Info Security at your school

INFORMATION SECURITY
AT YOUR SCHOOL
Jennifer M. Rous
 Education
 Roanoke College, BS Computer Info Systems
 Johns Hopkins University, MBA and MSc IT
 1st job in independent school environment
 Other industry experience in investment banking,
consulting to corporate and government agencies,
law firm
 Since 2001 served as CIO, act as CISO
 Community/Board involvement - 2 CIO councils,
Executive Women's Roundtable, DHHS Advisory Board,
Emerging Technology Center (incubator for tech startups) Board
What is the Cloud?
From Wikipedia
What is the Cloud?
 SaaS - Software as a Service
 Delivery of applications over the Internet.
 These applications are accessible through a web
browser and managed by the vendor remotely.
 Depending on the vendor and type of product,
there are likely similar customization and
configuration options as are available in on
premises software.
What is the Cloud?
 PaaS - Platform as a Service
 Programming platform and tools, as a service.
 Allows consumer developers, including both
corporate application developers as well as
independent software vendors, to build and
deploy applications using the platform, without
worrying about the management of the
underlying infrastructure, including networks,
servers, storage, and other services.
What is the Cloud?
 IaaS (eye-as) - Infrastructure as a Service
 Availability of raw computing resources like
processing power, storage, etc. over the Internet.
 IaaS offers users control over operating system
and network components (like firewall, storage,
etc.) while taking care of the underlying hardware
and in some cases the network.
What’s what?
Level Set Activity (1)
 What types of content do you have?
 Where is it and how is it accessed?
 Are you using cloud services?
 What legal requirements exist for the content?
Level Set Activity (2)
 Who is in charge of information security?
 Do you have a formal plan in place?
 Does it involve policies? What kind?
 How and by whom are the policies enforced?
 Do you have an awareness program?
Now we know…
 What we mean by “Cloud”
 What kinds of data we have
 Where our data is located
 What else is relevant?
 Concept of perimeter security
 Legal requirements
The Perimeter is Gone
Traditional information security was
managed at the perimeter - close all
the doors and windows and put a big
guard at the gate.
Today the perimeter is squishy - wireless access points and phones
create a ubiquitous, unsecured mesh
of connectivity with no protection
against dangers.
Protect the Data
 All data is not equal.
 Need to consider each data set
independently or as groups and determine
how to protect each set.
 Allocate resources to protect your most
sensitive or critical data.
Know the Law
People have an expectation of protection & privacy.
 Some laws:
 In US, FTC is conducting investigations into privacy violations (by
specific developers as well as companies like Apple, Microsoft and
Google) and the FBI has dedicated massive resources to cyber crimes.
 Many European countries have laws in place related to data
protection
 UK Data Protection Act - a law designed to protect personal data stored on
computers or in an organized paper filing system.
 EU considering proposal to govern personal data that resides in more
than one EU Member State.
 http://ec.europa.eu/justice/newsroom/dataprotection/news/130206_en.htm
 Know which laws/regulations apply to your country & school
as well as expat faculty, staff, students
Current Dangers
What are some key current dangers?
Key Current Dangers
 Malware/Viruses/Spyware
 Hacking
 Phishing/Spoofing
 Consumer Services
Current Dangers
From: https://dm.pwc.com/HMG2013BreachesSurvey/, filtered for Education
For those thinking, these things
can’t happen at my school…
 Reality is schools may be easier and more
desirable targets than you think
 Hackers know there's valuable info there and
it’s probably easier to crack security than
other places
Key Current dangers
 Malware/Viruses/Spyware
 Coming from anywhere including email, USB
devices, social networks, cloud services
 Speed increasing
 Zero day exploits
 Human compulsion
 April 12, 2012
 Housatonic Community College, Bridgeport, CT
 Two campus computers were determined to have been
infected by malware. The breach occurred when a faculty or
staff member opened an email that contained a virus. The
virus was immediately detected. Students, faculty and staff
affiliated with the school between the early 1990's and the
day of the breach may have had their names, social security
numbers, dates of birth and addresses exposed.
Housatonic's president acknowledged that the cost of
handling the breach could be as much as $500,000.
 Number of records breached: 876,667
 Key point: effectiveness of email virus attack.
Key Current Dangers
 Hacking - school environment requires hard
look at external and internal hack possibilities
 Wireless and wired attacks
 Celebrity status
 Students
 Hacktivism
 Sept. 1, 2011
 Birdville, Haltom City, TX
 Two students may face criminal charges for hacking into
the Birdville School District's network server and accessing
a file with student names and Social Security numbers. The
students are a high school junior and a senior. Students
who attended during the 2008-2009 school year may have
been affected.
 Number of records breached: 14,500
 Key point: student perpetrated.
 August 15, 2012
 Saudi Aramco Companies, Saudi Arabia
 Significant use of malware in a politically motivated
hacktivist attack that resulted in widespread infection by
malicious virus that wiped out email and data for many
parts of the company, including the pre-K-9 schools (about
2600 students).
 Number of computers breached: 30,000
 Key point: cannot combat hacktivism, especially when
you’re not exactly the target.
 May 3, 2012
 University of Pittsburgh, Pittsburgh, PA
 Hackers associating themselves with Anonymous claimed
to have obtained the private information of University of
Pittsburgh students and alumni. The hackers threatened to
release the information publicly unless the university
apologized to students, law enforcement and professors.
Student passwords, dorm information, payment and credit
card information, parent information, coursework and
grades as well as alumni information may have been
exposed.
 Number of records breached: unknown
 Key point: cannot combat hacktivism.
Key Current Dangers
 Phishing and spoofing
 Phishing is a message sent to prompt action from
the recipient. Once recipient responds, hacker can
gain control of their machine or collect info about
them.
 Spoofing is the act of sending a message that
looks like it came from a specific sender but, in
reality, was not sent by that sender.
 Often targeting identity theft or extortion.
 February, 2011
 International School of Stavanger, Hafrsfjord, Norway
 Internet pirates extorted money via phishing and spoofing
from international teaching candidates applying for
positions.
 Dr. Linda M. Duevel, Director of school wrote interesting
piece on their experience:
 http://www.internationalschoolsreview.com/nonmembers/internat_scams.htm
 Key point: phishing and spoofing attacks can be
surprisingly effective.
Key Current Dangers
 System Issues
 Misconfigurations
 Failure
 Feb. 15, 2012
 University of North Carolina at Charlotte, Charlotte, NC
 An online security breach was discovered on Jan. 31.
Around 350,000 people had their social security numbers
exposed. Financial information was also exposed. A system
misconfiguration and incorrect access settings caused a
large amount of electronic data hosted by the university to
be accessible from the Internet. One exposure issue
affected general university systems over a period of about
three months. A second exposure issue affected the college
of engineering systems for more than a decade.
 Number of records disclosed: 350,000
 Key point: system misconfigurations can go unnoticed
for long periods.
 September, 2013
 Los Angeles, California
 LAUSD deploying 35k iPads to students in 47 schools ($30M)
 300 students altered device configuration to opt out of MDM
software (which eliminated Apple Global HTTP Proxy) and
were able to bypass policies and freely access Internet
resources
 Key point: multiple security issues can be damaging
(system misconfiguration and hacking).

http://www.cio.com/article/740746/What_s_Behind_the_iPad_Hack_at_Los_Angeles_High_Schools_?source=CIONLE_nlt_insider_2013-10-03
Key Current Dangers
 Application services
 Consumer apps used by individuals but not vetted
by school
 Vulnerability of all companies
Potential Impact of Current Dangers
 Loss of critical and/or confidential data
 Loss of operations
 Legal issues
 Identity theft
 Brand damage
So, what do we do?
Come back for Part 2!
“In any moment of decision,
the best thing you can do is the right thing,
the next best thing is the wrong thing, and
the worst thing you can do is nothing.”
 Theodore Roosevelt
Part 2
Practical Approaches
for Your School
The Details
 Cloud Considerations
 Policies & Procedures
 Breach Response
 Vetting Vendors
Cloud Considerations
 Economics
With no capital expenses and reduced operating expenses,
cloud computing can save significant money on IT costs but
not always.
 Scalability and Elasticity
Cloud Computing is infinitely scalable and offers an easy
way to scale up and scale down based on demand.
 Make sure your contract says you can.
 Trade-off is vendor lock-in so need exit strategy.
 Make sure contract says you own your content.
 Remember the difference between uptime and
availability.
Cloud Considerations
 Ubiquitous Access
 Theoretically offers device, location and time
independence.
 Idea that you can use the system 24x7 from anywhere you
can find an Internet connection.
 Additional protection from lost productivity related to
physical disaster or snow day.
 How reliable is remote connectivity for your
constituents?
Cloud Considerations
 Security
 Use of the cloud does not change a school’s privacy
and data security obligations or create a defense that
the service provider (not the school) committed the
violation.
 At the same time, a school must rely in some cases
almost entirely on a cloud provider for the school’s
compliance with applicable law.
 Identify which privacy and data security obligations
apply to the IT function moving to the cloud.
 Obtain sufficient contractual guarantees to assure
compliance.
Discussion:
Cloud Considerations
 What cloud services are you using or
considering?
 What are your key considerations for
deploying services to the cloud?
 What will you do if your cloud service is
down for an extended period of time?
Policies & Procedures
 Audiences
 Staff, Students, Parents
 Types
 Acceptable Use, Access, Password, Reporting
Violations, Data Encryption, Confidentiality
 Resources
 Educause:
http://www.educause.edu/search/apachesolr_search/policies
 Washington University in St Louis:
http://wustl.edu/policies/infosecurity.html
Policies & Procedures
 What purpose is this policy meant to serve? Am I ticking a
box, or is it adding real value?
 Have I aligned my policy with any subsequent awareness
training I might deliver?
 Have I aligned my policy to the objectives of the school?
 Is there a regulatory and/or statutory basis to the policy,
or is it more guidance on good practice?
 Who is my audience for this policy?
 What is the absolute minimum information they need to
have? What are the key messages that I want them to
retain?
 What is the best format for my audience to receive this
information?
Discussion:
Policies & Procedures
 What policies do you have?
 What policies do you need to develop?
 What procedures are associated with the
policies?
 Who manages the policies & procedures?
 Do you audit?
Breach Response
 In US, breach notification is a state law –
resulting in varying requirements.
 Need to determine what you would say in the
event of a breach and to whom (including
method of notification).
 Need to understand if there are any legal
requirements that prevail.
Discussion:
Breach Response
 What constitutes a breach?
 What are your legal obligations to notify?
 What are your ethical requirements to notify?
 Who must you notify?
 How timely must you notify?
Vetting Vendors
 Build provisions into contracts, including
restitution, termination for cause
 Consider including right to terminate if
company bought by another
 Understand:
 How you would get your data back if our vendor
relationship changes (change vendor, vendor goes out
of business, etc)?
 How would you ensure that all copies maintained by
vendor are appropriately destroyed?
 Where the vendor stores your data?
Vetting Cloud Vendors

How do I move my apps to the cloud?

How are my apps and data protected from other users on the same cloud servers?

Can I see your data center? Are they certified and willing to share details of certifications with you?

How do they keep critical security settings, virus definitions, and security patches up to date?

Do they conduct periodic test restores of your backups to make sure the data is not corrupt and could be restored in the
event of a disaster?

Are they willing to provide you with written network documentation detailing what software licenses you have, critical
network passwords, and hardware information?

Do they consistently (and proactively) offer new ways to improve your network’s performance, or do they wait until you
have a problem to make recommendations?

Do you know, up front, what the costs and charges will actually be? Cloud is not always cheaper!

Do they provide detailed invoices that clearly explain what you are paying for?

Do they explain what they are doing and answer your questions in terms that you can understand?

Do they have a proven track record of completing projects on time and on budget?

Do they offer any guarantees on their services? Uptime versus availability. 99.9% uptime is 8.76 hours of downtime per
year. Is the guarantee enforceable?

How do they share information about your account internally?

Do they offer flat-rate or fixed-fee project quotes, or not to exceed provisions?

Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored?
What if it leaves the EU or specific country?

Do they offer 2 factor authentication for any cloud services?

How do you audit access to my data?

How will I be notified and compensated if my data is breached?
Discussion:
Vetting Vendors
 How do you evaluate vendors?
 What specific information security questions
should be assessed?
 What would prevent you from selecting a
vendor?
Getting Started
 The Ongoing Conversation
 Current State Assessment
 Information Security Plan Framework
The Ongoing Conversation
At least annually with your Head and Board:
 What data do we have and where is it?
 How do/should we move data to and from the
cloud?
 How does/should our school use virtual
classrooms?
 What consumer services are we using?
 Are we satisfied with how our cloud vendor
protects our data?
 Have we considered cyber liability insurance?
Assess Current State
 Document Current State
 Research Laws/Requirements
 Conduct Gap Analysis
 Tools
 http://www.educause.edu/library/resources/information-security-program-assessment-tool
Framework for Security Plan
 Create a task force that includes school administration, business
office, IT, teacher, student and legal representatives
 Define key areas of risk
 Define school risk tolerance posture for each area of risk
 Define cost and scope (order of magnitude) to remediate the risk
 Map it out
 Conduct vendor due diligence
 Allocate resources to address
 Develop applicable policies
 Renegotiate vendor arrangements and terms as needed
 Build in opportunities to revisit areas of risk as landscape changes
 Communicate the plan and test it regularly
 See http://www.educause.edu/ for resources and checklists.
Thank you!
Any questions, please contact me
@ jmrous@gmail.com
SOME ADDITIONAL THOUGHTS…
Intellectual Property
 Who owns what?
 An employer owns copyrights created by its employees within the scope of their
employment. It is often unclear, however, whether a teacher (or the employer
school) owns the original teaching materials that he or she has created.
Although creating such materials is related to one’s employment, teachers are
sometimes viewed as hired to teach, not to create course materials. Moreover,
under a loose “academic exception” that is not reflected in statutory copyright
law but is sometimes referred to in case law, teachers often understand or
believe that such materials are owned by them and thus can be used freely as
they move from school to school. (The academic exception is stronger in higher
education than K-12; the policies of most institutions of higher learning allow
ownership of such materials by the educator.)
 Do you limit access to virtual classrooms only to those participating in the class?
 Do you limit the extent to which students can copy or extract others' work from
the virtual classroom?
 Are you using a school computer to generate or edit the info? Then the IP is
probably the school's!
BYOD
 Do you have a policy that everyone knows about and signs off on before
they are granted access to school resources?
 Have you limited exposure to the business/administrative side of the
network?
 Do you maintain ownership of the data, regardless of where it travels, how it
gets there, or on what device it is stored?
 Do you make it clear to your user community that you reserve the right to
govern your data which may allow you access to their personal data on a
device?
 Have you clearly defined what happens when an employee or student leaves
the school?
 How?
 Are you sure?
 What about content?
 What about device based licenses?
 Will you keep the content? For how long?
 Can you restrict access on the network to control bandwidth per
application?