Title: Effective Cybersecurity Practices for Higher Education
1Effective Cybersecurity Practices for Higher
Education
- Educause Southeast Regional Conference
- Seminar 1A
- June 6, 2005
Mary Dunker Virginia Tech
Tammy Clark Georgia State University
2Seminar Agenda
- EDUCAUSE/Internet2 Security Task Force
initiatives - The Effective Security Practices Guide (ESPG)
- Questions and Break
- Securing Unmanaged Computers
- Questions and Feedback
3Overview of Effective Security Practices
- Educause/Internet2 Security Task Force
background, working groups, initiatives - Tools, including Information Security Governance
Assessment (ISG) - Effective Security Practices Guide
- Risk assessment methodology from Virginia Tech
4Strategic Goals
- The Security Task Force received a grant from
National Science Foundation to identify and
implement a coordinated strategy for computer and
network security for higher education. The
following strategic goals have been identified - Education and Awareness
- Standards, Policies, and Procedures
- Security Architecture and Tools
- Organization, Information Sharing, and Incident
Response
5Security Task Force Groups
- Awareness Training Working Group
- Effective Practices Solutions Working Group
- Policies Legal Issues Working Group
- Risk Assessment Working Group
- High Performance Advanced Networking Working
Group (SALSA) - Security Conference Program Committee
6National Cyber Security Awareness Month
- The Security Task Force and the Higher Ed IT
Alliance has endorsed October as National Cyber
Security Awareness Month. - The National Cyber Security Alliance is a unique
partnership among the Federal government, leading
private sector companies, trade associations and
educational organizations that aims to educate
Americans about the need for computer security
and encourage all computer users to protect their
home and small business systems. - See www.StaySafeOnline.info
7Annual Security Conference
- EDUCAUSE/Internet2Security Professionals
Conference April 10-12, 2006 - Denver Marriott City Center Hotel Denver,
Colorado - Typical Program Content/Tracks
- Baseline Advanced Technology Solutions
- Security Management and Operations
- Policy and Law
- For more info, see www.educause.edu/conference/sec
urity
8Information Security Governance Assessment Tool
- The Information Security Governance (ISG)
Assessment Tool is intended to help colleges and
universities determine the degree to which they
have implemented an ISG Framework at the
strategic level within their institution. This
tool is not intended to provide a complete and
detailed list of information security policies or
practices one must follow. Rather, it is
intended to help institutional leadership
identify general areas of concern as they relate
to the ISG Framework. - Sections within the Tool
- Organizational Reliance on IT
- Risk Management
- People
- Processes
- Technology
- http//www.educause.edu/ir/library/pdf/SEC0421.pdf
9ISG Reliance on IT
10ISG Risk Management
11ISG Final Score
12Configuration Benchmarks
- As a free service to EDUCAUSE Institutional
Members, EDUCAUSE has entered into a cooperative
agreement with the Center for Internet Security
(CIS) to provide each EDUCAUSE Institutional
Member with a license to redistribute CIS
Benchmarks and Software Tools on college and
university owned systems. - The relationship entitles Institutional Members
to redistribute CIS benchmarks and Software Tools
to students, faculty and employees for use on
computers owned by the students, faculty and
employees. - The CIS Benchmarks and Software Tools are
resources for Institutional Members to assess and
measurably improve the security configuration
status of its IT systems and networks.
13Implications of CIS Partnership
- Encourage the adoption and deployment of
widely-accepted, consensus technical control
standards (benchmarks) for system security
configuration in colleges and universities. - Establish technical control baselines that can be
presented to software vendors and hardware
suppliers as default security configurations for
systems that colleges and universities purchase. - Expand participation in the CIS consensus
development process by security specialists in
EDUCAUSE member colleges and universities to
ensure that college and university-unique needs
are met. - http//www.cisecurity.org/
14CIS Scoring Tool
15Cyber Security Forumfor Higher Education
- The purpose of the Cyber Security Forum for
Higher Education is to create a forum for the
discussion of higher education computer and
network security issues between the corporate
community and the EDUCAUSE/Internet2 Computer and
Network Security Task Force with the goal of
improving higher education cyber security through
mutual efforts.
16Vendor Engagement
- Established Corporate Cyber Security Forum to
create a dialogue with vendors on practices that
have a significant impact on higher education
security - Educause established the Corporate Cyber Security
Forum to develop linkages with the vendor
community. Members include - Microsoft, IBM,
Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and
SCT - Task force visited Microsoft in September 03 to
explain the needs of higher education and engaged
Microsoft for support during the SP2 rollout for
Windows XP.
17Effective Security Practices Guide
- Balancing the need for security with the higher
education tradition of open and collaborative
networking - http//www.educause.edu/security/guide
18Why Not Identify Best Practices
- Higher education is too diverse in mission and
size for a single best practice to be universally
effective. - Even within a small group of like institutions,
few would identify what they are doing now as
Best Practices. Everyone feels there is room
for improvement in what they are doing! - Threats are rapidly changing and these effective
practices may have a limited shelf life. What
might work today may be useless next year.
19ESPG Overview
- Practical approaches to preventing, detecting,
and responding to security problems - Community driven and serving
- University ISOs and supporting staff
- Codify experiences of experts
- Examples of success
- Potential models to follow
- Provide for various types of institutions
- Modular resource
- Flexibility in presentation implementation
20ESPG Design and Development
Future contributions
Categories keyword searches
Structured presentation
Seed case studies
Past workshops, discussions community vetting
Suitability, editing, notification update
21Core Subject Areas
- Policy
- Education, Training and Awareness
- Risk Analysis and Management
- Security Architecture Design
- Network and Host Vulnerability Assessment
- Network and Host Security Implementation
- Intrusion and Virus Detection
- Incident Response
- Encryption, Authentication Authorization
- Addendum university vendor resources
22Effective Practices Contributors
- Penn State
- U Alabama
- Purdue
- UC Berkeley
- UCONN
- U Maryland, BC
- U Washington
- U Wisc, Madison
- Virginia Tech
- Yale University
- Bethune-Cookman
- Brown
- Cornell
- CSUSB
- GA Tech
- GWU
- Indiana University
- MSCD
- Notre Dame
- NC AT
23ESPG Highlights
Evolution of Security Practices
24Evolution of Security Practices
- It is not always possible to jump to the most
effective practices - Cant scan for policy violations without policies
- Cant develop policies without mature security
standards - Some practices require significant human
resources - Intrusion detection
- Incident response
- Some practices become more effective over time
- Technical support becomes more effective with
supporting tools, security policies and
architecture
25Online Demonstration
- http//www.educause.edu/security/guide
26Risk Analysis
- The most effective security practice given
limited resources - Types of Risk
- Strategic Risk
- Financial Risk
- Legal Risk
- Operational Risk
- Reputation Risk
- Qayoumi, Mohammad H. Mission Continuity
Planning Strategically Assessing and Planning
for Threats to Operations, NACUBO (2002).
27Ideal Risk Analysis Management
- Knowledge of all relevant regulations
- Training and awareness of staff
- Developing plans to audit individual units for
compliance - Developing and implementing a code of conduct for
the organization - Establishing control mechanisms to ensure
compliance - Qayoumi, Mohammad H. Mission Continuity
Planning Strategically Assessing and Planning
for Threats to Operations, NACUBO (2002).
28Risk Analysis Overview
- Risk Threats x Vulnerability x Impact
- Need to weigh prioritize risks to develop
strategy - Threats
- Intruders, insiders, accidents, natural disasters
- Vulnerabilities
- Weaknesses in design, implementation, or
operation - Impact
- Level of harm to the institution
29Practical Risk Analysis in Higher Education
- Preliminary Risk Analysis (year 1)
- Gathering allies, data and support
- Risk Analysis of Critical Processes (year 2)
- Concentrating on high risk areas
- Institution-wide Risk Analysis (year 3)
- Broadening view to include the whole institution
30Virginia Tech STAR Risk Process
- STAR - Security Targeting and Analysis of Risks
- Developed in-house several years ago
- Prioritized assets, risks, and controls
- Very detailed voting structure
- Used color codes for compliance
- Had a control compliance matrix
- Templates provided to reduce resistance ?
- TODAY same concept but we have simplified the
process
31Risk Analysis Process at Virginia Tech
- Information Technology process
- IT Security Officer leads effort
- Annual process with detailed listings
- Lots of involvement with teams
- Evolved into individual risk analysis reports for
other departments - University departments
- Every 3 years / update major changes
- Annual reviews on progress
- All reports submitted to the IT Security Office
32Keys to Success in the Risk Analysis Process
- Secure senior management support
- Select a strong risk analysis team
- Provide risk analysis templates
- Provide instruction and assistance
- Specify a timetable for completion
- Have a collection point for all reports
- Take the risk analysis process seriously
33Senior Management Support
- Important to secure executive support
- Executive should issue directive to all
department heads - Directive should specify a time for final reports
- Accountability for completing risk analyses
- Executive will identify IT Security Office as
providing leadership for effort
34Assets Are More Than Machines
- We are now linking Asset identification to the
management org chart - Assets can be
- Physical systems
- Groups of systems that support a service
- Business process that requires a group of systems
- Business process that depends on other business
processes - Data
- People
35Asset Classification
Business Process A
Business Process B
Business Process C
Oracle DB Forms Servers Auth Servers
Host A Host B Host C Host D Host E
Host F
36(No Transcript)
37(No Transcript)
38(No Transcript)
39Asset Ranking
40IT Common Risks
- Twelve (12) common risks identified by VT IT
- System administration Training
- Desktop Access Control
- Operational Policies
- Key Person Dependency
- Bad Passwords
- Data Disclosure
- Internal Physical Security
- External Physical Security
- Cleartext
- Spoofing/Forgery
- Natural Disaster
- Construction Mistakes
41Sample Risk Ranking
42Reference Risks to Critical Assets
- Review list of critical assets
- Simply determine which risks apply to which
critical assets - Can get into more detail and map risks to
critical assets by voting technique - Helps determine what may need to be addressed
first
43Map Risks to Assets
44Recommendations and Solutions
- May be difficult to do at the time of report
- Others need to be involved in the details
- Management, technical personnel, etc.
- More detailed report may be needed
- Description of solution
- Impact statement
- A cost/benefit analysis
- Proposed dates
45Recommendations
- The risk(s) for an asset will be addressed within
a specific timeframe and a brief explanation
should be included - Controls to address a risk (or risks) will not be
implemented because of information obtained
during analysis (new software, new location,
etc.) - Controls will not be implemented based on factors
(time, budget, etc.) in the dept. or operating
unit - There may not be a known solution at this time,
or you dont feel the risk is a real danger
46Using STAR
- Visit the Effective Security Practices Guide
- Select the link to Risk Analysis of Critical
Areas and Processes - The STAR link will take you to http//www.security
.vt.edu/playitsafe/riskanalysis/ - All forms used by Virginia Tech are online
47Additional Security Resources
- EDUCAUSE/Internet2 Computer Network Security
Task Forcehttp//www.educause.edu/security - Security Discussion Grouphttp//www.educause.edu/
cg - Effective Security Practices Guidehttp//www.educ
ause.edu/security/guide - Internet2 Security Initiativeshttp//security.int
ernet2.edu - Research and Education Networking Information
Sharing and Analysis Center (REN-ISAC) - http//www.ren-isac.net
- Operationally Critical Threat, Asset and
Vulnerability Evaluation (OCTAVE) - http//www.cert.org/octave