Stanford Computer Security and You


Page 1

Stanford Computer Security and You

Page 2

Higher Education

- Higher education environment is open, sharing, exploratory, experimental
- Many information assets and resources
- Very complex and robust networking and computing environment

Page 3

Internet

- Internet environment is open, sharing, exploratory, experimental
- Many information assets and resources
- Distributed management
- Can be “unsafe”

Page 4

Information Security Services

Partner to protect Stanford information assets and resources while supporting the institution’s broad and relatively open access requirements.

Works with: Internal Audit, Networking, Risk Management, Office of General Counsel, Judicial Affairs, Residential Computing, Departments and Schools, … and You!

Page 5

Focus

- Meet legal requirements
- Improve individual security knowledge and awareness
- Improve administrative systems security
- Improve overall SUNet security

Page 6

Legislation: Support Issues

- FERPA: Protect private student information
- HIPAA: Protect personal health information (PHI)
- GLBA: Protect “banking” transaction information
- SEVIS: Provide foreign student information
- DMCA: Protect copyrighted information
- California Law: May not use SSN as identifier; must disclose compromise of private information

(Improve Administrative Systems Security)

Page 7

Awareness Campaign

- Postcards sent to every employee
- Web site <securecomputing.stanford.edu>
- Student focus in Fall: Approaching Stanford; packets on beds; residence hall contest
- Ongoing activities: Stanford 101; communicating with returning students; technical security training; continuing to expand web site

(Improve Individual Security Awareness)

Page 8

Improve Application Security

- Participate with the project and support teams
- Design security infrastructure
- Participated in security reviews

(Improve Administrative Systems Security)

Page 9

Categories of Data

Criteria: Use these criteria to determine which data category is appropriate for a particular information or infrastructure system. A positive response to the highest category in any row is sufficient to place that system into that Category.

Columns: Category A (highest, most sensitive); Category B (moderate level of sensitivity); Category C (very low, but still some sensitivity)

Legal requirements
- A: Protection of data is required by law (see attached list for specific HIPAA and FERPA data elements)
- B: Stanford has a contractual obligation to protect the data

Reputation risk
- A: High
- B: Medium
- C: Low

Other Institutional Risks
- A: Information which provides access to resources, physical or virtual
- B: Smaller subsets of Category A data from a school, large part of a school, department
- C: Data about very few people or other sensitive data assets

Examples
- A: Medical; Students; Prospective Students; Personnel; Donor or prospect; Financial; Contracts; Physical plant detail; Credit Card numbers; Certain management information
- B: Information resources with access to Category-A data; Research detail or results that are not Category-A; Library transactions (e.g., catalog, circulation, acquisitions); Financial transactions which do not include Category-A data (e.g., telephone billing)
- C: Very small subsets of Category A data

(Improve Administrative Systems Security)

Page 10

Firewall Architecture (conceptual)

A Zone: Category A Assets (typically protects Databases & Services). Only connects to Zone B.

B Zone: Category B Assets (typically protects Application Servers). Connects to Zone A and Zone C.

C Zone: Category C Assets (typically protects Web Servers). Connects to Zone B and Zone D (Internet).

D Zone: SUNet & Internet
- Developers & Power Users inside & outside SUNet
- Faculty, Students, Staff inside & outside SUNet
- Partners & Partner Applications inside & outside SUNet
- Anyone else, anywhere

Principles
- Category A assets are kept in the A Zone (see Data Categorization for more information).
- Access between protected assets and the Internet occurs in the C Zone.
- Communications traffic only crosses one boundary (inter-zone) at a time.

(Improve Administrative Systems Security)
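The data-categorization rule (the highest category triggered by any criteria row wins) and the three zone principles above, as an added worked example in Python. This is not code from the Stanford slides or from Stanford; the Asset fields, sample assets, paths and function names are this example's own constructions, chosen to show how the categorization feeds zone placement and how a flow is checked against the one-boundary-at-a-time rule.

```python
"""Added example, not part of the Stanford slides: a small model of the
"Categories of Data" rule and of the A/B/C/D zone policy on the conceptual
firewall slide. Asset fields, sample assets, paths and function names are
constructed for illustration and are not anything Stanford publishes."""

from dataclasses import dataclass

RANK = {"A": 3, "B": 2, "C": 1}  # Category A is the most sensitive

# Reputation-risk row of the criteria table: High -> A, Medium -> B, Low -> C.
REPUTATION_RISK = {"high": "A", "medium": "B", "low": "C"}


@dataclass
class Asset:
    """Answers to the criteria rows for one information or infrastructure system."""
    name: str
    required_by_law: bool = False         # legal row, Category A (HIPAA/FERPA elements)
    contractual_obligation: bool = False  # legal row, Category B
    reputation_risk: str = "low"          # "high" | "medium" | "low"
    grants_resource_access: bool = False  # other-risks row, Category A


def categorize(asset: Asset) -> str:
    """Apply every row; the highest category any row triggers wins.

    Every system has at least some sensitivity, so the floor is Category C.
    """
    hits = ["C"]
    if asset.required_by_law:
        hits.append("A")
    if asset.contractual_obligation:
        hits.append("B")
    hits.append(REPUTATION_RISK[asset.reputation_risk.lower()])
    if asset.grants_resource_access:
        hits.append("A")
    return max(hits, key=RANK.__getitem__)


# Zone adjacency from the firewall slide: each zone lists the zones it may
# exchange traffic with directly. D is SUNet and the Internet.
ADJACENT = {
    "A": {"B"},
    "B": {"A", "C"},
    "C": {"B", "D"},
    "D": {"C"},
}


def home_zone(asset: Asset) -> str:
    """Principle 1: Category A assets live in the A Zone (B in B, C in C)."""
    return categorize(asset)


def hop_allowed(src: str, dst: str) -> bool:
    """Principle 3: one hop may cross at most one inter-zone boundary."""
    return src == dst or dst in ADJACENT[src]


def path_violations(path: list) -> list:
    """Check each hop of a multi-zone path; an empty list means it conforms."""
    problems = []
    for src, dst in zip(path, path[1:]):
        if not hop_allowed(src, dst):
            problems.append(f"{src}->{dst} skips a zone boundary")
    # Principle 2: protected assets meet the Internet only in the C Zone, so a
    # path that joins D to a protected zone (A or B) must pass through C.
    touches_protected = any(z in ("A", "B") for z in path)
    if "D" in path and touches_protected and "C" not in path:
        problems.append("Internet traffic must pass through the C Zone")
    return problems


def placement_ok(asset: Asset, zone: str) -> bool:
    """True if the asset is deployed in the zone its category requires."""
    return zone == home_zone(asset)


if __name__ == "__main__":
    # Constructed sample assets.
    student_db = Asset("student records DB", required_by_law=True)
    catalog = Asset("library catalog", contractual_obligation=True)
    phone_bill = Asset("telephone billing feed")
    print(categorize(student_db), categorize(catalog), categorize(phone_bill))  # A B C
    print(path_violations(["D", "C", "B", "A"]))  # []: browser -> web -> app -> database
    print(path_violations(["D", "A"]))            # a client reaching the database directly
    print(placement_ok(student_db, "C"))          # False: Category A data in the web tier
```

The adjacency table is the whole policy: a hop is legal only if the destination zone is listed for the source zone, which is exactly "one boundary at a time". The separate Principle 2 check catches paths that never touch C at all, which the hop check alone would not flag for a path such as B to D if that adjacency were ever added by mistake.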

Page 11

Institutional Efforts Today

- Filtering extremely high-risk traffic at the border
- Proactive scanning
- Security alerts
- Sampling all five Internet feeds

(Improve Overall SUNet Security)

Page 12

Significant Security Payoff

[Chart: Network Traffic vs Successful Break-ins, 2002 and 2003. Left axis: Network Traffic (0 to 3,500); right axis: Successful Intrusions (0 to 400). Series: Network sessions / hour (x 1,000); Hostile Scans / Hour; Successful Intrusions / month. Data labels shown on the chart: 371 and 27.]

(Improve Overall SUNet Security)

Page 13

Individual Efforts Today

- Set good passwords on all machines
- Keep NetDB entries current
- Patch appropriately
- Practice security at appropriate levels for the data you’re working with

http://securecomputing.stanford.edu

Page 14

What’s Next

Beyond Today: Continue to improve Stanford security
- Health check
- Patch management
- Education

Page 15

How We Can All Help Protect Stanford’s Information Resources

- Be aware
- Keep your systems clean and healthy
- Lead by example

Contact Information: [email protected] and 650 723-2911
http://security.stanford.edu