Corporate Forum Presented by EDUCAUSE/Internet2 Computer and Network Security Task Force & EDUCAUSE Center for Applied Research (ECAR)

Introduction
• Background of the Security Task Force
• Coordination with Higher Education IT Alliance
  • ACE, AAU, NASULGC, AASCU, NAICU, AACC, etc.
• Summary of Accomplishments
  • Framework for Action
  • Higher Education Contribution to the National Strategy
  • ACE Letter to Presidents
  • White Paper on Legal Issues
  • Leadership Strategies Book on Security
• Introduction of Task Force Leadership

Cyber Security Forum for Higher Education
The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.

Strategic Goals
The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident Response

Education and Awareness
To increase the awareness of the associated risks of computer and network use and the corresponding responsibilities of higher education executives and end-users of technology (faculty, staff, and students), and to further the professional development of information technology staff.

Standards, Policies, & Procedures
To develop information technology standards, policies, and procedures that are appropriate, enforceable, and effective within the higher education community.

Security Architecture and Tools
To design, develop, and deploy infrastructures, systems, and services that incorporate security as a priority; and to employ technology to monitor resources and minimize adverse consequences of security incidents.

Organization, Information Sharing, and Incident Response
To create the capacity for a college or university to effectively deploy a comprehensive security architecture (education, policy, and technology), and to leverage the collective wisdom and expertise of the higher education community.

Projects and Initiatives
• Education and Awareness Initiative
• Annual Security Professionals Workshop
• Legal Issues and Institutional Policies
• Risk Assessment Method and Tools
• Effective Security Practices Guide
• Research and Development Initiatives
• Vendor Engagement and Partnerships
• Research and Educational Networking Information Sharing & Analysis Center

The National Strategy to Secure Cyberspace
The National Strategy encourages colleges and universities to secure their cyber systems by establishing some or all of the following as appropriate:
• one or more Information Sharing and Analysis Centers to deal with cyber attacks and vulnerabilities;
• an on-call point-of-contact to Internet service providers and law enforcement officials in the event that the school’s IT systems are discovered to be launching cyber attacks;
• model guidelines empowering Chief Information Officers (CIOs) to address cybersecurity;
• one or more sets of best practices for IT security; and,
• model user awareness programs and materials.

Origins of ISACs
The development of ISACs was encouraged by Presidential Decision Directive (Clinton PDD 63: Protecting America's Critical Infrastructures), to serve as the "mechanism for gathering of vulnerabilities, threats, intrusions, and anomalies" information from participating institutions, analyzing and developing a recommended response, and disseminating information so that the member institutions can better defend and secure their technology environment and operations.

The National Strategy on ISACs
“The National Cyberspace Security Response System is a public-private architecture, coordinated by the Department of Homeland Security, for analyzing and warning; managing incidents of national significance; promoting continuity in government systems and private sector infrastructures; and increasing information sharing across and between organizations to improve cyberspace security. The National Cyberspace Security Response System will include governmental entities and nongovernmental entities, such as private sector information sharing and analysis centers (ISACs).”

Research and Education Networking ISAC at Indiana U
The REN-ISAC acts as the security information collection, analysis, dissemination, and early-warning organization specifically designed to support the unique environment and needs of organizations connected to higher education and research networks. With various information inputs at its disposal, the REN-ISAC has a unique aggregate view of the current and near-future security situation in the higher education community. With these inputs and with appropriate synthesis and analytic tools, along with access to experienced incident response staff, the REN-ISAC is distinctively positioned to provide early warning about imminent threats, along with applicable response or self-defense advice, to the higher education and research networking community.

Receive and Analyze Operational Threat, Warning, and Attack Info
• Received from the NIPC, other ISACs, and various other sources
• Received from ISAC member campuses related to incidents on local network backbones
• Received from network engineers related to incidents on national R&E network backbones
• Derived from network instrumentation
• Analysis would be performed by network and security engineers, and possibly by the Advanced Network Management Lab, related to:
  • Unscheduled outages and degraded operations
  • Security-related events such as DDoS attacks, virus alerts, systematic network vulnerabilities scanning, systematic spoofing
  • Other anomalies that constitute or may constitute a serious threat to the networks and associated systems of the REN-ISAC membership

What the REN-ISAC Needs From The Corporate Community
• Information Sharing
• Points of Contact
• Early Notification of Vulnerabilities
• Cooperative Agreements and Relationships (i.e., Partnerships)
• The National Strategy to Secure Cyberspace has called for “voluntary partnerships among government, industry, academia, and nongovernmental groups to secure and defend cyberspace.”

Higher Ed IT Environments
• Technology Environment
  • Distributed computing and wide range of hardware and software from outdated to state-of-the-art
  • Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges
• Leadership Environment
  • Reactive rather than proactive
  • Lack of clearly defined goals (what do we need to protect and why)
• Academic Culture
  • Persistent belief that security & academic freedom are antithetical
  • Tolerance, experimentation, and anonymity highly valued

Campus Incidents
• “Damage Control: When Your Security Incident Hits the 6 O’Clock News”
• Georgia Tech
• University of Kansas
• The University of Texas, Austin
• Microsoft SQL Slammer Incident
• Cisco Router Vulnerability
• Microsoft RPC Vulnerability
• Worms and Viruses!!!

Security Research Initiatives
• Objective: Develop metrics that identify the cost of security, the cost of not securing assets, and measures to account for progress.
• Examples of Initiatives
  • Incident Cost and Analysis Modeling Projects – ICAMP-I (1998) and ICAMP-II (2000)
  • The Computer Incident Factor Analysis and Categorization Project or ICAMP-III
  • Effective Security Practices Guide
  • Risk Assessment Models and Tools
  • ECAR Security Study Report

Conclusions
• Higher Education Cares About Security
• Higher Education Security Is Extremely Complex
• Higher Education Has Been Hit Very Hard By Recent Events
• Higher Education Is Prepared To Make Tradeoffs Differently Today Than Previously
• Higher Education Needs Help From The Vendor Community

Discussion
• Question 1: What is the responsibility of the higher education community?
• Question 2: What is the responsibility of the vendor community?
• Question 3: How can we work together to improve security for higher education?

Question 1
Are there practices that higher education could adopt on a more widespread basis to improve computer and network security for the enterprise?

Question 2
What are the challenges, obstacles, and barriers (real or perceived) for hardware/software vendors providing institutions with secure products “out-of-the-box”? What strategies or solutions could the corporate community or EDUCAUSE pursue to overcome those challenges?

Question 3
How can corporate partners and EDUCAUSE, and the EDUCAUSE membership, work together to improve computer and network security? What do you think of the Cyber Security Forum for Higher Education? What does it mean for your organization to participate? How would you imagine participating?