Presentation is loading. Please wait.

Presentation is loading. Please wait.

Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College.

Published byLogan Baldwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College."— Presentation transcript:

1 Challenges and Incidents in Higher Ed

2 About->Presenter Zach Jansen Information Security Officer, Calvin College

3 Help->About Calvin ~4200 Students –~2500 living on campus ~350 Faculty –0 living on campus? ~700 staff Off campus programs in 8 countries

4 Diverse User Needs Academic Administrative Student / Residential Network

5 Academic Environment Academia –Traditionally an open access environment –Few restraints or restrictions –Infrastructure designed to provide access –Faculty, Staff, and Students expect to be able to do whatever they need with their computers

6 Academic Environment (2) Faculty, Staff, and Students used to being able to: –Install software –Change/customize settings –Use machines for personal use –Store personal data on personal machines with an expectation of privacy

7 Academic Environment - Machines Many unmanaged machines on network. Received through a grant or donation Often run medical or scientific software. Frequently no updates available, or no money for updates. Personal machines frequently used.

8 Academic Environment - problems Restrict to least privilege? Support for custom web scripts? Provide a secure, but open, environment. Need to comply with increased regulation, yet still allow an educational environment. Large amounts of PII to protect

9 Administrative The business end of the college Responsible for personal, health, educational, and financial data From an IT perspective, managed very similarly to the academic part of the college. Causes problems: –Compliance –Securing data

10 Regulations FERPA – Family Educational Rights and Privacy Act Governs how colleges handle –Grades –Academic Performance –Directory Information A “no teeth” regulation What happens if you’re in violation?

11 HIPAA Health Services Student Health Information HIPAA specifically excludes protected health information in “education records” as subject to FERPA.

12 PCI, GLBA, etc The list of regulations goes on. PCI will continue to become a bigger issue as credit card companies and acquiring banks push this. Some schools comply by not processing credit cards. GLBA is again partially complied with by complying with FERPA.

13 Breach Notification Laws There are a lot of these Pushing a substantial investment in Information Security. Nobody wants to be the next school in the news.

14 Data Security - SSN It’s 3 o’clock, do you know where your SSN’s are? SSN used as primary identifier by many schools for many years. Many states have mandated that SSN not be used. Big problem for big schools.

15 Data Security – SSN(2) Tons of SSN’s –Have to collect SSN’s for loan processing with the Department of Education. Makes for expensive breach notification when they get stolen.

16 Students / Residential Network On campus housing for about 2500 students. Resnet needs to provide access to Calvin IT services Also needs to function as an ISP. 07-08 is the first year wireless used more than wired.

17 Students / Resnet (2) For general network health, there is a need to keep virus/malware activity to a minimum. Also need to protect academic and administrative areas from student PC’s.

18 Responsible Freedom What do you get when you combine the newfound freedom of: Living away from home A brand new computer A super fast internet connection

19 P2P Issues Huge bandwidth consumption Bittorrent and IDS sigs. DMCA takedown notices RIAA/MPAA subpoena’s. College Opportunity and Affordability Act –Force Higher Ed to offer legal alternative to P2P and implement network filtering.

20 Solutions Academic Administrative Students / Residential Network

21 Policy Needs to protect privacy of professors and students. Specific category in AUP for personal data. IT must have permission of data owner or 2 VP’s to view private data. Professor’s data, class/student notes, research, considered private.

22 Administrative – SSN’s Calvin hasn’t used it as primary identifier for over 18 years. –I still find them used occasionally. Some Schools use scanners like Spider to find sensitive data. –High false positives e.g. Japanese telephone numbers. Few staff with access to SSN’s. Data purge plans.

23 Resnet Both wired and wireless option Separate VLAN from the rest of campus –Some schools use completely separate networks. Use Bradford Campus Manager (NAC) to enforce use of AV, firewall, minimum patch level. –Exemptions for game consoles, linux.

24 P2P Solutions Many schools use traffic shaping Packeteer Traffic shaping: –Worked well for a while –Can’t handle encrypted protocols –Bandwidth caps instead Ruckus Not responsible for traffic traversing the network. Safe Harbor

25 P2P Wrapup Most schools don’t block p2p usage –Has some legitimate uses –Pretty hard to block effectively –Don’t want to be held liable –Academic freedom. Many restrict its use –Bandwidth hog –Little to no educational value. Alternatives.

26 Administrative Support Support of upper management is crucial. Calvin is blessed with a VP that understands the need for good InfoSec.

27 Incidents “I can’t think of a more dirty and dangerous network than one on a college campus.” – Colleague at Georgetown

28 Stallowned!

29 Web site hack Fall 2007 In the spirit of academia, a professor was given permission to write cgi scripts on web server. CGI scripts were vulnerable. How did attacker get root? Bad news.

30 The End Time to view the packet capture.

Download ppt "Challenges and Incidents in Higher Ed. About->Presenter Zach Jansen Information Security Officer, Calvin College."

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?

Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
EDUCAUSE Security 2006 Internet John Brown University.

EDUCAUSE Security 2006 Internet John Brown University.

Similar presentations

Ads by Google