Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College.

Presentation transcript:

Challenges and Incidents in Higher Ed

About->Presenter Zach Jansen Information Security Officer, Calvin College

Help->About Calvin
~4200 students
–~2500 living on campus
~350 faculty
–0 living on campus?
~700 staff
Off-campus programs in 8 countries

Diverse User Needs
Academic
Administrative
Student / Residential Network

Academic Environment
Academia
–Traditionally an open access environment
–Few restraints or restrictions
–Infrastructure designed to provide access
–Faculty, staff, and students expect to be able to do whatever they need with their computers

Academic Environment (2)
Faculty, staff, and students are used to being able to:
–Install software
–Change/customize settings
–Use machines for personal use
–Store personal data on personal machines with an expectation of privacy

Academic Environment - Machines
Many unmanaged machines on the network.
Received through a grant or donation.
Often run medical or scientific software.
Frequently no updates available, or no money for updates.
Personal machines frequently used.

Academic Environment - Problems
Restrict to least privilege?
Support for custom web scripts?
Provide a secure, but open, environment.
Need to comply with increased regulation, yet still allow an educational environment.
Large amounts of PII to protect.

Administrative
The business end of the college.
Responsible for personal, health, educational, and financial data.
From an IT perspective, managed very similarly to the academic part of the college. Causes problems:
–Compliance
–Securing data

Regulations
FERPA – Family Educational Rights and Privacy Act
Governs how colleges handle
–Grades
–Academic performance
–Directory information
A “no teeth” regulation. What happens if you’re in violation?

HIPAA
Health Services
Student health information
HIPAA specifically excludes protected health information held in “education records”, as those are subject to FERPA.

PCI, GLBA, etc.
The list of regulations goes on.
PCI will continue to become a bigger issue as credit card companies and acquiring banks push it.
Some schools comply by not processing credit cards.
GLBA is again partially complied with by complying with FERPA.

Breach Notification Laws
There are a lot of these.
Pushing a substantial investment in information security.
Nobody wants to be the next school in the news.

Data Security - SSN
It’s 3 o’clock, do you know where your SSNs are?
SSN used as primary identifier by many schools for many years.
Many states have mandated that the SSN not be used.
Big problem for big schools.

Data Security – SSN (2)
Tons of SSNs
–Have to collect SSNs for loan processing with the Department of Education.
Makes for expensive breach notification when they get stolen.

Students / Residential Network
On-campus housing for about 2500 students.
Resnet needs to provide access to Calvin IT services.
Also needs to function as an ISP.
This is the first year wireless has been used more than wired.

Students / Resnet (2)
For general network health, there is a need to keep virus/malware activity to a minimum.
Also need to protect academic and administrative areas from student PCs.

Responsible Freedom
What do you get when you combine the newfound freedom of:
Living away from home
A brand new computer
A super fast internet connection

P2P Issues
Huge bandwidth consumption
Bittorrent and IDS sigs.
DMCA takedown notices
RIAA/MPAA subpoenas.
College Opportunity and Affordability Act
–Forces higher ed to offer a legal alternative to P2P and implement network filtering.

Solutions
Academic
Administrative
Students / Residential Network

Policy
Needs to protect the privacy of professors and students.
Specific category in the AUP for personal data.
IT must have permission of the data owner or 2 VPs to view private data.
Professors’ data, class/student notes, and research are considered private.

Administrative – SSNs
Calvin hasn’t used the SSN as primary identifier for over 18 years.
–I still find them used occasionally.
Some schools use scanners like Spider to find sensitive data.
–High false positives, e.g. Japanese telephone numbers.
Few staff with access to SSNs.
Data purge plans.
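As an added illustration of the false-positive problem on that slide (example code written for this page, not Spider and not anything from the talk): a bare 9-digit pattern fires inside a compactly written Japanese mobile number, while requiring a bounded token, applying the SSA's structural rules and looking for nearby context keywords suppresses it. The keyword list, context window and sample strings are assumptions.

```python
import re

# Constructed example (not Spider, not code from the talk): shows why a bare
# 9-digit pattern fires on Japanese phone numbers and how a tighter matcher
# plus SSA structure rules and nearby context cut those false positives down.

# Naive: any 3-2-4 digit run with optional separators and no boundaries.
NAIVE = re.compile(r"\d{3}[- ]?\d{2}[- ]?\d{4}")
# Strict: token may not touch other digits or hyphens, and both separators
# must be the same character (or both absent).
STRICT = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Assumed keyword list; a hit preceded by one of these gets high confidence.
CONTEXT_KEYWORDS = ("ssn", "social security", "soc sec")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structure rules: area 000, 666 and 900-999, group 00 and serial
    0000 are never issued. SSNs have no check digit, so this only rejects
    impossible values; it cannot prove a hit is real."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

def naive_hits(text: str) -> list:
    """What a boundary-less 9-digit scan reports."""
    return NAIVE.findall(text)

def strict_hits(text: str, window: int = 40) -> list:
    """Return (token, confidence) pairs: 'high' when an SSN keyword appears
    within `window` characters before the token, otherwise 'low'."""
    hits = []
    for m in STRICT.finditer(text):
        if not plausible_ssn(m.group(1), m.group(3), m.group(4)):
            continue
        before = text[max(0, m.start() - window):m.start()].lower()
        conf = "high" if any(k in before for k in CONTEXT_KEYWORDS) else "low"
        hits.append((m.group(0), conf))
    return hits

if __name__ == "__main__":
    # Constructed samples: compact Japanese mobile number, SSN with context,
    # an order number with SSN shape, and an impossible SSN (area 000).
    for line in ("Tel 09012345678", "Student SSN: 123-45-6789 on file",
                 "Order 555-12-3456 shipped", "Ref 000-12-3456"):
        print(f"{line!r}: naive={naive_hits(line)} strict={strict_hits(line)}")
```

The "low" hits are the ones a reviewer still has to eyeball, which is the residual cost of scanning a format that has no check digit.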

Resnet
Both wired and wireless options
Separate VLAN from the rest of campus
–Some schools use completely separate networks.
Use Bradford Campus Manager (NAC) to enforce use of AV, firewall, and a minimum patch level.
–Exemptions for game consoles, Linux.

P2P Solutions
Many schools use traffic shaping (Packeteer).
Traffic shaping:
–Worked well for a while
–Can’t handle encrypted protocols
–Bandwidth caps instead
Ruckus
Not responsible for traffic traversing the network: Safe Harbor.

P2P Wrapup
Most schools don’t block P2P usage
–Has some legitimate uses
–Pretty hard to block effectively
–Don’t want to be held liable
–Academic freedom
Many restrict its use
–Bandwidth hog
–Little to no educational value
Alternatives

Administrative Support
Support of upper management is crucial.
Calvin is blessed with a VP who understands the need for good InfoSec.

Incidents
“I can’t think of a more dirty and dangerous network than one on a college campus.” – Colleague at Georgetown

Stallowned!

Web site hack, Fall 2007
In the spirit of academia, a professor was given permission to write CGI scripts on the web server.
The CGI scripts were vulnerable.
How did the attacker get root?
Bad news.

The End
Time to view the packet capture.