Security in the Enterprise.
It's Personal
TCEA Technology Leadership Summit
December 9, 2016
Bill Fitzgerald
Hashtags
#TCEA
#TCEASummit
Dolls and Fake News
This Year: Your Doll Is Calling

Remember Last Year?

"The information stored by the doll could allow hackers to take over a home Wi-Fi network and from there gain access to other internet connected devices, steal personal information and cause other problems for the owners, potentially without their knowledge."
Your Neighbors Across the World Say Hello: Shodan.io

Insecam.org

Our Toasters Resent Us

Our Coffee Doesn't Like Us Either
2013: Theory
2015: Practice
And There Goes Our Healthcare
Insecure Devices are Real, But the News? Not so much.
Significant and Growing Percentage of People Get News Online
38%, as of July 2016
Facebook as Vector
Trust the URL.
AdTech as Engine for Fake News
Dark Patterns - http://darkpatterns.org/
We are only as secure as our least secure friend
Security in a Vacuum
Security Informed by Accurate Threat Modeling
- What do you want to protect?
- Who do you need to protect it from?
- How much energy is required to protect it? (implied question: is it worth it?)
- What protections are currently in place?
- What are the consequences if the protections fail?
Guiding Questions
- Compliance issues
- Headlines (usually local, sometimes national)
- Parent complaints
- Social media attention
- Effects in the classroom
- Affects connectivity/network performance
Consequences Often Include
Affects student inquiry?
- Filters
- Bandwidth caps
- Logging
Security precautions can create assets we now need to protect.
- School Needs
- District Needs
- Curriculum Needs
- Teacher Needs
- Security Needs
- Parent Needs
- Vendor Needs
Where does the school environment end?
Where does the classroom end?
Where does the learning end?
Do we have different obligations along the spectrum?
Where do our obligations end?
Anyone who touches our network has needs that must be met, yet anyone who touches our network can compromise it.
Sometimes these tensions are irreconcilable. When that happens, what processes do we have in place for determining priority?
The World We Live In
- https://www.privacyrights.org/data-breaches
- https://www.databreaches.net/
Malware delivered by ad networks
Ransomware
Changing passwords every X months
Can We Stop Doing This
Lost laptops
Lost thumbdrives
Demands for increased productivity can lead to unsound security practice
Laptops lead to unsound security practice
Mobile devices lead to unsound security practice
Can I get a shout out for free wireless with no password?
(not in a good way)
Risks posed by users
Risks we create ourselves
- Our filter logs are a security risk and a privacy risk.
- Do we know who can access them, and how?
- Can we audit that trail?
- What do our filters protect?
Question:
What is the shortest possible amount of time I will need this information?
So. What Can We Actually Do?

No silver bullets (sorry)
The Obvious Things
- Threat Modeling/Risk Analysis
- Identify Assets and Risks
- Data Minimization
- Malware Scans
- Breach Notification Policies
- Secure (Encrypted) Backups
- If It Moves, Encrypt It
- Regular Testing
- Audit Vendors (and ask questions - lots of questions)
- Password Managers
- etc.
The People Problem: The answer lies in fake news
Safe Browsing Habits - it's good for our networks, it's good for our information access
Block AdTech, not Information
Give People the Tools to Break Filter Bubbles
Clear Data Use Training
What is PII, what is sensitive? And really, it's all sensitive:
- battery signatures
- touch patterns
Clear policies and transparent process
(people should know who to talk to about issues they experience, and the decision making process should be clear)
Say "Yes" Whenever Possible; Say "No" Transparently
Questions? Comments?
Bill Fitzgerald
bill@funnymonkey.com
@funnymonkey
TCEA, December 9th, 2016