IT Security & Higher Education
Why should higher ed care?
Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission
Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity
- Education and Training
  - Centers of Academic Excellence
  - Professional Training and Certification
- Research and Development
  - Cyberinfrastructure
  - Basic and Applied Research
Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk
Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.
GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Higher Education Computer Security Incidents in the News
- Hacker Steals Personal Data on Foreign Students at U. of Kansas (Chronicle of Higher Education, 1/24/2003)
- UMBC students’ data put on Web in error (Baltimore Sun, 12/7/2002)
- Why Was Princeton Snooping in Yale’s Web Site? (Chronicle of Higher Education, 8/9/2002)
- Delaware Student Allegedly Changed Her Grades Online (Chronicle of Higher Education, 8/2/2002)
. . . in the News
- Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges (Chronicle of Higher Education, 6/20/2002)
- Hacker exposes financial information at Georgia Tech (ComputerWorld, 3/18/2002)
- College Reveals Students’ Social Security Numbers (Chronicle of Higher Education, 2/22/2002)
- Hackers Use University’s Mail Server to Send Pornographic Messages (Chronicle of Higher Education, 8/10/2001)
. . . in the News
- Review to ensure University of Montana Web security (Montana Kaimin, 11/14/2001)
- ‘Code Red’ Worms Linger (Chronicle of Higher Education, 9/14/2001)
- Students Fault Indiana for Delay in Telling Them About Stolen Files (Chronicle of Higher Education, 3/16/2001)
. . . in the News
- [UWashington] Hospital records hacked hard (SecurityFocus.com, 7/12/2000)
- 3 Universities in California Find Themselves Linked to Hacker Attacks (Chronicle of Higher Education, 2/25/2000)
- Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses (Chronicle of Higher Education, 3/13/1998)
Goals of IT Security
- Confidentiality - Computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
- Integrity - Computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
- Availability - Computers, systems and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Higher Ed IT Environments
- Technology Environment
  - Distributed computing and wide range of hardware and software from outdated to state-of-the-art
  - Increasing demands for distributed computing, distance learning and mobile/wireless capabilities which create unique security challenges
- Leadership Environment
  - Reactive rather than proactive
  - Lack of clearly defined goals (what do we need to protect and why)
- Academic Culture
  - Persistent belief that security & academic freedom are antithetical
  - Tolerance, experimentation, and anonymity highly valued
A Risk Management Approach
Risk = Threats x Vulnerability x Impact
Threats
An adversary that is motivated to exploit a system vulnerability and is capable of doing so
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Threats
- Hackers
- Insiders
- “Script Kiddies”
- Criminal Organizations
- Terrorists
- Enemy Nation States
Vulnerabilities
An error or a weakness in the design, implementation, or operation of a system.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Examples of Vulnerabilities
- Networks – wired and wireless
- Operating Systems – especially Windows
- Hosts and Systems
- Malicious Code and Viruses
- People
Impact
Risk refers to the likelihood that a vulnerability will be exploited or that a threat may become harmful.
National Research Council CSTB Report: Cybersecurity Today and Tomorrow: Pay Now or Pay Later (2002)
Impact: Types of Risk
- Strategic Risk
- Financial Risk
- Legal Risk
- Operational Risk
- Reputational Risk
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Handling Risks
- Risk Assumption
- Risk Control
- Risk Mitigation
- Risk Avoidance
Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).
Security Task Force
- Formed Summer 2000
- Respond to charges that higher education is lax and dangerous
- Threat of blunt-edged regulations
- Co-chairs, Steering Committee
- Web page, Listservs, Conferences
- Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th
Executive Order 13231 – October 2001
Created the President’s Critical Infrastructure Protection Board (PCIPB)
Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
USA PATRIOT Act
National Strategy to Secure Cyberspace
- Draft announced September 18
- See www.securecyberspace.gov
- Includes higher ed contribution
- National, not a government, strategy
- Secure your own piece of cyberspace
- Market driven, not regulatory
- Best practice, information sharing
- Final Strategy Release – TBD
Higher Education Contribution
- Higher Education Interests:
  - Teach security
  - Invent technology
  - Powerful networks and computers
- Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy
- Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf
Framework for Action
- Make IT Security a higher and more visible priority in higher education
- Do a better job with existing security tools, including revision of institutional policies
- Design, develop and deploy improved security for future research and education networks
- Raise the level of security collaboration among higher education, industry and government
- Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
NSF Workshops
- A More Complete Response to National Strategy
  - Experts on academic values
  - Experts on practices and policies
  - Research scientists who use the networks
  - Summit including all stakeholders
- Foundation for Future Activities
Guiding Principles
- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity, and Access
- Fairness and Process
- Ethics, Integrity, and Responsibility
Action Agenda
1. Identify Responsibilities for IT security, Establish Authority, and Hold Accountable
2. Designate an IT Security Officer
3. Conduct Institutional Risk Assessments
4. Increase Awareness and Provide Training to Users and IT staff
5. Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d)
6. Require Secure Products From Vendors
7. Establish Collaboration and Information Sharing Mechanisms
8. Design, Develop, and Deploy Secure Communication and Information Systems
9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.
10. Invest in Staff and Tools
Security: Negative Deliverable
Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
What Every President Must Do
Ensure the confidentiality, integrity, and availability of University assets and information
Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact
Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions
For more information, contact:
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security