One last favor, I've dropped a couple of files on the dump under the CIO- June2015 folder, these will be used during the presentation to the CIOs on Friday. If you have a moment, please take a look and fact and sanity check me.
Thanks,
Andrew
On 06/23/2015 09:23 AM, Jon Barclay wrote:
I second everything that's been said. Doing an assessment in August sounds great, and I'm up for a couple of tooling/prep days.
I like the idea of being able to do recon work prior to being on campus. If we are allowed to begin things like phishing and recon earlier it would be important to have a scope then as well.
The things we all seem to be weak at are detection of abuse of privileged accounts. We are not quiet on these assessments, but most of the time the scans are what get detected, not user accounts logging into hundreds of systems. Alerting on abnormal use of accounts would go a long way. It seems like PowerShell is the next frontier for attackers, and we've started to use it as well. Being able to detect abnormal PowerShell activity would also be a huge win.
Thanks,
Jon
-----Original Message-----
From: ushe-assess-bounces@lists.dixie.edu [mailto:ushe-assess-bounces@lists.dixie.edu] On Behalf Of Jake Johansen
Sent: Tuesday, June 23, 2015 9:06 AM
To: Andrew Goble; Chuck Kimber; ushe-assess@lists.dixie.edu
Subject: Re: [USHE-assess] CIO Presentation
Sounds good to me, on both suggestions
Thanks
Jake
On 6/22/15, 4:57 PM, "Andrew Goble" <goble@dixie.edu> wrote:
Also, this will come up Friday as well... scheduling:
First off, how does everyone feel about a 1.5 - 2 day team meeting in
July somewhere centralish (UofU or UVU)? Be an opportunity to
distribute new hardware and work on tools without the distraction of
actually being on an assessment.
Second, I'd like to stick as best as possible to the order we
established this last round:
FY 2016
Weber - Dixie - SLCC - Utah State
FY 2017
UofU - Snow - UVU - SUU
I'd like to see if we can get to Weber in early August, with
mid-to-late September as a backup. That would put Dixie October /
Novemberish (with the contingency of a new arrival in my family due in
late November that might influence timing for me/Dixie.) Worst case
scenario we'd be looking at Weber in the fall sometime and Dixie in
January. I just want to avoid a situation where we go 5 or 6 months
with no assessment. We get rusty and have to cram them into the Spring.
Thoughts?
Thanks,
Andrew
On 06/22/2015 12:07 PM, Chuck Kimber wrote:
On Mon, Jun 22, 2015 at 11:45 AM, Andrew Goble <goble@dixie.edu> wrote:
From your point of view, what are the pervasively good, and
pervasively bad things we've found across the institutions? (wifi
evil twin, etc)
What could we be spending money or effort on as a system to help fix
some of these issues (system-license of Duo, Cloudpath, etc)?
Things I think everyone is struggling to do or afford where USHE
bulk purchasing may help.
IPS, IDS
Logging
Alerting, where logs do exist
Detecting out of norm behaviours. Software like Rapid7 UserInsight.
The Responder, broadcast stuff Jon has alerted us to and that we've
massively exploited already and I can see is going to be trouble for
everyone. This is a config and mentality change, not necessarily
something to spend money on as a body.
Will also bring up the idea of increasing the time we have available
to poke at stuff before we come on-site
I still like this idea, if we can devote any time to it, as APT is
such an issue these days. It helps us give a sense of how an APT
might play out, albeit on a shorter time period.
USHE-assess mailing list
USHE-assess@lists.dixie.edu
http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess