Possible changes to Federal Grant Language & Computer Security
Bob Mahoney - MIT Network Security [email protected]
Common Solutions Group, January 2002
January 10, 2002 Grant Language Changes?
Background
• Possible changes to federal grant language to address concerns about the security of campus systems.
• February 2000 - large-scale DoS attacks on eBay, Yahoo, Amazon, etc. put university networks on the radar in a security context.
• Perception in some quarters that higher education sites are an evil swamp of “hacker bad guys”.
More Background
• Reports of university IT organizations complaining they cannot control security behavior of independent researchers.
• Characterized by authors as an “attempt to adjust the balance of power” in IT-researcher relationships.
“Safe Computing Environment”
• ‘Straw man’ proposal (initiated by SANS Institute’s Alan Paller) sent to the unisog and SANS NewsBites lists in October 2001.
• Proposed as an amendment to Circular A-110, modeled on the ‘drug-free workplace’ requirements.
• Initial proposal was fairly insane, at least in terms of the specific actions required (specific patch-application deadlines, etc.).
• Most recent draft shows improvement.
Some high points:
• Grantees are required to certify that they will provide a “safe computing environment”.
• SCE refers to both initial configuration and ongoing maintenance of covered systems.
• Changes to the SC environment must be reported.
• Requires statements of appropriate use to be given to all employees.
• Requires prompt notification of “significant events”.
• Specifies actions to be taken for security events.
Quick Questions
• Is this real?
• Who is behind this?
• Where’s this going?
• Is legislation coming?
If you hear MIT referenced…
Some proponents have referred to MIT as displaying “best practices” in controlling security problems. This apparently refers to our response to discovered vulnerable/compromised hosts:
• Vulnerable hosts are warned/advised on next steps, then given a response deadline. (EXCEPT for Windows/IIS, which are treated as compromised.)
• Compromised hosts are disabled immediately, then advised on recovery steps.
Concerns
• More grant oversight imposes costs.
• Specific requirements troublesome given wide variety of systems and environments.
• General FUD.
Response?
• Do we believe campus networks are a significant problem? (do we need help?)
• If so, are there less-burdensome approaches to increasing security?
• Community standards?
• Educating legislators/regulators?