Security Challenges and Incidents in Higher Education - GR-ISSA

Challenges and Incidents in Higher Ed
About the Presenter
• Zach Jansen
• Information Security Officer, Calvin College
About Calvin
• ~4200 Students
– ~2500 living on campus
• ~350 Faculty
– 0 living on campus?
• ~700 staff
• Off campus programs in 8 countries
Diverse User Needs
• Academic
• Administrative
• Student / Residential Network
Academic Environment
• Academia
– Traditionally an open-access environment
– Few restraints or restrictions
– Infrastructure designed to provide access
– Faculty, staff, and students expect to be able to do whatever they need with their computers
Academic Environment (2)
• Faculty, staff, and students are used to being able to:
– Install software
– Change/customize settings
– Use machines for personal use
– Store personal data on personal machines with an expectation of privacy
Academic Environment Machines
• Many unmanaged machines on the network.
• Received through a grant or donation.
• Often run medical or scientific software.
• Frequently no updates available, or no money for updates.
• Personal machines frequently used.
Academic Environment problems
• Restrict to least privilege?
• Support for custom web scripts?
• Provide a secure, but open, environment.
• Need to comply with increased regulation, yet still allow an educational environment.
• Large amounts of PII to protect.
Administrative
• The business end of the college
• Responsible for personal, health, educational, and financial data
• From an IT perspective, managed very similarly to the academic part of the college.
• Causes problems:
– Compliance
– Securing data
Regulations
• FERPA – Family Educational Rights and Privacy Act
• Governs how colleges handle
– Grades
– Academic Performance
– Directory Information
• A “no teeth” regulation
• What happens if you’re in violation?
HIPAA
• Health Services
• Student Health Information
• HIPAA specifically excludes “education records” subject to FERPA from its definition of protected health information, so those records are governed by FERPA rather than HIPAA.
PCI, GLBA, etc
• The list of regulations goes on.
• PCI will continue to become a bigger issue as credit card companies and acquiring banks push it.
• Some schools comply by not processing credit cards.
• GLBA is again largely satisfied by complying with FERPA: institutions that comply with FERPA are treated as compliant with the GLBA privacy rule, though the GLBA Safeguards Rule for protecting customer financial data still applies.
Breach Notification Laws
• There are a lot of these
• Pushing a substantial investment in information security.
• Nobody wants to be the next school
in the news.
Data Security - SSN
• It’s 3 o’clock, do you know where your SSNs are?
• SSN used as primary identifier by many schools for many years.
• Many states have mandated that the SSN not be used as an identifier. Big problem for big schools.
Data Security – SSN(2)
• Tons of SSN’s
– Have to collect SSNs for loan processing with the Department of Education.
• Makes for expensive breach notification when they get stolen.
Students / Residential Network
• On-campus housing for about 2500 students.
• Resnet needs to provide access to Calvin IT services.
• Also needs to function as an ISP.
• 2007-08 is the first year wireless was used more than wired.
Students / Resnet (2)
• For general network health, there is a need to keep virus/malware activity to a minimum.
• Also need to protect academic and administrative areas from student PCs.
Responsible Freedom
• What do you get when you combine the newfound freedom of:
– Living away from home
– A brand new computer
– A super-fast internet connection
P2P Issues
• Huge bandwidth consumption
• BitTorrent and IDS signatures
• DMCA takedown notices
• RIAA/MPAA subpoenas
• College Opportunity and Affordability Act
– Would force higher ed to offer a legal alternative to P2P and implement network filtering.
Solutions
• Academic
• Administrative
• Students / Residential Network
Policy
• Needs to protect the privacy of professors and students.
• Specific category in the AUP for personal data.
• IT must have permission of the data owner, or of two VPs, to view private data.
• Professors’ data, class/student notes, and research are considered private.
Administrative – SSN’s
• Calvin hasn’t used the SSN as primary identifier for over 18 years.
– I still find them used occasionally.
• Some schools use scanners like Spider to find sensitive data.
– High false-positive rate, e.g. Japanese telephone numbers.
• Few staff with access to SSNs.
• Data purge plans.
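The false-positive problem with scanners like Spider is that the 3-2-4 digit shape alone matches far more than SSNs. Below is an added example, not from the deck and not Spider's code, of a scanner that applies the Social Security Administration's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000; the two publicly advertised never-issued sample-card numbers) to drop the obvious look-alikes before anyone has to review the hits. The spreadsheet-style export it scans is constructed for the example.

```python
import re

# Hyphenated or space-separated 3-2-4 digit pattern. The shape alone matches
# many non-SSN strings (phone numbers, part numbers), hence the filter below.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Numbers the SSA has publicly advertised as never issued (sample-card numbers).
ADVERTISED_INVALID = {"078-05-1120", "219-09-9999"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules every issued SSN satisfies; anything else is a look-alike."""
    a = int(area)
    if a == 0 or a == 666 or 900 <= a <= 999:
        return False
    if group == "00" or serial == "0000":
        return False
    if f"{area}-{group}-{serial}" in ADVERTISED_INVALID:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return candidate SSNs (normalised to hyphens) that pass the structural filter."""
    hits = []
    for m in SSN_SHAPE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_lines(lines):
    """Yield (line_number, ssn) per hit, the way a file scanner would report them."""
    for n, line in enumerate(lines, 1):
        for ssn in find_ssns(line):
            yield n, ssn


# Constructed sample export: two structurally valid SSNs plus look-alikes that
# a shape-only regex would flag as hits.
SAMPLE = """\
student,id,notes
J. Doe,123-45-6789,loan file
R. Roe,555 44 3333,old record
phone,000-12-3456,area 000 never issued
phone,666-12-3456,area 666 never issued
phone,987-65-4321,area 900-999 never issued
part,123-00-4567,group 00 never issued
part,123-45-0000,serial 0000 never issued
sample card,078-05-1120,advertised example number
order,12345-67-8901,too many digits on the left
"""

if __name__ == "__main__":
    for lineno, ssn in scan_lines(SAMPLE.splitlines()):
        print(f"line {lineno}: {ssn}")
```

The structural filter only removes numbers that cannot be SSNs; a hit that passes it still needs a human or a second signal (a column header, a nearby name) before it is treated as a confirmed exposure, and a purge plan for whatever is confirmed.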
Resnet
• Both wired and wireless option
• Separate VLAN from the rest of campus
– Some schools use completely separate networks.
• Use Bradford Campus Manager (NAC) to enforce use of AV, a firewall, and a minimum patch level.
– Exemptions for game consoles and Linux.
P2P Solutions
• Many schools use traffic shaping (e.g. Packeteer)
• Traffic shaping:
– Worked well for a while
– Can’t classify encrypted protocols
– Per-user bandwidth caps used instead
• Legal alternative: Ruckus
• Safe harbor: the school is not responsible for traffic merely traversing its network.
P2P Wrapup
• Most schools don’t block p2p usage
– Has some legitimate uses
– Pretty hard to block effectively
– Don’t want to be held liable
– Academic freedom.
• Many restrict its use
– Bandwidth hog
– Little to no educational value.
• Alternatives.
Administrative Support
• Support of upper management is crucial.
• Calvin is blessed with a VP that understands the need for good InfoSec.
Incidents
• “I can’t think of a more dirty and dangerous network than one on a college campus.” – Colleague at Georgetown
Stallowned!
Web site hack
• Fall 2007
• In the spirit of academia, a professor was given permission to write CGI scripts on the web server.
• CGI scripts were vulnerable.
• How did the attacker get root?
• Bad news.
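The deck does not say what was wrong with the professor's scripts. As an added illustration, not the professor's code and not the actual flaw, here is the classic CGI mistake of splicing a query parameter into a shell command, beside a hardened version. The hypothetical script serves a course handout by name; the handout directory and the injected parameter are constructed for the example. Getting from the web server account to root is a further step the slide leaves open.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical "show a course handout" CGI: the handout name arrives as a
# query parameter and the script cats the file out of a handouts directory.

# Allow-list: a filename with no separators, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_handout(base: Path, name: str) -> str:
    """Shell-built command with the untrusted name pasted in: command injection."""
    cmd = f"cat {base}/{name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_handout(base: Path, name: str) -> str:
    """Allow-list the name, pin the path under base, and never go through a shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid handout name")
    target = (base / name).resolve()
    if target.parent != base.resolve():  # defeats ../ and symlink escapes
        raise ValueError("path escapes handout directory")
    if not target.is_file():
        raise FileNotFoundError(name)
    # argv list with shell=False: the name is one argument, never parsed as a command
    return subprocess.run(["cat", str(target)], capture_output=True,
                          text=True, check=True).stdout


def demo() -> dict:
    """Run both handlers against a benign name and injected ones in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "syllabus.txt").write_text("week 1: intro\n")
        injected = "syllabus.txt; echo INJECTED"  # constructed attacker input
        results = {
            "vuln_benign": vulnerable_handout(base, "syllabus.txt"),
            "vuln_injected": vulnerable_handout(base, injected),
            "hard_benign": hardened_handout(base, "syllabus.txt"),
        }
        for bad in (injected, "../etc/passwd", "a/b"):
            try:
                hardened_handout(base, bad)
                results[f"hard:{bad}"] = "accepted"
            except ValueError:
                results[f"hard:{bad}"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The injected name runs `echo INJECTED` as a second command in the vulnerable handler because the shell, not the script, parses the line; the hardened handler rejects it before anything executes, and because it passes an argv list rather than a string there is no shell to parse metacharacters even if the allow-list were loosened.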
The End
• Time to view the packet capture.