View
218
Download
0
Category
Tags:
Preview:
Citation preview
Stanford Computer Security and You
Higher Education
Higher education environment isopen, sharing, exploratory, experimental
Many information assets and resources Very complex and robust networking
and computing environment
Internet Internet environment is open, sharing,
exploratory, experimental Many information assets and resources Distributed management Can be “unsafe”
Partner to protect Stanford information assets and resources while supporting the institution’s broad and relatively open access requirements
Works with: Internal Audit Networking Risk Management Office of General Counsel Judicial Affairs Residential Computing Departments and Schools, … and You!
Information Security Services
Focus Meet legal requirements
Improve individual security knowledge and awareness
Improve administrative systems security
Improve overall SUNet security
Legislation: Support Issues FERPA
Protect private student information HIPAA
Protect personal health information (PHI) GLBA
Protect “banking” transaction information SEVIS
Provide foreign student information DMCA
Protect copyrighted information California Law
May not use SSN as identifier Must disclose compromise of private information
Improve Administrative Systems Security
Awareness Campaign
Postcards sent to every employee Web site <securecomputing.stanford.edu> Student focus in Fall
Approaching Stanford Packets on beds Residence hall contest
Ongoing activities Stanford 101 Communicating with returning students Technical security training Continuing to expand web site
Improve Individual Security Awareness
Improve Application Security
Participate with the project and support teams
Design security infrastructure
Participated in security reviews
Improve Administrative Systems Security
Categories of DataCriteria: Use these criteria to determine which data category is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Category.
Category A (highest, most sensitive) Category B
(moderate level of sensitivity)
Category C(very low, but still some
sensitivity)
Legal requirementsProtection of data is required by law (see attached
list for specific HIPAA and FERPA data elements)
Stanford has a contractual obligation to protect the data
Reputation riskHigh Medium Low
Other Institutional RisksInformation which provides access to resources,
physical or virtual
Smaller subsets of Category A data from a school, large part of a school, department
Data about very few people or other sensitive data assets
Examples Medical Students Prospective Students Personnel Donor or prospect Financial Contracts Physical plant detail Credit Card numbers Certain management information
Information resources with access to Category-A data
Research detail or results that are not Category-A
Library transactions (e.g., catalog, circulation, acquisitions)
Financial transactions which do not include Category-A data (e.g., telephone billing)
Very small subsets of Category A data
Improve Administrative Systems Security
Firewall Architecture (conceptual)Improve Administrative Systems Security
A Zone
Category A Assets
(Typically protectsDatabases &
Services)
Only connects toZone B
B Zone
Category B Assets
(Typically protectsApplication Servers)
Connects toZone A and Zone C
C Zone
Category C Assets
(Typically protects Web Servers)
Connects to Zone B and Zone D (Internet)
D Zone
SUNet & Internet
Developers & PowerUsers inside
& outside SUNet
Faculty, Students, Staffinside & outside SUNet
Partners & PartnerApplications inside
& outside SUNet
Anyone else, anywhere
Principles? Category A assets are kept in the A
Zone (see Data Categorization formore information).
? Access between protected assetsand the Internet occurs in the CZone.
? Communications traffic only crossesone boundary (inter-zone) at a time.
Institutional Efforts Today Filtering extremely high-risk traffic at
the border
Proactive scanning
Security alerts
Sampling all five Internet feeds
Improve Overall SUNet Security
Significant Security PayoffImprove Overall SUNet Security
Network Traffic vs Successful Break-ins
371
27
0
500
1,000
1,500
2,000
2,500
3,000
3,500
2002 2003
Network Traffic
0
50
100
150
200
250
300
350
400
Successful Intrusions
Network sessions / hour (x 1,000) Hostile Scans / Hour Successful Intrusions / month
Individual Efforts Today Set good passwords on all machines
Keep NetDB entries current
Patch appropriately
Practice security at appropriate levels for the data you’re working with
http://securecomputing.stanford.edu
Beyond Today Continue to improve Stanford security
Health check Patch management Education
What’s Next
Contact Information:Security@Stanford.edu and 650 723-2911
http://security.stanford.edu
Contact Information:Security@Stanford.edu and 650 723-2911
http://security.stanford.edu
How We Can All Help Protect Stanford’s Information Resources
Be aware Keep your systems clean and healthy Lead by example
Recommended