UCCSC 8/3/04 Pursuit of IT Security Lessons Learned Huapei Chen -- Director of IT, EECS Alex Brown – Project Lead, EECS Department of Electrical Engineering.


1 UCCSC 8/3/04 Pursuit of IT Security Lessons Learned Huapei Chen -- Director of IT, EECS Alex Brown – Project Lead, EECS Department of Electrical Engineering and Computer Sciences Univ. of CA Berkeley

2 Pursuit of IT Security Lessons Learned It all started a hot summer day in August, 2003…

3 What We Had… Blaster Disaster
2 out of 5 Windows systems in EECS were rebuilt (compromised or unpatched).
Estimate 2000-3000 FTE hours lost (not counting data loss).
65% of grad student laptops were compromised (largest representation of un/mismanaged mobile systems).
User awareness was at an all-time high AFTER the incident, but misconfigured systems still appear on the net daily.

4 What We Had… EECS IT Risk Assessment
A month-long, department-wide activity, encompassing all aspects of IT services, such as:
  – Infrastructure
  – Application
  – Operations
  – People
Does not fare well against a corporate environment.
Serious lack of user awareness, IT policy and enforcement, and “standards” for computing devices.
Starting point of the year-long EECS IT security project.

5 What We Had…

6 Virus/Spam
Too many to mention:
  – bagle (32+ variants, .a through .ah)
  – mydoom (13+ variants, .a through .m)
  – netsky (.a through .ac)
  – soBig, klez, etc.
Many viruses are transmitted via email.
55+% of all incoming EECS email is “spam”.

7 What We Had… It’s a Jungle Out There…

8 What We Have?
Active instructional courses and labs
Demanding administrative services
Dominant research areas:
  a) Wireless
  b) Motes
  c) HoneyPots
  d) HPC and large computation-intensive simulations
  e) Nano research
  f) Microfabrication
  g) Optical/QoS related networking research
Delicate balance between the need for stable, 24x7 production services and the need for flexibility and robustness.
Historically, a cutting-edge research environment defies convention and resists “centralization” or “standardization” of IT.

9 What We Have?
“Centralized” Infrastructure services:
  – Networking (wired and wireless)
  – IP based services
  – User Account management
  – Department wide applications
  – Instructional
“Federalized” tier-1 and tier 2 services:
  – User level support
  – Desktop and server management
  – Application development
  – Research specific support
Highlight
Communications
Dissemination of information
Difficulty in harboring support and understanding
Not streamlined

10 What We Have?
Various federal and state level laws.
  – SB-1386
  – DMCA
UCB Minimum Security Standard.
  – Patch management
  – Personal firewall
UCB Data Management, Usage, and Protection Policy.
  – Classification of all data
  – Mandatory protection of certain types of systems.
Community buy-in
Change in culture
Encouragement and enforcement of “right” behavior
Expensive!!

11 What We Have? Many monkeys on our backs…

12 Realistically…
IRIS (EECS IT organization) reports to a faculty committee led by one Vice Chair.
  – Committee meets twice a year
  – One person makes the high-level operational decision
  – Takes a long time to build consensus when dealing with substantial policy changes
EECS has 110+ faculty == 110+ CIOs
Many IRIS operations are supported via a fee-for-service model.
What is the right model for us?

13 Realistically… Too many chiefs, not enough indians.

14 Control as Little as Possible

15 Imposing Order
Original reaction in the wake of Blaster
  – Strong Perimeter Firewall
  – Mandatory central management of all systems
  – Limitations on allowed platforms, services, and applications.

16 Reassessment
Perimeter firewall did not fly
Does central control make sense?
  – A historically decentralized culture
  – Wildly diverse computing needs
  – Limited resources for a task that does not scale
How to improve on the decentralized model?

17 Mandating the Right Things
Policies
  – Campus plus departmental policies
  – Technical enforcement
  – Encouraging compliance

18 Mandating the Right Things
Network control
  – Registration of hosts
  – Identification of POC
  – Ability to withdraw network access on short notice
Communications channels
  – Automated contact mailing list for POCs
  – Mandatory education for incoming students

19 Releasing Control
Optional centralized services
  – Full end-node management
  – Patch management
  – Antivirus management (host based and email scanning)
  – Active and passive network scanning
  – Education and training

20 Releasing Control
No central support or mandate
  – Unsupported operating systems
  – Specialized applications or services
  – People who don’t use central services end up here

21 Plan Ahead

22 Trends
Volume
Sophistication
Speed
Severity
Dependency

23 Threats
Loss of productivity
Loss of data
Legal consequences
  – Copyright violations
  – Theft of personal information
  – Use of facilities as stepping stone
Loss of funding

24 Conclusions

