
IT Security in Higher Education Michael A. McRobbie PhD Vice President for Information Technology and Chief Information Officer Vice President for Research.


1 IT Security in Higher Education
Michael A. McRobbie PhD
Vice President for Information Technology and Chief Information Officer
Vice President for Research
Professor of Computer Science & Professor of Philosophy
Indiana University
Secure-IT 2003, Temecula, California

2 Cybersecurity
The threats to cybersecurity are real, whether at the level of the individual, department, university, or nation
These threats are seldom benign
The motivation for them can be theft (both of money and intellectual property), revenge, harassment, intimidation, character assassination, fraud, sabotage, crime and terrorism
They can result in major financial and other losses and damages
Universities are not immune to these threats – mostly unwittingly, they are among the most fertile grounds for cracker activities and attacks

3 Presentation Overview
Reliance on IT in Higher Education
Typical Technical and Data Management in Higher Education
Higher Education: Ripe for Security Incidents
Impact of Incidents
What Must We Do as a Community?
Indiana University’s Contribution
Summary

4 Reliance on IT in Higher Education

5 Higher Education in General
Higher education networks comprise an estimated 15% of the total advertised Internet address space
Institutions in this sector vary in size, mission, and locations, as well as in cultural and physical complexity
Communities range from 1000 to 200,000 people
Knowledge, deployment, and proper management of technologies vary dramatically
Knowledge and application of security techniques and technologies vary dramatically
Management understanding of (and means to allocate resources to) security vary dramatically
Higher education and research networks connect a large set of technology-rich, complex, and traditionally “open” environments, in which the application of security has generally not yet been accepted as a critical part of doing business

6 E-Research
Research is becoming almost totally digital
Data is being generated, collected, processed, analyzed, visualized and stored in digital form
Simulations and modeling are being carried out completely digitally
Historical and contemporary archives of research are all being converted into digital form as parts of digital libraries

7 Global Dimension of e-Research
E-research is becoming completely international – it knows no boundaries:
  becoming progressively more global, with network-enabled world-wide collaborative communities rapidly forming in a broad range of areas (Grids)
  based around a few expensive – sometimes unique – instruments or distributed complexes of sensors that produce vast amounts of data
  global communities carry out research based on this data using computation, storage and visualization facilities distributed world-wide (cyberinfrastructure)
  digital data of e-Science can be shared with collaborators not just on campus, but across cities, within states, nationally and internationally

8 Learning
Online Course Management Systems are common and relied on extensively for assignments, grading, group projects, etc.
Interactions among faculty and students are now mostly by email
Interactions between advisors and other support staff are also via email
Disabling a student’s computer access now has a dramatic impact on their academic progress, and is not done lightly (if at all)

9 Administration
Nearly all business processes now have large IT components (finance, HR, student services)
Manual backup processes are not being maintained – relying on automated processes
Email unavailability for even a couple of hours can stop business processes
Users (esp. students) expect services to be automated and available at all hours

10 Typical Technical and Data Management in Higher Education

11 Typical University IT Environments
Extremely “open” by tradition & culture
25,000 to 70,000 networked devices
Very high-speed, high-capacity networks with fast connections to the commercial Internet & regional, national, and international research networks (e.g. I-Light, Abilene, Geant)
Residence Halls and Greek Houses wired
Hardware and software deployed are significantly diverse
Usually first to implement new technologies, before they have matured
Physical system locations vary widely, from under a secretary's desk to professional data centers
Networked systems are being probed continually for vulnerabilities

12 Typical University IT Management
Usually no device registration requirements – we do not generally know who connects devices to our networks
In most instances no network-level user authentication requirements – we do not generally know who is using our network
In many instances, no service-level user authentication requirements – allowing anonymous use of some systems

13 Typical University IT Management (more)
Departments control local technology and have traditionally acted independently
Under-paid, under-trained, over-worked technicians
Nonexistent, organizationally buried, or understaffed technical security offices
Minimal IS/IT auditors on staff

14 Typical University Data Management
Thousands of people with authorization to access confidential information from central databases, or derive the data locally
Users can extract data to any networked device, to use local manipulation tools
No one knows on which of the thousands of networked devices sensitive data is hosted
Minimal training on data handling/protection
No central data management structure

15 Ripe for Security Incidents

16 Incidents Happen
Attacks on commercial web sites (ZDNet, CNN, etc.)
IU Office of the Bursar (2001)
IU School of Music (2001)
University of Michigan patient records
University of Washington patient records
Stolen passwords at Berkeley, UCLA, Harvard, Purdue, Notre Dame, Indiana State, Georgia Tech, Montana…
Attacks on root-name-servers amplified by several campuses
Kansas SEVIS Data
U Texas Austin student record compromise – 10,000s
Georgia Tech – 57,000 Credit Cards
Large “Mid-Western University” HR/Benefits Database
Many others not publicized (or admitted to)

17 Internet Probes
Probes are attempts by automated programs to locate Internet-connected computers with known vulnerabilities
We estimate that every networked device at IU is probed at least once daily
Probes can and do lead to compromise of devices that are not appropriately maintained/secured
“Honeypot” experiments show that certain vulnerabilities will be found and exploited in less than 24 hours
Of course, data stored on vulnerable devices is exposed and perhaps has already been compromised
When the 10th of 10 new PCs is installed, the first has been compromised – unless each is secured as it is installed
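The slide describes probes as automated programs sweeping address space for known-vulnerable services. Operationally, the first place they show up is in rejected-connection logs at the border, and the two signatures worth alerting on are a single source hitting one port across many hosts (a sweep) and a single source hitting many ports on one host (a scan). The following detector is an added example for this page, not IU's tooling or anything ANML published; the log format, addresses (documentation ranges) and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log lines from a campus border. The format,
# addresses and timestamps are invented for this example (documentation
# ranges 192.0.2/24, 198.51.100/24 and 203.0.113/24 only).
SAMPLE_LOG = """\
2003-06-12T03:14:01 DROP src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=135
2003-06-12T03:14:01 DROP src=198.51.100.7 dst=192.0.2.11 proto=tcp dport=135
2003-06-12T03:14:02 DROP src=198.51.100.7 dst=192.0.2.12 proto=tcp dport=135
2003-06-12T03:14:02 DROP src=198.51.100.7 dst=192.0.2.13 proto=tcp dport=135
2003-06-12T03:14:03 DROP src=198.51.100.7 dst=192.0.2.14 proto=tcp dport=135
2003-06-12T03:20:10 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=21
2003-06-12T03:20:10 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22
2003-06-12T03:20:11 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=23
2003-06-12T03:20:11 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=80
2003-06-12T03:20:12 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=443
2003-06-12T03:20:12 DROP src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=1433
2003-06-12T04:01:00 DROP src=192.0.2.200 dst=192.0.2.10 proto=tcp dport=22
this line is garbage and must be skipped
2003-06-12T04:05:00 ACCEPT src=192.0.2.201 dst=192.0.2.10 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def find_probers(events, host_threshold=4, port_threshold=5):
    """Flag sources that sweep one port across many hosts (horizontal probe)
    or hit many ports on one host (vertical probe). Returns {src: [reasons]}."""
    hosts_by_src_port = defaultdict(set)  # (src, dport) -> {dst hosts}
    ports_by_src_host = defaultdict(set)  # (src, dst) -> {dst ports}
    for e in events:
        if e["action"] != "DROP":
            continue  # only rejected attempts count as probes here
        hosts_by_src_port[(e["src"], e["dport"])].add(e["dst"])
        ports_by_src_host[(e["src"], e["dst"])].add(e["dport"])

    findings = {}
    for (src, dport), hosts in sorted(hosts_by_src_port.items()):
        if len(hosts) >= host_threshold:
            findings.setdefault(src, []).append(
                f"sweep of port {dport} across {len(hosts)} hosts")
    for (src, dst), ports in sorted(ports_by_src_host.items()):
        if len(ports) >= port_threshold:
            findings.setdefault(src, []).append(
                f"scan of {len(ports)} ports on {dst}")
    return findings


def distinct_probers_per_device(events):
    """Distinct sources that probed each internal device; run over a day's log
    this is the number behind 'every device is probed at least once daily'."""
    sources = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            sources[e["dst"]].add(e["src"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, reasons in find_probers(evs).items():
        print(src, "->", "; ".join(reasons))
    print(distinct_probers_per_device(evs))
```

Only DROP lines are counted, so a legitimate client that connects once to a permitted service never trips the thresholds; in practice the thresholds are tuned per campus and the output is fed to the person who decides whether to block the source at the border or isolate the device if the source turns out to be internal.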

18 Notable Malicious Code Incidents
Melissa, March 1999 – Word 97, Word 2000 – $300 million in damages – approximately 4 days, 150,000 systems
ILOVEYOU, May 2000 – Outlook – as much as $10 billion in damages – approximately 24 hours, > 500,000 systems
(“Brain” took 5 years to do $50 million in the early 90s)
SQL Slammer?
Estimated 50,000 viruses; 100,000 by 2004
Copyright 2000 by E. H. Spafford

19 Impact of Incidents

20
Interruption of essential functions
Unauthorized access to data, some Federally protected:
  FERPA (student)
  HIPAA (patient health)
  Gramm-Leach-Bliley (financial)
Compromise of passwords (on the systems or in transit)
Hosting illegal materials such as bootleg movies and music
Consumption of network and system resources

21 Impact of Incidents
Mangling of desired message (e.g., web defacement)
Inappropriate use of public resources
Installation of programs to support attacks on internal or external systems, e.g. DDoS zombies
Possible (though not yet tested) liability for loss of business if campus systems are used in attacks

22 Impact of Incidents
Compromise of research:
  Premature disclosure of theories and protocols
  Release of unverified results
  Release of data on subjects
  Causes questions as to integrity of results
Pressure to require uniform high-level IT security as a condition for Government grants, in a climate of increased concern about national security & cyberwarfare

23 What Must We Do as a Community?

24 Institutional Recognition Higher education leadership is beginning to understand that information technology is engrained in ALL academic and administrative activities, and that poor system, network, and data security WILL have a direct and costly impact on an institution’s mission.

25 Institutional Risks
Trustees, Presidents, and governing bodies must understand that lax security:
  Threatens the reputation of higher education
  Threatens the reputation of their specific institution
  Increases the risk and associated liability for disclosure of information protected by Federal law
  Increases the risk of law suits being filed by commercial entities affected by campuses
  Wastes publicly-funded resources
  Contributes to vulnerability of national IT infrastructure

26 Institutional Attention
Chancellors and Deans must:
  Understand that their information assets are as critical as capital and human resources
  Place visible and vocal priority on systems and data protection
  Ensure that technicians are trained, capable, and have the time to secure systems

27 Institutional Control
The Chief Information Officer is pivotal, and must:
  Participate in executive administration
  Be given a charge to assess the security climate and the authority to carry out repairs
  Exercise visible and active control
  Understand the strategic threats
  Understand the technical threats
  Translate threats into institutional risks – in language colleagues in administration can understand
  Establish requirements and set standards
  Make tough and perhaps unpopular decisions
  Commit to providing assistance to departments and technicians right across the university

28 Continue Community Dialogue
Many opportunities for technical security and policy staff to interact and learn from each other:
  EDUCAUSE, Internet2, SANS, FIRST
  EDUCAUSE Security Professionals Workshop (preceded this conference)
  EDUCAUSE/Internet2 Computer and Network Security Task Force
  NSF Workshops
  Framework for Improving Security in Higher Education

29 Re-Visit Actions Previously Discounted in Higher Education
Firewalls – now available to handle large campus connections
Intrusion Detection – becoming more accurate in recognizing security events
Centralization – systems supporting sensitive data or functions
Central Authority for policies and standards

30 Indiana University’s Activities in Cybersecurity

31 IU’s Goals in Cybersecurity
Goal 1: to ensure, as effectively as possible, the cybersecurity of the IT environment of all IU students, faculty and staff
Goal 2: to contribute to national security by providing leadership in improving the cybersecurity of the higher education sector

32 Indiana University’s Internal Focus

33 Cybersecurity at IU
Cybersecurity has been an institutional priority at IU for 6 years
This followed an incident in March 1997; OVPIT commissioned a two-part security audit:
  Penetration analysis
  Major review chaired by Gene Spafford
Spafford Review found IU cybersecurity in very poor shape – made extensive recommendations for improvements; these were all implemented
Led to the formation of:
  the IU IT Policy Office (ITPO), headed by University Chief IT Security and Policy Officer Mark Bruhn
  the IU IT Security Office (ITSO), headed by University IT Security Officer Tom Davis

34 IU’s IT Strategic Plan
Developed & approved in 1998 – implementation nearing completion
Recognized importance of security as a component of planning and IT infrastructure
Plan had a major recommendation & action items devoted to security and privacy
Funding provided for staffing, hardware, tools, etc.:
  Security operation, training, and staff
  Identification, authentication, and authorization
  Directory services
  Anti-virus, secure communications

35 Indiana University Organization
Chief Information Officer reports to the President:
  Has formal authority directly from Trustees
  Proactive – set security policies and enforce standards
  Reactive – assume control of responses to incidents
  Has full support of the President
  Reports on state of security annually to the Board of Trustees in executive session

36 Indiana University CIO Organization
The Policy Officer reports to the CIO: coordinates policy issues, consults on technology deployment and usage issues, handles incident response, is a diplomat and negotiator, and acts as the “enforcer” with the authority to defend the University from security and other technical threats, including blocking incoming traffic and isolating insecure devices from the network when necessary
The Security Officer reports to the Policy Officer and the CIO: must be very technically capable, assesses and advises the CIO on technical threats, provides consulting, coordinates technical security resources, and must not be viewed as “police”
The computing organization reports to the CIO: must keep its own house in excellent order; must be prepared to provide assistance to departments struggling with security – or prepared to replace services that departments can’t provide securely

37 Office of the Vice President for Information Technology – organization chart
Michael McRobbie, VP/CIO
University Information Technology Policy Office:
  Mark Bruhn, Chief IT Security and Policy Officer
  Merri Beth Lavagnino, Deputy IT Policy Officer
Information Technology Security Office:
  Tom Davis, IT Security Officer
Other positions shown on the chart: Admin Asst; Data Administrator; Info Mgt Officer; 1 Lead Data/Applications Analyst; 2 Senior Data/Applications Analysts; Computer Accounts Manager; 6 Accounts Administrators; Incident Response Coordinator; Technical Investigators; 2 Principal Security Engineers; 2 Lead Security Engineers; 2 Senior Security Analysts; Disaster Recovery Program Manager; Cross-Unit Recovery Planning Team; Global Directory Services Team

38 Authority for IU’s Cybersecurity
Was previously ill-defined
In response to a number of incidents in 2001, the IU Board of Trustees passed a resolution on May 4, 2001:
“the Trustees direct the Office of the Vice President for Information Technology and CIO to…
  develop and implement policies necessary to minimize the possibility of unauthorized access to IU’s IT infrastructure
  assume leadership, responsibility, and control of responses to unauthorized access to IU’s IT infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the IU office involved…”
www.itpo.iu.edu/Resolution.html
VPIT has delegated this authority to ITPO/ITSO on a day-to-day basis

39 Some Specific IU Activities
Directive from the CIO to Deans/Chancellors to eliminate unnecessary caches of Social Security Numbers
Presentations to executive administrators
Periodic presentations to technical managers and technicians
Developed a technician certification program
Developed Best Practices documents
Server profiling/evaluation
Working on implementation of a network isolation strategy – based on layered security
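A directive to eliminate unnecessary caches of Social Security Numbers only works if departments can find the caches first, and slide 14 already noted that nobody knows which of thousands of devices hold sensitive data. The scanner below is an added example for this page (not an IU tool): it looks for the NNN-NN-NNNN layout, discards values the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000) so placeholders and test data do not count, and reports only files with a cluster of hits, since one stray number is noise and many is a cache. The sample "files" and every number in them are constructed.

```python
import os
import re
from typing import Dict

# The look-arounds keep the pattern from matching inside longer digit runs
# or dates such as 2003-06-12.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000). This removes the most common placeholder false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a piece of text."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


def find_ssn_caches(files: Dict[str, str], min_hits: int = 3) -> Dict[str, int]:
    """Return {filename: hit count} for files holding at least min_hits
    plausible SSNs."""
    caches = {}
    for name, content in files.items():
        hits = count_ssns(content)
        if hits >= min_hits:
            caches[name] = hits
    return caches


def scan_directory(path: str, min_hits: int = 3) -> Dict[str, int]:
    """Same check over real text files under `path`; unreadable files are
    skipped so one permissions error does not abort a departmental sweep."""
    files = {}
    for root, _dirs, names in os.walk(path):
        for n in names:
            full = os.path.join(root, n)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[full] = fh.read()
            except OSError:
                continue
    return find_ssn_caches(files, min_hits)


# Constructed sample "files" standing in for a departmental share. All
# numbers are invented; none belongs to a real person.
SAMPLE_FILES = {
    "payroll_export.csv": (
        "last,first,ssn,dept\n"
        "Doe,Jane,123-45-6789,Music\n"
        "Roe,Rick,234-56-7890,Music\n"
        "Poe,Edna,345-67-8901,Bursar\n"
        "Loe,Lou,456-78-9012,Bursar\n"
    ),
    # placeholders: bad area, bad group, area >= 900, bad serial
    "placeholders.txt": "000-12-3456 123-00-4567 987-65-4321 123-45-0000",
    # phone numbers and a date share digits and dashes but not the layout
    "phone_list.txt": "Help desk 555-123-4567, fax 555-123-4568, dated 2003-06-12",
    "notes.txt": "One employee record copied here: 567-89-0123",
}


if __name__ == "__main__":
    print(find_ssn_caches(SAMPLE_FILES))
```

The threshold is the policy knob: `min_hits=1` surfaces every stray number for a thorough clean-up, while the default of 3 gives a department a short list of spreadsheets and exports to justify or delete first.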

40 Indiana University’s Outward Focus

41 Three Principal Initiatives
Advanced Network Management Laboratory (ANML)
Research & Education Networking Information Sharing and Analysis Center (REN-ISAC)
Center for Applied Cybersecurity Research (CACR)

42 The Advanced Network Management Lab (ANML)
Initial funding through the Lilly Endowment
Current funding includes Lilly, the US National Science Foundation, and the Department of Defense ($1.7M in external funding to date)
Comprised of five researchers, five graduate students
Focus on applied network research
Technologies that have impact within a few years (at most)
Leverage opportunities presented through IU’s leadership in high performance networking (Abilene, etc.)

43 ANML - a range of projects
Network Security
High performance file transfer protocols
Network visualization
Wireless network management and performance
The next generation Internet Protocol: IPv6

44 ANML - Network Security
Abilene NOC presented with an opportunity to partner with Asta Network and Arbor Networks via Internet2
Distributed Denial of Service (DDoS) detection equipment first installed at Indianapolis core node in 2000
DDoS detection equipment showed *many* DDoS incidents traversing Abilene each day
Determined that this was a potential opportunity to provide more focus on security for the research and education network space

45 ANML - Network Security
ANML is engaged in other areas of security research as well:
  Host Management system for Honeypots: uses virtual host software (VMware) to emulate a number of honeypots on a single physical machine; automates the distribution of honeypot instances and the collection of activity to each honeypot
  Development of a modified Linux root kit known as Sebek to allow honeypot researchers to monitor attacker activity even when the attacker is using encrypted transmissions. ANML works closely with the Honeynet alliance
  Development of Spoofwatch, a SNORT plug-in that detects and locates sources of spoofed IP addresses
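Spoofwatch's own logic is not described on the page. The standard check behind "detects and locates sources of spoofed IP addresses" is source-address consistency: a packet's source must belong to one of the prefixes that legitimately sit behind the interface it arrived on, and must never be a reserved or private range on an external-facing link. Grouping the failures by ingress interface is what turns detection into location, because it names the segment to isolate (slide 36's "isolating insecure devices"). This is an added example for this page, not ANML's code; the topology, interface names, prefixes and packet sample are constructed.

```python
import ipaddress
from collections import Counter

# Constructed campus topology: which source prefixes may legitimately enter
# on each router interface. Addresses are documentation ranges.
EXPECTED_PREFIXES = {
    "dorm-net": ["203.0.113.0/24"],
    "science-net": ["198.51.100.0/24"],
}
# Source ranges that should never appear on a campus-facing interface.
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]

_EXPECTED = {ifc: [ipaddress.ip_network(p) for p in pfx]
             for ifc, pfx in EXPECTED_PREFIXES.items()}
_BOGONS = [ipaddress.ip_network(p) for p in BOGON_PREFIXES]


def classify(interface, src):
    """Verdict for one packet: 'ok', 'bogon' (reserved/private source),
    'offnet' (source not expected on this interface), 'unknown-interface'
    or 'malformed'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "malformed"
    if any(addr in net for net in _BOGONS):
        return "bogon"
    nets = _EXPECTED.get(interface)
    if nets is None:
        return "unknown-interface"
    return "ok" if any(addr in net for net in nets) else "offnet"


def locate_spoof_sources(packets):
    """Group spoofed packets by ingress interface so the operator knows which
    segment is emitting them. packets: iterable of (interface, src, dst).
    Returns {interface: Counter({(verdict, src): count})}."""
    by_interface = {}
    for interface, src, _dst in packets:
        verdict = classify(interface, src)
        if verdict in ("bogon", "offnet"):
            by_interface.setdefault(interface, Counter())[(verdict, src)] += 1
    return by_interface


def spoofed_fraction(packets):
    """Share of packets per interface that failed the source check; a sudden
    rise on one interface is the alerting signal during a DDoS."""
    total, bad = Counter(), Counter()
    for interface, src, _dst in packets:
        total[interface] += 1
        if classify(interface, src) in ("bogon", "offnet"):
            bad[interface] += 1
    return {ifc: bad[ifc] / n for ifc, n in total.items()}


# Constructed flow sample: a dorm host forging sources toward one victim,
# mixed with ordinary traffic. Nothing here is captured data.
SAMPLE_PACKETS = [
    ("dorm-net", "203.0.113.17", "192.0.2.80"),
    ("dorm-net", "203.0.113.18", "192.0.2.80"),
    ("dorm-net", "10.4.4.4", "192.0.2.80"),
    ("dorm-net", "10.4.4.4", "192.0.2.80"),
    ("dorm-net", "198.51.100.9", "192.0.2.80"),
    ("science-net", "198.51.100.9", "192.0.2.80"),
    ("science-net", "192.168.1.1", "192.0.2.80"),
]


if __name__ == "__main__":
    for ifc, counts in locate_spoof_sources(SAMPLE_PACKETS).items():
        print(ifc, dict(counts))
    print(spoofed_fraction(SAMPLE_PACKETS))
```

On real equipment the same rule is enforced as ingress filtering on the access router, which is what stops a compromised campus host from contributing to the DDoS incidents slide 44 mentions; the detector above is the monitoring counterpart for links where filtering is not yet in place.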

46 REN-ISAC Research and Educational Networking Information Sharing and Analysis Center

47 ISAC Basics
Sharing has long been known to improve operations in individual organizations
Security information sharing was encouraged by Presidential (Clinton) Decision Directive 63
Various sectors of the economy experience different events and threats
Sharing amongst sectors increases the scope and the resulting benefit of that sharing

48 ISAC Basics (con’t)
Department of Homeland Security coordinates sharing centers representing various sectors
Higher education was NOT represented in the initial structure
Indiana University, EDUCAUSE, and Internet2 convinced government that higher education representation was critical
The Educause/Internet2 joint security task force encouraged the creation of a “higher education sharing center”

49 IU and the Research and Educational Networking ISAC
Indiana University has a unique view of various national and international R&E networks, including Abilene
Global NOC monitors networks 24x7
Excellent network and security engineers
Advanced Network Management Lab (Wallace) located at IU is involved in advanced security research
Network instrumentation provides specific information about security events
REN-ISAC a natural enhancement of security services provided by IU to the Internet2 community
Hosting REN-ISAC (as part of national ISAC structure) at Indiana University was formalized in D.C. on February 21, 2003

50 REN-ISAC Signing

51 REN-ISAC “Members”
REN-ISAC members are all U.S. universities and colleges that are connected to national R&E networks
Campuses connected to Abilene are the initial core members
Extended members are any universities and colleges interested in receiving ISAC reports
Campuses will be given a means to register and maintain contact information
REN-ISAC service will be 24x7
To make full use of REN-ISAC services, campuses are encouraged to identify a 24x7 contact person or persons, if they do not have a 24x7 operation

52 REN-ISAC: Basic Functions
The ISAC will receive and analyze operational, threat and warning, and actual attack information:
  Received from the NIPC, other ISACs, and other sources
  Received from ISAC member campuses related to incidents on local network backbones
  Received from network engineers related to incidents on national R&E network backbones
  Derived from network instrumentation
Analysis would be performed related to:
  Unscheduled outages and degraded operations
  Security-related events such as DDoS attacks, virus alerts, systematic network vulnerability scanning, systematic spoofing
  Other anomalies that constitute or may constitute a serious threat to the networks and associated systems of the REN-ISAC membership

53 REN-ISAC Reporting
General periodic reports from the REN-ISAC will be sent to members as a result of:
  An anomaly detected by staff of the “REN-ISAC Watch Desk”
  Reports of serious degradation from an as-yet-unknown cause
  Organizations reporting that their systems are being used to source, or are being victimized by, a network attack of some type
  Requests for information/analysis related to specific reported incidents

54 REN-ISAC: Reports to Members
To campuses affected by a security event detected by the REN-ISAC, in real-time, so that those organizations can identify and stop the activity, and/or recover and repair
To member campuses as soon as possible following an event, where that information would help improve security and/or avoid future impact
To all or specific contacts in other national and regional ISACs, in real-time or as soon as possible during the following business days, where incident information could help members of those associations improve security and avoid future impact

55 REN-ISAC: Reports to the NIPC
In real-time, for anomalies that are negatively impacting the operation of a number of member campuses
Post-event, where an event did not, but had the potential to, negatively impact the operation of a number of member campuses
Significant network degradation – failure of several nodes or unusual latency
Loss or degradation of REN-ISAC network monitoring capability – portions of the networks are not visible
Reporting to the NIPC will generally NOT identify specific member campuses, unless the campuses involved agree to have their identities included
In cases where there is an active investigation by law enforcement, the involved campuses will be given contact information for the investigating agency and encouraged to make that contact unilaterally

56 ISAC Futures
A Higher Education ISAC with a broader service set is needed, to deal with other campus security issues (system, virus, assessment, etc.)
REN-ISAC may be/could be expanded to encompass these services

57 Center for Applied Cybersecurity Research (CACR)
Serve as a focal point for cybersecurity research and teaching at IU, and a meeting ground for cybersecurity scholars and practitioners from all campuses
Provide a clearinghouse for information on cybersecurity research, teaching, and practice at IU
Link IU faculty and staff with external resources in cybersecurity and related fields
Seek funding for cybersecurity research, instruction, and practice at IU
Facilitate advanced cybersecurity research and the sharing of ideas and information both inside and outside of the university
Help coordinate the development of an innovative cybersecurity curriculum, including degree and joint-degree programs
Partner with federal and state governments, business, and other education institutions to improve the quality of information assurance practice, research, and teaching

58 Summary
We need to rethink some of the things we do – things that make our networks more attractive for intrusions
We need to continue to balance security with convenience, our missions, and our cultures
There are things that can and should be done
There are other things that just can’t fit into our environments
We need to talk more to and learn from each other:
  Within higher education
  Within the greater cyber-infrastructure community
We need to orient research to projects with shorter-term practical benefit to practitioners

59 IT Security in Higher Education
Michael A. McRobbie
Vice President for Information Technology and Chief Information Officer
Vice President for Research
Indiana University
Secure-IT 2003, Temecula, California
