The Threat from Within

Anne Oribello
Brown University
The Threat from Within
• Problems:
– departments want to compete with peers at
other schools to incorporate technology into
their programs
– vendors add web based front ends and insist
users move to that platform for software
Threat from Within (cont.)
– Faculty read about a new technology and obtain
it through grant monies or donation
– business units within the university want to be
more accessible by putting data on the Internet
• How many of these activities are being done
• Lack of adequate training for some
• Reliance on vendors to properly configure
• Pressure to roll out a system by a deadline
• Lack of funding by departments for security
Issues (cont.)
• Lack of understanding of risks and issues by
decision makers
• Security had been viewed as an impediment
to work
• Culture of open access
• Lack of sufficient security staff
• Establish realistic policies/guidelines
• Educate the user community on evolving
• Scan servers
• Perform security reviews
Establish Policies/Guidelines
• Get support from key players
• Establish incentives to conform
– offer centralized services to reduce their work
– establish user groups to develop (human)
• Create viable alternative for violators
• Be specific in definition of conformity
• Document dissemination effort
Educate Community
• Face-to-face training for staff
• Technical updates for decision makers
• Articles in faculty/staff newsletter
• Listserv mailings
(BBoards seem to have lost “favor”)
Scan Servers
• Schedule can depend on criticality of server
– Internet Security Scanner
– hacker tools (e.g. NMAP)
• Isolate moving targets (i.e. students)
Perform Security Reviews
• Offer as a service BEFORE they have an
• Examine data security in entirety
(electronic, printed data, physical)
• Ensure that comments aren’t surprises
• Allow responses from department
• Follow up on progress
The Threat from Within
• Make security support a service
• Give end users the knowledge to have a
secure system
• Begin to change attitudes
• If all else fails, tell them how much it will
cost if there is a breach (time, research
effort, reputation, money)
Helpful URLs
• (WIN environment)