Mark S. Bruhn
Chief IT Security and Policy Officer, Indiana University
Some material based on presentations prepared by Mark Bruhn and Michael A. McRobbie (IU VP/CIO)
IT Security
Copyright Indiana University 2002. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the person named as presenter above. To disseminate otherwise or to republish requires written permission from the person named as presenter above.
Preliminary Statement
In a perfect world, we shouldn’t have to restrict activities on the Internet or on our campuses. But, in that same perfect world, we wouldn’t need bank guards or FBI agents; many of us doing work in areas related to operational assurance have other interests and would be happy doing something else. But, in the real world, we have to take reasonable steps to protect the interests of our institutions and our constituents.
Presentation Overview
• VERY Brief Intro to Risk and Goal-Oriented Security
• Them versus Us: The Threat
• Us versus Us: Fertile Ground
• Us versus Them: Losing Battle?
After risks are quantified or qualified, formally or informally, develop a response strategy based on goals and targets, not on presumptions of security requirements.
Do we have to secure our campuses like Ft. Knox to be successful?
The goal must be to minimize and mitigate risk. Attempting to eliminate risk will result in not only dramatic failure, but also in loss of critical credibility and momentum.
Typical University IT and Data Environments
• Large (often huge) number of networked devices
• Very high-speed, high-capacity networks
• Very diverse hardware and software set
• Experimentation with new software
• Physical security varies widely
• Usually no device registration requirements
• Usually no network user authentication
• Sometimes no service user authentication
• Independent departments
• Independent researchers
• Under-paid, under-trained, over-worked technicians
• Inadequate or nonexistent security offices
• Few IS/IT auditors on staff
• No central data management structure
• Thousands of people accessing or deriving data
• No data extract and dissemination limits
• Minimal training on data handling/protection
Wasting “Power of Many”?
Communities are not collectively:
• Putting pressure on vendors
• Putting pressure on governments
• Avoiding use of products with bad security records, which cost much more in time and money to manage
• IU Faculty Research Information Database (1997)
• IU Office of the Bursar (2001)
• IU School of Music (2001)
• University of Michigan patient records
• University of Washington patient records
• UC Berkeley systems used against commercial sites
• Stolen passwords at Berkeley, UCLA, Harvard
• Purdue University password files
• Georgia Tech, Notre Dame, Indiana State
• Many others not publicized
Should it Take an Incident to Wake Us Up?
Awareness at the Top
• Typically, executive management and governing boards in universities are not aware of these problems, which have the potential to be very damaging to a university, both in reputation and in potential liability.
Easier to Crack/Hack
• Veterans are “publishing” code for neophyte crackers
• Operating system and application APIs
• Complicated operating systems and software
• Automated vulnerability probes
• Cracker resources
• “Script kiddies”
• Cracking for profit
• Cracking for political reasons
• Cracking as part of cyberwarfare
• Cracking as part of criminal enterprise
Intrusion Consequences
• Unauthorized access to data
• Installation of malicious code
• Stashing illegal materials
• Consumption of network resources
• Loss of machine cycles
• Inappropriate use of public resources
• Defacement for political reasons
• Distributed Denial of Service attacks
• Attacks waged on other enterprises
• Decreased reputation of the Higher Education community
Actors
• National Security Threats
  • Info Warrior – Reduce U.S. Decision Space, Strategic Advantage, Chaos, Target Damage
  • National Intelligence – Information for Political, Military, Economic Advantage
• Shared Threats
  • Terrorist – Visibility, Publicity, Chaos, Political Change
  • Industrial Espionage – Competitive Advantage, Intimidation
  • Organized Crime – Revenge, Retribution, Financial Gain, Institutional Change
• Local Threats
  • Institutional Hacker – Monetary Gain, Thrill, Challenge, Prestige
  • Recreational Hacker – Thrill, Challenge
Copyright 2000 by E. H. Spafford
Greatest Danger?
• Probes by automated programs
• Every Internet-connected device probed periodically
• Probes lead to compromise of poorly maintained devices
• Vulnerabilities discovered within hours
• Data on vulnerable devices is exposed
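The probe pattern this slide warns about (one outside host walking many ports on a campus machine within seconds) can be surfaced from perimeter logs with a sliding-window count of distinct destination ports per source/destination pair. The Python below is an added example, not part of the original presentation or Indiana University's tooling; the log lines are constructed in an iptables-style format using documentation address ranges, and the thresholds (six distinct ports within ten seconds) are illustrative assumptions a site would tune to its own traffic.

```python
"""Flag automated port probes in firewall log lines.

Added example; not from the original presentation. The log format is a
constructed iptables-style line (timestamp, SRC, DST, DPT), and the
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Host 203.0.113.7 walks eight
# ports on 192.0.2.10 in four seconds; 198.51.100.4 makes two ordinary
# HTTPS connections and should not be flagged; the last line is an
# isolated SSH hit hours later that is also not a scan.
SAMPLE_LOG = """\
May 10 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
May 10 02:14:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
May 10 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
May 10 02:14:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
May 10 02:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
May 10 02:14:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=111
May 10 02:14:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
May 10 02:14:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3306
May 10 02:14:05 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
May 10 02:14:06 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
May 10 09:30:00 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=22
"""

# Syslog timestamps carry no year; the parser takes one as a parameter.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2002):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, min_ports=6, window_seconds=10):
    """Return {(src, dst): sorted distinct ports} for every source that hit at
    least `min_ports` distinct ports on one destination inside some sliding
    window of `window_seconds`. Thresholds are illustrative assumptions."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))

    window = timedelta(seconds=window_seconds)
    flagged = defaultdict(set)
    for key, evs in events.items():
        evs.sort()  # chronological order so the window can advance monotonically
        start = 0
        for end in range(len(evs)):
            # Drop events older than the window relative to the newest one.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[key].update(ports)
    return {key: sorted(ports) for key, ports in flagged.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"probe: {src} -> {dst} touched {len(ports)} ports: {ports}")
```

Run against the constructed sample, the scanner reports only 203.0.113.7 against 192.0.2.10; the repeated HTTPS connections and the single later SSH hit fall below the threshold. In production the same logic would read from the firewall's syslog feed, and the thresholds would be raised or lowered against the site's observed baseline.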
Institutional Recognition
Higher education institutions must recognize that information technology is engrained in ALL academic and administrative activities, and that poor system, network, and data security WILL have a direct and costly impact on the mission.
It must be about “Institutional Risk”, not about technology…
• Reputation of higher education
• Reputation of specific institutions
• Harm to individuals
• Loss of intellectual property
• Premature disclosure of research results
• Potential violation of government statutes
• Waste of publicly-funded resources
• Contribution to vulnerability of national IT infrastructure
Institutional Attention
IT Leadership must help executive colleagues:
• Understand that information assets are as critical as capital and human resources
• Understand the risks to the institution
• Place visible and vocal priority on systems and data protection
• Ensure that IT security is included in calculation of costs of activities
• Ensure that technicians are trained, capable, and have the time to secure systems
Inetd
Rpc.statd
Apache “chunking”
Uuencode
Telnet
Sendmail
IIS
CIO
Presidents, Provosts, Deans, Trustees, Regents, etc.
Critical Local Activities
• Recognition of authority by governing board(s)
• Directive from President and/or Provost
• Subsequent directives from the IT leadership
• Formal partnership between IT leadership and office of risk management and internal/external audit
• Presentations by IT leadership to executive and other high-level administrators
• Engage distributed technical managers and technicians
• Develop FREE technician orientation and training program
• Develop Best Practices documents
• Develop network isolation strategy
Other Required Involvement
• Policy officers
• IT policy officers
• Counsel
• Risk managers
• Auditors
• Student affairs officers
• Human resources officers
New Supporting Activities
• EDUCAUSE/Internet2 Computer and Network Security Task Force
• Information Technology Critical Infrastructure in Higher Education: A Framework For Action
• Recognition by Federal government of critical educational sector
• National Strategy To Secure Cyberspace
• Research and Educational Networking Information Analysis and Sharing Center
• Higher Education Information Analysis and Sharing Center