Penn Continues To Invest In Initiatives To Prevent Cyber-Attacks
August 19, 2013 :: Joshua Beeman, University Information Security Officer, ISC
News stories about computer security and data breaches are at an all time high. Whether they are international reports of hackers commanding high prices for newly discovered vulnerabilities, or more local news about peers in Higher Ed losing tens of thousands of user records, many of these stories can be traced to common methods of attack: compromised accounts, unpatched machines, poorly monitored systems, vulnerable third party software, and human error.
Penn continues to invest in a number of initiatives to help mitigate these risks, including:
- Stronger credentialing – Beginning this July, anyone with a PennKey (Penn's unique credential that protects online resources) can choose to participate in a "two step verification" pilot program. This option, which prompts users for a unique code generated on their smartphone, makes PennKey more resistant to brute-force (guessing) attacks, phishing, and other forms of credential theft.
- Centralized client management - This year ISC will establish a service to help Schools and Centers centrally manage every faculty and staff computer (laptops and desktops). This service will monitor and patch systems, allowing Local Support Providers to more effectively maintain secure configurations without having to physically visit each computer.
- Improved visibility - Complimenting the extremely successful Intrusion Detection System deployed last year, ISC plans to host a service that will collect, correlate and analyze logs from systems and applications around campus. Together, these two technologies will dramatically support proactive detection and rapid investigation of security events.
- Clearer boundaries of trust – ISC continues to work with campus-wide IT groups, the Office of General Counsel, Privacy, and Purchasing to improve our confidence in 3rd party vendor offerings (including cloud vendors) through the ongoing development and maturity of vendor assessment tools. In addition, ISC continues to establish a portfolio of vetted cloud services (e.g., Amazon, Box, Google, Microsoft, etc.) that the campus can leverage immediately, knowing that the relevant protections have been established and documented in Penn-specific contracts.
- Help and guidance – Penn maintains a large network of people, tools and processes to help secure our networks, systems, and data. In support of Local Support Providers (LSPs), ISC provides in-person training, publishes guidance and policy, and has established working groups and "Security Liaisons" to promote best practices. This year three "ready-to-use" slide decks that cover key security awareness topics (phishing, mobile device security, and the cloud) are available for use or in-person presentations by School and Center security personnel. Also available are in-person presentations about how to best secure web applications.
For more information about any of these initiatives, please contact firstname.lastname@example.org.