Information Security Awareness

I am in Hershey, PA, attending the SunGard PABUG conference. This is a conference for Banner users at universities. Banner is a way to access data from information systems like an Oracle RDBMS. I just got out of a talk titled “The Value of IT Security” from Chris Walcutt of Advanced SunGard Higher Education. The talk was fine, but lacking one thing: wireless security. He knew all about government regulations and steps to take after a breach. He talked about stolen data from physical devices: phones, laptops, computers. He mentioned social engineering and how his firm is always granted access to buildings when dressed as Terminix employees. Poor Terminix, LOL, they are used so often as a decoy… But what about WiFi? Being a shared medium, this is like a HUGE open door to any campus. Once in, you can PWN machines, pivot, pass the hash, etc.; the possibilities are endless. Here are four things that stuck out at me as SUPER important for I.S.:

1. There is data breach legislation in some states that says that the owner of the victim server is responsible for notifying those persons whose data has been stolen. Now, if your customers, students, clients, etc. are from those states and you are not in one of said states, you NEED to notify them. This reminds me of the time the DB at the Mozilla Store was cracked into. I was notified. Pennsylvania IS one of them. Anyways, that’s an awesome thing to keep in mind!

2. You NEED a designated person in charge of security. This can be any person in your institution. They don’t necessarily need to be Ethical Hacker Certified, or certified at all. They just need to be okay with doing research when they don’t know something security-wise. This is because of the frantic things and emotions that can happen after a breach. Having many people in your institution will just break down. Awesome point!

3. Don’t use your work machine for Forensics purposes. In fact, don’t even use a networked machine at all for forensics purposes. This is so obvious it shouldn’t have been mentioned, but I guess this is all part of the “Awareness!” – Good point!

4. Keep logs and records of “baseline assessments.” This is the very basic assessment. You can have anyone do these. I would have added more specific suggestions like these to his talk: run nikto, simple SQL injection utilities (some of which are simply Firefox plug-ins now), metasploit (well, I’d instruct to use FastTrack for speed for these really basic tests), and other suites like Nessus, Core, etc. Then simply log everything you find.

It was a good talk and well worth retelling. But, wireless networks! I have bypassed the most advanced security systems using a simple wireless phishing attack! I guess a lot of things slip people’s minds in this field. It makes sense, because there is just far too much stuff to keep up with. Security Awareness in IT is a huge topic. One that should never die. Thank you for the great presentation, Chris!


5 thoughts on “Information Security Awareness”

  • Douglas,

    Thank you for the feedback! I appreciate your comments and your knowledge of the subject. Input from knowledgeable colleagues is part of what makes the IS field so great. Having said that, your point is well taken…Wi-Fi security is a potential point of entry, particularly in higher education. As a point of reference, my background includes the complete Wi-Fi architecture and deployment for another very large enterprise (15,000 users in a corporate environment) and I couldn’t agree with you more regarding the need to secure it.

    What I commonly find is that many of our higher education partners and clients have segregated the student and guest wireless (untrusted) from the employee and faculty wireless (trusted). It is not unusual to see the former requiring some manner of registration but otherwise being fairly open. The latter is typically much more highly secured, including the utilization of protocols not known to be cracked. It is also not unusual for the student Wi-Fi to make use of the student Internet connection, which may not be the same as the faculty/staff iteration. This dichotomy employs the 80/20 rule. Solving 80% of the security equation takes 20% of the resources and solving the other 20%…well, you know the rule. Because of this, the rule of diminishing returns also applies. How far should an institution of higher education, with an already constrained budget, go to solve the problem? Typically the answer with the “trusted wireless” is as far as it takes and the answer with the “untrusted wireless” is best effort. The rest is up to proper network security architecture on the wired side.

    As to the presentation you attended, it has a very specific purpose: to raise awareness of Infosec issues in the community. It is not intended to be a deep dive into any subset topic, nor is it intended to be all-inclusive of the issues our clients face. What we hope attendees take away from it is exactly what you have, some thoughts. We want people who may not be thinking about information security to start thinking about it. My goal as an Infosec professional is to raise awareness without using FUD (Fear, Uncertainty, and Doubt) to do so.

    As a result of this singular goal, I purposely avoid utilizing the names of vendors we employ in our services and I make particular attempts to make certain attendees don’t walk away feeling like they just left a timeshare sales pitch…slightly dirty. Rest assured, we are well aware of wireless security as an issue and our services include a complete wireless assessment utilizing cutting edge technical assessment tools. While I’m not comfortable plugging any one vendor publicly in a forum such as this, I am more than happy to share the products we utilize to support our clients if anyone cares to contact me directly (see below).

    I very much appreciate the feedback and will make a note that we should include some additional wireless-specific content in our future presentations. You are correct that insecure Wi-Fi poses a major risk to the greater user community at large. Please feel free to contact me with questions or comments.


    Christopher Walcutt, CISSP
    Manager – Information Security Deployment
    SunGard Higher Education
    Chris (dot) Walcutt (at) SunGardHE (dot) com
    four zero seven – four two nine – nine two nine four

    • I’m honored! I absolutely had to post about that on my weblog. That was my first experience with the Banner User Group Conference and I have to say, Chris, your talk was the most beneficial and meaningful to me. Thank you! People really just need to know, I can’t stress this enough. :)
