Northwestern University Information Technology Good Security is Good “Business” 08 April 2005

Post on 22-Dec-2015


Page 1

Northwestern University Information Technology

Good Security is Good “Business”

08 April 2005

Page 2

Information and Systems Security/Compliance

Office of the Vice President

Mort Rahimi, VP & CTO

Pat Todus, AVP & Deputy CIO

Dave Kovarik, Director

Sharlene Mielke, Disaster Recovery

Roger Safian, Information Security

Page 3

Dave Kovarik

• Office: (847) 467-5930

• Email: [email protected]

• 1800 Sherman Ave., Evanston, Suite 600

• 22 years in Information Security practice

• CISSP: Certified Info Systems Security Professional

• CISM: Certified Information Security Manager

Information and Systems Security/Compliance

Page 4

Mission

“Enable the University to Conduct Its Business in a Secure Manner”

Purpose

“Maintain that delicate balance between service and security”

Information and Systems Security/Compliance

Page 5

Primary Areas of Responsibility

• Security – Information Protection Services

• Compliance - Regulatory, University policy

• Disaster Recovery / Business Continuity

Information and Systems Security/Compliance

Page 6

Business Defined…

Page 7

University “Business”

Partnerships

Research

Services

Schools

Finances

Students

Intranets, Internet…

Can they be trusted?

Alumni

Page 8

Internet

Every system must be secured

Inside is almost as risky as outside

Individual systems

Intranet

Data Center

Foundational Issues

• Ubiquitous connectivity

• PCs everywhere

• High mobility

• Are all assets protected?

• “Contingent” clients
– Contractors
– Vendors/consultants
– Temporary users

• Links to partners, affiliates

Diversity introduces Risk

Page 9

Regulatory & Client Demands

Stakeholders

• Trustees

• Schools

• Students

• Research

• Employees

Technologies

• Web / Internet

• Databases

• Collaboration

• Wireless

• Mobile Devices

Laws/Regulations

• Sarbanes-Oxley

• GLBA, HIPAA

• FERPA

• Patriot Act

• and more…

Pressure mounting on universities to prove compliance with an increasing array of laws and regulations + Increasing demands for services = Security becomes ever more challenging.

Page 10

Complexity Abounds

(Diagram labels)

• Network Access Control Interception and Enforcement Facility

• PKI Manager

• Centralized Security Policy Manager

• Digital Signature Interface

• Other Security Entity Manager

• Token Card Manager

• OS Security Management Tools

• Certificate Authority Interface

• Virus Interception & Correction

• VPN Session or Tunnel Manager

• Single Sign-on Tools

• Security Event Report Writer(s)

• Encryption Facilities for Network Connections

• Security Policy Distributor

• Cyberwall/Firewall Rule Base

• Connection Manager and Logging

• Application Proxy Implementations

• Security Traffic Event Analyzer

• Application Logging Facility

• VPN IPSec and VPN Connection Manager

• Stateful Inspection

• Intrusion Logging

• Intrusion Prevention

• Application Inspection

• Security Event Logging

• Security Integrity Manager

• Packet Inspection

• Frame Inspection

• Security Filter Engine

• Real-time Frame Management

• Intrusion Detection
– Network
– Host-based
– Application-based

• Authentication

• Cryptography

• Anti-Virus

• Intrusion Detection

• Auditing

• Security Management

Page 11

Convergence

We Are More Alike than Different…

“You will be assimilated – resistance is futile.”

Page 12

2005…

• Jan. 03 George Mason University

• Jan. 06 University of Kansas

• Jan. 18 Univ. of California, San Diego

• Feb. 02 Indiana University

Page 13

2005…

• Mar. 11 Boston College

• Mar. 14 California State University, Chico

• Mar. 18 University of Nevada, Las Vegas

• Mar. 20 Northwestern University

• Mar. 28 University of California, Berkeley

Page 14

Why Are Universities Targets?

Page 15

Why Are Universities Targets?

Page 16

Why Are Universities Targets?

Page 17

What Can We Do?

• Passphrases

• Security Awareness

• Self-Assessment

• Policy Compliance

• Use NUIT Services

Page 18

Passwords

• The password is Passphrase

Page 19

Your passphrase

• Encrypted passphrase
– Tf$/cgi3tcG.H

• Your passphrase
– ********

• Matching them up
– Does ******* == Tf$/cgi3tcG.H ?

Page 20

Sniffers

• Collects data
– username and passphrase

• Widely available

• Available for many operating systems

• You won’t notice

• Often creates very large log files

Page 21

Passphrase Crackers

• Tools that “Crack” passphrases

• Widely Available

• Very efficient

• Uses system information

• Dictionary-based attack

• Has many rules for substitution

Page 22

Choosing a good passphrase

• Not based on personal information

• Don’t use anything in a dictionary

• Never tell it to anyone

• Change it regularly

• Your passphrase is like a toothbrush
– Don’t share it, and change it when necessary

Page 23

NU,WPiP!

Northwestern University, Where Parking is Plentiful!
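
An added example, not part of the original slides: a Python sketch of the "matching them up" step from page 19 and of a check that applies the page 21 and 22 rules from the defender's side, before a passphrase is accepted. The word list, the personal details, the substitution table and the use of PBKDF2-HMAC-SHA256 in place of the crypt-style hash shown on the slide are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list standing in for a real dictionary.
WORDLIST = {"password", "wildcat", "evanston", "purple", "letmein"}
# Character substitutions that cracking rules undo before the dictionary lookup.
UNDO = str.maketrans("013457@$!", "oleastasi")
EDGE = "0123456789!?.,-_#*"  # digits/punctuation commonly tacked onto a word


def hash_passphrase(passphrase, salt=None):
    """Return (salt, digest); only these are stored, never the passphrase."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return salt, digest


def verify(passphrase, salt, stored):
    """Hash what the user typed with the stored salt and compare digests."""
    return hmac.compare_digest(hash_passphrase(passphrase, salt)[1], stored)


def check_passphrase(passphrase, personal):
    """Return the slide's rules that the candidate breaks (empty list = OK)."""
    lowered = passphrase.lower()
    variants = {lowered, lowered.translate(UNDO),
                lowered.strip(EDGE).translate(UNDO)}
    problems = []
    if any(tok.lower() in v for tok in personal for v in variants):
        problems.append("based on personal information")
    if variants & WORDLIST:
        problems.append("dictionary word after undoing substitutions")
    return problems


if __name__ == "__main__":
    personal = ["jordan", "rivera", "1984"]  # constructed user details
    for candidate in ("P@ssw0rd1!", "Rivera1984", "NU,WPiP!"):
        print(candidate, "->", check_passphrase(candidate, personal) or "ok")
    salt, stored = hash_passphrase("NU,WPiP!")
    print(verify("NU,WPiP!", salt, stored), verify("nu,wpip!", salt, stored))
```

The first-letters passphrase from page 23 passes both checks, while a dictionary word dressed up with substitutions and a trailing digit does not.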

Page 24

Passphrases

• You can find additional information on passphrases, E-mail, NetIDs, and related policies & guidelines at…

http://www.it.northwestern.edu/accounts/index.html

Page 25

What Can We Do?

• Pass-Phrases

• Security Awareness

• Self-Assessment

• Policy Compliance

• Use NUIT Services

Page 26

Security Awareness

The Prince of Paranoia says:

• If It Walks Like A Duck...

• Trust, But Verify

• Identity Theft – pay attention or pay dearly!

http://www.idtheftcenter.org/index.shtml

Page 27

Security Awareness

• Get Control!

• Junk mail – just trash it!

• Phishing… and now Pharming

• Privacy & Identity Theft

http://www.it.northwestern.edu/security/index.html

Page 28

What Can We Do?

• Pass-phrases

• Security Awareness

• Self-Assessment

• Policy Compliance

• Use NUIT Services

Page 29

Self-Assessment

• Get & Stay Patched!!!

• Keep Anti-virus Current!!!

• Run Anti-Spyware - FREQUENTLY

• Run Analysis Tools – FREQUENTLY

http://www.it.northwestern.edu/security/index.html

Page 30

What Can We Do?

• Pass-phrases

• Security Awareness

• Self-Assessment

• Policy Compliance

• Use NUIT Services

Page 31

Policy Compliance

University Policies…

• Security, Privacy & Responsibilities

• Infrastructure

• Services

• Guidelines

• Best Practices

http://www.it.northwestern.edu/policies/index.html

Page 32

What Can We Do?

• Pass-phrases

• Security Awareness

• Self-Assessment

• Policy Compliance

• Use NUIT Services

Page 33

NUIT Services

Academic Technologies / Bob Taylor

• Supports NU faculty members' instructional and research needs and supplies educational technologies and multimedia resources to the entire NU community.

http://www.it.northwestern.edu/about/departments/at/index.html

Page 34

NUIT Services

Administration & Finance / Steve Beck

• Provides administrative and financial support for other IT units in the pursuit of NUIT's mission.

http://www.it.northwestern.edu/about/departments/af/index.html

Page 35

NUIT Services

Computing Services / Dana Nielsen

• Acquires, supports, and maintains the computing platforms for NU's administrative, instructional, and research systems.

http://www.it.northwestern.edu/dss/abt-dept-itcs/

Page 36

NUIT Services

Information Systems Architecture / Tom Board

• Oversees the design, maintenance, and improvement of University middleware

http://www.it.northwestern.edu/about/departments/isa/index.html

Page 37

NUIT Services

iCAIR – International Center for Advanced Internet Research / Joe Mambretti

• Teams with international partners to accelerate innovation and enhance global communications through leading-edge Internet research and pre-production deployment.

http://www.it.northwestern.edu/about/departments/icair/index.html

http://www.icair.org

Page 38

NUIT Services

Management Systems / Betty Brugger

• Provides information systems support to assist University staff and faculty in the performance of business-related or administrative processes, primarily at the enterprise level.

http://www.it.northwestern.edu/about/departments/itms/index.html

Page 39

NUIT Services

Technology Support Services / Wendy Woodward

• Educates the NU community on computing and network resources available on campus and over the Internet as well as new and changing technology at Northwestern.

http://www.it.northwestern.edu/about/departments/tss/index.html

Page 40

NUIT Services

Telecommunications & Network Services / Dave Carr

• Designs, procures, installs, operates, and maintains the central voice, data, image, and video communication services for the NU network.

http://www.it.northwestern.edu/about/departments/tns/index.html

Page 41

NUIT Services

The Collaboratory Project / Gary Greenberg

• A Northwestern University initiative that provides project consulting, training, and technical advice to teachers interested in using the Collaboratory to advance education.

http://www.it.northwestern.edu/about/departments/cp/index.html

http://collaboratory.nunet.net/cwebdocs/index.html

Page 42

Back to the Beginning

• Competitive advantage – publicity is not necessarily a good thing

• Maximize profitability by minimizing loss

• Promote & preserve reputation

Page 43

Back to the Beginning

• Mandated by legislation – compliance minimizes vulnerability to adverse action

• Establishes “trust” required of partnerships

• It’s expected of a premier University

Page 44

ISS/C

Information and Systems Security/Compliance

• Dave Kovarik (847) 467-5930

[email protected]

• Sharlene Mielke (847) 467-7804

[email protected]

• Roger Safian (847) 467-4058

[email protected]