1
Effective Cybersecurity Practices for Higher Education
Educause Southeast Regional Conference
Seminar 1A
June 6, 2005
Mary Dunker
Virginia Tech
Tammy Clark
Georgia State University
2
Seminar Agenda
EDUCAUSE/Internet2 Security Task Force initiativesThe Effective Security Practices Guide (ESPG)Questions and BreakSecuring Unmanaged ComputersQuestions and Feedback
3
Overview of Effective Security Practices
Educause/Internet2 Security Task Force background, working groups, initiatives
Tools, including Information Security Governance Assessment (ISG)
Effective Security Practices Guide
Risk assessment methodology from Virginia Tech
4
Strategic Goals
The Security Task Force received a grant from National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:Education and AwarenessStandards, Policies, and ProceduresSecurity Architecture and ToolsOrganization, Information Sharing, and Incident Response
5
Security Task Force Groups
Awareness & Training Working Group
Effective Practices & Solutions Working Group
Policies & Legal Issues Working Group
Risk Assessment Working Group
High Performance & Advanced Networking Working Group (SALSA)
Security Conference Program Committee
6
National Cyber Security Awareness Month
The Security Task Force and the Higher Ed IT Alliance has endorsed October as National Cyber Security Awareness Month.The National Cyber Security Alliance is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations that aims to educate Americans about the need for computer security and encourage all computer users to protect their home and small business systems.See www.StaySafeOnline.info
7
Annual Security Conference
EDUCAUSE/Internet2Security Professionals Conference
April 10-12, 2006Denver Marriott City Center HotelDenver, Colorado
Typical Program Content/Tracks Baseline & Advanced Technology Solutions Security Management and Operations Policy and Law
For more info, see www.educause.edu/conference/security
8
Information Security Governance Assessment Tool
The Information Security Governance (ISG) Assessment Tool is intended to help colleges and universities determine the degree to which they have implemented an ISG Framework at the strategic level within their institution. This tool is not intended to provide a complete and detailed list of information security policies or practices one must follow. Rather, it is intended to help institutional leadership identify general areas of concern as they relate to the ISG Framework. Sections within the Tool: Organizational Reliance on IT Risk Management People Processes Technology
http://www.educause.edu/ir/library/pdf/SEC0421.pdf
9
ISG: Reliance on IT
10
ISG: Risk Management
11
ISG: Final Score
12
Configuration Benchmarks
As a free service to EDUCAUSE Institutional Members, EDUCAUSE has entered into a cooperative agreement with the Center for Internet Security (CIS) to provide each EDUCAUSE Institutional Member with a license to redistribute CIS Benchmarks and Software Tools on college and university owned systems.The relationship entitles Institutional Members to redistribute CIS benchmarks and Software Tools to students, faculty and employees for use on computers owned by the students, faculty and employees. The CIS Benchmarks and Software Tools are resources for Institutional Members to assess and measurably improve the security configuration status of its IT systems and networks.
13
Implications of CIS Partnership
Encourage the adoption and deployment of widely-accepted, consensus technical control standards (benchmarks) for system security configuration in colleges and universities.
Establish technical control baselines that can be presented to software vendors and hardware suppliers as default security configurations for systems that colleges and universities purchase.
Expand participation in the CIS consensus development process by security specialists in EDUCAUSE member colleges and universities to ensure that college and university-unique needs are met.
http://www.cisecurity.org/
14
CIS Scoring Tool
15
Cyber Security Forumfor Higher Education
The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.
16
Vendor Engagement
Established Corporate Cyber Security Forum to create a dialogue with vendors on practices that have a significant impact on higher education security
Educause established the Corporate Cyber Security Forum to develop linkages with the vendor community. Members include - Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT
Task force visited Microsoft in September ‘03 to explain the needs of higher education and engaged Microsoft for support during the SP2 rollout for Windows XP.
17
Effective Security Practices Guide
Balancing the need for security with the higher education tradition of open and collaborative networking
http://www.educause.edu/security/guide
18
Why Not Identify Best Practices
Higher education is too diverse in mission and size for a single best practice to be universally effective.
Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone feels there is room for improvement in what they are doing!
Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.
19
ESPG Overview
Practical approaches to preventing, detecting, and responding to security problems
Community driven and serving University ISOs and supporting staff Codify experiences of experts
Examples of success Potential models to follow Provide for various types of institutions
Modular resource Flexibility in presentation & implementation
20
ESPG Design and Development
ESP database
Corematerials
Case studysubmission
process
Futurecontributions
Seed case studiesPast workshops,discussions &
community vetting
Categories & keyword searches
Structuredpresentation
Suitability, editing,notification & update
21
Core Subject Areas
PolicyEducation, Training and AwarenessRisk Analysis and ManagementSecurity Architecture DesignNetwork and Host Vulnerability AssessmentNetwork and Host Security ImplementationIntrusion and Virus DetectionIncident ResponseEncryption, Authentication & AuthorizationAddendum: university & vendor resources
22
Effective Practices: Contributors
Bethune-Cookman Brown Cornell CSUSB GA Tech GWU Indiana University MSCD Notre Dame NC A&T
Penn State U Alabama Purdue UC Berkeley UCONN U Maryland, BC U Washington U Wisc, Madison Virginia Tech Yale University
23
ESPG Highlights
Evolution of Security Practices
24
Evolution of Security Practices
It is not always possible to jump to the most effective practices Can’t scan for policy violations without policies Can’t develop policies without mature security standards
Some practices require significant human resources Intrusion detection Incident response
Some practices become more effective over time Technical support becomes more effective with supporting
tools, security policies and architecture
25
Online Demonstrationhttp://www.educause.edu/security/guide
26
Risk Analysis
The most effective security practice given limited resourcesTypes of Risk•Strategic Risk•Financial Risk
•Legal Risk
•Operational Risk
•Reputation Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
27
Ideal Risk Analysis & Management
Knowledge of all relevant regulationsTraining and awareness of staffDeveloping plans to audit individual units for complianceDeveloping and implementing a code of conduct for the organizationEstablishing control mechanisms to ensure compliance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
28
Risk Analysis Overview
Risk = Threats x Vulnerability x Impact Need to weigh & prioritize risks to develop
strategyThreats Intruders, insiders, accidents, natural disasters
Vulnerabilities Weaknesses in design, implementation, or
operationImpact Level of harm to the institution
29
Practical Risk Analysis in Higher Education
• Preliminary Risk Analysis (year 1)● Gathering allies, data and support
• Risk Analysis of Critical Processes (year 2)
● Concentrating on high risk areas
• Institution-wide Risk Analysis (year 3+)● Broadening view to include the whole
institution
30
Virginia Tech STAR Risk Process
STAR - Security Targeting and Analysis of RisksDeveloped in-house several years agoPrioritized assets, risks, and controls Very detailed voting structure
Used color codes for complianceHad a control compliance matrixTemplates provided to reduce resistance
TODAY – same concept but we have simplified the process
31
Risk Analysis Process at Virginia Tech
Information Technology process IT Security Officer leads effort Annual process with detailed listings Lots of involvement with teams Evolved into individual risk analysis reports for other
departments
University departments Every 3 years / update major changes Annual reviews on progress All reports submitted to the IT Security Office
32
Keys to Success in the Risk Analysis Process
Secure senior management support
Select a strong risk analysis team
Provide risk analysis templates
Provide instruction and assistance
Specify a timetable for completion
Have a collection point for all reports
Take the risk analysis process seriously
33
Senior Management Support
Important to secure executive support
Executive should issue directive to all department heads
Directive should specify a time for final reports
Accountability for completing risk analyses
Executive will identify IT Security Office as providing leadership for effort
34
Assets Are More Than Machines
We are now linking Asset identification to the management org chart
Assets can be: Physical systems Groups of systems that support a service Business process that requires a group of systems Business process that depends on other business processes Data People
35
Asset Classification
Business Process A
Business Process B Business Process C
Oracle DB Forms Servers Auth Servers
Host A Host B Host C Host D Host E Host F
36
37
38
39
Asset Ranking
40
IT Common Risks
Twelve (12) common risks identified by VT IT:• System administration Training• Desktop Access Control• Operational Policies• Key Person Dependency• Bad Passwords• Data Disclosure• Internal Physical Security• External Physical Security• Cleartext• Spoofing/Forgery• Natural Disaster• Construction Mistakes
41
Sample Risk Ranking
42
Reference Risks to Critical Assets
Review list of critical assetsSimply determine which risks apply to which critical assetsCan get into more detail and map risks to critical assets by voting techniqueHelps determine what may need to be addressed first
43
Map Risks to Assets
44
Recommendations and Solutions
May be difficult to do at the time of report
Others need to be involved in the details Management, technical personnel, etc.
More detailed report may be needed Description of solution Impact statement A cost/benefit analysis Proposed dates
45
Recommendations
The risk(s) for an asset will be addressed within a specific timeframe and a brief explanation should be includedControls to address a risk (or risks) will not be implemented because of information obtained during analysis (new software, new location, etc.)Controls will not be implemented based on factors (time, budget, etc.) in the dept. or operating unitThere may not be a known solution at this time, or you don’t feel the risk is a real danger
46
Using STAR
Visit the Effective Security Practices Guide
Select the link to “Risk Analysis of Critical Areas and Processes”The STAR link will take you to http://www.security.vt.edu/playitsafe/riskanalysis/
All forms used by Virginia Tech are online
47
Additional Security Resources
EDUCAUSE/Internet2 Computer & Network Security Task Forcehttp://www.educause.edu/securitySecurity Discussion Grouphttp://www.educause.edu/cgEffective Security Practices Guidehttp://www.educause.edu/security/guideInternet2 Security Initiativeshttp://security.internet2.eduResearch and Education Networking Information Sharing and Analysis Center (REN-ISAC)http://www.ren-isac.netOperationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
http://www.cert.org/octave