INFORMATION SECURITY AT YOUR SCHOOL

Jennifer M. Rous Education Roanoke College, BS Computer Info Systems Johns Hopkins University, MBA and MSc IT 1st job in independent school environment

INFORMATION SECURITY AT YOUR SCHOOL

Jennifer M. Rous

Education: Roanoke College, BS Computer Info Systems; Johns Hopkins University, MBA and MSc IT

1st job in independent school environment

Other industry experience in investment banking, consulting to corporate and government agencies, law firm

Since 2001 served as CIO, act as CISO

Community/Board involvement: 2 CIO councils, Executive Women's Roundtable, DHHS Advisory Board, Emerging Technology Center (incubator for tech startups) Board

What is the Cloud?

From Wikipedia

What is the Cloud?

SaaS - Software as a Service

Delivery of applications over the Internet. These applications are accessible through a web browser and managed by the vendor remotely.

Depending on the vendor and type of product, there are likely similar customization and configuration options as are available in on-premises software.

What is the Cloud?

PaaS - Platform as a Service

Programming platform and tools, as a service. Allows consumer developers, including both corporate application developers as well as independent software vendors, to build and deploy applications using the platform, without worrying about the management of the underlying infrastructure, including networks, servers, storage, and other services.

What is the Cloud?

IaaS (eye-as) - Infrastructure as a Service

Availability of raw computing resources like processing power, storage, etc. over the Internet.

IaaS offers users control over operating system and network components (like firewall, storage, etc.) while taking care of the underlying hardware and in some cases the network.

What’s what?

Level Set Activity (1)

What types of content do you have?

Where is it and how is it accessed?

Are you using cloud services?

What legal requirements exist for the content?

Level Set Activity (2)

Who is in charge of information security?

Do you have a formal plan in place?

Does it involve policies? What kind?

How and by whom are the policies enforced?

Do you have an awareness program?

Now we know…

What we mean by “Cloud”

What kinds of data we have

Where our data is located

What else is relevant?

Concept of perimeter security

Legal requirements

The Perimeter is Gone

Traditional information security was managed at the perimeter - close all the doors and windows and put a big guard at the gate.

Today the perimeter is squishy - wireless access points and phones create a ubiquitous, unsecured mesh of connectivity with no protection against dangers.

Protect the Data

All data is not equal. Need to consider each data set independently or as groups and determine how to protect each set.

Allocate resources to protect your most sensitive or critical data.

Know the Law

People have an expectation of protection & privacy.

Some laws:

In US, FTC is conducting investigations into privacy violations (by specific developers as well as companies like Apple, Microsoft and Google) and the FBI has dedicated massive resources to cyber crimes.

Many European countries have laws in place related to data protection. UK Data Protection Act - a law designed to protect personal data stored on computers or in an organized paper filing system.

EU considering proposal to govern personal data that resides in more than one EU Member State. http://ec.europa.eu/justice/newsroom/data-protection/news/130206_en.htm

Know which laws/regulations apply to your country & school as well as expat faculty, staff, students

Current Dangers

What are some key current dangers?

Key Current Dangers

Malware/Viruses/Spyware

Hacking

Phishing/Spoofing

Consumer Services

Current Dangers

From: https://dm.pwc.com/HMG2013BreachesSurvey/, filtered for Education

For those thinking, these things can’t happen at my school…

Reality is schools may be easier and more desirable targets than you think

Hackers know there's valuable info there and it’s probably easier to crack security than other places

Key Current Dangers

Malware/Viruses/Spyware

Coming from anywhere including email, USB devices, social networks, cloud services

Speed increasing

Zero day exploits

Human compulsion

April 12, 2012 - Housatonic Community College, Bridgeport, CT

Two campus computers were determined to have been infected by malware. The breach occurred when a faculty or staff member opened an email that contained a virus. The virus was immediately detected. Student, faculty and staff affiliated with the school between the early 1990's and the day of the breach may have had their names, social security numbers, dates of birth and addresses exposed. Housatonic's president acknowledged that the cost of handling the breach could be as much as $500,000.

Number of records breached: 876,667

Key point: effectiveness of email virus attack.

Key Current Dangers

Hacking - school environment requires hard look at external and internal hack possibilities

Wireless and wired attacks

Celebrity status

Students

Hacktivism

Sept. 1, 2011 - Birdville, Haltom City, TX

Two students may face criminal charges for hacking into the Birdville School District's network server and accessing a file with student names and Social Security numbers. The students are a high school junior and a senior. Students who attended during the 2008-2009 school year may have been affected.

Number of records breached: 14,500

Key point: student perpetrated.

August 15, 2012 - Saudi Aramco Companies, Saudi Arabia

Significant use of malware in a politically motivated hacktivist attack that resulted in widespread infection by a malicious virus that wiped out email and data for many parts of the company, including the pre-K-9 schools (about 2600 students).

Number of computers breached: 30,000

Key point: cannot combat hacktivism, especially when you’re not exactly the target.

May 3, 2012 - University of Pittsburgh, Pittsburgh, PA

Hackers associating themselves with Anonymous claimed to have obtained the private information of University of Pittsburgh students and alumni. The hackers threatened to release the information publicly unless the university apologized to students, law enforcement and professors. Student passwords, dorm information, payment and credit card information, parent information, coursework and grades as well as alumni information may have been exposed.

Number of records breached: unknown

Key point: cannot combat hacktivism.

Key Current Dangers

Phishing and spoofing

Phishing is a message sent to prompt action from the recipient. Once the recipient responds, the hacker can gain control of their machine or collect info about them.

Spoofing is the act of sending a message that looks like it came from a specific sender but, in reality, was not sent by that sender.

Often targeting identity theft or extortion.

February, 2011 - International School of Stavanger, Hafrsfjord, Norway

Internet pirates extorted money via phishing and spoofing from international teaching candidates applying for positions.

Dr. Linda M. Duevel, Director of school, wrote an interesting piece on their experience: http://www.internationalschoolsreview.com/nonmembers/internat_scams.htm

Key point: phishing and spoofing attacks can be surprisingly effective.

Key Current Dangers

System Issues

Misconfigurations

Failure

Feb. 15, 2012 - University of North Carolina at Charlotte, Charlotte, NC

An online security breach was discovered on Jan. 31. Around 350,000 people had their social security numbers exposed. Financial information was also exposed. A system misconfiguration and incorrect access settings caused a large amount of electronic data hosted by the university to be accessible from the Internet. One exposure issue affected general university systems over a period of about three months. A second exposure issue affected the college of engineering systems for more than a decade.

Number of records disclosed: 350,000

Key point: system misconfigurations can go unnoticed for long periods.

September, 2013 - Los Angeles, California

LAUSD deploying 35k iPads to students in 47 schools ($30M). 300 students altered device configuration to opt out of MDM software (which eliminated Apple Global HTTP Proxy) and were able to bypass policies and freely access Internet resources.

Key point: multiple security issues can be damaging (system misconfiguration and hacking).

http://www.cio.com/article/740746/What_s_Behind_the_iPad_Hack_at_Los_Angeles_High_Schools_?source=CIONLE_nlt_insider_2013-10-03

Key Current Dangers

Application services

Consumer apps used by individuals but not vetted by school

Vulnerability of all companies

Potential Impact of Current Dangers

Loss of critical and/or confidential data

Loss of operations

Legal issues

Identity theft

Brand damage

So, what do we do? Come back for Part 2!

“In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.”

Theodore Roosevelt

Part 2

Practical Approaches for Your School

The Details

Cloud Considerations

Policies & Procedures

Breach Response

Vetting Vendors

Cloud Considerations

Economics

With no capital expenses and reduced operating expenses, cloud computing can save significant money on IT costs, but not always.

Scalability and Elasticity

Cloud Computing is infinitely scalable and offers an easy way to scale up and scale down based on demand. Make sure your contract says you can. The trade-off is vendor lock-in, so you need an exit strategy. Make sure the contract says you own your content. Remember the difference between uptime and availability.

Cloud Considerations

Ubiquitous Access

Theoretically offers device, location and time independence. Idea that you can use the system 24x7 from anywhere you can find an Internet connection.

Additional protection from lost productivity related to physical disaster or snow day.

How reliable is remote connectivity for your constituents?

Cloud Considerations

Security

Use of the cloud does not change a school’s privacy and data security obligations or create a defense that the service provider (not the school) committed the violation.

At the same time, a school must rely in some cases almost entirely on a cloud provider for the school’s compliance with applicable law.

Identify which privacy and data security obligations apply to the IT function moving to the cloud.

Obtain sufficient contractual guarantees to assure compliance.

Discussion: Cloud Considerations

What cloud services are you using or considering?

What are your key considerations for deploying services to the cloud?

What will you do if your cloud service is down for an extended period of time?

Policies & Procedures

Audiences: Staff, Students, Parents

Types: Acceptable Use, Access, Password, Reporting Violations, Data Encryption, Confidentiality

Resources:

Educause: http://www.educause.edu/search/apachesolr_search/policies

Washington University in St Louis: http://wustl.edu/policies/infosecurity.html

Policies & Procedures

What purpose is this policy meant to serve? Am I ticking a box, or is it adding real value?

Have I aligned my policy with any subsequent awareness training I might deliver?

Have I aligned my policy to the objectives of the school?

Is there a regulatory and/or statutory basis to the policy, or is it more guidance on good practice?

Who is my audience for this policy? What is the absolute minimum information they need to have? What are the key messages that I want them to retain?

What is the best format for my audience to receive this information?

Discussion: Policies & Procedures

What policies do you have?

What policies do you need to develop?

What procedures are associated with the policies?

Who manages the policies & procedures?

Do you audit?

Breach Response

In US, breach notification is a state law – resulting in varying requirements.

Need to determine what you would say in the event of a breach and to whom (including method of notification).

Need to understand if there are any legal requirements that prevail.

Discussion: Breach Response

What constitutes a breach?

What are your legal obligations to notify?

What are your ethical requirements to notify?

Who must you notify?

How timely must you notify?

Vetting Vendors

Build provisions into contracts, including restitution, termination for cause

Consider including right to terminate if company bought by another

Understand:

How would you get your data back if your vendor relationship changes (change vendor, vendor goes out of business, etc)?

How would you ensure that all copies maintained by vendor are appropriately destroyed?

Where does the vendor store your data?

Vetting Cloud Vendors

How do I move my apps to the cloud?

How are my apps and data protected from other users on the same cloud servers?

Can I see your data center?

Are they certified and willing to share details of certifications with you?

How do they keep critical security settings, virus definitions, and security patches up to date?

Do they conduct periodic test restores of your backups to make sure the data is not corrupt and could be restored in the event of a disaster?

Are they willing to provide you with written network documentation detailing what software licenses you have, critical network passwords, and hardware information?

Do they consistently (and proactively) offer new ways to improve your network’s performance, or do they wait until you have a problem to make recommendations?

Do you know, up front, what the costs and charges will actually be? Cloud is not always cheaper!

Do they provide detailed invoices that clearly explain what you are paying for?

Do they explain what they are doing and answer your questions in terms that you can understand?

Do they have a proven track record of completing projects on time and on budget?

Do they offer any guarantees on their services? Uptime versus availability. 99.9% uptime is 8.76 hours of downtime per year. Is the guarantee enforceable?

How do they share information about your account internally?

Do they offer flat-rate or fixed-fee project quotes, or not-to-exceed provisions?

Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored? What if it leaves the EU or a specific country?

Do they offer 2 factor authentication for any cloud services?

How do you audit access to my data?

How will I be notified and compensated if my data is breached?

Discussion: Vetting Vendors

How do you evaluate vendors?

What specific information security questions should be assessed?

What would prevent you from selecting a vendor?

Getting Started

The Ongoing Conversation

Current State Assessment

Information Security Plan Framework

The Ongoing Conversation

At least annually with your Head and Board:

What data do we have and where is it?

How do/should we move data to and from the cloud?

How does/should our school use virtual classrooms?

What consumer services are we using?

Are we satisfied with how our cloud vendor protects our data?

Have we considered cyber liability insurance?

Assess Current State

Document Current State

Research Laws/Requirements

Conduct Gap Analysis

Tools: http://www.educause.edu/library/resources/information-security-program-assessment-tool

Framework for Security Plan

Create a task force that includes school administration, business office, IT, teacher, student and legal representatives

Define key areas of risk

Define school risk tolerance posture for each area of risk

Define cost and scope (order of magnitude) to remediate the risk

Map it out

Conduct vendor due diligence

Allocate resources to address

Develop applicable policies

Renegotiate vendor arrangements and terms as needed

Build in opportunities to revisit areas of risk as landscape changes

Communicate the plan and test it regularly

See http://www.educause.edu/ for resources and checklists.

Thank you!

Any questions, please contact me @ [email protected]

SOME ADDITIONAL THOUGHTS…

Intellectual Property

Who owns what?

An employer owns copyrights created by its employees within the scope of their employment. It is often unclear, however, whether a teacher (or the employer school) owns the original teaching materials that he or she has created. Although creating such materials is related to one’s employment, teachers are sometimes viewed as hired to teach, not to create course materials. Moreover, under a loose “academic exception” that is not reflected in statutory copyright law but is sometimes referred to in case law, teachers often understand or believe that such materials are owned by them and thus can be used freely as they move from school to school. (The academic exception is stronger in higher education than K-12; the policies of most institutions of higher learning allow ownership of such materials by the educator.)

Do you limit access to virtual classrooms only to those participating in the class?

Do you limit the extent to which students can copy or extract others' work from the virtual classroom?

Are you using a school computer to generate or edit the info? Then the IP is probably the school's!

BYOD

Do you have a policy that everyone knows about and signs off on before they are granted access to school resources?

Have you limited exposure to the business/administrative side of the network? How? Are you sure?

Do you maintain ownership of the data, regardless of where it travels, how it gets there, or on what device it is stored?

Do you make it clear to your user community that you reserve the right to govern your data which may allow you access to their personal data on a device?

Have you clearly defined what happens when an employee or student leaves the school? What about content? What about device based licenses? Will you keep the content? For how long?

Can you restrict access on the network to control bandwidth per application?