
Information Security Day

The Ohio State University, Pfahl Executive Education Building Room 140
October 9th, 2008

Every year, during the month of October, the Office of the Chief Information Officer and the IT Security Group host speakers from around the state and the country who come to OSU to discuss topics surrounding Information Security at a "Security Day" event.

The October Security Day event is open to the public. University staff, students and faculty with an interest are welcome, as are employees of local and state government and members of the general public. The event is free and does not require prior registration.

This year the event is being held at The Blackwell Conference Center's Pfahl Executive Education Building, room 140, on the campus of The Ohio State University, from 9:00 a.m. until 4:00 p.m.

We welcome any and all interested parties to attend our event. Information security is a growing concern not only in education but in our everyday lives, and The Office of the Chief Information Officer at The Ohio State University is proud to promote and support information security education and networking events such as this Security Day.

Agenda | Topic Briefs | Speaker Bios | Contact Us | Event Feedback


Security Day 2008 Agenda

9:00 Welcome & CIO Introduction – Kathy Starkoff, OSU CIO
9:15 The Dangers of Social Networks - David Shaw, CISO, Ohio Department of Education
10:00 Break (Coffee)
10:15 A Comparative Analysis of Three Years of Breach Reports by Breach Type and Industry - Lee Ayres, Security Analyst, Interhack
11:45 Lunch (on your own)
1:00 Targeted Malware Attacks Using MS Office Files - Rob Hensing, Microsoft
1:45 Break (Soda & Coffee)
2:00 ISO 27001 & 27002 - The OSU IT Security Framework - Shawn Sines & Charles Morrow-Jones, OSU CIO Security
3:45-4:00 Closing Comments and Thanks


Topic Briefs:

The Dangers of Social Networks,
David Shaw – Ohio Department of Education

Social networking sites can provide an unlimited amount of networking opportunities, but as with most technological advances, they bring with them certain risks. Malware-laden widgets or applications and privacy-stealing grifters are probably the biggest risk, but that photo of you dancing half-nude on a table may make a prospective employer think twice about their decision to hire you.

This presentation will focus on the risks associated with social networking sites and provide some common sense steps to ensure that you are not unwittingly giving away your privacy or destroying your professional reputation.


A Comparative Analysis of Three Years of Breach Reports by Breach Type and Industry,
Lee Ayres - Interhack

A firm understanding of the rates at which types of breaches occur, proportionate to one another, helps with the distribution of limited security budgets, by helping guide the expenditure of capital to where it will have the greatest impact. A number of sources have been proposed with a view to helping with this decision making. Unfortunately, such sources sometimes tend towards anecdote, might be part of a marketing campaign, or lack the context needed to make truly informed decisions.

Following up on the creation of a taxonomy for the hierarchical classification of data losses, we explored the proportion of breach types in a subset of data losses accumulated by the Identity Theft Resource Center. Using the 2002 North American Industry Classification System (NAICS), we classified breach events according to the industry sector in which they occurred.

We discovered a statistically significant distinction between the types of breaches that occur in several of the industry sectors. The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts.

Educational Services reported a disproportionately large number of compromised hosts, while insider conduct and lost and stolen hardware were well below the proportion common to the set as a whole. Public Administration's proportion of compromised host reports was below average, but its proportion of processing errors was well above the norm. The Finance and Insurance sector experienced the smallest overall proportion of processing errors, but the highest proportion of insider misconduct. Other sectors showed no statistically significant difference from the average, either due to a true lack of variance, or due to an insufficient number of samples for the statistical tests being used.
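The sector-by-type comparison described in this brief is the kind of question a chi-square test of independence answers: do the proportions of breach types differ between industry sectors more than chance would explain, and which cells drive the difference? The Python below is an added example written for this page; it is not the speaker's code and does not use the Identity Theft Resource Center data. The counts are constructed, shaped only to mirror the qualitative findings stated above, and the four sector and four breach-type labels are a simplification of the taxonomy and NAICS sectors the talk used. It needs no third-party packages and runs offline.

```python
"""Chi-square test of independence over a sector x breach-type table.

The counts below are CONSTRUCTED sample data for illustration; they are not
the Identity Theft Resource Center data analysed in the talk.
"""
from math import sqrt, exp, log, lgamma

BREACH_TYPES = ["lost/stolen hardware", "compromised host",
                "insider misconduct", "processing error"]

# Constructed counts: rows are industry sectors, columns follow BREACH_TYPES.
OBSERVED = {
    "Health Care and Social Assistance": [40, 5, 10, 10],
    "Educational Services":              [10, 45, 3, 7],
    "Public Administration":             [20, 8, 10, 30],
    "Finance and Insurance":             [15, 15, 30, 3],
}


def chi2_sf(x, df, tol=1e-15, max_iter=10000):
    """P(X > x) for a chi-square variable with df degrees of freedom, via the
    power series of the regularized lower incomplete gamma P(df/2, x/2)."""
    if x <= 0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    term = 1.0 / a          # n = 0 term of sum_n z^n / (a (a+1) ... (a+n))
    total = term
    for n in range(1, max_iter):
        term *= z / (a + n)
        total += term
        if term < total * tol:
            break
    lower = total * exp(a * log(z) - z - lgamma(a))
    return max(0.0, 1.0 - lower)


def expected_counts(observed):
    """Expected cell counts under independence: row_total * col_total / N."""
    rows = list(observed)
    n_cols = len(observed[rows[0]])
    row_totals = {r: sum(observed[r]) for r in rows}
    col_totals = [sum(observed[r][j] for r in rows) for j in range(n_cols)]
    n = sum(row_totals.values())
    return {r: [row_totals[r] * col_totals[j] / n for j in range(n_cols)]
            for r in rows}


def chi_square(observed):
    """Pearson statistic, degrees of freedom, and per-cell standardized
    residuals (obs - exp) / sqrt(exp). A residual far from zero marks a
    sector/type cell that departs from the table-wide proportion."""
    expected = expected_counts(observed)
    stat, residuals = 0.0, {}
    for r, row in observed.items():
        residuals[r] = []
        for j, obs in enumerate(row):
            res = (obs - expected[r][j]) / sqrt(expected[r][j])
            residuals[r].append(res)
            stat += res * res
    df = (len(observed) - 1) * (len(next(iter(observed.values()))) - 1)
    return stat, df, residuals


def notable_cells(residuals, threshold=2.0):
    """Cells with |residual| >= threshold, largest magnitude first. Positive
    means the sector reports that type more often than the set as a whole."""
    cells = [(r, BREACH_TYPES[j], round(res, 2))
             for r, row in residuals.items()
             for j, res in enumerate(row)
             if abs(res) >= threshold]
    return sorted(cells, key=lambda c: -abs(c[2]))


def analyze(observed=OBSERVED):
    stat, df, residuals = chi_square(observed)
    p = chi2_sf(stat, df)
    return {"statistic": round(stat, 2), "df": df, "p_value": p,
            "significant_at_p05": p < 0.05,
            "notable": notable_cells(residuals)}


if __name__ == "__main__":
    result = analyze()
    print(f"chi-square = {result['statistic']} on {result['df']} df, "
          f"p = {result['p_value']:.3g}")
    for sector, btype, res in result["notable"]:
        direction = "above" if res > 0 else "below"
        print(f"  {sector:34s} {btype:21s} {res:+.2f} ({direction} average)")
```

The statistic alone only says that sectors and breach types are not independent; the standardized residuals are what identify which cells carry the effect (with these constructed counts, Educational Services and compromised hosts dominate). The brief's caveat about sectors with too few samples applies here too: expected cell counts below about five make the chi-square approximation unreliable, so check `expected_counts` before trusting a borderline result.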


Targeted Malware Attacks Using MS Office Files,
Rob Hensing, Microsoft

In 2006, 2007 and 2008 malicious Microsoft Office documents have been involved in limited targeted attacks against specific Microsoft customers. In this presentation we will examine a real-world Microsoft Office document that exploited a former 0-day vulnerability (patched in March 2008) in order to install a backdoor on the vulnerable system and exfiltrate data.

In this presentation a malicious Excel document will be opened in a virtual machine running a less than fully patched version of Office 2003 on Windows XP and on Windows Vista in their default configurations. The privileges that are required for this attack to succeed will be discussed along with various mitigation strategies (such as the Microsoft Office Isolated Conversion Environment) that could be employed to reduce the damage potential that could result from opening malicious Office documents.


ISO 27001 & 27002 - The OSU IT Security Framework,
Shawn Sines & Charles Morrow-Jones – The Ohio State University Office of the Chief Information Officer IT Security Group

Information security is a topic that is often addressed only in reaction to an event or series of events, such as a loss of data or an intrusion. The Ohio State University, in anticipation of changes in the world of security threats and in order to better address and manage security risk, will begin implementing the ISO 27001 & 27002 frameworks over the next few years.

Before the process begins, and in order to lay the foundations of the not inconsiderable task ahead, Shawn Sines, Information Security Outreach Specialist, and Charles Morrow-Jones, Director of IT Security, will present the core concepts of the international standard and explain how adopting it will affect and aid The Ohio State University in creating a holistic security risk management environment.



Speaker Bios:

David Shaw, MBA, CISSP, CDMP
Information Security Officer, Ohio Department of Education

In his current role as Information Security Officer, David is responsible for the development, implementation and management of the agency's information security program, which is based on the ISO 27001 framework. David has served the Ohio Department of Education for the past nine years. In addition to his current role, David has held positions as a professional conduct investigator, conduct consultant, data coordinator, data manager, and assistant director for Information Policy and Management.

In addition, David has prior experience in management, law enforcement, and physical security, amounting to more than 13 years across the domains of information security. David received a master of business administration degree with a focus in management information systems from Franklin University, and a bachelor of specialized studies degree in legal studies with a minor in interpersonal communications from Ohio University. David is a certified data management professional (CDMP) and a certified information systems security professional (CISSP).


Lee Ayres, CISSP
Senior Analyst, Interhack Corporation

Lee Ayres joined Interhack as a Senior Analyst in January 2007, supporting both the Forensic Computing and Information Assurance practices. Using his experience as an application developer and systems analyst, he helps attorneys in litigation understand how to make use of the systems and data available to them as evidence.

For the past three years, Lee has been the lead developer at Mercury Markets in Chicago building automated trading systems for the global financial markets using proprietary algorithms.

His previous experience includes work as a developer and system engineer at I-DEP, building systems for taking depositions over the Internet and onShore Development, building Web applications in Common Lisp.

Lee holds a Bachelors Degree in Computer Science and Engineering from The Ohio State University.


Robert Hensing,
Software Security Engineer, Microsoft Corp.

Robert, a 10-year veteran of Microsoft, is a Software Security Engineer on the Microsoft Secure Windows Initiative team, a role he has held for the last 4 years. Robert works closely with the Microsoft Security Response Center with a focus on identifying mitigations and workarounds for product vulnerabilities that can be documented in advisories and bulletins to help protect customers from attacks.

Prior to working on the Secure Windows Initiative team, Robert was a senior member of the Customer Support Services Security team where he helped customers with incident response related investigations and spent most of his time engaged in hand to hand combat with miscreants who were always trying to steal our customers' lucky charms.



Contact Us

If you have any further questions or would like more information regarding the October Security Day event, you may reach the event coordinator, Shawn Sines, Information Security Outreach Specialist in the Office of the CIO IT Security Group, via e-mail.



Event Feedback

We want to thank everyone who attended the 2008 Security Day event. We had some excellent speakers and hope that the topics and discussions were interesting and informative.

In an effort to continue improving our Security Day events, we welcome feedback from our attendees and encourage you to offer helpful suggestions on topics you might like to see at next year's event, as well as ways we can make the event even better.

Please also feel free to include your contact information along with your feedback so that we can follow up on your comments and suggestions. Our goal is to ensure that every year the Information Security Day event benefits our students, faculty, staff and community by offering opportunities to discuss and learn about the challenges and topics involved in information security.
