Higher Education-Industry Collaborations to Improve Security - PowerPoint PPT Presentation
1
Higher Education-Industry Collaborations to
Improve Security
  • Joy Hughes, George Mason University
  • Peter Siegel, University of California, Davis
  • Jack Suess, UMBC

2
Security Task Force Goals
  • The Security Task Force (STF) has been pursuing
    the following strategic goals since 2003:
  • Education and Awareness
  • Standards, Policies, and Procedures
  • Security Architecture and Tools
  • Organization and Information Sharing

3
STF Priorities for 2007
  • 2007 Strategic Plan: Making Progress on Data
    Protection, Risk Assessment, Incident Response
    and Business Continuity
  • Executive Commitment and Action
  • Professional Development for Information Security
    Officers (ISOs)
  • Awareness of Available Resources
  • Security of Packaged Software
  • New Tools and Technologies

4
Awareness of Resources
  • EDUCAUSE/Internet2 Security Task Force:
    http://www.educause.edu/security
  • Blueprint for Handling Sensitive Data
  • Cybersecurity Awareness Resource Center
  • Data Incident Notification Tool
  • Information Security Governance Assessment Tool
  • Risk Assessment Framework
  • Security Discussion Group
  • Research and Educational Networking Information
    Sharing and Analysis Center (REN-ISAC)
  • EDUCAUSE Cybersecurity Resource Center:
    http://www.educause.edu/cybersecurity
  • Effective IT Security Practices Guide:
    https://wiki.internet2.edu/confluence/display/secguide/

5
Security 2007
  • April 10-12, 2007, Denver, Colorado
  • Keynote Speakers
  • Ira Winkler, author of The Spies Among Us
  • Pamela Fusco, Head of Global InfoSec, CitiGroup
  • Pre-Conference Seminars
  • Continuity of Operations Planning, IT Disaster
    Planning, Wireless Security, DNS Security,
    Compliance and Legal Issues, Establishing an
    Information Security Program, Handling Sensitive
    Data, Incident Response Processes and Tools, and
    Privacy and Security Training
  • Concurrent Sessions: Campus and Vendor
    Presentations
  • Corporate Displays
  • Human Networking
  • BoFs, Roundtable Discussions, Reception, etc.

6
Why collaborate with Industry?
  • Original security issues are still there, and some
    are growing
  • Problems in new areas: web/db apps
  • Growing complexity for end users is a PR problem
    for us
  • Challenge of professionalizing non-security
    staff on security issues
  • Heightened state security requirements
  • Are attacks more sophisticated? Professional?
  • Organized crime?
  • Industrial espionage?

7
Most critical vendor areas?
  • O/S Vendors in Redmond and Cupertino
  • Unix vendors
  • ERP Vendors
  • Database companies
  • Networking Vendors
  • Web 2.0 suppliers
  • Others???

8
Networking Vendors
  • Convergence of networking and security products?
  • Multiple vendors are now integral to the network

9
OS Vendors: Microsoft
  • Vista rollout
  • Higher Education Advisory Group has been strong
    advocate for security.

10
How to Engage Vendors
  • Common effective practices?
  • Advisory groups?
  • Checklists of key issues?
  • Scream
  • Identity Management - Collaboration opportunity?

11
Identity Management
  • High-value collaboration opportunity?

12
ERP Security Checklist Topics
  • Managing Roles and Responsibilities
  • Passwords, IDs and PINs
  • Data Standards and Integrity
  • Process Documentation
  • Exporting Sensitive Data

13
Sample from Roles/Responsibilities
  • Is security controlled at the database level or
    is it left to the applications that are
    supposedly integrated with the ERP to each
    control security?
  • How easy is it to set up role-based access? E.g.,
    can roles be associated with position categories?
    Can default roles be established?

14
Sample from Roles/Responsibilities
  • Are there some features of the system that
    require that the user, no matter what their role,
    be given access to the underlying database? If
    so, how is security managed?
  • Can context-sensitive roles be defined (i.e. the
    user can perform a function for specified records
    only at a specified point in the processing
    cycle)?

15
Sample from Roles/Responsibilities
  • Is there a web-based tool that allows you to see
    the access that has been provided to a user with
    respect to the fields/tables/forms in the
    product, its underlying database, and integrated
    third party products and reporting tools?
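The three "Roles/Responsibilities" questions above (default roles by position category, context-sensitive roles, and a view of what access a user actually holds) can be made concrete in code. The following is an added example written for this page, not code from the presentation or from any ERP product; the position categories, role names, functions and processing-cycle stages are all constructed:

```python
"""Added example (not from the presentation): a minimal role-based access
model with default roles per position category, context-sensitive roles
that apply only to specified records at a specified processing stage, and
a per-user access summary of the kind the checklist asks vendors for.
All categories, roles, functions, stages and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, List

# Default roles granted automatically from the position category (constructed).
DEFAULT_ROLES: Dict[str, Set[str]] = {
    "registrar_staff": {"view_student", "edit_enrollment"},
    "faculty": {"view_student"},          # grade entry is granted per section, below
    "student": {"view_own_record"},
}

# (function, required stage) -> roles allowed to perform it.
# A stage of None means the function is allowed at any point in the cycle.
PERMISSIONS: Dict[tuple, Set[str]] = {
    ("enter_grades", "grading_open"): {"enter_grades"},
    ("edit_enrollment", "add_drop"): {"edit_enrollment"},
    ("view_student", None): {"view_student"},
}
FUNCTIONS: List[str] = sorted({fn for fn, _ in PERMISSIONS} | {"view_own_record"})


@dataclass
class Record:
    record_id: str
    stage: str                     # current point in the processing cycle
    owner: Optional[str] = None    # who the record is about (self-service access)


@dataclass
class User:
    name: str
    position: str
    roles: Set[str] = field(default_factory=set)
    # Context-sensitive grants: role is valid only for the listed record ids.
    scoped_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Defaults come from the position category; explicit roles add to them.
        self.roles = set(DEFAULT_ROLES.get(self.position, set())) | self.roles


def effective_roles(user: User, record: Record) -> Set[str]:
    """Roles the user holds for this particular record (global + scoped)."""
    scoped = {role for role, ids in user.scoped_roles.items()
              if record.record_id in ids}
    return user.roles | scoped


def can_perform(user: User, function: str, record: Record) -> bool:
    """True if a role the user holds for this record permits the function
    at the record's current stage of the processing cycle."""
    roles = effective_roles(user, record)
    if function == "view_own_record":
        return "view_own_record" in roles and record.owner == user.name
    for (fn, stage), allowed in PERMISSIONS.items():
        if fn == function and stage in (None, record.stage) and roles & allowed:
            return True
    return False


def access_summary(user: User, records: List[Record]) -> Dict[str, List[str]]:
    """What the user can do on each record right now; the kind of per-user
    access view the checklist asks the vendor to provide."""
    return {r.record_id: [fn for fn in FUNCTIONS if can_perform(user, fn, r)]
            for r in records}


if __name__ == "__main__":
    prof = User("prof", "faculty", scoped_roles={"enter_grades": {"SEC-101"}})
    sections = [Record("SEC-101", "grading_open"), Record("SEC-202", "grading_open")]
    print(access_summary(prof, sections))
```

The stage check is what makes the role context-sensitive: the same user with the same grant is refused once the section moves from `grading_open` to a later stage, and is refused on a section the grant does not name, without any change to the role definitions.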

16
Sample from Roles/Responsibilities
  • Can the vendor provide you with the names of
    institutions similar to yours that have
    implemented role based security on a wide variety
    of roles so that you can assess the person hours
    that will be needed to implement and maintain
    role based security?

17
Sample from PINs/IDs/Passwords
  • Does the system require strong passwords?
  • Are the IDs randomly or sequentially generated?
    Are they at least 8 characters long?
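The two ID questions on this slide (random or sequential generation, at least 8 characters) and the password-strength question are things an evaluator can test on a sample of IDs pulled from a vendor demo system rather than take on faith. The code below is an added example for this page, not the presentation's or any vendor's; the "strong password" rules are an assumed policy, since the slide does not define the term, and the sample IDs and common-password list are constructed:

```python
"""Added example (not from the presentation): checks an evaluator can run
on a sample of IDs and passwords from a candidate system. The ID length
floor comes from the checklist; the password rules are an assumed policy."""
import re
import secrets
import string
from typing import Dict, List

MIN_ID_LENGTH = 8          # from the checklist: "at least 8 characters long"
MIN_PASSWORD_LENGTH = 8    # assumed policy; the slide does not define "strong"
# Constructed sample of weak passwords; a real check would use a full list.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def ids_look_sequential(ids: List[str], max_step: int = 10) -> bool:
    """Heuristic: if each ID carries exactly one numeric run and the runs
    increase by a constant small step, a new ID is predictable from an old one."""
    numbers = []
    for identifier in ids:
        runs = re.findall(r"\d+", identifier)
        if len(runs) != 1:
            return False        # mixed alphanumerics: no single counter to walk
        numbers.append(int(runs[0]))
    if len(numbers) < 2:
        return False
    steps = {b - a for a, b in zip(numbers, numbers[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= max_step


def ids_meet_length(ids: List[str], min_len: int = MIN_ID_LENGTH) -> bool:
    return all(len(i) >= min_len for i in ids)


def review_id_scheme(ids: List[str]) -> Dict[str, bool]:
    """Summary an evaluator can paste into the checklist answer."""
    return {"sequential": ids_look_sequential(ids),
            "min_length_ok": ids_meet_length(ids)}


def generate_random_id(length: int = MIN_ID_LENGTH) -> str:
    """What a non-sequential ID generator looks like: CSPRNG-backed choice
    from an upper-case alphanumeric alphabet."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_is_strong(pw: str) -> bool:
    """Assumed policy: minimum length, not a common password, and at least
    three of the four character classes."""
    if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return sum(classes) >= 3


if __name__ == "__main__":
    # Constructed samples: one sequential scheme, one random scheme.
    print(review_id_scheme(["00001001", "00001002", "00001003", "00001004"]))
    print(review_id_scheme([generate_random_id() for _ in range(4)]))
```

The sequential check is deliberately a heuristic: a vendor that pads a counter with a fixed prefix or suffix still trips it, which is the point, since the predictability of the next ID is what matters, not its format.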

18
Sample from Data Standards/Integrity
  • Are data fields encrypted at the database
    level?
  • Is each standardized data field adequately
    documented in a data dictionary?
  • As the institution articulates the
    standards/rules that define a data field, do
    these standards/rules then become part of a data
    dictionary?

19
Sample from Data Standards/Integrity
  • Can the vendor provide you with the names of
    institutions similar to yours that have
    implemented features such as encrypted data
    fields and audit trails on data fields, so that
    you can determine the effect on performance of
    implementing these features on all the fields
    that need to be protected?

20
Sample from Process Documentation
  • Are there visual representations of processes,
    role approvals, security checkpoints, data flow,
    and tables touched/accessed during each process?
  • Are there clear and complete work flow diagrams?

21
REN-ISAC
  • Research and Education Networking Information
    Sharing and Analysis Center
  • http://www.ren-isac.net/

22
REN-ISAC Mission
  • Serve as a trusted connector hub for the security
    community to collaborate.
  • Focus is to improve network security through
    information collection, analysis, dissemination,
    early warning, and response
  • Unique capability to support the R&E community
    because of the NOC at Indiana University and
  • Supports efforts to protect the U.S. national
    cyber infrastructure by participating in the
    formal ISAC structure.

23
REN-ISAC Members
  • Membership is open and free to institutions of
    higher education, teaching hospitals, research
    and education network providers, and
    government-funded research organizations.
  • http://www.ren-isac.net/membership.html
  • Current membership
  • 300 individual members
  • 165 institutions
  • Predominately research universities to date but
    increasingly new members are coming from
    non-research universities.
  • Membership is aimed at security staff and vetted
    to ensure a trust relationship.

24
REN-ISAC Organization
  • Hosted by Indiana University
  • Three permanent staff
  • Executive Advisory Group
  • Technical Advisory Group
  • Support and contributions from
  • Indiana University, Internet2, EDUCAUSE
  • Louisiana State University, Worcester
    Polytechnic Institute, University of
    Massachusetts Amherst
  • And the members

25
Technical Advisory Group
  • The REN-ISAC Technical Advisory Group (TAG)
  • Chris Misra - University of Massachusetts Amherst
    (Chair)
  • Tom Davis - Indiana University
  • Phil Deneault - Worcester Polytechnic Institute
  • Brian Eckman - University of Minnesota
  • Stephen Gill - Team Cymru
  • John Kristoff - UltraDNS
  • Randy Raw - Missouri Research Education Network
    (MOREnet)
  • Joe St Sauver - University of Oregon
  • Michael Sinatra - University of California,
    Berkeley
  • Ex-officio Members
  • Doug Pearson - REN-ISAC/Indiana University
  • Dave Monnier - REN-ISAC/Indiana University

26
Executive Advisory Group
  • The REN-ISAC Executive Advisory Group
  • Jack Suess - University of Maryland-Baltimore
    County (Chair)
  • Brian Voss - Louisiana State University
  • Theresa Rowe - Oakland University
  • Marty Ringle - Reed College
  • Ken Klingenstein - Internet2 / University of
    Colorado
  • Rodney Petersen - EDUCAUSE
  • TBD - HPC center representative
  • Ex-officio Members
  • Mark Bruhn - REN-ISAC/Indiana University
  • Chris Misra - TAG Chair, University of
    Massachusetts Amherst
  • Focus is on developing business plan

27
External Relationships
  • Internet2 and EDUCAUSE
  • Other private threat collection and mitigation
    efforts, e.g. among ISPs, .edu regional groups,
    etc.
  • Global Research NOC at Indiana University,
    servicing Internet2 Abilene, National LambdaRail,
    and international connecting networks
  • National ISAC Council and other sector ISACs
  • Department of Homeland Security / US-CERT
  • Coming soon - vendors!

28
Vendor Relationships
  • REN-ISAC is uniquely positioned to work with
    vendors because of its status as an ISAC.
  • Vendors won't and can't share security secrets
    with 2,000 institutions, but they will consider
    sharing with REN-ISAC if we demonstrate we can be
    trusted.
  • In final negotiations with one major vendor.

29
REN-ISAC Activities
  • A vetted trust community for cybersecurity
  • Information-sharing and communications channel
    for vendor security issues
  • Information products aimed at protection and
    detection
  • Participate in incident detection, response, and
    dissemination
  • Develop tools for information sharing and
    response

30
Information Products
  • Daily Weather Report provides situational
    awareness and actionable protection information.
  • Alerts provide critical, timely, actionable
    protection information concerning new or
    increasing threat.
  • Notifications identify specific sources and
    targets of active threat or incident involving
    member networks.
  • Threat Information Resources provide information
    regarding known active sources of threat.

31
Information Products (2)
  • Advisories inform regarding specific practices or
    approaches that can improve security posture.
  • Instruction on technical topics relevant to
    security protection and response.
  • Monitoring views provide aggregate information
    for situational awareness.

32
For More Information
  • Visit
  • EDUCAUSE/Internet2 Security Task Force:
    http://www.educause.edu/security
  • Contact
  • Joy Hughes, GMU, STF Co-Chair: jhughes@gmu.edu
  • Peter Siegel, UC-Davis, STF Co-Chair: pmsiegel@ucdavis.edu
  • Rodney Petersen, EDUCAUSE, STF Staff: rpetersen@educause.edu