Mark S. Bruhn

Chief IT Security and Policy OfficerIndiana University

Some material based on presentations prepared by Mark Bruhn and Michael A. McRobbie (IU VP/CIO)

IT Security

Copyright Indiana University 2002. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the person named as presenter above. To disseminate otherwise or to republish requires written permission from the person named as presenter above.

Preliminary StatementIn a perfect world, we shouldn’t have to restrict

activities on the Internet or on our campuses. But, in that same perfect world, we wouldn’t need bank guards or FBI agents; many of us doing work in areas related to operational assurance have other interests and would be happy doing something else. But, in the real world, we have to take reasonable steps to protect the interests of our institutions and our constituents.

Presentation Overview

VERY Brief Intro to Risk and Goal-Oriented Security

Them versus Us: The ThreatUs versus Us: Fertile Ground

Us versus Them: Losing Battle?

Handling Risk

• Assign (insurance)

• Mitigate (controls)

• Accept (gamble)

After risks are quantified or qualified, formally or informally, develop a response strategy based on goals and targets, not on presumptions of security requirements.

Do we have to secure our campuses like Ft. Knox to be successful?

The goal must be to minimize and mitigate risk. Attempting to eliminate risk will result in not only dramatic failure, but also in loss of critical credibility and momentum.

Fertile Ground

Typical University IT and Data Environments

• Large (often huge) number of networked devices• Very high-speed, high-capacity networks • Very diverse hardware and software set• Experimentation with new software• Physical security varies widely• Usually no device registration requirements• Usually no network user authentication • Sometimes no service user authentication

Typical University IT and Data Environments

• Independent departments• Independent researchers• Under-paid, under-trained, over-worked technicians• Inadequate or nonexistent security offices• Few IS/IT auditors on staff• No central data management structure• Thousands of people accessing or deriving data• No data extract and dissemination limits• Minimal training on data handling/protection

Wasting “Power of Many”?

Communities are not collectively:• Putting pressure on vendors• Putting pressure on governments

• Avoiding use of products with bad security record, and which cost much more in time and money to manage

• IU Faculty Research Information Database (1997)

• IU Office of the Bursar (2001)• IU School of Music (2001)• University of Michigan patient records.• University of Washington patient records.• UC Berkeley systems used against commercial

sites• Stolen passwords at Berkeley, UCLA, Harvard • Purdue University password files• Georgia Tech, Notre Dame, Indiana State• Many others not publicized.

Should it Take an Incident to Wake Us Up?

Awareness at the Top

• Typically executive management and

governing boards in universities are not

aware of these problems, which have the

potential to be very damaging to a university

both in reputation and potential liability

The Threat

Easier to Crack/Hack• Veterans are “publishing” code for neophyte crackers• Operating system and application APIs • Complicated operating systems and software• Automated vulnerability probes• Cracker resources• “Script kiddies”

• Cracking for profit• Cracking for political reasons• Cracking as part of cyberwarfare• Cracking as part of criminal enterprise

Intrusion Consequences

• Unauthorized access to data• Installation of malicious code• Stashing illegal materials• Consumption of network resources• Loss of machine cycles• Inappropriate use of public resources• Defacement for political reasons• Distributed Denial of Service Attacks• Attacks waged on other enterprises • Decreased reputation of Higher Education

community

Actors

• National Security Threats• Info Warrior – Reduce U.S. Decision Space, Strategic Advantage,

Chaos, Target Damage• National Intelligence – Information for Political, Military, Economic

Advantage

• Shared Threats• Terrorist – Visibility, Publicity, Chaos, Political Change• Industrial Espionage - Competitive Advantage, Intimidation• Organized Crime – Revenge, Retribution, Financial Gain,

Institutional Change

• Local Threats• Institutional Hacker – Monetary Gain, Thrill, Challenge, Prestige• Recreational Hacker – Thrill, Challenge

Copyright 2000 by E. H. Spafford

Greatest Danger?

• Probes by automated programs

• Every Internet-connected device probed periodically

• Probes lead to compromise of poorly maintained devices

• Vulnerabilities discovered within hours

• Data on vulnerable devices is exposed

Us Versus Them

Institutional Recognition

Higher education institutions must recognize

that information technology is engrained in

ALL academic and administrative activities,

and that poor system, network, and data

security WILL have a direct and costly impact

on the mission.

It must be about “Institutional Risk”, not about technology…

• Reputation of higher education• Reputation of specific institutions• Harm to individuals• Loss of intellectual property• Premature disclosure of research results• Potential violation of government statutes • Waste of publicly-funded resources

• Contribution to vulnerability of national IT infrastructure

Institutional Attention

IT Leadership must help executive colleagues:• Understand that information assets are as critical

as capital and human resources• Understand the risks to the institution• Place visible and vocal priority on systems and

data protection• Ensure that IT security is included in calculation of

costs of activities • Ensure that technicians are trained, capable, and

have the time to secure systems

Inetd

Rpc.statd

Apache “chunking”

Uuencode

Telnet

Sendmail

IIS

CIO

PresidentsProvostsDeansTrusteesRegentsEtc.

• Recognition of authority by governing board(s)• Directive from President and/or Provost• Subsequent directives from the IT leadership• Formal partnership between IT leadership and office of

risk management and internal/external audit• Presentations by IT leadership to executive and other

high level administrators • Engage distributed technical managers and technicians• Develop FREE technician orientation and training

program• Develop Best Practices documents• Develop network isolation strategy

Critical Local Activities

Other Required Involvement• Policy officers

• IT policy officers

• Counsel

• Risk managers

• Auditors

• Student affairs officers

• Human resources officers

• EDUCAUSE/Internet2 Computer and Network Security Task Force

• Information Technology Critical Infrastructure in Higher Education: A Framework For Action

• Recognition by Federal government of critical educational sector

• National Strategy To Secure Cyberspace • Research and Educational Networking Information

Analysis and Sharing Center• Higher Education Information Analysis and Sharing

Center

New Supporting Activities