230 likes | 309 Views
Computer-Related Incidents in Colleges and Universities: Factors and Categorization. Virginia Rezmierski Daniel Rothschild The University of Michigan.
E N D
Computer-Related Incidents in Colleges and Universities: Factors and Categorization Virginia Rezmierski Daniel Rothschild The University of Michigan This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. CIFAC
Previous work, new questions • Building on earlier studies • Questions being asked today CIFAC
Building on earlier studies I-CAMP (Incident Cost Analysis and Monitoring Project) • How do we measure incident costs? • What are the costs associated with incidents? • Cost of 30 incidents: $1,015,810 CIFAC
Building on earlier studies I-CAMP II • What about smaller incident costs? • What is the frequency of different incidents? • Risk = Cost X Frequency • Mean costs of incidents: • Access compromise: $1,800 • Harmful code: $980 • DoS: $22,350 • Hacker attacks: $2,100 • Warez sites: $340 CIFAC
Building on earlier studies LAMP (Logging and Monitoring Privacy Project) • Do administrators log and monitor? • How far can we go within FERPA? • Inadequate training and resources • Inadequate protections • Liability when departments function in isolation CIFAC
Computer Incident Factor Analysis and Categorization Project • How do incidents compare across institutions? • How do other institutions handle similar incidents? • What are the causative and facilitative factors associated with different incident types? • What are the best practices available for incident prevention and management? CIFAC
Incidents and Models • What is an incident? • Why is this important? • Involving people from across campus • Disagreements within IT • Narrow definitions • CIFAC Methodology • 3 focus groups, 33 total participants CIFAC
An incident is an event that utilizes or exploits information technology resources or security flaws therein, either by accident or by design and through malice or otherwise, that causes, directly or indirectly, one or more of the following occurrences: • Compromise of proprietary, confidential, or protected data, • System disruption which impedes user(s)’ access to data or other IT resources, • Violates IT use policies set out and made known by the administrator(s) of the IT systems in question, • Violates norms commonly accepted within the community of system user(s) for use of IT resources, • Attempting or conspiring engage or represent oneself or another to be engaged in any aforementioned behavior. CIFAC
An incident is any action/event that takes place through, on, or involving information technology resources, whether accidental or purposeful, that has the potential to destabilize, violate, or damage, the resources, services, policies, or data of the community or individual members of the community. Such incidents may focus on/target individuals, systems/networks, or data resources and result in a policy, education, disciplinary, or technical action. CIFAC
Incidents and Models • Risk-management incident prevention • Burden placed on IT staff • Historically left isolated • Benefit-cost analysis: how to devote scarce resources • Thresholds: Codified rules of action • Reduces technologist liability • Devote time to the problem CIFAC
Incidents and Models • What’s happening in the literature? • Convergence of corporate and educational literature to holistic approach to management • Robert Austin and Christopher Darby, “The Myth of Secure Computing,” Harvard Business Review (June 2003), 120-126. • Focus on specific vulnerabilities and attack types • Categorization of incidents • Colleges and universities moving from lists to codification and modeling CIFAC
Seriousness • Short incidents and categorization • System-focused: 37% • Data-focused: 22% • People-focused: 42% • Roles and perception of seriousness CIFAC
Seriousness: Variables • Long incidents • Seriousness ratings • Three variables of interest: • Quantity or extent of loss • Rank of the people involved • Potential for further damage • Other identified variables CIFAC
Risk (or lack) of harm to people • Potential criminality • Not my job/role/responsibility • Policy issue/violation • Outside authority involvement • Number of people affected • Financial/monetary cost to university/department • Knowledge of quantity of damage • Opportunity cost/time to fix • Number of machines affected • Type of data affected • Fraud/Liability to uni/FERPA • Public relations/reputation • Types of machines affected • Types/rank of people affected • Other/misc CIFAC
Seriousness: Variables • Variables list • Most common variables: • Probability of danger to person(s) (84%) • Type and sensitivity of data involved (50%) • Probability of further access/damage (37%) • Cost to the department/college/university (15%) CIFAC
Getting Into Factors CIFAC
1) User education (i.e.: no education or poor education) 2) Policy existence/quality (i.e.: no policy or poor policy) 3) Too much access/inappropriate access level available 4) Physical security lacking Remainder unranked Policy enforcement/or ignorance of policy Ignorance of law/potential legal ramifications Failure to audit/examine logs Sysadmin training/performance; no or inadequate training Too much bandwidth Virtual security lacking Ease of (mis)use; absence of tech. impediment to inappropriate use IT department not consulted/left out of loop Password poor or exposed Human nature/behavior Access termination procedures lacking or faulty Inappropriate information in public directory Configuration error CIFAC
CIFAC/NSF • Second phase of CIFAC project: identifying causative and associative factors • Methodology • 36 colleges and universities, 18 corporations • Per respondent: three retrospective and three future incidents • Up to three respondents per institutions CIFAC
CIFAC/NSF: Questions • Are there common factors associated with • People-focused incidents? • Systems-focused incidents? • Data-focused incidents? • Is there a common set of variables used to rate seriousness? • What else can we find about the effects of role? CIFAC
CIFAC/NSF • Geographic clusters: • San Francisco Bay area • Chicago area • Atlanta area • Baltimore/DC area • Eastern Massachusetts area • Southeast Michigan/Northern Ohio area CIFAC
The CIFAC Project Gerald R. Ford School of Public Policy University of Michigan 712 Oakland Street Ann Arbor, MI 48104-3021 734-615-9595 cifac.staff@umich.edu Final report to EDUCAUSE http://www.educause.edu/asp/doclib/abstract.asp?ID=SEC0409 CIFAC