IT Security & Higher Education
Why should higher ed care? • Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission • Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity • Education and Training • Centers of Academic Excellence • Professional Training and Certification • Research and Development • Cyberinfrastructure • Basic and Applied Research • Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety. GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Higher Education Computer Security Incidents in the News • Hacker Steals Personal Data on Foreign Students at U. of Kansas, Chronicle of Higher Education, 1/24/2003 • UMBC students’ data put on Web in error, Baltimore Sun, 12/7/2002 • Why Was Princeton Snooping in Yale’s Web Site?, Chronicle of Higher Education, 8/9/2002 • Delaware Student Allegedly Changed Her Grades Online, Chronicle of Higher Education, 8/2/2002
. . . in the News • Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges, Chronicle of Higher Education, 6/20/2002 • Hacker exposes financial information at Georgia Tech, ComputerWorld, 3/18/2002 • College Reveals Students’ Social Security Numbers, Chronicle of Higher Education, 2/22/2002 • Hackers Use University’s Mail Server to Send Pornographic Messages, Chronicle of Higher Education, 8/10/2001
. . . in the News • Review to ensure University of Montana Web security, Montana Kaimin, 11/14/2001 • ‘Code Red’ Worms Linger, Chronicle of Higher Education, 9/14/2001 • Students Fault Indiana for Delay in Telling Them About Stolen Files, Chronicle of Higher Education, 3/16/2001
. . . in the News • [UWashington] Hospital records hacked hard, SecurityFocus.com, 7/12/2000 • 3 Universities in California Find Themselves Linked to Hacker Attacks, Chronicle of Higher Education, 2/25/2000 • Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses, Chronicle of Higher Education, 3/13/1998
Goals of IT Security • Confidentiality - Computers, systems, and networks that contain information require protection from unauthorized use or disclosure. • Integrity - Computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification. • Availability - Computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Higher Ed IT Environments • Technology Environment • Distributed computing and wide range of hardware and software from outdated to state-of-the-art • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges • Leadership Environment • Reactive rather than proactive • Lack of clearly defined goals (what do we need to protect and why) • Academic Culture • Persistent belief that security & academic freedom are antithetical • Tolerance, experimentation, and anonymity highly valued
A Risk Management Approach Risk = Threats x Vulnerability x Impact
Threats An adversary that is motivated to exploit a system vulnerability and is capable of doing so. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats • Hackers • Insiders • “Script Kiddies” • Criminal Organizations • Terrorists • Enemy Nation States
Vulnerabilities An error or a weakness in the design, implementation, or operation of a system. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities • Networks – wired and wireless • Operating Systems – especially Windows • Hosts and Systems • Malicious Code and Viruses • People
Impact Risk refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful. National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Impact: Types of Risk • Strategic Risk • Financial Risk • Legal Risk • Operational Risk • Reputational Risk Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Handling Risks • Risk Assumption • Risk Control • Risk Mitigation • Risk Avoidance Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
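The risk model on the preceding slides (Risk = Threats x Vulnerability x Impact, followed by the four handling options) is easier to apply to a real inventory when it is written out. The following is an added example, not material from the Security Task Force slides or the cited reports: it scores a constructed list of campus assets on 1-5 ordinal scales, ranks them, and maps each score to one of the handling options. The asset list, the scales and the thresholds that choose between assumption, control, mitigation and avoidance are all assumptions made for illustration.

```python
# Added example (not from the slides): Risk = Threats x Vulnerability x Impact
# over a constructed campus asset list, ranked and mapped to a handling option.
# Assets, the 1-5 scales and the handling thresholds are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # 1 = no motivated adversary .. 5 = capable, motivated adversary
    vulnerability: int  # 1 = hardened and patched .. 5 = known weakness, exposed
    impact: int         # 1 = nuisance .. 5 = mission-stopping or severe liability


def risk_score(asset: Asset) -> int:
    """Risk = Threats x Vulnerability x Impact on 1-5 ordinal scales (range 1..125)."""
    for factor in (asset.threat, asset.vulnerability, asset.impact):
        if not 1 <= factor <= 5:
            raise ValueError(f"{asset.name}: factor {factor} is outside 1..5")
    return asset.threat * asset.vulnerability * asset.impact


def handling(score: int) -> str:
    """Map a score to Risk Assumption / Control / Mitigation / Avoidance.

    The thresholds are an assumption chosen for this example, not from the slides.
    """
    if score >= 60:
        return "avoidance"    # stop the activity or remove the asset (e.g. stop using SSNs as IDs)
    if score >= 30:
        return "mitigation"   # reduce the vulnerability or the impact
    if score >= 10:
        return "control"      # accept, but monitor and contain
    return "assumption"       # accept the risk as it stands


def rank_assets(assets):
    """Return (score, name, handling) tuples, highest risk first."""
    scored = [(risk_score(a), a.name, handling(risk_score(a))) for a in assets]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample inventory; the factor values are illustrative only.
CAMPUS_ASSETS = [
    Asset("student records database (holds SSNs)", threat=4, vulnerability=3, impact=5),  # 60
    Asset("departmental mail relay", threat=3, vulnerability=4, impact=3),                # 36
    Asset("lab web server (static pages)", threat=2, vulnerability=4, impact=2),          # 16
    Asset("library lobby kiosk", threat=2, vulnerability=2, impact=1),                    # 4
]

if __name__ == "__main__":
    for score, name, action in rank_assets(CAMPUS_ASSETS):
        print(f"{score:4d}  {action:<10}  {name}")
```

Two caveats a practitioner should keep in mind: multiplying ordinal scales yields an ordering, not a measurement, so the product is only useful for prioritising within one institution's inventory; and very different situations can land on the same score (a 5 x 1 x 5 asset and a 1 x 5 x 5 asset both score 25), so the individual factors, not just the product, should be recorded and reviewed.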
Security Task Force • Formed Summer 2000 • Respond to charges that higher education is lax and dangerous • Threat of blunt-edged regulations • Co-chairs, Steering Committee • Web page, Listservs, Conferences • Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th • Executive Order 13231 – October 2001. Created the President’s Critical Infrastructure Protection Board (PCIPB) • Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. USA PATRIOT Act
National Strategy to Secure Cyberspace • Draft announced September 18. See www.securecyberspace.gov • Includes higher ed contribution • National, not a government, strategy • Secure your own piece of cyberspace • Market driven, not regulatory • Best practice, information sharing • Final Strategy Release – TBD
Higher Education Contribution • Higher Education Interests: • Teach security • Invent technology • Powerful networks and computers • Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy • Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf
Framework for Action • Make IT Security a higher and more visible priority in higher education • Do a better job with existing security tools, including revision of institutional policies • Design, develop and deploy improved security for future research and education networks • Raise the level of security collaboration among higher education, industry and government • Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
NSF Workshops • A More Complete Response to National Strategy • Experts on academic values • Experts on practices and policies • Research scientists who use the networks • Summit including all stakeholders • Foundation for Future Activities
Guiding Principles • Civility and Community • Academic and Intellectual Freedom • Privacy and Confidentiality • Equity, Diversity, and Access • Fairness and Process • Ethics, Integrity, and Responsibility
Action Agenda • Identify Responsibilities for IT security, Establish Authority, and Hold Accountable • Designate an IT Security Officer • Conduct Institutional Risk Assessments • Increase Awareness and Provide Training to Users and IT staff • Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d) • Require Secure Products From Vendors • Establish Collaboration and Information Sharing Mechanisms • Design, Develop, and Deploy Secure Communication and Information Systems • Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc. • Invest in Staff and Tools
Security: Negative Deliverable Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it. Jeffrey I. Schiller, MIT’s Security Architect
What Every President Must Do • Ensure the confidentiality, integrity, and availability of University assets and information • Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact • Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions
For more information, contact: EDUCAUSE/Internet2 Security Task Force www.educause.edu/security Security-Task-Force@educause.edu 202.872.4200