This article discusses the strategic goals and priorities of the Security Task Force (STF) in higher education, as well as the importance of collaborating with industry to address security issues. It also explores the challenges, critical vendor areas, and effective practices for engaging vendors in security efforts.
Higher Education-Industry Collaborations to Improve Security • Joy Hughes, George Mason University • Peter Siegel, University of California, Davis • Jack Suess, UMBC
Security Task Force Goals The Security Task Force (STF) has been pursuing the following strategic goals since 2003: • Education and Awareness • Standards, Policies, and Procedures • Security Architecture and Tools • Organization and Information Sharing
STF Priorities for 2007 2007 Strategic Plan: Making Progress on Data Protection, Risk Assessment, Incident Response and Business Continuity • Executive Commitment and Action • Professional Development for Information Security Officers (ISOs) • Awareness of Available Resources • Security of Packaged Software • New Tools and Technologies
Awareness of Resources • EDUCAUSE/Internet2 Security Task Force http://www.educause.edu/security • Blueprint for Handling Sensitive Data • Cybersecurity Awareness Resource Center • Data Incident Notification Tool • Information Security Governance Assessment Tool • Risk Assessment Framework • Security Discussion Group • Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC) • EDUCAUSE Cybersecurity Resource Center http://www.educause.edu/cybersecurity • Effective IT Security Practices Guide https://wiki.internet2.edu/confluence/display/secguide/
Security 2007 • April 10-12, 2007, Denver, Colorado • Keynote Speakers • Ira Winkler, author of Spies Among Us • Pamela Fusco, Head of Global InfoSec, Citigroup • Pre-Conference Seminars • Continuity of Operations Planning, IT Disaster Planning, Wireless Security, DNS Security, Compliance & Legal Issues, Establishing an Information Security Program, Handling Sensitive Data, Incident Response Processes and Tools, and Privacy and Security Training • Concurrent Sessions: Campus & Vendor Presentations • Corporate Displays • Human Networking • BoFs, Roundtable Discussions, Reception, etc.
Why collaborate with Industry? • The original security issues are still there, and some are growing • Problems in new areas: web and database applications • Growing complexity for end users is a PR problem for us • The challenge of "professionalizing" non-security staff on security issues • Heightened state security requirements • Are attacks more sophisticated? More professional? • Organized crime? • "Industrial" espionage?
Most critical vendor areas? • O/S Vendors in Redmond and Cupertino • Unix vendors • ERP Vendors • Database companies • Networking Vendors • Web 2.0 suppliers • Others???
Networking Vendors • Convergence of networking and security products? • Multiple vendors are now integral to the network
OS Vendors: Microsoft • Vista rollout • Higher Education Advisory Group has been strong advocate for security.
How to Engage Vendors • Common effective practices? • Advisory groups? • Checklists of key issues? • Scream • Identity Management - collaboration opportunity?
Identity Management • High-value collaboration opportunity?
ERP Security Checklist Topics • Managing Roles and Responsibilities • Passwords, IDs and PINs • Data Standards and Integrity • Process Documentation • Exporting Sensitive Data
Sample from Roles/Responsibilities • Is security controlled at the database level or is it left to the applications that are supposedly integrated with the ERP to each control security? • How easy is it to set up role based access? e.g. can roles be associated with position categories; can default roles be established?
Sample from Roles/Responsibilities • Are there some features of the system that require that the user, no matter what their role, be given access to the underlying database? If so, how is security managed? • Can context-sensitive roles be defined (i.e. the user can perform a function for specified records only at a specified point in the processing cycle)?
Sample from Roles/Responsibilities • Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third party products and reporting tools?
Sample from Roles/Responsibilities • Can the vendor provide you with the names of institutions similar to yours that have implemented role based security on a wide variety of roles so that you can assess the person hours that will be needed to implement and maintain role based security?
Sample from PINs/IDs/Passwords • Does the system require strong passwords? • Are the IDs randomly or sequentially generated? Are they at least 8 characters long?
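A check a reviewer can run against a vendor's sample data when asking the questions above, added here as an example; it is not part of the original slides. The ID alphabet, the password-policy thresholds and the denylist are assumptions chosen for illustration, not values the checklist specifies. It shows why "sequentially generated" matters (one issued ID lets an attacker enumerate the rest) and what "at least 8 characters" buys when the characters are drawn at random.

```python
"""Password/ID checks for the ERP checklist questions. Added example, not from the
original deck; all policy values below are assumptions."""
import math
import secrets
import string
from statistics import median

ID_ALPHABET = string.ascii_uppercase + string.digits  # assumed 36-symbol alphabet
ID_LENGTH = 8                                         # the checklist's "at least 8 characters"
MIN_PASSWORD_LENGTH = 12                              # assumed policy value
MIN_CHARACTER_CLASSES = 3                             # assumed policy value
DENYLIST = {"password", "welcome", "changeme"}        # assumed, deliberately tiny


def sequential_id(counter: int) -> str:
    """A sequential scheme: zero-padded counter. Every ID is predictable from one example."""
    return f"{counter:0{ID_LENGTH}d}"


def random_id() -> str:
    """An unpredictable scheme: CSPRNG output from the secrets module (not random)."""
    return "".join(secrets.choice(ID_ALPHABET) for _ in range(ID_LENGTH))


def id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Blind-guessing work for a uniformly random ID: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def looks_sequential(sample: list, max_typical_gap: int = 5) -> bool:
    """Heuristic for an exported batch of issued IDs: all numeric and, once sorted,
    the typical gap between neighbours is tiny, so the ID space is enumerable."""
    if len(sample) < 2 or not all(s.isdigit() for s in sample):
        return False
    values = sorted(int(s) for s in sample)
    gaps = [b - a for a, b in zip(values, values[1:])]
    return median(gaps) <= max_typical_gap


def password_meets_policy(pw: str) -> bool:
    """Strong-password check: minimum length, character-class mix, and a denylist."""
    if len(pw) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < MIN_CHARACTER_CLASSES:
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in DENYLIST)


if __name__ == "__main__":
    # Constructed samples standing in for a vendor-supplied export of issued IDs.
    seq_sample = [sequential_id(i) for i in range(100200, 100250)]
    rnd_sample = [random_id() for _ in range(50)]
    print("sequential export enumerable:", looks_sequential(seq_sample))
    print("random export enumerable:", looks_sequential(rnd_sample))
    # Size of the 8-digit space is only an upper bound; a sequential scheme sits far below it.
    print("8-digit space, bits:", round(id_entropy_bits(10, ID_LENGTH), 1))
    print("8-char random ID, bits:", round(id_entropy_bits(len(ID_ALPHABET), ID_LENGTH), 1))
    print("Password1 ok?", password_meets_policy("Password1"))
    print("Tr0ub4dor&3-campus-2007 ok?", password_meets_policy("Tr0ub4dor&3-campus-2007"))
```

Ask the vendor for a few dozen IDs from a demo instance and run looks_sequential over them; a True answer means any authenticated user can walk the whole population, whatever the password policy says.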
Sample from Data Standards/Integrity • Are data fields encrypted at the database level? • Is each standardized data field adequately documented in a data dictionary? • As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?
Sample from Data Standards/Integrity • Can the vendor provide you with the names of institutions similar to yours that have implemented features such as: • encrypted data fields • audit trails on data fields so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?
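What "audit trails on data fields" and their performance cost look like in practice, as an added example that is not from the original slides or any vendor's product. It builds a small employee table in SQLite, adds one trigger per sensitive column so that only changes to those columns are recorded (with old value, new value and the acting user), and times a batch of updates with and without the triggers. The table, column and role names are assumptions for illustration.

```python
"""Field-level audit trail with a rough cost measurement. Added example using the
standard-library sqlite3 module; schema and names are assumptions."""
import sqlite3
import time

AUDITED_COLUMNS = ("salary", "ssn_last4")  # assumed sensitive fields

SCHEMA = """
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    salary    INTEGER NOT NULL,
    ssn_last4 TEXT NOT NULL
);
CREATE TABLE field_audit (
    audit_id    INTEGER PRIMARY KEY,
    emp_id      INTEGER NOT NULL,
    column_name TEXT NOT NULL,
    old_value   TEXT,
    new_value   TEXT,
    changed_by  TEXT NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
-- Single-row table carrying the application user; triggers cannot see the app's session.
CREATE TABLE session_context (actor TEXT NOT NULL);
"""


def audit_trigger_sql(column: str) -> str:
    """One AFTER UPDATE trigger per audited column; fires only when that column changes."""
    return f"""
    CREATE TRIGGER audit_{column} AFTER UPDATE OF {column} ON employee
    WHEN OLD.{column} IS NOT NEW.{column}
    BEGIN
        INSERT INTO field_audit (emp_id, column_name, old_value, new_value, changed_by)
        VALUES (NEW.emp_id, '{column}', OLD.{column}, NEW.{column},
                (SELECT actor FROM session_context));
    END;
    """


def open_db(with_audit: bool) -> sqlite3.Connection:
    """In-memory database, optionally with the audit triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO session_context VALUES ('payroll_clerk')")  # assumed actor
    if with_audit:
        for col in AUDITED_COLUMNS:
            conn.execute(audit_trigger_sql(col))
    return conn


def seed(conn: sqlite3.Connection, n: int) -> None:
    """Constructed employee rows; no real data."""
    conn.executemany(
        "INSERT INTO employee VALUES (?, ?, ?, ?)",
        [(i, f"emp{i}", 50000 + i, f"{i % 10000:04d}") for i in range(1, n + 1)],
    )
    conn.commit()


def run_updates(conn: sqlite3.Connection, n: int) -> None:
    """n changes to an audited column plus one change to a non-audited column."""
    conn.executemany("UPDATE employee SET salary = salary + 1 WHERE emp_id = ?",
                     [(i,) for i in range(1, n + 1)])
    conn.execute("UPDATE employee SET name = 'renamed' WHERE emp_id = 1")
    conn.commit()


def audit_rows(conn: sqlite3.Connection) -> list:
    return conn.execute(
        "SELECT emp_id, column_name, old_value, new_value, changed_by "
        "FROM field_audit ORDER BY audit_id"
    ).fetchall()


def measure(n: int, with_audit: bool) -> tuple:
    """Returns (number of audit rows written, seconds spent in run_updates)."""
    conn = open_db(with_audit)
    seed(conn, n)
    start = time.perf_counter()
    run_updates(conn, n)
    elapsed = time.perf_counter() - start
    return len(audit_rows(conn)), elapsed


if __name__ == "__main__":
    for with_audit in (False, True):
        rows, secs = measure(5000, with_audit)
        print(f"audit={'on ' if with_audit else 'off'} rows={rows:5d} time={secs:.3f}s")
    conn = open_db(True)
    seed(conn, 3)
    run_updates(conn, 3)
    for row in audit_rows(conn):
        print(row)
```

Two things the checklist question is really probing show up here: the rename of a non-audited column writes nothing, so the cost scales with the audited columns rather than the table, and changed_by comes from a session table the application must populate, so the audit is only as trustworthy as the path that sets it. SQLite has no grants; in a real ERP database the application role should be able to insert into the audit table only through the trigger and never update or delete from it.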
Sample from Process Documentation • Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process? • Are there clear and complete work flow diagrams?
REN-ISAC • Research and Education Networking: Information Sharing and Analysis Center • http://www.ren-isac.net/
REN-ISAC Mission • Serve as a trusted connector hub for the security community to collaborate. • Focus is to improve network security through information collection, analysis, dissemination, early warning, and response; • Unique capability to support the R&E community because of NOC at Indiana University; and • Supports efforts to protect the U.S. national cyber infrastructure by participating in the formal ISAC structure.
REN-ISAC Members • Membership is open and free to institutions of higher education, teaching hospitals, research and education network providers, and government-funded research organizations. • http://www.ren-isac.net/membership.html • Current membership • 300 individual members • 165 institutions • Predominantly research universities to date, but increasingly new members are coming from non-research universities. • Membership is aimed at security staff and vetted to ensure a trust relationship.
REN-ISAC Organization • Hosted by Indiana University • Three permanent staff • Executive Advisory Group • Technical Advisory Group • Support and contributions from: • Indiana University, Internet2, EDUCAUSE • Louisiana State University, Worcester Polytechnic Institute, University of Massachusetts Amherst • And the members
Technical Advisory Group • The REN-ISAC Technical Advisory Group (TAG) • Chris Misra - University of Massachusetts Amherst (Chair) • Tom Davis - Indiana University • Phil Deneault - Worcester Polytechnic Institute • Brian Eckman - University of Minnesota • Stephen Gill - Team Cymru • John Kristoff - UltraDNS • Randy Raw - Missouri Research & Education Network (MOREnet) • Joe St Sauver - University of Oregon • Michael Sinatra - University of California, Berkeley • Ex-officio Members • Doug Pearson - REN-ISAC/Indiana University • Dave Monnier - REN-ISAC/Indiana University
Executive Advisory Group • The REN-ISAC Executive Advisory Group • Jack Suess - University of Maryland-Baltimore County (Chair) • Brian Voss - Louisiana State University • Theresa Rowe - Oakland University • Marty Ringle - Reed College • Ken Klingenstein - Internet2 & University of Colorado • Rodney Petersen - EDUCAUSE • TBD - HPC center representative • Ex-officio Members • Mark Bruhn - REN-ISAC/Indiana University • Chris Misra - TAG Chair, University of Massachusetts Amherst • Focus is on developing business plan
External Relationships • Internet2 and EDUCAUSE • Other private threat collection and mitigation efforts, e.g. among ISPs, .edu regional groups, etc. • Global Research NOC at Indiana University, servicing Internet2 Abilene, National LambdaRail, and international connecting networks • National ISAC Council and other sector ISACs • Department of Homeland Security & US-CERT • Coming soon: vendors!
Vendor Relationships • REN-ISAC is uniquely positioned to work with vendors because of its status as an ISAC. • Vendors won't and can't share security secrets with 2,000 institutions, but they will consider sharing with REN-ISAC if we demonstrate that we can be trusted. • In final negotiations with one major vendor.
REN-ISAC Activities • A vetted trust community for cybersecurity • Information-sharing and communications channel for vendor security issues • Information products aimed at protection and detection • Participate in incident detection, response, and dissemination • Develop tools for information sharing and response
Information Products • Daily Weather Report provides situational awareness and actionable protection information. • Alerts provide critical, timely, actionable protection information concerning new or increasing threat. • Notifications identify specific sources and targets of active threat or incident involving member networks. • Threat Information Resources provide information regarding known active sources of threat.
Information Products (2) • Advisories inform regarding specific practices or approaches that can improve security posture. • Instruction on technical topics relevant to security protection and response. • Monitoring views provide aggregate information for situational awareness.
For More Information • Visit: • EDUCAUSE/Internet2 Security Task Force http://www.educause.edu/security • Contact: • Joy Hughes, GMU, STF Co-Chair, jhughes@gmu.edu • Peter Siegel, UC-Davis, STF Co-Chair, pmsiegel@ucdavis.edu • Rodney Petersen, EDUCAUSE, STF Staff, rpetersen@educause.edu