Effective Cybersecurity Practices for Higher Education
Educause Southeast Regional Conference, Seminar 1A, June 6, 2005
Mary Dunker, Virginia Tech; Tammy Clark, Georgia State University

Page 1: Effective Cybersecurity Practices for Higher Education

1

Effective Cybersecurity Practices for Higher Education

Educause Southeast Regional Conference

Seminar 1A

June 6, 2005

Mary Dunker

Virginia Tech

Tammy Clark

Georgia State University

Page 2: Effective Cybersecurity Practices for Higher Education

2

Seminar Agenda

EDUCAUSE/Internet2 Security Task Force initiatives

The Effective Security Practices Guide (ESPG)

Questions and Break

Securing Unmanaged Computers

Questions and Feedback

Page 3: Effective Cybersecurity Practices for Higher Education

3

Overview of Effective Security Practices

Educause/Internet2 Security Task Force background, working groups, initiatives

Tools, including Information Security Governance Assessment (ISG)

Effective Security Practices Guide

Risk assessment methodology from Virginia Tech

Page 4: Effective Cybersecurity Practices for Higher Education

4

Strategic Goals

The Security Task Force received a grant from the National Science Foundation to identify and implement a coordinated strategy for computer and network security for higher education. The following strategic goals have been identified:

Education and Awareness

Standards, Policies, and Procedures

Security Architecture and Tools

Organization, Information Sharing, and Incident Response

Page 5: Effective Cybersecurity Practices for Higher Education

5

Security Task Force Groups

Awareness & Training Working Group

Effective Practices & Solutions Working Group

Policies & Legal Issues Working Group

Risk Assessment Working Group

High Performance & Advanced Networking Working Group (SALSA)

Security Conference Program Committee

Page 6: Effective Cybersecurity Practices for Higher Education

6

National Cyber Security Awareness Month

The Security Task Force and the Higher Ed IT Alliance have endorsed October as National Cyber Security Awareness Month.

The National Cyber Security Alliance is a unique partnership among the Federal government, leading private sector companies, trade associations and educational organizations that aims to educate Americans about the need for computer security and to encourage all computer users to protect their home and small business systems.

See www.StaySafeOnline.info

Page 7: Effective Cybersecurity Practices for Higher Education

7

Annual Security Conference

EDUCAUSE/Internet2 Security Professionals Conference

April 10-12, 2006
Denver Marriott City Center Hotel
Denver, Colorado

Typical Program Content/Tracks: Baseline & Advanced Technology Solutions; Security Management and Operations; Policy and Law

For more info, see www.educause.edu/conference/security

Page 8: Effective Cybersecurity Practices for Higher Education

8

Information Security Governance Assessment Tool

The Information Security Governance (ISG) Assessment Tool is intended to help colleges and universities determine the degree to which they have implemented an ISG Framework at the strategic level within their institution. This tool is not intended to provide a complete and detailed list of information security policies or practices one must follow. Rather, it is intended to help institutional leadership identify general areas of concern as they relate to the ISG Framework.

Sections within the Tool: Organizational Reliance on IT; Risk Management; People; Processes; Technology

http://www.educause.edu/ir/library/pdf/SEC0421.pdf

Page 9: Effective Cybersecurity Practices for Higher Education

9

ISG: Reliance on IT

Page 10: Effective Cybersecurity Practices for Higher Education

10

ISG: Risk Management

Page 11: Effective Cybersecurity Practices for Higher Education

11

ISG: Final Score

Page 12: Effective Cybersecurity Practices for Higher Education

12

Configuration Benchmarks

As a free service to EDUCAUSE Institutional Members, EDUCAUSE has entered into a cooperative agreement with the Center for Internet Security (CIS) to provide each EDUCAUSE Institutional Member with a license to redistribute CIS Benchmarks and Software Tools on college and university owned systems. The relationship entitles Institutional Members to redistribute CIS Benchmarks and Software Tools to students, faculty and employees for use on computers owned by the students, faculty and employees. The CIS Benchmarks and Software Tools are resources for Institutional Members to assess and measurably improve the security configuration status of their IT systems and networks.

Page 13: Effective Cybersecurity Practices for Higher Education

13

Implications of CIS Partnership

Encourage the adoption and deployment of widely-accepted, consensus technical control standards (benchmarks) for system security configuration in colleges and universities.

Establish technical control baselines that can be presented to software vendors and hardware suppliers as default security configurations for systems that colleges and universities purchase.

Expand participation in the CIS consensus development process by security specialists in EDUCAUSE member colleges and universities to ensure that college and university-unique needs are met.

http://www.cisecurity.org/

Page 14: Effective Cybersecurity Practices for Higher Education

14

CIS Scoring Tool

Page 15: Effective Cybersecurity Practices for Higher Education

15

Cyber Security Forum for Higher Education

The purpose of the Cyber Security Forum for Higher Education is to create a forum for the discussion of higher education computer and network security issues between the corporate community and the EDUCAUSE/Internet2 Computer and Network Security Task Force with the goal of improving higher education cyber security through mutual efforts.

Page 16: Effective Cybersecurity Practices for Higher Education

16

Vendor Engagement

Established Corporate Cyber Security Forum to create a dialogue with vendors on practices that have a significant impact on higher education security

Educause established the Corporate Cyber Security Forum to develop linkages with the vendor community. Members include Microsoft, IBM, Dell, HP, Datatel, PeopleSoft, Oracle, Cisco, and SCT

Task force visited Microsoft in September ’03 to explain the needs of higher education and engaged Microsoft for support during the SP2 rollout for Windows XP.

Page 17: Effective Cybersecurity Practices for Higher Education

17

Effective Security Practices Guide

Balancing the need for security with the higher education tradition of open and collaborative networking

http://www.educause.edu/security/guide

Page 18: Effective Cybersecurity Practices for Higher Education

18

Why Not Identify Best Practices?

Higher education is too diverse in mission and size for a single best practice to be universally effective.

Even within a small group of like institutions, few would identify what they are doing now as “Best Practices.” Everyone feels there is room for improvement in what they are doing!

Threats are rapidly changing and these effective practices may have a limited shelf life. What might work today may be useless next year.

Page 19: Effective Cybersecurity Practices for Higher Education

19

ESPG Overview

Practical approaches to preventing, detecting, and responding to security problems

Community driven, serving University ISOs and supporting staff

Codify experiences of experts

Examples of success

Potential models to follow

Provide for various types of institutions

Modular resource

Flexibility in presentation & implementation

Page 20: Effective Cybersecurity Practices for Higher Education

20

ESPG Design and Development

Diagram (flow labels only): ESP database; core materials; case study submission process; future contributions; seed case studies; past workshops, discussions & community vetting; categories & keyword searches; structured presentation; suitability, editing, notification & update

Page 21: Effective Cybersecurity Practices for Higher Education

21

Core Subject Areas

Policy

Education, Training and Awareness

Risk Analysis and Management

Security Architecture Design

Network and Host Vulnerability Assessment

Network and Host Security Implementation

Intrusion and Virus Detection

Incident Response

Encryption, Authentication & Authorization

Addendum: university & vendor resources

Page 22: Effective Cybersecurity Practices for Higher Education

22

Effective Practices: Contributors

Bethune-Cookman, Brown, Cornell, CSUSB, GA Tech, GWU, Indiana University, MSCD, Notre Dame, NC A&T, Penn State, U Alabama, Purdue, UC Berkeley, UCONN, U Maryland BC, U Washington, U Wisc Madison, Virginia Tech, Yale University

Page 23: Effective Cybersecurity Practices for Higher Education

23

ESPG Highlights

Evolution of Security Practices

Page 24: Effective Cybersecurity Practices for Higher Education

24

Evolution of Security Practices

• It is not always possible to jump to the most effective practices
● Can’t scan for policy violations without policies
● Can’t develop policies without mature security standards

• Some practices require significant human resources
● Intrusion detection
● Incident response

• Some practices become more effective over time
● Technical support becomes more effective with supporting tools, security policies and architecture

Page 26: Effective Cybersecurity Practices for Higher Education

26

Risk Analysis

The most effective security practice given limited resources

Types of Risk:
• Strategic Risk
• Financial Risk
• Legal Risk
• Operational Risk
• Reputation Risk

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 27: Effective Cybersecurity Practices for Higher Education

27

Ideal Risk Analysis & Management

Knowledge of all relevant regulations

Training and awareness of staff

Developing plans to audit individual units for compliance

Developing and implementing a code of conduct for the organization

Establishing control mechanisms to ensure compliance

Qayoumi, Mohammad H. “Mission Continuity Planning: Strategically Assessing and Planning for Threats to Operations,” NACUBO (2002).

Page 28: Effective Cybersecurity Practices for Higher Education

28

Risk Analysis Overview

Risk = Threats x Vulnerability x Impact

Need to weigh & prioritize risks to develop strategy

Threats: intruders, insiders, accidents, natural disasters

Vulnerabilities: weaknesses in design, implementation, or operation

Impact: level of harm to the institution

Page 29: Effective Cybersecurity Practices for Higher Education

29

Practical Risk Analysis in Higher Education

• Preliminary Risk Analysis (year 1)
● Gathering allies, data and support

• Risk Analysis of Critical Processes (year 2)
● Concentrating on high risk areas

• Institution-wide Risk Analysis (year 3+)
● Broadening view to include the whole institution

Page 30: Effective Cybersecurity Practices for Higher Education

30

Virginia Tech STAR Risk Process

STAR - Security Targeting and Analysis of Risks

Developed in-house several years ago

Prioritized assets, risks, and controls

Very detailed voting structure

Used color codes for compliance

Had a control compliance matrix

Templates provided to reduce resistance

TODAY – same concept but we have simplified the process

Page 31: Effective Cybersecurity Practices for Higher Education

31

Risk Analysis Process at Virginia Tech

Information Technology process
● IT Security Officer leads effort
● Annual process with detailed listings
● Lots of involvement with teams
● Evolved into individual risk analysis reports for other departments

University departments
● Every 3 years / update major changes
● Annual reviews on progress
● All reports submitted to the IT Security Office

Page 32: Effective Cybersecurity Practices for Higher Education

32

Keys to Success in the Risk Analysis Process

Secure senior management support

Select a strong risk analysis team

Provide risk analysis templates

Provide instruction and assistance

Specify a timetable for completion

Have a collection point for all reports

Take the risk analysis process seriously

Page 33: Effective Cybersecurity Practices for Higher Education

33

Senior Management Support

Important to secure executive support

Executive should issue directive to all department heads

Directive should specify a time for final reports

Accountability for completing risk analyses

Executive will identify IT Security Office as providing leadership for effort

Page 34: Effective Cybersecurity Practices for Higher Education

34

Assets Are More Than Machines

We are now linking Asset identification to the management org chart

Assets can be:
● Physical systems
● Groups of systems that support a service
● Business process that requires a group of systems
● Business process that depends on other business processes
● Data
● People

Page 35: Effective Cybersecurity Practices for Higher Education

35

Asset Classification

Diagram (labels only), three tiers: Business Process A, Business Process B, Business Process C; Oracle DB, Forms Servers, Auth Servers; Host A through Host F

Page 36: Effective Cybersecurity Practices for Higher Education

36

Page 37: Effective Cybersecurity Practices for Higher Education

37

Page 38: Effective Cybersecurity Practices for Higher Education

38

Page 39: Effective Cybersecurity Practices for Higher Education

39

Asset Ranking

Page 40: Effective Cybersecurity Practices for Higher Education

40

IT Common Risks

Twelve (12) common risks identified by VT IT:
• System Administration Training
• Desktop Access Control
• Operational Policies
• Key Person Dependency
• Bad Passwords
• Data Disclosure
• Internal Physical Security
• External Physical Security
• Cleartext
• Spoofing/Forgery
• Natural Disaster
• Construction Mistakes

Page 41: Effective Cybersecurity Practices for Higher Education

41

Sample Risk Ranking

Page 42: Effective Cybersecurity Practices for Higher Education

42

Reference Risks to Critical Assets

Review list of critical assets

Simply determine which risks apply to which critical assets

Can get into more detail and map risks to critical assets by voting technique

Helps determine what may need to be addressed first
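A worked example of the scoring described on this slide and on the earlier Risk Analysis Overview (Risk = Threats x Vulnerability x Impact), written for this page and not taken from the seminar or from Virginia Tech's STAR materials; the asset tiers, their dependency links, the 1-5 votes and the risk-to-asset mapping are all constructed:

```python
# Added example (not from the slides): Risk = Threats x Vulnerability x Impact scoring.
# Constructed inventory in the slide's tiers (business process -> service -> host):
# name -> (impact 1-5 = level of harm to the institution, assets it depends on)
ASSETS = {
    "Business Process A": (5, ["Oracle DB"]),
    "Oracle DB": (4, ["Host A"]),
    "Auth Servers": (3, ["Host B"]),
    "Host A": (2, []),
    "Host B": (2, []),
}

# Risk names from the "IT Common Risks" slide; (threat, vulnerability) are
# constructed 1-5 votes standing in for the slides' voting technique.
RISK_VOTES = {
    "Bad Passwords": (4, 3),
    "Cleartext": (3, 4),
    "Key Person Dependency": (2, 5),
    "Natural Disaster": (1, 2),
}

# "Reference risks to critical assets": which common risks apply to which asset.
RISK_MAP = {
    "Host A": ["Bad Passwords", "Natural Disaster"],
    "Host B": ["Bad Passwords", "Natural Disaster"],
    "Oracle DB": ["Cleartext", "Key Person Dependency"],
    "Auth Servers": ["Cleartext", "Bad Passwords"],
}

def effective_impact(name):
    """Losing a host harms every process built on it, so impact is the maximum
    over the asset itself and everything that (transitively) depends on it."""
    dependents = [a for a, (_, deps) in ASSETS.items() if name in deps]
    return max([ASSETS[name][0]] + [effective_impact(d) for d in dependents])

def rank_risks():
    """(asset, risk, score) triples, highest Threats x Vulnerability x Impact first."""
    rows = []
    for asset, risks in RISK_MAP.items():
        for risk in risks:
            threat, vuln = RISK_VOTES[risk]
            rows.append((asset, risk, threat * vuln * effective_impact(asset)))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

def asset_ranking():
    """(asset, total) pairs, the slides' asset ranking, highest total first."""
    totals = {}
    for asset, _, score in rank_risks():
        totals[asset] = totals.get(asset, 0) + score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
```

Note that Host A, whose own impact is only 2, inherits impact 5 through Oracle DB and Business Process A, which is why mapping assets to the management org chart matters before ranking.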

Page 43: Effective Cybersecurity Practices for Higher Education

43

Map Risks to Assets

Page 44: Effective Cybersecurity Practices for Higher Education

44

Recommendations and Solutions

May be difficult to do at the time of report

Others need to be involved in the details: management, technical personnel, etc.

More detailed report may be needed:
● Description of solution
● Impact statement
● A cost/benefit analysis
● Proposed dates

Page 45: Effective Cybersecurity Practices for Higher Education

45

Recommendations

The risk(s) for an asset will be addressed within a specific timeframe, and a brief explanation should be included

Controls to address a risk (or risks) will not be implemented because of information obtained during analysis (new software, new location, etc.)

Controls will not be implemented based on factors (time, budget, etc.) in the dept. or operating unit

There may not be a known solution at this time, or you don’t feel the risk is a real danger

Page 46: Effective Cybersecurity Practices for Higher Education

46

Using STAR

Visit the Effective Security Practices Guide

Select the link to “Risk Analysis of Critical Areas and Processes”

The STAR link will take you to http://www.security.vt.edu/playitsafe/riskanalysis/

All forms used by Virginia Tech are online

Page 47: Effective Cybersecurity Practices for Higher Education

47

Additional Security Resources

EDUCAUSE/Internet2 Computer & Network Security Task Force: http://www.educause.edu/security

Security Discussion Group: http://www.educause.edu/cg

Effective Security Practices Guide: http://www.educause.edu/security/guide

Internet2 Security Initiatives: http://security.internet2.edu

Research and Education Networking Information Sharing and Analysis Center (REN-ISAC): http://www.ren-isac.net

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE): http://www.cert.org/octave