Title: What Is Outstanding In Your Security and Compliance Practice
1 What Is Outstanding In Your Security and Compliance Practice?
- Ming Chow
- NERCOMP: Achieving Optimal Security Compliance in Higher Education - Tufts University
- mchow_at_cs.tufts.edu
2 Introduction
- The threats are real
- Malware (e.g. viruses, worms, Trojan horses) is becoming more sophisticated
- Security breaches and attacks are becoming more publicized
- People are becoming more concerned with their online privacy
- However, people still lack awareness of basic computer security issues
3 About Myself
- Graduated from Tufts University
  - BS in Computer Science and Mathematics, 2002
  - MS in Computer Science, 2004
- Areas of interest: Computer Security, Game Development, Computer Science in Education
- Taught the course Security, Privacy, and Politics in the Computer Age in Spring 2005
- Have been involved in all facets of higher education: as a student, an instructor, and personnel supporting a university's central administration (current)
4 A Typical Higher Education Computing Infrastructure
- Traditionally open
  - Critical for researchers
  - Critical for students' learning
- Higher education comprises about 15% of the Internet address space
- Wired campus (dorms to Greek housing), usually with no network authentication
- Many institutions now offer campus-wide wireless access
- Tech-savvy students
5 Threat Matrix
6 Overlapping Security Issues in Industry and Higher Education
- Enormous disconnect between IT and general users
- Lack of awareness of computer security fundamentals (poor practices)
- Social engineering
- Insider threat
- Lack of low-tech and low-cost planning
- Too much focus on products for implementing computer security
- Lack of testing environments to understand threats and potential security breaches
- Security is a reactive process
7 Risks in Higher Education
- Openness: fertile ground for attacks and risks
- Web hosting and file sharing
- Decentralization
- Lack of visibility for security and privacy
- Security is looked at as a bad thing by professionals and students: a tough sell
8 Hotspots
- Data security
- Privacy
- Next generation of malware
- Poisoned Peer-to-Peer (P2P) networks and torrents
- Compliance and auditing
9 Next Generation of Malware
- Now spreading through instant messaging (e.g. AOL IM)
- Malware hybrids: fooling and cloaking malicious intent
- Rootkit: a toolbox of tools for a cracker to keep root access. Also hides and secures the cracker's presence on a system.
- Example: spyware that has a rootkit component
- Can fool anti-virus or anti-spyware software
10 Next Generation of Malware (continued)
- Kernel-based attack techniques using hooks and layers (code inserted between applications and the kernel)
- Kernel: the core of an operating system, responsible for resource allocation, low-level hardware interfaces, security, etc.
- Altering normal program control flow
- The Microsoft Windows architecture makes this possible
- Bottom line: malware is becoming more lethal and far more difficult to find!
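A user-space model of the hook-based hiding the slide describes, added here as an example (it is not code from the original deck). A Python dict stands in for the kernel's system-call table and the directory listing is constructed; the two checks shown, comparing live handlers against a boot-time snapshot and a cross-view diff against the raw data, are the standard ways rootkit detectors look for exactly this kind of hook.

```python
"""Hook-and-hide model of a rootkit, with two checks that catch it.

Added example (not from the original slides). Everything here is plain
user-space Python standing in for a kernel: the SYSCALLS dict plays the
role of the kernel's system-call table, FAKE_FS is a constructed directory
listing standing in for the raw file system, and ls() is a tiny "ls"
program that trusts whatever the table returns.
"""

# Constructed sample listing; "rk_" entries belong to the intruder.
FAKE_FS = {"/var/log": ["auth.log", "syslog", ".rk_loader", "rk_config"]}


def sys_listdir(path):
    """Genuine 'listdir' handler: returns every entry, nothing hidden."""
    return list(FAKE_FS[path])


# The "system-call table": name -> handler. Normal control flow goes
# through this table, so whoever controls an entry controls what callers see.
SYSCALLS = {"listdir": sys_listdir}

# Trusted snapshot of the table, taken "at boot" before untrusted code runs.
TRUSTED_TABLE = dict(SYSCALLS)


def ls(path):
    """A user program: it can only see what the table's handler returns."""
    return SYSCALLS["listdir"](path)


def install_rootkit(prefix="rk_"):
    """Hook 'listdir' so entries belonging to the rootkit are filtered out.

    The genuine handler still runs; the hook sits in front of it and edits
    the result, which is why ordinary tools keep working and see nothing.
    """
    genuine = SYSCALLS["listdir"]

    def hooked_listdir(path):
        return [e for e in genuine(path)
                if not e.lstrip(".").startswith(prefix)]

    SYSCALLS["listdir"] = hooked_listdir


def check_table_integrity():
    """Return the names of table entries whose handler is no longer the one
    recorded in the trusted snapshot (the classic hook detector)."""
    return sorted(name for name, fn in SYSCALLS.items()
                  if fn is not TRUSTED_TABLE[name])


def cross_view_diff(path):
    """Cross-view detection: compare the hooked API's answer with the raw
    data source. Anything the hook hides shows up as the difference."""
    return sorted(set(FAKE_FS[path]) - set(ls(path)))


if __name__ == "__main__":
    print("before:", ls("/var/log"), check_table_integrity())
    install_rootkit()
    print("after: ", ls("/var/log"), check_table_integrity(),
          cross_view_diff("/var/log"))
```

Both checks depend on having something the rootkit does not control: a snapshot taken before the compromise, or a second path to the same data. A scanner that only asks the hooked API sees a clean system, which is the point of the slide.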
11 Data Privacy
- Mantras
  - Provide prominent disclosure
  - Data minimization (collection, storage, and sharing)
  - Anonymity
  - Put users in charge of their data
- Other components of a privacy framework
  - Quality (accuracy and completeness)
  - Security
  - Monitoring and enforcement
12 How Come So Many Data Privacy Problems Recently?
- Heavy usage of, and dependency on, Social Security Numbers and credit card numbers
- Poor web security
- Insider threats
- Social engineering (scam artists, phishing)
- Pharming
- Third-party businesses
- Linkability
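Data minimization applied to the SSN dependency above, as an added example that is not part of the original slides: records keep a keyed pseudonym instead of the number, and the key is bound to a purpose so that two data sets cannot be linked on it. The records, the key and the purpose strings are constructed for illustration; in a real deployment the key lives in a key store, not in code.

```python
"""Data minimization in practice: store a pseudonym, not the SSN.

Added example, not from the original slides. Gives records a stable join
key derived from an SSN without keeping the SSN, and shows why a
per-purpose key matters for linkability. The sample records and the key
are constructed for illustration only.
"""
import hashlib
import hmac
import re

# Constructed sample records (fake SSNs), as an application might receive them.
SAMPLE_RECORDS = [
    {"name": "A. Student", "ssn": "123-45-6789", "dept": "CS"},
    {"name": "B. Alum", "ssn": "987-65-4321", "dept": "Math"},
]


def normalize_ssn(ssn):
    """Strip formatting so '123-45-6789' and '123456789' map to one token."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def pseudonymize(ssn, key, purpose):
    """Keyed pseudonym: HMAC-SHA256 over the SSN, bound to a purpose string.

    A plain hash would not do: there are only 10^9 possible SSNs, so an
    unkeyed hash can be inverted by brute force. The secrecy of `key` is
    what protects the mapping, and a different purpose (or key) per data
    set means tokens from two sets cannot be joined to each other.
    """
    msg = (purpose + ":" + normalize_ssn(ssn)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def minimize(record, key, purpose):
    """Return a copy of the record with the SSN replaced by a pseudonym."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["person_token"] = pseudonymize(record["ssn"], key, purpose)
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"
    for rec in SAMPLE_RECORDS:
        print(minimize(rec, demo_key, "payroll"))
```

The same person yields the same token within one purpose, which is all an internal join needs; the payroll token and the alumni token for that person differ, so a leak of one table does not let it be matched against the other.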
13 Common Compliance and Legal Frameworks
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Computer Fraud and Abuse Act (CFAA)
- Sarbanes-Oxley Act
- USA PATRIOT Act
- Visa USA Cardholder Information Security Program (CISP) / MasterCard Site Data Protection Program / Payment Card Industry (PCI) Data Security Standard
14 Significance of the Compliance Frameworks
- HIPAA Security Rule: safeguarding of electronic protected health information
- GLBA: protects the privacy of consumer information in the financial sector
- Sarbanes-Oxley Act: executives need to report quickly and accurately
- USA PATRIOT Act: provides law enforcement agencies with greater access to electronic communications
- Colleges and universities have to comply with more of these regulations than a typical business (a university is at once a health-care provider, a lender, and a merchant)
15 Impact of Breaches
- Heavy network consumption
- Direct impact on leadership
- Direct impact on students learning
- Wasted funding (private and public)
- Legal consequences
- Bad press
- Loss of competitive edge
- Long road to recovery
16 Recent Consequences
- Tennessee payroll service PayMaxx was called incompetent by a Boston-area company for its poor web security: one could access sensitive personal information simply by typing random numbers into PayMaxx's login screen
- Failure to comply with Visa CISP standards, or to rectify a security issue, can result in:
  - Fines ($50,000 for the 1st violation, $100,000 for the 2nd violation)
  - Restrictions on the merchant
  - Permanent prohibition of the merchant's or service provider's participation in Visa programs
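The PayMaxx description points at a guessable-identifier flaw: a number typed into a form selects a record, and nothing ties that record to the person who is logged in. Added example, not code from the slides or from PayMaxx; the records, the session model and the employee numbers are constructed. It shows the vulnerable lookup beside a hardened one, and a small enumerator that plays the "type in random numbers" attack against both.

```python
"""Insecure direct object reference beside its hardened form.

Added example, not from the original slides and not PayMaxx's code. The
record store, the session model (a username string) and the employee
numbers are constructed for illustration.
"""

# Constructed payroll records keyed by a sequential, easily guessed number.
RECORDS = {
    1001: {"owner": "alice", "ssn": "123-45-6789", "salary": 52000},
    1002: {"owner": "bob", "ssn": "987-65-4321", "salary": 61000},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_record_insecure(session_user, employee_no):
    """VULNERABLE: the number alone selects the data. Anyone who reaches
    the endpoint can read every employee's record by counting upwards."""
    return RECORDS.get(employee_no)


def get_record_secure(session_user, employee_no):
    """HARDENED: authorization is tied to the authenticated principal, and
    'not yours' and 'does not exist' produce the same error, so the endpoint
    cannot be used to discover which numbers are valid."""
    record = RECORDS.get(employee_no)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such record for this user")
    return record


def enumerate_records(fetch, session_user, start, stop):
    """Model the attack: try each number in a range and keep whatever the
    endpoint hands back. Works against any fetch(session_user, number)."""
    found = {}
    for n in range(start, stop):
        try:
            rec = fetch(session_user, n)
        except Forbidden:
            continue
        if rec is not None:
            found[n] = rec
    return found


if __name__ == "__main__":
    print("insecure:", enumerate_records(get_record_insecure, "mallory", 1000, 1010))
    print("secure:  ", enumerate_records(get_record_secure, "mallory", 1000, 1010))
```

Sequential identifiers are not the bug, the missing ownership check is; switching to random identifiers without adding the check only slows the same attack down.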
17 Recent Consequences (continued)
- October 2003: "The University of Texas at Austin regrets that one of its administrative databases was breached in March by a deliberate attack through the Internet. Thousands of names and Social Security numbers were illegally accessed and downloaded to a personal computer."
- April 2005: Alumni of Tufts University in Boston have been notified that personal information stored on a server used by the university for fund raising could have been exposed to intruders. The university detected a possible security breach in an alumni and donor database after noticing abnormal activity on the server in October and December.
18 What (Still) Needs to be Done
- Compliance is expensive
- IT is critical to manage and enable compliance
- Short-term (now to 2 years)
  - Educating and informing general users
  - Low-cost and low-tech improvements
- Long-term (3 to 5 years)
  - Empower users to manage their privacy and security
  - Create visualization tools
19 Goals
- Be proactive in security and privacy
- Prepare for new revisions to current regulations (e.g. SOX 2.0)
- Use technology properly and efficiently
- Lower costs in the long run
- Create a culture of good security and privacy practices in your college/university
- Make students, professionals, and staff better citizens
- Build trust
20 What You DON'T Want to Do
- Pretend the problems will go away
- Establish reactive and short-term fixes
- Rely primarily on a firewall, or on software solutions alone, for perimeter protection
- Fail to understand the relationship of information security to the business problem
- Assign untrained people to maintain security and compliance
21 Short-Term: Awareness, Awareness, Awareness
- Irony: there are provisions for education and training in SOX and the DMCA
- Very little money is spent on computer security education for the public
- Security is boring, difficult, and political
- At fault: IT professionals, users, technology
- Lack of ownership of security and privacy issues by companies
- Emerging technologies pose a serious threat if deployed naively
- Unfortunately, given the infrastructure and architecture of current computing systems, users do need to be informed
22 Short-Term: Awareness (continued)
- Provide an undergraduate course in computer security, privacy, and politics
- Overlap of departments and groups in a university (e.g. Computer Science, Law School)
- An investment for students, the university, and the instructors of the course
23 Short-Term: Low-Cost and Low-Tech Improvements
- First things first: ask yourself, and management (revisit the questions):
  - What are your security goals?
  - What are you really protecting?
  - What are your priorities, especially in a product (e.g. interface, administration, prevention)?
24 Short-Term: Low-Cost and Low-Tech Improvements (continued)
- Write documentation on what system support staff and users need to do with respect to network and information security
- Establish baseline security configurations for all appropriate technology platforms (e.g. web browser)
- Establish a vulnerability management process
- Use vulnerability assessment tools to periodically conduct self-assessments
- Monitor log files from critical systems on a daily basis
- SANS has excellent policy templates
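Daily log review is the one item on this slide that a short script can do for you. Added example, not from the original slides: the sshd lines are constructed in OpenSSH's syslog format and the five-failure threshold is an illustrative choice. It flags brute-force sources and, more importantly, a success that follows a burst of failures from the same source, which is the line a human reviewer must not miss.

```python
"""Daily review of sshd authentication logs.

Added example, not from the original slides. SAMPLE_LOG is constructed in
the OpenSSH syslog format; the failure threshold is an illustrative choice.
"""
import re
from collections import defaultdict

# Constructed sample: one source guesses root's password and gets in,
# one legitimate user mistypes once and then logs in with a key.
SAMPLE_LOG = """\
Apr 12 02:14:01 host sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 52012 ssh2
Apr 12 02:14:03 host sshd[4413]: Failed password for invalid user test from 203.0.113.7 port 52014 ssh2
Apr 12 02:14:05 host sshd[4415]: Failed password for root from 203.0.113.7 port 52016 ssh2
Apr 12 02:14:07 host sshd[4417]: Failed password for root from 203.0.113.7 port 52018 ssh2
Apr 12 02:14:09 host sshd[4419]: Failed password for root from 203.0.113.7 port 52020 ssh2
Apr 12 02:14:12 host sshd[4421]: Accepted password for root from 203.0.113.7 port 52022 ssh2
Apr 12 08:30:44 host sshd[5102]: Failed password for mchow from 198.51.100.9 port 40120 ssh2
Apr 12 08:30:51 host sshd[5104]: Accepted publickey for mchow from 198.51.100.9 port 40122 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def parse(log_text):
    """Yield (result, method, user, src) for sshd auth lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def review(log_text, fail_threshold=5):
    """Return findings: sources that hit the failure threshold, and any
    success from a source that had already reached it (guessing that worked).

    Counting per source rather than per user catches an attacker who spreads
    attempts over many account names, as the sample does.
    """
    failures = defaultdict(int)
    brute_force = set()
    success_after_failures = []
    for result, method, user, src in parse(log_text):
        if result == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                brute_force.add(src)
        elif failures[src] >= fail_threshold:
            success_after_failures.append((user, src, method))
    return {"brute_force": sorted(brute_force),
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

On a real host the same logic runs over yesterday's auth log from a cron job; the threshold and the window are the two knobs worth tuning against the institution's own baseline of mistyped passwords.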
25 Short-Term: Create Test Environments
- One problem in the field of computer security research: lack of good test data and testing environments
- Can be made possible by virtualization (VMware)
  - Inexpensive
  - Incubation
  - Run multiple operating systems
- Excellent for penetration testing
- Test the security of baseline server configurations, as well as web applications
26 Tools Available
- Open source software for assessment
  - Snort (intrusion detection)
  - Nessus (network vulnerability scanner)
  - John the Ripper (password cracker)
- Visa Cardholder Information Security Program (CISP) forms and specifications
- Enterprise
  - Sophos PureMessage
  - Enterprise-wide policy enforcement
27 Long-Term Opportunity: Usable Privacy
- In 2003, the Computing Research Association (CRA) listed one of the computing grand challenges as:
  - For the dynamic, pervasive computing environments of the future, give end-users
    - Security they can understand
    - Privacy they can control
- http://www.cra.org/Activities/grand.challenges/security/
28 Long-Term Opportunity: Usable Privacy (continued)
- Example: have you used the Security Settings in Microsoft Internet Explorer?
  - Online help!
  - Privacy settings
- Strategies
  - Use fewer objects and actions
  - Clearer feedback about decisions
  - Show consequences of decisions
29 Long-Term Opportunity: Develop Visualization Tools
- Human perceptual skills are vast, fast, and remarkable
- However, they are very underutilized in computing
- Mantra: overview, zoom-and-filter, details-on-demand
- Examples
  - SmartMoney.com's Map of the Market
  - Sourcefire's Real-time Network Awareness (RNA) Visualizer
30 Long-Term Opportunity: Develop Visualization Tools (continued)
- Example projects/opportunities
  - Security situation awareness
  - Profiling users and traffic
  - Linking relationships
  - Network traffic classification
  - Intrusion detection
  - Detecting abnormalities
31 Resources
- Privacy: What Developers and IT Professionals Should Know, J.C. Cannon (ISBN 0321224094)
- Security, Privacy, and Politics in the Computer Age (my course) website: http://www.cs.tufts.edu/~mchow/excollege
- SecurityFocus (http://www.securityfocus.com)
- SANS Institute (http://www.sans.org)
- Freedom-to-Tinker (by Professor Ed Felten, http://www.freedom-to-tinker.com)
- Professor Ben Shneiderman, U. of Maryland
32 Conclusion
- There is still a lot to be done with computer security and compliance
- The first line of defense is to protect your systems
- Being proactive in security and compliance is invaluable
- No matter what you do to improve security, it will not work if the people are not informed
- There are many opportunities to improve security and privacy in your existing critical applications, or by creating new tools
- A culture of good security and privacy practices will give your university a competitive edge
33 Questions?