Herding Cats and Campuses: Addressing Distributed Security and Compliance Issues

  • View

  • Download

Embed Size (px)


Herding Cats and Campuses: Addressing Distributed Security and Compliance Issues. Educause Security Professionals Conference - April, 2007 Kathy Kimball and David Lindstrom The Pennsylvania State University. Outline. Penn State Background Universities and Network Threats - PowerPoint PPT Presentation

Text of Herding Cats and Campuses: Addressing Distributed Security and Compliance Issues

  • Herding Cats and Campuses: Addressing Distributed Security and Compliance IssuesEducause Security Professionals Conference - April, 2007Kathy Kimball and David LindstromThe Pennsylvania State University

  • OutlinePenn State BackgroundUniversities and Network ThreatsLegal and Regulatory LandscapeThe Challenge Facing UsThe Information Privacy And Security (IPAS) ProjectOriginSponsorshipAdministrationOverviewStaffingPhasesNecessary Support

  • Penn State

    One University Geographically Dispersed24 campuses statewideAlso agricultural extension offices, recruitment centers and other distributed operating sitesWorld Campus - provides distance learning opportunities globallyVPN to allow remote connectivity to resources otherwise blocked by border router filtersFall 2006Students: 83,721 (42,914 at University Park)Faculty/Staff: Full time: 22,478; Part time: 39,464One backbone network supports almost all functions (Internet Connectivity goes back through University Park)

  • We AreVery Large

  • We Also Deal With a Lot of Data

  • How Much???One Terabit is roughly equivalent to 32 million two-hundred fifty page booksBy that measure, for the high month during the first six months of 2006, the data backbone transferred the equivalent of approximately 88,000,000,000 two-hundred fifty page books. (Or 2,838,709,677 of them per day rough average).

  • Penn State - More NumbersTypical Day: more than 100,000 individual computers are connected > 1.5 million authentication actions by 120,880 unique Access account usersDoesnt include all the College and Department logins28 February: More than 54,000 systems (of the 100,000) communicated out to the InternetMore than 2,900,000 separate systems attempted to talk to Penn State from the Internet10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border. (In other words, it was likely hostile activity subject to very simple blocks)

  • Universities and Network ThreatsWere SpecialI Guess

  • University CharacteristicsCertain Characteristics of Colleges and Universities Make the Security Problem More DifficultDistributed GovernanceVarying User Needs/User PopulationsCultural Tradition of IndependenceEmphasis on committees and consensusComparatively slow-moving process facing a fast-moving threat

  • Challenging Network Threat ClimateGlobal network is a hostile placeConstant probesSecurity is dependent on non-technical usersInsecurity anywhere can affect the wholeMonoculture intensifies attack effectsIf a new Windows flaw is discovered, it could enable rapid exploit spread due to Microsofts market dominance

  • Hostile Probes - 28 February (A Fairly Typical Day)Exploits against Penn State were attempted from multiple locations in the United States and abroad including: Korea, Japan, Brazil, United Kingdom, Russia, Chile, Austria, Uruguay, Turkey, Taiwan, Switzerland, Spain, Peru, Mexico, Kuwait, Italy, India, Hungary, Hong Kong, France, Argentina, AfricaTop hostile probe award went to a single system in Spain with 948,708 hostile attempts (ssh brute force)

  • Trends: Whats Increasing?Sophistication level of network attacks (Bots, bots and more bots)Complexity of detecting and removing residual malicious softwareNumber of vendor security updates Mobility Laptops and PDAs connecting to uncontrolled networks and returning

  • Trends: Whats Decreasing?Amount of time for global spread (worms)Though less impetus to do so (rise in criminal exploitation that is profit motivated)Ability to prevent intrusions at the network borderAmount of time available to install vendor security updatesAmount of time to detect and defeat a network-based attack

  • Legal and Regulatory LandscapeWhen in Doubt, Pass a Law (or Write a Policy) - Controlling the Uncontrollable

  • Privacy and Security Policy OverviewPrimary Penn State Policies related to Privacy and SecurityAD11 - University Policy on Confidentiality of Student RecordsAD19 - Use of Penn State Identifier and Social Security NumberAD20 - Computer and Network SecurityAD22 - Health Insurance Portability and Accountability Act (HIPAA)AD23 - Use of Institutional DataAD35 - University Archives and Records ManagementAD53 - Privacy StatementADG01 - Glossary of Computerized Data and System TerminologyADG02 - Computer Facility Security Guideline

  • Policy Overview - ContinuedWe have an institutional duty to reasonably secure sensitive data entrusted to our careThe network is distributed and so is security responsibilityDeans and Administrative Officers are responsible for establishing security policies in their areasThe local policies have the force of overall University Policy, and are intended to guide system administrators in the development of detailed procedures enabling secure operation of local networks

  • Network PolicyIn addition to overall University Policy and local policies/procedures, attachment to the network requires: a network administrative, technical and security contact Responsible for a designated range of network addressesThe contacts are critical in incident notificationOnly a network address is generally known for university systems when response begins Accuracy of the contact list is a unit responsibility

  • Additional Policy PointsUnits handling administrative data have additional requirements as outlined in the Trusted Network Specifications (http://ais.its.psu.edu/security/specific.html)Units with an exception to hold Social Security Numbers locally have even more requirements (under AD19)There is, however, a perceived gap between Policy and performance for a number of reasons

  • Legal LandscapeApplicable Laws and Regulations (Partial):FERPAHIPAAGraham Leach BlileyThe Pennsylvania Breach of Personal Information Notification Act [73 P.S. 2301 et seq ]FACTAPCI-DSS (Credit card industry security standards)

    Undoubtedly more comingWatch this space

  • The ChallengeWe MUST Do Better or What Part of Comply Dont We Understand

  • Universities in General Have Issues we MUST CorrectTwo sources with slightly different numbers, but the news isnt good:Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal dataAccording to the Treasury Institute for Higher Education of the 321 information security breaches nationwide reported in 2006, 84 or 26% were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants

  • Need to ImproveImproving the state of privacy and network security practices is essentialIts a distributed problem; it requires a distributed solutionWe Must: Raise the bar with regard to security practices and policies Assure compliance with existing university policies and laws affecting Penn StateImprove our ability to respond to new laws(And do this even in light of our distributed nature and management structure)

  • Information Privacy And Security (IPAS) Project OriginJoint Effort two year project planned. Loosely based on the model used for Social Security Number conversion. Pushed strongly by:Information Technology ServicesCorporate ControllerPlanning began in July 2006 and was approved in November 2006Planning documents were staffed via both chains (business/finance and IT)Various funding models explored. Ultimately central funding with a split between budgets/budget execs was adopted

  • IPAS Project Executive SponsorsProvost, Chief Financial Officer JointlyOversight:University Controller Vice Provost for Information Technology Services

  • IPAS Project AdministrationSimilarly, a joint effort between:Senior Director, Security Operations and Services, Information Technology Services Kathleen KimballChief Privacy Officer, Corporate Controller David Lindstrom(Advantage: Both business and academic sides are represented in the project administrative structure, as well as the senior executive management structure)

  • Project Overview

    IPAS is a large-scale, multi-year, multi-phase effort with University-wide scopePhase I - Evaluate (and remediate if necessary) PCI-DSS systems and networksPhase II - Take lessons learned and apply to systems and networks handling sensitive University information(There is overlap, with some Phase II tasks coinciding with Phase I. The Project Team has already begun to contact units)

  • IPAS Project StaffingThree project team members temporarily assigned for the duration of the two-year project. (Project Manager, Senior Network Analyst, Project Technical Coordinator)Leadership of distributed units provided the staff resources for the project:ITS, Consulting and Support ServicesStudent AffairsResearch Information Systems

  • Youre Going to Make Us Do What?Initial Reaction by the Governed:

  • Phase I Very detailed requirementsMore than 100 merchant ids University-widePayment Card Industry Data Security Standard (Version 1.1)Qualified data security company is engaged (Ambiron Trustwave)Security scans required quarterly. Security Operations and Services also performs internal scans (ISS and AppScan)Bursar and eCommerce server evaluated and deemed compliant by the end of December 2006

  • Sample RequirementBuild and Maintain a Secure NetworkThe Devil is in the details. This objective breaks out to two main requirement sections with multiple subsections under each:Example -- Require