I like what you have in the document Andrew.

 

One thing we might add is the benefit of cross-pollination that has happened between the schools because of the team structure. After an assessment, team members are able to bring back ideas of best practices to their school, and weaknesses observed at the other school can be checked and hopefully corrected before the 2-year cycle rolls around again. We have all learned new tools and techniques from each other and put into practice things we have seen done exceptionally well at the other schools.

 

Jon

 

From: ushe-assess-bounces@lists.dixie.edu [mailto:ushe-assess-bounces@lists.dixie.edu] On Behalf Of Mark Walton
Sent: Wednesday, June 24, 2015 1:12 PM
To: Andrew Goble
Cc: USHE-assess@lists.dixie.edu
Subject: Re: [USHE-assess] CIO Presentation

 

I'm just looking for the scores so the report to the CIOs was fairly complete.  I know the SUU report won't be available for years to come.  And honestly, I'm not too worried about the scores.  At the worst, they stay the same, at the best, we slightly improve.  I don't think it will be a blindside either way for us.  So I just thought it would be fairly easy for the three people to give a score without worrying about the justifications or the write-ups.  But I'm good with either way.

 

Mark

 

On Wed, Jun 24, 2015 at 11:45 AM, Andrew Goble <goble@dixie.edu> wrote:

I don't have any scores back for SUU from the team, and even if I did, I still wouldn't have the report ready for you and Thom to look at first so I didn't want to put scores in and blindside you.



On 06/24/2015 11:38 AM, Mark Walton wrote:

One other thing.  The scoring for SUU for the SANS controls shows
Pending for the three I had evaluated.  Is there any way to at least get
the scores from everybody so that could be complete?

Mark

On Tue, Jun 23, 2015 at 4:06 PM, Andrew Goble <goble@dixie.edu> wrote:

    One last favor, I've dropped a couple of files on the dump under the
    CIO- June2015 folder, these will be used during the presentation to
    the CIOs on Friday.  If you have a moment, please take a look and
    fact and sanity check me.

    Thanks,
    Andrew


    On 06/23/2015 09:23 AM, Jon Barclay wrote:

        I second everything that's been said. Doing an assessment in
        August sounds great, and I'm up for a couple of tooling/prep days.

        I like the idea of being able to do recon work prior to being on
        campus. If we are allowed to begin things like phishing and
        recon earlier it would be important to have a scope then as well.

        The things we all seem to be weak at are detection of abuse of
        privileged accounts. We are not quiet on these assessments, but
        most of the time the scans are what get detected, not user
        accounts logging into hundreds of systems. Alerting on abnormal
        use of accounts would go a long way. It seems like PowerShell is
        the next frontier for attackers, and we've started to use it as
        well. Being able to detect abnormal PowerShell activity would
        also be a huge win.

        Thanks,

        Jon



        -----Original Message-----
        From: ushe-assess-bounces@lists.dixie.edu
        [mailto:ushe-assess-bounces@lists.dixie.edu] On Behalf Of Jake Johansen
        Sent: Tuesday, June 23, 2015 9:06 AM
        To: Andrew Goble; Chuck Kimber; ushe-assess@lists.dixie.edu
        Subject: Re: [USHE-assess] CIO Presentation

        Sounds good to me, on both suggestions

        Thanks
        Jake

        On 6/22/15, 4:57 PM, "Andrew Goble" <goble@dixie.edu> wrote:

            Also, this will come up Friday as well... scheduling:

            First off, how does everyone feel about a 1.5 - 2 day team
            meeting in July somewhere centralish (UofU or UVU)?  Be an
            opportunity to distribute new hardware and work on tools
            without the distraction of actually being on an assessment.

            Second, I'd like to stick as best as possible to the order we
            established this last round:

            FY 2016
            Weber - Dixie - SLCC - Utah State

            FY 2017
            UofU - Snow - UVU - SUU

            I'd like to see if we can get to Weber in early August, with
            mid-to-late September as a backup.  That would put Dixie
            October / Novemberish (with the contingency of a new arrival
            in my family due in late November that might influence timing
            for me/Dixie.)  Worst case scenario we'd be looking at Weber
            in the fall sometime and Dixie in January.  I just want to
            avoid a situation where we go 5 or 6 months with no
            assessment.  We get rusty and have to cram them into the
            Spring.

            Thoughts?

            Thanks,
            Andrew



            On 06/22/2015 12:07 PM, Chuck Kimber wrote:

                On Mon, Jun 22, 2015 at 11:45 AM, Andrew Goble <goble@dixie.edu> wrote:


                      From your point of view, what are the pervasively
                      good, and pervasively bad things we've found across
                      the institutions?  (wifi evil twin, etc)

                      What could we be spending money or effort on as a
                      system to help fix some of these issues
                      (system-license of Duo, Cloudpath, etc)


                Things I think everyone is struggling to do or affording
                where USHE bulk purchasing may help.

                IPS, IDS
                Logging
                Alerting, where logs do exist
                Detecting out of norm behaviours.  Software like Rapid7
                UserInsight.
                The Responder, broadcast stuff Jon has alerted us to and
                that we've massively exploited already and I can see is
                going to be trouble for everyone.  This is a config and
                mentality change, not necessarily something to spend money
                on as a body.

                      Will also bring up the idea of increasing the time
                      we have available to poke at stuff before we come
                      on-site

                I still like this idea, if we can devote any time to it,
                as APT is such an issue these days.  It helps us give a
                sense of how an APT might play out, albeit on a shorter
                time period.

            _______________________________________________
            USHE-assess mailing list
            USHE-assess@lists.dixie.edu
            http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess

