Information Security for Educational Institutions
Mark Rasch, Mark.Rasch@FTIConsulting.com
Introduction
• The threats are real
• Malware (e.g. viruses, worms, Trojan Horses) is becoming more sophisticated
• Security breaches and attacks are becoming more publicized
• People are becoming more concerned with their online privacy…
• However, people still lack awareness of basic computer security issues
A Typical Higher Education Computing Infrastructure
• Traditionally “open”
• Critical for researchers
• Critical for students’ learning
• Higher education comprises 15% of the Internet address space
• Wired campus (dorms to Greek housing), usually with no network authentication
• Many institutions now offer campus-wide wireless access
• Tech-savvy students
Overlapping Security Issues in Industry and Higher Education
• Enormous disconnect between IT and general users
• Lack of awareness of computer security fundamentals (poor practices)
• Social engineering
• Insider threat
• Lack of low-tech and low-cost planning
• Too much focus on products for implementing computer security
• Lack of testing environments to understand threats and potential security breaches
• Security is a reactive process

Risks in Higher Education
• Openness = fertile ground for attacks and risks
• Web hosting and file sharing
• Decentralization
• Lack of visibility for security and privacy
• Security is looked at as a bad thing by professionals and students: tough sell
• Multiple roles of educational institutions:
  • Educational – provider of services
  • Educational – academic freedom
  • Financial
  • Health care
  • Government contractor
  • Real estate owner
  • Internet service provider
  • Law enforcement agency

Hotspots
• Data security
• Privacy
• Next generation of malware
• Poisoned peer-to-peer (P2P) networks and torrents
• Compliance and auditing

Next Generation of Malware
• Now spreading through instant messaging, P2P, social networking sites, cell phones, SMS and MMS
• Malware hybrids: fooling and cloaking malicious intent
• Rootkit - toolbox of tools for a cracker to keep root access; also hides and secures a cracker's presence on a system
• Example: spyware that has a rootkit component
• Can fool anti-virus or anti-spyware software
Next Generation of Malware (continued)
• Kernel-based attack technique using hooks and layers
• Kernel - core of an operating system, responsible for resource allocation, low-level hardware interfaces, security, etc.
• Altering normal program control flow
• The Microsoft Windows architecture makes this possible
• Bottom line: malware is becoming more lethal and far more difficult to find!
Data Privacy
• Mantras:
  • Provide prominent disclosure
  • Data minimization (collection, storage, and sharing)
  • Anonymity
  • Put users in charge of their data
• Other components of a privacy framework:
  • Quality (accuracy and completeness)
  • Security
  • Monitoring and enforcement
WHAT IS FERPA?
The Family Educational Rights and Privacy Act of 1974 protects the privacy of student educational records. FERPA applies to any higher education institution receiving federal funds administered by the Department of Education.

FERPA
• Family Educational Rights and Privacy Act
• 20 U.S.C. § 1232g
• 34 CFR Part 99
WHO IS PROTECTED UNDER FERPA?
Students who are currently enrolled in higher education institutions or formerly enrolled, regardless of their age or status in regard to parental dependency. Students who have applied but have not attended an institution do not have rights under FERPA.
RIGHTS OF STUDENTS
• Inspect and review their Education Records
• Exercise limited control over disclosure of Education Records information
• Seek to correct their Education Records
• Report violations of FERPA to the Department of Education
• Be informed of their FERPA rights

EDUCATION RECORDS
• “Education Records” generally include any records which contain information directly related to the student that are in the possession of the University. The records may be in printed form, handwritten, computer, magnetic tape, e-mail, film or some other medium.

WHAT IS NOT INCLUDED IN AN EDUCATION RECORD?
• Records or notes in the sole possession of educational personnel not accessible to other personnel (i.e. contained in a faculty member’s notes)
• Law enforcement or campus security records (University Police records)
• Records relating to an individual’s employment by the University (Work Study records ARE educational records)
• Medical treatment records (made or maintained by a Physician, Psychiatrist, Psychologist or related paraprofessional)
• Alumni records
LIMITATIONS ON STUDENT’S RIGHT TO INSPECT AND REVIEW
• Students may review their records by submitting a written request to the appropriate Record Custodian.
• 1. The Student is not permitted to inspect and review financial records of his/her parents.
• 2. The Student is not permitted to inspect and review confidential letters and recommendations in their education record (if the student signed a waiver).
• The items listed above are to be removed from the file prior to the student’s review of his/her education record.

LIMITATIONS ON STUDENT’S RIGHT TO INSPECT AND REVIEW (continued)
• 3. Copies are not required unless it is unreasonable for the student to come in and inspect his/her records.
• 4. The University is responsible for providing the student’s records for inspection no later than 45 days after they are requested.
WRITTEN CONSENT OF STUDENT
• Voluntary written consent of the Student to specific third parties. The document should be signed and dated by the Student and state the following:
  -- Specific records to disclose
  -- Purpose of disclosure
  -- Identity of party to whom disclosure is to be made
• The consent will remain valid until the student requests that it be revoked.

WHAT IS DIRECTORY INFORMATION?
• The University may disclose information about a student without violating FERPA through what is known as “directory information”.
• Annually the University is required to notify students in attendance of what information constitutes “directory information.” This notice must also provide procedures for students to restrict the University from releasing his/her directory information. This notice is provided in the annual Student Code of Conduct, on the Registrar’s website, in University Policy, and published in the student newspaper.

DIRECTORY INFORMATION
• Student’s name
• Student’s address
• Telephone number
• Major field of study
• Degrees and awards received
• Previous educational institutions
• Participation in officially recognized sports and activities
• Weight and height for athletes
• Dates of attendance
• Electronic mail address
• Student’s photograph

STUDENT’S REFUSAL TO PERMIT RELEASE OF DIRECTORY INFORMATION
• A student can refuse to permit release of directory information by completing the form in the student paper or on the Registrar’s website, or by forwarding the following statement to the University Registrar’s office at G-3 Thackeray Hall: “I hereby request that no personal information included in my Directory Information be released.” This request must be signed and dated by the student with his/her name, address and social security number.
• Once this request is received at the Registrar’s office, no future disclosures will be made without the student’s written consent.
• The refusal to permit release of Directory Information is permanent.
• A student may rescind this action in person or by submitting a notarized request in writing to the Office of the University Registrar.

RECORDKEEPING REQUIREMENT
• The University is required to keep a record of each request for access and disclosure of personally identifiable information from the education record of each student.
• This record must be maintained with the education record of each student as long as the education record is maintained.

FERPA AND INTERNATIONAL STUDENTS
• International students have the same rights to inspect their records and request amendments.
• International students consent to release of their records to certain governmental agencies on immigration forms.
CORRECTING EDUCATION RECORDS
• Students are permitted to inspect and review their Education Records, and to seek to change any part that they believe is inaccurate, misleading, or in violation of their privacy rights.
• a. If the requested change falls within the individual’s Academic Integrity Guidelines, then the Academic Integrity Guidelines shall control the procedure to follow. FERPA gives the student the right to correct an inaccurately recorded grade, not to have the grade evaluated and changed.
• b. If the requested change is not a violation of the Student or Faculty obligation, then the standard access and release of records procedure will be followed.
RIGHT TO REPORT VIOLATIONS TO THE U.S. DEPARTMENT OF EDUCATION
• Any complaint filed by a Student regarding a violation of their FERPA rights is investigated and processed by the Family Policy Compliance Office of the U.S. Department of Education. If a determination is made that the University is in violation, both the University and the Student will be advised and informed of the measures to be taken in order to come into compliance with the law.
STUDENT’S RIGHT TO BE INFORMED OF THEIR FERPA RIGHTS
• The University is required to annually inform students of their FERPA rights. The notification must also indicate the location of the student’s records and the procedure to be followed to inspect and review their record.

DECEASED STUDENTS
• The privacy rights of an individual expire upon that individual’s death. FERPA does not apply, and it is at the University’s discretion to disclose any information of the deceased student.
How Come So Many Data Privacy Problems Recently?
• Heavy usage of, and dependency on, Social Security Numbers and credit card numbers
• Poor web security
• Insider threats
• Social engineering (scam artists, phishing)
• Pharming
• Third-party businesses
• Linkability

Common Compliance and Legal Frameworks
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Computer Fraud and Abuse Act (CFAA)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Visa USA Cardholder Information Security Program (CISP) / MasterCard Site Data Protection Program / Payment Card Industry (PCI) Data Security Standard
Significance of the Compliance Frameworks
• HIPAA security rule - safeguarding of electronic protected health information
• GLBA - protects privacy of consumer information in the financial sector
• Sarbanes-Oxley Act - executives need to report quickly and accurately
• USA PATRIOT Act – provides law enforcement agencies with greater access to electronic communications
• Colleges and universities have to comply with more regulations than businesses

Impact of Breaches
• Heavy network consumption
• Direct impact on leadership
• Direct impact on students’ learning
• Wasted funding (private and public)
• Legal consequences
• Bad press
• Loss of competitive edge
• Long road to recovery

What You DON’T Want to Do
• Pretend the problems will go away
• Establish reactive and short-term fixes
• Primarily rely on a firewall, or just software solutions, for security perimeter protection
• Fail to understand the relationship of information security to the business problem
• Assign untrained people to maintain security and compliance
Short-Term: Awareness, Awareness, Awareness
• Irony: provisions for education and training in SOX and the DMCA
• Very little money is spent on computer security education for the public
• Security is boring, difficult, and political
• At fault: IT professionals, users, technology
• Lack of ownership of security and privacy issues by companies
• Emerging technologies pose a serious threat if deployed naively
• Unfortunately, given the infrastructure and architecture of current computing systems, users do need to be informed
Short-Term: Awareness (continued)
• Provide an undergraduate course in computer security, privacy, and politics:
  • Overlap of departments and groups in a University (e.g. Computer Science, Law School)
  • Investment for students, the University, and for the instructors of the course

Short-Term: Low-Cost and Low-Tech Improvements
• First things first, ask yourself, and management (revisit the questions):
  • What are your security goals?
  • What are you really protecting?
  • What are your priorities, especially in a product (e.g. interface, administration, prevention)?

Short-Term: Low-Cost and Low-Tech Improvements (continued)
• Write documentation on what system support staff and users need to do with respect to network and information security
• Establish baseline security configurations for all appropriate technology platforms (e.g. web browser)
• Establish a vulnerability management process
• Use vulnerability assessment tools to periodically conduct self-assessments
• Monitor log files from critical systems on a daily basis
• SANS has excellent policy templates
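The "monitor log files from critical systems on a daily basis" item is the kind of low-cost, low-tech control a small campus IT group can start with. The script below is an added example written for this edit, not code from the presentation or from FTI Consulting. It reads OpenSSH-style authentication lines (the sample lines are constructed, with documentation-range addresses), aggregates failed and accepted logins per source, and produces review findings for three conditions a daily reviewer would want flagged: repeated failures from one source, a success from a source that had already tripped the failure threshold, and any success during quiet hours. The threshold of 5 failures and the 22:00–06:00 quiet window are assumptions to tune per site.

```python
import re
from collections import Counter

# Constructed sample lines in syslog/OpenSSH format; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 02:14:07 labhost sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:09 labhost sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 02:14:12 labhost sshd[2113]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:14:15 labhost sshd[2115]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar  3 02:14:18 labhost sshd[2117]: Failed password for root from 203.0.113.7 port 51132 ssh2
Mar  3 02:14:20 labhost sshd[2119]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar  3 02:16:40 labhost sshd[2130]: Accepted publickey for jsmith from 203.0.113.7 port 51140 ssh2
Mar  3 09:02:11 labhost sshd[2301]: Failed password for jdoe from 198.51.100.5 port 40011 ssh2
Mar  3 09:02:30 labhost sshd[2301]: Accepted password for jdoe from 198.51.100.5 port 40011 ssh2
Mar  3 11:45:02 labhost sshd[2402]: Accepted publickey for jsmith from 192.0.2.44 port 60000 ssh2
"""

# Matches the sshd "Accepted"/"Failed" lines; other daemons' lines are ignored.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["time"][:2])
    return event


def summarize(log_text):
    """Per-source counts of failed and accepted logins, for the daily report."""
    failed, accepted = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        (failed if e["result"] == "Failed" else accepted)[e["ip"]] += 1
    return failed, accepted


def review(log_text, fail_threshold=5, quiet_hours=(22, 6)):
    """Walk the log in order and emit (finding, source_ip, user) tuples.

    fail_threshold and quiet_hours are assumed defaults, not values from the slides.
    """
    failures = Counter()
    findings = []
    quiet_start, quiet_end = quiet_hours
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip] += 1
            # Report once, at the moment the source crosses the threshold.
            if failures[ip] == fail_threshold:
                findings.append(("repeated_failures", ip, e["user"]))
            continue
        # An accepted login from a source that already tripped the threshold
        # deserves a human look, whatever the authentication method.
        if failures[ip] >= fail_threshold:
            findings.append(("success_after_failures", ip, e["user"]))
        # Quiet-hours window wraps midnight: 22:00-23:59 and 00:00-05:59.
        if e["hour"] >= quiet_start or e["hour"] < quiet_end:
            findings.append(("off_hours_login", ip, e["user"]))
    return findings


if __name__ == "__main__":
    failed, accepted = summarize(SAMPLE_LOG)
    for ip in sorted(set(failed) | set(accepted)):
        print(f"{ip:16} failed={failed[ip]:3} accepted={accepted[ip]:3}")
    for finding in review(SAMPLE_LOG):
        print("FINDING:", *finding)
```

In production the script would read the previous day's rotated log instead of the embedded sample, and the findings would go to a ticket or mail to whoever owns the daily review. The ordered walk in `review` matters: a success is judged against the failures that preceded it, which is what distinguishes the 203.0.113.7 activity from a single mistyped password followed by a normal login at 09:02.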
Long-Term Opportunity: Develop Visualization Tools (continued)
• Example projects/opportunities:
  • Security situation awareness
  • Profiling users and traffic
  • Linking relationships
  • Network traffic classification
  • Intrusion detection
  • Detecting abnormalities

For More Information
• Mark D. Rasch
• Managing Director – Technology
• FTI Consulting
• 1201 Eye Street, NW
• Washington, D.C. 20005
• (301) 547-6925 tel
• (240) 209-5344 fax
• Mark.Rasch@FTIConsulting.com