EDUCAUSE | Cybersecurity

Information Sharing for IT Security Professionals

vvogel — Wed, 13 Aug 2008 14:44:50 -0500

Learn how to develop a network of professional contacts in order to create an effective support system for information sharing within the IT Security community. Read the article "Information Sharing for IT Security Professionals" by EDUCAUSE Security Task Force Coordinator, Rodney Petersen in the latest EDUCAUSE Quarterly.

Cybersecurity Research Challenges

elilly — Mon, 16 Jun 2008 10:56:12 -0500

Today’s most prevalent and widely discussed attacks exploit code-level flaws such as buffer overruns and type-invalid input. We need to anticipate tomorrow’s attacks and think beyond buffer overruns, beyond code-level bugs, and beyond the horizon. To be ready for threats of the future, we need to be doing more basic research in cybersecurity today. This talk will outline a few suggestions for important research directions in cybersecurity: the foundations of trustworthy computing, security architectures, privacy, usability, and security metrics.

NSF Response to 2007 Summit Final Report

elilly — Mon, 16 Jun 2008 10:41:49 -0500

The Cybersecurity Summit meetings have proven to be a useful forum to foster dialog between awardees, cybersecurity experts and NSF. NSF will provide feedback on the 2007 Summit meeting and discuss best practices in cybersecurity that might be useful to large facilities.

Community Updates

elilly — Mon, 16 Jun 2008 10:26:49 -0500

Community updates from EDUCAUSE/Internet2 Security Task Force, InCommon, OpenScience Grid, Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), TeraGrid, and the U.S. Department of Energy Computer Incident Advisory Capability.

EDUCAUSE Now - Show #4 – Cybersecurity, Cyberinfrastucture, Fear 2.0

gbayne — Thu, 12 Jun 2008 18:39:26 -0500

EDUCAUSE Now is a monthly podcast, focusing on the intelligent use of information technology in higher education. Each episode features a variety of stories, interviews, and views that relate to IT in higher education. Let us know what you would like to hear at podcast@educause.edu.

Subscribe to EDUCAUSE NOW RSS feed

This episode of EDUCAUSE Now features:

Lessons Learned in Cybersecurity
(01:37―07:24)
We speak with security professionals from Ohio University about their highly publicized 2006 security breach and what they've learned from the experience. The presented a session at the EDUCAUSE 2008 Security Professionals Conference entitled, " The Lifecycle of a Security Breach."
New Research Study―" Higher Education IT and Cyberinfrastructure: IntegratingTechnologies for Scholarship"
(08:04―14:09)
Cyberinfrastructure is a term that has confounded and confused many of us in higher education. We speak to ECAR Fellow Mark Sheehan about this new study on how institutions are using cyberinfrastructure successfully and what you need to know about it.
A Commentary from EDUCAUSE President Diana Oblinger
(14:10―17:01)
Diana considers a few of our assumptions about new and old technologies in a changing world.
ELI in Conversation: "Fear 2.0"
(17:20―22:35)
A conversation from the ELI 2008 Annual Meeting. A group of higher ed professionals discusses Web 2.0 tools and how they are shifting education. Participants include:
- Laura Blankenship, Senior Instructional Technologist, Bryn Mawr College
- Martha Burtis, Director, Teaching and Learning Technologies, University of Mary Washington
- Barbara Ganley, Lecturer in English and Writing Program, Middlebury College
- Leslie Madsen-Brooks, Teaching Resources Center, University of California, Davis
- Barbara Sawhill, Director Cooper International Learning Center, Oberlin College

This is an excerpt of a longer conversation.

Music for EDUCAUSE Now:
"Groove IT" by Denis Kitchen
"Zune 2" by Sebastian6
"MOAQ" & "Kalimbabumbum" by Kelly Walker
"Amber" by Dan Tharp

Security is Number One IT Issue According to 2008 Current Issues Survey Report

vvogel — Thu, 29 May 2008 18:02:05 -0500

EDUCAUSE has published the results of the 2008 Current Issues Survey, and this year Security edged out Funding IT as the top strategic challenge.

The latest EDUCAUSE Quarterly article, "Current Issues Survey Report, 2008", states:

It is no wonder that IT security has again emerged as the top strategic issue for colleges and universities given the increasing amount of critical data and new services that are available electronically and need to be protected. The persistence of security incidents and reported data breaches, and a growing number of compliance requirements including security-related state and federal regulations and contractual obligations, make this a central and acute concern of all IT organizations, no matter their institutions' sizes and missions. College and university personnel have a daunting task to ensure the security of information resources while operating within a culture of openness and decentralization. In addition, the changing nature of the threats continues to challenge IT organizations.

The article goes on to suggest security issues that institutions need to address. Security-related resources are available as part of the 2008 Current Issues Resources.

Security Task Force Submits Comments on Proposed FERPA Rules

vvogel — Thu, 29 May 2008 17:38:33 -0500

The EDUCAUSE/Internet2 Security Task Force recently commented on the "Recommendations for Safeguarding Education Records". The Family Educational Rights and Privacy Act (FERPA) has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

See Rodney Petersen's blog for additional details. To review the full comments of ACE and the Security Task Force, see:

A Cybersecurity Agenda for the Next President

drupal — Wed, 21 May 2008 12:55:14 -0500

There has been much improvement in securing cyberspace in the last five years, but much still needs to be done. The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency, the administration that will take office in January 2009. The goal of the commission is to identify a strategy and set of recommendations for the next administration to move ahead in securing cyberspace. This session will provide a status report on the commission's work to date. It will also provide an opportunity to offer input regarding progress that has been made in the higher education sector, remaining challenges and opportunities, and the role of the federal government to help improve cybersecurity at colleges and universities.

First-Time Attendees: How to Get the Most Out of the Conference Experience

drupal — Wed, 21 May 2008 10:25:11 -0500

This session will help you get the most out of your attendance at the Security Professionals Conference. Beyond a conference overview, we will address how to make smart choices about which sessions to attend, network with colleagues in similar situations, be intentional about taking home what you learned, and become more professionally involved in the activities of the EDUCAUSE/Internet2 Security Task Force.

Welcome and Introductions

drupal — Wed, 21 May 2008 10:25:11 -0500

The following presentations are from the "Welcome and Introductions"of the 2008 Security Professionals Conference.

Addressing Complex Security Threats Through Risk Management

drupal — Tue, 20 May 2008 11:39:10 -0500

In this session, we will address the current cybersecurity issues that are challenging higher education leaders today as they try to stay on top of the risks associated with attacks on information systems from internal and external sources. Emerging enterprise risk management (ERM) methodologies will be examined as a source of guidance for creating an effective risk-based approach for managing current and future threats.

Podcast: Addressing Complex Security Threats Through Risk Management

gbayne — Fri, 16 May 2008 13:25:56 -0500

This 40 minute podcast features a keynote address by Rebecca Whitener, Former Vice President of Enterprise Risk Management and Chief Risk Officer at EDS. Her speech, "Addressing Complex Security Threats Through Risk Management," was recorded at the EDUCAUSE 2008 Security Conference in Arlington, Virginia.

In this session, we address the current cybersecurity issues that are challenging higher education leaders today as they try to stay on top of the risks associated with attacks on information systems from internal and external sources. Emerging enterprise risk management (ERM) methodologies are examined as a source of guidance for creating an effective risk-based approach for managing current and future threats.

Dartmouth Cyber-Security Initiative and the New Achilles Vulnerability Assessment Console: A Case Study in Collaboration

drupal — Wed, 14 May 2008 10:48:27 -0500

The Dartmouth Cyber-Security Initiative is an ongoing collaboration between faculty, staff, and students focused on projects aimed at improving the security of the College's information systems. By coordinating research interests with practical concerns, the initiative has resulted in a number of innovative procedures and tools. One such tool is Achilles. Integrated with popular assessment tools such as Nessus and NMAP, Achilles is an easy to use, enterprise-scale analysis console that allows institutions to rank, manage, and track assessment results for thousands of systems.

EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

Rodney — Mon, 12 May 2008 20:38:32 -0500

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

According to the discussion [in the proposed rules], "student ID numbers (SID) can be used to impersonate the owner of the number and obtain information or services by fraud." We understand that this is widespread practice with respect to how the private sector uses the SSN for obtaining a variety of products and services. We do not believe, however, that unique student ID numbers created for internal educational uses typically are used in the same way or are subject to the same abuses. More often than not, such numbers are treated as identifiers only; they normally cannot be used to obtain access to education records by themselves, without a further act of authentication, nor can they normally be used in combination with other commonly available information to establish accounts or impersonate people. Moreover, on many campuses, the general "student ID number" and the "user ID" used to log in to electronic systems are in fact one and the same. As a result, many campuses may believe that they cannot designate these various kinds of identifiers as directory information even when doing so would yield clear benefits and could cause no harm.

The comments support the U.S. Department of Education's position that SSN's should never be considered "directory information". However, the comments provide alternative language for the treatment of SID and User ID's, essentially suggesting that they could be treated as "directory information" if there is an additional act of authentication and that the identifier itself does not provide an individual with access to student education records. The entire comments related to "directory information" are available on pages 1-2 of the ACE letter. There is also a discussion of "outsourcing" on pages 4-5.

The EDUCAUSE/Internet2 Computer and Network Security Task Force also commented on the department's "Recommendations for Safeguarding Education Records". FERPA has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

Help Promote the 2009 Computer Security Awareness Student Poster & Video Contest

vvogel — Thu, 01 May 2008 17:29:42 -0500

The EDUCAUSE/Internet2 Computer and Network Security Task Force, in cooperation with the ResearchChannel, is conducting its third annual contest in search of computer security awareness posters and short videos developed by college students for college students. The contest, which is co-sponsored by the National Cyber Security Alliance (NCSA) and CyberWATCH, offers cash prizes ($1,000, $800 and $400) to the winners in each of the four categories. It also provides an opportunity for students to gain experience by developing creative and effective short videos or posters. The deadline for submission of entries is April 30, 2009.

Winning entries will be exhibited on the ResearchChannel web site, heavily promoted during National Cyber Security Awareness month in October, and may be used in your own campus security awareness campaigns. Previous year’s winners gained national recognition in online publications such as Network World, Information Week, Campus Technology, and ZDNet Education.

You can help promote this contest by posting the flyer that is available from the contest website. On this site you will also find materials such as message templates and suggestions for how to publicize the contest to both students and faculty. We encourage you to announce the contest on your campus at this time and then again in the fall (we will remind you). A spring announcement would give students an opportunity to work on entries over the summer and for faculty to include it in plans for the fall semester if they so choose.

For more details and the complete contest rules, visit http://www.educause.edu/SecurityVideoContest2009, where you will also find links to previous winners’ videos. Additional inquiries can be directed to the Security Task Force staff at 202-872-4200 or e-mail, security-video@educause.edu.

Baker College Takes First Place in the 2008 National Collegiate Cyber Defense Competition (NCCDC)

vvogel — Thu, 24 Apr 2008 10:55:05 -0500

Congratulations to Baker College (Flint, Michigan) on winning the third annual National Collegiate Cyber Defense Competition! After competing for the last three years, the Baker College team finally made it past the regional level to beat the 2007 winners from Texas A&M University.

The competition is a three day event hosted by the University of Texas at San Antonio's Center for Infrastructure Assurance and Security, a cybersecurity research and education center. Students have the opportunity to test their knowledge of network infrastructure management and protection in an operational environment. The competition also provides students with a chance to interact and discuss the security and operational challenges they will face upon entering the job market.

FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Rodney — Mon, 31 Mar 2008 12:52:09 -0500

The U.S. Department of Education has issued a Notice of Proposed Rulemaking with proposed regulations pertaining to the Family Education Rights and Privacy (FERPA). Among other things, "the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA," according to the Notice. Additionally, the regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make other necessary changes.

Among the IT-related changes are:

Clarification of what can be included as directory information, addressing Social Security Number (SSN), other student ID numbers, and email addresses
Requiring the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed
Recommendations to assist institutions in safeguarding educational records

The deadline for comments is May 8, 2008.

The EDUCAUSE Washington Office is reviewing the proposed changes and welcome your comments or questions. We will provide a more detailed analysis of the proposed rules and any further updates at a later date.

Security Task Force Provides Briefing to CSIS Commission on Cyber Security for the 44th Presidency

vvogel — Wed, 26 Mar 2008 10:01:41 -0500

The EDUCAUSE/Internet Security Task Force provided a briefing to the CSIS Commission on Cyber Security for the 44th Presidency on March 12, 2008, during the event "Improving Cybersecurity: Recommendations from Private Sector Experts". A 1-page summary of the briefing is available, as well as the complete transcript.

FireEye Joins Internet2 to Participate in High-Performance Network Security and Malware Analysis Initiatives

vvogel — Wed, 26 Mar 2008 09:28:23 -0500

FireEye, Inc., a leader in global anti-botnet protection, announced that it has joined Internet2 as a corporate member. FireEye plans to collaborate with the Internet2 community on advanced network security projects involving high-performance network security and next- generation malware analysis In addition, FireEye and Internet2 will host a joint webinar titled "Botnet Incident Response" on April 2, 2008. FireEye's chief security content officer Dr. Fengmin Gong will also present "Scaling Security Analysis vs. Next-Gen Botnet Malware Using VM-Based Analysis" at the Spring Internet2 Member Meeting on April 21-23 in Arlington, Va. Harold Stonebraker, a security investigator at FireEye, will present "Incident Response and Network Forensics: Avoiding Common IR Errors".

While emerging network technologies will be used by legitimate organizations to drive innovation, they may also be exploited by criminals and their botnets to conduct illicit activities. As such, FireEye continues to advance its anti-botnet security technologies for the next-generation Internet. As a corporate member of Internet2, FireEye will collaborate with higher education institutions and researchers to investigate how anti-botnet protections can be incorporated into the design of next-generation Internet technologies.

Read the full press release or learn more about Internet2's security initiative.

Briefing to CSIS Commission on Cyber Security for the 44th Presidency

ckeller — Thu, 13 Mar 2008 09:35:11 -0500

This "Briefing to CSIS Commission on Cyber Security for the 44th Presidency" By Rodney Petersen and Jack Suess on behalf of the EDUCAUSE/Internet2 IT Security Task Force was presented to the Commission on Cyber Security for the 44th Presidency. The agenda was "Improving Cybersecurity: Recommendations from Private Sector Experts".

Soliciting Higher Education Input to the Commission on Cyber Security for the 44th Presidency

Rodney — Thu, 06 Mar 2008 15:31:21 -0600

The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency – the administration that will take office in January 2009. The goal of the nonpartisan Commission is to develop recommendations for a comprehensive strategy to improve cyber security in federal systems and in critical infrastructure.

The EDUCAUSE/Internet2 Security Task Force has been invited to provide input to the Commission and welcomes your comments in the following areas:

What role has the Federal government played to improve cybersecurity these past few years that has been useful for the higher education sector?
Are there ways in which the Federal government has hindered progress? If so, please describe.
Are there new initiatives you would like to see from the Federal government help to improve cybersecurity?

Please comment by Wednesday, March 12th, 2008, by using the "Post new comment" section below or sending your comments to Security-Task-Force@educause.edu

National Campus Safety and Security Project Launched

lgesner — Fri, 22 Feb 2008 14:47:36 -0600

EDUCAUSE has joined with NACUBO and several other higher education associations to launch a national campus safety and security project. The project team will conduct an 18-month study that will examine threats of every nature facing colleges and universities and develop guidelines for campus emergency management plans for prevention, preparedness, response, and recovery. Mark Luker, vice president of EDUCAUSE, underscores the importance of addressing campus threats through a multi-organizational effort: "EDUCAUSE, for example, has investigated cyber security and assisted institutions in solving related problems. Expanding on our past efforts in the most meaningful way to colleges and universities requires more of an enterprise approach. We’re looking forward to this opportunity to integrate the concerns and work of EDUCAUSE with those of our partners in the higher education community who represent other components of campus life."

National Campus Safety and Security Project Launched

vvogel — Thu, 21 Feb 2008 16:41:19 -0600

EDUCAUSE has joined with NACUBO and several other higher education associations to launch a national campus safety and security project. The project team will conduct an 18-month study that will examine threats of every nature facing colleges and universities and develop guidelines for campus emergency management plans for prevention, preparedness, response, and recovery. Mark Luker, vice president of EDUCAUSE, underscores the importance of addressing campus threats through a multi-organizational effort: "EDUCAUSE, for example, has investigated cyber security and assisted institutions in solving related problems. Expanding on our past efforts in the most meaningful way to colleges and universities requires more of an enterprise approach. We’re looking forward to this opportunity to integrate the concerns and work of EDUCAUSE with those of our partners in the higher education community who represent other components of campus life."

Privacy related links of interest ...

mpasiewicz — Wed, 20 Feb 2008 09:57:06 -0600

I just discovered a series of interesting blog entries from Danny Weitzner, W3C Technology and Society Policy Director and co-director of MIT CSAIL. These aren't especially new links, but I thought they might be worth relaying ...

Reciprocal Privacy for the Social Web - provides an introduction for a proposal "to establish a reasonable privacy balance in social networking environment" using FOAF. Also of interest is a link from Shahan Khatchadourian describing the use of FOAF and OpenID to establish trust/prevent spam. Apparently the solution could be available from Ryan Lee as a Drupal module? In some ways, this sounds similar to the Social Network Portability concept mentioned by Stephen Downes.

Driving Security Improvements in Existing Technologies and Emerging Systems

drupal — Tue, 19 Feb 2008 11:38:30 -0600

The Directorate for Science and Technology (S&T) is the primary research and development arm of the U.S. Department of Homeland Security. S&T uses the Homeland Security Advanced Research Project Agency to engage industry, academia, government, and other sectors in innovative research and development, rapid prototyping, and technology transfer to meet operational needs. Academic organizations such as the Computing Research Association and industry groups have called for increased funding for cybersecurity R&D. This keynote will describe what the S&T directorate is doing to drive, discover, and deliver new solutions to address cybervulnerabilities as well as what research areas it considers as priorities in the near term.

DNSSEC: Challenges and Opportunities for Higher Education

drupal — Tue, 19 Feb 2008 11:38:30 -0600

The Domain Name System Security Extensions, known as the DNSSEC, is a suite of IETF specifications for securing certain kinds of information provided by the DNS as used on IP networks. It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of devising a backward-compatible standard that can scale to the size of the Internet and deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients). This session will describe collaborative efforts between the federal government, industry, and academia, and how .edu can signal to the rest of the Internet community that it will lead the way with deployment of DNS security extensions.

Security Professionals Conference to Focus on Security and Privacy Compliance, Planning, and Trends in Higher Ed

cluckett — Fri, 08 Feb 2008 15:16:52 -0600

Rebecca Whitener, vice president, enterprise risk management and chief risk officer, EDS, and Greg Garcia, assistant secretary for cyber security and communications, United States Department of Homeland Security, will present keynote sessions at the 2008 Security Professionals Conference, May 4–6 in Arlington, Virginia.

The conference program will cover these topic areas, with a focus on higher education:

Forensics and Incident Handling
Policy, Law, and Compliance
Risk Assessment
Security Management and Operations
Technology Solutions
Vendors and Partners of IT Products and Services

In-depth, half-day preconference seminars will spotlight managing security breaches, Windows Vista security, and establishing an information security program, among others. The postconference seminar will focus on developing an effective electronic records management process. Register by April 4 to save money with low early-bird rates.

For more information, peruse security-related resources at the EDUCAUSE/Internet2 Computer and | Network Security Task Force website.

EDUCAUSE Live! Podcast: What Price Insularity? Reflections About Computer Security Failings.

gbayne — Mon, 07 Jan 2008 12:27:05 -0600

In this EDUCAUSE Live! podcast, join host, Steve Worona, for the topic "What Price Insularity? Reflections About Computer Security Failings". Steve's guest is Fred Schneider, Professor of Computer Science at Cornell University.

Presentation slides for this audio can be found here.

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address security failings—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality? Fred Schneider, editor of the National Research Council study Trust in Cyberspace and longtime researcher on what makes computer systems secure, considers these and other questions.

Tune in Jan. 4 for a Free Web Seminar on the Role Insularity Plays in Computer Security Failings

pkurkowski — Tue, 18 Dec 2007 18:06:55 -0600

Why is it risky for technologists to ignore the nontechnical context where their systems will be deployed? Furthermore, what is the risk when policymakers ignore the limits and potential of technology? How can we structure dialogue between technologists and policymakers to address what could be termed as "security failings"—to revisit identity theft, electronic voting machines, digital rights management, and network neutrality?

In this free January 4 EDUCAUSE LIVE! seminar, What Price Insularity? Reflections About Computer Security Failings, presenter Fred Schneider, professor of computer science, Cornell University, will consider these and other questions.

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources on Security Management, Identity Theft, and Cybersecurity Policy.

Net@EDU Tenth Annual Meeting: Registration Now Open

pkurkowski — Mon, 10 Dec 2007 11:55:08 -0600

Guru Parulkar, Consulting Professor and Executive Director, Clean Slate Internet Design Program, Stanford University, and Douglas Maughan, Program Manager, Cyber Security R&D, Science and Technology Directorate, U.S. Department of Homeland Security, will present keynote sessions at the tenth Net@EDU Annual Meeting: “The Next 10 Years,” February 10–12, 2008, in Tempe, Arizona, with Working Groups through February 14.

The conference program will cover the latest developments in network and system security, regional and state networking, identity management, federal IT policy, converged communications services, and policies for national broadband connections. Register now for low early-bird rates.

Final Report of the 2007 Cybersecurity Summit

ckeller — Fri, 30 Nov 2007 12:27:45 -0600

This is the final report for the 2007 NSF Cybersecurity Summit, held February 22 & 23rd, 2007, in Arlington, VA.

E07 Video & Podcast: "Bruce Schneier on Information Security: Ten Trends"

vvogel — Thu, 29 Nov 2007 16:51:51 -0600

Watch the video or listen to the podcast of Bruce Schneier's recent keynote speech, "Bruce Schneier on Information Security: Ten Trends", which was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26, 2007.

You can also hear a 14 minute interview with Bruce Schneier. Listen in as he shares some insightful words about privacy along with interesting commentary about ethics, cybersecurity, and blogging.

E07 Podcast: The 2007 Campus Computing Survey

kellywalker — Tue, 27 Nov 2007 21:17:42 -0600

This 36-minute podcast recorded during the EDUCAUSE 2007 Annual Conference features Kenneth C. Green, Founding Director, The Campus Computing Project speaking on "The 2007 Campus Computing Survey."

The session abstract:

Begun in 1990, the Campus Computing Project is the largest continuing study of the role of computing, e-learning, and information technology in American higher education. The session will present the results of the 2007 Campus Computing Survey, including new data on P2P policies, open source deployment, IT security issues, strategic and financial planning for IT, instructional integration of IT, campus IT standards, course management systems, and Web site services.

Security Certifications in Higher Education

Rodney — Tue, 27 Nov 2007 14:22:03 -0600

The Security Task Force has created a resource page that provides information about security certifications, including links to known security certifications (under the heading of "Community Resources"). Please contact us if we are missing any known security certifications.

According to the 2006 security survey conducted by the EDUCAUSE Center for Applied Research (Safeguarding the Tower: IT Security in Higher Education), the following information is available regarding security certifications by IT security staff at colleges and universities:

18% of the respondents indicated that the person in charge of IT security holds one IT security certificate
3% of those in charge of IT security hold two certificates
3% of those in charge of IT security hold three certificates

Of the individuals who have certification, the following information available:

15.3% hold the Certified Information Systems Security Professional (CISSP) certificate;
5.5% hold the Certified Information Security Manager (CISM) certificate;
5.2% hold the Global Information Assurance Certification (GIAC);
2.4% hold the Certified Information Systems Auditor (CISA) certificate; and
14.9% hold other security certifications

The Security Task Force Awareness and Training Working Group is continuing to promote security training for IT staff and evaluate the role of security certifications in establishing credentials that advance the IT security profession in higher education. Your comments and suggestions are welcome.

E07 Podcast: An Interview with Howard Muffler

kellywalker — Mon, 26 Nov 2007 12:43:34 -0600

In this 6-minute podcast, we feature an interview with Howard Muffler, Chief Information Security Office, Embry-Riddle Aeronautical University. He discusses the role of and challenges facing the CISO.

IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development

ckeller — Wed, 14 Nov 2007 12:06:50 -0600

The Department of Homeland Security's National Cyber Security Division worked with subject matter experts from government, the private sector, and academia to develop an umbrella framework that establishes a national baseline representing the essential knowledge and skills IT security practitioners must have to perform their jobs. The IT Security EBK builds directly on established work and is not intended to represent a standard, directive, or policy by DHS. Instead, it further clarifies key IT security terms and concepts for well-defined competencies, identifies notional security roles, and defines primary functional perspectives to help advance the IT security training and certification landscape as we strive to ensure that we have the most qualified and appropriately trained IT security workforce possible.

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

vvogel — Thu, 08 Nov 2007 16:15:57 -0600

This free November 14 EDUCAUSE Live! Web seminar, IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development, features presenter Brenda Oldfield, Director of Education, Training, and Workforce Development, Office of Cyber Security and Communications, U.S. Department of Homeland Security.

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources:

Tune In Nov. 14: Free Web Seminar on IT Security Essential Body of Knowledge for Workforce Development

cluckett — Wed, 07 Nov 2007 17:18:53 -0600

This free November 14 EDUCAUSE Live! Web seminar, IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development, features presenter Brenda Oldfield, director of education, training, and workforce development, office of cyber security and communications, U.S. Department of Homeland Security,

Those unable to attend may wish to visit the archives after the event or browse related EDUCAUSE resources:

Security Task Force Leadership Update

vvogel — Tue, 06 Nov 2007 17:09:18 -0600

We would like to thank Joy Hughes (CIO & Vice President, Information Technology, George Mason University) for her 3 years of service as a co-chair and 4 years of service as a member of the EDUCAUSE/Internet2 Computer and Network Security Task Force.

We would also like to welcome Mely Tynan (Vice President for IT and CIO, Tufts University), who begins her term as co-chair of the Security Task Force. She will serve alongside Pete Siegel (CIO & Vice Provost, Information & Educational Technology, University of California, Davis), a co-chair since 2006.

Attend the State of the Net Conference in January 2008

Rodney — Tue, 06 Nov 2007 15:58:31 -0600

The Congressional Internet Caucus Advisory Committee's State of the Net Conference will be held on January 30, 2008, in Washington, D.C. The conference offers attendees unparalleled opportunities to network and dialogue on key technology and information policy issues. Attendees include a mix of academics, consumer groups, industry, and government. In 2007, over 50 percent of the attendees were policy staff from Congressional offices and governmental agencies. There is a significant registration discount for non-profit and academic organizations. For more information or to register, go to http://netcaucus.org/conference/2008/

National Cyber Security Awareness Month Wrap-Up

vvogel — Tue, 06 Nov 2007 14:23:48 -0600

This year's National Cyber Security Awareness Month (NCSAM) is now over and the list of 2007 campus events on the EDUCAUSE Security Task Force Web site demonstrates the tremendous effort, creativity, and hard work that many of you contributed in support of this important initiative. Thank you to all of you for your support.

If your event is not yet listed on the website, please share the URL or brief description of your NCSAM-related initiatives, as well as the outcomes you realized, with the participants on the Security Discussion list or send an email to: Security-Task-Force@educause.edu.

We would also like to take this opportunity to remind you to share your updated or new security awareness materials with other colleges and universities. These may be easily added to the EDUCAUSE online resource library via the simple online submission form. We appreciate you taking the time to help us expand the Cybersecurity Awareness Resource Library and helping to make it a very valuable resource.

Sincerely,
Awareness and Training Working Group Co-Chairs Shirley Payne (University of Virginia) and Jodi Ito (University of Hawaii)

Congress Expresses “Apprehension” About DHS Framework for Cybersecurity

Rodney — Thu, 01 Nov 2007 17:01:42 -0500

In a hearing before the U.S. House of Representatives Homeland Security Committee Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, subcommittee chair Rep. James R. Langevin (Dem.-RI) said, “I have great apprehension about the current framework DHS is creating with the sector specific plans (SSP’s) as they relate to cybersecurity.” He continued, “The Federal government and the American people want to ensure there is a high level of cybersecurity protections on our critical infrastructure.

Dr. Lawrence A. Gordon, a professor from the University of Maryland, testified regarding ways of encouraging investments (i.e., incentives) that are directed at improving cybersecurity in profit-oriented organizations. “The most powerful incentive for an organization in the private sector to invest in cybersecurity activities is the motivation to increase the organization’s value to its owners,” he said. “A fundamental problem in coming up with estimates of the benefits derived from cybersecurity investments is that the most important potential losses are due to unobservable lost customers resulting from cyber breaches and the potential liabilities associated with cyber breaches.” Sally Katzen, a visiting professor of law at George Mason University (GMU) and senior consultant to the GMU Critical Infrastructure Protection (CIP) Program, observed in her testimony that the key to addressing cybersecurity both within and across sectors is the integration of various existing standards into Enterprise Risk Management (ERM) principles and techniques. She remarked, “ERM shines a light on cyber-CIP risks and all other enterprise risks at very high levels of accountability, including the boardroom.”

The hearing, “Enhancing and Implementing the Cybersecurity Elements of the Sector Specific Plans”, was designed to highlight the cyber elements of the plans submitted by the critical infrastructure sectors as required by the National Infrastructure Protection Plan. Although higher education cyber systems are not considered “critical infrastructure” according to the Federal government’s current framework, the U.S. Department of Education has submitted an SSP on behalf of “educational facilities” that references the need to maintain the security of college and university cyber systems. A report issued by the Government Accountability Office concluded that the sector specific plans varied in how comprehensively they addressed the cyber security aspects of their sectors.

E07 Podcast: An Interview with Bruce Schneier

mpasiewicz — Thu, 01 Nov 2007 15:02:49 -0500

The attached recording provides coverage of a 14 minute interview with BT Counterpane's Bruce Schneier. Listen in as he shares some insightful words about privacy along with interesting commentary about ethics, cybersecurity and blogging. Don't forget the video (or audio) of his session in Seattle too.

E07 Podcast: Bruce Schneier on Information Security: Ten Trends

gbayne — Wed, 31 Oct 2007 15:35:49 -0500

In this 43 minute podcast, we feature a keynote speech by Bruce Schneier, author and Chief Technology Officer for BT Counterpane, Inc. This speech was delivered at the EDUCAUSE 2007 Annual Conference in Seattle, Washington on October 26th, 2007. It is entitled "Bruce Schneier on Information Security: Ten Trends".

Surveying current trends in information security, it’s clear that a myriad of forces are at work. But fundamentally, security is all about economics: both attacker and defender are trying to maximize the return on their investments. Economics can both explain why security fails so often and offer new solutions for its success. For example, often the people who could protect a system are not those who suffer the costs of failure. Changing these economic incentives will do more to improve security than will more technology.

Academic Freedom Versus Network Security

drupal — Tue, 30 Oct 2007 13:42:40 -0500

Can too much security be a bad thing? Tighter Air Force policies are conflicting with the Air Force Academy's academic mission. While most colleges are tightening security, we are trying to relax ours. This talk will explain why this struggle will eventually occur at all educational institutions and how we have dealt with it.

GSU's Roadmap for a World-Class Information Security Management System: ISO 27001:2005

drupal — Tue, 30 Oct 2007 13:42:38 -0500

Georgia State University is one of the first universities to embrace the ISO 27001:2005 standard for establishing an information security management system (ISMS). A systematic and disciplined approach helps us leverage technology to develop a world-class ISMS that empowers users and improves processes. This session will discuss the importance of developing a comprehensive, risk-management based information security program.

Information Security: Zero to 60 in 10 Years

drupal — Tue, 30 Oct 2007 13:42:38 -0500

The focus on information security at Embry-Riddle Aeronautical University, as in many institutions, has evolved gradually over a number of years. Beginning with what can best be described as ad hoc initiatives driven by afterthought oversight, the university's focus on information security is maturing into a formalized, integrated business component and directive.

Bruce Schneier on Information Security: Ten Trends - Sponsored by AT&T, An EDUCAUSE Silver Partner

drupal — Tue, 30 Oct 2007 13:42:34 -0500

Security Task Force Open Meeting in Seattle

vvogel — Tue, 16 Oct 2007 17:04:42 -0500

Join us in Seattle at the EDUCAUSE 2007 Security Task Force Open Meeting, October 25, 12:45-2:15 p.m. (Grand Ballroom A, 2nd floor, Sheraton Hotel). You will learn more about the initiatives of the Security Task Force, including progress in strategic areas such as data protection, risk assessment, incident response, and business continuity. Attendees are invited to bring questions and suggestions regarding efforts to improve IT security in higher education. Volunteer opportunities will also be described. Explore other security-related conference sessions at EDUCAUSE 2007.

Please note: There will be NO walk-in registration on site in Seattle.

Congressional Resolution Introduced in Support of National Cyber Security Awareness Month

Rodney — Fri, 12 Oct 2007 17:11:40 -0500

The U.S. House of Representatives has introduced H. Res. 716 "expressing the sense of Congress with respect to raising awareness and enhancing the state of computer security in the United States, and supporting the goals and ideals of National Cyber Security Awareness Month." The resolution was presented by Rep. James R. Langevin (Dem-RI), chair of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee.

While introducing the resolution on the House floor, Rep. Langevin said:

Each year, the National Cyber Security Division, NCSD, of the Department of Homeland Security, DHS, joins with the National Cyber Security Alliance, NCSA, the Multi-State Information Sharing and Analysis Center, MS-ISAC, and other partners to support National Cyber Security Awareness Month. The goal of National Cyber Security Awareness Month is to show everyday Internet users that by taking simple steps, they can safeguard themselves from the latest online threats and respond to potential cyber-crime incidents.

He also commented that cybersecurity issues have been largely ignored and misunderstood for too long. "The oversight that the Homeland Security Committee is undertaking will help change that," he observed, "but much work remains to be done."

National Cyber Security Awareness Month is organized by the National Cyber Security Alliance (www.StaySafeOnline.org) and is supported by the EDUCAUSE/Internet2 Computer and Network Security Task Force. For more information about how educational institutions can get involved, see the Resource Kit for NCSAM developed by the task force.