it security and policy issues mark bruhn university it policy officer office of the vice president...
TRANSCRIPT
IT Security and Policy Issues
Mark Bruhn
University IT Policy Officer
Office of the Vice President for Information Technology
Indiana University
Security Issues Distributed servers, data, authentication, authority. Wireless, mobile computing. Library authentication. Administrative systems reengineering. Probes. Viruses. To firewall or not to firewall. Intrusion detection. Desktop power. “System Administrator” fuzzy. Technician training. “Dictating” standards into departments. Security Officer (or lack thereof). Security staff (or lack thereof).
Data Distribution/Server Proliferation
At our institutions, thousands of users in departments have formal authorization to extract confidential information from central databases.
At large institutions, there are 10s-of-thousands of computers that are configured to provide access to files and programs.
Servers are being managed by wide variety of individuals, from poorly trained undergraduates (“out of high school all day”) to veteran professional administrators.
Servers are being maintained in a wide variety of facilities, from small dedicated machine rooms to beneath a staff member’s desk.
Wireless/Mobile Computing
Laptop stations.Wireless zones.Current capabilities not scaleable: e.g., “CSG”
for 40 people may work, but not for 1000.Is a big VLAN enough? A bunch of VLANs?Unauthenticated accesses remain a problem. To VPN or not to VPN (yes, at IU).
Library Authentication (or not)
Differing opinions about what level of service our libraries must provide to the community.
That doesn’t matter: permitting access to the public does not mean without authentication.
University Counsel now concerned about this.Temporary credentials.
Admin System Reengineering
Peoplesoft.
Reported Probes Against All IU Systems
0
10
20
30
40
50
60
70
80
Year/Month
Reported ProbesPer Month
Viruses
0
5
10
15
20
25
30
35
1997-0
9
1997-1
1
1998-0
1
1998-0
3
1998-0
5
1998-0
7
1998-0
9
1998-1
1
1999-0
1
1999-0
3
1999-0
5
1999-0
7
1999-0
9
1999-1
1
2000-0
1
2000-0
3
2000-0
5
2000-0
7
2000-0
9
2000-1
1
2001-0
1
Year/Month
Re
po
rte
d V
iru
se
s o
n IU
Sy
ste
ms
General Technology Misuse IncidentsTotal Reported Technology Misuse Incidents Against or By IU Users
050
100150200250300350400
1997
-09
1997
-11
1998
-01
1998
-03
1998
-05
1998
-07
1998
-09
1998
-11
1999
-01
1999
-03
1999
-05
1999
-07
1999
-09
1999
-11
2000
-01
2000
-03
2000
-05
2000
-07
2000
-09
2000
-11
2001
-01
Year/Month
ReportedIncidents
Intrusions Into IU Systems
0
1
2
3
4
5
6
7
8
1997-1
0
1998-0
1
1998-0
2
1998-0
3
1998-0
4
1998-0
6
1998-0
7
1998-0
8
1998-0
9
1998-1
0
1998-1
1
1998-1
2
1999-0
1
1999-0
2
1999-0
3
1999-0
4
1999-0
5
1999-0
6
1999-0
7
1999-0
8
1999-0
9
1999-1
1
1999-1
2
2000-0
1
2000-0
2
2000-0
3
2000-0
4
2000-0
5
2000-0
7
2000-0
8
2000-0
9
2000-1
0
2000-1
1
2000-1
2
2001-0
1
2001-0
2
2001-0
3
2001-0
4
Year/Month
Breakins on IU
Systems
Breakins Per Month
Trend
Security Organization
Security Officers must be:– Technically savvy, with broad technical knowledge.– Able to cultivate trustworthy technical contacts.– Diplomats.– Negotiators.– Translators.– Able to talk others into accepting responsibility when
appropriate.– Able to relinquish responsibility when appropriate.– Reasonable when risk is low.– Hardcases when risk is high.
Organizational Issues Issues related to conflict of interest dictate that Security Officers
report to the CIO. Issues related to conflict of interest and consistency of approach
dictate that dedicated security staff report to the Security Officer.Security Officers must have the visible support of the CIO.Security Officers can be more technical and less schmoozy if
there is also a Policy Officer.Security Officers/staff should not be seen as the “police”.Security offices should be a resource for technicians. They
should be helpful and interactions should be non-contentious.The “police” role should be reserved for an Internal Audit
function or for the IT Policy Officer…
ResponsibilitiesService managers and technicians must retain primary
responsibility for security of systems.Data “owners” or “stewards” must retain responsibility for
security of data.Security Officers are responsible for adequately translating
technical vulnerabilities to risk factors for data owners.Security Officers provide security toolkits and specialized
knowledge in risk assessment. CIOs must be interested, and must have a sense of the
overall security climate of their campus. (“Sleeplessness factor”).
Mark BruhnPolicy OfficerContracts &
Agreements Officer
Jason AbelsSummer Ulrich
Alix SebestaIncident Response
Coordinator
Technical Investigators
University Information Technology Policy Office
Linda McNabb(Admin Asst)
Stacie WiegandData Administrator
Info Mgt Officer
Tammy Grubb Rose Ann HastyMelissa Silvers
Barbara HanesIUPUI Accts Coord
Chris ConklinIUB Accts Coord
Tom DavisSecurity Officer
Michael McRobbieVP/CIO
Information Technology Security
OfficeAllan StriebSasha HaywoodTerry Crowe (UIS)Milan Tasic (UIS)
Laura KleinAndrew KortyBen BoruffMarge Abels*Frank NeversSean Krulewitch
Marge AbelsDisaster
RecoveryProgram Manager
Recovery PlanningTeam
Global Directory Services
IU IT Policy Office Scope is all campuses and all departments. IT policy development, dissemination, education, and interpretation
(coordinating with many University offices and groups). Electronic information policy development and education (in
conjunction with data management committees). Coordinating response to incidents of abuse or misuse use of
information technology. Coordinating response or advising departments engaged in response
to incidents of abuse or inappropriate use of electronic information. Global Directory Services: identification, authentication,
authorization, and enterprise directories. Handles all non-security incidents, so the SO doesn’t have to.’
IU IT Security Office
Scope is all campuses and all departments. IT security awareness and education IT security guidelines and standardSecurity consulting and reviewMaintain production services in support of policy and
security operations (Kerberos, etc.) Investigate and document IT security incidentsSix security engineers/analysts located at IUB and IUPUIStaff knowledgeable in a wide range of technologies
(Unix, Windows, MVS, Networks, Encryption, etc.)
Services - Security Awareness and Education
General education and/or presentations on common security issues– http://www.itso.iu.edu/staff/ajk/
Comprehensive resource for information on security alerts, bulletins, and patches– http://www.itso.iu.edu/– https://www.itso.iu.edu/services/alerts/
Services - Security Guidelines and Standards
Function dedicated to developing and maintaining consistent security standards.
Comprehensive resource for security information, resources, etc.– http://www.itso.iu.edu/howto/
Resource for security related software– https://www.itso.iu.edu/services/– http://iuware.indiana.edu
Services - Security Consulting and Review
Assistance in reviewing specific situations and analyzing exposures.– Technical architecture diagram required– Data flow diagram beneficial
Requires departments and technicians to have a better understanding of their environment.
Services - Production Services
Security scanning in support of system administrators and audit activities– https://www.itso.iu.edu/scanner/
Central Kerberos authentication serversCentral SafeWord token authentication
servers
Services - IT Security Incidents
Assistance in coordinating appropriate technical investigation of security breaches.
Assistance in packaging technical security information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.
Common and consistent incident response.
Top 10 Security Mistakes(Tom Davis, IU ITSO)
1. Installing unnecessary programs and services.2. Not keeping current on software patches,
especially security related ones.3. Not installing anti-virus software and keeping its
virus patterns current.4. Opening e-mail attachments from unknown
people.5. Bringing up lab (test) machines and forgetting
about them.
Top 10 Security Mistakes (continued)
6. Lack of adequate training to administer the system.
7. Inadequate handling of sensitive data (gathering more than what they need, keying files off of SSN, etc.)
8. Not deploying encryption where available.9. Propagating virus hoax and chain mail.10. Sharing passwords.
Trustees ResolutionRESOLUTION
WHEREAS, the advent of the Internet has significantly transformed the manner in which information is stored on interconnected servers throughout the world; and
WHEREAS, the Internet is an information technology environment in which it is possible to have inadvertent or intentional unauthorized access to Internet sites and related servers; and
WHEREAS, successful intrusions into Internet sites and servers can lead to the disclosure of sensitive personal and institutional information; and
WHEREAS, it is critical that Indiana University protect its institutional information and information technology infrastructure so as to reduce the possibility of unauthorized access to servers holding sensitive information or running mission-critical applications.
NOW THEREFORE BE IT RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO to develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and
BE IT FURTHER RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO, which may draw upon the experience and expertise and resources of other University offices (including the Office of Internal Audit), to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
(Passed by the Indiana University Board of Trustees, 4 May, 2001)