affects student inquiry?

  • Filters
  • Bandwidth caps
  • Logging

Security precautions can create assets we now need to protect.

  • School Needs
  • District Needs
  • Curriculum Needs
  • Teacher Needs
  • Security Needs
  • Parent Needs
  • Vendor Needs

Where does the school environment end?

Where does the classroom end?

Where does the learning end?

Do we have different obligations along the spectrum?

Where do our obligations end?

Anyone who touches our network has needs that must be met, yet anyone who touches our network can compromise it.

Sometimes these tensions are irreconcilable. When that happens, what processes do we have in place for determining priority?

The World We Live In

  • https://www.privacyrights.org/data-breaches
  • https://www.databreaches.net/

Malware delivered by ad networks

Short Source. The Real Deal.

Ransomware

Changing passwords every X months

Can We Stop Doing This?

Lost laptops

Lost thumbdrives

Demands for increased productivity can lead to unsound security practice

Laptops lead to unsound security practice

Mobile devices lead to unsound security practice

Can I get a shout out for free wireless with no password?

(not in a good way)

Risks posed by users

Risks we create ourselves

  • Our filter logs are a security risk and a privacy risk.
  • Do we know who can access them, and how?
  • Can we audit that trail?
  • What do our filters protect?

Question:

What is the shortest possible amount of time I will need this information?

So. What Can We Actually Do?

No silver bullets (sorry)

The Obvious Things

  • Threat Modeling/Risk Analysis
  • Identify Assets and Risks
  • Data Minimization
  • Malware Scans
  • Breach Notification Policies
  • Secure (Encrypted) Backups
  • If It Moves, Encrypt It
  • Regular Testing
  • Audit Vendors (and ask questions - lots of questions)
  • Password Managers
  • etc.

The People Problem: The answer lies in fake news

Safe Browsing Habits - it's good for our networks, it's good for our information access

Block AdTech, not Information

Give People the Tools to Break Filter Bubbles

Clear Data Use Training

What is PII, what is sensitive - and really, it's all sensitive:

  • battery signatures
  • touch patterns

Battery, Source One and Two. Patterns, Source One and Two.

Clear policies and transparent process

(people should know who to talk to about issues they experience, and the decision making process should be clear)

Say "Yes" Whenever Possible; Say "No" Transparently

Questions? Comments?

Bill Fitzgerald

bill@funnymonkey.com

@funnymonkey

TCEA, December 9th, 2016

By billfitzgerald
