UCCSC 8/3/04 Pursuit of IT Security: Lessons Learned. Huapei Chen -- Director of IT, EECS; Alex Brown -- Project Lead, EECS. Department of Electrical Engineering and Computer Sciences, Univ. of CA Berkeley

Pursuit of IT Security: Lessons Learned. It all started on a hot summer day in August, 2003…

What We Had… Blaster Disaster
– 2 out of 5 Windows systems in EECS were rebuilt (compromised or unpatched).
– Estimate FTE hours lost (not counting data loss).
– 65% of grad student laptops were compromised (largest representation of un/mismanaged mobile systems).
– User awareness was at an all-time high AFTER the incident, but misconfigured systems still appear on the net daily.

What We Had… EECS IT Risk Assessment
– A month-long, department-wide activity encompassing all aspects of IT services: infrastructure, applications, operations, people.
– Does not fare well against a corporate environment.
– Serious lack of user awareness, IT policy and enforcement, and “standards” for computing devices.
– Starting point of the year-long EECS IT security project.

What We Had…

Virus/Spam Too many to mention:
– bagle (32+ variants, .a through .ah)
– mydoom (13+ variants, .a through .m)
– netsky (.a through .ac)
– soBig, klez, etc.
Many viruses are transmitted via % of all incoming EECS are “spam”.

What We Had… It’s a Jungle Out There…

What We Have?
– Active instructional courses and labs
– Demanding administrative services
– Dominant research areas: a) Wireless b) Motes c) HoneyPots d) HPC and large, computation-intensive simulations e) Nano research f) Microfabrication g) Optical/QoS-related networking research
– Delicate balance between the need for stable, 24x7 production services and the need for flexibility and robustness.
– Historically, a cutting-edge research environment defies convention and resists “centralization” or “standardization” of IT.

What We Have?
“Centralized” infrastructure services:
– Networking (wired and wireless)
– IP-based services
– User account management
– Department-wide applications
– Instructional
“Federalized” tier-1 and tier-2 services:
– User-level support
– Desktop and server management
– Application development
– Research-specific support
Highlight: Communications
– Dissemination of information
– Difficulty in harboring support and understanding
– Not streamlined

What We Have?
Various federal and state level laws:
– SB-1386
– DMCA
UCB Minimum Security Standard:
– Patch management
– Personal firewall
UCB Data Management, Usage, and Protection Policy:
– Classification of all data
– Mandatory protection of certain types of systems
Community buy-in:
– Change in culture
– Encouragement and enforcement of “right” behavior
– Expensive!!

What We Have? Many monkeys on our backs…

Realistically… IRIS (the EECS IT organization) reports to a faculty committee led by one Vice Chair.
– Committee meets twice a year
– One person makes the high-level operational decisions
– Takes a long time to build consensus when dealing with substantial policy changes
EECS has 110+ faculty == 110+ CIOs. Many IRIS operations are supported via a fee-for-service model. What is the right model for us?

Realistically… Too many chiefs, not enough indians.

Control as Little as Possible

Imposing Order Original reaction in the wake of Blaster:
– Strong perimeter firewall
– Mandatory central management of all systems
– Limitations on allowed platforms, services, and applications

Reassessment
Perimeter firewall did not fly.
Does central control make sense?
– A historically decentralized culture
– Wildly diverse computing needs
– Limited resources for a task that does not scale
How to improve on the decentralized model?

Mandating the Right Things Policies:
– Campus plus departmental policies
– Technical enforcement
– Encouraging compliance

Mandating the Right Things
Network control:
– Registration of hosts
– Identification of POC (point of contact)
– Ability to withdraw network access on short notice
Communications channels:
– Automated contact mailing list for POCs
– Mandatory education for incoming students

Releasing Control Optional centralized services:
– Full end-node management
– Patch management
– Antivirus management (host-based and scanning)
– Active and passive network scanning
– Education and training
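The network-control slide (host registration, POC identification, withdrawal of access) and the scanning service above fit together as one triage loop; the following is an added example of that loop, not code from the EECS/IRIS project, with a constructed registry and scan results and an invented 10.42.0.0/16 department range.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Registration:
    ip: str
    hostname: str
    poc: str            # point of contact e-mail, recorded at host registration

@dataclass(frozen=True)
class ScanFinding:
    ip: str
    unpatched: bool     # host fails the minimum security standard (e.g. missing patches)
    prior_notices: int = 0  # how many times the POC has already been notified

# Constructed sample data: addresses, names and contacts are invented, not EECS records.
DEPT_NET = ip_network("10.42.0.0/16")
REGISTRY = [
    Registration("10.42.1.10", "lab-ws1", "alice@example.edu"),
    Registration("10.42.1.11", "lab-ws2", "alice@example.edu"),
    Registration("10.42.7.5", "mote-gw", "bob@example.edu"),
]
FINDINGS = [
    ScanFinding("10.42.1.10", unpatched=False),
    ScanFinding("10.42.1.11", unpatched=True),
    ScanFinding("10.42.7.5", unpatched=True, prior_notices=2),  # warnings exhausted
    ScanFinding("10.42.9.200", unpatched=True),                 # never registered
    ScanFinding("192.0.2.7", unpatched=True),                   # outside DEPT_NET
]

def triage(registry, findings, net=DEPT_NET, max_notices=2):
    """Map each scanned department host to an action and build the POC mailing list.

    Returns ({ip: "ok" | "notify" | "withdraw"}, {poc_email: [ip, ...]}).
    Unregistered hosts have no one to contact, so their access is withdrawn;
    registered hosts get notified until the notice budget is spent."""
    by_ip = {r.ip: r for r in registry}
    actions, mailing = {}, defaultdict(list)
    for f in findings:
        if ip_address(f.ip) not in net:
            continue                      # not our network, not our call
        reg = by_ip.get(f.ip)
        if reg is None:
            actions[f.ip] = "withdraw"
        elif not f.unpatched:
            actions[f.ip] = "ok"
        elif f.prior_notices >= max_notices:
            actions[f.ip] = "withdraw"    # short-notice removal after repeated warnings
        else:
            actions[f.ip] = "notify"
            mailing[reg.poc].append(f.ip)
    return actions, dict(mailing)
```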

Releasing Control No central support or mandate:
– Unsupported operating systems
– Specialized applications or services
– People who don’t use central services end up here

Plan Ahead

Trends
– Volume
– Sophistication
– Speed
– Severity
– Dependency

Threats
– Loss of productivity
– Loss of data
– Legal consequences: copyright violations, theft of personal information, use of facilities as a stepping stone
– Loss of funding

Conclusions