BRUCE BARRETT
Director of Networking and Telecommunications for Information Technology, Community College of RI

Q: How has the proliferation of mobile devices impacted security measures?

A layered approach is essential, not only for perimeter security but at the network and individual workstation level as well. The use of network access controls, data loss prevention technologies and advanced persistent threat monitoring are essential so that all activities flowing through the network are being evaluated for potential malware or leaks of information. Stringent policies, with buy-in from executive leadership, outlining what behaviors are acceptable and which behaviors won’t be tolerated must be created. Employees need to know of, and understand, the potential dangers if their system or the network is compromised. End users are on the front lines of keeping data secure.

Q: In such complex IT environments, how do you balance security & usability?

In general, access management technology limits the user’s access to only resources that he or she has been previously approved to access (as is required to perform their job function). Due diligence is always the practice in terms of compliance requirements (which is taking an increasing amount of time and resources) and to follow pre-established best practices and controls as already defined in the NIST Framework. Such framework controls are also the justification and provide authority to implement procedures such as frequency of password changes.

At CCRI, the college has adopted a security awareness program to both educate and justify actions to the user community.

Q: There is a renewed push for companies to weaken encryption methodologies so governments can more easily access data during investigations. What impact would such policies have on your organization / constituents?

There may be privacy concerns with faculty, staff and students. The college’s practice and policies have always been to practice due diligence in terms of security while at the same time imposing constraints that will protect the exposure of personal identity information. While this is not a big problem for the college, it will provide a new “backdoor” to the college network. As such it is critical that the government access be totally secure in terms of people, process and technology to prevent exploitation by hackers. The college recognizes this as authorized access supported by written legal authority from the government (i.e., analogous to a search warrant).

What’s the value of your information worth on the black market?

INFORMATION                                        VALUE           METHOD
1,000 Stolen Email Addresses                       $0.50 — $10     Spam, Phishing
Credit Card Details                                $0.50 — $20     Fraudulent Purchases
Scans of Real Passports                            $1 — $2         Identity Theft
Stolen Gaming Accounts                             $10 — $15       Attaining Valuable Virtual Items
Custom Malware                                     $12 — $3,500    Payment Diversions, Bitcoin Stealing
1,000 Social Network Followers                     $2 — $12        Generating Viewer Interest
Stolen Cloud Accounts                              $7 — $8         Hosting a Command-and-Control (C&C) Server
1 Million Verified Email Spam Mail-outs            $70 — $150      Spam, Phishing
Registered and Activated Russian Mobile Phone      $100            Fraud
SIM Card

34 | CURRENT 2015-2016 | Stronger Together | 35