
eb1d05f2febf762bda7c05fdf3922ffe.ppt
- Number of slides: 54
NERCOMP 2003 Annual Conference
Higher Education Contribution to the National Strategy to Secure Cyberspace
H. Morrow Long, Director, Information Security Office, ITS, Yale University
Copyright Statement
Copyright Educause/Internet2 Security Task Force 2003. This work is the intellectual property of the Educause/Internet2 Security Task Force. Permission is granted for this material to be shared for noncommercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the Educause/Internet2 Security Task Force.
NERCOMP Annual Conference: Higher Education Contribution to the National Strategy to Secure Cyberspace
- History: Information Security Problems in Higher Ed
- Background: The Internet 1988-1998
- Recent Events and Case Studies
- Educause Information Security Activities
- Working Group 2000-2002
- Educause/I2 Security Task Force 2002
- NSF Sponsored Workshops 2002
- National Strategy To Secure Cyberspace
- AN-MSI
- Educause Information Security Initiatives in 2003
- REN-ISAC
Internet Security History & HE IT
- 1986 – Major NSF funding for national backbone & regional supercomputer centers
- 1988 – Robert Morris & the Internet Worm
- 1988 – Creation of CERT at CMU
- 1989 – The Cornell Commission report
- 1989 – Clifford Stoll’s The Cuckoo’s Egg
- 1991 – CIX, commercial use, & Gopher
Internet History, cont’d
- 1993 – Mosaic browser released by UIUC
- 1993-4 – ISP sniffing attacks (PANIX, NearNet)
- 1994-5 – Kevin Mitnick demos TCP hijacking
- 1995 – National backbone privatized
- 1995 – SATAN released by Farmer & Venema
- 1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks
- 1996 – Internet2 consortium formed
2000-2001 Academic InfoSec
- Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
- June – SANS Top Ten list released.
- June-July – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server.
- Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records.
- March – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.
Higher Education Computer Security 2000-2003
- Hacker Steals Personal Data on Foreign Students at U. of Kansas (Chronicle of Higher Education, 1/24/2003)
- UMBC students’ data put on Web in error (Baltimore Sun, 12/7/2002)
- Why Was Princeton Snooping in Yale’s Web Site? (Chronicle of Higher Education, 8/9/2002)
- Delaware Student Allegedly Changed Her Grades Online (Chronicle of Higher Education, 8/2/2002)
. . . 2000-2003
- Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges (Chronicle of Higher Education, 6/20/2002)
- Hacker exposes financial information at Georgia Tech (ComputerWorld, 3/18/2002)
- College Reveals Students’ Social Security Numbers (Chronicle of Higher Education, 2/22/2002)
- Hackers Use University’s Mail Server to Send Pornographic Messages (Chronicle of Higher Education, 8/10/2001)
. . . 2000-2003
- Review to ensure University of Montana Web security (Montana Kaimin, 11/14/2001)
- ‘Code Red’ Worms Linger (Chronicle of Higher Education, 9/14/2001)
- Students Fault Indiana for Delay in Telling Them About Stolen Files (Chronicle of Higher Education, 3/16/2001)
. . . 2000-2003
- [UWashington] Hospital records hacked hard (SecurityFocus.com, 7/12/2000)
- 3 Universities in California Find Themselves Linked to Hacker Attacks (Chronicle of Higher Education, 2/25/2000)
- Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses (Chronicle of Higher Education, 3/13/1998)
- UT Austin: 55,000 SSNs and Personal Records ‘data mined’ by intruder
- Princeton University:
2001-2003 Worms
- 2001: CodeRed, CodeRed II, NIMDA worms
- 2002: “Slapper” (A/B/C) Apache OpenSSL worm
- 2003: SQL Slammer / Sapphire worm
The Current Situation
- The Internet is a world-wide, increasingly mission-critical infrastructure
- Internet’s underlying structure, protocols, & governance are still primarily open
- Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
- Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
- Many college & university networks are insecure
Information Security in HE
- Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
- Smaller institutions: dearth of tech skills
- Dorm networking: little adult supervision
- Too few security experts; weak tools; most institutions have no InfoSec office.
- Few policies regarding systems security
Information Security in US HE
- 3500+ Colleges and Universities
- > 1000 Community colleges
- < 100 major research universities
- 125+ University Medical Schools
- 400 Teaching Hospitals
- 150+ Institutional members of Internet2
Targets of Opportunity on US HE Computer Networks
- Sensitive Data
  - Credit Card #s, ACH (NACHA) bank #s
  - patient records (SSN)
  - student records (SSN)
  - institution financial records
  - investment records
  - donor records
  - research data
Why US HE Computer Networks are attractive targets
- Platforms for launching attacks
  - Wired dorms (insecure Linux PCs, PC Trojans)
  - High bandwidth Internet (Fractional T3, T3+)
  - High computing capacity (scientific computing clusters, even web servers, etc.)
  - “Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
  - Trust relationships between departments at various Universities for research (e.g. Physics)
  - Univ research lab computers are often insecure and unmanaged.
Unique Challenges to implementing Information Security in Higher Ed
- Academic “Culture” and tradition of open and free networking
- Lack of control over users
- Decentralization (no mainframe anymore)
- Lack of financial resources
- Creative Network Anarchy – anyone can attach anything to the network
- IT has not always been central to institutional mission; changing attitudes and getting “buy in” requires politics and leadership.
What should US HE IT be doing W.R.T. Information Security
- Investigating network security methods.
- Investigating strong authentication methods (e.g. smart cards, tokens).
- Evaluating “best practices” in:
  - Higher Education
  - Corporations
  - Government
  - Military
- Developing common recommended policies.
Trends in Academic InfoSec
- E-Commerce sites threaten litigation against future DDoS sites. Liability for negligence?
- Insurance companies begin to rewrite liability policies, separate ‘cyber’ policies to require info security vulnerability assessments & changes.
- Funding agencies to require firewalls, security?
- HIPAA is a “forcing function” in academic Medical Centers.
- FERPA, COPPA, DMCA, Privacy legislation.
- If HE InfoSec doesn’t improve, will more federal legislation be far behind?
InfoSec Trends Elsewhere
- Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites.
- Information security at State gov. agencies and municipal governments is a mixed bag.
- Outside the US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not.
InfoSec Trends Elsewhere
- .MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).
- .GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies.
InfoSec Trends Elsewhere
- .COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art.
- Insurance/auditors requiring security assessments for policies.
- BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
- CISSP / CISA / SANS GIAC / Vendor (Microsoft/Cisco/Checkpoint) certifications of Information Security personnel
Corporate InfoSec Trends (relatively rare in US HE)
- Firewalls, proxies, user access control
- Network monitoring, bandwidth management
- Extensive logging, logfile analysis
- IDS – Intrusion Detection Systems
- VPNs (Virtual Private Networks)
  - PPTP, L2TP, IPSEC
- Strong Authentication – PKI, Smartcards
- Vulnerability scanning (internal, external)
- Change Control / Management
- Managed Security Services (e.g. outsourced)
Why should higher ed care?
- Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission
- Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity
- Education and Training
  - Centers of Academic Excellence
  - Professional Training and Certification
- Research and Development
  - Cyberinfrastructure
  - Basic and Applied Research
- Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk
“Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.”
GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Security Task Force
- Formed Summer 2000
  - Respond to charges that higher education is lax and dangerous
  - Threat of blunt-edged regulations
- Co-chairs, Steering Committee
- Web page, Listservs, Conferences
- Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th
- Executive Order 13231 – October 2001. Created the President’s Critical Infrastructure Protection Board (PCIPB)
- Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. (USA PATRIOT Act)
EDUCAUSE/I2 Security TF Initiatives
- Education/Awareness – Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
- “Best” Practices Security Recommendations – Booklet to be published with Security Policies, Assessment, chapters, etc.
- Assembling resources/licensing tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
- Federal (NSF) grant proposal funded meetings in 2002. Reports.
- REN-ISAC – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
- National Strategy to Secure Cyberspace Higher Ed Contribution – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
- Letter on Cybersecurity to University Presidents – http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
- Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards). E.g. w/HE IT Alliance, “A Framework for Action” April 2002
EDUCAUSE/I2 Security TF Initiatives
- Education/Awareness – Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
EDUCAUSE/I2 Security TF Initiatives
- “Best” Practices Security Recommendations – Booklet to be published with Security Policies, Assessment, chapters, etc.
EDUCAUSE/I2 Security TF Initiatives
- Assembling resources/licensing tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
EDUCAUSE/I2 Security TF Initiatives
- Federal (NSF) grant proposal funded meetings in 2002. Reports on findings.
NSF Workshops
- A More Complete Response to National Strategy
  - Experts on academic values
  - Experts on practices and policies
  - Research scientists who use the networks
  - Summit including all stakeholders
- Foundation for Future Activities
Guiding Principles
- Civility and Community
- Academic and Intellectual Freedom
- Privacy and Confidentiality
- Equity, Diversity, and Access
- Fairness and Process
- Ethics, Integrity, and Responsibility
Action Agenda
1. Identify Responsibilities for IT security, Establish Authority, and Hold Accountable
2. Designate an IT Security Officer
3. Conduct Institutional Risk Assessments
4. Increase Awareness and Provide Training to Users and IT staff
5. Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d)
6. Require Secure Products From Vendors
7. Establish Collaboration and Information Sharing Mechanisms
8. Design, Develop, and Deploy Secure Communication and Information Systems
9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.
10. Invest in Staff and Tools
EDUCAUSE/I2 Security TF Initiatives
- REN-ISAC – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
EDUCAUSE/I2 Security TF Initiatives
- National Strategy to Secure Cyberspace Higher Ed Contribution – http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
National Strategy to Secure Cyberspace
- Draft announced September 18. See www.securecyberspace.gov
  - Includes higher ed contribution
- National, not a government, strategy
  - Secure your own piece of cyberspace
  - Market driven, not regulatory
  - Best practice, information sharing
- Final Strategy Release – TBD
Higher Education Contribution
- Higher Education Interests:
  - Teach security
  - Invent technology
  - Powerful networks and computers
- Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002). See www.educause.edu/security/national-strategy
- Framework for Action (April 2002). See security.internet2.edu/ActionStatement.pdf
EDUCAUSE/I2 Security TF Initiatives
- Letter on Cybersecurity to University Presidents – http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
What Every President Must Do
- Ensure the confidentiality, integrity, and availability of University assets and information
- Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact
- Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions
Security: Negative Deliverable
“Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.”
Jeffrey I. Schiller, MIT’s Security Architect
EDUCAUSE/I2 Security TF Initiatives
- Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards). E.g. w/HE IT Alliance, “A Framework for Action” April 2002
Framework for Action
- Make IT Security a higher and more visible priority in higher education
- Do a better job with existing security tools, including revision of institutional policies
- Design, develop and deploy improved security for future research and education networks
- Raise the level of security collaboration among higher education, industry and government
- Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
EDUCAUSE/I2 Security TF Initiatives
- “Standards.” (A poem)
  Standards are good. Standards are true.
  There are many to choose from.
  If you don’t pick a standard, one will be chosen for you.
How You Can Participate
- Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors -- even CIOs!
- Meetings, email, website (one going up), white papers <http://www.educause.edu/security>
- Security Professionals Workshop (SPW) 4/21-22 2003, Pechanga Resort & Casino
- Regional Educause Conferences (such as this one).
- Educause 2003 Annual Conference Information Security related Track, November 4-7, 2003, Anaheim, CA, http://www.educause.edu/conference/annual/2003/
Security Professionals Workshop (SPW)
EDUCAUSE/Internet2 Security Task Force 1st Annual Higher Ed Security Professionals Workshop
Pechanga Resort and Casino, Temecula CA, April 22-23, 2003 (1.5 days)
Preceding the 1st Annual Secure-IT Conference sponsored by California State University at San Bernardino
Registration: $100 ($125 after 3/24)
Audience: CISOs, IT Security and Policy Directors and Officers, Network Security Engineers and System Administrators.
SPW Agenda
- Keynote: Information Assurance and IT Security Professionals in Higher Education
- Session: A 10-Step Approach to Developing an Information Security Program
- Session: Creating a Security Architecture
- Session: Using Open Source Tools
- Session: Creating an Incident Response Team
- Session: Best Practices for User Education
- BOFs (Birds of a Feather Sessions)
- Keynote: Legal Issues in Computer and Network Security
- Session: Security Policies and Procedures Panel
- Session: "Ask the Experts" Panel
Security Task Force Conference
EDUCAUSE/Internet2 Security Task Force 1st Annual Higher Ed Security Professionals Workshop
Questions?
Security Task Force Resources
- EDUCAUSE/Internet2 Security Working Group (http://www.educause.edu/security/)
- 1st Annual Higher Ed Security Professionals Workshop, Pechanga Resort and Casino, Temecula CA, April 22-23, 2003, http://www.educause.edu/conference/security/2003/
- Contact Info: Security-Task-Force@educause.edu, 202.872.4200