INFORMATION SECURITY AT YOUR SCHOOL

Jennifer M. Rous
Education
Roanoke College, BS Computer Info Systems
Johns Hopkins University, MBA and MSc IT
1st job in independent school environment
Other industry experience in investment banking, consulting to corporate and government agencies, law firm
Since 2001 served as CIO, act as CISO
Community/Board involvement - 2 CIO councils, Executive Women's Roundtable, DHHS Advisory Board, Emerging Technology Center (incubator for tech startups) Board

What is the Cloud?
From Wikipedia

SaaS - Software as a Service
Delivery of applications over the Internet. These applications are accessible through a web browser and managed by the vendor remotely. Depending on the vendor and type of product, there are likely similar customization and configuration options as are available in on-premises software.

PaaS - Platform as a Service
Programming platform and tools, as a service. Allows consumer developers, including both corporate application developers as well as independent software vendors, to build and deploy applications using the platform, without worrying about the management of the underlying infrastructure, including networks, servers, storage, and other services.

IaaS (eye-as) - Infrastructure as a Service
Availability of raw computing resources like processing power, storage, etc. over the Internet. IaaS offers users control over operating system and network components (like firewall, storage, etc.) while taking care of the underlying hardware and in some cases the network.

What’s what?

Level Set Activity (1)
What types of content do you have?
Where is it and how is it accessed?
Are you using cloud services?
What legal requirements exist for the content?

Level Set Activity (2)
Who is in charge of information security?
Do you have a formal plan in place?
Does it involve policies? What kind?
How and by whom are the policies enforced?
Do you have an awareness program?

Now we know…
What we mean by “Cloud”
What kinds of data we have
Where our data is located

What else is relevant?
Concept of perimeter security
Legal requirements

The Perimeter is Gone
Traditional information security was managed at the perimeter - close all the doors and windows and put a big guard at the gate.
Today the perimeter is squishy: wireless access points and phones create a ubiquitous, unsecured mesh of connectivity with no protection against dangers.

Protect the Data
All data is not equal.
Need to consider each data set independently or as groups and determine how to protect each set.
Allocate resources to protect your most sensitive or critical data.

Know the Law
People have an expectation of protection & privacy.
Some laws:
In the US, the FTC is conducting investigations into privacy violations (by specific developers as well as companies like Apple, Microsoft and Google) and the FBI has dedicated massive resources to cyber crimes.
Many European countries have laws in place related to data protection.
UK Data Protection Act - a law designed to protect personal data stored on computers or in an organized paper filing system.
EU considering proposal to govern personal data that resides in more than one EU Member State. http://ec.europa.eu/justice/newsroom/dataprotection/news/130206_en.htm
Know which laws/regulations apply to your country & school as well as expat faculty, staff, students.

Current Dangers
What are some key current dangers?

Key Current Dangers
Malware/Viruses/Spyware
Hacking
Phishing/Spoofing
Consumer Services

Current Dangers
From: https://dm.pwc.com/HMG2013BreachesSurvey/, filtered for Education

For those thinking, these things can’t happen at my school…
Reality is schools may be easier and more desirable targets than you think.
Hackers know there's valuable info there and it’s probably easier to crack security than other places.

Key Current Dangers
Malware/Viruses/Spyware
Coming from anywhere including email, USB devices, social networks, cloud services
Speed increasing
Zero day exploits
Human compulsion

April 12, 2012
Housatonic Community College, Bridgeport, CT
Two campus computers were determined to have been infected by malware. The breach occurred when a faculty or staff member opened an email that contained a virus. The virus was immediately detected. Students, faculty and staff affiliated with the school between the early 1990s and the day of the breach may have had their names, social security numbers, dates of birth and addresses exposed. Housatonic's president acknowledged that the cost of handling the breach could be as much as $500,000.
Number of records breached: 876,667
Key point: effectiveness of email virus attack.

Key Current Dangers
Hacking - school environment requires hard look at external and internal hack possibilities
Wireless and wired attacks
Celebrity status
Students
Hacktivism

Sept. 1, 2011
Birdville, Haltom City, TX
Two students may face criminal charges for hacking into the Birdville School District's network server and accessing a file with student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.
Number of records breached: 14,500
Key point: student perpetrated.

August 15, 2012
Saudi Aramco Companies, Saudi Arabia
Significant use of malware in a politically motivated hacktivist attack that resulted in widespread infection by a malicious virus that wiped out email and data for many parts of the company, including the pre-K-9 schools (about 2600 students).
Number of computers breached: 30,000
Key point: cannot combat hacktivism, especially when you’re not exactly the target.

May 3, 2012
University of Pittsburgh, Pittsburgh, PA
Hackers associating themselves with Anonymous claimed to have obtained the private information of University of Pittsburgh students and alumni. The hackers threatened to release the information publicly unless the university apologized to students, law enforcement and professors. Student passwords, dorm information, payment and credit card information, parent information, coursework and grades as well as alumni information may have been exposed.
Number of records breached: unknown
Key point: cannot combat hacktivism.

Key Current Dangers
Phishing and spoofing
Phishing is a message sent to prompt action from the recipient. Once the recipient responds, the hacker can gain control of their machine or collect info about them.
Spoofing is the act of sending a message that looks like it came from a specific sender but, in reality, was not sent by that sender.
Often targeting identity theft or extortion.

February, 2011
International School of Stavanger, Hafrsfjord, Norway
Internet pirates extorted money via phishing and spoofing from international teaching candidates applying for positions.
Dr. Linda M. Duevel, Director of the school, wrote an interesting piece on their experience: http://www.internationalschoolsreview.com/nonmembers/internat_scams.htm
Key point: phishing and spoofing attacks can be surprisingly effective.

Key Current Dangers
System Issues
Misconfigurations
Failure

Feb. 15, 2012
University of North Carolina at Charlotte, Charlotte, NC
An online security breach was discovered on Jan. 31.
Around 350,000 people had their social security numbers exposed. Financial information was also exposed. A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the university to be accessible from the Internet. One exposure issue affected general university systems over a period of about three months. A second exposure issue affected the college of engineering systems for more than a decade.
Number of records disclosed: 350,000
Key point: system misconfigurations can go unnoticed for long periods.

September, 2013
Los Angeles, California
LAUSD deploying 35k iPads to students in 47 schools ($30M)
300 students altered device configuration to opt out of MDM software (which eliminated Apple Global HTTP Proxy) and were able to bypass policies and freely access Internet resources
Key point: multiple security issues can be damaging (system misconfiguration and hacking).
http://www.cio.com/article/740746/What_s_Behind_the_iPad_Hack_at_Los_Angeles_High_Schools_?source=CIONLE_nlt_insider_2013-10-03

Key Current Dangers
Application services
Consumer apps used by individuals but not vetted by school
Vulnerability of all companies

Potential Impact of Current Dangers
Loss of critical and/or confidential data
Loss of operations
Legal issues
Identity theft
Brand damage

So, what do we do?
Come back for Part 2!

“In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”
Theodore Roosevelt

Part 2
Practical Approaches for Your School

The Details
Cloud Considerations
Policies & Procedures
Breach Response
Vetting Vendors

Cloud Considerations
Economics
With no capital expenses and reduced operating expenses, cloud computing can save significant money on IT costs but not always.
Scalability and Elasticity
Cloud Computing is infinitely scalable and offers an easy way to scale up and scale down based on demand.
Make sure your contract says you can.
Trade-off is vendor lock-in so need exit strategy.
Make sure contract says you own your content.
Remember the difference between uptime and availability.

Cloud Considerations
Ubiquitous Access
Theoretically offers device, location and time independence.
Idea that you can use the system 24x7 from anywhere you can find an Internet connection.
Additional protection from lost productivity related to physical disaster or snow day.
How reliable is remote connectivity for your constituents?

Cloud Considerations
Security
Use of the cloud does not change a school’s privacy and data security obligations or create a defense that the service provider (not the school) committed the violation.
At the same time, a school must rely in some cases almost entirely on a cloud provider for the school’s compliance with applicable law.
Identify which privacy and data security obligations apply to the IT function moving to the cloud.
Obtain sufficient contractual guarantees to assure compliance.

Discussion: Cloud Considerations
What cloud services are you using or considering?
What are your key considerations for deploying services to the cloud?
What will you do if your cloud service is down for an extended period of time?

Policies & Procedures
Audiences
Staff, Students, Parents
Types
Acceptable Use, Access, Password, Reporting Violations, Data Encryption, Confidentiality
Resources
Educause: http://www.educause.edu/search/apachesolr_search/policies
Washington University in St Louis: http://wustl.edu/policies/infosecurity.html

Policies & Procedures
What purpose is this policy meant to serve?
Am I ticking a box, or is it adding real value?
Have I aligned my policy with any subsequent awareness training I might deliver?
Have I aligned my policy to the objectives of the school?
Is there a regulatory and/or statutory basis to the policy, or is it more guidance on good practice?
Who is my audience for this policy?
What is the absolute minimum information they need to have?
What are the key messages that I want them to retain?
What is the best format for my audience to receive this information?

Discussion: Policies & Procedures
What policies do you have?
What policies do you need to develop?
What procedures are associated with the policies?
Who manages the policies & procedures?
Do you audit?

Breach Response
In US, breach notification is a state law – resulting in varying requirements.
Need to determine what you would say in the event of a breach and to whom (including method of notification).
Need to understand if there are any legal requirements that prevail.

Discussion: Breach Response
What constitutes a breach?
What are your legal obligations to notify?
What are your ethical requirements to notify?
Who must you notify?
How timely must you notify?

Vetting Vendors
Build provisions into contracts, including restitution, termination for cause
Consider including right to terminate if company bought by another
Understand:
How would you get your data back if your vendor relationship changes (change vendor, vendor goes out of business, etc.)?
How would you ensure that all copies maintained by vendor are appropriately destroyed?
Where does the vendor store your data?

Vetting Cloud Vendors
How do I move my apps to the cloud?
How are my apps and data protected from other users on the same cloud servers?
Can I see your data center?
Are they certified and willing to share details of certifications with you?
How do they keep critical security settings, virus definitions, and security patches up to date?
Do they conduct periodic test restores of your backups to make sure the data is not corrupt and could be restored in the event of a disaster?
Are they willing to provide you with written network documentation detailing what software licenses you have, critical network passwords, and hardware information?
Do they consistently (and proactively) offer new ways to improve your network’s performance, or do they wait until you have a problem to make recommendations?
Do you know, up front, what the costs and charges will actually be? Cloud is not always cheaper!
Do they provide detailed invoices that clearly explain what you are paying for?
Do they explain what they are doing and answer your questions in terms that you can understand?
Do they have a proven track record of completing projects on time and on budget?
Do they offer any guarantees on their services? Uptime versus availability. 99.9% uptime is 8.76 hours of downtime per year. Is the guarantee enforceable?
How do they share information about your account internally?
Do they offer flat-rate or fixed-fee project quotes, or not to exceed provisions?
Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored? What if it leaves the EU or specific country?
Do they offer 2 factor authentication for any cloud services?
How do you audit access to my data?
How will I be notified and compensated if my data is breached?

Discussion: Vetting Vendors
How do you evaluate vendors?
What specific information security questions should be assessed?
What would prevent you from selecting a vendor?

Getting Started
The Ongoing Conversation
Current State Assessment
Information Security Plan Framework

The Ongoing Conversation
At least annually with your Head and Board:
What data do we have and where is it?
How do/should we move data to and from the cloud?
How does/should our school use virtual classrooms?
What consumer services are we using?
Are we satisfied with how our cloud vendor protects our data?
Have we considered cyber liability insurance?

Assess Current State
Document Current State
Research Laws/Requirements
Conduct Gap Analysis
Tools
http://www.educause.edu/library/resources/information-security-program-assessment-tool

Framework for Security Plan
Create a task force that includes school administration, business office, IT, teacher, student and legal representatives
Define key areas of risk
Define school risk tolerance posture for each area of risk
Define cost and scope (order of magnitude) to remediate the risk
Map it out
Conduct vendor due diligence
Allocate resources to address
Develop applicable policies
Renegotiate vendor arrangements and terms as needed
Build in opportunities to revisit areas of risk as landscape changes
Communicate the plan and test it regularly
See http://www.educause.edu/ for resources and checklists.

Thank you!
Any questions, please contact me @ jmrous@gmail.com

SOME ADDITIONAL THOUGHTS…

Intellectual Property
Who owns what?
An employer owns copyrights created by its employees within the scope of their employment. It is often unclear, however, whether a teacher (or the employer school) owns the original teaching materials that he or she has created. Although creating such materials is related to one’s employment, teachers are sometimes viewed as hired to teach, not to create course materials. Moreover, under a loose “academic exception” that is not reflected in statutory copyright law but is sometimes referred to in case law, teachers often understand or believe that such materials are owned by them and thus can be used freely as they move from school to school. (The academic exception is stronger in higher education than K-12; the policies of most institutions of higher learning allow ownership of such materials by the educator.)
Do you limit access to virtual classrooms only to those participating in the class?
Do you limit the extent to which students can copy or extract other's work from the virtual classroom?
Are you using a school computer to generate or edit the info? Then the IP is probably the school's!

BYOD
Do you have a policy that everyone knows about and signs off on before they are granted access to school resources?
Have you limited exposure to the business/administrative side of the network?
Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored?
Do you make it clear to your user community that you reserve the right to govern your data which may allow you access to their personal data on a device?
Have you clearly defined what happens when an employee or student leaves the school? How? Are you sure? What about content? What about device based licenses? Will you keep the content? For how long?
Can you restrict access on the network to control bandwidth per application?