© CoSN/MNEP 2005 http://SecureDistrict.CoSN.org 1
Consortium for School Networking
A CoSN Leadership Initiative In Partnership with
Mass Networks Education Partnership (MNEP)
www.securedistrict.cosn.org
The Mission
Provide vendor-neutral tools to help policy makers and technology leaders work together for effective action to:
1) analyze their district’s level of Cyber Security preparedness and vulnerability;
2) prioritize and implement the steps needed to improve their security status;
3) prepare to ensure operational continuity when a problem slips through.
…in ways that help technology contribute to their school’s primary goal of teaching and learning
Cyber Security Sponsorship
Additional support from:
BellSouth Foundation, Enterasys, Microsoft, Sonic Wall, Sun Microsystems, and media partner CMP’s Technology & Learning magazine
In collaboration with the Northwest Regional Education Laboratory
Attack Sophistication vs. Intruder Knowledge
Source: www.cert.org
Why Worry?
[Diagram labels: Asset, Risk Factors, Potential Outcomes]
Risk Factors
• Accidental Actions by People: students, staff; outsiders; IT staff
• Deliberate Actions by People: students; staff; outsiders; anonymous
• System Problems: hardware defects; network limits; application defects; malware attacks
• Physical Plant, Environment: power outages; heat, humidity; telecomm, ISP outages; floods, fire, earthquakes; non-secure facilities
Potential Outcomes
• Disclosure or publication of sensitive information
• Interruption of service or access: email, Internet; administrative info; teaching tools, materials
• Modification or corruption of information systems
• Destruction or Loss: information; hardware; software
Safety vs. Security
• Safety: Individual behavior - Teaching someone to drive safely.
* Don’t give out personal information
* How to handle “inappropriate” material
• Security: An organizational responsibility - Making sure the car functions properly.
* Preventing virus penetrations
* Maintaining operational continuity during a crisis
Website: Home Page
The Planning Protocol
Phase 1: Set Security Goals
Outcome: Security Project Description
goals, processes, resources, decision-making standards
Phase 2: Risk Analysis
Outcome: Prioritized Risk Assessment
A ranked list of vulnerabilities to guide Risk Reduction efforts
Phase 3: Risk Reduction
Outcome: Implemented Security Plan
Risk Analysis and Risk Reduction Processes must be regularly repeated to ensure effectiveness
Phase 4: Crisis Management
Outcome: Crisis Management Plan
A blueprint for organizational continuity
Some of the Tools
• Ten Questions Superintendents Most Often Ask
• Eight Questions A Superintendent Should Ask the Chief Technology Officer
• Cyber Security: An Introductory Slide Show
• Self-Assessment Checklist
• Cyber Security Planning Grid
• Security Planning Template
• Cautionary Tales
• Case Studies
• Newsletter
Plus: Workshops, Webinars, and Articles
Eight Questions A Superintendent Should Ask The Chief Technology Officer
Question 1: How are we doing so far?
Incidents. Over the past year:
• Was confidential data compromised?
• Was data lost or corrupted?
• Was equipment stolen or misused?
• Was email or Internet service interrupted?
• Did virus or spam attacks cause shutdowns?
Causes. Were problems caused by:
• Inadequate technical safeguards?
• Insufficient staff training?
• Unauthorized access to or use of systems by insiders?
• Intrusion by outsiders?
Impact. Did security problems result in:
• Loss of efficiency, productivity, or other costs?
• Failure to meet district educational objectives?
• Damage to reputation?
• Harm to students or staff?
Eight Questions A Superintendent Should Ask The Chief Technology Officer
1. How are we doing so far?
2. Do we have a security plan?
3. Do we have adequate security and privacy policies in place?
4. Are our network security procedures and tools up to date?
5. Is our network perimeter secured against intrusion?
6. Is our network physically secure?
7. Have we made users part of the solution?
8. Are we prepared to survive a security crisis?
District Security Checklist
Five topic areas to get a handle on where the district is now
Topic Area
1. Management
2. Technology
3. IT Operations
4. Physical and Environmental Security
5. Users
District Security Checklist
Topic Area (with Points)
1. Management
2. Technology
3. IT Operations
4. Physical and Environmental Security
5. Users
Topic Area 1. Management (question, followed by its points)
• Do you have a Security Plan, less than 12 months old, in place? 10
• Have you performed a Security Audit in the past 12 months? 5
• Is security planned and managed by a Security Leadership Team? 6
• Do you have an updated Crisis Management plan in place? 10
• Do you have detailed District Security Policies in place? 4
District Security Checklist
Risk Reduction
The Security Grid
• Organized in Rubric format
• You know where you are
• You know what are the priority issues
• You know what are the next steps
Security Planning Grid
• Provides benchmarks for assessing key security preparedness factors
• Uses the same topic areas for consistency
• Helps prioritize security improvement action steps
Levels for each Security Area: Basic, Developing, Adequate, Advanced
Management (Leadership):
  Basic: Little participation in IT security
  Developing: Aware but little support provided
  Adequate: Supports and funds security
  Advanced: Aligns security with organizational mission
Technology (Network design and IT operations):
  Basic: broadly vulnerable
  Developing: security roll out is incomplete
  Adequate: mostly secure
  Advanced: seamless security
Environmental & Physical (Infrastructure):
  Basic: not secure
  Developing: partially secure
  Adequate: mostly secure
  Advanced: secure
End Users (Stakeholders):
  Basic: unaware of role in security
  Developing: Limited awareness and training
  Adequate: Improved awareness, mostly trained
  Advanced: Proactive participants in security
Security Planning Grid
Management
Levels: Basic, Developing, Adequate, Advanced
District Leadership
Oversight: goals
  Basic: No articulated security goals.
  Developing: Security goals sketched out.
  Adequate: Security goals stated clearly.
  Advanced: Security goals stated clearly.
Oversight: legal compliance
  Basic: Awareness of legal issues: basic. Extent of compliance: unknown
  Developing: Awareness: growing. Compliance: OK at network level
  Adequate: Awareness: desktop to internet. Compliance: not fully auditable
  Advanced: Awareness: desktop to internet. Compliance: fully auditable
Oversight: policy
  Basic: No policy specifically targets technology use.
  Developing: Policy in early stages, addresses legal issues.
  Adequate: Policy ties technology use to mission.
  Advanced: Policy meshes seamlessly with district mission.
Support: budget & staffing, communication
  Basic: No support specifically for security
  Developing: “Security” is not a budget line item
  Adequate: Commitment to TCO-based budgeting and HR needs. Appropriate communication.
  Advanced: Strong support restrained by performance indicators. Effective communication.
Security Management
Security Team: Charter
  Basic: No formal Security Team
  Developing: Team lacks formal authorization.
  Adequate: School Board approves Team purpose
  Advanced: School Board reviews Team accomplishments
Security Team: Members
  Informal Team; Stakeholder groups represented; Strong leadership representation
Security Planning
Security Plan
  Basic: No security plan.
  Developing: Basic security plan.
  Adequate: Security plan linked to goals & audit.
  Advanced: Security plan linked to goals & audit.
Security Audit
  Basic: No security audit.
  Developing: Internal security audit done.
  Adequate: External security audit done.
  Advanced: External security audit done.
Crisis Management Plan
  Basic: No Crisis Mgt Plan specifically for IT.
  Developing: Basic IT Crisis Mgt Plan.
  Adequate: Updated IT Crisis Mgt Plan.
  Advanced: IT Crisis Mgt Plan fully tested.
Security Implementation
IT Staffing Levels
  Basic: staff - computer ratio 1:>750
  Developing: staff - computer ratio 1:750
  Adequate: staff - computer ratio 1:500
  Advanced: staff - computer ratio 1:250
Staff competency
  Basic: Generalists lacking expertise
  Developing: Generalists; few network specialists
  Adequate: Differentiated expertise
  Advanced: Differentiated expertise, cross-trained
Security Staff
  Basic: No one paying attention to security
  Developing: CTO or other management staff also deals with security
  Adequate: A staff person focuses on security
  Advanced: A Chief Security Officer exists
Phase Three: Risk Reduction
Security Planning Grid
Management
Levels: Basic, Developing, Adequate, Advanced
District Leadership
Oversight: goals
  Basic: No articulated security goals.
  Developing: Security goals sketched out but little substance.
  Adequate: Security goals stated clearly.
  Advanced: Security goals stated clearly.
Oversight: legal compliance
  Basic: Awareness of legal issues: basic. Extent of compliance: unknown
  Developing: Awareness: growing. Compliance: OK at network level
  Adequate: Awareness: desktop to internet. Compliance: not fully auditable
  Advanced: Awareness: desktop to internet. Compliance: fully auditable
Oversight: policy
  Basic: No policy specifically targets technology use.
  Developing: Policy in early stages, addresses legal issues.
  Adequate: Policy ties technology use to mission.
  Advanced: Policy meshes seamlessly with district mission.
Support: budget & staffing, communication
  Basic: No support or communication specifically for security.
  Developing: Support is inconsistent. No budget line item for “Security”
  Adequate: Commitment to TCO-based budgeting and HR needs. Appropriate communication.
  Advanced: Strong support restrained by performance indicators. Effective communication.
Phase Three: Risk Reduction
Security Planning Grid
Management
Levels: Basic, Developing, Adequate, Advanced
Security Planning
Security Plan
  Basic: No security plan.
  Developing: Basic security plan.
  Adequate: Security plan linked to goals & audit.
  Advanced: Security plan linked to goals & audit.
Security Audit
  Basic: No security audit.
  Developing: Internal security audit done.
  Adequate: External security audit done.
  Advanced: External security audit done.
Crisis Management Plan
  Basic: No Crisis Mgt Plan specifically for IT.
  Developing: Basic IT Crisis Mgt Plan.
  Adequate: Updated IT Crisis Mgt Plan.
  Advanced: IT Crisis Mgt Plan fully tested.
Phase Three: Risk Reduction
Security Planning Grid
Technology
Levels: Basic, Developing, Adequate, Advanced
Architecture
Architecture: overview
  Basic: Architecture at basic stage
  Developing: Architecture lacks capacity for growth
  Adequate: Appropriate Architecture
  Advanced: Appropriate Architecture with room to grow.
Perimeter Defense
DMZ, Firewall, Virus Protection, Content and Spam Filters, VPN, Wireless Access
  Basic: No DMZ. No Virus protection, content filtering at minimal levels
  Developing: Basic DMZ. Firewall functions separated from servers; patch mgt remains manual.
  Adequate: Full DMZ. All email, web services protected. Automated patch management.
  Advanced: Full DMZ. All protection services are automated; network monitored in real time.
WAN Design
Plan: Authorization, Authentication. Implementation: Standardization, Centralized Mgt
  Basic: WAN incomplete; no redundancy or standardization
  Developing: WAN almost complete; building LANs not standardized. Redundancy only on most critical network components
  Adequate: WAN complete; properly segmented. Most building LANs standardized. Centralized mgt is incomplete
  Advanced: Centralized WAN management. Redundancy for network components
Internet
Bandwidth, Internet Access
  Basic: Minimal: may match current needs
  Developing: Inadequate for accelerating demands
  Adequate: Bottlenecks occur during peak demand
  Advanced: Capacity for future demands
Phase Three: Risk Reduction
Security Planning Grid
Levels: Basic, Developing, Adequate, Advanced
End user computers
Installation, repair; Patch Mgt, Updates; Software Licensing; Password Mgt; User Support
  Basic: End user computer security not enforceable or verifiable. Manual patching: inconsistent updates. Lack of user support severely limits productivity
  Developing: End user computer security improved but not enforceable. Patching is manual but consistent. User support frequently delayed
  Adequate: End user computer security enforceable or verifiable. Automated patching and updates in most buildings. User support meets minimal requirements
  Advanced: End user computer security is effective throughout district. Fully automated updates or thin-client setup. Multi-tier user support results in significantly improved outcomes.
IT Operations
LAN Mgt
  Basic: 'Fire-fighting' mode
  Developing: 'Growing pains'
  Adequate: 'Reliable technology'
  Advanced: 'Growth-oriented'
Backups; Network Monitoring; Documentation; External Vendors
  Basic: Backups not secure. Few standards or policies. Systems occasionally down. No preventive maintenance. External vendors: not documented
  Developing: Some standards, few policies. Systems usually reliable. Monitoring & maintenance on critical devices. External vendors: not verified
  Adequate: Standards & policies in place. Systems rarely down. Routine maintenance but documentation still skimpy. External vendors: not audited
  Advanced: Clear policies. Effective, flexible standardization. Systems: highly reliable. Efficient maintenance. Appropriate documentation. All vendors: fully audited
http://SecureDistrict.CoSN.org
NEW -- CoSN Leadership Initiative
Accessible Technologies for All Students
www.accessibletech4all.org
Increased Achievement and Success for All Students through the Use of Accessible Technologies
Other CoSN Leadership Initiatives
• Taking Total Cost of Ownership (TCO) to the Classroom: www.classroomtco.cosn.org
• Safeguarding the Wired Schoolhouse: www.safewiredschools.cosn.org
• 3D: Vision to Know & Do: www.3d2know.cosn.org
CoSN’s mission is to advance the K-12 education community’s capacity to effectively use technology to improve learning through advocacy, policy and leadership development
www.cosn.org
The Cyber Security project is done in partnership with: Mass Networks Education Partnership
www.massnetworks.org email: [email protected]
http://securedistrict.cosn.org
Keith Krueger, [email protected]
www.cosn.org
1710 Rhode Island Avenue NW
Suite 900
Washington, DC 20036-3007