Implementing Information Security and Compliance

Information Security in Higher Education Today
Current Threats
Higher Ed. Challenges
Solutions and Best Practices
Lewis Watkins, CISO
lwatkins@utsystem.edu

The Good News and Bad News
Some Facts from the U. S. Secret Service and Verizon 2010 Breach Report
• 98% of exposed data came from servers.
  - Make sure servers are professionally managed.
• 85% of attacks were not complex.
• 96% of breaches were avoidable using simple controls.
  - Security requires operational excellence!
• 61% were discovered by a third party.
• 86% of breached organizations had evidence in their log files.
  - Organizations have inadequate monitoring.

Current Threats
The future is already here – it's just not very evenly distributed.
William Gibson

Gartner 2006 Prediction
Today’s Threats!
1. Attacks come 24/7 from anywhere in the world.
2. Unprotected computers are 100% assured of being compromised.
3. Attacks are much more sophisticated than just a year ago, and the motives are much more sinister.
4. Most owners of compromised computers have no knowledge that they have a problem.
5. Primary attackers of concern:
   1. Organized, professional crime organizations
   2. Nation States
   3. Quasi-political/terrorist organizations

Most Common Exposures within the UT System
1. Lost/Stolen Computers (that aren’t encrypted)
2. Paper Documents (old documents)
3. Business Partners (mistakes, contract violations, employees)
4. Insecure Applications (It’s not the network)
5. Breached Electronic Files (Forgotten files)
6. Employee Errors
7. Employee Misconduct

“Oh Toto, I don’t think we are in Kansas anymore!”
• State of Virginia medical data held for ransom
• San Francisco network held hostage
• Slacker harms University of Utah by PHI exposure
• Stuxnet – worm targets Iran nuclear program
• “Here you Have” virus (zero day)
• UNC Professor fighting termination because of exposure of 100,000 patient records
• Drive-by malware – mostly unseen
• Bots, Bots, Bots – Attacking others

Higher Ed. Challenges
Five Challenges of Higher Education Security
• The Complexity Problem:
  - Universities are very complex.
  - Information Security is complex.
  - Security touches every operational aspect of the university.
• The Scope Problem:
  - Risks span the entire organization – and beyond.
• The Quality Problem:
  - Small errors can result in large security vulnerabilities that result in breaches.

The Location Problem
We place data everywhere now….
• USB Drives
• iPhone / Blackberry / Android / Smart Phones
• Netbooks / Laptops / Desktops / iPads
• Departmental Servers
• Central IT Servers
• Virtual Servers
• Consolidated Data Centers / Shared Services
• Outsourcers / Business Partners
• The “Cloud”: Private Clouds / Public Clouds / Unsanctioned Clouds
• Other: Embedded Systems / Auto Systems (Nav & GPS)

Compliance Obligations
Information Security Compliance includes these and other regulations:
• FERPA (1974)
• PCI-DSS (2004)
• HIPAA (1996)
• TAC 202 (1994)
• GLB (1999)
• HITECH
• FISMA (2002)
Including….
- TX Bus. & Com. Code Ch. 521
- E-Discovery
- Red Flag
- Business Associate Agreements

Worker Economic Stress
Fewer Workers to perform needed tasks.
Workers working under greater stress and fear.

Solutions and Best Practices

There are Solutions!
1. Make sure Data Owners are trained and engaged.
2. Take Inventory (as part of risk assessment process)
   • Devices on your network
   • Applications
   • Data stores
3. Eliminate Unnecessary Data.
4. Make sure your security personnel have visibility into the environment.
5. Make sure your Information Security Officer has access to Executive management.

Cloud Computing
Unmanaged cloud computing poses risk to University data.
Well-managed cloud computing holds promise of improved information security.

Implement and Track Best Practice Strategies

Questions?
Lewis Watkins, CISSP
Chief Information Security Officer
lwatkins@utsystem.edu
(512) 499-4540