IT Security Challenges In Higher Education
Steve Schuster, Cornell University

Copyright Steve Schuster. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Questions I'd Like to Answer
► Why do we care about IT security?
► What are some of our universities' biggest challenges?
► What can universities do to address these challenges?
Why Do We Care?
► Current federal and state law
  - Family Educational Rights and Privacy Act (FERPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Compromise (breach) notification laws
    - 12 states
    - NYS Breach of Security Bill, December 2005
Why Do We Care?
► Growing social expectations due to rising awareness of identity theft
► Reputational concerns
► Growing possibility of lawsuits
Why Do We Care?
► The first half of this year had 72 reported compromises
  - Education – 37
  - Business – 23
  - Government – 7
  - Healthcare – 5
► Causes of the compromises
  - Hacking – 40
  - Stolen property – 16
  - Lost property – 6
  - Insider – 5
  - Fraud/social engineering – 2
  - – 1
  - Web – 1
Our Biggest Challenges
► Understanding new threats
► Changing/emerging law
► Growing social expectations and requirements
► The general "openness" of universities can make us an easier target
► Creating a common understanding of what data needs to be protected
► Complexity due to decentralized IT support complicates the identification of critical or sensitive resources and data
► Timely and accurate response to security incidents
► Institutional-level questions are difficult to get answered
Discovery: Keystroke Loggers
► Purpose
  - Capture every key pressed on a given computer
  - Keystrokes are stored in a file and either retrieved at a later time or sent automatically via or other mechanism
  - Logins, passwords and credit card numbers are typically captured in this manner
Exploitation: Spreading Viruses ISP in New Haven, CT
Exploitation: Spreading Worms
► Worms spread by
  - Using system and port scanning techniques
  - Finding vulnerable systems
  - Automatically exploiting vulnerabilities
Use of Exploited Systems
► Systems are typically exploited for
  - File distribution
    - Copyrighted material
    - Warez
  - Exploiting other systems
    - Sniffers
    - Keystroke loggers
    - Scanners
  - Creating a bot network
Use of Exploited Systems: BotNets
► BotNet creation
  1. Compromise a system
  2. Create the controller
  3. Send out a worm to many systems
  4. Infected systems alert the controller
  5. Send commands to the bots as desired
Use of Exploited Systems: BotNets
► Observed functions
  - Spreading copies of itself
  - Denial of service attacks
  - Packet sniffing
  - Keystroke logging
  - File distribution
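The two network patterns described on the worm and BotNet slides above (a single host sweeping many neighbours on one port, and many infected hosts checking in with the same controller) are exactly what a central security office can look for in flow records. The following is an added example written for this deck, not tooling from Cornell or the author: it runs two simple detectors over constructed flow records. The record format, the campus address range (10.0.0.0/8), the allow-listed ports and the thresholds are all assumptions to adjust for a real network.

```python
"""Flag worm-style scanning and bot check-in patterns in flow records.

Added example, not the deck's own tooling. The flow format, the campus
address range and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: campus address space; anything outside it is "external".
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = []
# A worm-style host sweeps 40 neighbours on TCP/445 within 30 seconds.
for i in range(1, 41):
    SAMPLE_FLOWS.append((1000 + i * 0.7, "10.1.2.3", f"10.1.5.{i}", 445))
# Ordinary traffic: one workstation fetching mail and a web page.
SAMPLE_FLOWS += [
    (1010.0, "10.1.2.9", "10.0.0.25", 25),
    (1011.0, "10.1.2.9", "198.51.100.80", 443),
    (1030.0, "10.1.2.9", "10.0.0.25", 993),
]
# Eight workstations use an external web server (expected, allow-listed port).
for i in range(10, 18):
    SAMPLE_FLOWS.append((1100 + i, f"10.1.3.{i}", "198.51.100.80", 443))
# Six internal hosts check in with the same external host on TCP/6667
# (the "infected systems alert the controller" step from the BotNet slide).
for i in range(20, 26):
    SAMPLE_FLOWS.append((1200 + i, f"10.1.4.{i}", "203.0.113.7", 6667))


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed campus range."""
    return ipaddress.ip_address(ip) in CAMPUS_NET


def detect_scanners(flows, min_targets=20, window=60):
    """Return {(src, dport): n_targets} for sources that touched at least
    `min_targets` distinct destinations on one port within `window` seconds."""
    targets = defaultdict(set)
    first_seen, last_seen = {}, {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        targets[key].add(dst)
        first_seen[key] = min(ts, first_seen.get(key, ts))
        last_seen[key] = max(ts, last_seen.get(key, ts))
    return {
        key: len(dsts)
        for key, dsts in targets.items()
        if len(dsts) >= min_targets and last_seen[key] - first_seen[key] <= window
    }


def detect_checkins(flows, min_sources=5, allowed_ports=frozenset({80, 443})):
    """Return {(dst, dport): n_sources} for external destinations that at
    least `min_sources` distinct internal hosts contact on the same port,
    ignoring ports on the allow-list (assumed: ordinary web traffic)."""
    sources = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst) and dport not in allowed_ports:
            sources[(dst, dport)].add(src)
    return {key: len(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for (src, port), n in detect_scanners(SAMPLE_FLOWS).items():
        print(f"scan: {src} -> {n} hosts on port {port}")
    for (dst, port), n in detect_checkins(SAMPLE_FLOWS).items():
        print(f"check-in: {n} internal hosts -> {dst}:{port}")
```

On the constructed data only the sweeping host and the shared external 6667/tcp destination are reported; the eight workstations talking to one web server on 443 are not, because that port is allow-listed. Without the allow-list the web server would be flagged too, which is the usual false-positive source for this kind of fan-in detection and why known campus services need to be excluded before alerts go to local units.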
Challenge: Changing/Emerging Law
► Response
  - Make friends with University Counsel
  - Develop a clear understanding of what data needs to be protected, and communicate it
  - Periodic security awareness training, at least for those handling regulated data
  - Never miss a "learning" opportunity
    - User/department notification
  - Make sure policy reflects current requirements
    - Data Security/Management policy
Challenge: Growing Social Expectations and Requirements
► Response
  - Prepare your legal defense now
    - Participate in internal and external audits
    - Show consistent improvements
    - Work to establish at least state-of-the-practice security technology, processes and procedures
    - Develop analysis and incident handling standards and practices
Challenge: University "Openness"
► Response
  - Implement a security strategy that meets the business needs of the unit
  - Build trust and understanding across the community
  - Rise to the challenge
    - Protected infrastructures DO NOT hinder research
Challenge: Understanding What Data Needs to be Protected
► Response
  - Data categories can help
    - Regulated, Confidential and Public
  - Map specific data elements into each category
  - Work toward identifying all IT resources that house each category
  - Communicate
    - Awareness
    - Policy
    - "Educational" opportunities
  - The Audit Office can certainly help here
Challenge: Complexity Due to Decentralization
► Response
  - Building and maintaining trust is not optional
  - Establish best practices and strong recommendations
  - Gain the support of the University Audit Office
  - Support university-wide outreach
    - IT Security Council
    - Monthly Security Special Interest Group (SIG)
Challenge: Timely and Accurate Response to Security Incidents
► Response
  - Develop processes and procedures in advance
  - Ensure the procedures are universally available
  - Provide response training to local units
  - Ensure the central IT Security Office is involved with the incident
  - Automate as much of the response process as possible
  - Establish a Data Loss Response Team
Challenge: Answering Institutional Questions
► Response
  - Do not ask abstract questions
  - Work real-world situations requiring action and decisions
  - Create a Data Loss Response Team
Responding to Incidents
► Clearly distinguish between IT security and data security
► Data Loss Response Team
  - Established to ensure the university responds appropriately
  - Members
    - University Audit
    - University Counsel
    - Public Relations
    - VP of IT
    - Risk Management
    - University Police
    - Data Stewards
    - Local Unit
  - Two meetings of this team per incident
    - First meeting establishes an understanding of the incident and provides specific direction
    - Second meeting weighs the evidence and determines appropriate actions
Responding to Incidents
► Data Loss Response Team benefits
  - Helps answer tough questions for the university
  - Provides a balanced and effective decision-making process
  - Helps establish minimum standards for analysis
  - Weighs in on established practices and procedures
  - Establishes a more thorough understanding of IT security challenges
Questions?