Security Planning for CIO's

Securing Your Campus: What Every CIO Should Be Doing

Joy Hughes
CIO, George Mason University
jhughes@gmu.edu

Peter M. Siegel
CIO, University of California, Davis
pmsiegel@ucdavis.edu

Jack Suess
VP of IT, U of Maryland, Baltimore County
jack@umbc.edu

                                            1
         Seminar Logistics

Seminar 11A - Securing Your Campus:
What Every CIO Should Be Doing
 8:30 to Noon
Please check your name off the list.
Break is at 10:00 - 10:15
Materials:
 Seminar booklet with slides
 CD containing security resources
                                       2
           Securing Your Campus: What
           Every CIO Should Be Doing

This seminar will focus on the senior IT leader's
role in securing the campus. It will leverage the
work produced by the Security Task Force to
help IT leaders understand current security
issues and future trends. Special emphasis will
be placed on using community resources to
improve handling of sensitive data, preventing
and responding to security incidents, and
establishing security awareness programs on
campus.
                                                    3
         Basic Principles

Pete Siegel




                            4
          Learning Objectives

Develop understanding of the importance of
proper incident handling when a security
incident occurs
Examine and discuss the ethical “gray areas”
associated with security incidents.
Review the security resources available to help
you at your campus.
Identify steps you can take now to improve
security at your campus
Review the role of privacy in campus planning

                                                  5
         What Is “Information Security?”


Programs, policies, and practices to maintain the
    Integrity, Availability and Confidentiality of
               Electronic Information




                            Robert Ono, UC Davis
                                                     6
          Major Components of an
          Information Security Program

 Prevention / Avoidance
   • Risk Assessment
   • Planning
   • Policies
   • Practices
   • Software
   • Automated Tools
   • Awareness Training
 Assurance
   • Measurement
   • Verification
   • Reporting
 Detection and Investigation
   • Incident Identification
   • Escalation
   • Incident Response
   • Notification
 Recovery
   • Backup
   • Bypass
   • Correction

                                        Robert Ono, UC Davis
                                                                                    7
         Security Checkpoint

How many of you in the past 18 months
have completed…
 A risk assessment?
 A comprehensive security plan?




                                        8
             ECAR Preliminary Results

In November 2005 ECAR replicated its study done in
2003. Some general findings:
 Security technology is being deployed as quickly as funding
  permits
 Staffing and funding for security has increased
 Only 51% reported having done a risk assessment.
 11% report having a comprehensive security plan
With this increase in funding why are things appearing to
get worse?
 People and process issues are always the hardest!



                                                                9
               Security Checkpoint

  How many information security staff (in FTEs) do you
  have?
  Has the number increased in the past 2 years?




    Quip of the Day:
“If you have to think about whether they are doing I.T.
    security or not, then don't count them.”
                                 Paraphrase of George Strawn, NSF CIO,
                                        Cybersecurity Summit, Sep 2004

                                                                    10
                              ECAR - Staffing complement and
                                structure varies significantly




• 50% of respondents had at least one full time security staff member, with multi-person staffs most often
  reported at institutions with larger numbers of devices (10,000+) on their networks
• 66% of respondents indicated that they did not expect the size of their IT security staff to change in the
  next two years. 25% expected to add one staff member, and 9% expected to add two or more
                                                                                                          11
Security Responsibility
ECAR 2003 Results




                          12
Where IT Security Officer Reports
ECAR 2003 Results




                               13
         Major Components of an
         Information Security Program

One way to think about it…


                                        14
              Major Components of an
              Information Security Program

Metaphor of “FIREFIGHTING”
 Prevention / Avoidance
   • Fire codes, building codes, research
 Assurance
   • Building inspections, fire drills,
     assessment
 Response (putting out fires)
   • Fire detectors, pulling alarms, getting
     everyone out, warning neighbors
   • Actually putting out fires!
 Recovery and Investigation
   • Cleanup, hotel stay, rebuilding
     according to code, code citations
                                                        15
          Actions We Recommend

By end of talk, you as…
 CIOs
 I.T. unit directors and managers
will have a set of “take-away” action items
identified as effective, community
practices



                                          16
                 Actions for CIOs

i. Designate an information security officer and organizationally place this
position in an effective location.
ii. Review your institutional security policy. Does the policy define security
governance? Is the policy clear with respect to requirements and
responsibilities?
iii. Review the security model which underlies your institution's security
program. Does the program address prevention, assurance, response and
recovery? Do security program initiatives correspond to the identified
system/network/data risks and regulatory controls?
iv. Review the process by which core institutional data is identified and
protected.
v. Review your institutional strategic plan and information security long-
term plans for congruence.



                                                                             17
                  Actions for IT unit directors and
                  Managers

i. Assign specific technical staff members to support your information
security program. Ensure that staff members understand their
responsibilities and are sufficiently trained to carry out these responsibilities.

ii. Conduct unit security awareness for non-technical staff. Effective
security practices require the participation of everyone in the unit.

iii. Conduct periodic risk assessments of your information systems and
data using a team of administrators and technical staff. Verify that security
work objectives will reduce vulnerabilities within high-risk security areas.

iv. Adopt an organizational framework for security management. Review
information security work objectives and progress on a regular basis. Focus
measurement on reliable metrics wherever possible.

v. Align unit security practices with institutional requirements. Review unit
compliance to institutional security policies and regulations.


                                                                                18
            Information Security Challenges

The Challenges…
   Too few resources
   Too much to do
   We can't get everyone to buy in
   It will take time
   No, really, too few resources
Solution?


                                              19
            Challenges:
            Handling complexity by risk assessment


Solution
 Share the risk (and responsibility)
   • View the issues as campus issues, not as “I.T.”
     issues
 Carefully consider risks and address higher
  risk issues first and address progressively
  more
   • Not everything can be accomplished in a single
     year
   • Estimate risk against cost (including effort, local
     expertise)
                                                           20
            Information Security Challenges

[Chart: Danger Level (Low to High) plotted against Level of Effort (Low to High)]

                                   Robert Ono, UC Davis
                                                                              21
            Information Security Challenges



               Discussion
                Low Effort       High Effort
High Risk


…


Low Risk




                                               22
Data Breaches




                23
A Sampling of Incidents

[Slides 25-33: one incident per slide, images not recoverable; slide dates:
August 2007; July 2007; September 29, 2006; September 29, 2006;
September 27, 2006; September 22, 2006; August 4, 2006; June 30, 2006;
June 16, 2006]
                33
            The Crisis in Confidential
            Data Disclosure on Campus

To see just what the situation is:
www.privacyrights.org/ar/ChronDataBreaches.htm
Some Facts -
 January 2005 – August 2007
   • 159,054,253 private records disclosed
This represents only the tip of the iceberg,
and the problem is more substantial than
these data indicate

                                                 34
            Security Breaches are Increasing

More data available & at risk
 Institutions providing 24x7 Internet access
 Staff & faculty moving to laptops & wireless
 Internet increasingly hostile
   • Botnets & home broadband a bad combination
   • Organized crime now engaged - lucrative targets
Higher-education (HE) gaps in policy, resources, & expertise
 Numerous breaches outside purview of central IT
 Some believe campuses are being targeted
Governing boards, legislators, public upset
                                                       35
          Funding Agencies becoming
          concerned

Granting agencies expecting more and
more sophisticated security plans are part
of grants
 NSF: Large Centers, but likely to expand
 NIH
Faculty need to be part of your campus
plan, not (in general) create their own


                                             36
               Laws and Policy – Privacy / Security


• HIPAA Privacy Rule - Health Insurance Portability and
  Accountability Act

• FERPA – Family Educational Rights and Privacy Act
• California* Information Practices Act
• Notification, 1798 California* Civil Code
• PCI – Payment Card Industry standards


                          * Your state goes here!     37
             Laws and Policies – Privacy / Security



• FISMA – Federal Information Security Management Act
• On your campus:
   • Privacy Standards / Policies
   • Communications Policies
   • Cyber-safety Policy and Security Standards



                                                        38
             Data Breaches – Good News

Academic institutions represent only about 2% of
the records exposed during breaches in 2007
Academic institutions report the largest number
of incidents (compared with business, medical,
K-12)
   Tradition of openness
   Relatively sophisticated detection
   Improving steadily
   More work needs to be done

                                              39
                 More States Require Notification

                                         35 States as of Jan 2007
Courtesy of U. of Georgia




                  http://infosec.uga.edu/policymanagement/breachnotificationlaws.php   40
           Notification an Ethical Response

Fear of Identity Theft
 Nearly 100m identities released in recent years!
 Press is making this a big issue, because their
  readers are concerned
 Companies see money to be made by “protecting
  people from ID theft” and hype threats
 Privacy groups want to use this issue to change data
  practices in companies
Result - average person, our students, faculty,
and staff are worried!
                                                     41
                   Identity Theft Is Big Business

Jan 22, 2007 14:23 ET
LifeLock Begins Working With Rush Limbaugh

TEMPE, AZ -- (MARKET WIRE) -- January 22, 2007 --
LifeLock, the leader in ID Theft prevention, today
announced a new radio advertising campaign with the
nationally syndicated radio program, "The Rush Limbaugh
Show," that will communicate a powerful, consistent
message about preventing the rapidly growing crime of
identity theft. …
       (http://www.marketwire.com/mw/release.do?id=725647&sourceType=1)



                                                                          42
Identity Theft is Big Business




                                 43
        Case Study

Jack Suess




                     44
         A Case Study

Based on real incident at large public
institution




                                         45
            2003 Incidents at UT

2003 – Central admin database system
breached; 45,000 names/SSNs exposed
 The importance of this incident was that it was one of the
   first higher education data incidents to get national
   media coverage.
 It is also one of the few (possibly the only one in higher ed) to
   catch the person that did this and successfully
   prosecute them.
 Credit for these slides goes to our colleague Dan
   Updegrove, VP of IT at UT during this period.

                                                             46
           2003 SSN Data Theft Chronology


Sun, Mar 2: initial observation of high-volume
database access from off-campus
Mar 3: Law enforcement & ISPs contacted
Mar 4: Evidence points to UT undergrad student
Mar 5: 2 residences searched by U.S. Secret
Service; press breaks story; UT “datatheft” website
Mar 14: Student arrested
Jun 10, 2005: Student convicted in Federal court
Sep 6, 2005: Student sentenced: 5 yrs community
svc, $170K restitution; sentence under appeal

                                                      47
         Case Study Overview

Why was UT vulnerable?
What did the attacker do?
How did UT respond?
Plea bargaining, trial, sentencing,
(appeal?)
What was the cost to UT?
Lessons learned from this incident?

                                      48
          Why UT was vulnerable

Used SSN as a primary key in some of its legacy
business systems that validated you had
completed safety training.
To help another UT campus it created a
backdoor whereby you could enter your SSN to
view your safety training record.
As the application evolved from mainframe to web
the developers didn't recognize the risk inherent
in this.
The irony is that one week later UT had
planned to shut down this application!
                                               49
         Break-in Discovered on Sunday

Application malfunctioned last week of Feb
Errors attributed to recent software mods
Applications analyst, checking the system
Sunday evening, March 2, observed
thousands of incremental SSN inputs, all
from same IP address, in Houston
Application shut down immediately

                                         50
         UT's Response - Sunday Night

Requested Houston ISP freeze logs
Contacted law enforcement
Reinstalled TXCLAS with dummy data
Analyzed prior week's logs, found similar
enumeration attack from one Austin ISP
Analyzed other system logs, identified
activity in authenticated systems from a
UT student with home address in Houston
                                        51
         Law Enforcement Engages -
         Monday

Subpoena verifies IP addresses in Austin
& Houston correspond to the student
UT provides technical report on nature,
origins, and impact of attack – 2.5M inputs
resulting in ~ 45K matches
Judge authorizes search warrants
Wed. evening: both residences searched,
desktop computer & related material
seized; student confesses
                                          52
         Press Engages - Wednesday

Story leaked to Austin American-Statesman
Large breach; risk of ID theft to 45,000;
reporter agrees to publish a UT URL
AA-S story hits wire services Wed evening
“www.utexas.edu/datatheft/” launched
Press conference held Thursday, Mar 6
Suspect formally arrested Friday, Mar 14
                                        53
           Notifying the Victims

UT assigned highest priority to notifying all
45,000 individuals via U.S. mail if possible
Lacked current addresses for many, so
 Website requested current address
  information
 800 number setup 24x7 for several weeks
Key messages -- beyond “UT is sorry”:
 “Data theft” not necessarily “identity theft”
 No-cost fraud alerts recommended
                                                  54
           Notifying Victims - 2

Many letters returned for obsolete addresses
UT purchased addresses from com services
Some of these addresses bounced as well
Not all victims fluent in English
Website (English & Spanish) provided updates
Some victims reported credit irregularities, but
none, to date, determined to be linked to SSNs



                                                   55
         Additional Forensic Analysis

Rogue TXCLAS activity from Austin IP
shown in daily logs back to Sept, 2002
Unusual patterns in weekly aggregate log
records from spring, 2002
No TXCLAS breaches documented from
other sources
No other systems breached from same IP
Same student had been cited three times
for AUP violations in UT dorm, spring 2002
                                        56
         Matching the PC to the Logs

Secret Service analysis of the PC showed
strong match to UT's system logs
Cracking program found
No evidence that vulnerability or data
were shared nor data exploited
Evidence of other rogue activity:
 Cracking other computers, incl businesses
 Downloading Texas genealogy data

                                              57
        20 Months of Delay

Suspect completed spring semester at UT
Lead US Attorney replaced twice
Intermittent plea bargaining
Suspect withdrew from UT
Indictment finally issued Nov. 2004




                                      58
         4-Count Federal Indictment

… accessed a protected computer without
authorization and recklessly caused
damage … at least $5,000 … $120,000 to
UT
… with intent to defraud possessed 15 or
more access devices … 37,000 SSNs
… “ … credit card, bank account, and/or
SSNs [not from UT]
… possessed 37,000 ID docs of U.S.
                                       59
             The Trial: June 6-10, 2005

Witnesses from UT:
   Applications Specialist who discovered break-in
   Information Security Officer
   Director of Systems
   Deputy CIO who managed victim notification
   CIO
Victims:
 A fellow UT student; parents of another student
 Business manager from an El Paso jewelry store

                                                      60
         Prosecution Arguments

Evidence from defendant's computer
revealed years of rogue behavior –
including 3 warnings from UT in 2002
UT break-in uncontested, and genealogy
data that could have been matched to UT
names & SSNs showed intent to defraud
Credit card data also showed fraud intent
Substantial harm to the community

                                            61
         Defense Arguments

Student loved computers, wanted trophies
SSN script well-crafted, not “reckless”
No evidence of intent to defraud
 Data on hard drive for months/years
 No communication with other crackers
 Very simple life style
UT's TXCLAS system not secure
UT inflated damage claims: “no overtime”
                                           62
        Measuring the Damages

Overloaded system crashed ~ $1,240
Staff time to conduct damage assessment:
respond, inspect logs, search for other
possible breaches, etc. ~ $109,000
Staff time & hard-dollar costs to notify
victims: website, 800 number, help desk,
printing, mailing ~ $61,000
Staff time to support Secret Service, US
Attorney's Office ~ not counted
                                       63
         Damages: Different Dimensions

Guilt or innocence on 1st count: Greater
than $5,000 in damages?
Federal sentencing guidelines: step
function adds months in prison as
damages increase
Restitution: UT was advised that costs to
notify victims could be included
UT's reputation – priceless!
                                            64
             The Jury Decides

Guilty
 … accessed a protected computer … and recklessly
  caused damage … at least $5,000 … $120,000 to UT
 … possessed 37,000 ID docs of U.S. – but
  subsequently dismissed as statute was not in force in
  early 2003 [!]
Not guilty
 … with intent to defraud possessed 15 or more
  access devices … 37,000 SSNs
 … with intent to defraud possessed … credit card,
  bank account, and/or SSNs [not from UT]

                                                      65
           Sentencing

5 years probation, with no "un-monitored"
Internet access [how will this be enforced?]
500 hours community service
No fine
Full restitution to UT, in the amount of $170,056

(US Attorney's Office had sought Federal prison
time, and Judge stated that, under Federal
sentencing guidelines, attacker could have been
required to serve 15-21 months.)


                                                66
           Coda: An Appeal?

“[We] will appeal the conviction on the grounds
that he did not act 'recklessly,' an adverb that
has no federal criminal definition,” said Austin
lawyer, who now represents the student.
He will, however begin probation immediately.
“He certainly didn't intend to cause the university
any damage - I don't think there's any doubt
about that,” Kirk said. “If the judge had thought
that, then he wouldn't have given probation.”


                                                   67
           What They Did Right

Maintained extensive logs
Contacted law enforcement quickly
Assembled response team:
   Central IT: ISO, Systems, Network, User Svcs
   Human Resources & Student Info Systems
   Legal Affairs
   Public Affairs
Alerted President's Office

                                               68
             Did Right - 2

Focused on mitigating risk to victims
 Key message to law enforcement & press
 Committed to disclosure (w/in legal limits)
 Created datatheft website asap
   •   Platform for University's official statements
   •   Advice to victims
   •   Feedback channel from victims, potential victims
   •   “Data theft” not necessarily “identity theft”


                                                          69
           Did Right - 3

Strong commitment to communication
   Link to email: over 2,000
   Link to data form: over 6,500
   Toll-free hotline: over 3,000
   Two email msgs to these groups
   U.S. mail to all with addresses
   Monitored news media daily
   Prepared graphics for testimony
Told the truth
                                      70
         Did Right - 4

Systematic logging of expenses & time:
 2,400 hours: conducting damage assessment
 1,500 hours: responding to the offense
Thorough documentation at each step:
 Essential when staff were called to testify 27
  months after the offense
 Needed to support three separate prosecutors, a
  jury trial, and a possible appeal

                                            71
          Lessons Learned

SSNs as university IDs are a bad idea
 Leads to SSN use in input, displays, reports
 Exposure of “U ID” risks identity theft
3 strikes, but the student wasn't out – some
breakdown between ISO & Student
Judicial Services; should have required in-
person meetings & escalation of sanctions


                                                 72
            Lessons - 2

Software design/development/testing:
   Original application assumed trusted users
   No checks for bad or repeated inputs
   No logic checks when user base expanded
   Unified database: 1.5M records exposed
Web/Internet-enablement adds risk:
 Lost mainframe/3270 “security by obscurity”
 Anytime/anywhere presumed, even if
  unneeded

                                                 73
           Lessons - 3

Remote university accommodated:
 Unwise to offer unauthenticated access
 This access should have been restricted:
   • IP address range corresponding to campus only
   • Time of day
Each incremental change “reasonable”
 No one looked at the big picture
 Internet risks not front of mind for
  programmers
                                                     74
          Lessons - 4

Unified databases create their own risks
 Obscure app can expose the entire database
 Apps programmers don‟t necessarily know
  the extent of database records & fields
 Is it reasonable to keep retired records forever
  in the production database?
Intrusion Detection Systems in place now
– but not then

                                                75
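The lessons on slides 73 to 75 name three controls the original application lacked: restricting access to the address range and hours that actually need it, and refusing bad or repeated inputs. Here is a gate that applies all three in front of an ID-lookup endpoint, as an added example; it is not code from the slides or from UT. The permitted address ranges, service hours, window and thresholds, and the record IDs are assumptions chosen for illustration.

```python
# Added example, not code from the slides or from UT: a gate in front of an
# ID-lookup endpoint applying the three controls the lessons call for.
# The address ranges, service hours, thresholds and record IDs are assumptions.
import ipaddress
from collections import defaultdict, deque

# Assumed: the campus range plus the one remote campus that needs access
# (192.0.2.0/24 is a documentation range standing in for the remote site).
PERMITTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.0.2.0/24")]
SERVICE_HOURS = range(7, 19)   # assumed: 07:00-18:59 local time
WINDOW_SECONDS = 300           # sliding window for the per-source counters
MAX_FAILURES = 5               # unknown IDs per window before lockout
MAX_LOOKUPS = 50               # total lookups per window before lockout


class LookupGate:
    """Decides whether one lookup request may reach the application."""

    def __init__(self, known_ids):
        self.known_ids = set(known_ids)
        self.events = defaultdict(deque)   # src_ip -> deque of (timestamp, hit)
        self.locked = set()

    def _permitted_source(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in PERMITTED_NETS)

    def check(self, src_ip, hour, lookup_id, now):
        """Return (allowed, reason). `hour` is the local hour, `now` a unix time."""
        if not self._permitted_source(src_ip):
            return False, "source outside permitted address ranges"
        if hour not in SERVICE_HOURS:
            return False, "outside service hours"
        if src_ip in self.locked:
            return False, "source locked out"
        hit = lookup_id in self.known_ids
        q = self.events[src_ip]
        q.append((now, hit))
        while q and now - q[0][0] > WINDOW_SECONDS:   # expire events outside the window
            q.popleft()
        failures = sum(1 for _, ok in q if not ok)
        # Guessing IDs trips the failure limit; walking valid IDs in a
        # unified database trips the total limit, so both are covered.
        if failures >= MAX_FAILURES or len(q) >= MAX_LOOKUPS:
            self.locked.add(src_ip)
            return False, "source locked out"
        return (True, "ok") if hit else (False, "unknown id")


if __name__ == "__main__":
    gate = LookupGate(["A100", "A200"])
    print(gate.check("203.0.113.9", 10, "A100", 0))     # off-campus: denied
    for n in range(5):                                  # five guesses: lockout
        print(gate.check("10.1.2.3", 10, f"X{n}", n))
    print(gate.check("10.1.2.3", 10, "A100", 6))        # valid ID, still locked
```

The lockout here lasts for the life of the object; a production version would expire it after a cooling-off period and raise an alert, since a locked source is exactly the event an intrusion detection system should see.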
             Lessons - 5

Security breaches are very costly
   Disruption of normal operations
   Diversion of staff: for 30 months in UT case
   Direct costs of victim notification
   Secondary diversion: additional audits, reports
Negative PR may be the biggest cost
 Security breaches make news, especially ID theft
 Direct impact on your key constituents
 Your story can live for a very long time

                                                      76
          Wrap-Up

UT was fortunate
 Intruder acted alone & was local/identifiable
 Full restitution has been ordered
Victims were fortunate, apparently
 UT & law enforcement acted promptly
 Victims provided with risk mitigation info
 No evidence that data were exploited
Such “orderly” outcomes are very rare

                                                  77
         References

UT Austin data theft website –
www.utexas.edu/datatheft
Security Task Force –
www.educause.edu/security/




                                 78
        Incident Response Planning

Jack Suess




                                     79
          Incident Response Planning

No university can be certain it is
secure and immune from an incident.
As part of your security planning, you
should take time when it is not a crisis to
prepare your campus on how to respond.
Step 1.
 Incident response is a campus responsibility,
  involve them in the planning! Georgia Tech
  has a good collaborative approach

                                                  80
         Incident Response
         Technical Resources

NIST publication 800-61, Incident
Handling Guide is a good resource
SANS offers good technical courses on
incident response for technical staff
Security professionals conference will
have sessions on this
Take time to debrief staff on lessons
learned when an incident occurs
                                         82
         Incident Handling
         When Do You Notify?

CD contains resources on this from
different groups. In some states there is
little choice.
Better to err towards notification unless
you can look into a camera and have a
credible reason for why you didn’t notify.
Key to not notifying is evidence data was
not accessed -- logging and forensics are
essential to proving this.
                                             83
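The slide above makes the point that not notifying rests on evidence, and evidence comes from logs. The added example below shows what that evidence looks like in practice: given the attacker's source addresses and the compromise window, it separates the records whose lookups actually returned data from the records that were merely probed, and it counts log lines it cannot read, because an unreadable line is a gap in the evidence rather than proof that nothing happened. This is not code from the slides or from UT; the log format, the /lookup?id=... URL shape, the addresses, times and record IDs are constructed for illustration.

```python
# Added example, not code from the slides or from UT: scoping a notification
# from web access logs. The log format, the /lookup?id=... URL shape, the
# addresses, times and record IDs are constructed for illustration.
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

CST = timezone(timedelta(hours=-6))
WINDOW_START = datetime(2003, 3, 2, 0, 0, 0, tzinfo=CST)   # assumed compromise window
WINDOW_END = datetime(2003, 3, 2, 23, 59, 59, tzinfo=CST)
ATTACKER_IPS = {"198.51.100.7"}                              # assumed, from the investigation

# Constructed sample log; the last line stands in for a damaged entry.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Mar/2003:02:14:05 -0600] "GET /lookup?id=4510 HTTP/1.1" 200 812
198.51.100.7 - - [02/Mar/2003:02:14:06 -0600] "GET /lookup?id=4511 HTTP/1.1" 404 203
198.51.100.7 - - [02/Mar/2003:02:14:07 -0600] "GET /lookup?id=4512 HTTP/1.1" 200 809
10.20.3.4 - - [02/Mar/2003:09:30:00 -0600] "GET /lookup?id=4512 HTTP/1.1" 200 809
198.51.100.7 - - [05/Mar/2003:11:00:00 -0600] "GET /lookup?id=4513 HTTP/1.1" 200 810
truncated line that did not survive log rotation
""".splitlines()


def parse(line):
    """Return (ip, timestamp, record_id, status) or None for an unreadable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    record = parse_qs(urlsplit(m["path"]).query).get("id", [None])[0]
    return m["ip"], ts, record, int(m["status"])


def exposed_records(lines, attacker_ips, start, end):
    """Split attacker lookups in [start, end] into records returned (200)
    and records probed but not found (404). Unreadable lines are counted:
    each one is a gap in the evidence, not proof that nothing happened."""
    accessed, not_found, unreadable = set(), set(), 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            unreadable += 1
            continue
        ip, ts, record, status = parsed
        if ip not in attacker_ips or not start <= ts <= end or record is None:
            continue
        if status == 200:
            accessed.add(record)
        elif status == 404:
            not_found.add(record)
    return accessed, not_found, unreadable


def scope_sample():
    return exposed_records(SAMPLE_LOG, ATTACKER_IPS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    accessed, not_found, unreadable = scope_sample()
    print("notify owners of:", sorted(accessed))
    print("probed, not returned:", sorted(not_found))
    print("unreadable log lines:", unreadable)
```

Two caveats a practitioner will want on the record: the result only covers the channel that was logged (a second path into the database would not appear here), and the attacker address list and window must themselves come from the investigation, so if either is uncertain the "not accessed" conclusion is no stronger than that uncertainty.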
          Incident Notification -
          What to do When it Happens!

On your CD, STF document on Data
Notification Procedures
 Generate a press release
 Identify a spokesperson for institution
 Develop a notification letter to go out
 Develop an incident-specific website to refer
  people to
 Develop FAQ, resources for person to use
 Cost is between $4 and $10 per SSN

                                               84
          Incident Handling
          Dealing With the Stress

CIOs often are designated the point
person for these events.
 These are stressful events.
 People on campus are upset and feel
  betrayed. Don't take it personally.
 This has to be looked at as an institutional
  problem; the executive team must recognize
  this as a campus issue and provide support
  for increased funding, staffing, and policies. If
  not, update your resume and look elsewhere!
                                                  85
           Shared Governance Is Key


On some campuses (e.g. UC Davis, UIUC)
 The dean or vice chancellor of record (i.e. the one to
  whom the unit with the incident reports) is the
  designated spokesperson
 College (or responsible unit) pays mitigation costs
 Campus safeguards (firewalls, incident response) not
  alternative to effective unit practices
 Provides strong incentives for other deans
  (“decimation principle of the Roman army”)



                                                     86
      BREAK
Return in 15 Minutes




                       87
           Ethical Security Challenges

Many security incidents cross into an
ethical “gray area” that can challenge
CIOs
   Was information really exposed?
   If not, do you need to notify?
   What about potential exposure?
   What about outside pressure?
The scenario that follows will highlight
these
                                           88
         Scenario – for discussion

Location - a state without mandatory
disclosure laws.
Background - Your campus is ready to
announce their latest fundraising
campaign at a gala event next month. The
CIO discovers that the alumni
development machine has been
compromised.
Roles - CIO and VP of Advancement
                                       89
           Scenario - Discussion Points

Policies and procedures matter: from a legal standpoint
it is critical to follow them.
A major security incident is not the time to begin
building a relationship with other executives.
Ask yourself: can I defend my actions when the local
TV news comes to interview me?
When in error, admit it, and take corrective
action to address the root causes.
No job is worth violating your own ethical
standards.

                                                  90
       Using Community Resources

Joy Hughes




                                   91
 Using Community Resources
I.    A Blueprint for Handling
        Sensitive Data
II.   Data Classification Schemes
I. A BLUEPRINT FOR
HANDLING SENSITIVE DATA



                      94
               A Blueprint for Handling Sensitive
               Data

https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint (see handout)


Step #1: Create a security risk-aware
 culture that includes an information
 security risk management program.
Sample Resource:
  https://wiki.internet2.edu/confluence/display/secguide/Risk+Assessment+Framework

                                                           95
          A Blueprint for Handling Sensitive
          Data


Step #2: Define institutional data
 types.

 Sample Resource:
 http://connect.educause.edu/library/abstract/SensitiveDataProtect/45162


                                               96
          A Blueprint for Handling Sensitive
          Data



Step #3: Clarify responsibilities and
accountability for safeguarding
confidential/sensitive data.

Sample Resource:
http://its.uncg.edu/Policy_Manual/Data/



                                               97
          A Blueprint for Handling Sensitive
          Data

Step #4: Reduce access to
confidential/sensitive data not
absolutely essential to institutional
processes.
Sample Resource:
http://connect.educause.edu/library/abstract/NoMoreSocialSecurity/38825


                                                  98
          A Blueprint for Handling Sensitive
          Data

Step #5: Establish and implement
stricter controls for safeguarding
confidential/sensitive data.
Sample Resource:
http://www.yale.edu/ppdev/Procedures/its/1607/1607PR.01EndorseEncrirption.pdf



                                               99
        A Blueprint for Handling Sensitive
        Data


Step# 6: Provide awareness and
training.


Sample Resource:
http://www.educause.edu/content.asp?page_id=5746

                                             100
           A Blueprint for Handling Sensitive
           Data



Step #7:Verify compliance routinely
with your policies and procedures.

Sample Resource:
https://wiki.internet2.edu/confluence/display/secguide/Data+Incident+Notification+Toolkit


                                                101
II. DATA CLASSIFICATION
  SCHEMES



                          102
             Data Classification Schemes


First, work with legal counsel, data stewards and
  campus stakeholders to create a Policy that provides
  the framework necessary to:
   Identify and classify data in order to assess risk
    and implement an appropriate level of security
    protection based on categorization.
   Comply with legislation, regulations, and internal
    policies that govern the protection of data.
   Facilitate and make the Incident Response
    process more efficient. The level at which the
    data is classified determines the level of       103
           Data Classification Schemes


Samples:

           George Washington University

           Stanford University

           U. of Texas - Austin



                                          104
                    Data Classification at GW

                           Privacy Levels
Operations Levels          Public    Official   Confidential
Enterprise System            2         2            1     (highest security /
                                                           highest operations)
Department Server            3         2            1
Desktop/Laptop               4         3            2
                    (Desktop/Laptop + Public = lowest security / lowest operations)
                                                                                    105
        Note, numbers in boxes suggest the priority levels for mitigating risks.
Stanford Data Classification




                       106
U of Texas-Austin Data Categories




                            107
                         For more information



EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
EDUCAUSE Center for Applied Research
www.educause.edu/ECAR
Blueprint for Handling Sensitive Data
wiki.internet2.edu/confluence/display/secguide



                                                 108
              Actions and Next Steps



Pete Siegel




                                 109
            Actions for CIOs- Strategic

Meet with your executive peers to educate them.
Create an executive incident advisory team.
Organize and educate YOUR staff around security
Educate other campus IT staff about security
Develop policies and guidelines on data classification
Perform a risk assessment across the institution focusing
on machines with sensitive data on them
Reallocate resources to implement proactive and
automated systems to protect machines



                                                       110
                 Actions for CIO- Programmatic

i. Designate an information security officer and organizationally place this
position in an effective location.
ii. Review your institutional security policy. Does the policy define security
governance? Is the policy clear with respect to requirements and
responsibilities?
iii. Review the security model which underlies your institution's security
program. Does the program address prevention, assurance, response and
recovery? Do security program initiatives correspond to the identified
system/network/data risks and regulatory controls?
iv. Review the process by which core institutional data is identified and
protected.
v. Review your institutional strategic plan and information security long-
term plans for congruence.
Review Each and Every Year-- Change is Rapid
                                                                            111
             Actions for IT Unit Directors and
             Managers – Strategic

Identify and prioritize security threats you see every day.
Develop tracking statistics and metrics to quantify these
threats and issues.
Embed security into every technical activity in your
organization. Work with staff in other departments to
train them on appropriate techniques and tools (CIS)
Review the effective practices guide and discuss with
peers what steps others have found effective.
Create an incident response team (IRT) and develop
plans and procedures for when an incident occurs



                                                         112
                  Actions for IT Unit Directors and
                  Managers – Programmatic

i. Assign specific technical staff members to support your information
security program. Ensure that staff members understand their
responsibilities and are sufficiently trained to carry out these responsibilities.

ii. Conduct unit security awareness for non-technical staff. Effective
security practices require the participation of everyone in the unit.

iii. Conduct periodic risk assessments of your information systems and
data using a team of administrators and technical staff. Verify that security
work objectives will reduce vulnerabilities within high-risk security areas.

 iv. Adopt an organizational framework for security management. Review
information security work objectives and progress on a regular basis. Focus
measurement on reliable metrics wherever possible.

v. Align unit security practices with institutional requirements. Review unit
compliance to institutional security policies and regulations.


                                                                               113
                              Campus Focus – UC Davis
                              UC Data Security Policies

   UC Information Security Policy

                          Essential Resource           Required Resource            Deferrable Resource
   Restricted Sensitivity Access Security Required.    Access Security Required.    Access Security Required.
                          Include in Disaster          May Be Included in DR Plan   Not Required for DR Plan
                          Recovery Plan

Test conditions for 'Restricted' information:
1. Does the data include information that identifies or describes an individual?
2. Would unauthorized access, modification or loss of the data seriously affect
    the University?
3. Would unauthorized access, modification or loss of the data seriously affect
    a business partner of the University?
4. Would unauthorized access, modification or loss of the data seriously affect
    the public?
5. Has the Proprietor chosen to protect the data from general access or
    modification?                                                              114
          UC Data Security Policies


Security Provisions for UC System
 Authentication & Authorization
 Background Checks
 Control Administrative Accounts
 Data Backup/Retention/Storage and Transit
  Encryption
 Disaster Recovery Plan
 Incident Response/Notification Plan
 Physical Security Controls & Media Controls


                                                115
              UC Davis Data Security Policy



 Software Vulnerabilities
 Virus Infections
 Non-secure Computer Programs/Services
 Authentication Measures
 Insecure Personal Information
 Firewall Services
 Physical/Environment Controls
 Spam Generation
 Open Proxy
 Audit Logs
 Backup/Recovery
 Security Training
 Spyware Removal
 Data Removal Prior to Hardware Retirement
 Incident Response Plans - new
 Web Application Security - new                                        116
                                         Sample Data Security Requirements (UC Davis)


Security Practice                          HIPAA Security   PCI (Credit cards)                 UC System            UCD Cyber-safety Policy
Patch Management                                NA                  X                          Proposed                       X
Malicious Program Control                        A                  X                      Proposed - AV only                 X
Remove Insecure NW Services                     NA                  X                           Proposed                      X
Authentication/Password Controls                 A                  X                               X                         X
Limit System Administrative Capability           A                  X                               X                         X
Personal Identity Information                  ePHI                 X                           Proposed                      X
Physical Security – Theft                        A                  X                           Proposed                      X
Physical Security – Unattended Account           R                  X                           Proposed                      X
Firewall Use                                    NA                  X                    Proposed Host-Based                  X
Email Relay                                     NA                 NA                           Proposed                      X

Web Proxy Servers                               NA                 NA                           Proposed                      X
Audit Logs                                       A                  X                           Proposed                      X
Backup, Recovery and Disaster Planning           R               Backup                             X                         X
Security Awareness Training                      A                  X                               X                         X
Data Removal from Surplus HW                     R                 NA                               X                         X
Incident Response Plans                          R                  X                               X                         X
Application Development Security                NA                  X                               X                         X
Designated Security Official                     R                 NA                               X                         NA
IDS/IPS                                         NA                  X                           Proposed                      NA
Risk Analysis & Management                       R                 NA                               X                         NA
Authorize Users                                  A                  X                               X                         NA


                                                                                                                                   117
                                                                          R: Required A: Addressable X: In Policy
                                         Sample Data Security Requirements – (UC Davis)
                                         Continued

Security Practice                            HIPAA Security   PCI                     UC System               UCD Cyber-safety Policy

Sanction Policy                                    R                                      NA                            NA

Workforce Clearance and Termination                A          X                           NA                            NA


Isolation of Health Care Clearinghouse             R          NA                          NA                            NA
Functions

Contingency Plan – Testing and Update              A          NA                          NA                            NA
and Assess Application and Data
Criticality
Business Associates Agreements                     R          X                           NA                  Personal Identity Data

Comprehensive Evaluation                           R          X                           NA                            NA

Facility Access Controls                           A          X                            X                            X

Transmission Security: Integrity Controls          A          X                            X                  Personal Identity Data,
and Encryption                                                                                                      Passwords

Group Health Plan Safeguards                       R          NA                          NA                            NA

Security Policies and Procedures                   R          X                           NA                            NA

Security Plan Documentation and                    R          X                           NA                            NA
Maintenance




                                                                                                                                  118
                                                                    R: Required A: Addressable X: In Policy
        Campus Focus – UC Davis to date


 Initiate Risk Assessment
 Prioritize Security Areas Needing
  Attention – Pareto Principle (80:20)
 Seek Input in Developing and
  Implementing a Campus Unit
  Security Plan
 Implement Security Plan
 Annually Review Security Plan
 Keep Up to Date with Security News
                                          119
             Campus Focus – UC Davis 2007-2008


Expand security survey required of all departments to
next stage– including lower risk items
Develop more sophisticated training and tools for web /
database-related security gaps
Implement more self-service and unit IT tools for finding
private data on web sites, in databases, etc
Implement more tools to protect campus from itself
 Intrusion detection systems
 Continue departmental firewall investments
Implement full IT audit capability at college and
departmental level (with campus auditors)
Improve dean-level oversight for college issues
                                                        120
               Security Checkpoint: your next steps


Identify five areas where you might plan additional
security activities over the coming year
   (training community, database security, unit-level security
   practices, research data integrity, …)
For the most important 2-3, what specific steps are you
proposing?
Who are the 2-3 most important stakeholders in
getting/making the commitment to move ahead




                                                                 121
        Survey of Security Practices

Jack Suess




                                       122
         Review of Security Resources



Borrowing from David Letterman, here are
my top ten resources that were developed
by the Security Task Force that your
institution can leverage for use at your
own institution.



                                        123
             10. Internet2 Security Site

security.internet2.edu/
Internet2 has made security on research networks a
priority. This site has an excellent collection of papers
and presentations on security challenges for research
networks. The netauth working group has excellent
papers on implementing network access control.
To do - if you are an Internet2 member, have your
security officer or network manager review SALSA &
Net-Auth archives; consider joining the initiative.



                                                            124
             9. Authentication Roadmap

www.nmi-edit.org/roadmap/draft-authn-roadmap-03/
The National Middleware Initiative consortium has developed an
excellent document to use for planning an authentication and
authorization strategy for your campus (on CD).
To do - Review this document with your staff responsible for
authentication and authorization.
  Consider sending some staff to the Campus Architecture and
   Middleware Planning (CAMP) workshops:
   http://www.educause.edu/CampusArchitecturalMiddllewarePlanning(CAMP)Workshops/1607




                                                           125
             8. Security Awareness Toolkit

www.educause.edu/SecurityAwarenessResourceLibrary/8762

This site contains planning documents,
resources such as brochures, bookmarks,
posters, sample web sites, and links to
good resources developed by the
government, industry and other higher
education institutions.
October is Cyber Security Awareness
Month!
                                                         126
                  8. Sample Student Video

 Out in the Open
http://www.researchchannel.org/mov/educ_con_outopen_250k_qt.mov




                                                                  127
               7. Effective Practices Guide/Wiki

www.educause.edu/EffectivePracticesandSolutionsinSecurity/1246

Released in 2004, the effective practices
guide has specific solutions to many of the
technical challenges facing institutions. In
addition to material on solutions the guide
integrates 45 case studies from institutions
on how they have solved the problem.
Coming soon, this will move to a wiki!
To do - make sure your technical team has
seen this and is aware of it as a resource.
                                                                 128
             6. Risk Assessment Framework

www.educause.edu/LibraryDetailPage/666?ID=CSD4380
The risk assessment framework provides a detailed
overview of establishing a risk assessment process on
your campus and breaks this down in phases and
discrete steps
On your CD are risk guides from NIST, Microsoft, and
the World Bank. Included is a tutorial on risk
management done in 2004.
To do - When you return to campus review the ISG self-
assessment tool with your direct reports.



                                                     129
              5. Data Notification Toolkit

www.educause.edu/DataIncidentNotificationToolkit/9320

This contains legal requirements, sample
policy and procedures, threshold advice
for notification, sample templates and web
sites, and additional resources.
Review this when you get back and run a
simulation of performing a notification to
make sure everyone understands their
role
                                                        130
            4. Executive Awareness
            Resources

http://www.educause.edu/executiveawareness
This site contains overview information on improving
executive awareness across the campus. This resource
has articles, presentations, and policies for supporting
awareness. The executive awareness videos (also on
CD), is included.
To do - use the executive awareness resources to meet
with key executives.




                                                       131
4. Executive Awareness Video








                                         132
             3. Security Professionals
             Conference

http://www.educause.edu/sec07
Security Professionals Conference 2008
May 4–6, 2008
Arlington, Virginia
 This conference is focused specifically on security issues in
  higher education and is a great place for someone to meet and
  learn from other higher education security professionals.
To do - have someone submit a proposal to the
conference (due ca. Jan 2008)




                                                              133
           2. Security Discussion List

www.educause.edu/SecurityDiscussionGroup/979
The security discussion list has over 1800
subscribers and is among the most active
EDUCAUSE email discussion lists.
You can search this list by keyword for
information on contacts.
To do - make sure your security team is
subscribed to the list. This is a great way
to leverage expertise
                                               134
              1. EDUCAUSE Security Task
              Force

www.educause.edu/security
Presently there are 60 people working on four major
working groups - effective practices, security awareness,
risk management, and policy and legal.
Co-chairs Pete Siegel (UC-Davis), Joy Hughes (GMU)
 and Mely Tynan (Tufts). Focus is on:
 Data privacy and classification
 Incident detection, handling, and response.
To do - attend the open meeting of the task force here at
Educause 2007 on Thursday



                                                       135
         Funding and Staffing
         Resources and Questions

Resources on CD
 ECAR report on Optimal Security Staffing
 Security 101 for CIOs from 2001
 CISWG Security Metrics (under legal)




                                             136
         Policy and Legal
         Resources

On the CD
 UT-Austin Student privacy requirements by
  state
 NIST 800-60 data classification procedures
 ECAR Security Policy: Keys to Success
 Policy development primer
 Security policies from GMU, UT-Austin,
  UMBC, UC-Berkeley, and Georgia Tech

                                               137
             Security Professionals Media - 1

Educause/Internet2 Security Task Force
http://www.educause.edu/security
Internet2 Security Initiative
http://security.internet2.edu/
SANS unisog security discussion list
https://lists.sans.org/mailman/listinfo/unisog
REN-ISAC membership http://www.ren-isac.net/


                                                 138
                 Security Professionals Media - 2

Educause
   Security Professionals Conference
      •   May 6-8, 2008, Arlington, VA
     •   http://www.educause.edu/securityconference
 Security discussion list
      • http://www.educause.edu/groups/security
 Incident notification toolkit
     • http://www.educause.edu/DataIncidentNotificationToolkit/9320
 Risk assessment framework
     • http://connect.educause.edu/blog/vvogel/riskassessmentframew/1950
 Cyber-security resources
     • http://connect.educause.edu/blog/vvogel/riskassessmentframew/1950
 Effective security practices workgroup
     • http://www.educause.edu/Committees/959?CODE=SECURITY-EP




                                                                           139
The McCumber Cube Video




  http://www.educause.edu/7103


                                 140

				