IT Security & Higher Education. Why should higher ed care? Improperly secured computers and networks...


Page 1: IT Security & Higher Education. Why should higher ed care? Improperly secured computers and networks present considerable institutional risk and can impact.

IT Security & Higher Education

Page 2: Why should higher ed care?

Improperly secured computers and networks present considerable institutional risk and can impact the institution's ability to achieve its mission

Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability

Page 3: Higher Ed and Cybersecurity

Education and Training: Centers of Academic Excellence; Professional Training and Certification

Research and Development: Cyberinfrastructure; Basic and Applied Research

Securing Our Corner of Cyberspace!

Page 4: GAO Designates Computer Security a High Risk

"Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety."

GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures (January 2003)

Page 5: Higher Education Computer Security Incidents in the News

Hacker Steals Personal Data on Foreign Students at U. of Kansas (Chronicle of Higher Education, 1/24/2003)

UMBC students' data put on Web in error (Baltimore Sun, 12/7/2002)

Why Was Princeton Snooping in Yale's Web Site? (Chronicle of Higher Education, 8/9/2002)

Delaware Student Allegedly Changed Her Grades Online (Chronicle of Higher Education, 8/2/2002)

Page 6: . . . in the News

Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges (Chronicle of Higher Education, 6/20/2002)

Hacker exposes financial information at Georgia Tech (ComputerWorld, 3/18/2002)

College Reveals Students' Social Security Numbers (Chronicle of Higher Education, 2/22/2002)

Hackers Use University's Mail Server to Send Pornographic Messages (Chronicle of Higher Education, 8/10/2001)

Page 7: . . . in the News

Review to ensure University of Montana Web security (Montana Kaimin, 11/14/2001)

'Code Red' Worms Linger (Chronicle of Higher Education, 9/14/2001)

Students Fault Indiana for Delay in Telling Them About Stolen Files (Chronicle of Higher Education, 3/16/2001)

Page 8: . . . in the News

[UWashington] Hospital records hacked hard (SecurityFocus.com, 7/12/2000)

3 Universities in California Find Themselves Linked to Hacker Attacks (Chronicle of Higher Education, 2/25/2000)

Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses (Chronicle of Higher Education, 3/13/1998)

Page 9: Goals of IT Security

Confidentiality - Computers, systems, and networks that contain information require protection from unauthorized use or disclosure.

Integrity - Computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.

Availability - Computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Page 10: Higher Ed IT Environments

Technology Environment

Distributed computing and a wide range of hardware and software, from outdated to state-of-the-art

Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges

Leadership Environment

Reactive rather than proactive

Lack of clearly defined goals (what do we need to protect and why)

Academic Culture

Persistent belief that security & academic freedom are antithetical

Tolerance, experimentation, and anonymity highly valued

Page 11: A Risk Management Approach

Risk = Threats x Vulnerability x Impact

Page 12: Threats

An adversary that is motivated to exploit a system vulnerability and is capable of doing so.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 13: Examples of Threats

Hackers

Insiders

"Script Kiddies"

Criminal Organizations

Terrorists

Enemy Nation States

Page 14: Vulnerabilities

An error or a weakness in the design, implementation, or operation of a system.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 15: Examples of Vulnerabilities

Networks – wired and wireless

Operating Systems – especially Windows

Hosts and Systems

Malicious Code and Viruses

People

Page 16: Impact

Risk refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.

National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)

Page 17: Impact: Types of Risk

Strategic Risk

Financial Risk

Legal Risk

Operational Risk

Reputational Risk

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 18: Handling Risks

Risk Assumption

Risk Control

Risk Mitigation

Risk Avoidance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 19: Security Task Force

Formed Summer 2000

Respond to charges that higher education is lax and dangerous

Threat of blunt-edged regulations

Co-chairs, Steering Committee

Web page, Listservs, Conferences

Staff – EDUCAUSE/Internet2

Page 20: Cybersecurity – Post Sept. 11th

Executive Order 13231 – October 2001: Created the President's Critical Infrastructure Protection Board (PCIPB)

Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

USA PATRIOT Act

Page 21: National Strategy to Secure Cyberspace

Draft announced September 18 (see www.securecyberspace.gov)

Includes higher ed contribution

National, not a government, strategy

Secure your own piece of cyberspace

Market driven, not regulatory

Best practice, information sharing

Final Strategy Release – TBD

Page 22: Higher Education Contribution

Higher Education Interests: Teach security; Invent technology; Powerful networks and computers

Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy

Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf

Page 23: Framework for Action

Make IT Security a higher and more visible priority in higher education

Do a better job with existing security tools, including revision of institutional policies

Design, develop and deploy improved security for future research and education networks

Raise the level of security collaboration among higher education, industry and government

Integrate higher education work on security into the broader national effort to strengthen critical infrastructure

Page 24: NSF Workshops

A More Complete Response to National Strategy

Experts on academic values

Experts on practices and policies

Research scientists who use the networks

Summit including all stakeholders

Foundation for Future Activities

Page 25: Guiding Principles

Civility and Community

Academic and Intellectual Freedom

Privacy and Confidentiality

Equity, Diversity, and Access

Fairness and Process

Ethics, Integrity, and Responsibility

Page 26: Action Agenda

1. Identify Responsibilities for IT Security, Establish Authority, and Hold Accountable

2. Designate an IT Security Officer

3. Conduct Institutional Risk Assessments

4. Increase Awareness and Provide Training to Users and IT Staff

5. Develop IT Security Policies, Procedures, and Standards

Page 27: Action Agenda (cont'd)

6. Require Secure Products From Vendors

7. Establish Collaboration and Information Sharing Mechanisms

8. Design, Develop, and Deploy Secure Communication and Information Systems

9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.

10. Invest in Staff and Tools

Page 28: Security: Negative Deliverable

Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.

Jeffrey I. Schiller, MIT’s Security Architect

Page 29: What Every President Must Do

Ensure the confidentiality, integrity, and availability of University assets and information

Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact

Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions

Page 30: For more information, contact:

EDUCAUSE/Internet2 Security Task Force

www.educause.edu/security

[email protected]