Presentation on theme: "Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College."— Presentation transcript:
Challenges and Incidents in Higher Ed
About->Presenter Zach Jansen Information Security Officer, Calvin College
Help->About Calvin ~4200 Students –~2500 living on campus ~350 Faculty –0 living on campus? ~700 staff Off campus programs in 8 countries
Diverse User Needs Academic Administrative Student / Residential Network
Academic Environment Academia –Traditionally an open access environment –Few restraints or restrictions –Infrastructure designed to provide access –Faculty, Staff, and Students expect to be able to do whatever they need with their computers
Academic Environment (2) Faculty, Staff, and Students used to being able to: –Install software –Change/customize settings –Use machines for personal use –Store personal data on personal machines with an expectation of privacy
Academic Environment - Machines Many unmanaged machines on network. Received through a grant or donation. Often run medical or scientific software. Frequently no updates available, or no money for updates. Personal machines frequently used.
Academic Environment - problems Restrict to least privilege? Support for custom web scripts? Provide a secure, but open, environment. Need to comply with increased regulation, yet still allow an educational environment. Large amounts of PII to protect
Administrative The business end of the college Responsible for personal, health, educational, and financial data From an IT perspective, managed very similarly to the academic part of the college. Causes problems: –Compliance –Securing data
Regulations FERPA – Family Educational Rights and Privacy Act Governs how colleges handle –Grades –Academic Performance –Directory Information A “no teeth” regulation What happens if you’re in violation?
HIPAA Health Services Student Health Information HIPAA specifically excludes protected health information in “education records” as subject to FERPA.
PCI, GLBA, etc. The list of regulations goes on. PCI will continue to become a bigger issue as credit card companies and acquiring banks push this. Some schools comply by not processing credit cards. GLBA is again partially complied with by complying with FERPA.
Breach Notification Laws There are a lot of these Pushing a substantial investment in Information Security. Nobody wants to be the next school in the news.
Data Security - SSN It’s 3 o’clock, do you know where your SSNs are? SSN used as primary identifier by many schools for many years. Many states have mandated that SSN not be used. Big problem for big schools.
Data Security – SSN (2) Tons of SSNs –Have to collect SSNs for loan processing with the Department of Education. Makes for expensive breach notification when they get stolen.
Students / Residential Network On campus housing for about 2500 students. Resnet needs to provide access to Calvin IT services Also needs to function as an ISP is the first year wireless used more than wired.
Students / Resnet (2) For general network health, there is a need to keep virus/malware activity to a minimum. Also need to protect academic and administrative areas from student PCs.
Responsible Freedom What do you get when you combine the newfound freedom of: Living away from home A brand new computer A super fast internet connection
P2P Issues Huge bandwidth consumption. BitTorrent and IDS sigs. DMCA takedown notices. RIAA/MPAA subpoenas. College Opportunity and Affordability Act –Force Higher Ed to offer legal alternative to P2P and implement network filtering.
Solutions Academic Administrative Students / Residential Network
Policy Needs to protect privacy of professors and students. Specific category in AUP for personal data. IT must have permission of data owner or 2 VPs to view private data. Professors' data, class/student notes, and research are considered private.
Administrative – SSNs Calvin hasn’t used it as primary identifier for over 18 years. –I still find them used occasionally. Some schools use scanners like Spider to find sensitive data. –High false positives, e.g. Japanese telephone numbers. Few staff with access to SSNs. Data purge plans.
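Why pattern-based scanners over-report, as an added example that is not part of the original presentation and is not Spider's code: a bare 3-2-4 digit rule fires inside a Japanese landline number written 0XXX-XX-XXXX, while a boundary check plus the SSA's structural rules (no area 000, 666 or 9xx, no group 00, no serial 0000) removes those hits. The function names and the sample text are constructed for illustration.

```python
import re

# Naive rule: any 3-2-4 digit group, regardless of what surrounds it.
NAIVE = re.compile(r"\d{3}-\d{2}-\d{4}")
# Stricter rule: the candidate may not be part of a longer digit/hyphen run.
STRICT = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def structurally_valid(area, group, serial):
    """The SSA does not issue area 000, 666 or 9xx, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def naive_hits(text):
    """Return (line number, match) for every raw 3-2-4 pattern."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in NAIVE.finditer(line)]


def strict_hits(text):
    """Return (line number, match) only for boundary-checked, valid candidates."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in STRICT.finditer(line)
            if structurally_valid(*m.groups())]


# Constructed sample data, not real records.
SAMPLE = """\
Loan file: applicant SSN 123-45-6789 on record
Host family contact (Japan): 0460-82-1234
Part number 900-12-3456 reorder
Test form placeholder 219-00-4321
"""

if __name__ == "__main__":
    print("naive :", naive_hits(SAMPLE))
    print("strict:", strict_hits(SAMPLE))
```

Structural checks only cut obvious noise; a hit that survives them still needs a person to confirm it before it drives a purge or a notification decision.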
Resnet Both wired and wireless options. Separate VLAN from the rest of campus –Some schools use completely separate networks. Use Bradford Campus Manager (NAC) to enforce use of AV, firewall, minimum patch level. –Exemptions for game consoles, Linux.
P2P Solutions Many schools use traffic shaping Packeteer Traffic shaping: –Worked well for a while –Can’t handle encrypted protocols –Bandwidth caps instead Ruckus Not responsible for traffic traversing the network. Safe Harbor
P2P Wrapup Most schools don’t block P2P usage –Has some legitimate uses –Pretty hard to block effectively –Don’t want to be held liable –Academic freedom. Many restrict its use –Bandwidth hog –Little to no educational value. Alternatives.
Administrative Support Support of upper management is crucial. Calvin is blessed with a VP that understands the need for good InfoSec.
Incidents “I can’t think of a more dirty and dangerous network than one on a college campus.” – Colleague at Georgetown
Web site hack Fall 2007 In the spirit of academia, a professor was given permission to write CGI scripts on the web server. CGI scripts were vulnerable. How did attacker get root? Bad news.