Top 10 Security Risks For Educational Institutions

Presentation Transcript

  1. Top 10 Security Risks For Educational Institutions
     Thursday, April 3, 2008
     Presenters:
     • Dr. Tom Cupples, EdD, CISSP, MCSE
     • Dr. Craig Klimczak, DVM, MS

  2. Agenda
     • Security Terms 101
     • The Security Forecast
     • Technology Risks
     • Personnel Risks
     • The Threat to Higher Education
     • Tools for Coping

  3. Security Terms 101
     • Threat – potential cause of an unwanted event which could cause damage to an asset
     • Vulnerability – weakness of an asset that can be exploited by a threat
     • Impact – a measure of the effect of an event
     • Risk – the combination of the likelihood of an event and its potential impact
     • Control – means of managing risk – can be administrative, technical, managerial, or legal in nature
     Reference - http://www.iso27001security.com/Top_information_security_risks_for_2008.pdf

  4. The Security Forecast: CRN
     • VoIP
     • Professional Attack Toolkits
     • Virtualization
     • Online gaming
     • Vista
     • Storm Worms
     • Pump and Dump
     • Social Networking Sites
     • Online applications
     • Phishing
     Reference - http://www.crn.com/security/203600054?queryText=top+10+risks+2008

  5. The Security Forecast: SANS
     • Browser vulnerabilities
     • Botnets
     • Targeted Phishing
     • VoIP/Mobile Devices
     • Insider Attacks
     • Persistent Bots
     • Spyware
     • Web Applications
     • Blended Phishing with VoIP & Event Phishing
     • Supply chain attacks
     Reference - http://www.sans.org/top20/

  6. The Security Forecast: McAfee
     • Web 2.0
     • Botnets
     • Instant Malware
     • Online Gaming
     • Vista
     • Adware
     • Targeted Phishing
     • Parasitic Malware
     • Virtualization
     • VoIP
     Reference - http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_avert_predictions_2008.pdf

  7. The Security Forecast: Computer Associates
     • Botnets
     • Malware
     • Online Gaming
     • Social Networking Sites
     • Key Dates of Opportunity
     • Web 2.0
     • Vista
     • Mobile Devices
     Reference - http://www.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97702

  8. The Security Forecast: Symantec
     • Bot Evolution
     • Election Campaigns
     • Mobile Platforms
     • Spam Evolution
     • Virtual Worlds
     Reference - http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=endofyear

  9. Technology Risks
     • VoIP/Mobile Devices & Platforms
     • Professional Attack Toolkits
     • Virtualization & Vista
     • Online & Web-based Applications
     • Browser Vulnerabilities
     • Botnets & Persistent Bots & Bot Evolution
     • Spyware
     • Supply Chain Attacks
     • Web 2.0
     • Instant Malware, Parasitic Malware & Adware

  10. Personnel Risks
     • Online Gaming
     • Storm Worms
     • Pump and Dump
     • Social Networking Sites
     • Event, Targeted, & Blended Phishing
     • Insider Attacks
     • Key Dates of Opportunity & Election Campaigns
     • Virtual Worlds

  11. The Threat to Higher Education
     • Web Applications
     • Social Engineering
     • Cyber Terrorism
     • Communications
     • Human Error/Lack of Training
     • Crisis Management
     • Strong Passwords/ID Protection
     • Networks (Physical-Wireless, Logical-Social)
     • Identity Life Cycle Management
     • PCI Standard for Payment Acceptance

  12. Tools for Coping with Web Application Threats
     • Microsoft (http://www.microsoft.com/downloads/details.aspx?familyid=E9C4BFAA-AF88-4AA5-88D4-0DEA898C31B9&displaylang=en)
     • Sun Microsystems (http://www.javapassion.com/j2ee/WebSecurityThreats.pdf)

  13. Tools for Coping with Social Engineering Threats
     • Education
     • Policy Development
     • Procedure Development & Personnel Training
     • Monitoring

  14. Tools for Coping with Cyber Terrorism Threats
     • Federal Bureau of Investigation (http://www.fbi.gov/)
     • Law Enforcement Training Site (http://www.counterterrorismtraining.gov/pubs/02.html)
     • Department of Homeland Security (http://www.dhs.gov/index.shtm)

  15. Tools for Coping with Communications Threats
     • International Telecommunications Union (http://www.itu.int/net/home/index.aspx)
     • Federal Communications Commission (http://www.fcc.gov/pshs/)
     • National Institute of Standards and Technology (http://csrc.nist.gov/)

  16. Tools for Coping with Human Error & Lack of Training
     • Education
     • Policy Development
     • Procedure Development & Personnel Training
     • Monitoring

  17. Tools for Coping with Crisis Management
     • Missouri Department of Homeland Security (http://www.dps.mo.gov/HomelandSecurity/)
     • Missouri Campus Security Task Force (http://www.dps.mo.gov/CampusSafety/index.htm)
     • FEMA (http://www.fema.gov)
     • Local Law Enforcement

  18. Tools for Coping with Strong Passwords & ID Protection Threats
     • Microsoft "How-to" (http://www.microsoft.com/protect/yourself/password/create.mspx)
     • Microsoft "Password Checker" (http://www.microsoft.com/protect/yourself/password/checker.mspx)
     • Microsoft - What is a Strong Password? (http://technet2.microsoft.com/windowsserver/en/library/d406b824-857c-4c2a-8de2-9b7ecbfa6e511033.mspx?mfr=true)
     • SANS Tutorial (http://www.sans.org/reading_room/whitepapers/authentication/1636.php)

  19. Tools for Coping with Networks
     • Use Encryption for
        • Storing Usernames and Passwords
        • Transmitting Usernames and Passwords
        • Storing Files
        • Transmitting files on a
           • Local Area Network
           • Virtual Private Network
           • Intranet/Extranet
     • Use two factor authentication when possible
     • Enforce Strong Passwords
     • Use Password Policies that require timely changes in passwords

  20. Tools for Identity Life Cycle Management
     • Microsoft (http://www.microsoft.com/windowsserver2003/technologies/idm/ilm.mspx)
     • Sun Microsystems (http://www.sun.com/storagetek/white-papers/identity_enabled_ilm.pdf)

  21. Tools for PCI Standard for Payment Acceptance
     • PCI Standard Website (http://www.pcistandard.com/home.html)
     • PCI Standard White Paper (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf)
     • PCI Forum (http://www.pciforum.us/pci/)

  22. Conclusion
     • There is no guarantee of total security.
     • The best that can be accomplished is managing the threats.
     • Know your enemy!

  23. Questions?
     • Dr. Tom Cupples, tgcupples@stlcc.edu
     • Dr. Craig Klimczak, cklimczak@stlcc.edu
     http://www.stlcc.edu