IT Security Challenges In Higher Education Steve Schuster Cornell University Copyright Steve Schuster - 2005. This work is the intellectual property of.


1 IT Security Challenges In Higher Education
Steve Schuster, Cornell University
Copyright Steve Schuster - 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Questions I’d like to Answer
► Why do we care about IT security?
► What are some of our universities’ biggest challenges?
► What can universities do to address these challenges?

3 Why Do We Care?
► Current federal and state law
  - Family Educational Rights and Privacy Act (FERPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Compromise notification laws
    ► 12 states
    ► NYS Breach of Security Bill -- December, 2005

4 Why Do We Care?
► Growing social expectations due to rise in identity theft awareness
► Reputational concerns
► Growing possibility for lawsuits

5 Why Do We Care?
► First half of this year had 72 reported compromises
  - Education – 37
  - Business – 23
  - Government – 7
  - Healthcare – 5
► Causes of the compromises
  - Hacking – 40
  - Stolen property – 16
  - Lost property – 6
  - Insider – 5
  - Fraud/social engineering – 2
  - Email – 1
  - Web – 1

6 Why Do We Care?


10 Our Biggest Challenges
► Understanding new threats
► Changing/emerging law
► Growing social expectations and requirements
► General “openness” of universities can make us an easier target
► Creating a common understanding about what data needs to be protected
► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources/data
► Timely and accurate response to security incidents
► Institutional-level questions are difficult to get answered

11 Discovery: Keystroke Loggers
► Purpose
  - Capture every key pressed on any given computer
  - Keystrokes are stored in a file and either retrieved at a later time or sent automatically via e-mail or other mechanism
  - Such things as logins, passwords and credit cards are typically captured in this manner

12 Exploitation: Spreading Viruses
[Diagram label: ISP in New Haven, CT]

13 Exploitation: Spreading Viruses
[Diagram label: ISP in New Haven, CT]

14 Exploitation: Spreading Worms
► Worms spread by
  - Using techniques of system and port scanning
  - Finding vulnerable systems
  - Automatically exploiting vulnerabilities

15 Use of Exploited Systems
► Systems are typically exploited for
  - File distribution
    ► Copyrighted material
    ► Warez
  - Exploiting other systems
    ► Sniffers
    ► Keystroke loggers
    ► Scanners
  - Creating a bot network

16 Use of Exploited Systems: BotNets
BotNet Creation
1. Compromise system
2. Create Controller
3. Send out worm to many systems
4. Infected systems alert controller
5. Send commands as desired
[Diagram labels: Controller, Bot, Commands]

17 Use of Exploited Systems: BotNets
► Observed functions
  - Spreading copies
  - Denial of service attacks
  - Packet sniffing
  - Keystroke loggers
  - File distribution

18 Challenge: Changing/Emerging Law
► Response
  - Make friends with University Counsel
  - Develop a clear understanding and communicate what data needs to be protected
  - Periodic security awareness for at least those handling regulated data
  - Never miss a “learning” opportunity
    ► User/department notification
  - Make sure policy reflects current requirements
    ► Data Security/Management policy

19 Challenge: Growing Social Expectations and Requirements
► Response
  - Prepare your legal defense now
    ► Participate in internal and external audits
    ► Show consistent improvements
    ► Work to establish at least state-of-the-practice security technology, processes and procedures
    ► Develop analysis and incident handling standards and practices

20 Challenge: University “Openness”
► Response
  - Implement a security strategy that meets the business needs of the unit
  - Build trust and understanding across the community
  - Rise to the challenge
    ► Protected infrastructures DO NOT hinder research

21 Challenge: Understanding What Data Needs to be Protected
► Response
  - Data categories can help
    ► Regulated, Confidential and Public
  - Map specific data elements into each category
  - Work toward the identification of all IT resources that house each category
  - Communicate
    ► Awareness
    ► Policy
    ► “Educational” opportunities
  - The Audit Office can certainly help here

22 Challenge: Complexity Due to Decentralization
► Response
  - Building and maintaining trust is not an option
  - Establish best practices and strong recommendations
  - Gain the support of the University Audit Office
  - Support university-wide outreach
    ► IT Security Council
    ► Monthly Security Special Interest Group (SIG)

23 Challenge: Timely and accurate response to security incidents
► Response
  - Develop processes and procedures in advance
  - Ensure the procedures are universally available
  - Provide response training to local units
  - Ensure the central IT Security Office is involved with the incident
  - Automate as much of the response process as possible
  - Establish a Data Loss Response Team

24 Challenge: Answering Institutional Questions
► Response
  - Do not ask abstract questions
  - Work real world situations requiring action and decisions
  - Create a Data Loss Response Team

25 Responding to Incidents
► Clearly distinguish between IT security and data security
► Data Loss Response Team
  - Established to ensure the university responds appropriately
  - Members
    ► University Audit
    ► University Counsel
    ► Public Relations
    ► VP of IT
    ► Risk Management
    ► University Police
    ► Data Stewards
    ► Local Unit
  - Two meetings of this team per incident
    ► First meeting establishes understanding of incident and provides specific direction
    ► Second meeting weighs evidence and determines appropriate actions

26 Responding to Incidents
► Data Loss Response Team benefits
  - Helps answer tough questions for the university
  - Provides a balanced and effective decision making process
  - Helps establish minimum standards for analysis
  - Weighs in on established practices and procedures
  - Establishes a more thorough understanding of IT security challenges

27 Questions?

