Higher Education-Industry Collaborations to Improve Security Joy Hughes, George Mason University Peter Siegel, University of California, Davis Jack Suess,

Presentation transcript:

Higher Education-Industry Collaborations to Improve Security Joy Hughes, George Mason University Peter Siegel, University of California, Davis Jack Suess, UMBC

Security Task Force Goals
The Security Task Force (STF) has been pursuing the following strategic goals since 2003:
- Education and Awareness
- Standards, Policies, and Procedures
- Security Architecture and Tools
- Organization and Information Sharing

STF Priorities for Strategic Plan: Making Progress on Data Protection, Risk Assessment, Incident Response and Business Continuity
1. Executive Commitment and Action
2. Professional Development for Information Security Officers (ISOs)
3. Awareness of Available Resources
4. Security of Packaged Software
5. New Tools and Technologies

Awareness of Resources
EDUCAUSE/Internet2 Security Task Force:
- Blueprint for Handling Sensitive Data
- Cybersecurity Awareness Resource Center
- Data Incident Notification Tool
- Information Security Governance Assessment Tool
- Risk Assessment Framework
- Security Discussion Group
- Research and Educational Networking Information Sharing and Analysis Center (REN-ISAC)
EDUCAUSE Cybersecurity Resource Center:
- Effective IT Security Practices Guide

Security 2007, April 10-12, 2007, Denver, Colorado
Keynote Speakers:
- Ira Winkler, author of The Spies Among Us
- Pamela Fusco, Head of Global InfoSec, CitiGroup
Pre-Conference Seminars:
- Continuity of Operations Planning, IT Disaster Planning, Wireless Security, DNS Security, Compliance & Legal Issues, Establishing an Information Security Program, Handling Sensitive Data, Incident Response Processes and Tools, and Privacy and Security Training
Concurrent Sessions: Campus & Vendor Presentations
Corporate Displays
Human Networking:
- BoFs, Roundtable Discussions, Reception, etc.

Why collaborate with Industry?
- Original security issues are still there, and some are growing
- Problems in new areas: web/db apps
- Growing complexity for end users, a PR problem for us
- Challenge of "professionalizing" non-security staff on security issues
- Heightened state security requirements
- Are attacks more sophisticated? Professional? Organized crime? "Industrial" espionage?

Most critical vendor areas?
- O/S vendors in Redmond and Cupertino
- Unix vendors
- ERP vendors
- Database companies
- Networking vendors
- Web 2.0 suppliers
- Others???

Networking Vendors
- Convergence of networking and security products?
- Multiple vendors are now integral to the network

OS Vendors: Microsoft
- Vista rollout
- The Higher Education Advisory Group has been a strong advocate for security.

How to Engage Vendors
- Common effective practices?
- Advisory groups?
- Checklists of key issues?
- Scream
- Identity Management: collaboration opportunity?

Identity Management
- High-value collaboration opportunity?

ERP Security Checklist Topics
- Managing Roles and Responsibilities
- Passwords, IDs and PINs
- Data Standards and Integrity
- Process Documentation
- Exporting Sensitive Data

Sample from Roles/Responsibilities
- Is security controlled at the database level, or is it left to the applications that are supposedly integrated with the ERP to each control security?
- How easy is it to set up role-based access? E.g., can roles be associated with position categories; can default roles be established?

Sample from Roles/Responsibilities
- Are there some features of the system that require that the user, no matter what their role, be given access to the underlying database? If so, how is security managed?
- Can context-sensitive roles be defined (i.e., the user can perform a function for specified records only at a specified point in the processing cycle)?

Sample from Roles/Responsibilities
- Is there a web-based tool that allows you to see the access that has been provided to a user with respect to the fields/tables/forms in the product, its underlying database, and integrated third-party products and reporting tools?

Sample from Roles/Responsibilities
- Can the vendor provide you with the names of institutions similar to yours that have implemented role-based security on a wide variety of roles, so that you can assess the person-hours that will be needed to implement and maintain role-based security?

Sample from PINs/IDs/Passwords
- Does the system require strong passwords?
- Are the IDs randomly or sequentially generated?
- Are they at least 8 characters long?
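As an added illustration of how an evaluator could answer the ID questions above with evidence rather than a vendor's word (this is example code, not part of the checklist or any ERP product): given a sample of identifiers a candidate system has issued, in issuance order, the helper reports whether they meet the 8-character minimum, whether they look like a plain counter, and how much per-character entropy they carry. The sample IDs are constructed for the example.

```python
"""Evidence-gathering helper for the ERP checklist's ID questions.

Assumption (for the example): the evaluator can obtain a small sample of
IDs in the order the system issued them, e.g. from a test tenant.
"""
import math
from collections import Counter

MIN_ID_LENGTH = 8  # the minimum length the checklist asks about


def min_length_ok(ids, minimum=MIN_ID_LENGTH):
    """True only if every issued ID meets the minimum length."""
    return all(len(i) >= minimum for i in ids)


def looks_sequential(ids):
    """Heuristic for 'sequentially generated': numeric IDs that strictly
    increase in issuance order behave like a counter and are guessable.
    Non-numeric IDs cannot be a simple counter, so they are not flagged."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    if len(nums) < 3:  # too few observations to call it a pattern
        return False
    return all(b > a for a, b in zip(nums, nums[1:]))


def shannon_entropy_bits(ids):
    """Average per-character Shannon entropy over the whole sample, in bits.
    Counter-style IDs share most of their digits, so this comes out low;
    IDs drawn from a wide random alphabet approach log2(alphabet size)."""
    text = "".join(ids)
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_ids(ids):
    """Summarise the three checklist signals for one sample of IDs."""
    return {
        "min_length_ok": min_length_ok(ids),
        "sequential": looks_sequential(ids),
        "entropy_bits_per_char": round(shannon_entropy_bits(ids), 2),
    }


# Constructed samples: a counter-style issuer and a random-looking issuer.
SEQUENTIAL_SAMPLE = ["10000231", "10000232", "10000233", "10000234", "10000235"]
RANDOM_SAMPLE = ["K7Q2X9PM", "3ZT8WBN4", "P0H6LRV2", "Q9CD5YJ1", "M4SN7E8A"]

if __name__ == "__main__":
    for name, sample in (("counter", SEQUENTIAL_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(name, assess_ids(sample))
```

A low entropy figure together with a "sequential" flag is the evidence to put in front of the vendor; a long but predictable ID still fails the intent of the question.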

Sample from Data Standards/Integrity
- Are data fields encrypted at the database level?
- Is each standardized data field adequately documented in a data dictionary?
- As the institution articulates the standards/rules that define a data field, do these standards/rules then become part of a data dictionary?

Sample from Data Standards/Integrity
- Can the vendor provide you with the names of institutions similar to yours that have implemented features such as:
  - encrypted data fields
  - audit trails on data fields
  so that you can determine the effect on performance of implementing these features on all the fields that need to be protected?

Sample from Process Documentation
- Are there visual representations of processes, role approvals, security checkpoints, data flow, and tables touched/accessed during each process?
- Are there clear and complete workflow diagrams?

REN-ISAC Research and Education Networking: Information Sharing and Analysis Center

REN-ISAC Mission
- Serve as a trusted connector hub for the security community to collaborate.
- Focus is to improve network security through information collection, analysis, dissemination, early warning, and response;
- Unique capability to support the R&E community because of the NOC at Indiana University; and
- Supports efforts to protect the U.S. national cyber infrastructure by participating in the formal ISAC structure.

REN-ISAC Members
- Membership is open and free to institutions of higher education, teaching hospitals, research and education network providers, and government-funded research organizations.
- Current membership:
  - 300 individual members
  - 165 institutions
  - Predominantly research universities to date, but increasingly new members are coming from non-research universities.
- Membership is aimed at security staff and vetted to ensure a trust relationship.

REN-ISAC Organization
- Hosted by Indiana University
- Three permanent staff
- Executive Advisory Group
- Technical Advisory Group
- Support and contributions from:
  - Indiana University, Internet2, EDUCAUSE
  - Louisiana State University, Worcester Polytechnic Institute, University of Massachusetts Amherst
  - And the members

Technical Advisory Group
The REN-ISAC Technical Advisory Group (TAG):
- Chris Misra - University of Massachusetts Amherst (Chair)
- Tom Davis - Indiana University
- Phil Deneault - Worcester Polytechnic Institute
- Brian Eckman - University of Minnesota
- Stephen Gill - Team Cymru
- John Kristoff - UltraDNS
- Randy Raw - Missouri Research & Education Network (MOREnet)
- Joe St Sauver - University of Oregon
- Michael Sinatra - University of California, Berkeley
Ex-officio Members:
- Doug Pearson - REN-ISAC/Indiana University
- Dave Monnier - REN-ISAC/Indiana University

Executive Advisory Group
The REN-ISAC Executive Advisory Group:
- Jack Suess - University of Maryland-Baltimore County (Chair)
- Brian Voss - Louisiana State University
- Theresa Rowe - Oakland University
- Marty Ringle - Reed College
- Ken Klingenstein - Internet2 & University of Colorado
- Rodney Petersen - EDUCAUSE
- TBD - HPC center representative
Ex-officio Members:
- Mark Bruhn - REN-ISAC/Indiana University
- Chris Misra - TAG Chair, University of Massachusetts Amherst
Focus is on developing a business plan.

External Relationships
- Internet2 and EDUCAUSE
- Other private threat collection and mitigation efforts, e.g. among ISPs, .edu regional groups, etc.
- Global Research NOC at Indiana University, servicing Internet2 Abilene, National LambdaRail, and international connecting networks
- National ISAC Council and other sector ISACs
- Department of Homeland Security & US-CERT
- Coming soon: vendors!

Vendor Relationships
- REN-ISAC is uniquely positioned to work with vendors by its status as an ISAC.
- Vendors won't and can't share security secrets with 2000 institutions; they will consider sharing with REN-ISAC if we demonstrate we can be trusted.
- In final negotiations with one major vendor.

REN-ISAC Activities
- A vetted trust community for cybersecurity
- Information-sharing and communications channel for vendor security issues
- Information products aimed at protection and detection
- Participate in incident detection, response, and dissemination
- Develop tools for information sharing and response

Information Products
- Daily Weather Report provides situational awareness and actionable protection information.
- Alerts provide critical, timely, actionable protection information concerning a new or increasing threat.
- Notifications identify specific sources and targets of an active threat or incident involving member networks.
- Threat Information Resources provide information regarding known active sources of threat.

Information Products (2)
- Advisories inform regarding specific practices or approaches that can improve security posture.
- Instruction on technical topics relevant to security protection and response.
- Monitoring views provide aggregate information for situational awareness.

For More Information
Visit:
- EDUCAUSE/Internet2 Security Task Force
Contact:
- Joy Hughes, GMU, STF Co-Chair
- Peter Siegel, UC-Davis, STF Co-Chair
- Rodney Petersen, EDUCAUSE, STF Staff