What Is Outstanding In Your Security and Compliance Practice - PowerPoint PPT Presentation

1
What Is Outstanding In Your Security and
Compliance Practice?
  • Ming Chow
  • NERCOMP Achieving Optimal Security Compliance
    In Higher Education
  • Tufts University
  • mchow_at_cs.tufts.edu

2
Introduction
  • The threats are real
  • Malware (e.g. viruses, worms, Trojan horses) is
    becoming more sophisticated
  • Security breaches and attacks are becoming more
    publicized
  • People are becoming more concerned with their
    online privacy
  • However, people still lack awareness on basic
    computer security issues

3
About Myself
  • Graduated from Tufts University
  • BS in Computer Science and Mathematics, 2002
  • MS in Computer Science, 2004
  • Areas of interest Computer Security, Game
    Development, Computer Science in Education
  • Taught the course "Security, Privacy, and Politics in
    the Computer Age" in Spring 2005
  • Have been involved in all facets of higher
    education as a student, instructor, and
    personnel supporting a university's central
    administration (current)

4
A Typical Higher Education Computing
Infrastructure
  • Traditionally open
  • Critical for researchers
  • Critical for students' learning
  • Higher education comprises 15% of the Internet
    address space
  • Wired campus (dorms to Greek housing) with
    usually no network authentication
  • Many institutions now offer campus-wide wireless
    access
  • Tech-savvy students

5
Threat Matrix
6
Overlapping Security Issues in Industry and
Higher Education
  • Enormous disconnect between IT and general users
  • Lack of awareness of computer security
    fundamentals (poor practices)
  • Social engineering
  • Insider threat
  • Lack of low-tech and low-cost planning
  • Too much focus on products for implementing
    computer security
  • Lack of testing environments to understand
    threats and potential security breaches
  • Security is a reactive process

7
Risks in Higher Education
  • Openness: fertile ground for attacks and risks
  • Web hosting and file sharing
  • Decentralization
  • Lack of visibility for security and privacy
  • Security is looked at as a bad thing by
    professionals and students (tough sell)

8
Hotspots
  • Data security
  • Privacy
  • Next generation of malware
  • Poisoned Peer-to-Peer (P2P) networks and torrents
  • Compliance and auditing

9
Next Generation of Malware
  • Now spreading through instant messaging (e.g. AOL
    IM)
  • Malware hybrids fooling and cloaking malicious
    intent
  • Rootkit - Toolbox of tools for a cracker to keep
    root access. Also hides and secures a cracker's
    presence on a system.
  • Example: spyware that has a rootkit component
  • Can fool anti-virus or anti-spyware software

10
Next Generation of Malware (continued)
  • Kernel-based attack technique using hooks and
    layers
  • Kernel - Core of an operating system,
    Responsible for resource allocation, low-level
    hardware interfaces, security, etc.
  • Altering normal program control flow
  • The Microsoft Windows architecture (kernel-mode
    drivers loaded with full privilege) makes this
    possible
  • Bottom line: malware is becoming more lethal, and
    much more difficult to find!
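The hooking and cloaking pattern described on the last two slides, as an added example that is not part of the original presentation: a Python toy model in which a dictionary of callables stands in for a kernel dispatch table, a "rootkit" replaces one entry with a wrapper that calls the original and then hides its own processes, and two checks a defender can run expose it (an integrity check of the table against a baseline recorded before any attacker code ran, and a cross-view diff against a low-level enumeration that bypasses the table). The process table, process names and table layout are constructed for the illustration.

```python
"""Toy model of a hooking rootkit and of two checks that spot it.

Added illustration, not code from the original slides.  The "system call
table" is a plain dict of Python callables standing in for a kernel
dispatch table; the process list is constructed sample data.
"""
from __future__ import annotations

# Constructed "raw" process table: what the kernel really knows.
RAW_PROCESS_TABLE = {
    1: "init",
    204: "sshd",
    881: "httpd",
    1337: "rk_backdoor",   # the intruder's process, to be hidden
    2048: "bash",
}


def sys_list_processes() -> dict[int, str]:
    """Honest implementation: return a copy of the raw table."""
    return dict(RAW_PROCESS_TABLE)


# The dispatch table that user-mode tools (ps, anti-virus) go through.
SYSCALL_TABLE = {"list_processes": sys_list_processes}

# Baseline recorded at install time, before any attacker code runs.
SYSCALL_BASELINE = dict(SYSCALL_TABLE)


def install_rootkit_hook(table: dict, hidden_prefix: str = "rk_") -> None:
    """Replace a table entry with a wrapper that calls the original and
    then filters out the rootkit's own processes (hooking + cloaking)."""
    original = table["list_processes"]

    def hooked_list_processes() -> dict[int, str]:
        return {pid: name for pid, name in original().items()
                if not name.startswith(hidden_prefix)}

    table["list_processes"] = hooked_list_processes


def user_view(table: dict) -> dict[int, str]:
    """What an ordinary tool sees: it trusts the dispatch table."""
    return table["list_processes"]()


def detect_hooked_entries(table: dict, baseline: dict) -> list[str]:
    """Integrity check: entries that no longer point at the recorded function."""
    return [name for name, fn in table.items() if baseline.get(name) is not fn]


def cross_view_diff(table: dict) -> dict[int, str]:
    """Cross-view check: compare the high-level view with a low-level
    enumeration that bypasses the dispatch table.  Anything present below
    but missing above is being hidden from the tools."""
    high = user_view(table)
    return {pid: name for pid, name in RAW_PROCESS_TABLE.items() if pid not in high}


if __name__ == "__main__":
    print("before hook:", sorted(user_view(SYSCALL_TABLE)))
    install_rootkit_hook(SYSCALL_TABLE)
    print("after hook: ", sorted(user_view(SYSCALL_TABLE)))
    print("hooked entries:", detect_hooked_entries(SYSCALL_TABLE, SYSCALL_BASELINE))
    print("hidden processes:", cross_view_diff(SYSCALL_TABLE))
```

The two checks fail in different ways on a real system: the integrity check needs a trustworthy baseline taken before compromise, and the cross-view check needs some enumeration path the rootkit did not also hook, which is why the slide's point about hooks being layered matters.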

11
Data Privacy
  • Mantras
  • Provide prominent disclosure
  • Data minimization (collection, storage, and
    sharing)
  • Anonymity
  • Put users in charge of their data
  • Other components of a privacy framework
  • Quality (accuracy and completion)
  • Security
  • Monitoring and enforcement

12
How Come So Many Data Privacy Problems Recently?
  • Heavy use of, and dependence on, Social Security
    Numbers and credit card numbers
  • Poor web security
  • Insider threats
  • Social engineering (scam artists, phishing)
  • Pharming
  • Third-party businesses
  • Linkability

13
Common Compliance and Legal Frameworks
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Computer Fraud and Abuse Act (CFAA)
  • Sarbanes-Oxley Act
  • USA PATRIOT Act
  • Visa USA Cardholder Information Security Program
    (CISP) / MasterCard Site Data Protection Program
    / Payment Card Industry (PCI) Data Security
    Standard

14
Significance of the Compliance Frameworks
  • HIPAA security rule - Safeguarding of electronic
    protected health information
  • GLBA - Protects privacy of consumer information
    in the financial sector
  • Sarbanes-Oxley Act - Executives need to report
    quickly and accurately
  • USA PATRIOT Act - Provides law enforcement
    agencies with greater access to electronic
    communications
  • Colleges and universities have to comply with
    more regulations than businesses

15
Impact of Breaches
  • Heavy network consumption
  • Direct impact on leadership
  • Direct impact on students' learning
  • Wasted funding (private and public)
  • Legal consequences
  • Bad press
  • Loss of competitive edge
  • Long road to recovery

16
Recent Consequences
  • Tennessee payroll service PayMaxx was called
    incompetent by a Boston-area company for its
    poor web security. One could access sensitive
    personal information simply by typing random
    numbers into PayMaxx's login screen
  • Failure to comply with Visa CISP standards or to
    rectify a security issue can result in:
  • Fines ($50,000 for the 1st violation, $100,000
    for the 2nd violation)
  • Restrictions on the merchant
  • Permanent prohibition of the merchant's or service
    provider's participation in Visa programs
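The weakness behind the PayMaxx item above, as an added illustration that is not PayMaxx's code (the account numbers, user names and record contents are constructed): records looked up by a small sequential number with no ownership check can be enumerated by anyone who counts upward, while the same lookup with an authorization check, optionally behind an unguessable handle, gives an outsider nothing.

```python
"""Sequential-identifier lookup with and without an ownership check.

Added illustration, not PayMaxx's code.  All records, owners and numbers
below are constructed for the example.
"""
import secrets

# Constructed records keyed by a small, guessable, sequential number.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1111", "salary": 61000},
    1002: {"owner": "bob",   "ssn_last4": "2222", "salary": 58000},
    1003: {"owner": "carol", "ssn_last4": "3333", "salary": 73000},
}


def fetch_record_vulnerable(requested_id):
    """Weak handler: any caller who supplies a valid number gets the record.
    Knowing the numbers are sequential, an outsider just counts upward."""
    return RECORDS.get(requested_id)


def fetch_record_hardened(session_user, requested_id):
    """Same lookup, but the record must belong to the authenticated caller.
    A missing record and someone else's record get the same answer, so the
    response does not reveal which numbers exist."""
    record = RECORDS.get(requested_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Optional second layer: hand out an unguessable handle instead of the
# raw number, so enumeration has nothing to count through.  HANDLES is
# an in-memory stand-in for whatever store a real system would use.
HANDLES = {}


def issue_handle(record_id):
    token = secrets.token_urlsafe(16)   # 128 bits of randomness
    HANDLES[token] = record_id
    return token


def fetch_by_handle(session_user, token):
    record_id = HANDLES.get(token)
    if record_id is None:
        return None
    return fetch_record_hardened(session_user, record_id)   # still check ownership


def enumerate_ids(handler, id_range):
    """Attacker loop: try every number and keep whatever comes back."""
    found = {}
    for i in id_range:
        record = handler(i)
        if record is not None:
            found[i] = record
    return found


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("outsider vs. vulnerable handler:",
          sorted(enumerate_ids(fetch_record_vulnerable, probe)))
    print("bob vs. hardened handler:",
          sorted(enumerate_ids(lambda i: fetch_record_hardened("bob", i), probe)))
    h = issue_handle(1001)
    print("alice with her own handle:", fetch_by_handle("alice", h) is not None)
    print("bob with alice's handle:  ", fetch_by_handle("bob", h) is not None)
```

The ownership check is the fix; the random handle only makes guessing useless and is no substitute for it, which is why `fetch_by_handle` still calls the hardened lookup.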

17
Recent Consequences (continued)
  • October 2003, The University of Texas at Austin
    regrets that one of its administrative databases
    was breached in March by a deliberate attack
    through the Internet. Thousands of names and
    Social Security numbers were illegally accessed
    and downloaded to a personal computer.
  • April 2005, Alumni of Tufts University in Boston
    have been notified that personal information
    stored on a server used by the university for
    fund raising could have been exposed to
    intruders. The university detected a possible
    security breach in an alumni and donor database
    after noticing abnormal activity on the server in
    October and December.

18
What (Still) Needs to be Done
  • Compliance is expensive
  • IT is critical to manage and enable compliance
  • Short-term (now to 2 years):
  • Educating and informing general users
  • Low-cost and low-tech improvements
  • Long-term (3 to 5 years):
  • Empower users to manage their privacy and
    security
  • Create visualization tools

19
Goals
  • Be proactive in security and privacy
  • Prepare for new revisions to current regulations
    (e.g. SOX 2.0)
  • Use technology properly and efficiently
  • Lower costs in the long-run
  • Create a culture of good security and privacy
    practices in your college/university
  • Make students, professionals, and staff become
    better citizens
  • Build trust

20
What You DON'T Want to Do
  • Pretend the problems will go away
  • Establish reactive and short-term fixes
  • Primarily rely on a firewall, or just software
    solutions, for security perimeter protection
  • Fail to understand the relationship of
    information security to the business problem
  • Assign untrained people to maintain security and
    compliance

21
Short-Term Awareness, Awareness, Awareness
  • Irony: there are provisions for education and
    training in SOX and the DMCA
  • Very little money is spent on computer security
    education for the public
  • Security is boring, difficult, and political
  • At fault: IT professionals, users, technology
  • Lack of ownership of security and privacy issues
    by companies
  • Emerging technologies pose a serious threat if
    deployed naively
  • Unfortunately, given the infrastructure and
    architecture of current computing systems, users
    do need to be informed

22
Short-Term Awareness (continued)
  • Provide an undergraduate course in computer
    security, privacy, and politics
  • Overlap of departments and groups in a University
    (e.g. Computer Science, Law School)
  • Investment for students, the University, and for
    the instructors of the course

23
Short-Term Low-Cost and Low-Tech Improvements
  • First things first: ask yourself, and ask
    management (and revisit the questions regularly)
  • What are your security goals?
  • What are you really protecting?
  • What are your priorities, especially in a product
    (e.g. interface, administration, prevention)?

24
Short-Term Low-Cost and Low-Tech Improvements
(continued)
  • Write documentation in what system support staff
    and users need to do with respect to network and
    information security
  • Establish baseline security configurations for
    all appropriate technology platforms (e.g. web
    browser)
  • Establish a vulnerability management process
  • Use vulnerability assessment tools to
    periodically conduct self-assessments
  • Monitor log files from critical systems on a
    daily basis
  • SANS has excellent policy templates
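One low-cost version of the daily log review recommended above, as an added example that is not from the original slides: it parses OpenSSH-style syslog authentication lines (the sample lines are constructed) and flags a source address that produces repeated failures within a short window and, more urgently, one that logs in successfully right after such a burst. The threshold and window are assumptions to tune locally; the year is assumed because syslog timestamps omit it.

```python
"""Daily review of sshd authentication messages for brute-force patterns.

Added illustration, not from the original slides.  SAMPLE_LOG is a
constructed excerpt in the classic syslog format; the threshold and
window are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Apr 12 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Apr 12 03:14:03 web1 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Apr 12 03:14:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Apr 12 03:14:08 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Apr 12 03:14:11 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51005 ssh2
Apr 12 03:14:20 web1 sshd[2209]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Apr 12 08:02:44 web1 sshd[2310]: Failed password for jsmith from 198.51.100.20 port 40122 ssh2
Apr 12 08:02:51 web1 sshd[2310]: Accepted password for jsmith from 198.51.100.20 port 40122 ssh2
Apr 12 09:30:00 web1 sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 33001 ssh2
"""

# Matches the two sshd outcomes we care about; other sshd chatter is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2005):
    """Turn raw lines into event dicts; the year is assumed (syslog omits it)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return events


def review(events, threshold=5, window_seconds=300):
    """Return {ip: [alert, ...]} where alert is
    'bruteforce'               : >= threshold failures from the IP inside the window
    'success_after_failures'   : an Accepted login while that many failures are still
                                 inside the window (the case to escalate first)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        recent_failures = []   # sliding window of failures for this source
        for e in evs:
            recent_failures = [f for f in recent_failures
                               if (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            if e["ok"]:
                if len(recent_failures) >= threshold:
                    alerts.setdefault(ip, set()).add("success_after_failures")
            else:
                recent_failures.append(e)
                if len(recent_failures) >= threshold:
                    alerts.setdefault(ip, set()).add("bruteforce")
    return {ip: sorted(a) for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, what in review(parse(SAMPLE_LOG)).items():
        print(ip, ", ".join(what))
```

A single failed password followed by a success (the jsmith lines) is ordinary user behaviour and produces nothing; the burst from 203.0.113.7 ending in an accepted root password is what a daily review should surface.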

25
Short-Term Create Test Environments
  • One problem in the field of computer security
    research: lack of good test data and testing
    environments
  • Can be made possible by virtualization (VMware)
  • Inexpensive
  • Incubation
  • Run multiple operating systems
  • Excellent for penetration testing
  • Test the security of baseline server
    configuration, as well as web applications

26
Tools Available
  • Open Source Software for assessment
  • Snort (intrusion detection)
  • Nessus (network vulnerability scanner)
  • John the Ripper (password cracker)
  • Visa Cardholder Information Security Program
    (CISP) forms and specifications
  • Enterprise
  • Sophos PureMessage
  • Enterprise-wide policy enforcement

27
Long-Term Opportunity Usable Privacy
  • In 2003, the Computing Research Association (CRA)
    listed this as one of the computing grand challenges
  • For the dynamic, pervasive computing environments
    of the future, give end-users:
  • Security they can understand
  • Privacy they can control
  • http://www.cra.org/Activities/grand.challenges/security/

28
Long-Term Opportunity Usable Privacy (continued)
  • Example: Have you used the Security Settings in
    Microsoft Internet Explorer?
  • Online help!
  • Privacy settings
  • Strategies
  • Use fewer objects and actions
  • Clearer feedback about decisions
  • Show consequences of decisions

29
Long-Term Opportunity Develop Visualization Tools
  • Human perceptual skills are vast, fast, and
    remarkable
  • However, they are very underutilized in computing
  • Mantra: overview, zoom-and-filter,
    details-on-demand
  • Examples
  • SmartMoney.com's Map of the Market
  • Sourcefire's Real-time Network Awareness (RNA)
    Visualizer

30
Long-Term Opportunity Develop Visualization
Tools (continued)
  • Example projects/opportunities
  • Security situation awareness
  • Profiling users and traffic
  • Linking relationships
  • Network traffic classification
  • Intrusion detection
  • Detecting abnormalities

31
Resources
  • Privacy: What Developers and IT Professionals
    Should Know, J.C. Cannon (ISBN 0321224094)
  • Security, Privacy, and Politics in the Computer
    Age (my course) website:
    http://www.cs.tufts.edu/~mchow/excollege
  • SecurityFocus (http://www.securityfocus.com)
  • SANS Institute (http://www.sans.org)
  • Freedom-to-Tinker (by Professor Ed Felten,
    http://www.freedom-to-tinker.com)
  • Professor Ben Shneiderman, U. of Maryland

32
Conclusion
  • There is still a lot to be done with computer
    security and compliance
  • The first line of defense is to protect your
    systems
  • Being proactive in security and compliance is
    invaluable
  • No matter what you are doing to improve security,
    it will not work if the people are not informed
  • There are many opportunities to improve security
    and privacy in your existing critical
    applications, or by creating new tools
  • A culture of good security and privacy practices
    will give your University a competitive edge

33
Questions?