
Defining Risk and Fixing the Top 20: Security 101 for a small school
John Bruggeman - EDUCAUSE 2003 Conference, November 7th, 2003




2 Copyright 2003 John Bruggeman
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 John Bruggeman
- Hebrew Union College – Jewish Institute of Religion, Seminary and Graduate School
  – National Director of Information Systems (97 – Present)
- GSEC Certified February 2003
- 4 Locations – Cincinnati, Jerusalem, Los Angeles, New York
  – 500 Students, 350 Rabbinic, 150 Graduate
- Small Staff
  – 1 support staff in Cincinnati, New York
  – Part Time Contractor in LA and Jerusalem

4 Agenda
- What is at risk?
- Who can do what?
- What are the Top 20 issues?

5 Overview
- Risk – Data CIA
  – Data Confidentiality
  – Data Integrity
  – Data Availability
- The Top 20 vulnerabilities
  – http://www.sans.org/top20
- Security Policy
  – You can’t enforce what you haven’t defined

6 Types of Risk
- Data Confidentiality
  – Keep private information private
- Data Integrity
  – Making sure your data is correct
- Data Availability
  – Hardware failure, fire, flood

7 Types of Risk cont.
- Legal liability
  – What legal issues exist? HIPAA, FERPA (monitoring conversations)
  – http://www.clm.com/pubs/pub _2.html (grade manipulation)
- Professional credibility
  – What would be the impact of a security breach?

8 Risk Assessment
- Risk = Threat x Vulnerability
- Would someone have to be on campus to attack?
- What could they do on campus vs. off campus (Internet)?
- Why would they target my institution and what would they want?
- Vulnerabilities are the gateways by which threats are manifested

9 Risk Assessment
- Who
  – Allow access, restrict access
- What
  – Grade information, passwords, payroll info
- When
  – Forever or just for a few months

10 Risk Assessment cont.
- Where
  – A network server, a PC in an office, or a Zip drive?
- Why
  – FERPA, legal liability, reputation
- How
  – 3DES, AES, VPN; will vary by value of the data and where the data resides

11 Risk Assessment cont.
- Who
  – Not just one department’s job or one manager
  – Ongoing, organic process
  – Identification, Authentication, Authorization
  – Define who has access and who doesn’t: roles, not people
  – Who has access helps define where data is stored
  – Data shouldn’t be in more than one place
  – Can define who might want to hack

12 Risk Assessment cont.
- What do you need to protect?
  – Departmental review: Registrar, Alumni, Development
  – Student, Alumni data (FERPA)
  – Grades, personal information
- Financial data
  – Institution, student, donor
- Health information (HIPAA)
  – Employees, Students
- Information Technology (system data)
  – Root password, admin password

13 Risk Assessment cont.
- When
  – How long do you need to keep the data secure?
  – Create a disposal date: http://www.uiuc.edu/cgi-bin/print_hit_bold.pl/admin_manual/code/rule_67.html
- Secure Archives
  – Encrypted tape backups
  – Outsource off-site storage providers

14 Risk Assessment cont.
- Where
  – On a file server – with server file permissions
  – On a workstation – no access controls or logging
  – On a Zip drive or memory stick? – No control, no logging, portable and reproducible
  – On a laptop or PDA? Encrypted? Backed up? Auditing turned on?

15 Risk Assessment cont.
- Why
  – FERPA: Student data
  – HIPAA: Health records
  – User trust: passwords, , policy issues
  – Legal liability

16 Risk Assessment cont.
- How
  – File access controls (Novell, MS, Apple)
  – Encryption
  – Physical isolation
  – Limit access to office or system
  – Remote access: VPN, Dial Up access
  – Cost is determined by the value of the data

17 Risk Assessment cont.
- Availability
  – Would you know if data was changed? Intentionally or accidentally: student grade changes, address changes
  – What if you couldn’t access your data? (BCP – Business Continuity Planning) For an hour, a day, a week? What would be the impact?

18 Other types of Risk
- Other risks to your Institution
  – Natural Disasters
    Fire – California fire of 2003
    Flood – Chicago city flood, April 13th, 1992
    Power Outage – East Coast, August 14th, 2003

19 Other types of Risk cont.
- Personnel changes
  – Key personnel leave: President, network administrator
- Legal charges
  – Providing data for lawsuits: What could you provide if you had to? What would you want to be able to provide?

20 Resources for Risk Assessment
- Carnegie Mellon OCTAVE approach
  – OCTAVE = Operationally Critical Threat, Asset, and Vulnerability Evaluation
  – http://www.cert.org/octave/
  – Self-guided tool for risk assessment
  – Asset-based risk assessment
  – Tool for both large and small institutions
  – Free, though you can purchase consulting

21 Resources for Risk Assessment
- COBRA method
  – C & A Systems Security Ltd.
  – Self Assessment tool
  – Follows ISO guidelines
  – Costs $895 - $1995

22 Resources for Risk Assessment
- FRAP Method
  – Facilitated Risk Assessment Process
  – Thomas Peltier
  – Book form or training class
  – $595-$695 for class
  – Approximately $70 for his book

23 Resources for Risk Assessment
- SANS Reading Room
- Overview of Risk
  – Quantitative: cost per incident and expected frequency; Asset Value * Exposure Factor * Frequency
  – Qualitative: rates the impact of the asset; File Server vs. Personal PC
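As an added worked example (not from the slides, and not any vendor's tool), the quantitative and qualitative approaches on this slide applied to a small constructed asset register drawn from the earlier "What" and "Where" slides. The dollar values, exposure factors, frequencies and the 1–5 impact/likelihood scale are all assumptions made for the example; the quantitative formula is the slide's own Asset Value * Exposure Factor * Frequency. It also shows that the two methods can rank the same assets differently, which is why the deck pairs them rather than picking one.

```python
"""Quantitative vs. qualitative risk rating over a constructed asset register.

Added example: values below are invented for illustration, not measured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # Asset Value in dollars (constructed)
    exposure_factor: float   # fraction of value lost per incident, 0.0 to 1.0
    annual_frequency: float  # expected incidents per year (constructed)
    impact: int              # qualitative impact, 1 (low) to 5 (high)
    likelihood: int          # qualitative likelihood, 1 (low) to 5 (high)

    def __post_init__(self) -> None:
        # Reject inputs outside the scales the example assumes, so a typo
        # (e.g. exposure factor of 25 instead of 0.25) cannot skew the ranking.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.value < 0 or self.annual_frequency < 0:
            raise ValueError(f"{self.name}: value and frequency must be >= 0")
        for label, score in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: {label} must be 1..5")


def single_loss_expectancy(asset: Asset) -> float:
    """Cost of one incident: Asset Value * Exposure Factor."""
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """Slide 23's quantitative figure: Asset Value * Exposure Factor * Frequency."""
    return single_loss_expectancy(asset) * asset.annual_frequency


def qualitative_score(asset: Asset) -> int:
    """Assumed qualitative rating: impact * likelihood on a 1..5 scale each."""
    return asset.impact * asset.likelihood


def rank_by_ale(assets: list[Asset]) -> list[Asset]:
    """Highest expected annual loss first."""
    return sorted(assets, key=annualized_loss_expectancy, reverse=True)


def rank_qualitatively(assets: list[Asset]) -> list[Asset]:
    """Highest impact*likelihood first."""
    return sorted(assets, key=qualitative_score, reverse=True)


def annual_savings_from_control(asset: Asset, new_frequency: float) -> float:
    """How much annual loss a control removes if it cuts incident frequency.

    The deck's rule that cost is determined by the value of the data: a control
    costing more per year than this figure is not justified by this asset alone.
    """
    if new_frequency < 0:
        raise ValueError("new frequency must be >= 0")
    reduced = Asset(asset.name, asset.value, asset.exposure_factor,
                    new_frequency, asset.impact, asset.likelihood)
    return annualized_loss_expectancy(asset) - annualized_loss_expectancy(reduced)


# Constructed register: three places the deck says student and payroll data end up.
REGISTER = [
    Asset("Grades on file server", 200_000, 0.25, 0.1, 5, 2),
    Asset("Payroll on office workstation", 150_000, 0.50, 0.5, 4, 4),
    Asset("Alumni list on Zip drive", 50_000, 1.00, 1.0, 3, 5),
]


if __name__ == "__main__":
    print("Quantitative (ALE, highest first):")
    for a in rank_by_ale(REGISTER):
        print(f"  {a.name:32s} ${annualized_loss_expectancy(a):>10,.0f}/yr")
    print("Qualitative (impact x likelihood, highest first):")
    for a in rank_qualitatively(REGISTER):
        print(f"  {a.name:32s} {qualitative_score(a):>3d}")
    zip_drive = REGISTER[2]
    print(f"Moving the Zip drive data to the file server (freq 1.0 -> 0.1) "
          f"is worth up to ${annual_savings_from_control(zip_drive, 0.1):,.0f}/yr")
```

With these invented numbers the quantitative ranking puts the Zip drive first (it is lost or copied about once a year and exposes everything on it), while the qualitative ranking puts the payroll workstation first; the two views disagree on the top item, so a register that records both catches what either one alone would under-weight.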

24 The FBI / SANS Top 20!
- Common security vulnerabilities in Windows, Unix and Macintosh
- Very well known; scripts exist to exploit each vulnerability
- All vulnerabilities can be remediated by fully patching the OS

25 Windows Top 10
1. IIS 4.0 and 5.0 fully patched
2. Microsoft Data Access Components (MDAC)
3. Microsoft SQL Server
4. NetBIOS – Unprotected Shares
5. Anonymous Logons
6. LAN Manager Authentication
7. Windows Authentication
8. Internet Explorer
9. Remote Registry Access
10. Windows Script Hosting

26 Macintosh Top 10
1. Web servers with Dynamic Content
2. Mac OS X and Internet Explorer Microsoft Word
4. AppleShare IP6 Pass Protocol
5. Macintosh Manager
6. OS X StuffIT Expander Security Update
8. Mac OS X client
9. Open SSH
10. Apache Web Server

27 Unix Top 10
1. Remote Procedure Calls
2. Apache Web Server (Nose job)
3. Secure Shell
4. SNMP (Simple Network Management Protocol)
5. FTP
6. Remote login services (RLOGIN)
7. Line Printer Daemon (LPD)
8. Sendmail
9. BIND/DNS
10. General Unix Authentication

28 Creating a Security Policy
- The policy flows from the risk assessment
  – It is organic; it will change over time
- It should inform users as well as educate
  – Give them the why and how
- What data needs to be secure and from whom
- Policy will have layers of defense

29 Summary
- Define your risks!
  – Answer the basic Who, What, When, Where, Why, How
- Fix the Top 20 (or 30?)!
- Create a Security Policy
  – Get buy-in from the top and involve all departments
- Feedback

30 Where to Get More Information
- Web resources
  – SANS (SysAdmin, Audit, Network, Security)
  – Computer Emergency Response Team
  – Internet Storm Center tracking site
  – Windows Network Security
  – Unix, Windows, Virus, IDS

31 Where to Get Information
- Lists
  – www.counterpane.com (Bruce Schneier) – Monthly digest of computer security issues
  – www.ntbugtraq.com – Windows NT security list
  – www.intrusions.org – Daily digests of port probes and good discussions
  – www.microsoft.com/security – Links to Microsoft’s security page

32 HIPAA Information
- HIPAA Security Policy Development: A Collaborative Approach
  – http://www.sans.org/rr/policy/HIPAA_policy.php
- Administrative simplification under HIPAA
  – http://www.hhs.gov/news/press/2002pres/hipaa.html
- Sample HIPAA compliance statement –

33 FERPA Information
- Protecting the Privacy of Student Records: Guidelines for Education Agencies
  – http://nces.ed.gov/pubs97/p97527/CONTENTS.HTM
- Guidelines for Compliance with the Family Educational Rights and Privacy Act
  – http://www.nyu.edu/apr/ferpa.htm
- School Sample
  – http://www.oberlin.edu/archive/records/retention/departments.html

