Information Security for Educational Institutions.

Mark RaschMark.Rasch@FTIConsulting.com

Introduction

The threats are realMalware (e.g. viruses, worms, Trojan Horses) are becoming more

sophisticatedSecurity breaches and attacks are becoming more publicizedPeople are becoming more concerned with their online privacy…However, people still lack awareness on basic computer security

issues

A Typical Higher Education Computing Infrastructure

Traditionally “open”Critical for researchersCritical for students’ learningHigher education comprise of 15% of the Internet address spaceWired campus (dorms to Greek housing) with usually no network

authenticationMany institutions now offer campus-wide wireless accessTech-savvy students

Threat Matrix

Internal Threats•Illness of personnel•Illness of multiple personnel•Loss of key personnel•Loss of network services•Disgruntled employees•Disgruntled consultants•Labor dispute / unrest•User misuse / theft of data and resources•Malware (viruses, worms, Trojan Horses, rootkits)•Software bugs and flaws

External Threats•Lighting•Short-term utility outage•Long-term utility outage•Flood•Fire•Theft of hardware / disks / tapes•Theft of personnel desktop•Theft of personnel laptop•Computer vendor / developer failure (e.g. bankruptcy)•Random hackers / crackers•Terrorism

Overlapping Security Issues in Industry and Higher Education

Enormous disconnect between IT and general usersLack of awareness of computer security fundamentals (poor practices)Social engineeringInsider threatLack of low-tech and low-cost planningToo much focus on products for implementing computer securityLack of testing environments to understand threats and potential

security breachesSecurity is a reactive process

Risks in Higher Education

Openness = fertile ground for attacks and risksWeb hosting and file sharingDecentralizationLack of visibility for security and privacySecurity is looked at as a bad thing by professionals and students: tough sellMultiple roles of educational institutions

Educational – provider of servicesEducational – academic freedomFinancialHealth careGovernment contractReal estate ownerInternet service providerLaw enforcement agency

Hotspots

Data securityPrivacyNext generation of malwarePoisoned Peer-to-Peer (P2P) networks and torrentsCompliance and auditing

Next Generation of Malware

Now spreading through instant messaging, P2P, social networking sites, cell phone and SMS and MMS

Malware hybrids: fooling and cloaking malicious intent• Rootkit - Toolbox of tools for a cracker to keep root

access. Also hides and secures a cracker's presence on a system.

• Example: spyware that has a rootkit component• Can fool anti-virus or anti-spyware software

Next Generation of Malware (continued)

Kernel-based attack technique using hooks and layers • Kernel - Core of an operating system, Responsible for

resource allocation, low-level hardware interfaces, security, etc.

• Altering normal program control flow• The Microsoft Windows architecture makes this possible

Bottom line: malware becoming more lethal, and extremely more difficult to find!

Data Privacy

Mantras:• Provide prominent disclosure• Data minimization (collection, storage, and sharing)• Anonymity• Put users in charge of their data

Other components to a privacy framework:• Quality (accuracy and completion)• Security• Monitoring and enforcement

WHAT IS FERPA?

Family Educational Rights and Privacy Act of 1974 protects the privacy of student educational records.

FERPA applies to any higher education institution receiving federal funds administered by the Department of Education.

FERPA

Family Education Rights and Privacy Act20 U.S.C § 1232g 34 CFR Part 99

WHO IS PROTECTED UNDER FERPA?

Students who are currently enrolled in higher education institutions or formerly enrolled, regardless of their age or status in regard to parental dependency.

Students who have applied but have not attended an institution do not have rights under FERPA.

RIGHTS OF STUDENTS

Inspect and Review their Education RecordsExercise limited control over disclosure of Education Records

informationSeek to correct their Education RecordsReport violations of FERPA to the Department of EducationBe informed of their FERPA rights

EDUCATION RECORDS

“Education Records” generally include any records which contain information directly related to the student that is in the possession of the University. The records may be in printed form, handwritten, computer, magnetic tape, e-mail, film or some other medium.

WHAT IS NOT INCLUDED IN AN EDUCATION RECORD?

Records or notes in the sole possession of educational personnel not accessible to other personnel (i.e. contained in a faculty member’s notes)

Law enforcement or campus security records (University Police records)Records relating to individual’s employment by the University (Work Study

records ARE educational records)Medical treatment records (made or maintained by a Physician, Psychiatrist,

Psychologist or related paraprofessional)Alumni records

LIMITATIONS ON STUDENT’S RIGHT TO INSPECT AND REVIEW

Students may review their records by submitting a written request to the appropriate Record Custodian.

The Student is not permitted to inspect and review financial records of his/her parents.

2. The Student is not permitted to inspect and review confidential letters and recommendations in their education record (if the student signed a waiver).

The items listed above are to be removed from the file prior to the student’s review of his/her education record.

LIMITATIONS ON STUDENT’S RIGHT TO INSPECT AND REVIEW

3. Copies are not required unless it is unreasonable for the student to come in and inspect his/her records.

4. The University is responsible to provide the student’s records for inspection no later than 45 days after requested.

Disclosure

Written Consent

Of Student

DisclosureTo

Parents

DisclosureExceptions

WRITTEN CONSENT OF STUDENT

Voluntary written consent of Student to specific third parties. Document should be signed and dated by the Student and state the following:

--Specific records to disclose--Purpose of disclosure--Identity of party to whom disclosure is to be made

The consent will remain valid until the student requests that it be revoked.

DisclosureTo Parents

When Student is financially dependent on Parents as defined under Section 152 of Internal Revenue Code.

(Claimed as a dependent on Parent’s federal tax return)

When Student violates any Federal, State or Local law, or any rule or policy of the University governing the use or possession of alcohol or controlled substances if, the Student is under 21, and the Student has committed a disciplinary violation.

(Judicial Board)

DISCLOSURE EXCEPTIONS

University Faculty, Staff and Administrators with a “legitimateeducational interest”

Federal, State and Local Education Authorities involving an audit or evaluation of compliance with Education Programs

Results of disciplinary hearing to alleged victim of a crime of violence

Judicial Order or Subpoena

Health or Safety Emergency

Processing Financial Aid

Directory Information

Educational institutions where student seeks or intends to enroll

WHAT IS DIRECTORY INFORMATION?

The University may disclose information about a student without violating FERPA through what is known as “directory information”.

Annually the University is required to notify students in attendance of what information constitutes “directory information.” This notice must also provide procedures for students to restrict the University from releasing his/her directory information. This notice is provided in the annual Student Code of Conduct, on the Registrar’s website, in University Policy, and published in the student newspaper.

DIRECTORY INFORMATION

Student’s nameStudent’s addressTelephone numberMajor field of studyDegrees and awards receivedPrevious educational institutionsParticipation in officially recognized sports and activitiesWeight and height for athletesDates of attendanceElectronic mail addressStudent’s photograph

STUDENT’S REFUSAL TO PERMIT RELEASE OF DIRECTORY INFORMATION

Student can refuse to permit release of directory information by completing the form in the student paper or on the Registrar’s website or by forwarding the following statement to the University Registrar’s office at G-3 Thackeray Hall:

“I hereby request that no personal information included in my Directory Information be released.” This request must be signed and dated by the student with his/her name, address and social security number.

Once this request is received at the Registrar’s office, no future disclosures will be made without the student’s written consent.

The refusal to permit release of Directory Information is permanent.

A student may rescind this action in-person or by submitting a notarized request in writing to the Office of the University Registrar.

RECORDKEEPING REQUIREMENT

The University is required to keep a record of each request for access and disclosure of personally identifiable information from the education record of each student.

This record must be maintained with the education record of each student as long as the education record is maintained.

FERPA AND INTERNATIONAL STUDENTS

International students have the same rights to inspect their records and request amendments.

International students consent to release of their records to

certain governmental agencies on immigration forms.

CORRECTING EDUCATION RECORDS

Students are permitted to inspect and review their Education Records, and to seek to change any part that they believe is inaccurate, misleading, or in violation of their privacy rights.

a. If the requested change falls within the individual’s Academic Integrity Guidelines, then Academic Integrity Guidelines shall control the procedure to follow. FERPA gives the student the right to correct an inaccurately recorded grade, not to have the grade evaluated and changed.

b. If the requested change is not a violation of the Student or Faculty obligation, then the standard access and release of records will be followed

RIGHT TO REPORT VIOLATIONS TO THE U.S. DEPARTMENT OF EDUCATION

Any complaint filed by a Student regarding a violation of their FERPA rights is investigated and processed by the Family Policy Compliance Office of the U.S. Department of Education. If a determination is made that the University is in violation, both the University and the Student will be advised and informed of the measures to be taken in order to come into compliance with the law.

STUDENT’S RIGHT TO BE INFORMED OF THEIR FERPA RIGHTS

The University is required to annually inform student’s of their FERPA rights. The notification must also indicate the location of the student’s records and the procedure to be followed to inspect and review their record.

The privacy rights of an individual expires upon that individual’s death. FERPA does not apply and it is the University’s discretion to disclose any information of the deceased student.

DECEASED STUDENTS

How Come So Many Data Privacy Problems Recently?

Heavy usage and dependency of Social Security Numbers and credit card numbers

Poor web securityInsider threatsSocial engineering (scam artists, phishing)PharmingThird-part businessesLinkability

Common Compliance and Legal Frameworks

Health Insurance Portability and Accountability Act (HIPPA)Gramm-Leach-Bliley Act (GLBA)Computer Fraud and Abuse Act (CFAA)Sarbanes-Oxley ActUSA PATRIOT ActVisa USA Cardholder Information Security Program (CISP) /

MasterCard Site Data Protection Program / Payment Card Industry (PCI) Data Security Standard

Significance of the Compliance Frameworks

HIPAA security rule - Safeguarding of electronic protected health information

GLBA - Protects privacy of consumer information in the financial sectorSarbanes-Oxley Act - Executives need to report quickly and accuratelyUSA PATRIOT Act – Provides law enforcement agencies with greater

access to electronic communicationsColleges and universities have to comply with more regulations than

businesses

Impact of Breaches

Heavy network consumptionDirect impact on leadershipDirect impact on students’ learningWasted funding (private and public)Legal consequencesBad pressLoss of competitive edgeLong road to recovery

What You DON’T Want to Do

Pretend the problems will go awayEstablish reactive and short-term fixesPrimarily rely on a firewall, or just software solutions, for security

perimeter protectionFail to understand the relationship of information security to the

business problemAssign untrained people to maintain security and compliance

Short-Term: Awareness, Awareness, Awareness

Irony: provisions for education and training in SOX and the DMCAVery little money is spent on computer security education to the

publicSecurity is boring, difficult, and politicalAt fault: IT professionals, users, technologyLack of ownership on security and privacy issues by companiesEmerging technologies pose a serious threat if deployed naivelyUnfortunately, the infrastructure and architecture of current

computing systems, users do need to be informed

Short-Term: Awareness (continued)

Provide an undergraduate course in computer security, privacy, and politics:• Overlap of departments and groups in a

University (e.g. Computer Science, Law School)• Investment for students, the University, and for

the instructors of the course

Short-Term: Low-Cost and Low-Tech Improvements

First things first, ask yourself, and to management (revisit the questions):• What are your security goals?• What are you really protecting?• What are your priorities, especially in a product (e.g.

interface, administration, prevention)?

Short-Term: Low-Cost and Low-Tech Improvements (continued)

Write documentation in what system support staff and users need to do with respect to network and information security

Establish baseline security configurations for all appropriate technology platforms (e.g. web browser)

Establish a vulnerability management processUse vulnerability assessment tools to periodically conduct self-

assessmentsMonitor log files from critical systems on a daily basisSANS have excellent policy templates

Long-Term Opportunity: Develop Visualization Tools (continued)

Example projects/opportunities:• Security situation awareness• Profiling users and traffic• Linking relationships• Network traffic classification• Intrusion detection• Detecting abnormalities

For More Information

Mark D. RaschManaging Director – TechnologyFTI Consulting1201 Eye Street, NWWashington, D.C. 20005(301) 547-6925 tel(240) 209-5344 faxMark.Rasch@FTIConsulting.com