Docstoc

ACIS meeting April

Document Sample
ACIS meeting April Powered By Docstoc
					Stanford Computer
 Security and You
Higher Education
 Higher  education environment is
  open, sharing, exploratory, experimental
 Many information assets and resources
 Very complex and robust networking
  and computing environment
Internet
 Internet environment is open, sharing,
  exploratory, experimental
 Many information assets and resources
 Distributed management
 Can be “unsafe”
Information Security Services
   Partner to protect Stanford information assets and
    resources while supporting the institution’s broad and
    relatively open access requirements

   Works with:
       Internal Audit
       Networking
       Risk Management
       Office of General Counsel
       Judicial Affairs
       Residential Computing
       Departments and Schools,
       … and You!
Focus
   Meet legal requirements

   Improve individual security knowledge
    and awareness

   Improve administrative systems security

   Improve overall SUNet security
                                      Improve Administrative Systems Security


Legislation: Support Issues
   FERPA
       Protect private student information
   HIPAA
       Protect personal health information (PHI)
   GLBA
       Protect “banking” transaction information
   SEVIS
       Provide foreign student information
   DMCA
       Protect copyrighted information
   California Law
       May not use SSN as identifier
       Must disclose compromise of private information
                                     Improve Individual Security Awareness


Awareness Campaign
   Postcards sent to every employee
   Web site <securecomputing.stanford.edu>
   Student focus in Fall
       Approaching Stanford
       Packets on beds
       Residence hall contest
   Ongoing activities
       Stanford 101
       Communicating with returning students
       Technical security training
       Continuing to expand web site
                              Improve Administrative Systems Security


Improve Application Security
   Participate with the project and support
    teams

   Design security infrastructure

   Participated in security reviews
                                                                                  Improve Administrative Systems Security


 Categories of Data
Criteria: Use these criteria to determine which data category is appropriate for a particular information or
infrastructure system. A positive response to the highest category in any row is sufficient to place that
system into that Category.

 Category A                                                                                                                 Category C
 (highest, most sensitive)
                                                                                         Category B
                                                                                                                     (very low, but still some
                                                                            (moderate level of sensitivity)
                                                                                                                                  sensitivity)

 Legal requirements
 Protection of data is required by law (see attached   Stanford has a contractual obligation to protect
       list for specific HIPAA and FERPA data                the data
       elements)

 Reputation risk
                                                       Medium                                                 Low
 High
 Other Institutional Risks                                                                                    Data about very few people
 Information which provides access to resources,       Smaller subsets of Category A data from a
                                                                                                                    or other sensitive data
       physical or virtual                                   school, large part of a school, department
                                                                                                                    assets
 Examples
    Medical                                                Information resources with access to
    Students                                                Category-A data
    Prospective Students                                   Research detail or results that are not
    Personnel                                               Category-A
    Donor or prospect                                      Library transactions (e.g., catalog,
    Financial                                               circulation, acquisitions)
    Contracts                                              Financial transactions which do not
    Physical plant detail                                   include Category-A data (e.g., telephone
    Credit Card numbers                                     billing)
    Certain management information                         Very small subsets of Category A data
                                                                                         Improve Administrative Systems Security


Firewall Architecture (conceptual)
                                                                          D Zone

                                                                     SUNet & Internet


                                                                          C Zone
                                   Developers & Power                                                      Faculty, Students, Staff
                                      Users inside                   Category C Assets                     inside & outside SUNet
                                    & outside SUNet




                                                                          B Zone
Principles
 Category A assets are kept in the A                                Category B Assets
  Zone (see Data Categorization for
  more information).
 Access between protected assets
                                                                          A Zone
  and the Internet occurs in the C
  Zone.
                                                                     Category A Assets
 Communications traffic only crosses
  one boundary (inter-zone) at a time.
                                                                     (Typically protects
                                                                       Databases &
                                                                         Services)

                                                                      Only connects to
                                                                          Zone B

                                                                     (Typically protects
                                                                    Application Servers)

                                                                       Connects to
                                                                    Zone A and Zone C


                                                              (Typically protects Web Servers)

                                                          Connects to Zone B and Zone D (Internet)

                                    Partners & Partner
                                    Applications inside                                                    Anyone else, anywhere
                                     & outside SUNet
                                   Improve Overall SUNet Security


Institutional Efforts Today
   Filtering extremely high-risk traffic at
    the border

   Proactive scanning

   Security alerts

   Sampling all five Internet feeds
                                                                                                   Improve Overall SUNet Security


     Significant Security Payoff

                                        Network Traffic vs Successful Break-ins

                  3,500                                                                                              400

                                             371
                                                                                                                     350
                  3,000


                                                                                                                     300
                  2,500




                                                                                                                           Successful Intrusions
                                                                                                                     250
Network Traffic




                  2,000

                                                                                                                     200

                  1,500
                                                                                                                     150

                  1,000
                                                                                                                     100


                   500
                                                                                                                     50
                                                                                              27

                     0                                                                                               0
                                        2002                                             2003

                          Network sessions / hour (x 1,000)   Hostile Scans / Hour   Successful Intrusions / month
Individual Efforts Today
   Set good passwords on all machines

   Keep NetDB entries current

   Patch appropriately

   Practice security at appropriate levels
    for the data you’re working with

   http://securecomputing.stanford.edu
                                            What’s Next


Beyond Today
   Continue to improve Stanford security
     Health check
     Patch management
     Education
  How We Can All Help Protect
Stanford’s Information Resources

 Be aware
 Keep your systems clean and healthy
 Lead by example




                   Contact Information:
           Security@Stanford.edu and 650 723-2911
                   http://security.stanford.edu

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:20
posted:2/19/2012
language:English
pages:15