IT Security & Higher Education
Why should higher ed care?
Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission
Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity
Education and Training Centers of Academic Excellence Professional Training and Certification
Research and Development Cyberinfrastructure Basic and Applied Research
Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk
Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.
GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Higher Education Computer Security Incidents in the News
Hacker Steals Personal Data on Foreign Students at U. of Kansas. Chronicle of Higher Education, 1/24/2003
UMBC students’ data put on Web in error. Baltimore Sun, 12/7/2002
Why Was Princeton Snooping in Yale’s Web Site? Chronicle of Higher Education, 8/9/2002
Delaware Student Allegedly Changed Her Grades Online. Chronicle of Higher Education, 8/2/2002
. . . in the News
Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges. Chronicle of Higher Education, 6/20/2002
Hacker exposes financial information at Georgia Tech. ComputerWorld, 3/18/2002
College Reveals Students’ Social Security Numbers. Chronicle of Higher Education, 2/22/2002
Hackers Use University’s Mail Server to Send Pornographic Messages. Chronicle of Higher Education, 8/10/2001
. . . in the News
Review to ensure University of Montana Web security. Montana Kaimin, 11/14/2001
‘Code Red’ Worms Linger. Chronicle of Higher Education, 9/14/2001
Students Fault Indiana for Delay in Telling Them About Stolen Files. Chronicle of Higher Education, 3/16/2001
. . . in the News
[UWashington] Hospital records hacked hard. SecurityFocus.com, 7/12/2000
3 Universities in California Find Themselves Linked to Hacker Attacks. Chronicle of Higher Education, 2/25/2000
Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses. Chronicle of Higher Education, 3/13/1998
Goals of IT Security
Confidentiality - Computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
Integrity - Computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
Availability - Computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Higher Ed IT Environments
Technology Environment
Distributed computing and a wide range of hardware and software, from outdated to state-of-the-art
Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges
Leadership Environment
Reactive rather than proactive
Lack of clearly defined goals (what do we need to protect and why)
Academic Culture
Persistent belief that security & academic freedom are antithetical
Tolerance, experimentation, and anonymity highly valued
A Risk Management Approach
Risk = Threats x Vulnerability x Impact
Threats
An adversary that is motivated to exploit a system vulnerability and is capable of doing so.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats
Hackers
Insiders
“Script Kiddies”
Criminal Organizations
Terrorists
Enemy Nation States
Vulnerabilities
An error or a weakness in the design, implementation, or operation of a system.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities
Networks – wired and wireless
Operating Systems – especially Windows
Hosts and Systems
Malicious Code and Viruses
People
Impact
Risk refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Impact: Types of Risk
Strategic Risk
Financial Risk
Legal Risk
Operational Risk
Reputational Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Handling Risks
Risk Assumption
Risk Control
Risk Mitigation
Risk Avoidance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Security Task Force
Formed Summer 2000
Respond to charges that higher education is lax and dangerous
Threat of blunt-edged regulations
Co-chairs, Steering Committee
Web page, Listservs, Conferences
Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th
Executive Order 13231 – October 2001. Created the President’s Critical Infrastructure Protection Board (PCIPB)
Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
USA PATRIOT Act
National Strategy to Secure Cyberspace Draft announced September 18
See www.securecyberspace.gov. Includes higher ed contribution
National, not a government, strategy
Secure your own piece of cyberspace
Market driven, not regulatory
Best practice, information sharing
Final Strategy Release – TBD
Higher Education Contribution
Higher Education Interests:
Teach security
Invent technology
Powerful networks and computers
Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy
Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf
Framework for Action
Make IT Security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
NSF Workshops
A More Complete Response to National Strategy
Experts on academic values
Experts on practices and policies
Research scientists who use the networks
Summit including all stakeholders
Foundation for Future Activities
Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility
Action Agenda
1. Identify Responsibilities for IT Security, Establish Authority, and Hold Accountable
2. Designate an IT Security Officer
3. Conduct Institutional Risk Assessments
4. Increase Awareness and Provide Training to Users and IT Staff
5. Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d)
6. Require Secure Products From Vendors
7. Establish Collaboration and Information Sharing Mechanisms
8. Design, Develop, and Deploy Secure Communication and Information Systems
9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.
10. Invest in Staff and Tools
Security: Negative Deliverable
Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
What Every President Must Do
Ensure the confidentiality, integrity, and availability of University assets and information
Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact
Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions
For more information, contact:
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security