Effective Cybersecurity Practices for Higher Education - PowerPoint PPT Presentation
1
Effective Cybersecurity Practices for Higher Education
  • Educause Southeast Regional Conference
  • Seminar 1A
  • June 6, 2005

Mary Dunker, Virginia Tech
Tammy Clark, Georgia State University
2
Seminar Agenda
  • EDUCAUSE/Internet2 Security Task Force
    initiatives
  • The Effective Security Practices Guide (ESPG)
  • Questions and Break
  • Securing Unmanaged Computers
  • Questions and Feedback

3
Overview of Effective Security Practices
  • Educause/Internet2 Security Task Force
    background, working groups, initiatives
  • Tools, including Information Security Governance
    Assessment (ISG)
  • Effective Security Practices Guide
  • Risk assessment methodology from Virginia Tech

4
Strategic Goals
  • The Security Task Force received a grant from
    the National Science Foundation to identify and
    implement a coordinated strategy for computer and
    network security for higher education. The
    following strategic goals have been identified:
    – Education and Awareness
    – Standards, Policies, and Procedures
    – Security Architecture and Tools
    – Organization, Information Sharing, and Incident
      Response

5
Security Task Force Groups
  • Awareness & Training Working Group
  • Effective Practices & Solutions Working Group
  • Policies & Legal Issues Working Group
  • Risk Assessment Working Group
  • High Performance & Advanced Networking Working
    Group (SALSA)
  • Security Conference Program Committee

6
National Cyber Security Awareness Month
  • The Security Task Force and the Higher Ed IT
    Alliance have endorsed October as National Cyber
    Security Awareness Month.
  • The National Cyber Security Alliance is a unique
    partnership among the Federal government, leading
    private sector companies, trade associations and
    educational organizations that aims to educate
    Americans about the need for computer security
    and encourage all computer users to protect their
    home and small business systems.
  • See www.StaySafeOnline.info

7
Annual Security Conference
  • EDUCAUSE/Internet2 Security Professionals
    Conference, April 10-12, 2006
  • Denver Marriott City Center Hotel, Denver,
    Colorado
  • Typical Program Content/Tracks
    – Baseline & Advanced Technology Solutions
    – Security Management and Operations
    – Policy and Law
  • For more info, see
    http://www.educause.edu/conference/security

8
Information Security Governance Assessment Tool
  • The Information Security Governance (ISG)
    Assessment Tool is intended to help colleges and
    universities determine the degree to which they
    have implemented an ISG Framework at the
    strategic level within their institution. This
    tool is not intended to provide a complete and
    detailed list of information security policies or
    practices one must follow. Rather, it is
    intended to help institutional leadership
    identify general areas of concern as they relate
    to the ISG Framework.
  • Sections within the Tool
    – Organizational Reliance on IT
    – Risk Management
    – People
    – Processes
    – Technology
  • http://www.educause.edu/ir/library/pdf/SEC0421.pdf

9
ISG Reliance on IT
10
ISG Risk Management
11
ISG Final Score
12
Configuration Benchmarks
  • As a free service to EDUCAUSE Institutional
    Members, EDUCAUSE has entered into a cooperative
    agreement with the Center for Internet Security
    (CIS) to provide each EDUCAUSE Institutional
    Member with a license to redistribute CIS
    Benchmarks and Software Tools on college- and
    university-owned systems.
  • The relationship entitles Institutional Members
    to redistribute CIS Benchmarks and Software Tools
    to students, faculty and employees for use on
    computers owned by those students, faculty and
    employees.
  • The CIS Benchmarks and Software Tools are
    resources Institutional Members can use to assess
    and measurably improve the security configuration
    of their IT systems and networks.

13
Implications of CIS Partnership
  • Encourage the adoption and deployment of
    widely-accepted, consensus technical control
    standards (benchmarks) for system security
    configuration in colleges and universities.
  • Establish technical control baselines that can be
    presented to software vendors and hardware
    suppliers as default security configurations for
    systems that colleges and universities purchase.
  • Expand participation in the CIS consensus
    development process by security specialists in
    EDUCAUSE member colleges and universities to
    ensure that college and university-unique needs
    are met.
  • http://www.cisecurity.org/

14
CIS Scoring Tool
15
Cyber Security Forum for Higher Education
  • The purpose of the Cyber Security Forum for
    Higher Education is to create a forum for the
    discussion of higher education computer and
    network security issues between the corporate
    community and the EDUCAUSE/Internet2 Computer and
    Network Security Task Force with the goal of
    improving higher education cyber security through
    mutual efforts.

16
Vendor Engagement
  • Established Corporate Cyber Security Forum to
    create a dialogue with vendors on practices that
    have a significant impact on higher education
    security
  • Educause established the Corporate Cyber Security
    Forum to develop linkages with the vendor
    community. Members include Microsoft, IBM,
    Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and
    SCT.
  • The Task Force visited Microsoft in September 2003
    to explain the needs of higher education and
    engaged Microsoft for support during the rollout
    of Windows XP SP2.

17
Effective Security Practices Guide
  • Balancing the need for security with the higher
    education tradition of open and collaborative
    networking
  • http://www.educause.edu/security/guide

18
Why Not Identify "Best Practices"?
  • Higher education is too diverse in mission and
    size for a single best practice to be universally
    effective.
  • Even within a small group of like institutions,
    few would describe what they are doing now as
    "best practices". Everyone feels there is room
    for improvement in what they are doing!
  • Threats change rapidly, so these effective
    practices may have a limited shelf life: what
    works today may be useless next year.

19
ESPG Overview
  • Practical approaches to preventing, detecting,
    and responding to security problems
  • Community driven, serving
    – University ISOs and supporting staff
  • Codify experiences of experts
    – Examples of success
    – Potential models to follow
  • Provide for various types of institutions
    – Modular resource
    – Flexibility in presentation & implementation

20
ESPG Design and Development
  • Seed case studies
  • Past workshops, discussions & community vetting
  • Suitability, editing, notification & update
  • Structured presentation
  • Categories & keyword searches
  • Future contributions
21
Core Subject Areas
  • Policy
  • Education, Training and Awareness
  • Risk Analysis and Management
  • Security Architecture Design
  • Network and Host Vulnerability Assessment
  • Network and Host Security Implementation
  • Intrusion and Virus Detection
  • Incident Response
  • Encryption, Authentication & Authorization
  • Addendum: university & vendor resources

22
Effective Practices Contributors
  • Penn State
  • U Alabama
  • Purdue
  • UC Berkeley
  • UCONN
  • U Maryland, BC
  • U Washington
  • U Wisc, Madison
  • Virginia Tech
  • Yale University
  • Bethune-Cookman
  • Brown
  • Cornell
  • CSUSB
  • GA Tech
  • GWU
  • Indiana University
  • MSCD
  • Notre Dame
  • NC A&T

23
ESPG Highlights
Evolution of Security Practices
24
Evolution of Security Practices
  • It is not always possible to jump to the most
    effective practices
    – Can't scan for policy violations without policies
    – Can't develop policies without mature security
      standards
  • Some practices require significant human
    resources
    – Intrusion detection
    – Incident response
  • Some practices become more effective over time
    – Technical support becomes more effective with
      supporting tools, security policies and
      architecture

25
Online Demonstration
  • http://www.educause.edu/security/guide

26
Risk Analysis
  • The most effective security practice given
    limited resources
  • Types of Risk
    – Strategic Risk
    – Financial Risk
    – Legal Risk
    – Operational Risk
    – Reputation Risk
  • Qayoumi, Mohammad H. Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations. NACUBO (2002).

27
Ideal Risk Analysis Management
  • Knowledge of all relevant regulations
  • Training and awareness of staff
  • Developing plans to audit individual units for
    compliance
  • Developing and implementing a code of conduct for
    the organization
  • Establishing control mechanisms to ensure
    compliance
  • Qayoumi, Mohammad H. Mission Continuity
    Planning: Strategically Assessing and Planning
    for Threats to Operations. NACUBO (2002).

28
Risk Analysis Overview
  • Risk = Threats x Vulnerability x Impact
  • Need to weigh and prioritize risks to develop a
    strategy
  • Threats
    – Intruders, insiders, accidents, natural disasters
  • Vulnerabilities
    – Weaknesses in design, implementation, or
      operation
  • Impact
    – Level of harm to the institution

29
Practical Risk Analysis in Higher Education
  • Preliminary Risk Analysis (year 1)
    – Gathering allies, data and support
  • Risk Analysis of Critical Processes (year 2)
    – Concentrating on high-risk areas
  • Institution-wide Risk Analysis (year 3)
    – Broadening the view to include the whole
      institution

30
Virginia Tech STAR Risk Process
  • STAR - Security Targeting and Analysis of Risks
  • Developed in-house several years ago
  • Prioritized assets, risks, and controls
  • Very detailed voting structure
  • Used color codes for compliance
  • Had a control compliance matrix
  • Templates provided to reduce resistance
  • Today: same concept, but we have simplified the
    process

31
Risk Analysis Process at Virginia Tech
  • Information Technology process
    – IT Security Officer leads the effort
    – Annual process with detailed listings
    – Lots of involvement with teams
    – Evolved into individual risk analysis reports for
      other departments
  • University departments
    – Every 3 years, or updated on major changes
    – Annual reviews of progress
    – All reports submitted to the IT Security Office

32
Keys to Success in the Risk Analysis Process
  • Secure senior management support
  • Select a strong risk analysis team
  • Provide risk analysis templates
  • Provide instruction and assistance
  • Specify a timetable for completion
  • Have a collection point for all reports
  • Take the risk analysis process seriously

33
Senior Management Support
  • Important to secure executive support
  • Executive should issue directive to all
    department heads
  • Directive should specify a time for final reports
  • Accountability for completing risk analyses
  • Executive will identify IT Security Office as
    providing leadership for effort

34
Assets Are More Than Machines
  • We are now linking asset identification to the
    management org chart
  • Assets can be
    – Physical systems
    – Groups of systems that support a service
    – A business process that requires a group of
      systems
    – A business process that depends on other
      business processes
    – Data
    – People

35
Asset Classification
  • Diagram: three layers of assets. Business
    Process A, Business Process B and Business
    Process C depend on the Oracle DB, Forms Servers
    and Auth Servers, which in turn run on Host A
    through Host F.
36
39
Asset Ranking
40
IT Common Risks
  • Twelve (12) common risks identified by VT IT:
    – System administration training
    – Desktop access control
    – Operational policies
    – Key person dependency
    – Bad passwords
    – Data disclosure
    – Internal physical security
    – External physical security
    – Cleartext
    – Spoofing/forgery
    – Natural disaster
    – Construction mistakes

41
Sample Risk Ranking
42
Reference Risks to Critical Assets
  • Review list of critical assets
  • Simply determine which risks apply to which
    critical assets
  • Can get into more detail and map risks to
    critical assets by voting technique
  • Helps determine what may need to be addressed
    first

43
Map Risks to Assets
44
Recommendations and Solutions
  • May be difficult to do at the time of the report
  • Others need to be involved in the details
    – Management, technical personnel, etc.
  • A more detailed report may be needed
    – Description of the solution
    – Impact statement
    – A cost/benefit analysis
    – Proposed dates

45
Recommendations
  • For each risk mapped to an asset, the report
    records one of the following:
    – The risk(s) for the asset will be addressed
      within a specific timeframe; a brief
      explanation should be included
    – Controls to address the risk(s) will not be
      implemented because of information obtained
      during the analysis (new software, new
      location, etc.)
    – Controls will not be implemented because of
      factors (time, budget, etc.) in the department
      or operating unit
    – There may be no known solution at this time, or
      you don't feel the risk is a real danger

46
Using STAR
  • Visit the Effective Security Practices Guide
  • Select the link to Risk Analysis of Critical
    Areas and Processes
  • The STAR link will take you to
    http://www.security.vt.edu/playitsafe/riskanalysis/
  • All forms used by Virginia Tech are online

47
Additional Security Resources
  • EDUCAUSE/Internet2 Computer & Network Security
    Task Force
    – http://www.educause.edu/security
  • Security Discussion Group
    – http://www.educause.edu/cg
  • Effective Security Practices Guide
    – http://www.educause.edu/security/guide
  • Internet2 Security Initiatives
    – http://security.internet2.edu
  • Research and Education Networking Information
    Sharing and Analysis Center (REN-ISAC)
    – http://www.ren-isac.net
  • Operationally Critical Threat, Asset and
    Vulnerability Evaluation (OCTAVE)
    – http://www.cert.org/octave