EDUCAUSE | Security Risk Assessment and Analysis

EDUCAUSE Summit: The Role of IT in Campus Security and Emergency Management

Carie417 — Fri, 15 Aug 2008 07:14:30 -0500

Colleges and universities are subject to all-hazards, ranging from natural disasters to man-made events. Recent shootings at Virginia Tech and Northern Illinois University, coupled with the devastation of floods and hurricanes and the threat of domestic and international terrorism have created a new sense of urgency on our campuses as we continue to explore new practices and policies for security and emergency management, from preparedness through recovery.

In February, EDUCAUSE joined NACUBO and several other higher education associations to launch a new initiative aimed at helping institutions of higher education to develop comprehensive, all-hazards emergency management plans. This month, EDUCAUSE will bring together campus and IT leaders to continue the dialogue.

On Aug. 18-19, key stakeholders in campus emergency management – from CIOs and IT leaders to public safety and law enforcement officers – will converge in Washington, DC, for, “The Role of IT in Campus Security and Emergency Management.” This two-day Summit will explore contemporary approaches and future possibilities for leveraging communications and information technologies as critical components of campus comprehensive emergency management plans.

As the conversation evolves, new ideas and emerging themes will be captured and shared on this EDUCAUSE blog, open to community input and comments. Final results will be captured in a whitepaper and showcased this fall at the EDUCAUSE 2008 Annual Conference in Orlando and will be disseminated through other association events and future publications.

For more information, contact Rodney Petersen, Government Relations Officer and Security Task Force Coordinator, at 202.331.5368 or rpetersen@educause.edu.

Podcast: The FTC as an Educational Partner in Improving Data Security and Privacy

gbayne — Mon, 19 May 2008 16:40:38 -0500

This 38 minute podcast features a keynote address by Mary Beth Richards, Deputy Director of the Bureau of Consumer Protection for the Federal Trade Commission. Her speech, "The FTC as an Educational Partner in Improving Data Security and Privacy," was recorded at the EDUCAUSE 2008 Policy Conference in Arlington, Virgina.

The Federal Trade Commission deals with issues that touch the economic lives of most Americans. The current portfolio includes protecting consumers in the areas of data security and privacy, identity theft, Social Security number misuse, identity management, spam, maintaining the National Do Not Call Registry, and other IT issues of interest to colleges and universities. The FTC's Bureau of Consumer Protection, although a regulator of businesses, is also an educator: it seeks to educate consumers and provide businesses and other organizations with the information they need to comply with the rules of the road and to provide consumers with the necessary tools to engage in commerce intelligently. This session highlights information policy issues the FTC is addressing and educational resources institutions of higher education can leverage to improve student, faculty, and staff awareness of data security and privacy risks.

Podcast: Addressing Complex Security Threats Through Risk Management

gbayne — Fri, 16 May 2008 13:25:56 -0500

This 40 minute podcast features a keynote address by Rebecca Whitener, Former Vice President of Enterprise Risk Management and Chief Risk Officer at EDS. Her speech, "Addressing Complex Security Threats Through Risk Management," was recorded at the EDUCAUSE 2008 Security Conference in Arlington, Virginia.

In this session, we address the current cybersecurity issues that are challenging higher education leaders today as they try to stay on top of the risks associated with attacks on information systems from internal and external sources. Emerging enterprise risk management (ERM) methodologies are examined as a source of guidance for creating an effective risk-based approach for managing current and future threats.

New Risk Assessment Resources Available

vvogel — Fri, 14 Mar 2008 11:57:10 -0500

The Security Task Force Risk Assessment Working Group wishes to inform higher education information security practioners of a few recent resource updates which are now available from the Risk Management section of the IT Security Guide.

The Information Security Risk Assessment Consultants list provides a listing of vendors known to have conducted some form of IS risk assessment for at least one higher education institution. The only way a vendor can get onto this list is to be placed there by an EDUCAUSE member institution that has engaged the consultant. Each entry on this list provides a link to the institution which has provided the vendor reference. The list can be a starting place for schools that are seeking a consultant; referencing institutions may be willing to provide additional information about the vendor and the consulting engagement when asked.

The list of Risk Assessment Tools provides links to various tools which can aid with a risk assessment. The tools are a mix of some sold or licensed by vendors, some provided by colleague institutions, and some from associations or standards groups.

The existing PDF version of the Information Security Governance (ISG) Self Assessment Tool for Higher Education has been enhanced by the addition of a Microsoft Excel version which (1) separates each section onto individual worksheets for increased flexibility of analysis and entry and (2) provides for automatic summarization on the separate scoring worksheet.

We hope you find this information useful. If you are able to provide additional information or references for the Risk Assessment Consultants list or the Risk Assessment Tools list, please send an e-mail to the Security Task Force.

E07 Podcast: An Interview with Cedric Bennett - Security Concerns and Risk Management

gbayne — Thu, 01 Nov 2007 14:14:03 -0500

In this fifteen minute podcast, we feature an interview with Cedric Bennett, Emeritus Director for Information Security Services at Stanford University. Mr. Bennett also serves on the EDUCAUSE/Internet2 Computer and Network Security Task Force. We interviewed him at the EDUCAUSE 2007 Annual Conference in Seattle, Washington, where he was presenting a session entitled, "Stop, Drop, and Roll: Prevent and Douse Cyber Incidents".

E07 Podcast: Bruce Schneier on Information Security: Ten Trends

gbayne — Wed, 31 Oct 2007 15:35:49 -0500

In this 43 minute podcast, we feature a keynote speech by Bruce Schneier, author and Chief Technology Officer for BT Counterpane, Inc. This speech was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26th, 2007. It is entitled "Bruce Schneier on Information Security: Ten Trends".

Surveying current trends in information security, it’s clear that a myriad of forces are at work. But fundamentally, security is all about economics: both attacker and defender are trying to maximize the return on their investments. Economics can both explain why security fails so often and offer new solutions for its success. For example, often the people who could protect a system are not those who suffer the costs of failure. Changing these economic incentives will do more to improve security than will more technology.

2007 Enterprise Conference: The Adaptable University

gbayne — Fri, 15 Jun 2007 17:20:48 -0500

This podcast features a keynote address from the 2007 Enterprise Conference in Chicago, Illinois. Our speaker is H. David Lambert, Vice President for Information Services and Chief Information Officer at Georgetown University. His speech is titled “The Adaptable University” and runs approximately 53 minutes.

Institutions of higher education have become increasingly concerned about their ability to maintain critical services to faculty, students, and staff in the event of a major disruption. As we build or buy new information systems, enhance new facilities, and design new programs, we must be concerned with business continuity and creating resilient, adaptable institutions that consider academic sustainability in every aspect of the enterprise.

EDUCAUSE Security Conference: Incident Tracking and Reporting

llarsen — Fri, 20 Apr 2007 14:26:03 -0500

Summary

Incident Tracking and Reporting

Kathy Bergsma, University of Florida

Joshua Beeman, University of Pennsylvania

2007 EDUCAUSE Security Professionals Conference

Thursday, April 12, 2007

Denver, CO

Notes:

Kathy Bergsma reported on the UFL environment.

UFL has more than 50K students and is decentralized.

The first thing UFL tracks is the current contacts for security incident reporting.

It includes network managers, server managers, information security managers and administrators and others.

UFL has created an incident response standard that describes 8 response steps from discovery to resolution, establishes an incident response team, defines team and unit responsibilities, and sets up specific procedures for different types of incidents. It is available online at http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html.

What UFL tracks:

incident identification sources such as IDS (Intrusion Detection System), Email abuse complaints, flow data, and honeypots (decoys)
critical elements such as IP address, unit, type, severity, containment and resolution times

Various options and tools are available for ticket creation when incidents are identified and the UFL incident response team receives daily reports on open tickets. In addition, bi-weekly automated reminders for open tickets are sent to their owners. The centralized unit enters a ticket from the point of discovery via IDS (currently using Dragon but switching to Snort) The decentralized unit has access to enter updates on to the ticket thereafter. Everything is done via the web.

Vulnerability detection is done with continuous Nessus top-20 scans and the results are tracked in SQL. They are able to find the weak spots in their systems and compare data from year to year. The hardware for this is distributed across three machines and takes up to 3 days for a complete scan.

Individual unit reports are generated each semester that compare the unit to the 5 most active units in regard to number of incidents, number of incidents adjusted for unit size, average number of days to contain incidents, number of critical vulnerabilities, and number of critical vulnerabilities adjusted for unit size. No unit wants to be in the top 5 group which are highlighted in bright primary colors that draw attention to their security issues. The report also posts the number of each incident type and the comparison to the previous semester. The incident reports process is semi-automated and they have web tools to do the graphs. [a sample of the reports with their associated bar charts are available in the presentation slides posted online at http://www.educause.edu/ir/library/powerpoint/SEC07097.pps]

A report to the CIO is generated that lists all campus units. The report shows the number of incidents, the containment time, and the number of vulnerabilities.

Bergsma reports that 100% of campus units surveyed find these reports to be incredibly useful and that 46% made changes to their program as a result of the reports. The decentralized units use the reports for

Compliance reviews
Risk assessment
Strategic planning
Business planning

They also surveyed for incident change causes, familiarity with the UFL policy, and the degree of compliancy.

UFL does not keep actual forensics on tickets but they do make a forensics report and put it in the incident safe.

Joshua Beeman reported on the Penn environment.

Penn is running an open network with decentralized computing (40 cost centers) on a limited budget for 22K students and 17K faculty and staff. They have growing security concerns as did everyone else in the room. He indicated that some systems are managed/coordinated centrally.

Their security reports are generated for

Awareness

Identifying larger trends
Developing “security hawks”
Ultimately improving customer service and justifying their existence

Beeman characterized Version 1 as “gum and duct tape” at which point an attendee asked: “You have duct tape?” Version 2 was characterized as “less gum and more tape” after significant feedback from users. He did say that they planned ultimately to shift to Remedy and may use some of the UFL scripts.

Before Version 1 the primary tracking system was via email so when you created reports you had to go back through email to collect information. One person did use a paper system and an excel spreadsheet was used.

In Version 1 of the current reporting system they log incidents with the following information:

Date
IP address
Center names
Incident sources
Incident type
Handler comments are optional

Compromise key elements are

Total number of compromises
Total number of IP addresses
Ratio of compromises/IPs (this is their magic #)
Ranking based on ratio
Average based on ratio

Whereas UFL concentrates on the top 5, Penn does all 40. Their cost centers all want a better score and come bugging them for assistance.

Critical hosts

Total number of critical hosts registered
Total number of IP addresses
Ratio of critical hosts/Ups
Ranking
Average

Beeman said that if a critical host doesn’t register with them that unit is “in trouble” but that there is no real consequence if they don’t have an incident and make the news. The cost centers are ultimately responsible.

Key elements of the management reports are:

Summary tables with compromise & critical host rankings
Summary graphs with incident source and overall distribution.

Beeman noted that the system alerts you to the fact that you are entering an incident on a critical host by turning red.

Defined criteria in the beginning and reactively? There is a distinction between incidents and events, and they found a need to add “non-event,” thus modifying as it was used. Fluidity in “what type of incident” [DMCA vs Vulnerability vs Compromise vs non-event] has been important but reporters sometimes use their own language to describe a specific incident.

Each cost center receives a copy of their report which is detailed. However, Beeman said they are only truly interested in being at the top – incident free, and may not pay attention to the details. The report has a graph that clearly shows the top cost centers and pie charts were created that show progress in “proactive” incident identification. Sample reports were included in the presentation slides.

The gum and duct tape version was very successful and Beeman’s unit received additional funding to build a cold fusion database which is Version 2.

GRADI is their Version 2 web based incident tracking system. It captures all of the previous fields plus many more and it provides automated processes for such things as DNS & host contact lookup, email routing, and custom handling based on incident type.

New elements in the system were suggested by their users and are:

Wireless, wired
DMCA – non-DMCA
Critical vulnerabilities
New management reports
Comparative studies

The Version 2 report is two pages long and has all the summaries on the top sheet for easy viewing. Samples of these were in the presentation slides.

Version 2 provides

Tools and data for senior management
Increased security awareness
Identification of general trends and problem areas
Improvement of the university’s overall security posture

and it created security “hawks” in the field.

Beeman closed by reminding us the Version 1 was based on an individual spreadsheet with five data fields.

The two sets of presentation slides for this session are located at http://www.educause.edu/LibraryDetailPage/666?ID=SEC07097.

EDUCAUSE Security Conference: Secrets of Superspies

llarsen — Tue, 17 Apr 2007 16:30:13 -0500

Summary

Secrets of Superspies

Ira Winkler, Author of Spies Among Us and
President, Internet Security Advisors Group

2007 EDUCAUSE Security Professionals Conference

Wednesday, April 11, 2007

Denver, CO

Notes:

Ira Winkler gave a lively and entertaining account of his work sorting out a variety of un-secure situations and offered specific recommendations based on his experiences.

Bad & Good Spies

Winkler said the 2nd worst spy in the world is ‘James Bond’ who is portrayed as someone who kills people, infiltrates enemy organizations and facilities, is feared by his enemies, and blows things up – but on the other hand he kills people, blows things up, is always known by his enemies and he always gets caught at some point which makes for longer and more interesting movies but isn’t the way good spies operate.

The worst spy in the world is ‘Sydney Bristow’ from ‘Alias’. She does a good job at infiltrating but the bad guys are always prepared and one step ahead of her in protecting their information. Winkler said ‘Alias’ actually demonstrates good security programs – those put in place by the bad guys to thwart her efforts to obtain their secrets with ‘defense in depth’. She can be following leads to find the safe behind the picture but they are one step ahead of her with a booby-trapped safe.

Good spies aren’t noticeable, they find people or systems with information they want and they find ways to have that information given to them without incident. The bottom line message is that these may be good movies but in real life we want to create security with defense in depth that would make bad movies.

What do real spies do? They

Determine requirements – what they want to know
Determine who has it and how to collect it
Analyze information (this is the hard part)
Re-evaluate their needs (Do they need more information? Are there new requirements?)

In this ongoing loop, collection appears to be the apparent focus but the most critical piece is determining the requirements because you ‘need to know what you need to know’.

Science versus Art

Hackers like to portray themselves as artists as they need to be ‘special’

Spies are scientists with a methodical and repeatable process. They must have elements of ability, training, and practice. They can have only two of these but one must be training. If they don’t have training they can be dangerous.

Visualization skills are the key ability in this work. Good security people have ability, work in a process, and practice. The folks on the ‘good side’ don’t use their ability and process for criminal activity.

Operatives with 3 years of experience can rapidly recognize vulnerabilities and exploit them. Also real spies know how to protect themselves.

Winkler noted that security and counterintelligence are totally separate activities. He shared an interesting story about spies gathering sensitive data via local Chinese restaurants.

You need to have common knowledge, exercise common sense, but awareness training is the most important aspect of a good security program.

Know the tricks of the trade and what to expect
Be right 100% of the time though your adversary only needs to be right once to win at this game
It’s not about protecting the computers; it’s about protecting the information on the computers.

Spies focus on information

Technology is only important because it provides access to information
Different classes of computers get different levels of protection
There can be tremendous threat but risk can be relatively small

Risk Management

Winkler suggested using a risk management equation where the threat*vulnerability is considered against the security countermeasures that mitigate risks.

Threat is who or what is ‘out to get you.’ Vulnerability is the weakness that the threat can exploit. Value is the information or services you need to protect. Countermeasures are what you do to protect your value. Knowing these helps you determine where to spend effort and resources. He indicated that the biggest risks are not malicious people, but rather people who do stupid things.

Security is about implementing countermeasures to mitigate risks and he offered two key points:

Don’t do security – manage it instead.
Don’t focus on the threat – focus on the mitigations

Winkler provided two case studies. The first was about testing the security of a nuclear facility which focused on the importance of process. If a spy knows the process and can take advantage of that knowledge and where the vulnerabilities in it may be, you are breach-able. In case the vulnerabilities that he exploited were all preventable. While people are fascinated by threats, it only takes bad intent to accomplish what he demonstrated in his breach of this sensitive facility. He said this is true for any attack.

Winkler also said that we must stop treating the bad guys as celebrities. Be they the Cloverdale teens who infiltrated the .mil domain or others. They are not dragons, they are snakes and good security people are not knights, they are exterminators. He did understand that the dragon/knight scenario is better for budgets.

Moving into a discussion of budget issues, Winkler was clear that IT budgets and security/protection budgets are not the same and we must optimize risk. Potential loss should drive the budget. On measures of cost, there is a point where vulnerabilities plotted against countermeasures can give us a risk optimization. Risk should be a key consideration in determining the budget.

Things to Remember

In his closing statements, Winkler stressed

importance of awareness training
countermeasures should not be determined by budget or vendor hype
focus on information and services not on computers/technology
create defense in depth
focus on countermeasures that mitigate risk

…and indicated that realistic security is achievable.

The presentation slides for Secrets of Superspies are available online at http://www.educause.edu/SEC07/Program/11616?PRODUCT_CODE=SEC07/GS02. A podcast is in production.

Books by Ira Winkler include

Spies Among Us and Zen and the Art of Information Security

New Managers Training and Data Security--Two Seminars Coming in June

cluckett — Thu, 05 Apr 2007 17:54:01 -0500

The EDUCAUSE Seminars program, led by expert members of the higher education IT community and EDUCAUSE staff, presents an opportunity to spend a full day exploring one of various important topics in higher education IT, with the convenience of close location, low cost, and minimal time commitment.

The two EDUCAUSE Seminars detailed below will be held concurrently in Columbia, South Carolina, on June 4, 2007, 8:00 a.m.–4:30 p.m. Those registering for a seminar may wish to forward this message to colleagues who are interested in the seminar topics, so a campus group can attend together.

Survival Training for New Managers

Register before May 3 for low, early-bird rates.

Those who have recently shifted from a technical IT role on campus to a management position or are planning to do so in the near future will benefit from attending Survival Training for New Managers. In this one-day seminar, Marilu Goodyear, a professor in the Public Administration Department of the University of Kansas, will present the critical basics of the management role, such as how to keep a unit's work aligned with the overarching mission and goals of the institution; how to hire, manage, develop, and motivate staff; and how to manage the demands on personal time and maintain a life balance.

A Blueprint for Handling Sensitive Data

Register before May 3 for low, early-bird rates.

Those looking for new ways to tackle challenging issues created by information security risks at their college or university will benefit from attending A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations. In this one-day seminar, Shirley Payne and Jim Jokl, both directors at the University of Virginia, will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Computer and Network Security Task Force. Among the steps to protect sensitive data include implementing an information security risk management program, data-classification policies, awareness programs, and technology solutions, as well as clearly defining roles and responsibilities.