Effective Cybersecurity Practices for Higher Education

1
Effective Cybersecurity Practices for Higher
Education

• Educause Southeast Regional Conference
• Seminar 1A
• June 6, 2005

Mary Dunker Virginia Tech
Tammy Clark Georgia State University
2
Seminar Agenda

• EDUCAUSE/Internet2 Security Task Force
  initiatives
• The Effective Security Practices Guide (ESPG)
• Questions and Break
• Securing Unmanaged Computers
• Questions and Feedback

3
Overview of Effective Security Practices

• Educause/Internet2 Security Task Force
  background, working groups, initiatives
• Tools, including Information Security Governance
  Assessment (ISG)
• Effective Security Practices Guide
• Risk assessment methodology from Virginia Tech

4
Strategic Goals

• The Security Task Force received a grant from
  National Science Foundation to identify and
  implement a coordinated strategy for computer and
  network security for higher education. The
  following strategic goals have been identified
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident
  Response

5
Security Task Force Groups

• Awareness Training Working Group
• Effective Practices Solutions Working Group
• Policies Legal Issues Working Group
• Risk Assessment Working Group
• High Performance Advanced Networking Working
  Group (SALSA)
• Security Conference Program Committee

6
National Cyber Security Awareness Month

• The Security Task Force and the Higher Ed IT
  Alliance has endorsed October as National Cyber
  Security Awareness Month.
• The National Cyber Security Alliance is a unique
  partnership among the Federal government, leading
  private sector companies, trade associations and
  educational organizations that aims to educate
  Americans about the need for computer security
  and encourage all computer users to protect their
  home and small business systems.
• See www.StaySafeOnline.info

7
Annual Security Conference

• EDUCAUSE/Internet2Security Professionals
  Conference April 10-12, 2006
• Denver Marriott City Center Hotel Denver,
  Colorado
• Typical Program Content/Tracks
• Baseline Advanced Technology Solutions
• Security Management and Operations
• Policy and Law
• For more info, see www.educause.edu/conference/sec
  urity

8
Information Security Governance Assessment Tool

• The Information Security Governance (ISG)
  Assessment Tool is intended to help colleges and
  universities determine the degree to which they
  have implemented an ISG Framework at the
  strategic level within their institution. This
  tool is not intended to provide a complete and
  detailed list of information security policies or
  practices one must follow. Rather, it is
  intended to help institutional leadership
  identify general areas of concern as they relate
  to the ISG Framework.
• Sections within the Tool
• Organizational Reliance on IT
• Risk Management
• People
• Processes
• Technology
• http//www.educause.edu/ir/library/pdf/SEC0421.pdf
  

9
ISG Reliance on IT
10
ISG Risk Management
11
ISG Final Score
12
Configuration Benchmarks

• As a free service to EDUCAUSE Institutional
  Members, EDUCAUSE has entered into a cooperative
  agreement with the Center for Internet Security
  (CIS) to provide each EDUCAUSE Institutional
  Member with a license to redistribute CIS
  Benchmarks and Software Tools on college and
  university owned systems.
• The relationship entitles Institutional Members
  to redistribute CIS benchmarks and Software Tools
  to students, faculty and employees for use on
  computers owned by the students, faculty and
  employees.
• The CIS Benchmarks and Software Tools are
  resources for Institutional Members to assess and
  measurably improve the security configuration
  status of its IT systems and networks.

13
Implications of CIS Partnership

• Encourage the adoption and deployment of
  widely-accepted, consensus technical control
  standards (benchmarks) for system security
  configuration in colleges and universities.
• Establish technical control baselines that can be
  presented to software vendors and hardware
  suppliers as default security configurations for
  systems that colleges and universities purchase.
• Expand participation in the CIS consensus
  development process by security specialists in
  EDUCAUSE member colleges and universities to
  ensure that college and university-unique needs
  are met.
• http//www.cisecurity.org/

14
CIS Scoring Tool
15
Cyber Security Forumfor Higher Education

• The purpose of the Cyber Security Forum for
  Higher Education is to create a forum for the
  discussion of higher education computer and
  network security issues between the corporate
  community and the EDUCAUSE/Internet2 Computer and
  Network Security Task Force with the goal of
  improving higher education cyber security through
  mutual efforts.

16
Vendor Engagement

• Established Corporate Cyber Security Forum to
  create a dialogue with vendors on practices that
  have a significant impact on higher education
  security
• Educause established the Corporate Cyber Security
  Forum to develop linkages with the vendor
  community. Members include - Microsoft, IBM,
  Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and
  SCT
• Task force visited Microsoft in September 03 to
  explain the needs of higher education and engaged
  Microsoft for support during the SP2 rollout for
  Windows XP.

17
Effective Security Practices Guide

• Balancing the need for security with the higher
  education tradition of open and collaborative
  networking
• http//www.educause.edu/security/guide

18
Why Not Identify Best Practices

• Higher education is too diverse in mission and
  size for a single best practice to be universally
  effective.
• Even within a small group of like institutions,
  few would identify what they are doing now as
  Best Practices. Everyone feels there is room
  for improvement in what they are doing!
• Threats are rapidly changing and these effective
  practices may have a limited shelf life. What
  might work today may be useless next year.

19
ESPG Overview

• Practical approaches to preventing, detecting,
  and responding to security problems
• Community driven and serving
• University ISOs and supporting staff
• Codify experiences of experts
• Examples of success
• Potential models to follow
• Provide for various types of institutions
• Modular resource
• Flexibility in presentation implementation

20
ESPG Design and Development
Future contributions
Categories keyword searches
Structured presentation
Seed case studies
Past workshops, discussions community vetting
Suitability, editing, notification update
21
Core Subject Areas

• Policy
• Education, Training and Awareness
• Risk Analysis and Management
• Security Architecture Design
• Network and Host Vulnerability Assessment
• Network and Host Security Implementation
• Intrusion and Virus Detection
• Incident Response
• Encryption, Authentication Authorization
• Addendum university vendor resources

22
Effective Practices Contributors

• Penn State
• U Alabama
• Purdue
• UC Berkeley
• UCONN
• U Maryland, BC
• U Washington
• U Wisc, Madison
• Virginia Tech
• Yale University

• Bethune-Cookman
• Brown
• Cornell
• CSUSB
• GA Tech
• GWU
• Indiana University
• MSCD
• Notre Dame
• NC AT

23
ESPG Highlights
Evolution of Security Practices
24
Evolution of Security Practices

• It is not always possible to jump to the most
  effective practices
• Cant scan for policy violations without policies
• Cant develop policies without mature security
  standards
• Some practices require significant human
  resources
• Intrusion detection
• Incident response
• Some practices become more effective over time
• Technical support becomes more effective with
  supporting tools, security policies and
  architecture

25
Online Demonstration

• http//www.educause.edu/security/guide

26
Risk Analysis

• The most effective security practice given
  limited resources
• Types of Risk
• Strategic Risk
• Financial Risk
• Legal Risk
• Operational Risk
• Reputation Risk
• Qayoumi, Mohammad H. Mission Continuity
  Planning Strategically Assessing and Planning
  for Threats to Operations, NACUBO (2002).

27
Ideal Risk Analysis Management

• Knowledge of all relevant regulations
• Training and awareness of staff
• Developing plans to audit individual units for
  compliance
• Developing and implementing a code of conduct for
  the organization
• Establishing control mechanisms to ensure
  compliance
• Qayoumi, Mohammad H. Mission Continuity
  Planning Strategically Assessing and Planning
  for Threats to Operations, NACUBO (2002).

28
Risk Analysis Overview

• Risk Threats x Vulnerability x Impact
• Need to weigh prioritize risks to develop
  strategy
• Threats
• Intruders, insiders, accidents, natural disasters
• Vulnerabilities
• Weaknesses in design, implementation, or
  operation
• Impact
• Level of harm to the institution

29
Practical Risk Analysis in Higher Education

• Preliminary Risk Analysis (year 1)
• Gathering allies, data and support
• Risk Analysis of Critical Processes (year 2)
• Concentrating on high risk areas
• Institution-wide Risk Analysis (year 3)
• Broadening view to include the whole institution

30
Virginia Tech STAR Risk Process

• STAR - Security Targeting and Analysis of Risks
• Developed in-house several years ago
• Prioritized assets, risks, and controls
• Very detailed voting structure
• Used color codes for compliance
• Had a control compliance matrix
• Templates provided to reduce resistance ?
• TODAY same concept but we have simplified the
  process

31
Risk Analysis Process at Virginia Tech

• Information Technology process
• IT Security Officer leads effort
• Annual process with detailed listings
• Lots of involvement with teams
• Evolved into individual risk analysis reports for
  other departments
• University departments
• Every 3 years / update major changes
• Annual reviews on progress
• All reports submitted to the IT Security Office

32
Keys to Success in the Risk Analysis Process

• Secure senior management support
• Select a strong risk analysis team
• Provide risk analysis templates
• Provide instruction and assistance
• Specify a timetable for completion
• Have a collection point for all reports
• Take the risk analysis process seriously

33
Senior Management Support

• Important to secure executive support
• Executive should issue directive to all
  department heads
• Directive should specify a time for final reports
• Accountability for completing risk analyses
• Executive will identify IT Security Office as
  providing leadership for effort

34
Assets Are More Than Machines

• We are now linking Asset identification to the
  management org chart
• Assets can be
• Physical systems
• Groups of systems that support a service
• Business process that requires a group of systems
• Business process that depends on other business
  processes
• Data
• People

35
Asset Classification
Business Process A
Business Process B
Business Process C
Oracle DB Forms Servers Auth Servers
Host A Host B Host C Host D Host E
Host F
36
(No Transcript)
37
(No Transcript)
38
(No Transcript)
39
Asset Ranking
40
IT Common Risks

• Twelve (12) common risks identified by VT IT
• System administration Training
• Desktop Access Control
• Operational Policies
• Key Person Dependency
• Bad Passwords
• Data Disclosure
• Internal Physical Security
• External Physical Security
• Cleartext
• Spoofing/Forgery
• Natural Disaster
• Construction Mistakes

41
Sample Risk Ranking
42
Reference Risks to Critical Assets

• Review list of critical assets
• Simply determine which risks apply to which
  critical assets
• Can get into more detail and map risks to
  critical assets by voting technique
• Helps determine what may need to be addressed
  first

43
Map Risks to Assets
44
Recommendations and Solutions

• May be difficult to do at the time of report
• Others need to be involved in the details
• Management, technical personnel, etc.
• More detailed report may be needed
• Description of solution
• Impact statement
• A cost/benefit analysis
• Proposed dates

45
Recommendations

• The risk(s) for an asset will be addressed within
  a specific timeframe and a brief explanation
  should be included
• Controls to address a risk (or risks) will not be
  implemented because of information obtained
  during analysis (new software, new location,
  etc.)
• Controls will not be implemented based on factors
  (time, budget, etc.) in the dept. or operating
  unit
• There may not be a known solution at this time,
  or you dont feel the risk is a real danger

46
Using STAR

• Visit the Effective Security Practices Guide
• Select the link to Risk Analysis of Critical
  Areas and Processes
• The STAR link will take you to http//www.security
  .vt.edu/playitsafe/riskanalysis/
• All forms used by Virginia Tech are online

47
Additional Security Resources

• EDUCAUSE/Internet2 Computer Network Security
  Task Forcehttp//www.educause.edu/security
• Security Discussion Grouphttp//www.educause.edu/
  cg
• Effective Security Practices Guidehttp//www.educ
  ause.edu/security/guide
• Internet2 Security Initiativeshttp//security.int
  ernet2.edu
• Research and Education Networking Information
  Sharing and Analysis Center (REN-ISAC)
• http//www.ren-isac.net
• Operationally Critical Threat, Asset and
  Vulnerability Evaluation (OCTAVE)
• http//www.cert.org/octave