Dive into the six stages of security awareness in institutions, from ignorance to practically secure. Learn about UMBC's journey and the EDUCAUSE/Internet2 Security Task Force initiatives.
THE NETWORK SECURITY CHALLENGE
Jack Suess, CIO, University of Maryland Baltimore County (UMBC)

Achieving Nirvana - The Six Stages of Security
• A recent EDUCAUSE ECAR research bulletin, "High Stakes for Optimal IT Security Staffing," cited Glenn Fourie's Stages of Institutional Security Awareness
• Level 1 - Ignorance
• Level 2 - Awareness
• Level 3 - Vulnerability
• Level 4 - Intrusion Detection
• Level 5 - Forensics
• Level 6 - Practically Secure

Level 1 -- Ignorance
• Blissfully ignorant of security issues. Common thoughts heard in this stage:
• There has never been an issue at my institution and we don't need to worry about this.
• Security is something the IT people came up with to make us spend money -- just like that Y2K stuff.
• We are too small for anyone to bother us.

Level 2 - Awareness
• Some event highlights institutional vulnerability. Common reasons in this stage:
• "Hello, this is the Chronicle of Higher Ed -- I'd like to discuss the recent release of student IDs on the web."
• The institutional web site is defaced with some pornographic picture.
• RIAA or MPAA brings a lawsuit against one of your students.
• A poor audit triggers questions from the trustees.

Level 3 - Vulnerability
• Institution is still in a "reactive" mode. As you begin to take action, the institution begins to grasp the extent of the problem. Common issues that arise in this level:
• There are no policies to dictate what can or can't be done.
• Security is weak throughout and there is no one the CIO can turn to and say "fix this". Hiring someone to lead security becomes a priority.
• Campuses begin to develop plans and budgets to "address the issue".
• Vulnerability can last many years!

Level 4 - Intrusion Detection
• Institutions begin to be "proactive" in addressing the problem. Common elements in this stage are:
• There is a person leading the security team.
• Campuses redesign their network and information services with security in mind.
• Policies and procedures are created to augment technology.
• Campus considers IT security to be a requirement for new services.
• Campuses start a security and awareness campaign.

Level 5 - Forensics
• The campus has developed a deep understanding of its IT infrastructure. Forensics provides a feedback loop to augment and adapt your security infrastructure -- people, policies, and technology.
• Real-time network security monitoring systems are introduced.
• The network has been architected to support "defense in depth".
• Host-based firewalls/IDS are widely deployed to protect systems.
• Operating system patching is automated.

Level 6 - Practically Secure
• The institution is secure for current threats and has the adaptability to address new threats as they arise.
• No institution has reached this stage so there are no examples!

UMBC -- Where Are We
• We are entering Level 4. We are focusing on technology and policy to make us "Proactive".
• We are spending 1.5 million to redesign our network and LAN architecture to support security AND performance.
• We are revamping policies and procedures to address security and augment what we can't do with technology.
• We have a major program on security awareness under way based on "protecting yourself from Identity Theft".
• We are working with our academic units to connect security into our curriculum in CSEE and IS.

EDUCAUSE/Internet2 Security Task Force
• Our goal is to help institutions improve their network and computer security -- regardless of the level they are at today.
• Established in 2000, our goals are:
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident Response
• Our focus has been to engage government, corporations, and other higher education organizations in promoting security.

Current Security Task Force Initiatives
• Education and Awareness Initiative
• Annual Security Professionals Workshop
• Legal Issues and Institutional Policies
• Risk Assessment Method and Tools
• Effective Security Practices Guide
• Research and Development Initiatives
• Vendor Engagement and Partnerships
• Research and Educational Networking Information Sharing & Analysis Center