Superhighway Robbery: The Real Cost of Cyber Security NACUBO July 18, 2004 Copyright Mark Franklin, 2004.

Presentation transcript:

Superhighway Robbery: The Real Cost of Cyber Security NACUBO July 18, 2004 Copyright Mark Franklin, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Our Systems Are Under Constant Attack
Trojan horses
Worms
Viruses
Spam
Hackers
Disgruntled insiders
Script kiddies

3 Some of These Attacks Succeed Spectacularly
Loss of personal data
Outages
Potentially huge costs:
–Productivity loss (user and IT staff)
–Remediation
–User notification
–Bad publicity, loss of credibility
–Lawsuits?
See “Damage Control: When Your Security Incident Hits the 6 O’Clock News”

4 IT Security Risks Escalate
More and more important information and transactions are online:
–Personal identity information
–Financial transactions
–Course enrollment, grades
–Tests, quizzes administered online
–Licensed materials
–Confidential research data
We must comply with increasingly strict regulations:
–Health information - HIPAA:
–Educational records - FERPA:

5 Specific Example: Student Information System
Online enrollment, schedule, grades
FERPA protected information
Available to hackers
Q: What if someone hacks your authentication system and potentially downloads grades from thousands of students?
A: You are probably obligated by law to notify every individual whose grades may have been exposed!

6 How Can PKI Help?
One example:
–A better solution for network authentication

7 Users HATE Usernames and Passwords
Too many for them to manage:
–Re-use same password
–Use weak (easy to remember) passwords
–Rely on “remember my password” crutches
Forgotten password help desk calls cost $25 - $200 each (IDC) and are far too common
As we put more services online, it just gets worse…

8 Usernames and Passwords Require Expensive Administration
Many different username/password schemes to learn, set up, and administer:
–Backups, password resets, revoking access, initial password values, etc.
Multiple administrators have access to usernames/passwords – many points of failure
Each forgotten password help desk event costs $25 - $200 (IDC report)

9 Password Sharing
Corrupts value of username/password for authentication and authorization.
Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing.

10 PKI’s Answer to Password Woes
Better security
Lower overall cost
Convenience for the user

11 PKI Provides Two Factor Authentication
Requires something the user has (credentials in their possession) in addition to something a user knows (local password to unlock the credentials).
Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole).
Greatly reduces password sharing (need to share credentials too).

12 PKI Passwords Are User Managed
Stored in user’s possession, NOT on network
User carries the only copy of the password, changes it with no administrator or network involvement
One password per set of PKI credentials
Likely only one or two sets of credentials per user (securely reduces number of passwords)
Only one type of password to be forgotten, and it’s used constantly so not likely forgotten

13 Underlying Key Technology
Asymmetric encryption uses a pair of asymmetric keys; each is the only way to decrypt data encrypted by the other. One key is private and protected, the other public and freely distributed.
In authentication, the client proves its identity by its ability to encrypt or decrypt something with the private key on demand by the server.
Private key and password always stay in the user’s possession.
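The challenge-response exchange this slide describes, written out as an added Go example (it is not code from the talk or from the Dartmouth PKI Lab): the server hands the client a random nonce, the client signs it with its private key, and the server verifies the signature with the public key it already holds from the user's certificate. It uses an ECDSA signature over the nonce rather than literal encryption of the nonce, which is the form most protocols use today; the Server and Client types, the in-memory table of pending nonces, and the Demo driver are this example's own constructions. The replay and impostor checks in Demo show why the nonce must be fresh and single-use, and the same sign/verify primitive is what the digital signatures of slide 16 rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server holds the user's public key (in practice taken from the certificate
// the CA issued) and the set of challenges it has issued but not yet consumed.
type Server struct {
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

// NewServer registers the public key the server will verify against.
func NewServer(pub *ecdsa.PublicKey) *Server {
	return &Server{pub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce for the client to sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = true
	return nonce, nil
}

// Verify accepts a response only if the nonce is one the server issued and
// has not been used before, and the signature checks under the public key.
// The nonce is retired first, so a captured response cannot be replayed.
func (s *Server) Verify(nonce, sig []byte) error {
	if !s.pending[string(nonce)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(nonce))
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// Client holds the private key, which never leaves the user's possession;
// only a signature over the server's nonce travels over the network.
type Client struct{ priv *ecdsa.PrivateKey }

// Respond proves possession of the private key by signing the nonce.
func (c *Client) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// Demo runs the exchange and reports the server's three decisions: the
// genuine user is accepted, a replayed response is rejected, and a holder
// of a different private key is rejected.
func Demo() (genuineAccepted, replayRejected, impostorRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	impostor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	srv := NewServer(&priv.PublicKey)
	user := &Client{priv: priv}

	nonce, err := srv.Challenge()
	if err != nil {
		return
	}
	sig, err := user.Respond(nonce)
	if err != nil {
		return
	}
	genuineAccepted = srv.Verify(nonce, sig) == nil
	// Presenting the same nonce and signature a second time must fail.
	replayRejected = srv.Verify(nonce, sig) != nil

	// Someone without the user's private key cannot answer a new challenge.
	nonce2, err := srv.Challenge()
	if err != nil {
		return
	}
	badSig, err := (&Client{priv: impostor}).Respond(nonce2)
	if err != nil {
		return
	}
	impostorRejected = srv.Verify(nonce2, badSig) != nil
	return
}

func main() {
	ok, replay, impostor, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, replay rejected: %v, impostor rejected: %v\n",
		ok, replay, impostor)
}
```

The server never sees the private key or the password that unlocks it, which is the point of slides 12 and 13: the only secret that crosses the network is a one-time signature, and a server-side compromise yields nothing that lets an attacker log in as the user later.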

14 Server Administration Simplified
Just implement PKI authentication (standard in many server applications)
No need to provision, maintain, synchronize, reset, back up passwords
PKI infrastructure cost factored across many applications = significant savings

But Wait There’s More… It slices, it dices…
Beyond Authentication, PKI Enables
Digital signatures allow business automation.
Encryption protects data from all but intended recipients.
S/MIME combines the two for vastly improved security.

16 PKI Benefit: Digital Signatures
Our computerized world still relies heavily on handwritten signatures on paper.
PKI allows digital signatures, recognized by Federal Government as legal signatures:
–Reduce paperwork with electronic forms.
–Much faster and more traceable business processes.
–Improved assurance of electronic transactions (e.g. really know who that was from).
Federal digital signature information:

17 Dartmouth PKI Lab
R&D to make PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
–Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
–Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

18 Production PKI Applications at Dartmouth
Dartmouth certificate authority
–890 end users have certificates,
–639 of them are students
PKI authentication in production for:
–Banner Student Information System
–Library Electronic Journals
–Tuck School of Business Portal
–VPN Concentrator
–Blackboard CMS
–Software downloads

19 For More Information
Outreach web: Dartmouth PKI Lab
PKI Lab information:
Dartmouth user information, getting a Dartmouth certificate:
I’ll happily send copies of these slides upon request.