EDUCAUSE | SEC06

EDUCAUSE Security Professionals Conference 2006. Summary: Winning the Battle against Cyber Criminals

llarsen — Tue, 25 Apr 2006 13:48:51 -0500

Winning the Battle against Cyber Criminals

Dan Larkin Unit Chief, Internet Crime Complaint Center , Federal Bureau of Investigation

This opening keynote presentation covered the work of the federal government’s Internet Crime Complaint Center , generally referred to as the IC3, and their industry and academic partners. The IC3 is a joint initiative between the FBI and the National White Collar Crime Center (NW3C)

The IC3 has multiple teams in multiple locations, from Pittsburgh, to Nambia, to , working on issues of internet crime. The efforts of their rapid referral teams push incidents out to law enforcement forces.

The IC3 has identified more than 100 significant spammers and more than 200 Government sites that have been compromised or mis-configured.

They collaborate with industry & law enforcement against phishing schemes and are working to develop better approaches to and more impact on these scams. Key elements are keeping a strong focus in this area, enhancing timely intelligence exchange and broadcasting information appropriately as soon as it is confirmed. Public service announcements are important in the work of the IC3 as a means to getting the word out about new criminal activities. This is critically important as so many of the criminal sites pop up quickly and are gone quickly too. More than 5000 Katrina scam sites were up within days of the hurricane. More than 1000 Tsunami scam sites were active. Identity theft and online pharmacy fraud are major issues as well.

Strategic elements of these collaborations are joint work, joint intelligence development and analysis and an ongoing effort to collaboratively develop strategy with their partners.

The IC3 also develops and refines initiatives thru joint training with industry and law enforcement

Critical and significant to their process philosophy is to investigate first and prosecute second. They work to lock down evidence quickly to minimize victim impact and maximize understanding of the situation. They must have a central team to work through leads – where’s the real criminal –which box is compromised?

The IC3 has three major obstacles: smooth intelligence gathering, lack of resources, and turf issues as in who gets credit for the work. Some key wins are their work on the Digital Phishnet, Operation Identity Shield, and their work, in general, against organized crime. They have enabled arrests world-wide. They also have a public service website for awareness education and Lookstoogoodtobetrue.com which makes internet crime a personal issue for people.

Larkin suggested that we all participate. If you don’t have someone you can put onsite at a triage center then consider hiring someone, perhaps jointly with others to represent your community. They currently have 10 onsite from industry. To back up the desirability of the West Virginia location, Larkin showed a quick AV clip made by a member of the staff.

It’s important to get information about the IC3 out to the endusers asking them to contribute information. They are the only ones aggregating internet crime information. The byword should be “Send to IC3, don’t hit delete”

The presentation site is http://www.educause.edu/SEC06/Program/8339?PRODUCT_CODE=SEC06/GS01

The IC3 website is located at http://www.ic3.gov/

EDUCAUSE Security Professionals Conference 2006. Summary: Defining the Security Domain

llarsen — Tue, 25 Apr 2006 13:54:00 -0500

Defining the Security Domain

Marilu Goodyear, ECAR Fellow and Professor, University of Kansas

John H. Louis, Assistant Vice Provost for Information Systems, University of Kansas

This session took a detailed look at how an institution might define their various domains (network, users, and data) for writing and implementing security policy.

To prepare for writing and implementing security policy one needs to know for whom the policy will apply, how it will apply, and when. This defines the scope statement for your security policy. It is a statement of the network, people, data, and administrative structure of the institution.

This can be a daunting task in the academic community. This session provided a grid of decision points to help identify the gates that need to be kept to ensure that freely available university data is available to all and that restricted or confidential data is protected and made available to only those who are authorized to have access.

Public networks are available to anyone for a price. Universities networks are considered private and therefore must manage the network and the privacy of both users and data. Because of additional federal requirements it is important to understand all relevant boundaries. When academic institutions run their own networks, whether centralized or decentralized they are responsible the security of the data and the privacy of the user. If the network is outsourced there must be clear contract language that delineates responsibility for these issues. Academic institutions also must be aware of public and other networks where members of the community may have individual accounts.

However, the security domain for academic institutions is limited to networks managed by the institution be they centrally managed or run by a department. A good network policy should define the network boundary which in turn affects the definition of the security domain. Along with creating a good network policy, the institution must also consider the “who, what, how” of providing awareness training across the boundaries. Goodyear and Louis provide a checklist to determine who is inside or outside of the security domain. It incorporates three dimensions: who (student, employee, visiting scholar, etc), what (public system, public data, institutional data, institutional systems, etc), and how (network – public or private). These are the same dimensions that determine the affect on an institution if a security breach occurs.

The presentation slides include a number of hypothetical examples who is in the “security domain.”

Defining the Security Domain – presentation slides

Individuals in the Security Domain - spreadsheet

EDUCAUSE Security Professionals Conference 2006. Summary: The Path to Becoming a Security Professional

llarsen — Tue, 25 Apr 2006 17:12:54 -0500

The Path to Becoming a Security Professional

Andrea C. Hoy
President, Orange County Chapter of the Information Systems Security Association (ISSA)

Notes from the 2006 Security Conference Closing General Session

Security org charts vary from organization to organization and your reporting structure can help or hinder you in your work and career growth. A critical factor is “who is your boss and who that person is.” Most of the time it is the long-known factor of working relationships - who you know not what you know – that helps one’s professional work and development.

There are many reporting paths for security professionals. All have pluses and minuses. Take a look at your reporting path. Does your path up go to the right people? Does your path down go to the right people? Can you communicate your work appropriately?

Most of the time those you are working for do not know what they want and you will need to tell them what they need to know and then tell that to them. At the same time, they all know what they don’t want to know and so you need to figure that out in advance and couch your messages appropriately. Institutions need to know their vulnerability and so risk assessments are important, however, some institutions don’t want to know because they think it makes them “look bad.” How will you handle these kinds of issues?

Establishing policies for your work is important, especially in what outside requests you will respond to and how. For example, no one likes email discovery requests so you need good policies to protect you.

Even if your organization, and your boss, understands that information security is important, most will not understand what they need and what it will cost. Job descriptions for professional security positions vary widely and can include many different aspects. An annual survey notes that CISO/CSO/CRO are now considered a strategic permanent position by 58% of the respondents. Forty-nine percent now believe that information security is a business enabler and essential to business and they believe it is no long just an overhead cost.

CISCO Forum 2006 statistics:

Education:

Academic degree – 100%
JD – 1 of 56
MBA / masters 19 of 56
PhD 2 of 56

Certifications:

CISSP 99% (security professional)
CISA 7% (auditing)
CPP 3% (physical security)
CISM 13% (manager)

The presentation slides are available at http://www.educause.edu/LibraryDetailPage/666?ID=SPC0627

EDUCAUSE Security Professionals Conference 2006. Summary: The Phishing Ecosystem: Analyzing the Dynamics for Maximum Defense

llarsen — Tue, 25 Apr 2006 17:06:29 -0500

The Phishing Ecosystem: Analyzing the Dynamics for Maximum Defense

Cathy Hubbs, IT Security Coordinator, George Mason University

Darlene Quackenbush, Information Security Officer, James Madison University

Andrew Klein, E-mail Threat Research Manager, Sonicwall

This corporate presentation was essentially an overview of the Phishing ecosystem with representatives from two institutions.

Phishers need the following to create and implement an attack.

- Email list

- Develop the attack

- Locate sites to send phishing email from (compromised machines - botnets)

- Locate sites to host the phishing site – usually 5-10-20 sites

- Launch the coordinated attack

- Collect info

- Transform into cash

Typical attack goes out to 2million email addresses

5% get to end user (100.000)

5% click on the link

2% enter data

Good for $100K

In reality, phishing kits are available and there are a number of phishing gangs

9715 phishing sites in Jan 06

34% are US

31% on “real” web servers that were hacked -

Only need to run the phish for 8 hours.

Eighty-two percent of incoming mail is still spam, virus, etc. These spurious emails need to be caught and quarantined. Most institutions look for some technical help to block the phish emails. However, technology can not stop the problem.

Why students are more at risk:

Some students are impulsive and gullible
Students are trying a lot of new things – so they tend to be more socially open and technically experimental and will reply to something that comes in IM etc.
Nigerian scams – social engineering scams have been around a long time to older people have seen these.
As a rule students haven’t been burned by fraud and so are more trusting.

Phishing awareness education ideas

General security awareness programs
Online reviews and refreshers
Face to face discussions in the fall for both incoming students/parents
Instructors and advisors should tell students “how” to expect their emails
Central IT with liaisons can push out messages via liaisons to their respective departments.
Look for ways to get their attention all year round and in multiple formats

The presentation slides are available at http://www.educause.edu/LibraryDetailPage/666?ID=SPC0603

EDUCAUSE Security Professionals Conference 2006. Summary:System-wide Strategies for Achieving IT Security at Univ. of California

llarsen — Tue, 25 Apr 2006 16:59:57 -0500

System-wide Strategies for Achieving IT Security at the University of California

Jacqueline Craig, Director of Policy, University of California Office of the President

David H. Walker, Director of Advanced Technology, University of California Office of the President

How do you effectively achieve appropriate stewardship of both personal and restricted information which is used across an institution’s academic, administrative, and other operations? This session took a close look at the efforts of the University of California system efforts.

UC has experienced a number of serious security breaches across the 18 campuses, centers and labs. In 2003, California passed legislation requiring notification if there is a reasonable belief that unauthorized access of information has occurred and there is reason to believe that privacy of individuals has been compromised. UC responded by instituting a university-wide security workgroup to come up with solutions. The workgroup was comprised of faculty, deans, vice-chancellors, general counsel, security officers, CIOs and directors.

The working group agreed upon a number of recommendations:

Leadership actions to achieve accountability
University-wide communication and security education & training
Stronger IT security policies
Risk assessment guidelines and mitigation with focus on both academic and administrative strategies.
Campus-based encryption strategies
Improved security incident guidelines

This session emphasized encryption and forensic decisions.

Encryption at the UC will include:

Encryption for data when stored in a location that does not have appropriate physical security and access controls. This includes whole disk encryption including mobile devices, file encryption for data that will be “carried” or transmitted, and database encryption. Encrypted backups are also under consideration. UC is setting up appropriate infrastructure and working on contracts with vendors at this time. Note that all copies of restricted data are being assessed.

Encryption for data transmission at “all” times. This will include file transfers, email, network printer communication, remote file services, and VPN.

A workflow plan and a communication plan for incident response are being developed.

Response will include the following initial steps:

Communication to appropriate staff/teams and others as required

Maintenance of a log of actions

Securing the area/facility

Determining the need for forensics and collecting forensic evidence as possible

Regaining control and analyzing the situation.

Forensic services are being put into place including established local teams and outside help/backup when needed. Operational responsibility is at the campus level to preserve evidence first, provide audit log analysis, and restore service later. Having swaps available critical infrastructure where possible. It was noted that managers are held responsible for doing the right things in preparation and at the time of an incident but they are not held responsible if there is a breach.

UC is establishing an “instant services” vendor service to ensure chain of evidence if needed and pre-set agreements and process procedures for incidents with law enforcement so timely decisions are easier and good relations are maintained.

Guidelines are being established for management of application log, system logs, network device logs, change management logs, and others as appropriate, ie, surveillance, physical access, etc. They emphasized the importance of building a case for taking logs and putting them into a centrally located log management service that is a repository with appropriate tools.

The presentation went into depth on each of the types of logs and the content that can be monitored for uses such as access, change, cost allocation, malfunctions, resource utilization, user activity, and, of course, security incidents.

As university records, logs must be appropriately managed and preserved and able to be retrieved as needed. Retention periods must balance confidentiality of specific individual’s activities, the need to support investigations, and the cost of retaining the records within what is legally required unless there are extenuated circumstances.

The presentation slides are available at http://www.educause.edu/upload/presentations/SEC06/SESS20/EDUCAUSESecurity.2006-04-11.ppt

EDUCAUSE Security Professionals Conference 2006.Summary: Implementing HIPAA Security Rule Training Program for Sys Admins at ECU

llarsen — Tue, 25 Apr 2006 14:31:00 -0500

Implementing a HIPAA Security Rule Training Program for System Administrators at East Carolina University. Carol Davis, DRP Coordinator, East Carolina University

This session walked us through the planning and implementation process that created a training program for systems administrators at ECU for the HIPAA Security Rule. The program was added to a privacy program that already existed but was in need of revision. A key resource was the SANS Press HIPAA Security Implementation book.

Key questions for the planning process were

What is the training?
Who needs the training?
What are the overall project alternatives?
How will it be delivered?
What will the cost be?
What is the “completion” point?
How will effectiveness be measured?
How often must the training be taken?
Who will do the Public Relations on the project and what will be included?
Who will continue to update the training content and monitor?

The project was developed over three months using their HIPAA Committee as the key advisory group. This committee developed the policies for the project. Time was spent on fully understanding the rule sets: the privacy rule, the transaction and code set rule, and the security rule. Technical safeguards and related policies were to be included in the training. Initial options considered included purchasing a full set of modules or customizing the training using Blackboard which was already an established resource.

Awareness training was to be included for all members of their health care workforce including management. Visitors and students complete an abbreviated version of the training and students take a web-based quiz and take the results to their faculty.

The course objectives were:

Familiarity with HIPAA and the security rule
Understanding rule sets
Understanding why both Privacy and Security rules are needed
Understanding how the rule applies to the trainee.
Understanding safeguards
Review of security policies
Understanding technical security awareness
Understanding individual responsibility for protecting health information

The content was created in five sections:

Overview and structure
Security rule principles
ITCS safeguards
Security awareness
Security incident notifications

A Blackboard course was populated & information on the program was distributed

Training guidelines were provided electronically and course deadlines were included

Management helped to ensure course completion.

Current knowledge was sampled by having administrators complete the quiz before the online training and again afterwards. The specific training assessment is a quiz of 10 questions based on HIPAA privacy but concentrating on security specifics. Instant feedback is provided for both correct and incorrect answers. The training and quiz can be retaken to improve learning. Certificates are awarded for 80% or better scores. The certificates are popular and being hung on office walls and added to resumes.

Each person taking the training is asked to complete an evaluation survey that includes the question of the application of the training to their position and a blank field for additional comments.

The latest phase is to more fully utilize Blackboard with one training package that includes two modules and to incorporate student training into the system as well as reviewing role-based training opportunities. HR is assisting in identifying new departments or individual positions that require compliancy or other special training. And, of course, the training content is continually reviewed and revised when appropriate.

HIPAA Security Rule Training – presentation slides

HIPAA System Admin Training Guidelines – 4 page document – instructions for training program.