CyberSecurity - Linda Sharp

Post on 20-Nov-2014

TRANSCRIPT

<ul><li> 1. Cyber Security Linda Sharp CoSN Cyber Security Project Director SchoolDude University 2009</li></ul> <p> 2. Understanding the Issues </p> <ul><li>Four Reasons to Pay Attention to K-12 Network Security </li></ul> <ul><li>1. Protect data</li></ul> <ul><li>2. Prevent misuse of resources</li></ul> <ul><li>3. Prevent interruption of operations</li></ul> <ul><li>(Protecting the Core Mission: Learning) </li></ul> <ul><li>4. Keep kids safe</li></ul> <p>3. Reliance on Technology </p> <ul><li>For instructional activities </li></ul> <ul><li>For business operations </li></ul> <ul><li>For student data and recordkeeping </li></ul> <ul><li>For assessment and accountability </li></ul> <ul><li>For internal and external communication</li></ul> <ul><li>Other areas of reliance in your schools? </li></ul> <p>4. The Evolution of Intent: From Hobbyists to Professionals </p> <p>[Figure: threat severity over time (1990, 1995, 2000, 2005, 2007, "What's next?"). Labels: FINANCIAL: Theft &amp; Damage; FAME: Viruses and Malware; TESTING THE WATERS: Basic Intrusions and Viruses. Caption: Threats becoming increasingly difficult to detect and mitigate.] </p> <p>5. Financial Impact </p> <ul><li>2004 Cyber Attack impact in business was $226 billion </li></ul> <ul><li>2008 One of top 4 US priority security issues. </li></ul> <ul><li>Cyber Crime has overtaken drugs for financial impact.</li></ul> <p>6. Legal Impact </p> <ul><li>FERPA </li></ul> <ul><li>CIPA </li></ul> <ul><li>HIPAA </li></ul> <ul><li>COPA </li></ul> <ul><li>FRCP 34 </li></ul> <p>7. Legal Impact </p> <ul><li>Data </li></ul> <ul><li><ul><li>Personal, Private, Sensitive Information </li></ul></li></ul> <ul><li>Information Sharing </li></ul> <ul><li><ul><li>Internal</li></ul></li></ul> <ul><li><ul><li>External </li></ul></li></ul> <ul><li>Backup/Restore </li></ul> <ul><li><ul><li>Where and how </li></ul></li></ul> <p>8. 
Legal Impact </p> <ul><li>Acceptable Use Policies (AUP) </li></ul> <ul><li><ul><li>Who should sign AUP? </li></ul></li></ul> <ul><li><ul><li>What should be included? </li></ul></li></ul> <ul><li><ul><li><ul><li>Internet usage </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Data protection and privacy </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Rules/regulations </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Consequences </li></ul></li></ul></li></ul> <p>9. Safety vs. Security </p> <ul><li>Safety: Individual behavior </li></ul> <ul><li>Security: An organizational responsibility </li></ul> <p>10. Five Guiding Questions </p> <ul><li>What needs to be protected? </li></ul> <p>11. Five Guiding Questions </p> <ul><li>What needs to be protected? </li></ul> <ul><li>What are our weaknesses? </li></ul> <p>12. Five Guiding Questions </p> <ul><li>What needs to be protected? </li></ul> <ul><li>What are our weaknesses? </li></ul> <ul><li>What are we protecting against? </li></ul> <p>13. Five Guiding Questions </p> <ul><li>What needs to be protected? </li></ul> <ul><li>What are our weaknesses? </li></ul> <ul><li>What are we protecting against? </li></ul> <ul><li>What happens if protection fails? </li></ul> <p>14. Five Guiding Questions </p> <ul><li>What needs to be protected? </li></ul> <ul><li>What are our weaknesses? </li></ul> <ul><li>What are we protecting against? </li></ul> <ul><li>What happens if protection fails? </li></ul> <ul><li>What can we do to eliminate vulnerabilities and threats and reduce impacts? </li></ul> <p>15. Three Strategic Areas </p> <ul><li>People</li></ul> <ul><li>Policy</li></ul> <ul><li>Technology </li></ul> <p>16. 
Three Action Themes </p> <ul><li>Prevention</li></ul> <ul><li>Monitoring</li></ul> <ul><li>Maintenance </li></ul> <p>17. Questions to Ask </p> <ul><li>Do we have a security plan? </li></ul> <p>18. Questions to Ask </p> <ul><li>Do we have adequate security and privacy policies in place? </li></ul> <ul><li><ul><li>District Security Rules </li></ul></li></ul> <ul><li><ul><li>Legal Review </li></ul></li></ul> <ul><li><ul><li>External Controls </li></ul></li></ul> <p>19. Questions to Ask </p> <ul><li>Are our network security procedures and tools up to date? </li></ul> <ul><li><ul><li>Hardware </li></ul></li></ul> <ul><li><ul><li>Software </li></ul></li></ul> <ul><li><ul><li>Monitoring </li></ul></li></ul> <p>20. Questions to Ask </p> <ul><li>Is our network perimeter secured against intrusion? </li></ul> <ul><li><ul><li>Design </li></ul></li></ul> <ul><li><ul><li>Laptops </li></ul></li></ul> <ul><li><ul><li>Wireless Security </li></ul></li></ul> <ul><li><ul><li>Passwords </li></ul></li></ul> <p>21. Questions to Ask </p> <ul><li><ul><li><ul><li><ul><li>Is our network physically secure? </li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>Environmental Hazards </li></ul></li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>Physical Security </li></ul></li></ul></li></ul></li></ul></li></ul> <p>22. Questions to Ask </p> <ul><li>Have we made our users part of the solution? </li></ul> <ul><li><ul><li>Awareness </li></ul></li></ul> <ul><li><ul><li>Training</li></ul></li></ul> <ul><li><ul><li>Communications </li></ul></li></ul> <p>23. Questions to Ask </p> <ul><li>Are we prepared to survive a security crisis? 
</li></ul> <ul><li><ul><li>Backups </li></ul></li></ul> <ul><li><ul><li>Redundant Systems </li></ul></li></ul> <ul><li><ul><li>Communications Plan </li></ul></li></ul> <ul><li><ul><li>Preparedness </li></ul></li></ul> <p>24. Security Planning Protocol </p> <ul><li>Phase 1: Create Leadership Team &amp; Set Security Goals. Outcome: Security Project Description (goals, processes, resources, decision-making standards) </li></ul> <ul><li>Phase 2: Risk Analysis. Outcome: Prioritized Risk Assessment. A ranked list of vulnerabilities to guide the Risk Reduction Phase </li></ul> <ul><li>Phase 3: Risk Reduction. Outcome: Implemented Security Plan. Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness </li></ul> <ul><li>Phase 4: Crisis Management. Outcome: Crisis Management Plan. A blueprint for organizational continuity </li></ul> <p>25. Leadership Team </p> <ul><li>Create Leadership Team and Set Security Goals </li></ul> <ul><li><ul><li><ul><li>Purpose: Clarify IT's role in district mission </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Scope: Set boundaries and budgets</li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Values: Define internal expectations and external requirements for security</li></ul></li></ul></li></ul> <p>26. Leadership Team </p> <ul><li>Leadership Team Personnel </li></ul> <ul><li>IT Leadership </li></ul> <ul><li>Administrators, district and building </li></ul> <ul><li>Legal counsel</li></ul> <ul><li>Human resources</li></ul> <ul><li>Public relations representative</li></ul> <ul><li>Teachers </li></ul> <p>27. District Security Checklist </p> <ul><li>Self Assessment Checklist </li></ul> <p>28. Risk Analysis </p> <ul><li><ul><li><ul><li>What's at risk? 
</li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Vulnerabilities and Threats </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li>Identify impacts to</li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>System </li></ul></li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>People </li></ul></li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>IT organizational issues </li></ul></li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li><ul><li><ul><li>Physical plant </li></ul></li></ul></li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Stress Test </li></ul></li></ul></li></ul> <p>29. Security Planning Grid </p> <table><tr><th>Security Area</th><th>Basic</th><th>Developing</th><th>Adequate</th><th>Advanced</th></tr> <tr><td>Management: Leadership</td><td>Little participation in IT security</td><td>Aware but little support provided</td><td>Supports and funds security</td><td>Aligns security with organizational mission</td></tr> <tr><td>Technology: Network design and IT operations</td><td>broadly vulnerable</td><td>security roll out is incomplete</td><td>mostly secure</td><td>seamless security</td></tr> <tr><td>Environmental &amp; Physical: Infrastructure</td><td>not secure</td><td>partially secure</td><td>mostly secure</td><td>secure</td></tr> <tr><td>End Users: Stakeholders</td><td>unaware of role in security</td><td>Limited awareness and training</td><td>Improved awareness, mostly trained</td><td>Proactive participants in security</td></tr></table> <p>30. Security Planning Grid </p> <ul><li>Provides benchmarks for assessing key security preparedness factors </li></ul> <ul><li>Uses the same topic areas for consistency </li></ul> <ul><li>Helps prioritize security improvement action steps </li></ul> <p>31. Planning Security Grid </p> <ul><li><ul><li>Prioritize solutions </li></ul></li></ul> <ul><li><ul><li>Action plan </li></ul></li></ul> <ul><li><ul><li>Revise SOP </li></ul></li></ul> <p>32. Plan, Test, Plan, Test... </p> <ul><li><ul><li>Scenario: "Despite our best intentions..." 
</li></ul></li></ul> <ul><li><ul><li><ul><li>Financial system backups stored within a vault below ground </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Vault walls are constructed of cinderblocks </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Fire destroys the building</li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Very cool to the touch </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>-- vault becomes sauna, backup tapes destroyed </li></ul></li></ul></li></ul> <p>33. Plan, Test, Plan, Test... </p> <ul><li><ul><li>XXXXX School District </li></ul></li></ul> <ul><li><ul><li><ul><li>Monday, February 11, 2008 </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Break-In at XXX. in XXX, CA </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>"Smash and Grab" -- 1 computer stolen </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts </li></ul></li></ul></li></ul> <p>34. Plan, Test, Plan, Test... </p> <ul><li><ul><li><ul><li>Decision to notify and how to respond? </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Notification authority rests with the Superintendent </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>Elected to follow aggressive path of notification and openness </li></ul></li></ul></li></ul> <ul><li><ul><li><ul><li>E-Mails, letters, contact person, Website (blog) </li></ul></li></ul></li></ul> <p>35. </p> <ul><li>The worst case scenario . . . </li></ul> <ul><li>NO PLAN! </li></ul> <p>36. Questions and Comments? 37. </p> <ul><li>www.securedistrict.org </li></ul> <p>www.cosn.org 38. Thank you Sponsors 39. 
</p> <ul><li>Linda Sharp </li></ul> <ul><li>CoSN Project Manager </li></ul> <ul><li>Cyber Security </li></ul> <ul><li>IT Crisis Preparedness </li></ul> <ul><li>[email_address] </li></ul>