H. Morrow Long, Director, Information Security Office, ITS, Yale University
NERCOMP 2003 Annual Conference
Higher Education Contribution to the National Strategy to Secure Cyberspace
Copyright Statement
Copyright Educause/Internet2 Security Task Force 2003.
This work is the intellectual property of the Educause/Internet2 Security Task Force.
Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the Educause/Internet2 Security Task Force.
NERCOMP Annual Conference:
Higher Education Contribution to the National Strategy to Secure Cyberspace
History: Information Security Problems in Higher Ed
Background: The Internet 1988-1998
Recent Events and Case Studies
Educause Information Security Activities
Working Group 2000-2002
Educause/I2 Security Task Force 2002
NSF Sponsored Workshops 2002
National Strategy To Secure Cyberspace
AN-MSI
Educause Information Security Initiatives in 2003
REN-ISAC
Internet Security History & HE IT
1986 – Major NSF funding for national backbone & regional supercomputer centers
1988 – Robert Morris & the Internet Worm
1988 – Creation of CERT at CMU
1989 – The Cornell Commission report
1989 – Clifford Stoll’s The Cuckoo’s Egg
1991 – CIX, commercial use, & Gopher
Internet History, cont’d
1993 – Mosaic browser released by UIUC
1993-4 – ISP Sniffing attacks (PANIX, NearNet)
1994-5 – Kevin Mitnick demos TCP Hijacking
1995 – National backbone privatized
1995 – SATAN released by Farmer & Venema
1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks
1996 – Internet 2 consortium formed
2000-2001 Academic InfoSec
Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
June – SANS Top Ten list released
June-July – Univ. of Washington Medical Center intrusion; 4000 medical records involved; no firewall protecting server
Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records
March – 40+ E-Commerce NT/IIS servers hacked from E. Europe; credit card #s; FBI NIPC alert
Higher Education Computer Security 2000-2003
Hacker Steals Personal Data on Foreign Students at U. of Kansas – Chronicle of Higher Education, 1/24/2003
UMBC students’ data put on Web in error – Baltimore Sun, 12/7/2002
Why Was Princeton Snooping in Yale’s Web Site? – Chronicle of Higher Education, 8/9/2002
Delaware Student Allegedly Changed Her Grades Online – Chronicle of Higher Education, 8/2/2002
. . . 2000-2003
Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges – Chronicle of Higher Education, 6/20/2002
Hacker exposes financial information at Georgia Tech – ComputerWorld, 3/18/2002
College Reveals Students’ Social Security Numbers – Chronicle of Higher Education, 2/22/2002
Hackers Use University’s Mail Server to Send Pornographic Messages – Chronicle of Higher Education, 8/10/2001
. . . 2000-2003
Review to ensure University of Montana Web security – Montana Kaimin, 11/14/2001
‘Code Red’ Worms Linger – Chronicle of Higher Education, 9/14/2001
Students Fault Indiana for Delay in Telling Them About Stolen Files – Chronicle of Higher Education, 3/16/2001
. . . 2000-2003
[UWashington] Hospital records hacked hard – SecurityFocus.com, 7/12/2000
3 Universities in California Find Themselves Linked to Hacker Attacks – Chronicle of Higher Education, 2/25/2000
Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses – Chronicle of Higher Education, 3/13/1998
UT Austin: 55,000 SSNs and Personal Records ‘data mined’ by intruder
Princeton University:
2001-2003 Worms
2001: CodeRed, CodeRed II, NIMDA Worms
2002: “Slapper” (A/B/C) Apache OpenSSL Worm
2003: SQL Slammer / Sapphire Worm
The Current Situation
The Internet is a world-wide, increasingly mission-critical infrastructure
Internet’s underlying structure, protocols, & governance are still primarily open
Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
Many college & university networks are insecure
Information Security in HE
Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
Smaller institutions: dearth of tech skills
Dorm networking: little adult supervision
Too few security experts; weak tools; most institutions have no InfoSec office
Few policies regarding systems security
Information Security in US HE
3500+ Colleges and Universities
> 1000 Community colleges
< 100 major research universities
125+ University Medical Schools
400 Teaching Hospitals
150+ Institutional members of Internet2
Targets of Opportunity on US HE Computer Networks
Sensitive Data:
Credit Card #s, ACH (NACHA) bank #s
Patient records (SSN)
Student records (SSN)
Institution financial records
Investment records
Donor records
Research data
Why US HE Computer Networks are attractive targets
Platforms for launching attacks
Wired dorms (insecure Linux PCs, PC Trojans)
High bandwidth Internet (Fract T3, T3, T3+)
High computing capacity (scientific computing clusters, even web servers, etc.)
“Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
Trust relationships between departments at various Universities for research (e.g. Physics)
Univ research lab computers are often insecure and unmanaged
Unique Challenges to implementing Information Security in Higher Ed
Academic “Culture” and tradition of open and free networking
Lack of control over users
Decentralization (no mainframe anymore)
Lack of financial resources
Creative Network Anarchy – anyone can attach anything to the network
IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership
What should US HE IT be doing W.R.T. Information Security
Investigating network security methods
Investigating strong authentication methods (e.g. smart cards, tokens)
Evaluating “best practices” in: Higher Education, Corporations, Government, Military
Developing common recommended policies
Trends in Academic InfoSec
E-Commerce sites threaten litigation against future DDoS sites. Liability for negligence?
Insurance companies begin to rewrite liability policies; separate ‘cyber’ policies to require info security vulnerability assessments & changes
Funding agencies to require firewalls, security?
HIPAA is a “forcing function” in academic Medical Centers
FERPA, COPPA, DMCA, Privacy legislation
If HE InfoSec doesn’t improve, will more federal legislation be far behind?
InfoSec Trends Elsewhere
Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites.
Information security at State gov. agencies and municipal governments is a mixed bag.
Outside the US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not.
InfoSec Trends Elsewhere
.MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).
.GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies.
InfoSec Trends Elsewhere
.COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art.
Insurance/auditors requiring security assessments for policies.
BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
CISSP / CISA / SANS GIAC / Vendor (Microsoft/Cisco/Checkpoint) certifications of Information Security personnel
Corporate InfoSec Trends (relatively rare in US HE)
Firewalls, proxies, user access control
Network monitoring, bandwidth management
Extensive logging, logfile analysis
IDS – Intrusion Detection Systems
VPNs (Virtual Private Networks): PPTP, L2TP, IPSEC
Strong Authentication – PKI, Smartcards
Vulnerability scanning (internal, external)
Change Control / Management
Managed Security Services (e.g. outsourced)
Why should higher ed care?
Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission
Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity
Education and Training: Centers of Academic Excellence; Professional Training and Certification
Research and Development: Cyberinfrastructure; Basic and Applied Research
Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk
Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.
GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Security Task Force
Formed Summer 2000
Respond to charges that higher education is lax and dangerous
Threat of blunt-edged regulations
Co-chairs, Steering Committee
Web page, Listservs, Conferences
Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th
Executive Order 13231 – October 2001: Created the President’s Critical Infrastructure Protection Board (PCIPB)
Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
USA PATRIOT Act
EDUCAUSE/I2 Security TF Initiatives
Education/Awareness – Speakers; developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
“Best” Practices Security Recommendations – Booklet to be published with Security Policies, Assessment, chapters, etc.
Assembling resources/licensing tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
Federal (NSF) grant proposal funded meetings in 2002. Reports.
REN-ISAC – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
National Strategy to Secure Cyberspace Higher Ed Contribution – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
Letter on Cybersecurity to University Presidents – http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards). E.g. w/HE IT Alliance, “A Framework for Action” April 2002
EDUCAUSE/I2 Security TF Initiatives
Education/Awareness –
Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
EDUCAUSE/I2 Security TF Initiatives
“Best” Practices Security Recommendations –
Booklet to be published with Security Policies, Assessment, chapters, etc.
EDUCAUSE/I2 Security TF Initiatives
Assembling resources/licensing tools –
Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
EDUCAUSE/I2 Security TF Initiatives
Federal (NSF) grant proposal funded meetings in 2002.
Reports on findings.
NSF Workshops
A More Complete Response to National Strategy
Experts on academic values
Experts on practices and policies
Research scientists who use the networks
Summit including all stakeholders
Foundation for Future Activities
Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility
Action Agenda
1. Identify Responsibilities for IT security, Establish Authority, and Hold Accountable
2. Designate an IT Security Officer
3. Conduct Institutional Risk Assessments
4. Increase Awareness and Provide Training to Users and IT staff
5. Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d)
6. Require Secure Products From Vendors
7. Establish Collaboration and Information Sharing Mechanisms
8. Design, Develop, and Deploy Secure Communication and Information Systems
9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.
10. Invest in Staff and Tools
EDUCAUSE/I2 Security TF Initiatives
REN-ISAC –
http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
EDUCAUSE/I2 Security TF Initiatives
National Strategy to Secure Cyberspace Higher Ed Contribution
http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
National Strategy to Secure Cyberspace
Draft announced September 18
See www.securecyberspace.gov
Includes higher ed contribution
National, not a government, strategy
Secure your own piece of cyberspace
Market driven, not regulatory
Best practice, information sharing
Final Strategy Release – TBD
Higher Education Contribution
Higher Education Interests: Teach security; Invent technology; Powerful networks and computers
Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002) – See www.educause.edu/security/national-strategy
Framework for Action (April 2002) – See security.internet2.edu/ActionStatement.pdf
EDUCAUSE/I2 Security TF Initiatives
Letter on Cybersecurity to University Presidents.
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
What Every President Must Do
Ensure the confidentiality, integrity, and availability of University assets and information
Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact
Empower CIO’s, IT Security Officers, and other staff to invoke best practice and employ effective solutions
Security: Negative Deliverable
Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
EDUCAUSE/I2 Security TF Initiatives
Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards).
E.g. w/HE IT Alliance, “A Framework for Action” April 2002
Framework for Action
Make IT Security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
EDUCAUSE/I2 Security TF Initiatives
“Standards.” (A poem)
Standards are good.
Standards are true.
There are many to choose from –
If you don’t pick a standard,
one will be chosen for you.
How You Can Participate
Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors -- even CIOs!
Meetings, email, website (one going up), white papers: http://www.educause.edu/security
Security Professionals Workshop (SPW): 4/21-22 2003, Pechanga Resort & Casino
Regional Educause Conferences (such as this one)
Educause 2003 Annual Conference, Information Security related Track, November 4-7, 2003, Anaheim, CA: http://www.educause.edu/conference/annual/2003/
Security Professionals Workshop (SPW)
EDUCAUSE/Internet2 Security Task Force
1st Annual Higher Ed Security Professionals Workshop
Pechanga Resort and Casino, Temecula CA, April 22-23, 2003 (1.5 days)
Preceding the 1st Annual Secure-IT Conference sponsored by California State University at San Bernardino
Registration: $100 ($125 after 3/24)
Audience: CISOs, IT Security and Policy Directors and Officers, Network Security Engineers and System Administrators.
SPW Agenda
Keynote: Information Assurance and IT Security Professionals in Higher Education
Session: A 10-Step Approach to Developing an Information Security Program
Session: Creating a Security Architecture
Session: Using Open Source Tools
Session: Creating an Incident Response Team
Session: Best Practices for User Education
BOFs (Birds of a Feather Sessions)
Keynote: Legal Issues in Computer and Network Security
Session: Security Policies and Procedures Panel
Session: "Ask the Experts" Panel
Security Task Force Conference
EDUCAUSE/Internet2 Security Task Force
1st Annual Higher Ed Security Professionals Workshop
Questions?
Security Task Force Resources
EDUCAUSE/Internet2 Security Working Group (http://www.educause.edu/security/)
1st Annual Higher Ed Security Professionals Workshop, Pechanga Resort and Casino, Temecula CA, April 22-23, 2003: http://www.educause.edu/conference/security/2003/
Contact Info: [email protected]
202.872.4200