Presentation is loading. Please wait.

Presentation is loading. Please wait.

EDUCAUSE Systems Security Task Force - April 11, 2001 Educause Task Force on System Security Gordon Wishon Georgia Institute of Technology Networking 2001.

Published byLydia Foster Modified over 8 years ago

Similar presentations

Presentation on theme: "EDUCAUSE Systems Security Task Force - April 11, 2001 Educause Task Force on System Security Gordon Wishon Georgia Institute of Technology Networking 2001."— Presentation transcript:

1 EDUCAUSE Systems Security Task Force - April 11, 2001 Educause Task Force on System Security Gordon Wishon Georgia Institute of Technology Networking 2001

2 EDUCAUSE Systems Security Task Force - April 11, 2001 The Current Situation 3500+ Colleges and Universities > 1000 Community colleges < 100 major research universities 125+ University Medical Schools 400 Teaching Hospitals 150+ Institutional members of Internet2

3 EDUCAUSE Systems Security Task Force - April 11, 2001 The Current Situation The Internet is a world-wide, increasingly mission-critical infrastructure Internet’s underlying structure, protocols, & governance are still primarily open Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS ) Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce Many college & university networks are insecure

4 EDUCAUSE Systems Security Task Force - April 11, 2001 Information Security in Higher Education Research universities: deployment of workstations & servers by researchers whose talents and interests are usually focused elsewhere Smaller institutions: dearth of tech skills Dorm networking: little adult supervision Too few security experts; weak tools; most institutions have no InfoSec office. Few policies regarding systems security

5 EDUCAUSE Systems Security Task Force - April 11, 2001 Targets of Opportunity on US Higher Education Computer Networks Sensitive Data –Credit Card #s, ACH (NACHA) bank #s –Patient Records (SSN) –Student Records (SSN) –Institution Financial Records –Investment Records –Donor Records –Research Data & Other Intellectual Property

6 EDUCAUSE Systems Security Task Force - April 11, 2001 Recent Academic InfoSec Incidents Feb 2000 – Distributed Denial of Service (DDoS) attacks bring down key dot com sites; university sites implicated (UC Davis, UCLA, Stanford, etc.) June-July 2000 – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server. July 2000 -- Educause Task Force Formed Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records. March 2001– 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.

7 EDUCAUSE Systems Security Task Force - April 11, 2001 Trends in Academic InfoSec E-Commerce site threaten litigation against future DDoS sites. Liability for negligence? Insurance companies begin to rewrite liability policies, separate ‘cyber’ policies to require info security vulnerability assessments & changes Funding agencies to require firewalls, security? HIPAA is a “forcing function” in academic Medical Centers FERPA, COPPA, DMCA, Privacy legislation Growing concern over government intervention

8 EDUCAUSE Systems Security Task Force - April 11, 2001 Corporate InfoSec Trends, (relatively rare in US HE) Firewalls, proxies, user access control Network monitoring, bandwidth management Extensive logging, logfile analysis IDS – Intrusion Detection Systems VPNs (Virtual Private Networks) –PPTP, L2TP, IPSEC Strong Authentication – PKI, Smartcards Vulnerability scanning (internal, external) Change Control / Management Managed Security Services (e.g. outsourced)

9 EDUCAUSE Systems Security Task Force - April 11, 2001 Why US Higher Ed Computer Networks are Attractive Targets Platforms for launching attacks –Wired dorms (insecure Linux PCs, PC Trojans) –High bandwidth Internet (Fract T3, T3, T3+) –Sophisticated computing capacity (scientific computing clusters, even web servers, etc.) –Unsophisticated user population –“Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs) –Trust relationships between departments at various Universities for research (e.g. Physics community) –University research lab computers are often insecure and poorly managed

10 EDUCAUSE Systems Security Task Force - April 11, 2001 Unique Challenges in Higher Education Loose confederation of autonomous entities Academic “culture” and tradition of open access to information Lack of control over users Diversity Lack of financial resources Creative Network Anarchy – anyone can attach anything to the network IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership.

11 EDUCAUSE Systems Security Task Force - April 11, 2001 Unique Strengths of US Higher Education Intellectual Capital Culture of Open Access to Information Culture of Collaboration

12 EDUCAUSE Systems Security Task Force - April 11, 2001 Educause Task Force Announced to all member reps in July email from Mark Luker, VP for NetworkingAnnounced to all member reps in July email Co-chaired by Gordon Wishon, Associate VP & Associate Vice Provost for IT, Georgia Tech; & Dan Updegrove, VP for Information Technology, University of Texas at AustinDan Updegrove

13 EDUCAUSE Systems Security Task Force - April 11, 2001 General Plan of Attack Increase Awareness of Risks, Vulnerabilities, Liabilities Leverage Intellectual Capital Develop Community Reaction and Response Mechanisms Identify & Inform Community of Risks Associated with Emerging Technologies

14 EDUCAUSE Systems Security Task Force - April 11, 2001 Task Force Committees Education & Awareness –Michele Norin, University of Arizona –Gordon Wishon, VP & Vice Provost for IT, Georgia Tech Campus Policies –Mark S. Bruhn, IT Policy Officer, Indiana –Rodney Petersen, Dir, Policy & Planning, U of Maryland, College Park Detection, Prevention, & Response –Jack Suess, CIO, University of Maryland, Baltimore County –Steve Hansen, Security Policy Officer, Stanford Emerging Technologies –Clifford Collins, Ohio Academic & Research Network (OARnet) –Ken Klingenstein, University of Colorado & Chief Technologist/Middleware Project Director, Internet 2

15 EDUCAUSE Systems Security Task Force - April 11, 2001 Education & Awareness Increase Awareness of Risks, Vulnerabilities, Liabilities –Identify Constituent Groups, Audiences –Develop Messages Appropriate for Audiences –Utilize Existing Communication Vehicles (Educause Review, etc.) –Establish Partnerships with Higher Ed Leadership Groups (ACE, AAHE, NASULGC, NACUBO, etc.)

16 EDUCAUSE Systems Security Task Force - April 11, 2001 Leverage Intellectual Capital Policies –Evaluating best practices in Higher Education, Corporations, Government, Military –Developing common recommended policies Procedures –Physical Security –Computer Security –Network Security –Business Continuity/Disaster Planning Tools –Strong authentication methods (smart cards, tokens, etc.) –Vulnerability assessment (scanners) –DDoS zombie detectors –Patch tools

17 EDUCAUSE Systems Security Task Force - April 11, 2001 Develop Community Reaction, Response Mechanism Education ISAC, CERT –Real time information sharing mechanism –Security consulting –Vulnerability assessment –Emergency notification –Internet 911 services for academia?

18 EDUCAUSE Systems Security Task Force - April 11, 2001 Emerging Technologies Identify and inform community of risks Influence design of new technologies –Internet 2, HEPKI-PAG, HEPKI-TAG, CREN, etc.

19 EDUCAUSE Systems Security Task Force - April 11, 2001 Additional Areas Under Investigation Federal Funding Opportunities –NSF Grant? Partnering Opportunities –Federal Agencies (NIST, DOD, FBI NIPC, NSA etc.) –Security Interest Groups SANS Institute Computer Security Institute Forum of Incident Response & Security Teams System Administrators Guild of USENIX USENIX Security ConferenceUSENIX CERT Coordination Center Center for Internet Security O/S, Computer, Network, and Security Service Vendors

20 EDUCAUSE Systems Security Task Force - April 11, 2001 How You Can Participate Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors, -- even CIOs! Meetings, email, website, white papers http://www.educause.edu/security

Download ppt "EDUCAUSE Systems Security Task Force - April 11, 2001 Educause Task Force on System Security Gordon Wishon Georgia Institute of Technology Networking 2001."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.

Security Education and Awareness Workshop January 15-16, 2004 Baltimore, MD.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10, 2008 1.

REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10,
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College.

Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College.
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
1 H. Morrow Long Director, Information Security Office ITS, Yale University NERCOMP 2003 Annual Conference Higher Education Contribution to the National.

1 H. Morrow Long Director, Information Security Office ITS, Yale University NERCOMP 2003 Annual Conference Higher Education Contribution to the National.
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.

Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID THE NETWORK SECURITY CHALLENGE Jack Suess CIO University of Maryland Baltimore.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
The Pieces and the Puzzle of IT Policy University Computer Policy and Law Program April 7, 2004.

The Pieces and the Puzzle of IT Policy University Computer Policy and Law Program April 7, 2004.
Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.

Higher Education Cybersecurity Strategy, Programs, and Initiatives Rodney Petersen Policy Analyst & Security Task Force Coordinator EDUCAUSE.
EDUCAUSE Systems Security Task Force - March 19, 2001 Educause Task Force on System Security Dan Updegrove, University of Texas at Austin H. Morrow Long,

EDUCAUSE Systems Security Task Force - March 19, 2001 Educause Task Force on System Security Dan Updegrove, University of Texas at Austin H. Morrow Long,
EDUCAUSE Computer and Network Security Task Force Rodney J. Petersen Director, Policy and Planning Office of Information Technology University of Maryland.

EDUCAUSE Computer and Network Security Task Force Rodney J. Petersen Director, Policy and Planning Office of Information Technology University of Maryland.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Security Issues on Campus: Government Initiatives Rodney J. Petersen University of Maryland Educause/Internet2 Security Task Force Copyright Rodney J.

Security Issues on Campus: Government Initiatives Rodney J. Petersen University of Maryland Educause/Internet2 Security Task Force Copyright Rodney J.
Information Assurance and Higher Education Clifton Poole National Defense University Carl Landwehr National Science Foundation Tiffany Olson Jones Symantec.

Information Assurance and Higher Education Clifton Poole National Defense University Carl Landwehr National Science Foundation Tiffany Olson Jones Symantec.
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.

© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.

Similar presentations

Ads by Google