Getting Started With Information Security
A Shared Agenda
Cedric Bennett, Kent Wada
EDUCAUSE Western Regional Conference
March 3, 2004
March 3, 2004 Getting Started With Information Security -- EDUCAUSE Western Regional Conference 2
Some(!) real-life areas of shared responsibility
Electronic communications
Privacy
Freedom of speech
Education
Outsourcing
Authentication
Responsible use
E-business
Academic freedom
Records management
Asset Management
IP, Copyright, DMCA
Online CC payments
“The Web”
ResNet
Authorization
Bandwidth management
Spam
Identity theft
Policy, procedures
Risk management
Second half agenda
Privacy
Electronic records and court orders
Policy and procedures
The mobile user
Incident response
Pulling it all together
Futures
Privacy
“… the right to be left alone …” -- US Supreme Court Justice Louis Brandeis
Chip implant gets cash under your skin
http://news.com.com/2100-1041-5111637.html
Story last modified November 25, 2003, 9:32 AM PST
Applied Digital Solutions of Palm Beach, Fla., is hoping that Americans can be persuaded to implant RFID chips under their skin to identify themselves when going to a cash machine or in place of using a credit card. The surgical procedure, which is performed with local anesthetic, embeds a 12-by-2.1mm RFID tag in the flesh of a human arm.
Matthew Cossolotto, a spokesman for ADS who says he's been “chipped,” argues that competing proposals to embed RFID tags in key fobs or cards were flawed. “If you lose the RFID key fob or if it's stolen, someone else could use it and have access to your important accounts,” Cossolotto said. “VeriPay solves that problem. It's subdermal and very difficult to lose. You don't leave it sitting in the backseat of the taxi.”
Some legislation
Health Insurance Portability and Accountability Act (HIPAA) – personally identifiable patient information
Gramm–Leach–Bliley Act – financial information
Federal Family Educational Rights and Privacy Act (FERPA) – student information
California Information Practices Act, SB1386 – disclosure of breaches of computerized personal information
cf. European privacy directive
Other external drivers
National Strategy to Secure Cyberspace: “Should consideration be given to tying State or Federal funding to [institutions of higher education] to compliance with certain cybersecurity benchmarks?”
http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf
NASA IT Security Clause: Final Rule in the Federal Register (67 FR 48814-48815) on July 26, 2002
VISA Cardholder Information Security Program: the “Digital Dozen,” 12 basic security requirements
http://www.usa.visa.com/business/merchants/cisp_index.html?it=il_/personal/secure_with_visa/securecommerceprogram.html
Some privacy challenges and overrides
Law enforcement
Security
Market research
Technology
Business need
Policy
Challenge: Business Need
The Perils of Privacy
“Down the hall in the billing department, a clerk uses a lunch break to scan the Web for information on abuse victims. The information retrieved also flashes onto a screen in the boss's office, revealing a secret the employee never told anyone.”
Source: PC World, December 28, 1999
http://www.pcworld.com/news/article/0,aid,14557,00.asp
Challenge: Technology
Delete Should Mean Delete
http://www.nytimes.com/2000/10/05/technology/06CYBERLAW.html
The geniuses who designed the modern world's computers probably thought they were doing mankind a favor when they decided that nothing, in fact, would ever be deleted when a computer user presses the Delete button. At least one prominent jurist, however, thinks Delete should mean just that.
Challenge: Law enforcement
Subpoenas, search warrants, summons oh my!
It’s not just email
“[A] group of technologists and policy wonks met … to discuss a matter that some say is just as important to Internet privacy as any of the monolithic omniscient supercomputers being hatched in Washington... The humble Web server log.
Or more to the point, the countless thousands of logs routinely kept by servers throughout the Internet, each marking every visit to a given website, identifying what pages were viewed, what transactions made, and the Internet IP address of the visitor. Recent laws have made it easier for government agencies to get their hands on server log entries, and civil litigators are increasingly finding logs a valuable target for subpoenas.”
From “The trails left in Web server logs - and who's seeing them”
http://www.theregister.co.uk/content/55/30114.html
Electronic records retention
How long should email be kept? What about email server logs? Web server logs? Surveillance tapes? Voicemail messages? Etc. etc. etc.
Consider how to keep data only as long as it is needed, and no longer, lest it become a liability (the library model)
Who are your institutional partners in thinking about privacy and balancing institutional obligations?
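As an added example that is not part of the slides, the “library model” applied to the record type the deck singles out, web server logs: entries older than a retention window are dropped and the visitor IP on the rest is truncated so a line no longer identifies one person. The combined log format, the 30-day window, the /24 and /48 prefixes and the sample lines are all assumptions chosen for illustration.

```python
"""Retention window plus IP minimisation for combined-format web server logs.
Added example; the format, window and prefixes are assumptions, not policy."""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Apache/nginx "combined" layout: client IP, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_ts(ts: str) -> datetime:
    """Parse a timestamp such as 14/Feb/2004:08:15:02 -0800 into an aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def minimise_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6), discarding the host bits."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def retain(lines, now, keep_days=30):
    """Return only lines inside the retention window, with the client IP minimised."""
    cutoff = now - timedelta(days=keep_days)
    kept = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # lines that cannot be parsed are not kept either
        if parse_ts(m.group("ts")) < cutoff:
            continue  # older than the window: purge, do not archive
        kept.append(line.replace(m.group("ip"), minimise_ip(m.group("ip")), 1))
    return kept

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE = [
    '192.0.2.77 - - [14/Feb/2004:08:15:02 -0800] "GET /library/catalog HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Jan/2004:22:03:41 -0800] "GET /health/resources HTTP/1.1" 200 2048',
    '2001:db8:abcd:12::5 - - [01/Mar/2004:09:00:00 -0800] "POST /login HTTP/1.1" 302 0',
]
# "Now" is fixed so the example is reproducible: the conference date, Pacific time
NOW = datetime(2004, 3, 3, 12, 0, tzinfo=timezone(timedelta(hours=-8)))

if __name__ == "__main__":
    for kept_line in retain(SAMPLE, NOW):
        print(kept_line)
```

The January line falls outside the window and is purged; the two remaining lines keep their request and status fields but carry only a network prefix instead of a visitor address.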
Records
Electronic records must be seen in the context of all records (not just retention)
But records such as server logs often flummox the traditional framework
Who is your institutional partner in this effort?
USA PATRIOT Act
Amends more than fifteen statutes (including FERPA)
Was intended in part to update wiretap and surveillance laws for the Internet era
Not just a theoretical issue
“Since the Sept. 11, 2001, attacks, the Justice Department and FBI have dramatically increased the use of two little-known powers that allow authorities to tap telephones, seize bank and telephone records and obtain other information in counterterrorism investigations with no immediate court oversight, according to officials and newly disclosed documents.”
Washington Post, March 24, 2003
Policy, procedures and practices
Do you know what to do if an FBI agent shows up with a search warrant for a computer?
Does the student employee sitting at the front desk of the library at 8PM on a Monday evening know?
“IT” policies cover more than IT
IT affects everyone
For example: before, advertising policies affected few people on campus; now, potentially every web page is a marketing opportunity
Therefore, the IT policy process:
is a collaboration between subject matter experts and IT
involves much wider review than many other policies
makes meaningful promulgation a bigger challenge
Campus police
They are law enforcement
They are also part of the campus
What does that mean?
Identity theft
The California Employment Development Department notified 90,600 people this week that their personal information, including Social Security numbers, may have been compromised by a hacker who accessed a state computer server in January.
From the San Francisco Chronicle, Saturday, February 14, 2004
www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/02/14/BUGEN510EG1.DTL
SB1386
New provision of the California Information Practices Act requiring disclosure of computer security breaches involving personal information of California residents
About reducing identity theft
Effective July 1, 2003
Federal legislation coming…?
Straightforward in concept, but the devil is in the details
Data is everywhere!
What exactly is a security breach?
Computer viruses and trojan horses
Encryption of data
What will the courts say?
Who are your institutional partners?
The mobile user
Telecommuters, visitors, etc.
The equipment isn’t necessarily the institution’s
Relying on unreliable support
Risks still accrue to the institution
What about SB1386?
The mobile user
What are the institution’s rights? What are the tradeoffs?
Who are your institutional partners?
http://www.wired.com/wired/archive/11.07/slammer.html
Incident response
“When computer security problems occur, it is critical for the affected organization to have a fast and effective means of responding.”
“incident analysis and response, vulnerability handling, intrusion detection, risk assessments, security consulting, and penetration testing.”
Organizational Models for Computer Security Incident Response Teams
www.sei.cmu.edu/publications/documents/03.reports/03hb001.html
Who are your institutional partners?
A bigger picture
Can’t look at this piecemeal – it will overwhelm you
EDUCAUSE Effective Security Practices Guide
www.educause.edu/security/guide
Futures
Some knotty problems
A policy-neutral core
In August 2002, the Recording Industry Association of America (RIAA) sued a group of U.S.-based Internet service providers, seeking to block access to a music-copying site in China. The suit was dropped when the offending site was shut down, but the event was widely regarded as a pivotal moment.
http://www.infoworld.com/article/03/11/21/46FEtroublefuture_1.html
The “nightmare” of anonymity
JENIN, West Bank, Aug. 19 /PRNewswire/ -- … Earthstation 5 is at war with the Motion Picture Association of America (MPAA) and the Record Association of America (RIAA), and to make our point very clear that their governing laws and policies have absolutely no meaning to us here in Palestine, we will continue to add even more movies for FREE. … "File-sharers world-wide are learning that our Earthstation 5 software hides the identities of its users and their IP addresses so they can now freely share their music and movies online without the threat of a lawsuit from the RIAA and/or the MPAA," said Kabair. … Earth Station 5 is located both in Gaza and in the Jenin Refugee Camp of Palestine.
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK2.story&STORY=/www/story/08-19-2003/0002003023&EDATE=TUE+Aug+19+2003,+06:14+AM
The balancing act
Security protects privacy and reduces risk, legal and fiscal exposures
Security is now often mandated
Security is seen to intrude on privacy, academic freedom and freedom of speech
Security can reduce convenience and functionality
Security is often controversial at many levels