Privileged Access Management (PAM): moving from Project to Program
Jon Rice, Ian Altgilbers, Petar Ivanov, Galen Lipin, Tufts University
This group presentation will provide an overview of ongoing efforts to integrate PAM principles, practices, and technologies at Tufts. We will review key milestones, current initiatives, and upcoming steps in the transition from a project-based approach to a broader, programmatic strategy. Along the way, we will highlight the challenges encountered and lessons learned.
Harvard’s approach to risk based vulnerability management
Todd Connetta & John Sorel, Harvard University
Slide Deck and musical track
In 2023, Harvard embarked on a three-year initiative to modernize its vulnerability management approach. The effort centered on shifting from a high-volume, resource-intensive model to a risk-based strategy. The program positions the university to prioritize vulnerabilities based on standard risk factors, ensuring more efficient resource allocation. The transformation represented a cultural change as much as it did a technology challenge. A dedicated, university-wide program team has carefully aligned key stakeholders and leadership behind the new approach, and now, midway through the program's implementation, the first set of schools and units are adopting this new way of life. The team will first present our problem: balancing the increasing demands of vulnerability and exposure management amid a constantly evolving threat landscape with the pressures of today's funding environment and the scarcity of resources. Next, the team will present a brief history of the solution's design, build, and implementation before opening a demonstration of the technology. The demonstration will simultaneously communicate how the solution works and the solution's scaled impact across the university. This portion of the presentation will underscore the importance of managing risks over lists and clearly communicate a path to building that capability. Finally, we will conclude the session with a focus on lessons learned and a summary of key organizational change management activities.
Outsmarting Our Future Selves: Boston College Information Technology Services and the Journey to an Enterprise Password Manager
Tiffany Bradford, Boston College
Passwords, passkeys, API credentials, and SSH keys are more than just tech buzzwords; they're daily realities. Join us as we discuss the journey of Boston College Information Technology Services (ITS) from merely the idea of an enterprise password manager to the rollout of a full-fledged solution for the department. We will begin with why we chose to procure this type of tool and what should be considered when choosing a vendor for your own environment, then move to a lessons learned section, and finish with next steps for our use of the product. We hope this talk provides a forum for those who struggle with credential management but don't yet have a clear business case for an enterprise password manager, and a place for those who are already using an enterprise password manager to think about what's next for their own tool.
Incident Response Tabletop Exercises: They’re not just a game
Shane Albright, REN-ISAC
Incident response tabletop exercises are an efficient and effective way to test your organization's incident response plan. They provide a low-stakes opportunity for your staff to learn to respond to incidents in your environment and identify areas of improvement in your incident response process. Tabletop exercises also help highlight the need for collaboration among various roles and teams during an incident. Attendees will learn the fundamentals of planning and facilitating an incident response tabletop exercise with the goal of increasing their organization's resilience to information security risk. A small portion of this session (under 5 minutes) will be dedicated to discussing the value of REN-ISAC's Information Security Assessment and Advisory Services' tabletop exercise offerings.
Shane Albright began his career as an IT Support Center computer consultant at Indiana University twenty years ago. After a few years working as an infrastructure specialist in enterprise IT for a software company, he returned to IU as a senior system administrator at the Student Health Center where, for over a decade, he was a leader in the management and security of IT infrastructure and services and the protection of electronic protected health information (ePHI). Shane joined the REN-ISAC in 2021 as a principal security engineer. For the last year and a half, he has facilitated REN-ISAC's Information Security Assessment and Advisory Services' tabletop exercises.
Tool Time
Alexan Mardigian, Brian Gerdon, Mallory Ren, Boston University
Boston University's Information Security team has successfully implemented GitLeaks as a pre-commit hook to prevent credential exposure across their codebase. This presentation will demonstrate practical deployment strategies, share lessons learned from implementation, and provide actionable insights for integrating GitLeaks into development workflows.
Duo Hunter is a custom tool built to help the BU SOC identify compromised accounts and pivot for additional hunting.
BU Infrastructure is in early deployment of Linux server secrets management with systemd, Python, and HashiCorp Vault to address a core modernization need. This presentation will summarize the implementation, illustrating the importance of agreeing on well-defined interfaces and the necessity of starting from the daily user experience to gain adoption.
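As an added illustration of what a pre-commit secret scan such as the GitLeaks hook above actually does, the following is a reduced stand-in written for this page; it is not BU's hook and not gitleaks itself. It scans only the added lines of a unified diff (the staged changes a hook sees), tracks new-file line numbers from the hunk headers so each hit gets a stable "path:rule:line" fingerprint that can be allowlisted the way a .gitleaksignore entry is, and applies an entropy gate so placeholder values do not block commits. The rule set, the sample diff and the fingerprint format are assumptions modelled on gitleaks, not copied from it.

```python
"""Pre-commit secret scan over a unified diff (added example, not gitleaks code)."""
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, NamedTuple


class Rule(NamedTuple):
    rule_id: str
    regex: re.Pattern
    min_entropy: float  # 0.0 disables the entropy gate for this rule


class Finding(NamedTuple):
    rule_id: str
    path: str
    line: int
    secret: str
    fingerprint: str  # "path:rule:line", the shape an allowlist entry takes


# Constructed rule set (assumption): a small subset of what a real scanner ships.
RULES = [
    Rule("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0.0),
    Rule("private-key",
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"), 0.0),
    # A variable named *secret/*token assigned a long value; the entropy gate drops
    # placeholders such as "xxxxxxxx..." that the regex alone would flag.
    Rule("generic-api-key",
         re.compile(r"(?i)\b[a-z_]*(?:secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
         3.0),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a run of one repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text: str, rules: Iterable[Rule] = RULES,
              allowlist: Iterable[str] = ()) -> List[Finding]:
    """Scan only '+' lines, numbering them from the hunk headers of the new file."""
    allow = set(allowlist)
    findings: List[Finding] = []
    path, new_line = "", 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):           # new-file name, e.g. "+++ b/config.py"
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            new_line = int(hunk.group(1))     # first new-file line of this hunk
            continue
        if line.startswith("+"):              # an added line is the only thing scanned
            content = line[1:]
            for rule in rules:
                m = rule.regex.search(content)
                if not m:
                    continue
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                if shannon_entropy(secret) < rule.min_entropy:
                    continue
                fp = f"{path}:{rule.rule_id}:{new_line}"
                if fp not in allow:
                    findings.append(Finding(rule.rule_id, path, new_line, secret, fp))
        # Added and context lines exist in the new file; removed ('-') lines do not.
        if line.startswith(("+", " ")) or line == "":
            new_line += 1
    return findings


def run_hook(diff_text: str, allowlist: Iterable[str] = ()) -> int:
    """Exit status for a pre-commit hook: 1 blocks the commit, 0 lets it through."""
    findings = scan_diff(diff_text, allowlist=allowlist)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule_id} matched {f.secret[:8]}... "
              f"(allowlist fingerprint {f.fingerprint})")
    return 1 if findings else 0


# Constructed sample diff (assumption). The removed OLD_KEY line is not flagged,
# and the SECRET placeholder is dropped by the entropy gate.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "sk_live_0123456789abcdefghijklmn"
+SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx"
 DEBUG = False
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    # A real .git/hooks/pre-commit would feed it the output of `git diff --cached`
    # (the staged changes) instead of SAMPLE_DIFF.
    sys.exit(run_hook(SAMPLE_DIFF))
```

Two design points carry over to a production deployment: scanning only added lines keeps the hook fast and lets a commit that removes a secret go through (the removal still needs rotation, which a hook cannot do), and keying the allowlist on a path/rule/line fingerprint rather than on the secret value means the allowlist file never itself contains the credential.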
Alexan Mardigian is a CISSP-certified Information Security Engineer at Boston University, where he has served since March 2020 developing and maintaining custom security tools. His experience spans developing hardware emulators for the U.S. Air Force, building secure web solutions for diverse clients, security architecture, and creating AI-powered security tools. He is also dedicated to making cybersecurity accessible and understandable, bridging the gap between technical expertise and clear communication. He is currently pursuing his master's degree in computer science, with a focus in cybersecurity. Outside of his duties at Boston University, he is an avid DJ of electronic music and a scuba diver.
Brian Gerdon is a Security Analyst in the SOC at Boston University. Over the past 20 years, Brian has held a variety of roles at BU, including Desktop Support, Network Engineering and Operations, and now Information Security. His primary focus areas are Digital Forensics, Incident Response, and managing the university's Firewall Services.
Mallory Ren is a Linux Systems Administrator at Boston University. She has been working with Linux, configuration management, and infrastructure for the last ten years and is interested in solving for quality and scale at organizations both big and small.
Additional camp links:
My First Cyber Toolbox: A Fun and Friendly Guide to Internet Safety for Kids (link to order)
