
1 Southwest Educause 2003 © Baylor University 2003
Adapting Enterprise Security to a University Environment
- Bob Hartland, Director of IT Servers and Network Services
- Jon Allen, Coordinator of IT Security
- Tommy Roberson, Manager of Servers and IT Security

2 Overview of Presentation
- Baylor University
- IT Security
- Security through technology/hardware
- Security through People
- Putting it all together

3 Baylor University
- 14,221 Students
- 1,750 Full Time Employees
- Waco, Texas

4 Information Technology Organizational Chart
- Dr. Robert Sloan, President
- Mr. David Brooks, CFO
- Dr. Reagan Ramsower, CIO & Dean of Libraries
- Bob Hartland, Director of IT Servers and Networking Services
- Data Networks
- Broadband Video
- Telephone Network
- IT Servers and Security
- Tommy Roberson
- Jon Allen

5 What is IT Security?
“…the concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use…” [McDaniel - IBM Dictionary of Computing 1994]
It is more beneficial to focus on good planning than it is to rely solely on fancy technology.

6 Risks of Poor Security
- Loss of university productivity
- Public Relations problems
- Private Information (SSN, CC numbers, grades, etc.)
- Degradation or loss of client services

7 Security – As Viewed by Industry
- Security is a priority (proactive)
- The ROI for security has become highly visible in the past 2-3 years.
- Compromise or downtime results in lost profits

8 Security – As Viewed in a University Environment
- Threat to Academic Freedom
- A hindrance to research and education productivity
- Contention for funding

9 Baylor’s Approach to IT Security
Our security strategy can be divided into two parts:
- Technology
- People

10 Security through Technology
- Firewalls
- Intrusion Detection Systems
- VPN (encryption technologies)
- Logs
- Server Configuration
- Vulnerability Scanning

11 Firewalls
- First line of network protection from outside world
- Must be strategically placed to be effective in universities
- One size does not fit all for firewall policies

12 Firewall Recommendations
- Multiple firewalls are necessary in a university environment
- Firewall policies should be written with port level filtering.

13 Intrusion Detection Systems
- Deployment must be highly targeted
- Networks and servers must be understood to limit false positives
- Not a substitute for good security practices

14 Virtual Private Networks
- Ideal for limiting access and securing data transmission
- Great for extending the university network to students and remote campuses

15 Logs
- Vital to identifying and resolving server and network problems
- Subtle or well planned attacks may only be seen through log evaluation
- Raises questions of academic freedom and big brother

16 Server Configuration
- Servers should only run daemons/services that are necessary
- Use mailing lists and OS update services to maintain server patches
- Limit the services on servers that contain critical data

17 Vulnerability Scanning
- Prioritize scans to focus on critical systems first.
- Be aware that false positives are common with scanning tools
- Scanning results can be used to point to weak points in networks and servers before they are abused

18 Security through People
- Policies
- Procedures
- Education

19 Policies-Creation
- Important to bring in other departments
- Anticipate problems
- Try to make policies broad enough to cover many issues

20 Policies-Modification
- Be flexible
- Policies are an ongoing work
- There will always be exceptions to policy

21 Policies-Enforcement
- Must have administrative backing for policies
- Helpful to explain this to various departments
- Must establish consistent method for dealing with student violations
- Document ALL enforcement actions taken

22 Procedures
- When done appropriately, procedures can be used to prevent many problems
- These are very time consuming…
- …but can eventually save time and headaches by preventing obvious security lapses.

23 Education
- End-User education
- Server admin education
- Support Staff education

24 End-User Education
- Most important thing is educating end-user on sound password practices.
- Users are more likely to follow policies and rules if they understand reasons for them
- Teach users to notice things that don’t seem right

25 Server Admin Education
- Teach importance of keeping systems up to date
- Encourage sound local account practices
- Try to bring other admins in other schools into the security community

26 IT Staff Education
- Support Staff are many times ignorant of sound security practices
- Many IT users in general never consider security when doing their jobs.
- We must also try to bring them into the security community

27 Security is everyone’s job!

28 On the Horizon
- Proactive and correlative IDS
- Stricter laws forcing security in universities
- Probable increase in security incidents

29 Summary
- Complete security solutions must address both technology and people
- Technology solutions are only as good as the policies they are enforcing
- Security strategies must depend upon and encourage cooperation from people in the organization

30 Contributors:
- Bob Hartland, Director for IT Servers and Network Services, Bob_Hartland@Baylor.edu
Speakers:
- Jon Allen, Coordinator of IT Security, Jon_Allen@Baylor.edu
- Tommy Roberson, Manager of Servers and IT Security, Tommy_Roberson@Baylor.edu

31 Copyright Bob Hartland, Tommy Roberson, and Jon Allen 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

