
Educause Task Force on System Security

This article discusses the current situation of system security in higher education, including the challenges and opportunities faced by colleges and universities. It highlights the targets of opportunity on US higher education computer networks and recent academic InfoSec incidents. The article also examines trends in academic InfoSec and the unique challenges and strengths of higher education in addressing system security.


Presentation Transcript


  1. Educause Task Force on System Security
     Gordon Wishon, Georgia Institute of Technology
     Networking 2001
     <www.educause.edu/security>
     EDUCAUSE Systems Security Task Force - April 11, 2001

  2. The Current Situation
     • 3500+ Colleges and Universities
     • > 1000 Community colleges
     • < 100 major research universities
     • 125+ University Medical Schools
     • 400 Teaching Hospitals
     • 150+ Institutional members of Internet2

  3. The Current Situation
     • The Internet is a world-wide, increasingly mission-critical infrastructure
     • Internet’s underlying structure, protocols, & governance are still primarily open
     • Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
     • Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
     • Many college & university networks are insecure

  4. Information Security in Higher Education
     • Research universities: deployment of workstations & servers by researchers whose talents and interests are usually focused elsewhere
     • Smaller institutions: dearth of tech skills
     • Dorm networking: little adult supervision
     • Too few security experts; weak tools; most institutions have no InfoSec office
     • Few policies regarding systems security

  5. Targets of Opportunity on US Higher Education Computer Networks
     • Sensitive Data
     • Credit Card #s, ACH (NACHA) bank #s
     • Patient Records (SSN)
     • Student Records (SSN)
     • Institution Financial Records
     • Investment Records
     • Donor Records
     • Research Data & Other Intellectual Property

  6. Recent Academic InfoSec Incidents
     • Feb 2000 – Distributed Denial of Service (DDoS) attacks bring down key dot com sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
     • June-July 2000 – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server.
     • July 2000 – Educause Task Force Formed
     • Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records.
     • March 2001 – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.

  7. Trends in Academic InfoSec
     • E-Commerce sites threaten litigation against future DDoS sites. Liability for negligence?
     • Insurance companies begin to rewrite liability policies, separate ‘cyber’ policies to require info security vulnerability assessments & changes
     • Funding agencies to require firewalls, security?
     • HIPAA is a “forcing function” in academic Medical Centers
     • FERPA, COPPA, DMCA, Privacy legislation
     • Growing concern over government intervention

  8. Corporate InfoSec Trends (relatively rare in US HE)
     • Firewalls, proxies, user access control
     • Network monitoring, bandwidth management
     • Extensive logging, logfile analysis
     • IDS – Intrusion Detection Systems
     • VPNs (Virtual Private Networks)
     • PPTP, L2TP, IPSEC
     • Strong Authentication – PKI, Smartcards
     • Vulnerability scanning (internal, external)
     • Change Control / Management
     • Managed Security Services (e.g. outsourced)

  9. Why US Higher Ed Computer Networks are Attractive Targets
     • Platforms for launching attacks
     • Wired dorms (insecure Linux PCs, PC Trojans)
     • High bandwidth Internet (Fract T3, T3, T3+)
     • Sophisticated computing capacity (scientific computing clusters, even web servers, etc.)
     • Unsophisticated user population
     • “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
     • Trust relationships between departments at various Universities for research (e.g. Physics community)
     • University research lab computers are often insecure and poorly managed

  10. Unique Challenges in Higher Education
      • Loose confederation of autonomous entities
      • Academic “culture” and tradition of open access to information
      • Lack of control over users
      • Diversity
      • Lack of financial resources
      • Creative Network Anarchy – anyone can attach anything to the network
      • IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership.

  11. Unique Strengths of US Higher Education
      • Intellectual Capital
      • Culture of Open Access to Information
      • Culture of Collaboration

  12. Educause Task Force
      • Announced to all member reps in July email from Mark Luker, VP for Networking
      • Co-chaired by Gordon Wishon, Associate VP & Associate Vice Provost for IT, Georgia Tech; & Dan Updegrove, VP for Information Technology, University of Texas at Austin

  13. General Plan of Attack
      • Increase Awareness of Risks, Vulnerabilities, Liabilities
      • Leverage Intellectual Capital
      • Develop Community Reaction and Response Mechanisms
      • Identify & Inform Community of Risks Associated with Emerging Technologies

  14. Task Force Committees
      • Education & Awareness
      • Michele Norin, University of Arizona
      • Gordon Wishon, VP & Vice Provost for IT, Georgia Tech
      • Campus Policies
      • Mark S. Bruhn, IT Policy Officer, Indiana
      • Rodney Petersen, Dir, Policy & Planning, U of Maryland, College Park
      • Detection, Prevention, & Response
      • Jack Suess, CIO, University of Maryland, Baltimore County
      • Steve Hansen, Security Policy Officer, Stanford
      • Emerging Technologies
      • Clifford Collins, Ohio Academic & Research Network (OARnet)
      • Ken Klingenstein, University of Colorado & Chief Technologist/Middleware Project Director, Internet 2

  15. Education & Awareness
      • Increase Awareness of Risks, Vulnerabilities, Liabilities
      • Identify Constituent Groups, Audiences
      • Develop Messages Appropriate for Audiences
      • Utilize Existing Communication Vehicles (Educause Review, etc.)
      • Establish Partnerships with Higher Ed Leadership Groups (ACE, AAHE, NASULGC, NACUBO, etc.)

  16. Leverage Intellectual Capital
      • Policies
      • Evaluating best practices in Higher Education, Corporations, Government, Military
      • Developing common recommended policies
      • Procedures
      • Physical Security
      • Computer Security
      • Network Security
      • Business Continuity/Disaster Planning
      • Tools
      • Strong authentication methods (smart cards, tokens, etc.)
      • Vulnerability assessment (scanners)
      • DDoS zombie detectors
      • Patch tools

  17. Develop Community Reaction, Response Mechanism
      • Education ISAC, CERT
      • Real time information sharing mechanism
      • Security consulting
      • Vulnerability assessment
      • Emergency notification
      • Internet 911 services for academia?

  18. Emerging Technologies
      • Identify and inform community of risks
      • Influence design of new technologies
      • Internet 2, HEPKI-PAG, HEPKI-TAG, CREN, etc.

  19. Additional Areas Under Investigation
      • Federal Funding Opportunities
      • NSF Grant?
      • Partnering Opportunities
      • Federal Agencies (NIST, DOD, FBI NIPC, NSA, etc.)
      • Security Interest Groups
      • SANS Institute
      • Computer Security Institute
      • Forum of Incident Response & Security Teams
      • System Administrators Guild of USENIX
      • USENIX Security Conference
      • CERT Coordination Center
      • Center for Internet Security
      • O/S, Computer, Network, and Security Service Vendors

  20. How You Can Participate
      • Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors -- even CIOs!
      • Meetings, email, website, white papers
      • <http://www.educause.edu/security>
