I am in Hershey Pa, attending the SunGard PABUG conference. This is a conference for Banner users at university’s. Banner is a way to access data from from information systems like an Oracle RDBMS. I just got out of talk titled “The Value of IT Security” from Chris Walcutt of Advanced SunGard Higher Education. The talk was fine, but lacking one thing. Wireless security. He knew all about govt regulations and steps to take after a breach. He talked about stolen data from physical devices; phones, laptops, computers. He mentioned Social Engineering and how his firm is always granted access to buildings when dressed as Terminix employees. Poor Terminix, LOL, they are used so often as a decoy… But what about WiFi? Being a shared medium, this is like a HUGE open door to any campus. Once in, you can PWN machines, pivot, pass the hash, etc. the possibilities are endless. Here are four things that stuck out at me as SUPER important for I.S.:
1. There are data breach legislations set in some states that say that the owner of the victim server is responsible for notifying those persons whose data has been stolen. Now, if your customers, students, clients, etc are from those states and you are not in one of said states, you NEED to notify them. This reminds me of the time the DB at the Mozilla Store was cracked into. I was notified. Pennsylvania IS one of them. Anyways, that an awesome thing to keep in mind!
2. You NEED a designated person in charge of security. This can be any person in your institution. They don’t necessarily need to be Ethical Hacker Certified, or certified at all. They just need to be okay with doing research when they don’t know something security-wise. This is because of the frantic things and emotions that can happen after a breach. Having many people in your institution will just break down. Awesome point!
3. Don’t use your work machine for Forensics purposes. In fact, don’t even use a networked machine at all for forensics purposes. This is so obvious it shouldn’t have been mentioned, but I guess this is all part of the “Awareness!” – Good point!
4. Keep logs and records of “baseline assessments.” This is the very basic assessment. You can have anyone do these. I would have added more specific suggestions like these to his talk: Run nikto, simple SQL injections utilities (some of which are simply Firefox plug-ins now) , metasploit (well, I’d instruct to use FastTrack for speed for these really basic tests), run other suites like Nessus, Core, etc. Then simply log everything you find.
It was a good talk and well worthy of retelling it. But, wireless networks! I have bypassed the most advanced security systems using a simple wireless phishing attack! I guess a lot of things slip people’s minds in this field. It makes sense, because there is just far too much stuff to keep up with. Security Awareness in IT is a huge topic. One that should never die. Thank you for the great presentation, Chris!