Post on 22-Dec-2015
Northwestern University Information Technology
Good Security is Good “Business”
08 April 2005
Information and Systems Security/Compliance
Office of the Vice President
Mort Rahimi, VP & CTO
Pat Todus, AVP & Deputy CIO
Dave Kovarik, Director
Sharlene Mielke, Disaster Recovery
Roger Safian, Information Security
Dave Kovarik
• Office: (847) 467-5930
• Email: [email protected]
• 1800 Sherman Ave., Evanston, Suite 600
• 22 years in Information Security practice
• CISSP: Certified Info Systems Security Professional
• CISM: Certified Information Security Manager
Mission
“Enable the University to Conduct Its Business in a Secure Manner”
Purpose
“Maintain that delicate balance between service and security”
Primary Areas of Responsibility
• Security – Information Protection Services
• Compliance - Regulatory, University policy
• Disaster Recovery / Business Continuity
Business Defined…
University “Business”
Partnerships
Research
Services
Schools
Finances
Students
Alumni
Intranets, Internet… Can they be trusted?
Internet
Every system must be secured
Inside is almost as risky as outside
Individual systems
Intranet
Data Center
Foundational Issues
• Ubiquitous connectivity
• PCs everywhere
• High mobility
• Are all assets protected?
• “Contingent” clients
– Contractors
– Vendors/consultants
– Temporary users
• Links to partners, affiliates
Diversity introduces Risk
Regulatory & Client Demands
Pressure mounting on universities to prove compliance with an increasing array of laws and regulations + Increasing demands for services = Security becomes ever more challenging.
Stakeholders: Trustees, Schools, Students, Research, Employees
Technologies: Web / Internet, Databases, Collaboration, Wireless, Mobile Devices
Laws/Regulations: Sarbanes-Oxley, GLBA, HIPAA, FERPA, Patriot Act, and more…
Complexity Abounds
Network Access Control Interception and Enforcement Facility
PKI Manager
Centralized Security Policy Manager
Digital Signature Interface
Other Security Entity Manager
Token Card Manager
OS Security Management Tools
Certificate Authority Interface
Virus Interception & Correction
VPN Session or Tunnel Manager
Single Sign-on Tools
Security Event Report Writer(s)
Encryption Facilities for Network Connections
Security Policy Distributor
Cyberwall/Firewall Rule Base
Connection Manager and Logging
Application Proxy Implementations
Security Traffic Event Analyzer
Application Logging Facility
VPN IPSec and VPN Connection Manager
Stateful Inspection
Intrusion Logging
Intrusion Prevention
Application Inspection
Security Event Logging
Security Integrity Manager
Packet Inspection
Frame Inspection
Security Filter Engine
Real-time Frame Management
Intrusion Detection: Network, Host-based, Application-based
Authentication
Cryptography
Anti-Virus
Intrusion Detection
Auditing
Security Management
Convergence
We Are More Alike than Different…
“You will be assimilated – resistance is futile.”
2005…
• Jan. 03 George Mason University
• Jan. 06 University of Kansas
• Jan. 18 Univ. of California, San Diego
• Feb. 02 Indiana University
• Mar. 11 Boston College
• Mar. 14 California State University, Chico
• Mar. 18 University of Nevada, Las Vegas
• Mar. 20 Northwestern University
• Mar. 28 University of California, Berkeley
Why Are Universities Targets?
What Can We Do?
• Passphrases
• Security Awareness
• Self-Assessment
• Policy Compliance
• Use NUIT Services
Passwords
• The password is Passphrase
Your passphrase
• Encrypted passphrase
– Tf$/cgi3tcG.H
• Your passphrase
– ********
• Matching them up
– Does ******* == Tf$/cgi3tcG.H ?
Sniffers
• Collects data
– username and passphrase
• Widely available
• Available for many operating systems
• You won’t notice
• Often creates very large log files
Passphrase Crackers
• Tools that “Crack” passphrases
• Widely Available
• Very efficient
• Uses system information
• Dictionary-based attack
• Has many rules for substitution
Choosing a good passphrase
• Not based on personal information
• Don’t use anything in a dictionary
• Never tell it to anyone
• Change it regularly
• Your passphrase is like a toothbrush
– Don’t share it, and change it when necessary
NU,WPiP!
Northwestern University, Where Parking is Plentiful!
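The passphrase slides above, as an added example that is not part of the original presentation: the system keeps only a salted one-way hash and "matches them up" by hashing the attempt, and a defender-side check rejects passphrases that a dictionary cracker with substitution rules would guess. PBKDF2 stands in for whatever hash the slide's system used; the word list, substitution table and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample word list; a real check would load a full dictionary.
WORDLIST = {"password", "wildcat", "evanston", "purple", "parking"}
# Assumed table of common substitutions that cracking rules undo.
UNSUB = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

def hash_passphrase(passphrase, salt=None, rounds=200_000):
    """Return (salt, digest); only these are stored, never the passphrase."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, rounds)
    return salt, digest

def verify(passphrase, salt, stored, rounds=200_000):
    """'Matching them up': hash the attempt, compare in constant time."""
    _, candidate = hash_passphrase(passphrase, salt, rounds)
    return hmac.compare_digest(candidate, stored)

def dictionary_based(passphrase):
    """True if undoing substitutions (with or without appended digits and
    marks) leaves a dictionary word, forwards or reversed."""
    lowered = passphrase.lower()
    trimmed = lowered.strip("0123456789!?.#*")
    for form in (lowered, trimmed):
        core = "".join(ch for ch in form.translate(UNSUB) if ch.isalpha())
        if core in WORDLIST or core[::-1] in WORDLIST:
            return True
    return False

def mnemonic(sentence):
    """Build a passphrase as the slide does: first letter of each word,
    keeping the punctuation."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)

if __name__ == "__main__":
    phrase = mnemonic("Northwestern University, Where Parking is Plentiful!")
    salt, stored = hash_passphrase(phrase)
    print(phrase, verify(phrase, salt, stored), dictionary_based("P@ssw0rd1"))
```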
Passphrases
• You can find additional information on passphrases, E-mail, NetIDs, and related policies & guidelines at…
http://www.it.northwestern.edu/accounts/index.html
Security Awareness
The Prince of Paranoia says:
• If It Walks Like A Duck...
• Trust, But Verify
• Identity Theft – pay attention or pay dearly!
http://www.idtheftcenter.org/index.shtml
• Get Control!
• Junk mail – just trash it!
• Phishing… and now Pharming
• Privacy & Identity Theft
http://www.it.northwestern.edu/security/index.html
Self-Assessment
• Get & Stay Patched!!!
• Keep Anti-virus Current!!!
• Run Anti-Spyware - FREQUENTLY
• Run Analysis Tools – FREQUENTLY
http://www.it.northwestern.edu/security/index.html
Policy Compliance
University Policies…
• Security, Privacy & Responsibilities
• Infrastructure
• Services
• Guidelines
• Best Practices
http://www.it.northwestern.edu/policies/index.html
NUIT Services
Academic Technologies / Bob Taylor
• Supports NU faculty members' instructional and research needs and supplies educational technologies and multimedia resources to the entire NU community.
http://www.it.northwestern.edu/about/departments/at/index.html
Administration & Finance / Steve Beck
• Provides administrative and financial support for other IT units in the pursuit of NUIT's mission.
http://www.it.northwestern.edu/about/departments/af/index.html
Computing Services / Dana Nielsen
• Acquires, supports, and maintains the computing platforms for NU's administrative, instructional, and research systems.
http://www.it.northwestern.edu/dss/abt-dept-itcs/
Information Systems Architecture / Tom Board
• Oversees the design, maintenance, and improvement of University middleware
http://www.it.northwestern.edu/about/departments/isa/index.html
iCAIR – International Center for Advanced Internet Research / Joe Mambretti
• Teams with international partners to accelerate innovation and enhance global communications through leading-edge Internet research and pre-production deployment.
http://www.it.northwestern.edu/about/departments/icair/index.html
http://www.icair.org
Management Systems / Betty Brugger
• Provides information systems support to assist University staff and faculty in the performance of business-related or administrative processes, primarily at the enterprise level.
http://www.it.northwestern.edu/about/departments/itms/index.html
Technology Support Services / Wendy Woodward
• Educates the NU community on computing and network resources available on campus and over the Internet as well as new and changing technology at Northwestern.
http://www.it.northwestern.edu/about/departments/tss/index.html
Telecommunications & Network Services / Dave Carr
• Designs, procures, installs, operates, and maintains the central voice, data, image, and video communication services for the NU network.
http://www.it.northwestern.edu/about/departments/tns/index.html
The Collaboratory Project / Gary Greenberg
• A Northwestern University initiative that provides project consulting, training, and technical advice to teachers interested in using the Collaboratory to advance education.
http://www.it.northwestern.edu/about/departments/cp/index.html
http://collaboratory.nunet.net/cwebdocs/index.html
Back to the Beginning
• Competitive advantage – publicity is not necessarily a good thing
• Maximize profitability by minimizing loss
• Promote & preserve reputation
• Mandated by legislation – compliance minimizes vulnerability to adverse action
• Establishes “trust” required of partnerships
• It’s expected of a premier University
ISS/C
Information and Systems Security/Compliance
• Dave Kovarik (847) 467-5930
• Sharlene Mielke (847) 467-7804
• Roger Safian (847) 467-4058