Information Security for Educational Institutions. Mark Rasch [email protected]
Posted on 19-Dec-2015
Introduction
The threats are real:
• Malware (e.g. viruses, worms, Trojan Horses) is becoming more sophisticated
• Security breaches and attacks are becoming more publicized
• People are becoming more concerned with their online privacy…
• However, people still lack awareness of basic computer security issues
A Typical Higher Education Computing Infrastructure
• Traditionally “open”
• Critical for researchers
• Critical for students’ learning
• Higher education comprises 15% of the Internet address space
• Wired campus (dorms to Greek housing), usually with no network authentication
• Many institutions now offer campus-wide wireless access
• Tech-savvy students
Threat Matrix
Internal Threats
• Illness of personnel
• Illness of multiple personnel
• Loss of key personnel
• Loss of network services
• Disgruntled employees
• Disgruntled consultants
• Labor dispute / unrest
• User misuse / theft of data and resources
• Malware (viruses, worms, Trojan Horses, rootkits)
• Software bugs and flaws
External Threats
• Lightning
• Short-term utility outage
• Long-term utility outage
• Flood
• Fire
• Theft of hardware / disks / tapes
• Theft of personnel desktop
• Theft of personnel laptop
• Computer vendor / developer failure (e.g. bankruptcy)
• Random hackers / crackers
• Terrorism
Overlapping Security Issues in Industry and Higher Education
• Enormous disconnect between IT and general users
• Lack of awareness of computer security fundamentals (poor practices)
• Social engineering
• Insider threat
• Lack of low-tech and low-cost planning
• Too much focus on products for implementing computer security
• Lack of testing environments to understand threats and potential security breaches
• Security is a reactive process
Risks in Higher Education
• Openness = fertile ground for attacks and risks
• Web hosting and file sharing
• Decentralization
• Lack of visibility for security and privacy
• Security is looked at as a bad thing by professionals and students: tough sell
• Multiple roles of educational institutions:
  – Educational – provider of services
  – Educational – academic freedom
  – Financial
  – Health care
  – Government contract
  – Real estate owner
  – Internet service provider
  – Law enforcement agency
Hotspots
• Data security
• Privacy
• Next generation of malware
• Poisoned Peer-to-Peer (P2P) networks and torrents
• Compliance and auditing
Next Generation of Malware
• Now spreading through instant messaging, P2P, social networking sites, cell phones, SMS and MMS
• Malware hybrids: fooling and cloaking malicious intent
  – Rootkit: a toolbox of tools for a cracker to keep root access; it also hides and secures the cracker’s presence on a system
  – Example: spyware that has a rootkit component
  – Can fool anti-virus or anti-spyware software
Next Generation of Malware (continued)
• Kernel-based attack technique using hooks and layers
  – Kernel: the core of an operating system, responsible for resource allocation, low-level hardware interfaces, security, etc.
  – Altering normal program control flow
  – The Microsoft Windows architecture makes this possible
Bottom line: malware is becoming more lethal and much more difficult to find!
Data Privacy
Mantras:
• Provide prominent disclosure
• Data minimization (collection, storage, and sharing)
• Anonymity
• Put users in charge of their data
Other components of a privacy framework:
• Quality (accuracy and completeness)
• Security
• Monitoring and enforcement
WHAT IS FERPA?
Family Educational Rights and Privacy Act of 1974 protects the privacy of student educational records.
FERPA applies to any higher education institution receiving federal funds administered by the Department of Education.
WHO IS PROTECTED UNDER FERPA?
Students who are currently enrolled in higher education institutions or formerly enrolled, regardless of their age or status in regard to parental dependency.
Students who have applied but have not attended an institution do not have rights under FERPA.
RIGHTS OF STUDENTS
• Inspect and review their Education Records
• Exercise limited control over disclosure of Education Records information
• Seek to correct their Education Records
• Report violations of FERPA to the Department of Education
• Be informed of their FERPA rights
EDUCATION RECORDS
“Education Records” generally include any records which contain information directly related to the student that is in the possession of the University. The records may be in printed form, handwritten, computer, magnetic tape, e-mail, film or some other medium.
WHAT IS NOT INCLUDED IN AN EDUCATION RECORD?
• Records or notes in the sole possession of educational personnel and not accessible to other personnel (i.e. contained in a faculty member’s notes)
• Law enforcement or campus security records (University Police records)
• Records relating to an individual’s employment by the University (Work Study records ARE educational records)
• Medical treatment records (made or maintained by a Physician, Psychiatrist, Psychologist or related paraprofessional)
• Alumni records
LIMITATIONS ON STUDENT’S RIGHT TO INSPECT AND REVIEW
Students may review their records by submitting a written request to the appropriate Record Custodian.
1. The Student is not permitted to inspect and review financial records of his/her parents.
2. The Student is not permitted to inspect and review confidential letters and recommendations in their education record (if the student signed a waiver).
The items listed above are to be removed from the file prior to the student’s review of his/her education record.
3. Copies are not required unless it is unreasonable for the student to come in and inspect his/her records.
4. The University is responsible for providing the student’s records for inspection no later than 45 days after they are requested.
WRITTEN CONSENT OF STUDENT
Voluntary written consent of the Student to specific third parties. The document should be signed and dated by the Student and state the following:
• Specific records to disclose
• Purpose of disclosure
• Identity of the party to whom disclosure is to be made
The consent will remain valid until the student requests that it be revoked.
DISCLOSURE TO PARENTS
• When the Student is financially dependent on Parents as defined under Section 152 of the Internal Revenue Code (claimed as a dependent on the Parent’s federal tax return).
• When the Student violates any Federal, State or Local law, or any rule or policy of the University governing the use or possession of alcohol or controlled substances, if the Student is under 21 and has committed a disciplinary violation (Judicial Board).
DISCLOSURE EXCEPTIONS
• University Faculty, Staff and Administrators with a “legitimate educational interest”
• Federal, State and Local Education Authorities involved in an audit or evaluation of compliance with Education Programs
• Results of a disciplinary hearing to the alleged victim of a crime of violence
• Judicial Order or Subpoena
• Health or Safety Emergency
• Processing Financial Aid
• Directory Information
• Educational institutions where the student seeks or intends to enroll
WHAT IS DIRECTORY INFORMATION?
The University may disclose information about a student without violating FERPA through what is known as “directory information”.
Annually the University is required to notify students in attendance of what information constitutes “directory information.” This notice must also provide procedures for students to restrict the University from releasing his/her directory information. This notice is provided in the annual Student Code of Conduct, on the Registrar’s website, in University Policy, and published in the student newspaper.
DIRECTORY INFORMATION
• Student’s name
• Student’s address
• Telephone number
• Major field of study
• Degrees and awards received
• Previous educational institutions
• Participation in officially recognized sports and activities
• Weight and height for athletes
• Dates of attendance
• Electronic mail address
• Student’s photograph
STUDENT’S REFUSAL TO PERMIT RELEASE OF DIRECTORY INFORMATION
Student can refuse to permit release of directory information by completing the form in the student paper or on the Registrar’s website or by forwarding the following statement to the University Registrar’s office at G-3 Thackeray Hall:
“I hereby request that no personal information included in my Directory Information be released.” This request must be signed and dated by the student with his/her name, address and social security number.
Once this request is received at the Registrar’s office, no future disclosures will be made without the student’s written consent.
The refusal to permit release of Directory Information is permanent.
A student may rescind this action in-person or by submitting a notarized request in writing to the Office of the University Registrar.
RECORDKEEPING REQUIREMENT
The University is required to keep a record of each request for access and disclosure of personally identifiable information from the education record of each student.
This record must be maintained with the education record of each student as long as the education record is maintained.
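The directory-information rules above (annual notice, the student’s refusal, and the requirement to record every request for access and disclosure) and the data-minimization mantra from the Data Privacy slide fit together naturally as one access-control filter with an audit trail. The Python below is an added example, not code from the original slides or from FTI Consulting; the `Registrar` class, the field names, the student records, the requester names and the `example.edu` addresses are all constructed for illustration.

```python
"""FERPA directory-information release as an access-control filter with a
disclosure record.

Added example; not code from the original slides or from FTI Consulting.
The field names, student records, requester names and the Registrar class
are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# The categories the slides list as "directory information". Anything not in
# this set (grades, SSN, disciplinary records, ...) never leaves via this path.
DIRECTORY_FIELDS = frozenset({
    "name", "address", "telephone", "major", "degrees_awards",
    "previous_institutions", "activities", "weight_height",
    "dates_of_attendance", "email", "photograph",
})


@dataclass
class StudentRecord:
    student_id: str                          # constructed identifier
    fields: Dict[str, str]                   # the education record itself
    directory_release_blocked: bool = False  # set when the student files a refusal


@dataclass
class DisclosureEntry:
    """One line of the per-student disclosure record (recordkeeping requirement)."""
    requester: str
    purpose: str
    fields_requested: List[str]
    fields_released: List[str]
    timestamp: str


class Registrar:
    def __init__(self) -> None:
        self._records: Dict[str, StudentRecord] = {}
        # Kept alongside the education record for as long as that record exists.
        self._disclosures: Dict[str, List[DisclosureEntry]] = {}

    def add_record(self, rec: StudentRecord) -> None:
        self._records[rec.student_id] = rec
        self._disclosures.setdefault(rec.student_id, [])

    def block_directory_release(self, student_id: str) -> None:
        """Student's refusal: nothing is released until the block is rescinded."""
        self._records[student_id].directory_release_blocked = True

    def rescind_block(self, student_id: str) -> None:
        self._records[student_id].directory_release_blocked = False

    def release_directory_info(self, student_id: str, requester: str,
                               purpose: str, requested: List[str]) -> Dict[str, str]:
        """Return only the requested fields that are (a) directory information,
        (b) present in the record and (c) not suppressed by a refusal.
        Every request is logged, whether or not anything is released."""
        rec = self._records[student_id]
        if rec.directory_release_blocked:
            allowed: List[str] = []
        else:
            # Data minimization: never more than asked for, never non-directory data.
            allowed = [f for f in requested
                       if f in DIRECTORY_FIELDS and f in rec.fields]
        self._disclosures[student_id].append(DisclosureEntry(
            requester=requester, purpose=purpose,
            fields_requested=list(requested), fields_released=allowed,
            timestamp=datetime.now(timezone.utc).isoformat()))
        return {f: rec.fields[f] for f in allowed}

    def disclosure_record(self, student_id: str) -> List[DisclosureEntry]:
        return list(self._disclosures[student_id])


def build_demo_registrar() -> Registrar:
    """Two constructed student records: one has filed a refusal, one has not."""
    reg = Registrar()
    reg.add_record(StudentRecord("S-0001", {
        "name": "A. Student", "major": "History",
        "email": "a.student@example.edu", "gpa": "3.7"}))  # gpa is NOT directory info
    reg.add_record(StudentRecord("S-0002", {
        "name": "B. Student", "major": "Physics",
        "email": "b.student@example.edu"}))
    reg.block_directory_release("S-0002")
    return reg


if __name__ == "__main__":
    reg = build_demo_registrar()
    print(reg.release_directory_info("S-0001", "Campus newspaper",
                                     "honor roll listing", ["name", "major", "gpa"]))
    print(reg.release_directory_info("S-0002", "Campus newspaper",
                                     "honor roll listing", ["name"]))
    for entry in reg.disclosure_record("S-0002"):
        print(entry)
```

The two design points worth copying are that the filter is an allow-list (a field must be in `DIRECTORY_FIELDS` to leave, so a new non-directory field added to the record is protected by default) and that the disclosure entry is written before the data is returned, so a refused request still leaves the record FERPA requires.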
FERPA AND INTERNATIONAL STUDENTS
International students have the same rights to inspect their records and request amendments.
International students consent to release of their records to certain governmental agencies on immigration forms.
CORRECTING EDUCATION RECORDS
Students are permitted to inspect and review their Education Records, and to seek to change any part that they believe is inaccurate, misleading, or in violation of their privacy rights.
a. If the requested change falls within the individual’s Academic Integrity Guidelines, then Academic Integrity Guidelines shall control the procedure to follow. FERPA gives the student the right to correct an inaccurately recorded grade, not to have the grade evaluated and changed.
b. If the requested change is not a violation of the Student or Faculty obligation, then the standard access and release of records will be followed.
RIGHT TO REPORT VIOLATIONS TO THE U.S. DEPARTMENT OF EDUCATION
Any complaint filed by a Student regarding a violation of their FERPA rights is investigated and processed by the Family Policy Compliance Office of the U.S. Department of Education. If a determination is made that the University is in violation, both the University and the Student will be advised and informed of the measures to be taken in order to come into compliance with the law.
STUDENT’S RIGHT TO BE INFORMED OF THEIR FERPA RIGHTS
The University is required to annually inform students of their FERPA rights. The notification must also indicate the location of the student’s records and the procedure to be followed to inspect and review their record.
DECEASED STUDENTS
The privacy rights of an individual expire upon that individual’s death. FERPA does not apply, and it is at the University’s discretion to disclose any information about the deceased student.
How Come So Many Data Privacy Problems Recently?
• Heavy usage of and dependency on Social Security Numbers and credit card numbers
• Poor web security
• Insider threats
• Social engineering (scam artists, phishing)
• Pharming
• Third-party businesses
• Linkability
Common Compliance and Legal Frameworks
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Computer Fraud and Abuse Act (CFAA)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Visa USA Cardholder Information Security Program (CISP) / MasterCard Site Data Protection Program / Payment Card Industry (PCI) Data Security Standard
Significance of the Compliance Frameworks
• HIPAA security rule – safeguarding of electronic protected health information
• GLBA – protects privacy of consumer information in the financial sector
• Sarbanes-Oxley Act – executives need to report quickly and accurately
• USA PATRIOT Act – provides law enforcement agencies with greater access to electronic communications
• Colleges and universities have to comply with more regulations than businesses
Impact of Breaches
• Heavy network consumption
• Direct impact on leadership
• Direct impact on students’ learning
• Wasted funding (private and public)
• Legal consequences
• Bad press
• Loss of competitive edge
• Long road to recovery
What You DON’T Want to Do
• Pretend the problems will go away
• Establish reactive and short-term fixes
• Primarily rely on a firewall, or just software solutions, for security perimeter protection
• Fail to understand the relationship of information security to the business problem
• Assign untrained people to maintain security and compliance
Short-Term: Awareness, Awareness, Awareness
• Irony: provisions for education and training in SOX and the DMCA
• Very little money is spent on computer security education for the public
• Security is boring, difficult, and political
• At fault: IT professionals, users, technology
• Lack of ownership of security and privacy issues by companies
• Emerging technologies pose a serious threat if deployed naively
• Unfortunately, given the infrastructure and architecture of current computing systems, users do need to be informed
Short-Term: Awareness (continued)
Provide an undergraduate course in computer security, privacy, and politics:
• Overlap of departments and groups in a University (e.g. Computer Science, Law School)
• Investment for students, the University, and the instructors of the course
Short-Term: Low-Cost and Low-Tech Improvements
First things first, ask yourself and management (and revisit the questions):
• What are your security goals?
• What are you really protecting?
• What are your priorities, especially in a product (e.g. interface, administration, prevention)?
Short-Term: Low-Cost and Low-Tech Improvements (continued)
• Write documentation on what system support staff and users need to do with respect to network and information security
• Establish baseline security configurations for all appropriate technology platforms (e.g. web browser)
• Establish a vulnerability management process
• Use vulnerability assessment tools to periodically conduct self-assessments
• Monitor log files from critical systems on a daily basis
• SANS has excellent policy templates
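Monitoring log files from critical systems daily, as the list above recommends, only gets done when the first pass is scripted and a person reads the short summary rather than the raw file. The Python below is an added example, not code from the slides or from FTI Consulting: it reads OpenSSH-style authentication lines (the sample lines, hostname, process ids, account names and RFC 5737 documentation addresses are constructed), counts failed logins per source and per account, and flags any source over a threshold plus any successful login that follows a burst of failures from the same source, which is the case a reviewer most wants surfaced.

```python
"""Daily review of an authentication log from a critical system.

Added example; not from the original slides. The log lines are constructed
(hostname, PIDs, accounts and RFC 5737 documentation addresses) and follow
the OpenSSH syslog line format.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of one day's sshd entries from a registrar server.
SAMPLE_LOG = """\
Dec 19 02:14:03 reg-srv sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 19 02:14:05 reg-srv sshd[4101]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Dec 19 02:14:08 reg-srv sshd[4103]: Failed password for root from 192.0.2.10 port 51240 ssh2
Dec 19 02:14:11 reg-srv sshd[4103]: Failed password for root from 192.0.2.10 port 51242 ssh2
Dec 19 02:14:15 reg-srv sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 51250 ssh2
Dec 19 02:14:19 reg-srv sshd[4107]: Failed password for jdoe from 192.0.2.10 port 51255 ssh2
Dec 19 02:14:23 reg-srv sshd[4107]: Accepted password for jdoe from 192.0.2.10 port 51255 ssh2
Dec 19 07:31:02 reg-srv sshd[5210]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Dec 19 07:31:09 reg-srv sshd[5210]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Dec 19 08:00:00 reg-srv CRON[5300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" is present when the account does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port")


def review_auth_log(lines: List[str], failure_threshold: int = 5) -> Dict[str, object]:
    """Summarise one day's sshd lines and return counts plus human-readable findings."""
    failures_by_source: Counter = Counter()
    failures_by_account: Counter = Counter()
    accepted: List[Tuple[str, str]] = []  # (account, source) for each successful login

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            account, source = m.groups()
            failures_by_source[source] += 1
            failures_by_account[account] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
        # Anything else (cron, sudo, ...) is out of scope for this report.

    findings: List[str] = []
    # Sources that crossed the failure threshold, regardless of outcome.
    for source, n in sorted(failures_by_source.items()):
        if n >= failure_threshold:
            findings.append(f"{n} failed logins from {source}: possible password guessing")
    # A success from a source that was just guessing is the item to verify first.
    for account, source in accepted:
        n = failures_by_source.get(source, 0)
        if n >= failure_threshold:
            findings.append(f"successful login for {account} from {source} after "
                            f"{n} failures: confirm with the account owner")

    return {
        "failures_by_source": dict(failures_by_source),
        "failures_by_account": dict(failures_by_account),
        "successful_logins": accepted,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG.splitlines())
    print("Failures by source:", report["failures_by_source"])
    print("Failures by account:", report["failures_by_account"])
    for f in report["findings"]:
        print("FINDING:", f)
```

In practice the same function is pointed at the previous day's rotated log from each critical system and its `findings` list is what gets read each morning; the threshold is a tuning knob, and a single failure followed by a key-based login (the `alice` lines) correctly produces no finding.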
Long-Term Opportunity: Develop Visualization Tools (continued)
Example projects/opportunities:
• Security situation awareness
• Profiling users and traffic
• Linking relationships
• Network traffic classification
• Intrusion detection
• Detecting abnormalities
For More Information
Mark D. Rasch
Managing Director – Technology
FTI Consulting
1201 Eye Street, NW
Washington, D.C. 20005
(301) 547-6925 tel
(240) 209-5344
[email protected]