EDUCAUSE Center for Applied Research
Safeguarding the Tower: IT Security in Higher Education 2006
EDUCAUSE Webcast, December 15, 2006
John Voloudakis
Copyright ECAR. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Study Background
Research Methodology
- Literature review of material published from 2003 to 2005, with the intent of identifying issues of concern to the higher education community and creating additional hypotheses to test.
- Consultation with security experts, including members of the EDUCAUSE/Internet2 Computer and Network Security Task Force, and IT leaders at 17 higher education institutions.
- A quantitative web-based survey first used in 2003 was modified to reflect changes in technologies and practices. 492 higher education institutions responded to the survey.
- A longitudinal analysis compared the survey findings with those from ECAR's 2003 study. 204 institutions responded to both surveys, and that population was used to perform the comparison.
Respondents represented institutions in all Carnegie classes, with strongest representation from doctoral institutions
- Since random sampling was not used, some sample bias may exist in the results. However, given the large size of the sample, we feel this bias is acceptable.
- The population used for longitudinal analysis shows a slight bias (less than 5%) toward DR (doctoral) and MA (master's) institutions.
- The current study shows far less difference in IT security practice by Carnegie class than the 2003 study did.
- 62% of respondents were private institutions and the remainder public. We found little difference along this dimension.
Respondents also represented a spectrum of institutional size, with smaller institutions more prevalent
- 44% of respondents had under 4,000 students, while fewer than 20% had over 15,000.
- The mean student body for the current study was 8,375, compared to 7,169 in 2003.
- Institutional size was less significant than in the 2003 study, but differences remain, especially in the areas of planning and awareness programs.
Survey respondents were mostly CIOs and other IT professionals
- There was a major shift in respondents' titles from 2003 to the current study. The number of CISOs grew by 97%, while the number of CIOs grew by 15%. This growth came at the expense of directors of networking, administrative computing, and academic computing.
- The average experience of our respondents with IT security was 13.9 years, with nearly 25% reporting more than 20 years of experience.
Summary of Findings
Significant new penetration* of key security technologies was observed

Approach | Implemented (2005) | Currently implementing (2005) | Percent used in 2005** | Percent used in 2003** | Rate of change**
Network firewalls (perimeter) | 83.4% | 5.3% | 77.0% | 68.1% | 13.1%
Centralized data backup system | 76.4% | 10.7% | 76.6% | 68.1% | 12.5%
Virtual private network (VPN) for remote access | 74.6% | 10.8% | 75.4% | 45.6% | 65.4%
Enterprise directory | 68.3% | 14.5% | 71.9% | 46.3% | 55.3%
Network firewalls (interior) | 66.1% | 13.7% | 65.0% | 51.0% | 27.5%
Intrusion detection | 55.7% | 17.0% | 62.3% | 46.1% | 35.1%
Active filtering | 57.8% | 6.6% | 59.3% | 29.7% | 99.7%
Intrusion prevention | 39.8% | 15.8% | 44.3% | 33.5% | 32.2%
Security standards for application or system development | 32.2% | 19.1% | 32.4% | 27.5% | 17.8%
Electronic signature | 7.4% | 10.3% | 6.4% | 5.9% | 8.5%
Shibboleth | 2.7% | 5.6% | 4.9% | 1.5% | 226.7%

* These findings do not show the penetration rate within the institution; the numbers may include pilot projects as well as full deployments.
** This data includes only the institutions that responded to both studies. Rate of change is the relative change in percent used from 2003 to 2005 within that comparison group, for example VPN: (75.4 - 45.6) / 45.6 = 65.4%.
Observations on penetration of security approaches
- There was significantly less difference in the technologies in use by Carnegie class than in 2003.
- Use of perimeter firewalls greatly increased at doctoral institutions (21%), though they still deploy them less than other types of institutions do. Doctoral institutions also made the heaviest use of VPNs (83%).
- The average responding institution used 7.5 of the 16 approaches listed in the survey. 5% used 13 or more approaches, and 10% reported 3 or fewer.
Strong advances in wireless security were also observed

Approach | Implemented (2005) | Currently implementing (2005) | Percent used in 2005 | Percent used in 2003 | Rate of change
Firewall | 71.4% | 6.6% | 74.1% | 41.4% | 79%
Remote Authentication Dial-In User Service (RADIUS) | 54.4% | 2.9% | 50.8% | 45.9% | 10.7%
Internet Protocol virtual private network (IP VPN) | 47.8% | 10.5% | 51.5% | 29.9% | 72.2%
128-bit Wired Equivalent Privacy (WEP) | 34.5% | 6.7% | 39.5% | 29.6% | 33.4%
Wireless vendor-supplied proprietary solution | 25.7% | 5.7% | 28.6% | 18.2% | 57.1%
Kerberos | 21.2% | 3.2% | 26.2% | 13.2% | 98.5%
Extensible Authentication Protocol (EAP) | 19.7% | 8.5% | 22.6% | 7.7% | 193.5%
40-bit Wired Equivalent Privacy (WEP) | 19.6% | 1.9% | 21.1% | 17.5% | 20.6%
Advanced Encryption Standard (AES) | 14.2% | 5.5% | 18.9% | 4.4% | 125.4%

- Doctoral institutions reported somewhat higher usage of wireless security approaches than others.
Little change in authentication approaches was observed from 2003 to 2005
- Higher education's usage of non-password authentication lags other industries.
- 90% of respondents use 3 or fewer approaches. This is a change from 2003, when 65% used 3 or fewer.
- Doctoral institutions were the primary users of non-password authentication methods.

Approach | Implemented (2005) | Currently implementing (2005)
Conventional password/PIN | 94.4% | 0%
Strong password | 59.9% | 12.8%
Kerberos | 26.9% | 2.9%
SecurID-style one-time password | 8.9% | 2.8%
Other multi-factor authentication methods | 8.1% | 4.0%
PKI certificate (software) without PIN | 6.8% | 1.3%
PKI certificate (software) with PIN | 5.1% | 1.5%
Biometric identification | 2.8% | 2.3%
PKI hardware token with PIN | 1.7% | not given
PKI hardware token without PIN | 0.9% | not given
Security strategies employed by institutions vary

Approach | Implemented (2005) | Currently implementing (2005) | Percent used in 2005 | Percent used in 2003 | Rate of change
Limiting the types of protocols allowed through the firewall/router | 87.1% | 7.4% | 88.7% | 73.0% | 21.5%
Restricting and eliminating access to servers and applications | 79.6% | 14.9% | 80.9% | 70.1% | 15.4%
Timing out access to specific applications after an idle period | 77.0% | 6.2% | 76.0% | 65.0% | 16.9%
Instituting a recovery or backup plan for disasters caused by natural events or by human acts | 46.4% | 30.8% | 44.3% | 46.3% | (4.3%)
Limiting the URLs allowed through the firewall | 34.7% | 5.6% | 29.1% | 26.9% | 8.2%
Installing a software inventory system to watch for malicious software or program changes | 16.4% | 17.2% | 17.7% | 11.4% | 55.3%
Using security devices (cards, biometric scanners, etc.) for authentication | 14.0% | 7.2% | 15.8% | 12.3% | 28.5%

Parentheses denote a decrease.

- Doctoral institutions report lower overall usage of these strategies, but usage patterns are consistent across Carnegie types.
- More than 20% of institutions are still not implementing a disaster recovery plan (46.4% implemented plus 30.8% currently implementing leaves 22.8% with neither).
Day-to-day responsibility for IT security varies by institution
- 71% of IT security officers work at doctoral institutions, down from 90% in 2003. Nearly all reporting institutions with enrollments over 25,000 had a full-time security officer.
- 67% of these individuals work full-time on security.
- The salary range for IT security officers rose from the $50,000 to $74,000 range to the $75,000 to $99,000 range.
- 20.5% of security staff were reported to have an IT security certification.

Role responsible | Percent responsible in 2005 | Percent responsible in 2003 | Rate of change
IT security officer (or equivalent) | 34.9% | 22.4% | 55.8%
CIO (or equivalent) | 14.3% | 6.7% | 113.4%
Director of administrative computing | 2.7% | 3.2% | (15.6%)
Director of academic computing | 1.2% | 1.8% | (33.3%)
Other academic management | 0.6% | 1.2% | (50.0%)
Other administrative management | 0.6% | 3.2% | (81.3%)
Other IT management | 23.9% | 30.9% | (22.7%)
Director of networking | 21.8% | 30.6% | (28.8%)

Parentheses denote a decrease.
There has been a major change in the structure of IT security organizations
- 68% of respondents had at least one full-time security staff member, up from 50% in 2003.
- Doctoral institutions were more likely to have larger IT security teams, averaging 2.8 FTE. 68% of other institutions reported having a staff of one or less.
- 32% of institutions expect to add staff in the next two years, mostly doctoral institutions and institutions with enrollments over 25,000.

Staffing structure | 2005 percent | 2003 percent | Percent change | Rate of change
One central IT security unit/function | 61.8% | 38.7% | 23.1% | 59.7%
Spread across multiple central IT units/functions | 32.7% | 58.2% | (25.5%) | (43.8%)
Other | 5.5% | 3.1% | 2.4% | 77.4%
IT security budgets as a percentage of total IT spend did not increase significantly
- Higher education lags other industries in the percentage of the IT budget spent on security by more than half (11.4% on average).
- 39% of respondents disagreed or strongly disagreed with the statement that their institution provided the needed resources to address IT security issues. Only 34% agreed or strongly agreed, a slight improvement from 2003.
- Justification for spending due to compliance rose by 124% from 2003.
Prevalence of security awareness programs significantly increased

Program type | Students | Faculty | Staff
Mandatory | 17.4% | 14.5% | 20.4%
Voluntary | 37.9% | 47.7% | 44.4%
No program | 44.7% | 37.7% | 35.2%

- The number of institutions reporting awareness programs in place rose by more than 25% from 2003 to 2005. The biggest increase (31%) was in faculty awareness programs.
- Doctoral institutions were much more likely (80%) to have awareness programs in place than others (under 50%).
- Institutions were neutral as to the effectiveness of their awareness programs, with slightly better results reported by doctoral institutions.
A range of IT security policies are in place
- Institutions with higher enrollments were more likely to have more extensive policies in place.

Policy implemented | Yes
Acceptable use of computers, Internet, and intranet | 97.8%
Data backups and secure off-site storage | 89.1%
Access control, authentication, and authorization practices | 85.1%
Vulnerability management (e.g., patch management, antivirus software) | 85.1%
Physical security | 81.4%
Individual employee responsibilities for information security practices | 72.8%
Protection of organizational assets | 72.8%
Managing privacy issues, including breaches of personal information | 71.6%
Secure disposal of data, media, or printed material that contains sensitive information | 71.0%
Incident reporting and response | 68.9%
Disaster recovery contingency planning (business continuity planning) | 68.4%
Investigation and correction of the causes of security failures | 68.2%
Notification of security events to affected parties (individuals, law enforcement, campus organizations) | 66.9%
Sharing, storing, and transmitting of institutional data (e.g., ISPs, external networks, contractors' systems) | 51.3%
Data classification, retention, and destruction | 50.6%
Identity management | 50.0%
Security compliance monitoring and enforcement | 49.0%
Change management processes | 45.6%
Personnel clearances or background checks | 38.1%
Senior management interest in IT security issues has increased

Management reporting | 2005 percent | 2003 percent | Percent change | Rate of change
Never | 8.8% | 14.2% | (5.4%) | (38.0%)
Seldom | 26.0% | 34.8% | (8.8%) | (25.3%)
Occasionally | 34.3% | 26.0% | 8.3% | 31.9%
Often | 25.0% | 14.3% | 10.7% | 74.8%
Very often | 3.4% | 2.5% | 0.9% | 36.0%
Don't know | 2.5% | 9.4% | (6.9%) | (73.4%)

- Doctoral institutions are most likely (40%) to report often or very often, compared to 21% for others.
- Lower-enrollment institutions were less likely to report IT security issues to senior management.
IT security planning has increased, but still has room to improve
- In 2003, nearly 50% of respondents had no plan or were creating one.
- Higher-enrollment institutions were more likely to have comprehensive plans in place.
- 62% reported that IT security was part of the campus or IT strategic plan.
Risk assessments became more prevalent

Risk assessment in last 2 years | Percent
No risk assessments done | 42.6%
For some institutional data and asset types | 46.3%
For all institutional data and asset types | 8.6%
Don't know | 2.5%

Audit frequency | Percent
Not performed | 25.0%
On an irregular basis | 50.6%
On a regular basis | 23.0%
Don't know | 1.4%

- For the comparison group, 60% had performed a risk assessment in 2005, vs. 34% in 2003, a 77% increase.
- The frequency of IT security audits did not change significantly from 2003 to 2005.
- Larger institutions were more likely to have performed risk assessments and audits.
- The use of external auditors and consultants to perform security audits grew significantly, especially in larger institutions.
- Only 19% of institutions provide departments with a framework for performing security assessments.
Institutions identified viruses and theft of personal information as high-risk areas

Perceived risk | Percent
Computer virus, worm, or Trojan horse | 72.6%
Theft of personal financial information (SSN, credit/debit/ATM card, account or PIN numbers, etc.) | 64.8%
Other computer security incidents (hacking, spoofing, sniffing, pinging, scanning, spyware, etc.) | 55.3%
Denial of service | 30.5%
Unlicensed use or copying (piracy) of digital products (software, music, motion pictures, etc.) | 25.2%
Breaches resulting from information obtained from stolen laptops | 11.0%
Electronic vandalism or sabotage | 10.4%
Misuse of computers by employees (Internet, etc.) | 10.0%
Theft of intellectual property (copyrights, patents, trade secrets, trademarks) | 7.7%
Fraud | 2.6%
Embezzlement | 0.6%
The number of reported security incidents declined significantly since 2003
- The share of 2005 respondents indicating an incident reported to the press in the past 12 months fell, compared to 19% in 2003.
- A majority of institutions (74%) report that the number of incidents in the past twelve months is about the same as or less than in the year before.
- There was little variation by Carnegie class, but institutions with higher enrollments reported more incidents.
- Over one third of respondents (34%) identified business applications being unavailable, followed by the network being unavailable (29%), as the biggest impacts from incidents. 26% reported data compromises.
- Only 48% of institutions reported formal incident handling procedures; the figure was much higher (76%) at doctoral institutions and high-enrollment institutions.
Security program outcomes were rated lower than in 2003, with advances in protection of central assets
- The majority of 2005 respondents indicated (4.0 on a 5-point scale) that their institutions were more secure than two years earlier.
- However, the comparison group rated their success lower in 2005 than in 2003.
- A large disparity was perceived in the security of central vs. local systems, with central systems rated much higher (except at AA institutions).
- Institutions reporting the use of awareness programs, security plans, and security audits rated themselves significantly higher than institutions without these in place.
- Institutions that felt they did not have sufficient resources rated their performance less highly.
While barriers to implementing effective security still exist, they have lessened since 2003

Barrier | 2005 | 2003 | Change | Rate of change
Lack of awareness | 35.8% | 50.5% | (14.7%) | (29.1%)
Culture of decentralization | 29.9% | 37.3% | (7.4%) | (19.8%)
Lack of enforcement of policies | 13.2% | 20.1% | (6.9%) | (34.3%)
Absence of policies | 22.1% | 27.0% | (4.9%) | (18.1%)
Lack of senior management support | 13.2% | 17.2% | (4.0%) | (23.3%)
Lack of resources | 68.1% | 71.6% | (3.5%) | (4.9%)
Technology issues | 7.4% | 8.8% | (1.4%) | (15.9%)
Privacy of the individual | 4.4% | 0.0% | not given | not given

Parentheses denote a decrease; Change is the 2005 value minus the 2003 value, and Rate of change is that difference divided by the 2003 value.
Questions and comments
John Voloudakis
Full study available to ECAR subscribers and for purchase at