Challenges and Incidents in Higher Ed

Presenter
• Zach Jansen
• Information Security Officer, Calvin College

About Calvin
• ~4200 Students
  – ~2500 living on campus
• ~350 Faculty
  – 0 living on campus?
• ~700 staff
• Off campus programs in 8 countries

Diverse User Needs
• Academic
• Administrative
• Student / Residential Network

Academic Environment
• Academia
  – Traditionally an open access environment
  – Few restraints or restrictions
  – Infrastructure designed to provide access
  – Faculty, Staff, and Students expect to be able to do whatever they need with their computers

Academic Environment (2)
• Faculty, Staff, and Students are used to being able to:
  – Install software
  – Change/customize settings
  – Use machines for personal use
  – Store personal data on personal machines with an expectation of privacy

Academic Environment Machines
• Many unmanaged machines on the network.
• Received through a grant or donation.
• Often run medical or scientific software.
• Frequently no updates available, or no money for updates.
• Personal machines frequently used.

Academic Environment Problems
• Restrict to least privilege?
• Support for custom web scripts?
• Provide a secure, but open, environment.
• Need to comply with increased regulation, yet still allow an educational environment.
• Large amounts of PII to protect.

Administrative
• The business end of the college.
• Responsible for personal, health, educational, and financial data.
• From an IT perspective, managed very similarly to the academic part of the college.
• Causes problems:
  – Compliance
  – Securing data

Regulations
• FERPA – Family Educational Rights and Privacy Act
• Governs how colleges handle
  – Grades
  – Academic Performance
  – Directory Information
• A “no teeth” regulation
• What happens if you’re in violation?

HIPAA
• Health Services
• Student Health Information
• HIPAA specifically excludes protected health information in “education records”, which is subject to FERPA instead.
PCI, GLBA, etc.
• The list of regulations goes on.
• PCI will continue to become a bigger issue as credit card companies and acquiring banks push it.
• Some schools comply by not processing credit cards.
• GLBA is again partially complied with by complying with FERPA.

Breach Notification Laws
• There are a lot of these.
• Pushing a substantial investment in Information Security.
• Nobody wants to be the next school in the news.

Data Security – SSN
• It’s 3 o’clock, do you know where your SSNs are?
• SSN used as primary identifier by many schools for many years.
• Many states have mandated that the SSN not be used. Big problem for big schools.

Data Security – SSN (2)
• Tons of SSNs
  – Have to collect SSNs for loan processing with the Department of Education.
• Makes for expensive breach notification when they get stolen.

Students / Residential Network
• On campus housing for about 2500 students.
• Resnet needs to provide access to Calvin IT services.
• Also needs to function as an ISP.
• 07-08 is the first year wireless was used more than wired.

Students / Resnet (2)
• For general network health, there is a need to keep virus/malware activity to a minimum.
• Also need to protect academic and administrative areas from student PCs.

Responsible Freedom
• What do you get when you combine the newfound freedom of:
  – Living away from home
  – A brand new computer
  – A super fast internet connection

P2P Issues
• Huge bandwidth consumption
• Bittorrent and IDS sigs.
• DMCA takedown notices
• RIAA/MPAA subpoenas.
• College Opportunity and Affordability Act
  – Forces Higher Ed to offer a legal alternative to P2P and implement network filtering.

Solutions
• Academic
• Administrative
• Students / Residential Network

Policy
• Needs to protect privacy of professors and students.
• Specific category in AUP for personal data.
• IT must have permission of the data owner or 2 VPs to view private data.
• Professors’ data, class/student notes, and research are considered private.
Administrative – SSNs
• Calvin hasn’t used it as primary identifier for over 18 years.
  – I still find them used occasionally.
• Some schools use scanners like Spider to find sensitive data.
  – High false positives, e.g. Japanese telephone numbers.
• Few staff with access to SSNs.
• Data purge plans.

Resnet
• Both wired and wireless options
• Separate VLAN from the rest of campus
  – Some schools use completely separate networks.
• Use Bradford Campus Manager (NAC) to enforce use of AV, firewall, minimum patch level.
  – Exemptions for game consoles, Linux.

P2P Solutions
• Many schools use traffic shaping
  – Packeteer
• Traffic shaping:
  – Worked well for a while
  – Can’t handle encrypted protocols
  – Bandwidth caps instead
• Ruckus
• Not responsible for traffic traversing the network
  – Safe Harbor

P2P Wrapup
• Most schools don’t block P2P usage
  – Has some legitimate uses
  – Pretty hard to block effectively
  – Don’t want to be held liable
  – Academic freedom
• Many restrict its use
  – Bandwidth hog
  – Little to no educational value
• Alternatives.

Administrative Support
• Support of upper management is crucial.
• Calvin is blessed with a VP that understands the need for good InfoSec.

Incidents
• “I can’t think of a more dirty and dangerous network than one on a college campus.” – Colleague at Georgetown

Stallowned! Web site hack
• Fall 2007
• In the spirit of academia, a professor was given permission to write CGI scripts on the web server.
• CGI scripts were vulnerable.
• How did the attacker get root?
• Bad news.

The End
• Time to view the packet capture.
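The false-positive point on the Administrative – SSNs slide, as an added illustration (example code written for this page, not Spider’s or Calvin’s): a scanner that strips separators and greps for nine digits flags Japanese phone numbers and test records, while one that keeps digit boundaries and applies the SSN’s structural rules does not. The sample records are constructed.

```python
import re

# Constructed sample records: one real-looking SSN among phone numbers and test values.
SAMPLE_TEXT = """\
Loan file 2007-A: student SSN 219-09-9999 on record
Tokyo partner office: +81312345678 (fax 03-1234-5678)
Study-abroad contact mobile: 090-1234-5678
Placeholder record: 000-12-3456
Card skim test number: 987-65-4320
"""

# Naive approach: remove separators, then report every run of nine digits.
# Substrings of longer numbers (a 10- or 11-digit phone number) match too.
NINE_DIGITS = re.compile(r"\d{9}")

# Stricter pattern: 3-2-4 groups with a consistent separator (or none),
# not embedded in a longer digit run.
STRICT_SSN = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def scan_naive(text):
    """Return all nine-digit runs after stripping hyphens and spaces."""
    return NINE_DIGITS.findall(re.sub(r"[- ]", "", text))


def plausible_ssn(area, group, serial):
    """Structural rules: area never 000, 666 or 900-999 (987-65-432x is the
    reserved advertising range), group never 00, serial never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_strict(text):
    """Return candidates that match the 3-2-4 shape and pass the structural rules."""
    hits = []
    for m in STRICT_SSN.finditer(text):
        area, _sep, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append(m.group(0))
    return hits


if __name__ == "__main__":
    print("naive :", scan_naive(SAMPLE_TEXT))   # six hits, five of them false positives
    print("strict:", scan_strict(SAMPLE_TEXT))  # ['219-09-9999']
```

The strict scanner still cannot tell an unseparated nine-digit student ID from an SSN, so a review step remains necessary before any purge.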