1

H. Morrow LongDirector, Information Security OfficeITS, Yale University

NERCOMP 2003 Annual Conference

Higher Education Contribution to the National Strategy to Secure Cyberspace

2

Copyright Statement

Copyright Educause/Internet2 Security Task Force 2003.

This work is the intellectual property of the Educause/Internet2 Security Task Force.

Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the Educause/Internet2 Security Task Force.

3

NERCOMP Annual Conference:

Higher Education Contribution to the National Strategy to Secure Cyberspace

History: Information Security Problems in Higher Ed Background: The Internet 1988-1998 Recent Events and Case Studies

Educause Information Security Activities Working Group 2000-2002 Educause/I2 Security Task Force 2002

NSF Sponsored Workshops 2002 National Strategy To Secure Cyberspace AN-MSI

Educause Information Security Initiatives in 2003 REN-ISAC

4

Internet Security History & HE IT

1986 – Major NSF funding for national backbone & regional supercomputer centers

1988 – Robert Morris & the Internet Worm 1988 – Creation of CERT at CMU 1989 – The Cornell Commission report 1989 – Clifford Stoll’s The Cuckoo’s Egg 1991 – CIX, commercial use, & Gopher

5

Internet History, cont’d

1993 – Mosaic browser released by UIUC 1993-4 ISP Sniffing attacks (PANIX, NearNet) 1994-5 Kevin Mitnick demos TCP Hijacking. 1995 – National backbone privatized 1995 – SATAN released by Farmer & Venema 1996 – PANIX, Internet Chess Server, and other web

sites shut down by SYN attacks. 1996 – Internet 2 consortium formed

6

2000-2001 Academic InfoSec Feb – Distributed Denial of Service (DDoS)

attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)

June – SANS Top Ten list released. June-July – Univ. of Washington Medical Center

intrusion. 4000 medical records involved. No firewall protecting server.

Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records.

March – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.

7

Higher Education Computer Security 2000-2003 Hacker Steals Personal Data on Foreign Students at U.

of Kansas Chronicle of Higher Education, 1/24/2003

UMBC students’ data put on Web in error Baltimore Sun, 12/7/2002

Why Was Princeton Snooping in Yale’s Web Site?Chronicle of Higher Education, 8/9/2002

Delaware Student Allegedly Changed Her Grades OnlineChronicle of Higher Education, 8/2/2002

8

. . . 2000-2003

Russian Mafia May Have Infiltrated Computers at Arizona State and Other CollegesChronicle of Higher Education, 6/20/2002

Hacker exposes financial information at Georgia TechComputerWorld, 3/18/2002

College Reveals Students’ Social Security NumbersChronicle of Higher Education, 2/22/2002

Hackers Use University’s Mail Server to Send Pornographic MessagesChronicle of Higher Education 8/10/2001

9

. . . 2000-2003

Review to ensure University of Montana Web securityMontana Kaimin, 11/14/2001

‘Code Red’ Worms Linger Chronicle of Higher Education, 9/14/2001

Students Fault Indiana for Delay in Telling Them About Stolen FilesChronicle of Higher Education, 3/16/2001

10

. . . 2000-2003

[UWashington] Hospital records hacked hardSecurityFocus.com, 7/12/2000

3 Universities in California Find Themesleves Linked to Hacker AttacksChronicle of Higher Education 2/25/2000

Hackers Attack Thousands of Computers on at Least 25 U.S. CampusesChronicle of Higher Education, 3/13/1998

UT Austin: 55,000 SSNs and Personal Records ‘data mined’ by intruder

Princeton University:

11

2001-2003 Worms

2001: CodeRed, CodeRed II, NIMDA Worms 2002: “Slapper” (A/B/C) Apache OpenSSL

Worm 2003: SQL Slammer / Sapphire Worm

12

The Current Situation

The Internet is a world-wide, increasingly mission-critical infrastructure

Internet’s underlying structure, protocols, & governance are still primarily open

Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS )

Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce

Many college & university networks are insecure

13

Information Security in HE Research universities: deployment of

workstations & servers by researchers whose talents are usually focused elsewhere

Smaller institutions: dearth of tech skills Dorm networking: little adult supervision Too few security experts; weak tools;

most institutions have no InfoSec office. Few policies regarding systems security

14

Information Security in US HE

3500+ Colleges and Universities > 1000 Community colleges < 100 major research universities 125+ University Medical Schools 400 Teaching Hospitals 150+ Institutional members of Internet2

15

Targets of Opportunity on US HE Computer Networks Sensitive Data

Credit Card #s, ACH (NACHA) bank #s patient records (SSN) student records (SSN) institution financial records Investment records donor records research data

16

Why US HE Computer Networks are attractive targets

Platforms for launching attacks Wired dorms (insecure Linux PCs, PC Trojans) High bandwidth Internet (Fract T3, T3, T3+) High computing capacity (scientific computing

clusters, even web servers, etc.). “Open” network security environment (no firewalls or

only “light” filtering routers on many high bandwidth WANs and LANs)

Trust relationships between departments at various Universitiess for research (e.g. Physics)

Univ research lab computers are often insecure and unmanaged.

17

Unique Challenges to implementing Information Security in Higher Ed

Academic “Culture” and tradition of open and free networking

Lack of control over users Decentralization (no mainframe anymore) Lack of financial resources Creative Network Anarchy – anyone can attach

anything to the network IT has not always been central to institutional mission

-- changing attitudes and getting “buy in” requires politics and leadership.

18

What should US HE IT be doing W.R.T. Information Security

Investigating network security methods. Investigating strong authentication methods

(e.g. smart cards, tokens). Evaluating “best practices” in:

Higher Education Corporations Government Military

Developing common recommended policies.

19

Trends in Academic InfoSec E-Commerce site threaten litigation against future

DDoS sites. Liability for negligence? Insurance companies begin to rewrite liability policies,

separate ‘cyber’ policies to require info security vulnerability assessments & changes.

Funding agencies to require firewalls, security? HIPAA is a “forcing function” in academic Medical

Centers. FERPA, COPPA, DMCA, Privacy legislation. If HE InfoSec doesn’t improve, will more federal

legislation be far behind?

20

InfoSec Trends Elsewhere

Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites.

Information security at State gov. agencies and municipal goverments is a mixed bag.

Outside US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not.

21

InfoSec Trends Elsewhere

.MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).

.GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies.

22

InfoSec Trends Elsewhere

.COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art.

Insurance/auditors requiring security assessments for policies.

BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds CISSP / CISA / SANS GIAC / Vendor

(Microsoft/Cisco/Checkpoint) certificationsof Information Security personnel

23

Corporate InfoSec Trends, (relatively rare in US HE)

Firewalls, proxies, user access control Network monitoring, bandwidth management Extensive logging, logfile analysis IDS – Intrusion Detection Systems VPNs (Virtual Private Networks)

PPTP, L2TP, IPSEC

Strong Authentication – PKI, Smartcards Vulnerability scanning (internal, external) Change Control / Management Managed Security Services (e.g. outsourced)

24

Why should higher ed care?

Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission

Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability

25

Higher Ed and Cybersecurity

Education and Training Centers of Academic Excellence Professional Training and Certification

Research and Development Cyberinfrastructure Basic and Applied Research

Securing Our Corner of Cyberspace!

26

GAO Designates Computer Security a High Risk

Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)

27

Security Task Force

Formed Summer 2000 Respond to charges that higher education is lax and

dangerous Threat of blunt-edged regulations

Co-chairs, Steering Committee Web page, Listservs, Conferences Staff – EDUCAUSE/Internet2

28

Cybersecurity – Post Sept. 11th

Executive Order 13231 – October 2001Created the Presidents Critical Infrastructure Protection Board (PCIPB)

Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

USA PATRIOT Act

29

EDUCAUSE/I2 Security TF Initiatives Education/Awareness – Speakers; Developing or obtaining high quality

seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.

“Best” Practices Security Recommendations – Booklet to be published with Security Policies, Assessment, chapters, etc.

Assembling resources/licensing tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.

Federal (NSF) grant proposal funded meetings in 2002. Reports. REN-ISAC - http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html

National Strategy to Secure Cyberspace Higher Ed Contributionhttp://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html

Letter on Cybersecurity to University Presidents.http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards). E.g. w/HE IT Alliance, “A Framework for Action” April 2002

30

EDUCAUSE/I2 Security TF Initiatives

Education/Awareness –

Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.

31

EDUCAUSE/I2 Security TF Initiatives

“Best” Practices Security Recommendations –

Booklet to be published with Security Policies, Assessment, chapters, etc.

32

EDUCAUSE/I2 Security TF Initiatives

Assembling resources/licensing tools –

Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.

33

EDUCAUSE/I2 Security TF Initiatives

Federal (NSF) grant proposal funded meetings in 2002.

Reports on findings.

34

NSF Workshops

A More Complete Response to National Strategy Experts on academic values Experts on practices and policies Research scientists who use the networks Summit including all stakeholders

Foundation for Future Activities

35

Guiding Principles

Civility and Community Academic and Intellectual Freedom Privacy and Confidentiality Equity, Diversity, and Access Fairness and Process Ethics, Integrity, and Responsibility

36

Action Agenda

1. Identify Responsibilities for IT security, Establish Authority, and Hold Accountable

2. Designate an IT Security Officer3. Conduct Institutional Risk Assessments4. Increase Awareness and Provide Training to

Users and IT staff5. Develop IT Security Policies, Procedures, and

Standards

37

Action Agenda (cont’d)

6. Require Secure Products From Vendors7. Establish Collaboration and Information

Sharing Mechanisms8. Design, Develop, and Deploy Secure

Communication and Information Systems9. Use Tools: Scan, Intrusion Detection

Systems, Anti-Virus Software, etc.10. Invest in Staff and Tools

38

EDUCAUSE/I2 Security TF Initiatives

REN-ISAC –

http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html

39

EDUCAUSE/I2 Security TF Initiatives

National Strategy to Secure Cyberspace Higher Ed Contribution

http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html

40

National Strategy to Secure Cyberspace Draft announced September 18

See www.securecyberspace.gov Includes higher ed contribution

National, not a government, strategy Secure your own piece of cyberspace Market drive, not regulatory Best practice, information sharing

Final Strategy Release – TBD

41

Higher Education Contribution

Higher Education Interests: Teach security Invent technology Powerful networks and computers

Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002)See www.educause.edu/security/national-strategy

Framework for Action (April 2002)See security.internet2.edu/ActionStatement.pdf

42

EDUCAUSE/I2 Security TF Initiatives

Letter on Cybersecurity to University Presidents.

http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm

43

What Every President Must Do

Ensure the confidentiality, integrity, and availability of University assets and information

Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact

Empower CIO’s, IT Security Officers, and other staff to invoke best practice and employ effective solutions

44

Security: Negative Deliverable

Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.

Jeffrey I. Schiller, MIT’s Security Architect

45

EDUCAUSE/I2 Security TF Initiatives

Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards).

E.g. w/HE IT Alliance, “A Framework for Action” April 2002

46

Framework for Action

Make IT Security a higher and more visible priority in higher education

Do a better job with existing security tools, including revision of institutional policies

Design, develop and deploy improved security for future research and education networks

Raise the level of security collaboration among higher education, industry and government

Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

47

EDUCAUSE/I2 Security TF Initiatives

“Standards.” (A poem).

Standards are good.Standards are true. There are many to choose from-If you don’t pick a standard,one will be chosen for you.

48

How You Can Participate

Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors, -- even CIOs!

Meetings, email, website one going up, white papers

<http://www.educause.edu/security> Security Professionals Workshop (SPW)

4/21-22 2003, Pechanga Resort & Casino Regional Educause Conferences (such as this one). Educause 2003 Annual Conference

Information Security related TrackNovember 4-7, 2003, Anaheim, CAhttp://www.educause.edu/conference/annual/2003/

49

Security Professionals Workshop (SPW)EDUCAUSE/Internet2 Security Task Force1st Annual Higher Ed Security Professionals Workshop

Pechanga Resort and Casino, Temecula CAApril 22-23, 2003 (1.5 days)

Preceding the 1st Annual Secure-IT Conference sponsored by California State University at San Bernardino

Registration: $100 ($125 after 3/24)

Audience:CISOs, IT Security and Policy Directors and Officers, Network Security Engineers and System Administrators.

50

SPW Agenda

Keynote : Information Assurance and IT Security Professionals in Higher Education

Session : A 10-Step Approach to Developing an Information Security Program

Session : Creating a Security Architecture Session : Using Open Source Tools Session : Creating an Incident Response Team Session : Best Practices for User Education BOFs (Birds of a Feather Sessions) Keynote: Legal Issues in Computer and Network Security Session : Security Policies and Procedures Panel Session : "Ask the Experts" Panel

51

Security Task Force ConferenceEDUCAUSE/Internet2 Security Task Force1st Annual Higher Ed Security Professionals Workshop

52

53

Questions?

54

Security Task Force Resources

EDUCAUSE/Internet2 Security Working Group(http://www.educause.edu/security/)

1st Annual Higher Ed Security Professionals WorkshopPechanga Resort and Casino, Temecula CAApril 22-23, 2003http://www.educause.edu/conference/security/2003/

Contact Info:Security-Task-Force@educause.edu

202.872.4200