Italo Valcy S Brito - Federal University of Bahia (UFBA)
MSc in Computer Science, is the Chief Security Officer at the Federal University of Bahia/Brazil (UFBA) responsible for the CSIRT operations, auditing and security policies definition. He is co-founder/collaborator of CERT.Bahia (CSIRT for Bahia/BR Academic Network - RNP) and he is involved in projects related to Forensic Analysis, Web Pentest, Secure Infrastructure and Routing, Phishing and Malicious Activity Detection and Software-Defined Networking.
Yuri Alexandro - Brazilian Educational and Research Network (CAIS/RNP)
InfoSec Management Specialist, has worked with IT since 2002 and for 9 years with informaton security, having experience in network security management and IT academic network's infrastructure and environment. He was member of InfoSec teams at UNEB (University of Bahia) and UFBA (Federal University of Bahia), and collaborating member of CERT.Bahia (Security Incident Response Team of Bahia State Academic Network). Today works with incident management, CSIRT development and security awareness at CAIS / RNP
Information Security has acquired significant attention over last years, mainly because of the awareness about the increased information value to people and organizations. Information loss, theft, unavailability, modification or unauthorized access may result in negative effects, impacts in operations and more precisely in organization's reputation or people's daily lives. In this way, a set of actions is necessary to establish an Information Security Organizational Plan and provide information and communication protection into organization. When it comes to research and education organizations, the network context is heterogeneous, usually has a decentralized administration and different types of users and access profiles. This environment leads to a raised challenge in balancing security protections and the heterogeneity and flexibility needed for education, research and extension activities. These challenges can be addressed through combined actions in three information security dimensions: processes, technology and people.
This paper presents the joint work experience of ETIR-UFBA and CAIS/RNP about the definition and adoption of cyber-security strategies for research and education organizations and users, focusing on aforementioned dimensions. Firstly, from processes point of view, we developed a complete guide to help the establishment of incident response teams (CSIRTs) and Acceptable Use Policy (AUP), considering the international standards, best current practices, Brazilian laws and R&E environment and challenges. We will present the results of applying this guide to establish and improve CSIRTs, as well as to define security policies. We’ll also discuss the creation and adoption of operational plans, such as "Incident Handling" and "Emergency Communication". Secondly, considering the technology dimension, we will show an overview of an infrastructure to provide malicious activity detection and support incident handling processes using open source tools. One important component for security incident response is rastreability, which may become a challenge considering BYOD, distributed and heterogeneous R&E networks and the use of DHCP, NAT or IPv6 SLAAC (very common in Brazilian institutions). We will present a set of tools developed to overcome this challenges, namely: TRAIRA (Automatic Network Incident Handling); L2M (Layer 2 Manager); PF/PFSense and Netfilter/IPTables NAT tracking. In terms of malicious activity monitoring, we will demonstrate the honeypot deployment in the internal networks and the use of distributed, coordinated intrusion detection systems (IDS) across RNP backbone.
Finally, we will discuss the dissemination of the information security culture among different users’ profiles. We will show some of the initiatives aimed to encourage good practices and safe technology usage for both end users and system administrators. We will also demonstrate that a combined use of communication strategies, such as workshops, talks, short courses and security awareness campaigns can effectively help to reduce security incidents.
