Higher Education- Industry Collaborations to Improve Security Joy Hughes, George Mason University Peter Siegel, University of California, Davis Jack Suess, UMBC


Page 1: Higher Education-Industry Collaborations to Improve Security. Joy Hughes, George Mason University; Peter Siegel, University of California, Davis; Jack Suess, UMBC

Higher Education-Industry Collaborations to Improve Security

Joy Hughes, George Mason University

Peter Siegel, University of California, Davis

Jack Suess, UMBC

Security Task Force Goals

The Security Task Force (STF) has been pursuing the following strategic goals since 2003:

Education and Awareness

Standards, Policies, and Procedures

Security Architecture and Tools

Organization and Information Sharing

STF Priorities for 2007

2007 Strategic Plan: Making Progress on Data Protection, Risk Assessment, Incident Response and Business Continuity

1. Executive Commitment and Action

2. Professional Development for Information Security Officers (ISOs)

3. Awareness of Available Resources

4. Security of Packaged Software

5. New Tools and Technologies

Awareness of Resources

EDUCAUSE/Internet2 Security Task Force
http://www.educause.edu/security

Blueprint for Handling Sensitive Data

Cybersecurity Awareness Resource Center

Data Incident Notification Tool

Information Security Governance Assessment Tool

Risk Assessment Framework

Security Discussion Group

Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC)

EDUCAUSE Cybersecurity Resource Ctr
http://www.educause.edu/cybersecurity

Effective IT Security Practices Guide
https://wiki.internet2.edu/confluence/display/secguide/

Security 2007

April 10-12, 2007, Denver, Colorado

Keynote Speakers: Ira Winkler, author of The Spies Among Us; Pamela Fusco, Head Global InfoSec, CitiGroup

Pre-Conference Seminars: Continuity of Operations Planning, IT Disaster Planning, Wireless Security, DNS Security, Compliance & Legal Issues, Establishing an Information Security Program, Handling Sensitive Data, Incident Response Processes and Tools, and Privacy and Security Training

Concurrent Sessions: Campus & Vendor Presentations

Corporate Displays

Human Networking: BoFs, Roundtable Discussions, Reception, etc.

Why collaborate with Industry?

Original security issues are still there, and some are growing

Problems in new areas: web/db apps

Growing complexity for end users is a PR problem for us

Challenge of “professionalizing” non-security staff on security issues

Heightened state security requirements

Are attacks more sophisticated? Professional? Organized crime? “Industrial” espionage?

Most critical vendor areas?

O/S Vendors in Redmond and Cupertino

Unix vendors

ERP Vendors

Database companies

Networking Vendors

Web 2.0 suppliers

Others???

Networking Vendors

Convergence of networking and security products?

Multiple vendors are now integral to the network

OS Vendors: Microsoft

Vista rollout

The Higher Education Advisory Group has been a strong advocate for security.

How to Engage Vendors

Common effective practices?

Advisory groups?

Checklists of key issues?

Scream

Identity Management - Collaboration opportunity?

Identity Management

High-value collaboration opportunity?

ERP Security Checklist Topics

Managing Roles and Responsibilities

Passwords, IDs and PINs

Data Standards and Integrity

Process Documentation

Exporting Sensitive Data

Sample from Roles/Responsibilities

Is security controlled at the database level or is it left to the applications that are supposedly integrated with the ERP to each control security?

How easy is it to set up role-based access? E.g., can roles be associated with position categories; can default roles be established?

Sample from Roles/Responsibilities

Are there some features of the system that require that the user, no matter what their role, be given access to the underlying database? If so, how is security managed?

Can context-sensitive roles be defined (i.e. the user can perform a function for specified records only at a specified point in the processing cycle)?

Sample from Roles/Responsibilities

Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third party products and reporting tools?

Sample from Roles/Responsibilities

Can the vendor provide you with the names of institutions similar to yours that have implemented role-based security on a wide variety of roles, so that you can assess the person-hours that will be needed to implement and maintain role-based security?

Sample from PINs/IDs/Passwords

Does the system require strong passwords?

Are the IDs randomly or sequentially generated? Are they at least 8 characters long?

Sample from Data Standards/Integrity

Are data fields encrypted at the database level?

Is each standardized data field adequately documented in a data dictionary?

As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?

Sample from Data Standards/Integrity

Can the vendor provide you with the names of institutions similar to yours that have implemented features such as:

- encrypted data fields

- audit trails on data fields

so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?

Sample from Process Documentation

Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?

Are there clear and complete work flow diagrams?

REN-ISAC

Research and Education Networking: Information Sharing and Analysis Center

http://www.ren-isac.net/

REN-ISAC Mission

Serve as a trusted connector hub for the security community to collaborate.

Focus is to improve network security through information collection, analysis, dissemination, early warning, and response;

Unique capability to support the R&E community because of the NOC at Indiana University; and

Supports efforts to protect the U.S. national cyber infrastructure by participating in the formal ISAC structure.

REN-ISAC Members

Membership is open and free to institutions of higher education, teaching hospitals, research and education network providers, and government-funded research organizations. http://www.ren-isac.net/membership.html

Current membership: 300 individual members, 165 institutions

Predominately research universities to date, but increasingly new members are coming from non-research universities.

• Membership is aimed at security staff and vetted to ensure a trust relationship.

REN-ISAC Organization

Hosted by Indiana University

Three permanent staff

Executive Advisory Group

Technical Advisory Group

Support and contributions from: Indiana University, Internet2, EDUCAUSE, Louisiana State University, Worcester Polytechnic Institute, University of Massachusetts Amherst, and the members

Technical Advisory Group

The REN-ISAC Technical Advisory Group (TAG)

Chris Misra - University of Massachusetts Amherst (Chair)

Tom Davis - Indiana University

Phil Deneault - Worcester Polytechnic Institute

Brian Eckman - University of Minnesota

Stephen Gill - Team Cymru

John Kristoff - UltraDNS

Randy Raw - Missouri Research & Education Network (MOREnet)

Joe St Sauver - University of Oregon

Michael Sinatra - University of California, Berkeley

Ex-officio Members

• Doug Pearson - REN-ISAC/Indiana University

• Dave Monnier - REN-ISAC/Indiana University

Executive Advisory Group

The REN-ISAC Executive Advisory Group

Jack Suess - University of Maryland-Baltimore County (Chair)

Brian Voss - Louisiana State University

Theresa Rowe - Oakland University

Marty Ringle - Reed College

Ken Klingenstein - Internet2 & University of Colorado

Rodney Petersen - EDUCAUSE

TBD - HPC center representative

Ex-officio Members

• Mark Bruhn - REN-ISAC/Indiana University

• Chris Misra - TAG Chair, University of Massachusetts Amherst

Focus is on developing a business plan

External Relationships

Internet2 and EDUCAUSE

Other private threat collection and mitigation efforts, e.g. among ISPs, .edu regional groups, etc.

Global Research NOC at Indiana University, servicing Internet2 Abilene, National LambdaRail, and international connecting networks

National ISAC Council and other sector ISACs

Department of Homeland Security & US-CERT

Coming soon - vendors!

Vendor Relationships

REN-ISAC is uniquely positioned to work with vendors because of its status as an ISAC.

Vendors won’t and can’t share security secrets with 2000 institutions, but they will consider sharing with REN-ISAC if we demonstrate we can be trusted.

In final negotiations with one major vendor.

REN-ISAC Activities

A vetted trust community for cybersecurity

Information-sharing and communications channel for vendor security issues

Information products aimed at protection and detection

Participate in incident detection, response, and dissemination

Develop tools for information sharing and response

Information Products

Daily Weather Report provides situational awareness and actionable protection information.

Alerts provide critical, timely, actionable protection information concerning a new or increasing threat.

Notifications identify specific sources and targets of an active threat or incident involving member networks.

Threat Information Resources provide information regarding known active sources of threat.

Information Products (2)

Advisories inform regarding specific practices or approaches that can improve security posture.

Instruction provides training on technical topics relevant to security protection and response.

Monitoring views provide aggregate information for situational awareness.

For More Information

Visit: EDUCAUSE/Internet2 Security Task Force

http://www.educause.edu/security

Contact:

Joy Hughes, GMU, STF Co-Chair, [email protected]

Peter Siegel, UC-Davis, STF Co-Chair, [email protected]

Rodney Petersen, EDUCAUSE, STF Staff, [email protected]