The Costs of Preventing Breaches in
Higher Ed
Tammy Clark, CISO, Georgia State University
Introducing…
I was a very persistent Hacker Whacker—Doing battle
with Hackers in the early years of our information
security program. It was a thankless job, but someone
had to do it…
Key Topics For Today’s Discussion





Today’s Threat Landscape
Breaches and Root Causes
What Seems to Be the Problem Here?!
What Drives Change in Higher Ed?
Can We Use Technology, Processes, and People Effectively to
Assist with Breach Prevention?
 The ‘Nitty-Gritty’ About Our Information Security Programs
 Summary of Key Points
 Join in On the Fun With Questions or Comments
Today’s Threat Landscape
 What are the prevalent threats we’re seeing out there
that affect our end users?
 Lots of spear phishing
 Infected websites
 Social Engineering, Scams, Organized Crime
 Our IT orgs are dealing with increasingly sophisticated
malware, SSH attacks and OS/APP vulnerabilities. New
exploits continue to be developed at a dizzying pace
and our vendors can’t seem to keep up!
Breaches and Root Causes

Educational Security Incidents (ESI) reports that in 2008:
 173 separate incidents were reported
 24.5% increase over 2007
 Primary Reasons:
 Unauthorized Disclosure - 75
 Theft - 40
 Unauthorized Access/Penetration – 35

Additionally, Privacy Rights Clearinghouse reports that so far in 2009, 38
colleges have reported incidents out of 196 total incidents reported…

Of these, 17 were due to theft; 11 to unauthorized access/penetration,
and 10 were the result of unauthorized disclosure
What Seems to Be the Problem Here!?


Lack of standardization/plans, policies and standards
Challenges in data classification and risk management



Incorrectly configured/secured devices, apps and Web sites
Inadequate perimeter protection
Lack of advanced intrusion detection & analysis skills


Inadequate endpoint protection
Lack of encryption


Open ended culture
Security ‘un-aware’ users—no ‘skin in the game’ or circumventing controls
What Drives Change in Higher Ed?

Let’s face it--data breaches (either our own or a neighboring institution)

Compliance: PCI, FERPA, HIPAA, GLBA, Red Flags, DMCA

Research grants that require minimum levels of security or compliance with
FISMA or ISO 27001/2





Budget cuts
Audits
Emergency management
Risk management
University president’s/provost’s priorities
Can We Use Technology to Assist with Preventing
Breaches?
 Network intrusion prevention, intrusion detection, firewalls,
AV and anti-spam gateways, et al)
 Endpoint security tools and suites (AV, anti-spyware, antimalware, host firewalls/IPS, NAC, etc)
 Encryption
 Vulnerability assessments
 Governance, risk and compliance
 Data loss prevention
 Identity access management
 Security information and event management
 The list goes on…and on
 Bottom Line---$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Is Process Development Important as Well?
 YES! Why?
 Myriad of compliance requirements
 Standards (ISO, FISMA, COBIT, ITIL) and standardization (yes!
in higher ed.)
 Get rid of confidential data we don’t need or require!
 Data classification and risk management
 Audits/corrective & preventive measures
 Physical & logical controls to integrate into IT/business
processes
 3rd parties processing or storing our data
 Contracts with customers on campus to manage their
critical systems and data with central IT/Sec organizations
And What About the People?!
 Authority (must) = Accountability (the golden rule)
 Make IT system/data protection everyone’s job!
 Responsible for compliance – in some cases,
personal liability
 Data cleanup parties including non-electronic
formats
 Security reviews and mandated controls for
systems processing confidential data (require
encryption, not running P2P apps, etc.)
 Lots and lots of security awareness training!
Higher Ed Information Security
Programs—The ‘Nitty-Gritty’
 Reactive
 Proactive
 Predictive
Reactive







People – Depend on ‘security unaware’ end users and (often) a
cheerleader ISO!
Process – Too busy chasing the threats and incidents!
Technology – Protecting either the outside perimeter or
workstations/servers (AV, firewalls)
$$$ Investment in breach prevention - Low
Aftermath of a potential breach – High impact
Information security program maturity index – 1 or 2 on the CMMI
Largest impacts to information security programs in reactive
mode - Lots of unfunded mandates, inadequate resources and
funding, threat of penalties/lawsuits due to noncompliance and lack of
due diligence, difficulty detecting and responding to security incidents,
increased reputational risk, high risk of widespread malware outbreaks
and data breaches
Proactive







People – Emphasis on securing adequate resources
Process – Huge investment in process development and awareness
training
Technology – Implement defense in depth architecture
$$$ Investment in breach prevention – Very high
Aftermath of a potential breach – Medium impact
Information security program maturity index – 3 or 4 on the CMMI
Largest impacts to information security programs in proactive
stage/mode – Heavy infrastructure costs; resource intensive activities;
paradigm shifts towards incorporating standards and regulatory
guidance; increased standardization, risk management, and attention
to building out a fully functional information security program; heavy
reliance by the IT org. on the information security dept. staff to protect
institutional data/IT resources
Predictive







People – Emphasis on integrating information security throughout the IT org
and university
Process – Continuing investment; increased emphasis on security awareness
education and training
Technology –Emphasis on optimizing technology investment
$$$ investment in breach prevention –Spread and streamline costs as IS
integrates throughout the IT org and campus
Aftermath of a potential breach – Low impact
Information security program maturity index – 4 or 5 on the CMMI
Largest impacts to information security programs in predictive
stage/mode – no information security silos, information security is integrated
into every facet of the institution, data protection is everyone’s responsibility,
authority=accountability, dedicated staff focus on core IS duties
Case Study—Infosec@Ga State Univ
 2000-2003: Reactive Mode
 2004-2009: Proactive Mode
 2010: Moving into Predictive Mode
Infosec@Ga State Univ
 The early years—reactive mode
 One dedicated information security staff member—
CISO
 Tiny budget for information security--$40k first year
to buy tools, equipment, training
 75% of CISO time – incident response
 Widespread malware outbreaks occurred 3-4 times
 Primary tech solutions—IDS at perimeter;
AV/firewalls on desktops & servers
 Very little process development
Infosec@Ga State Univ
 Ramping up the information security program—
moving into proactive mode









Additional staff members to specialize in various areas of infosec
(technical, people and process)
Large budget increase to accommodate program initiatives (over $200k
per year)
Over 75% CISO time spent on policy/process development and security
awareness training
25% staff time on incident response
No widespread malware outbreaks
Tech solutions emphasized defense in depth
Security incident reductions of over 98%
Huge emphasis on governance, risk and compliance
Achieved ISO 27001 certification for 2 areas of univ.
Infosec@Ga State Univ
 Shifting gears into predictive mode






Significant re-org. of IT/security resulted in security ops & engineering
moving into IT org. and CISO, and one dedicated staff member
maintaining the Infosec Office at GSU
Authority=Accountability, as system owners and data stewards are
accountable for security
Information security budget pieces devoted to solutions/engineering
and operations moved to those particular IT groups
Security architecture is being ramped up to incorporate integrated
vendor solutions that offer predictive capabilities, as well as heavy
automation to facilitate ops (infancy stage)
Over 85% CISO time spent on policy/process development and security
awareness training
25% staff time on incident investigations; 75% risk mgt., sec. reviews,
vuln. assessments, forensics
Summary of Key Points







Threats continue to heavily target end users
Human errors account for over 70% of data breaches that occur
Information security staffs should not be held accountable for protecting
institutional assets and data
Information security needs to be integrated throughout our IT organizations
and campuses
In order to mature and ensure continuous improvement, information
security programs must be adequately funded and ramped up in terms of
people, process and technology
Effective policies, processes, guidelines and security training/education
must be emphasized and funded in terms of $$ and resources
Building a solid community of ‘security aware’ users represents both our
greatest challenge and our best defense against data breaches!
Questions?
 Contact Tammy Clark at tlclark@gsu.edu, 404 413 4509
Copyright Tammy L. Clark, Oct 2009.. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.