Effective Cybersecurity Practices for Higher Education
Educause Southeast Regional Conference, Seminar 1A
June 6, 2005
Tammy Clark, Georgia State University
Mary Dunker, Virginia Tech
Seminar Agenda
• EDUCAUSE/Internet2 Security Task Force initiatives
• The Effective Security Practices Guide (ESPG)
• Questions and Break
• Securing Unmanaged Computers
• Questions and Feedback
Overview of Effective Security Practices
• Educause/Internet2 Security Task Force background, working groups, initiatives
• Tools, including Information Security Governance Assessment (ISG)
• Effective Security Practices Guide
• Risk assessment methodology from Virginia Tech
Strategic Goals
The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:
• Education and Awareness
• Standards, Policies, and Procedures
• Security Architecture and Tools
• Organization, Information Sharing, and Incident Response
Security Task Force Groups
• Awareness & Training Working Group
• Effective Practices & Solutions Working Group
• Policies & Legal Issues Working Group
• Risk Assessment Working Group
• High Performance & Advanced Networking Working Group (SALSA)
• Security Conference Program Committee
National Cyber Security Awareness Month
• The Security Task Force and the Higher Ed IT Alliance have endorsed October as National Cyber Security Awareness Month.
• The National Cyber Security Alliance is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations that aims to educate Americans about the need for computer security and encourage all computer users to protect their home and small business systems.
• See www.StaySafeOnline.info
Annual Security Conference
• EDUCAUSE/Internet2 Security Professionals Conference
  April 10-12, 2006
  Denver Marriott City Center Hotel
  Denver, Colorado
Typical Program Content/Tracks
• Baseline & Advanced Technology Solutions
• Security Management and Operations
• Policy and Law
• For more info, see www.educause.edu/conference/security
Information Security Governance Assessment Tool
• The Information Security Governance (ISG) Assessment Tool is intended to help colleges and universities determine the degree to which they have implemented an ISG Framework at the strategic level within their institution. This tool is not intended to provide a complete and detailed list of information security policies or practices one must follow. Rather, it is intended to help institutional leadership identify general areas of concern as they relate to the ISG Framework.
• Sections within the Tool:
  • Organizational Reliance on IT
  • Risk Management
  • People
  • Processes
  • Technology
• http://www.educause.edu/ir/library/pdf/SEC0421.pdf
Configuration Benchmarks
• As a free service to EDUCAUSE Institutional Members, EDUCAUSE has entered into a cooperative agreement with the Center for Internet Security (CIS) to provide each EDUCAUSE Institutional Member with a license to redistribute CIS Benchmarks and Software Tools on college and university owned systems.
• The relationship entitles Institutional Members to redistribute CIS Benchmarks and Software Tools to students, faculty and employees for use on computers owned by the students, faculty and employees.
• The CIS Benchmarks and Software Tools are resources for Institutional Members to assess and measurably improve the security configuration status of their IT systems and networks.
Implications of CIS Partnership
• Encourage the adoption and deployment of widely-accepted, consensus technical control standards (benchmarks) for system security configuration in colleges and universities.
• Establish technical control baselines that can be presented to software vendors and hardware suppliers as default security configurations for systems that colleges and universities purchase.
• Expand participation in the CIS consensus development process by security specialists in EDUCAUSE member colleges and universities to ensure that college and university-unique needs are met.
• http://www.cisecurity.org/
Cyber Security Forum for Higher Education
The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.
Vendor Engagement
• Established Corporate Cyber Security Forum to create a dialogue with vendors on practices that have a significant impact on higher education security
• Educause established the Corporate Cyber Security Forum to develop linkages with the vendor community. Members include Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT
• Task force visited Microsoft in September '03 to explain the needs of higher education and engaged Microsoft for support during the SP2 rollout for Windows XP.
Effective Security Practices Guide
Balancing the need for security with the higher education tradition of open and collaborative networking
http://www.educause.edu/security/guide
Why Not Identify Best Practices
• Higher education is too diverse in mission and size for a single best practice to be universally effective.
• Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone feels there is room for improvement in what they are doing!
• Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.
ESPG Overview
• Practical approaches to preventing, detecting, and responding to security problems
• Community driven and serving
• University ISOs and supporting staff
• Codify experiences of experts
• Examples of success
• Potential models to follow
• Provide for various types of institutions
• Modular resource
• Flexibility in presentation & implementation
ESPG Design and Development
[Diagram. Labels: Past workshops, discussions & community vetting; Seed case studies; Core materials; Case study submission process; Suitability, editing, notification & update; ESP database; Structured presentation; Categories & keyword searches; Future contributions]
Core Subject Areas
• Policy
• Education, Training and Awareness
• Risk Analysis and Management
• Security Architecture Design
• Network and Host Vulnerability Assessment
• Network and Host Security Implementation
• Intrusion and Virus Detection
• Incident Response
• Encryption, Authentication & Authorization
• Addendum: university & vendor resources
Effective Practices: Contributors
• Bethune-Cookman
• Brown
• Cornell
• CSUSB
• GA Tech
• GWU
• Indiana University
• MSCD
• Notre Dame
• NC A&T
• Penn State
• U Alabama
• Purdue
• UC Berkeley
• UCONN
• U Maryland, BC
• U Washington
• U Wisc, Madison
• Virginia Tech
• Yale University
ESPG Highlights Evolution of Security Practices
Evolution of Security Practices
• It is not always possible to jump to the most effective practices
  • Can’t scan for policy violations without policies
  • Can’t develop policies without mature security standards
• Some practices require significant human resources
  • Intrusion detection
  • Incident response
• Some practices become more effective over time
  • Technical support becomes more effective with supporting tools, security policies and architecture
Online Demonstration http://www.educause.edu/security/guide
Risk Analysis
The most effective security practice given limited resources
Types of Risk
• Strategic Risk
• Financial Risk
• Legal Risk
• Operational Risk
• Reputation Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Ideal Risk Analysis & Management
• Knowledge of all relevant regulations
• Training and awareness of staff
• Developing plans to audit individual units for compliance
• Developing and implementing a code of conduct for the organization
• Establishing control mechanisms to ensure compliance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Risk Analysis Overview
• Risk = Threats x Vulnerability x Impact
• Need to weigh & prioritize risks to develop strategy
• Threats
  • Intruders, insiders, accidents, natural disasters
• Vulnerabilities
  • Weaknesses in design, implementation, or operation
• Impact
  • Level of harm to the institution
Practical Risk Analysis in Higher Education
• Preliminary Risk Analysis (year 1)
  • Gathering allies, data and support
• Risk Analysis of Critical Processes (year 2)
  • Concentrating on high risk areas
• Institution-wide Risk Analysis (year 3+)
  • Broadening view to include the whole institution
Virginia Tech STAR Risk Process
STAR - Security Targeting and Analysis of Risks
• Developed in-house several years ago
• Prioritized assets, risks, and controls
• Very detailed voting structure
• Used color codes for compliance
• Had a control compliance matrix
• Templates provided to reduce resistance
• TODAY – same concept but we have simplified the process
Risk Analysis Process at Virginia Tech
• Information Technology process
  • IT Security Officer leads effort
  • Annual process with detailed listings
  • Lots of involvement with teams
  • Evolved into individual risk analysis reports for other departments
• University departments
  • Every 3 years / update major changes
  • Annual reviews on progress
• All reports submitted to the IT Security Office
Keys to Success in the Risk Analysis Process
• Secure senior management support
• Select a strong risk analysis team
• Provide risk analysis templates
• Provide instruction and assistance
• Specify a timetable for completion
• Have a collection point for all reports
• Take the risk analysis process seriously
Senior Management Support
• Important to secure executive support
• Executive should issue directive to all department heads
• Directive should specify a time for final reports
• Accountability for completing risk analyses
• Executive will identify IT Security Office as providing leadership for effort
Assets Are More Than Machines
• We are now linking Asset identification to the management org chart
• Assets can be:
  • Physical systems
  • Groups of systems that support a service
  • Business process that requires a group of systems
  • Business process that depends on other business processes
  • Data
  • People
Asset Classification
[Diagram. Labels: Business Process A, Business Process B, Business Process C; Oracle DB, Forms Servers, Auth Servers; Host A, Host B, Host C, Host D, Host E, Host F]
IT Common Risks
• Twelve (12) common risks identified by VT IT:
  • System administration Training
  • Desktop Access Control
  • Operational Policies
  • Key Person Dependency
  • Bad Passwords
  • Data Disclosure
  • Internal Physical Security
  • External Physical Security
  • Cleartext
  • Spoofing/Forgery
  • Natural Disaster
  • Construction Mistakes
Reference Risks to Critical Assets
• Review list of critical assets
• Simply determine which risks apply to which critical assets
• Can get into more detail and map risks to critical assets by voting technique
• Helps determine what may need to be addressed first
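One way to carry out this mapping step together with the Risk = Threats x Vulnerability x Impact formula from the Risk Analysis Overview slide, as an added example that is not part of the seminar slides or Virginia Tech's STAR forms. Only the asset and risk names come from the slides; the dependency edges, the 1-5 vote scale, the use of the median vote and every score are constructed assumptions.

```python
from statistics import median

# Constructed dependency map: which assets each business process or service needs.
DEPENDS_ON = {
    "Business Process A": ["Oracle DB", "Forms Servers"],
    "Business Process B": ["Forms Servers", "Auth Servers"],
    "Business Process C": ["Business Process B", "Auth Servers"],
    "Oracle DB": ["Host A", "Host B"],
    "Forms Servers": ["Host C", "Host D"],
    "Auth Servers": ["Host E", "Host F"],
}
# Constructed impact (1-5) to the institution of losing each business process.
PROCESS_IMPACT = {"Business Process A": 5, "Business Process B": 3, "Business Process C": 4}

# Constructed team ballots: (asset, risk) -> [(threat, vulnerability), ...], each 1-5.
VOTES = {
    ("Oracle DB", "Data Disclosure"): [(4, 3), (5, 3), (4, 4)],
    ("Auth Servers", "Bad Passwords"): [(4, 4), (3, 5), (4, 4)],
    ("Host C", "Key Person Dependency"): [(2, 4), (2, 3), (3, 4)],
    ("Forms Servers", "Cleartext"): [(3, 2), (3, 3), (2, 2)],
}

def inherited_impact(asset, seen=()):
    """Highest impact of any business process that needs this asset, directly or not."""
    if asset in seen:  # guard against a cycle in the dependency map
        return 0
    best = PROCESS_IMPACT.get(asset, 0)
    for parent, children in DEPENDS_ON.items():
        if asset in children:
            best = max(best, inherited_impact(parent, seen + (asset,)))
    return best

def rank_risks(votes=VOTES):
    """Return [(score, asset, risk)], highest first; score = threat x vulnerability x impact."""
    rows = []
    for (asset, risk), ballots in votes.items():
        threat = median(t for t, _ in ballots)  # median damps a single outlier vote
        vuln = median(v for _, v in ballots)
        rows.append((threat * vuln * inherited_impact(asset), asset, risk))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for score, asset, risk in rank_risks():
        print(f"{score:>5}  {asset:<14} {risk}")
```

A host inherits the impact of the most critical business process above it, which is why a low-threat risk on Host C still ranks above a risk on the Forms Servers service itself.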
Recommendations and Solutions
• May be difficult to do at the time of report
• Others need to be involved in the details
  • Management, technical personnel, etc.
• More detailed report may be needed
  • Description of solution
  • Impact statement
  • A cost/benefit analysis
  • Proposed dates
Recommendations
• The risk(s) for an asset will be addressed within a specific timeframe and a brief explanation should be included
• Controls to address a risk (or risks) will not be implemented because of information obtained during analysis (new software, new location, etc.)
• Controls will not be implemented based on factors (time, budget, etc.) in the dept. or operating unit
• There may not be a known solution at this time, or you don’t feel the risk is a real danger
Using STAR
• Visit the Effective Security Practices Guide
• Select the link to “Risk Analysis of Critical Areas and Processes”
• The STAR link will take you to http://www.security.vt.edu/playitsafe/riskanalysis/
• All forms used by Virginia Tech are online
Additional Security Resources
• EDUCAUSE/Internet2 Computer & Network Security Task Force http://www.educause.edu/security
• Security Discussion Group http://www.educause.edu/cg
• Effective Security Practices Guide http://www.educause.edu/security/guide
• Internet2 Security Initiatives http://security.internet2.edu
• Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) http://www.ren-isac.net
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) http://www.cert.org/octave