CyberSecurity - Linda Sharp
Transcript of CyberSecurity - Linda Sharp
SchoolDude University 2009
Cyber Security
Linda Sharp
CoSN Cyber Security Project Director
Understanding the Issues
Four Reasons to Pay Attention to K-12 Network Security
1. Protect data
2. Prevent misuse of resources
3. Prevent interruption of operations (Protecting the Core Mission: Learning)
4. Keep kids safe
Reliance on Technology
• For instructional activities
• For business operations
• For student data and recordkeeping
• For assessment and accountability
• For internal and external communication
Other areas of reliance in your schools?
The Evolution of Intent From Hobbyists to Professionals
[Figure: threat severity (vertical axis) plotted against time (1990, 1995, 2000, 2005, 2007, "What's next?"). Labels on the chart: Testing the Waters (basic intrusions and viruses); Fame (viruses and malware); Financial (theft and damage). Caption: Threats becoming increasingly difficult to detect and mitigate.]
Financial Impact
• 2004 – Cyber Attack impact in business was $226 billion
• 2008 – One of top 4 US priority security issues.
• Cyber Crime has overtaken drugs for financial impact.
Legal Impact
• FERPA
• CIPA
• HIPAA
• COPA
• FRCP 34
Legal Impact
• Data
  – Personal, Private, Sensitive Information
• Information Sharing
  – Internal
  – External
• Backup/Restore
  – Where and how
Legal Impact
• Acceptable Use Policies (AUP)
  – Who should sign AUP?
  – What should be included?
    • Internet usage
    • Data protection and privacy
    • Rules/regulations
    • Consequences
Safety vs. Security
• Safety: Individual behavior
• Security: An organizational responsibility
Five Guiding Questions
• What needs to be protected?
• What are our weaknesses?
• What are we protecting against?
• What happens if protection fails?
• What can we do to eliminate vulnerabilities and threats and reduce impacts?
Three Strategic Areas
People
Policy
Technology
Three Action Themes
Prevention
Monitoring
Maintenance
Questions to Ask
• Do we have a security plan?
Questions to Ask
• Do we have adequate security and privacy policies in place?
  – District Security Rules
  – Legal Review
  – External Controls
Questions to Ask
• Are our network security procedures and tools up to date?
  – Hardware
  – Software
  – Monitoring
Questions to Ask
• Is our network perimeter secured against intrusion?
  – Design
  – Laptops
  – Wireless Security
  – Passwords
Questions to Ask
• Is our network physically secure?
  – Environmental Hazards
  – Physical Security
Questions to Ask
• Have we made our users part of the solution?
  – Awareness
  – Training
  – Communications
Questions to Ask
• Are we prepared to survive a security crisis?
  – Backups
  – Redundant Systems
  – Communications Plan
  – Preparedness
Security Planning Protocol
Phase 1: Create Leadership Team & Set Security Goals
  Outcome: Security Project Description (goals, processes, resources, decision-making standards)
Phase 2: Risk Analysis
  Outcome: Prioritized Risk Assessment. A ranked list of vulnerabilities to guide the Risk Reduction Phase
Phase 3: Risk Reduction
  Outcome: Implemented Security Plan. Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness
Phase 4: Crisis Management
  Outcome: Crisis Management Plan. A blueprint for organizational continuity
Leadership Team
• Create Leadership Team and Set Security Goals
• Purpose: Clarify IT’s role in district mission
• Scope: Set boundaries and budgets
• Values: Define internal expectations and external requirements for security
Leadership Team
Leadership Team Personnel
• IT Leadership
• Administrators – district and building
• Legal counsel
• Human resources
• Public relations representative
• Teachers
District Security Checklist
• Self Assessment Checklist
Risk Analysis
• What’s at risk?
• Vulnerabilities and Threats
  – Identify impacts to
    » System
    » People
    » IT organizational issues
    » Physical plant
• Stress Test
Security Planning Grid

| Security Area | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Management (Leadership) | Little participation in IT security | Aware but little support provided | Supports and funds security | Aligns security with organizational mission |
| Technology (Network design and IT operations) | Broadly vulnerable | Security roll out is incomplete | Mostly secure | Seamless security |
| Environmental & Physical (Infrastructure) | Not secure | Partially secure | Mostly secure | Secure |
| End Users (Stakeholders) | Unaware of role in security | Limited awareness and training | Improved awareness, mostly trained | Proactive participants in security |
Security Planning Grid
• Provides benchmarks for assessing key security preparedness factors
• Uses the same topic areas for consistency
• Helps prioritize security improvement action steps
Planning Security Grid
• Prioritize solutions
• Action plan
• Revise SOP
Plan, Test, Plan, Test…..
– Scenario: "Despite our best intentions..."
• Financial system backups stored within a vault below ground
• Vault walls are constructed of cinderblocks
• Fire destroys the building
• Very cool to the touch
-- vault becomes sauna, backup tapes destroyed
Plan, Test, Plan, Test…..
XXXXX School District
• Monday, February 11, 2008
• Break-In at XXX. in XXX, CA
• "Smash and Grab" -- 1 computer stolen
• One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts
Plan, Test, Plan, Test…..
• Decision to notify and "how to respond?"
• Notification authority rests with the Superintendent
• Elected to follow aggressive path of notification and openness
• E-Mails, letters, contact person, Website (blog)
The worst case scenario . . .
NO PLAN!
Questions and Comments?
www.securedistrict.org
www.cosn.org
Linda Sharp
CoSN Project Manager
Cyber Security
IT Crisis Preparedness