Info Security at your school
INFORMATION SECURITY
AT YOUR SCHOOL
Jennifer M. Rous
Education
Roanoke College, BS Computer Info Systems
Johns Hopkins University, MBA and MSc IT
1st job in independent school environment
Other industry experience in investment banking,
consulting to corporate and government agencies,
law firm
Since 2001 served as CIO, act as CISO
Community/Board involvement - 2 CIO councils,
Executive Women's Roundtable, DHHS Advisory Board,
Emerging Technology Center (incubator for tech startups) Board
What is the Cloud?
From Wikipedia
What is the Cloud?
SaaS - Software as a Service
Delivery of applications over the Internet.
These applications are accessible through a web
browser and managed by the vendor remotely.
Depending on the vendor and type of product,
there are likely similar customization and
configuration options as are available in on
premises software.
What is the Cloud?
PaaS - Platform as a Service
Programming platform and tools, as a service.
Allows consumer developers, including both
corporate application developers as well as
independent software vendors, to build and
deploy applications using the platform, without
worrying about the management of the
underlying infrastructure, including networks,
servers, storage, and other services.
What is the Cloud?
IaaS (eye-as) - Infrastructure as a Service
Availability of raw computing resources like
processing power, storage, etc. over the Internet.
IaaS offers users control over operating system
and network components (like firewall, storage,
etc.) while taking care of the underlying hardware
and in some cases the network.
What’s what?
Level Set Activity (1)
What types of content do you have?
Where is it and how is it accessed?
Are you using cloud services?
What legal requirements exist for the content?
Level Set Activity (2)
Who is in charge of information security?
Do you have a formal plan in place?
Does it involve policies? What kind?
How and by whom are the policies enforced?
Do you have an awareness program?
Now we know…
What we mean by “Cloud”
What kinds of data we have
Where our data is located
What else is relevant?
Concept of perimeter security
Legal requirements
The Perimeter is Gone
Traditional information security was
managed at the perimeter - close all
the doors and windows and put a big
guard at the gate.
Today the perimeter is squishy - wireless access points and phones
create a ubiquitous, unsecured mesh
of connectivity with no protection
against dangers.
Protect the Data
All data is not equal.
Need to consider each data set
independently or as groups and determine
how to protect each set.
Allocate resources to protect your most
sensitive or critical data.
Know the Law
People have an expectation of protection & privacy.
Some laws:
In US, FTC is conducting investigations into privacy violations (by
specific developers as well as companies like Apple, Microsoft and
Google) and the FBI has dedicated massive resources to cyber crimes.
Many European countries have laws in place related to data
protection
UK Data Protection Act - a law designed to protect personal data stored on
computers or in an organized paper filing system.
EU considering proposal to govern personal data that resides in more
than one EU Member State.
http://ec.europa.eu/justice/newsroom/dataprotection/news/130206_en.htm
Know which laws/regulations apply to your country & school
as well as expat faculty, staff, students
Current Dangers
What are some key current dangers?
Key Current Dangers
Malware/Viruses/Spyware
Hacking
Phishing/Spoofing
Consumer Services
Current Dangers
From: https://dm.pwc.com/HMG2013BreachesSurvey/, filtered for Education
For those thinking, these things
can’t happen at my school…
Reality is schools may be easier and more
desirable targets than you think
Hackers know there's valuable info there and
it’s probably easier to crack security than
other places
Key Current dangers
Malware/Viruses/Spyware
Coming from anywhere including email, USB
devices, social networks, cloud services
Speed increasing
Zero day exploits
Human compulsion
April 12, 2012
Housatonic Community College, Bridgeport, CT
Two campus computers were determined to have been
infected by malware. The breach occurred when a faculty or
staff member opened an email that contained a virus. The
virus was immediately detected. Students, faculty and staff
affiliated with the school between the early 1990's and the
day of the breach may have had their names, social security
numbers, dates of birth and addresses exposed.
Housatonic's president acknowledged that the cost of
handling the breach could be as much as $500,000.
Number of records breached: 876,667
Key point: effectiveness of email virus attack.
Key Current Dangers
Hacking - school environment requires hard
look at external and internal hack possibilities
Wireless and wired attacks
Celebrity status
Students
Hacktivism
Sept. 1, 2011
Birdville, Haltom City, TX
Two students may face criminal charges for hacking into
the Birdville School District's network server and accessing
a file with student names and Social Security numbers. The
students are a high school junior and a senior. Students
who attended during the 2008-2009 school year may have
been affected.
Number of records breached: 14,500
Key point: student perpetrated.
August 15, 2012
Saudi Aramco Companies, Saudi Arabia
Significant use of malware in a politically motivated
hacktivist attack that resulted in widespread infection by
a malicious virus that wiped out email and data for many
parts of the company, including the pre-K-9 schools (about
2600 students).
Number of computers breached: 30,000
Key point: cannot combat hacktivism, especially when
you’re not exactly the target.
May 3, 2012
University of Pittsburgh, Pittsburgh, PA
Hackers associating themselves with Anonymous claimed
to have obtained the private information of University of
Pittsburgh students and alumni. The hackers threatened to
release the information publicly unless the university
apologized to students, law enforcement and professors.
Student passwords, dorm information, payment and credit
card information, parent information, coursework and
grades as well as alumni information may have been
exposed.
Number of records breached: unknown
Key point: cannot combat hacktivism.
Key Current Dangers
Phishing and spoofing
Phishing is a message sent to prompt action from
the recipient. Once recipient responds, hacker can
gain control of their machine or collect info about
them.
Spoofing is the act of sending a message that
looks like it came from a specific sender but, in
reality, was not sent by that sender.
Often targeting identity theft or extortion.
February, 2011
International School of Stavanger, Hafrsfjord, Norway
Internet pirates extorted money via phishing and spoofing
from international teaching candidates applying for
positions.
Dr. Linda M. Duevel, Director of the school, wrote an interesting
piece on their experience:
http://www.internationalschoolsreview.com/nonmembers/internat_scams.htm
Key point: phishing and spoofing attacks can be
surprisingly effective.
Key Current Dangers
System Issues
Misconfigurations
Failure
Feb. 15, 2012
University of North Carolina at Charlotte, Charlotte, NC
An online security breach was discovered on Jan. 31.
Around 350,000 people had their social security numbers
exposed. Financial information was also exposed. A system
misconfiguration and incorrect access settings caused a
large amount of electronic data hosted by the university to
be accessible from the Internet. One exposure issue
affected general university systems over a period of about
three months. A second exposure issue affected the college
of engineering systems for more than a decade.
Number of records disclosed: 350,000
Key point: system misconfigurations can go unnoticed
for long periods.
September, 2013
Los Angeles, California
LAUSD deploying 35k iPads to students in 47 schools ($30M)
300 students altered device configuration to opt out of MDM
software (which eliminated Apple Global HTTP Proxy) and
were able to bypass policies and freely access Internet
resources
Key point: multiple security issues can be damaging
(system misconfiguration and hacking).
http://www.cio.com/article/740746/What_s_Behind_the_iPad_Hack_at_Los_Angeles_High_Schools_?source=CIONLE_nlt_insider_2013-10-03
Key Current Dangers
Application services
Consumer apps used by individuals but not vetted
by school
Vulnerability of all companies
Potential Impact of Current Dangers
Loss of critical and/or confidential data
Loss of operations
Legal issues
Identity theft
Brand damage
So, what do we do?
Come back for Part 2!
“In any moment of decision,
the best thing you can do is the right thing,
the next best thing is the wrong thing, and
the worst thing you can do is nothing.”
Theodore Roosevelt
Part 2
Practical Approaches
for Your School
The Details
Cloud Considerations
Policies & Procedures
Breach Response
Vetting Vendors
Cloud Considerations
Economics
With no capital expenses and reduced operating expenses,
cloud computing can save significant money on IT costs but
not always.
Scalability and Elasticity
Cloud Computing is infinitely scalable and offers an easy
way to scale up and scale down based on demand.
Make sure your contract says you can.
Trade-off is vendor lock-in so need exit strategy.
Make sure contract says you own your content.
Remember the difference between uptime and
availability.
Cloud Considerations
Ubiquitous Access
Theoretically offers device, location and time
independence.
Idea that you can use the system 24x7 from anywhere you
can find an Internet connection.
Additional protection from lost productivity related to
physical disaster or snow day.
How reliable is remote connectivity for your
constituents?
Cloud Considerations
Security
Use of the cloud does not change a school’s privacy
and data security obligations or create a defense that
the service provider (not the school) committed the
violation.
At the same time, a school must rely in some cases
almost entirely on a cloud provider for the school’s
compliance with applicable law.
Identify which privacy and data security obligations
apply to the IT function moving to the cloud.
Obtain sufficient contractual guarantees to assure
compliance.
Discussion:
Cloud Considerations
What cloud services are you using or
considering?
What are your key considerations for
deploying services to the cloud?
What will you do if your cloud service is
down for an extended period of time?
Policies & Procedures
Audiences
Staff, Students, Parents
Types
Acceptable Use, Access, Password, Reporting
Violations, Data Encryption, Confidentiality
Resources
Educause:
http://www.educause.edu/search/apachesolr_search/policies
Washington University in St Louis:
http://wustl.edu/policies/infosecurity.html
Policies & Procedures
What purpose is this policy meant to serve? Am I ticking a
box, or is it adding real value?
Have I aligned my policy with any subsequent awareness
training I might deliver?
Have I aligned my policy to the objectives of the school?
Is there a regulatory and/or statutory basis to the policy,
or is it more guidance on good practice?
Who is my audience for this policy?
What is the absolute minimum information they need to
have? What are the key messages that I want them to
retain?
What is the best format for my audience to receive this
information?
Discussion:
Policies & Procedures
What policies do you have?
What policies do you need to develop?
What procedures are associated with the
policies?
Who manages the policies & procedures?
Do you audit?
Breach Response
In US, breach notification is a state law –
resulting in varying requirements.
Need to determine what you would say in the
event of a breach and to whom (including
method of notification).
Need to understand if there are any legal
requirements that prevail.
Discussion:
Breach Response
What constitutes a breach?
What are your legal obligations to notify?
What are your ethical requirements to notify?
Who must you notify?
How timely must you notify?
Vetting Vendors
Build provisions into contracts, including
restitution, termination for cause
Consider including right to terminate if
company bought by another
Understand:
How you would get your data back if your vendor
relationship changes (change vendor, vendor goes out
of business, etc.)
How you would ensure that all copies maintained by
the vendor are appropriately destroyed
Where the vendor stores your data
Vetting Cloud Vendors
How do I move my apps to the cloud?
How are my apps and data protected from other users on the same cloud servers?
Can I see your data center? Are they certified and willing to share details of certifications with you?
How do they keep critical security settings, virus definitions, and security patches up to date?
Do they conduct periodic test restores of your backups to make sure the data is not corrupt and could be restored in the
event of a disaster?
Are they willing to provide you with written network documentation detailing what software licenses you have, critical
network passwords, and hardware information?
Do they consistently (and proactively) offer new ways to improve your network’s performance, or do they wait until you
have a problem to make recommendations?
Do you know, up front, what the costs and charges will actually be? Cloud is not always cheaper!
Do they provide detailed invoices that clearly explain what you are paying for?
Do they explain what they are doing and answer your questions in terms that you can understand?
Do they have a proven track record of completing projects on time and on budget?
Do they offer any guarantees on their services? Uptime versus availability. 99.9% uptime is 8.76 hours of downtime per
year. Is the guarantee enforceable?
How do they share information about your account internally?
Do they offer flat-rate or fixed-fee project quotes, or not-to-exceed provisions?
Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored?
What if it leaves the EU or specific country?
Do they offer two-factor authentication for any cloud services?
How do you audit access to my data?
How will I be notified and compensated if my data is breached?
Discussion:
Vetting Vendors
How do you evaluate vendors?
What specific information security questions
should be assessed?
What would prevent you from selecting a
vendor?
Getting Started
The Ongoing Conversation
Current State Assessment
Information Security Plan Framework
The Ongoing Conversation
At least annually with your Head and Board:
What data do we have and where is it?
How do/should we move data to and from the
cloud?
How does/should our school use virtual
classrooms?
What consumer services are we using?
Are we satisfied with how our cloud vendor
protects our data?
Have we considered cyber liability insurance?
Assess Current State
Document Current State
Research Laws/Requirements
Conduct Gap Analysis
Tools
http://www.educause.edu/library/resources/information-security-program-assessment-tool
Framework for Security Plan
Create a task force that includes school administration, business
office, IT, teacher, student and legal representatives
Define key areas of risk
Define school risk tolerance posture for each area of risk
Define cost and scope (order of magnitude) to remediate the risk
Map it out
Conduct vendor due diligence
Allocate resources to address
Develop applicable policies
Renegotiate vendor arrangements and terms as needed
Build in opportunities to revisit areas of risk as landscape changes
Communicate the plan and test it regularly
See http://www.educause.edu/ for resources and checklists.
Thank you!
Any questions, please contact me
@ [email protected]
SOME ADDITIONAL THOUGHTS…
Intellectual Property
Who owns what?
An employer owns copyrights created by its employees within the scope of their
employment. It is often unclear, however, whether a teacher (or the employer
school) owns the original teaching materials that he or she has created.
Although creating such materials is related to one’s employment, teachers are
sometimes viewed as hired to teach, not to create course materials. Moreover,
under a loose “academic exception” that is not reflected in statutory copyright
law but is sometimes referred to in case law, teachers often understand or
believe that such materials are owned by them and thus can be used freely as
they move from school to school. (The academic exception is stronger in higher
education than K-12; the policies of most institutions of higher learning allow
ownership of such materials by the educator.)
Do you limit access to virtual classrooms only to those participating in the class?
Do you limit the extent to which students can copy or extract others' work from
the virtual classroom?
Are you using a school computer to generate or edit the info? Then the IP is
probably the school's!
BYOD
Do you have a policy that everyone knows about and signs off on before
they are granted access to school resources?
Have you limited exposure to the business/administrative side of the
network?
Do you maintain ownership of the data, regardless of where it travels, how it
gets there, or on what device it is stored?
Do you make it clear to your user community that you reserve the right to
govern your data which may allow you access to their personal data on a
device?
Have you clearly defined what happens when an employee or student leaves
the school?
How?
Are you sure?
What about content?
What about device based licenses?
Will you keep the content? For how long?
Can you restrict access on the network to control bandwidth per
application?