Computer-Related Incidents in Colleges and Universities: Factors and Categorization

Virginia Rezmierski and Daniel Rothschild, The University of Michigan.

Presentation Transcript


  1. Computer-Related Incidents in Colleges and Universities: Factors and Categorization
     Virginia Rezmierski, Daniel Rothschild
     The University of Michigan
     This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
     CIFAC

  2. Previous work, new questions
     • Building on earlier studies
     • Questions being asked today

  3. Building on earlier studies: I-CAMP (Incident Cost Analysis and Monitoring Project)
     • How do we measure incident costs?
     • What are the costs associated with incidents?
     • Cost of 30 incidents: $1,015,810

  4. Building on earlier studies: I-CAMP II
     • What about smaller incident costs?
     • What is the frequency of different incidents?
     • Risk = Cost × Frequency
     • Mean costs of incidents:
         • Access compromise: $1,800
         • Harmful code: $980
         • DoS: $22,350
         • Hacker attacks: $2,100
         • Warez sites: $340

  5. Building on earlier studies: LAMP (Logging and Monitoring Privacy Project)
     • Do administrators log and monitor?
     • How far can we go within FERPA?
     • Inadequate training and resources
     • Inadequate protections
     • Liability when departments function in isolation

  6. Computer Incident Factor Analysis and Categorization Project
     • How do incidents compare across institutions?
     • How do other institutions handle similar incidents?
     • What are the causative and facilitative factors associated with different incident types?
     • What are the best practices available for incident prevention and management?

  7. Incidents and Models
     • What is an incident?
     • Why is this important?
     • Involving people from across campus
     • Disagreements within IT
     • Narrow definitions
     • CIFAC Methodology
     • 3 focus groups, 33 total participants

  8. An incident is an event that utilizes or exploits information technology resources or security flaws therein, either by accident or by design and through malice or otherwise, that causes, directly or indirectly, one or more of the following occurrences:
     • Compromise of proprietary, confidential, or protected data,
     • System disruption which impedes user(s)’ access to data or other IT resources,
     • Violates IT use policies set out and made known by the administrator(s) of the IT systems in question,
     • Violates norms commonly accepted within the community of system user(s) for use of IT resources,
     • Attempting or conspiring to engage or represent oneself or another to be engaged in any aforementioned behavior.

  9. An incident is any action/event that takes place through, on, or involving information technology resources, whether accidental or purposeful, that has the potential to destabilize, violate, or damage, the resources, services, policies, or data of the community or individual members of the community. Such incidents may focus on/target individuals, systems/networks, or data resources and result in a policy, education, disciplinary, or technical action.

  10. Incidents and Models
     • Risk-management incident prevention
     • Burden placed on IT staff
     • Historically left isolated
     • Benefit-cost analysis: how to devote scarce resources
     • Thresholds: Codified rules of action
     • Reduces technologist liability
     • Devote time to the problem

  11. Incidents and Models
     • What’s happening in the literature?
     • Convergence of corporate and educational literature to holistic approach to management
     • Robert Austin and Christopher Darby, “The Myth of Secure Computing,” Harvard Business Review (June 2003), 120-126.
     • Focus on specific vulnerabilities and attack types
     • Categorization of incidents
     • Colleges and universities moving from lists to codification and modeling

  14. Seriousness
     • Short incidents and categorization
     • System-focused: 37%
     • Data-focused: 22%
     • People-focused: 42%
     • Roles and perception of seriousness

  15. Seriousness: Variables
     • Long incidents
     • Seriousness ratings
     • Three variables of interest:
         • Quantity or extent of loss
         • Rank of the people involved
         • Potential for further damage
     • Other identified variables

  16. • Risk (or lack) of harm to people
     • Potential criminality
     • Not my job/role/responsibility
     • Policy issue/violation
     • Outside authority involvement
     • Number of people affected
     • Financial/monetary cost to university/department
     • Knowledge of quantity of damage
     • Opportunity cost/time to fix
     • Number of machines affected
     • Type of data affected
     • Fraud/Liability to uni/FERPA
     • Public relations/reputation
     • Types of machines affected
     • Types/rank of people affected
     • Other/misc

  17. Seriousness: Variables
     • Variables list
     • Most common variables:
         • Probability of danger to person(s) (84%)
         • Type and sensitivity of data involved (50%)
         • Probability of further access/damage (37%)
         • Cost to the department/college/university (15%)

  18. Getting Into Factors

  19. 1) User education (i.e.: no education or poor education)
     2) Policy existence/quality (i.e.: no policy or poor policy)
     3) Too much access/inappropriate access level available
     4) Physical security lacking
     Remainder unranked:
     • Policy enforcement/or ignorance of policy
     • Ignorance of law/potential legal ramifications
     • Failure to audit/examine logs
     • Sysadmin training/performance; no or inadequate training
     • Too much bandwidth
     • Virtual security lacking
     • Ease of (mis)use; absence of tech. impediment to inappropriate use
     • IT department not consulted/left out of loop
     • Password poor or exposed
     • Human nature/behavior
     • Access termination procedures lacking or faulty
     • Inappropriate information in public directory
     • Configuration error

  20. CIFAC/NSF
     • Second phase of CIFAC project: identifying causative and associative factors
     • Methodology
     • 36 colleges and universities, 18 corporations
     • Per respondent: three retrospective and three future incidents
     • Up to three respondents per institution

  21. CIFAC/NSF: Questions
     • Are there common factors associated with
         • People-focused incidents?
         • Systems-focused incidents?
         • Data-focused incidents?
     • Is there a common set of variables used to rate seriousness?
     • What else can we find about the effects of role?

  22. CIFAC/NSF
     • Geographic clusters:
         • San Francisco Bay area
         • Chicago area
         • Atlanta area
         • Baltimore/DC area
         • Eastern Massachusetts area
         • Southeast Michigan/Northern Ohio area

  23. The CIFAC Project
     Gerald R. Ford School of Public Policy
     University of Michigan
     712 Oakland Street
     Ann Arbor, MI 48104-3021
     734-615-9595
     cifac.staff@umich.edu
     Final report to EDUCAUSE: http://www.educause.edu/asp/doclib/abstract.asp?ID=SEC0409
