1 Effective Cybersecurity Practices for Higher Education Educause Southeast Regional Conference Seminar 1A June 6, 2005 Mary Dunker Virginia Tech Tammy Clark Georgia State University
2 Seminar Agenda EDUCAUSE/Internet2 Security Task Force initiatives The Effective Security Practices Guide (ESPG) Questions and Break Securing Unmanaged Computers Questions and Feedback
3 Overview of Effective Security Practices Educause/Internet2 Security Task Force background, working groups, initiatives Tools, including Information Security Governance Assessment (ISG) Effective Security Practices Guide Risk assessment methodology from Virginia Tech
4 Strategic Goals The Security Task Force received a grant from National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified: Education and Awareness Standards, Policies, and Procedures Security Architecture and Tools Organization, Information Sharing, and Incident Response
5 Security Task Force Groups Awareness & Training Working Group Effective Practices & Solutions Working Group Policies & Legal Issues Working Group Risk Assessment Working Group High Performance & Advanced Networking Working Group (SALSA) Security Conference Program Committee
6 National Cyber Security Awareness Month The Security Task Force and the Higher Ed IT Alliance has endorsed October as National Cyber Security Awareness Month. The National Cyber Security Alliance is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations that aims to educate Americans about the need for computer security and encourage all computer users to protect their home and small business systems. See
7 Annual Security Conference EDUCAUSE/Internet2 Security Professionals Conference April 10-12, 2006 Denver Marriott City Center Hotel Denver, Colorado Typical Program Content/Tracks Baseline & Advanced Technology Solutions Security Management and Operations Policy and Law For more info, see
8 Information Security Governance Assessment Tool The Information Security Governance (ISG) Assessment Tool is intended to help colleges and universities determine the degree to which they have implemented an ISG Framework at the strategic level within their institution. This tool is not intended to provide a complete and detailed list of information security policies or practices one must follow. Rather, it is intended to help institutional leadership identify general areas of concern as they relate to the ISG Framework. Sections within the Tool: Organizational Reliance on IT Risk Management People Processes Technology
9 ISG: Reliance on IT
10 ISG: Risk Management
11 ISG: Final Score
12 Configuration Benchmarks As a free service to EDUCAUSE Institutional Members, EDUCAUSE has entered into a cooperative agreement with the Center for Internet Security (CIS) to provide each EDUCAUSE Institutional Member with a license to redistribute CIS Benchmarks and Software Tools on college and university owned systems. The relationship entitles Institutional Members to redistribute CIS benchmarks and Software Tools to students, faculty and employees for use on computers owned by the students, faculty and employees. The CIS Benchmarks and Software Tools are resources for Institutional Members to assess and measurably improve the security configuration status of its IT systems and networks.
13 Implications of CIS Partnership Encourage the adoption and deployment of widely- accepted, consensus technical control standards (benchmarks) for system security configuration in colleges and universities. Establish technical control baselines that can be presented to software vendors and hardware suppliers as default security configurations for systems that colleges and universities purchase. Expand participation in the CIS consensus development process by security specialists in EDUCAUSE member colleges and universities to ensure that college and university-unique needs are met.
14 CIS Scoring Tool
15 Cyber Security Forum for Higher Education The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.
16 Vendor Engagement Established Corporate Cyber Security Forum to create a dialogue with vendors on practices that have a significant impact on higher education security Educause established the Corporate Cyber Security Forum to develop linkages with the vendor community. Members include - Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT Task force visited Microsoft in September ‘03 to explain the needs of higher education and engaged Microsoft for support during the SP2 rollout for Windows XP.
17 Effective Security Practices Guide Balancing the need for security with the higher education tradition of open and collaborative networking
18 Why Not Identify Best Practices Higher education is too diverse in mission and size for a single best practice to be universally effective. Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone feels there is room for improvement in what they are doing! Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.
19 ESPG Overview Practical approaches to preventing, detecting, and responding to security problems Community driven and serving University ISOs and supporting staff Codify experiences of experts Examples of success Potential models to follow Provide for various types of institutions Modular resource Flexibility in presentation & implementation
20 ESPG Design and Development ESP database Core materials Case study submission process Future contributions Seed case studiesPast workshops, discussions & community vetting Categories & keyword searches Structured presentation Suitability, editing, notification & update
21 Core Subject Areas Policy Education, Training and Awareness Risk Analysis and Management Security Architecture Design Network and Host Vulnerability Assessment Network and Host Security Implementation Intrusion and Virus Detection Incident Response Encryption, Authentication & Authorization Addendum: university & vendor resources
22 Effective Practices: Contributors Bethune-Cookman Brown Cornell CSUSB GA Tech GWU Indiana University MSCD Notre Dame NC A&T Penn State U Alabama Purdue UC Berkeley UCONN U Maryland, BC U Washington U Wisc, Madison Virginia Tech Yale University
23 ESPG Highlights Evolution of Security Practices
24 Evolution of Security Practices It is not always possible to jump to the most effective practices Can’t scan for policy violations without policies Can’t develop policies without mature security standards Some practices require significant human resources Intrusion detection Incident response Some practices become more effective over time Technical support becomes more effective with supporting tools, security policies and architecture
25 Online Demonstration
26 Risk Analysis The most effective security practice given limited resources Types of Risk Strategic Risk Financial Risk Legal Risk Operational Risk Reputation Risk Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
27 Ideal Risk Analysis & Management Knowledge of all relevant regulations Training and awareness of staff Developing plans to audit individual units for compliance Developing and implementing a code of conduct for the organization Establishing control mechanisms to ensure compliance Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
28 Risk Analysis Overview Risk = Threats x Vulnerability x Impact Need to weigh & prioritize risks to develop strategy Threats Intruders, insiders, accidents, natural disasters Vulnerabilities Weaknesses in design, implementation, or operation Impact Level of harm to the institution
29 Practical Risk Analysis in Higher Education Preliminary Risk Analysis (year 1) ● Gathering allies, data and support Risk Analysis of Critical Processes (year 2) ● Concentrating on high risk areas Institution-wide Risk Analysis (year 3+) ● Broadening view to include the whole institution
30 Virginia Tech STAR Risk Process STAR - Security Targeting and Analysis of Risks Developed in-house several years ago Prioritized assets, risks, and controls Very detailed voting structure Used color codes for compliance Had a control compliance matrix Templates provided to reduce resistance TODAY – same concept but we have simplified the process
31 Risk Analysis Process at Virginia Tech Information Technology process IT Security Officer leads effort Annual process with detailed listings Lots of involvement with teams Evolved into individual risk analysis reports for other departments University departments Every 3 years / update major changes Annual reviews on progress All reports submitted to the IT Security Office
32 Keys to Success in the Risk Analysis Process Secure senior management support Select a strong risk analysis team Provide risk analysis templates Provide instruction and assistance Specify a timetable for completion Have a collection point for all reports Take the risk analysis process seriously
33 Senior Management Support Important to secure executive support Executive should issue directive to all department heads Directive should specify a time for final reports Accountability for completing risk analyses Executive will identify IT Security Office as providing leadership for effort
34 Assets Are More Than Machines We are now linking Asset identification to the management org chart Assets can be: Physical systems Groups of systems that support a service Business process that requires a group of systems Business process that depends on other business processes Data People
35 Asset Classification Business Process A Business Process B Business Process C Oracle DB Forms Servers Auth Servers Host A Host B Host C Host D Host E Host F
36
37
38
39 Asset Ranking
40 IT Common Risks Twelve (12) common risks identified by VT IT: System administration Training Desktop Access Control Operational Policies Key Person Dependency Bad Passwords Data Disclosure Internal Physical Security External Physical Security Cleartext Spoofing/Forgery Natural Disaster Construction Mistakes
41 Sample Risk Ranking
42 Reference Risks to Critical Assets Review list of critical assets Simply determine which risks apply to which critical assets Can get into more detail and map risks to critical assets by voting technique Helps determine what may need to be addressed first
43 Map Risks to Assets
44 Recommendations and Solutions May be difficult to do at the time of report Others need to be involved in the details Management, technical personnel, etc. More detailed report may be needed Description of solution Impact statement A cost/benefit analysis Proposed dates
45 Recommendations The risk(s) for an asset will be addressed within a specific timeframe and a brief explanation should be included Controls to address a risk (or risks) will not be implemented because of information obtained during analysis (new software, new location, etc.) Controls will not be implemented based on factors (time, budget, etc.) in the dept. or operating unit There may not be a known solution at this time, or you don’t feel the risk is a real danger
46 Using STAR Visit the Effective Security Practices Guide Select the link to “Risk Analysis of Critical Areas and Processes” The STAR link will take you to All forms used by Virginia Tech are online
47 Additional Security Resources EDUCAUSE/Internet2 Computer & Network Security Task Force Security Discussion Group Effective Security Practices Guide Internet2 Security Initiatives Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)