The Threat from Within
Anne Oribello
Brown University
Anne_Oribello@Brown.Edu

The Threat from Within
• Problems:
  • departments want to compete with peers at other schools to incorporate technology into their programs
  • vendors add web-based front ends and insist users move to that platform for software support

Threat from Within (cont.)
• Faculty read about a new technology and obtain it through grant monies or donation
• business units within the university want to be more accessible by putting data on the Internet
• How many of these activities are being done securely?

Issues
• Lack of adequate training for some sysadmins
• Reliance on vendors to properly configure server
• Pressure to roll out a system by a deadline
• Lack of funding by departments for security tools

Issues (cont.)
• Lack of understanding of risks and issues by decision makers
• Security had been viewed as an impediment to work
• Culture of open access
• Lack of sufficient security staff

Solutions
• Establish realistic policies/guidelines
• Educate the user community on evolving technologies
• Scan servers
• Perform security reviews

Establish Policies/Guidelines
• Get support from key players
• Establish incentives to conform
  • offer centralized services to reduce their work
  • establish user groups to develop (human) network
• Create viable alternative for violators
• Be specific in definition of conformity
• Document dissemination effort

Educate Community
• Face-to-face training for staff
• Technical updates for decision makers
• Articles in faculty/staff newsletter
• Listserv mailings (BBoards seem to have lost “favor”)

Scan Servers
• Schedule can depend on criticality of server
• Internet Security Scanner
• hacker tools (e.g. NMAP)
• Isolate moving targets (i.e. students)

Perform Security Reviews
• Offer as a service BEFORE they have an incident
• Examine data security in entirety (electronic, printed data, physical)
• Ensure that comments aren’t surprises
• Allow responses from department
• Follow up on progress

The Threat from Within
• Make security support a service
• Give end users the knowledge to have a secure system
• Begin to change attitudes
• If all else fails, tell them how much it will cost if there is a breach (time, research effort, reputation, money)

Helpful URLs
• www.alw.nih.gov/Security/prog-full.html
• firosoft.com/security/philez/exploits/any-unix/
• insecure.org
• www.rootkit.com (WIN environment)
• www.sans.org/