Securing Your Campus: What Every CIO Should Be Doing Joy Hughes CIO, George Mason University firstname.lastname@example.org Peter M. Siegel CIO, University of California, Davis email@example.com Jack Suess VP of IT, U of Maryland, Baltimore County firstname.lastname@example.org
Seminar Logistics • Seminar 11A - Securing Your Campus: What Every CIO Should Be Doing • 8:30 to Noon • Please check your name off the list. • Break is at 10:00 - 10:15 • Materials: • Seminar booklet with slides • CD containing security resources
Securing Your Campus: What Every CIO Should Be Doing • This seminar will focus on the senior IT leader's role in securing the campus. It will leverage the work produced by the Security Task Force to help IT leaders understand current security issues and future trends. Special emphasis will be placed on using community resources to improve handling of sensitive data, preventing and responding to security incidents, and establishing security awareness programs on campus.
Basic Principles • Pete Siegel
Learning Objectives • Develop an understanding of the importance of proper incident handling when a security incident occurs • Examine and discuss the ethical “gray areas” associated with security incidents • Review the security resources available to help you at your campus • Identify steps you can take now to improve security at your campus • Review the role of privacy in campus planning
What Is “Information Security?” • Programs, policies, and practices to maintain the Integrity, Availability and Confidentiality of Electronic Information • Robert Ono, UC Davis
Major Components of an Information Security Program Robert Ono, UC Davis
Security Checkpoint • How many of you in the past 18 months have completed… • A risk assessment? • A comprehensive security plan?
ECAR Preliminary Results • In November 2005 ECAR replicated its study done in 2003. Some general findings: • Security technology is being deployed as quickly as funding permits • Staffing and funding for security have increased • Only 51% reported having done a risk assessment • 11% report having a comprehensive security plan • With this increase in funding, why are things appearing to get worse? • People and process issues are always the hardest!
Security Checkpoint • How many information security staff (in FTEs) do you have? • Has the number increased in the past 2 years? • Quip of the Day: “If you have to think about whether they are doing I.T. security or not, then don’t count them.” Paraphrase of George Strawn, NSF CIO, Cybersecurity Summit, Sep 2004
ECAR - Staffing complement and structure vary significantly • 50% of respondents had at least one full-time security staff member, with multi-person staffs most often reported at institutions with larger numbers of devices (10,000+) on their networks • 66% of respondents indicated that they did not expect the size of their IT security staff to change in the next two years. 25% expected to add one staff member, and 9% expected to add two or more
Major Components of an Information Security Program • One way to think about it…
Major Components of an Information Security Program • Metaphor of “FIREFIGHTING” • Prevention / Avoidance • Fire codes, building codes, research • Assurance • Building inspections, fire drills, assessment • Response • Fire detectors, pulling alarms, getting everyone out, warning neighbors • Actually putting out fires! • Recovery and Investigation • Cleanup, hotel stay, rebuilding according to code, code citations
Actions We Recommend • By end of talk, you as… • CIOs • I.T. unit directors and managers • will have a set of “take-away” action items identified as effective community practices
Actions for CIOs i. Designate an information security officer and organizationally place this position in an effective location. ii. Review your institutional security policy. Does the policy define security governance? Is the policy clear with respect to requirements and responsibilities? iii. Review the security model which underlies your institution’s security program. Does the program address prevention, assurance, response and recovery? Do security program initiatives correspond to the identified system/network/data risks and regulatory controls? iv. Review the process by which core institutional data is identified and protected. v. Review your institutional strategic plan and information security long-term plans for congruence.
Actions for IT unit directors and Managers i. Assign specific technical staff members to support your information security program. Ensure that staff members understand their responsibilities and are sufficiently trained to carry out these responsibilities. ii. Conduct unit security awareness for non-technical staff. Effective security practices require the participation of everyone in the unit. iii. Conduct periodic risk assessments of your information systems and data using a team of administrators and technical staff. Verify that security work objectives will reduce vulnerabilities within high-risk security areas. iv. Adopt an organizational framework for security management. Review information security work objectives and progress on a regular basis. Focus measurement on reliable metrics wherever possible. v. Align unit security practices with institutional requirements. Review unit compliance with institutional security policies and regulations.
Information Security Challenges • The Challenges… • Too few resources • Too much to do • We can’t get everyone to buy in • It will take time • No, really, too few resources • Solution?
Challenges: Handling complexity by risk assessment • Solution • Share the risk (and responsibility) • View the issues as campus issues, not as “I.T.” issues • Carefully consider risks, address higher-risk issues first, and address progressively more • Not everything can be accomplished in a single year • Estimate risk against cost (including effort, local expertise)
Information Security Challenges Robert Ono, UC Davis
Information Security Challenges Discussion • [Chart: effort axis (Low Effort, High Effort) against risk axis (High Risk … Low Risk)]
The Crisis in Confidential Data Disclosure on Campus • To see just what the situation is: www.privacyrights.org/ar/ChronDataBreaches.htm • Some Facts - • January 2005 – August 2007 • 159,054,253 private records disclosed • This represents only the tip of the iceberg, and the problem is more substantial than these data indicate
Security Breaches are Increasing • More data available & at risk • Institutions providing 24x7 Internet access • Staff & faculty moving to laptops & wireless • Internet increasingly hostile • Botnets & home broadband a bad combination • Organized crime now engaged - lucrative targets • HE gaps in policy, resources, & expertise • Numerous breaches outside purview of central IT • Some believe campuses are being targeted • Governing boards, legislators, public upset
Funding Agencies becoming concerned • Granting agencies expect more and more sophisticated security plans as part of grants • NSF: Large Centers, but likely to expand • NIH • Faculty need to be part of your campus plan, not (in general) create their own
Laws and Policy – Privacy / Security • HIPAA Privacy Rule - Health Insurance Portability and Accountability Act • FERPA – Family Educational Rights and Privacy Act • California* Information Practices Act • Notification, 1798 California* Civil Code • PCI – Payment Card Industry standards * Your state goes here!
Laws and Policies – Privacy / Security • FISMA – Federal Information Security Management Act • On your campus: • Privacy Standards / Policies • Communications Policies • Cyber-safety Policy and Security Standards
Data Breaches – Good News • Academic institutions represent only about 2% of the records exposed during breaches in 2007 • Academic institutions report the largest number of incidents (compared with business, medical, K-12) • Tradition of openness • Relatively sophisticated detection • Improving steadily • More work needs to be done
More States Require Notification 35 States as of Jan 2007 Courtesy of U. of Georgia http://infosec.uga.edu/policymanagement/breachnotificationlaws.php
Notification an Ethical Response • Fear of Identity Theft • Nearly 100m identities released in recent years! • Press is making this a big issue, because their readers are concerned • Companies see money to be made by “protecting people from ID theft” and hype threats • Privacy groups want to use this issue to change data practices in companies • Result - average person, our students, faculty, and staff are worried!
Identity Theft Is Big Business Jan 22, 2007 14:23 ET LifeLock Begins Working With Rush Limbaugh TEMPE, AZ -- (MARKET WIRE) -- January 22, 2007 -- LifeLock, the leader in ID Theft prevention, today announced a new radio advertising campaign with the nationally syndicated radio program, "The Rush Limbaugh Show," that will communicate a powerful, consistent message about preventing the rapidly growing crime of identity theft. … (http://www.marketwire.com/mw/release.do?id=725647&sourceType=1)
Case Study • Jack Suess
A Case Study • Based on real incident at large public institution
2003 Incidents at UT • 2003 – Central admin database system breached; 45,000 names/SSNs exposed • This incident is important because it was one of the first higher education data incidents to get national media coverage. • It is also one of the cases (possibly the only one in higher ed) in which the person responsible was caught and successfully prosecuted. • Credit for these slides goes to our colleague Dan Updegrove, VP of IT at UT during this period.
2003 SSN Data Theft Chronology • Sun, Mar 2: initial observation of high-volume database access from off-campus • Mar 3: Law enforcement & ISPs contacted • Mar 4: Evidence points to UT undergrad student • Mar 5: 2 residences searched by U.S. Secret Service; press breaks story; UT “datatheft” website • Mar 14: Student arrested • Jun 10, 2005: Student convicted in Federal court • Sep 6, 2005: Student sentenced: 5 yrs community svc, $170K restitution; sentence under appeal
Case Study Overview • Why was UT vulnerable? • What did the attacker do? • How did UT respond? • Plea bargaining, trial, sentencing, (appeal?) • What was the cost to UT? • Lessons learned from this incident?
Why UT was vulnerable • Used SSN as a primary key in some of its legacy business systems, including the one that validated that you had completed safety training. • To help another UT campus, it created a backdoor whereby you could enter your SSN to view your safety training record. • As the application evolved from mainframe to web, the developers didn’t recognize the risk inherent in this. • The irony is that UT had planned to shut down this application one week later!
Break-in Discovered on Sunday • Application malfunctioned last week of Feb • Errors attributed to recent software mods • Applications analyst, checking the system Sunday evening, March 2, observed thousands of incremental SSN inputs, all from same IP address, in Houston • Application shut down immediately
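The pattern the analyst spotted by eye (many incremental lookup keys from a single address) can be checked automatically. The sketch below is an added example, not code from UT or the presenters; the log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines: 'timestamp source_ip lookup_key' (format is an assumption)."""
    lines = [
        # Ordinary users: a few unrelated lookups, one repeated key, one short run.
        "2003-03-02T18:59:10 198.51.100.20 000517233",
        "2003-03-02T19:00:05 198.51.100.20 000517233",
        "2003-03-02T19:00:12 198.51.100.31 000284410",
        "2003-03-02T19:00:13 198.51.100.31 000284411",
        "2003-03-02T19:00:14 198.51.100.31 000284412",
    ]
    # One off-campus source walking the key space upward, one request per second.
    # Keys use the 000 prefix, which is never issued as a real SSN area number.
    for i in range(40):
        lines.append(f"2003-03-02T19:00:{i:02d} 203.0.113.7 000{100000 + i:06d}")
    return lines

def parse(line):
    ts, ip, key = line.split()
    return ts, ip, int(key)

def longest_incremental_run(keys, max_step=1):
    """Length of the longest stretch where each key exceeds the previous by 1..max_step."""
    best = run = 1 if keys else 0
    for prev, cur in zip(keys, keys[1:]):
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best

def find_enumeration(lines, min_run=20, max_step=1):
    """Return {source_ip: stats} for sources whose lookups form a long incremental run."""
    by_ip = defaultdict(list)
    for ts, ip, key in sorted(map(parse, lines)):  # ISO timestamps sort chronologically
        by_ip[ip].append(key)
    alerts = {}
    for ip, keys in by_ip.items():
        run = longest_incremental_run(keys, max_step)
        if run >= min_run:
            alerts[ip] = {"lookups": len(keys), "longest_run": run}
    return alerts

if __name__ == "__main__":
    for ip, stats in find_enumeration(build_sample_log()).items():
        print(f"ALERT {ip}: {stats['lookups']} lookups, run of {stats['longest_run']}")
```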