H. Morrow Long
Director, Information Security Office
ITS, Yale University
NERCOMP 2003 Annual Conference
Higher Education Contribution to the National Strategy to Secure Cyberspace
Copyright Statement
Copyright Educause/Internet2 Security Task Force 2003.
This work is the intellectual property of the Educause/Internet2 Security Task Force.
Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the Educause/Internet2 Security Task Force.
NERCOMP Annual Conference:
Higher Education Contribution to the National Strategy to Secure Cyberspace
History: Information Security Problems in Higher Ed
Background: The Internet 1988-1998
Recent Events and Case Studies
Educause Information Security Activities
Working Group 2000-2002
Educause/I2 Security Task Force 2002
NSF Sponsored Workshops 2002
National Strategy To Secure Cyberspace
AN-MSI
Educause Information Security Initiatives in 2003
REN-ISAC
Internet Security History & HE IT
1986 – Major NSF funding for national backbone & regional supercomputer centers
1988 – Robert Morris & the Internet Worm
1988 – Creation of CERT at CMU
1989 – The Cornell Commission report
1989 – Clifford Stoll’s The Cuckoo’s Egg
1991 – CIX, commercial use, & Gopher
Internet History, cont’d
1993 – Mosaic browser released by UIUC
1993-4 ISP Sniffing attacks (PANIX, NearNet)
1994-5 Kevin Mitnick demos TCP Hijacking.
1995 – National backbone privatized
1995 – SATAN released by Farmer & Venema
1996 – PANIX, Internet Chess Server, and other web sites shut down by SYN attacks.
1996 – Internet 2 consortium formed
2000-2001 Academic InfoSec
Feb – Distributed Denial of Service (DDoS) attacks bring down key .COM sites; university sites implicated (UC Davis, UCLA, Stanford, etc.)
June – SANS Top Ten list released.
June-July – Univ. of Washington Medical Center intrusion. 4000 medical records involved. No firewall protecting server.
Feb 2001 – Indiana University Bursar server with anon FTP enabled and student records.
March – 40+ E-Commerce NT/IIS servers hacked from E. Europe. Credit card #s. FBI NIPC alert.
Higher Education Computer Security 2000-2003
Hacker Steals Personal Data on Foreign Students at U. of Kansas (Chronicle of Higher Education, 1/24/2003)
UMBC students’ data put on Web in error (Baltimore Sun, 12/7/2002)
Why Was Princeton Snooping in Yale’s Web Site? (Chronicle of Higher Education, 8/9/2002)
Delaware Student Allegedly Changed Her Grades Online (Chronicle of Higher Education, 8/2/2002)
. . . 2000-2003
Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges (Chronicle of Higher Education, 6/20/2002)
Hacker exposes financial information at Georgia Tech (ComputerWorld, 3/18/2002)
College Reveals Students’ Social Security Numbers (Chronicle of Higher Education, 2/22/2002)
Hackers Use University’s Mail Server to Send Pornographic Messages (Chronicle of Higher Education, 8/10/2001)
. . . 2000-2003
Review to ensure University of Montana Web security (Montana Kaimin, 11/14/2001)
‘Code Red’ Worms Linger (Chronicle of Higher Education, 9/14/2001)
Students Fault Indiana for Delay in Telling Them About Stolen Files (Chronicle of Higher Education, 3/16/2001)
. . . 2000-2003
[UWashington] Hospital records hacked hard (SecurityFocus.com, 7/12/2000)
3 Universities in California Find Themselves Linked to Hacker Attacks (Chronicle of Higher Education, 2/25/2000)
Hackers Attack Thousands of Computers on at Least 25 U.S. Campuses (Chronicle of Higher Education, 3/13/1998)
UT Austin: 55,000 SSNs and Personal Records ‘data mined’ by intruder
Princeton University:
2001-2003 Worms
2001: CodeRed, CodeRed II, NIMDA Worms
2002: “Slapper” (A/B/C) Apache OpenSSL Worm
2003: SQL Slammer / Sapphire Worm
The Current Situation
The Internet is a world-wide, increasingly mission-critical infrastructure
Internet’s underlying structure, protocols, & governance are still primarily open
Many vendors ship systems w/ insecure configs (NT, Linux, W2K, Unixes, IIS)
Massive CPU power & bandwidth available to crackers as well as scientists, e-commerce
Many college & university networks are insecure
Information Security in HE
Research universities: deployment of workstations & servers by researchers whose talents are usually focused elsewhere
Smaller institutions: dearth of tech skills
Dorm networking: little adult supervision
Too few security experts; weak tools; most institutions have no InfoSec office.
Few policies regarding systems security
Information Security in US HE
3500+ Colleges and Universities
> 1000 Community colleges
< 100 major research universities
125+ University Medical Schools
400 Teaching Hospitals
150+ Institutional members of Internet2
Targets of Opportunity on US HE Computer Networks
Sensitive Data
Credit Card #s, ACH (NACHA) bank #s
patient records (SSN)
student records (SSN)
institution financial records
Investment records
donor records
research data
Why US HE Computer Networks are attractive targets
Platforms for launching attacks
Wired dorms (insecure Linux PCs, PC Trojans)
High bandwidth Internet (Fract T3, T3, T3+)
High computing capacity (scientific computing clusters, even web servers, etc.).
“Open” network security environment (no firewalls or only “light” filtering routers on many high bandwidth WANs and LANs)
Trust relationships between departments at various Universities for research (e.g. Physics)
Univ research lab computers are often insecure and unmanaged.
Unique Challenges to implementing Information Security in Higher Ed
Academic “Culture” and tradition of open and free networking
Lack of control over users
Decentralization (no mainframe anymore)
Lack of financial resources
Creative Network Anarchy – anyone can attach anything to the network
IT has not always been central to institutional mission -- changing attitudes and getting “buy in” requires politics and leadership.
What should US HE IT be doing W.R.T. Information Security
Investigating network security methods.
Investigating strong authentication methods (e.g. smart cards, tokens).
Evaluating “best practices” in:
Higher Education
Corporations
Government
Military
Developing common recommended policies.
Trends in Academic InfoSec
E-Commerce sites threaten litigation against future DDoS sites. Liability for negligence?
Insurance companies begin to rewrite liability policies, separate ‘cyber’ policies to require info security vulnerability assessments & changes.
Funding agencies to require firewalls, security?
HIPAA is a “forcing function” in academic Medical Centers.
FERPA, COPPA, DMCA, Privacy legislation.
If HE InfoSec doesn’t improve, will more federal legislation be far behind?
InfoSec Trends Elsewhere
Some of the K-12 school system networks are the only sites (in the US) which have worse network and system security than .EDU sites.
Information security at State gov. agencies and municipal governments is a mixed bag.
Outside US some academic institutions are more tightly controlled (e.g. Internet access is severely restricted), some not.
InfoSec Trends Elsewhere
.MIL sites take steps to secure data and servers (Mac web servers, data isolation/classification). Broke initial ground in IDS (Intrusion Detection Systems).
.GOV – NIST has released draft guidelines/recommendations for info security to be implemented at Federal Government agencies.
InfoSec Trends Elsewhere
.COM sites – Some web sites have poor security (even those outsourced), some (e.g. financial) strive to be state of the art.
Insurance/auditors requiring security assessments for policies.
BS 7799 / ISO/IEC 17799-1 InfoSec Mgt stds
CISSP / CISA / SANS GIAC / Vendor (Microsoft/Cisco/Checkpoint) certifications of Information Security personnel
Corporate InfoSec Trends, (relatively rare in US HE)
Firewalls, proxies, user access control
Network monitoring, bandwidth management
Extensive logging, logfile analysis
IDS – Intrusion Detection Systems
VPNs (Virtual Private Networks): PPTP, L2TP, IPSEC
Strong Authentication – PKI, Smartcards
Vulnerability scanning (internal, external)
Change Control / Management
Managed Security Services (e.g. outsourced)
Why should higher ed care?
Improperly secured computers and networks present considerable institutional risk and can impact ability to achieve mission
Improperly secured college and university IT environments can cause harm to third parties, including gov’t and industry, and create liability
Higher Ed and Cybersecurity
Education and Training
Centers of Academic Excellence
Professional Training and Certification
Research and Development
Cyberinfrastructure
Basic and Applied Research
Securing Our Corner of Cyberspace!
GAO Designates Computer Security a High Risk
Significant, pervasive information security weaknesses continue to put critical federal operations and assets at high risk. Among other reasons for designating cyber critical infrastructure protection high risk is that terrorist groups and others have stated their intentions of attacking our critical infrastructures, and failing to adequately protect these infrastructures could adversely affect our national security, national economic security, and/or national public health and safety.
GAO Report to Congress on Protecting Information Systems Supporting the Federal Government and the Nation’s Critical Infrastructures (January 2003)
Security Task Force
Formed Summer 2000
Respond to charges that higher education is lax and dangerous
Threat of blunt-edged regulations
Co-chairs, Steering Committee
Web page, Listservs, Conferences
Staff – EDUCAUSE/Internet2
Cybersecurity – Post Sept. 11th
Executive Order 13231 – October 2001
Created the President’s Critical Infrastructure Protection Board (PCIPB)
Critical Infrastructure: those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
USA PATRIOT Act
EDUCAUSE/I2 Security TF Initiatives
Education/Awareness – Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
“Best” Practices Security Recommendations – Booklet to be published with Security Policies, Assessment, chapters, etc.
Assembling resources/licensing tools – Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
Federal (NSF) grant proposal funded meetings in 2002. Reports.
REN-ISAC - http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
National Strategy to Secure Cyberspace Higher Ed Contribution http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
Letter on Cybersecurity to University Presidents. http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards). E.g. w/HE IT Alliance, “A Framework for Action” April 2002
EDUCAUSE/I2 Security TF Initiatives
Education/Awareness –
Speakers; Developing or obtaining high quality seminar materials; AN-MSI information security tutorials (e.g. CA Native American C.C.), SPW Conference and tracks at conferences.
EDUCAUSE/I2 Security TF Initiatives
“Best” Practices Security Recommendations –
Booklet to be published with Security Policies, Assessment, chapters, etc.
EDUCAUSE/I2 Security TF Initiatives
Assembling resources/licensing tools –
Vulnerability Scanners (commercial and non-commercial), DDoS zombie detectors, patch tools, potential group purchase discounts. Website, lists, etc.
EDUCAUSE/I2 Security TF Initiatives
Federal (NSF) grant proposal funded meetings in 2002.
Reports on findings.
NSF Workshops
A More Complete Response to National Strategy
Experts on academic values
Experts on practices and policies
Research scientists who use the networks
Summit including all stakeholders
Foundation for Future Activities
Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility
Action Agenda
1. Identify Responsibilities for IT security, Establish Authority, and Hold Accountable
2. Designate an IT Security Officer
3. Conduct Institutional Risk Assessments
4. Increase Awareness and Provide Training to Users and IT staff
5. Develop IT Security Policies, Procedures, and Standards
Action Agenda (cont’d)
6. Require Secure Products From Vendors
7. Establish Collaboration and Information Sharing Mechanisms
8. Design, Develop, and Deploy Secure Communication and Information Systems
9. Use Tools: Scan, Intrusion Detection Systems, Anti-Virus Software, etc.
10. Invest in Staff and Tools
EDUCAUSE/I2 Security TF Initiatives
REN-ISAC –
http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
EDUCAUSE/I2 Security TF Initiatives
National Strategy to Secure Cyberspace Higher Ed Contribution
http://archives.internet2.edu/guest/archives/I2-NEWS/log200302/msg00006.html
National Strategy to Secure Cyberspace
Draft announced September 18
See www.securecyberspace.gov
Includes higher ed contribution
National, not a government, strategy
Secure your own piece of cyberspace
Market driven, not regulatory
Best practice, information sharing
Final Strategy Release – TBD
Higher Education Contribution
Higher Education Interests:
Teach security
Invent technology
Powerful networks and computers
Higher Education Contribution to National Strategy to Secure Cyberspace (July 2002)
See www.educause.edu/security/national-strategy
Framework for Action (April 2002)
See security.internet2.edu/ActionStatement.pdf
EDUCAUSE/I2 Security TF Initiatives
Letter on Cybersecurity to University Presidents.
http://www.acenet.edu/washington/letters/2003/03march/cyber.cfm
What Every President Must Do
Ensure the confidentiality, integrity, and availability of University assets and information
Manage risk by reducing vulnerabilities, avoiding threats, and minimizing impact
Empower CIOs, IT Security Officers, and other staff to invoke best practice and employ effective solutions
Security: Negative Deliverable
Security is a negative deliverable. You don’t know when you have it. You only know when you’ve lost it.
Jeffrey I. Schiller, MIT’s Security Architect
EDUCAUSE/I2 Security TF Initiatives
Coordination with Federal (e.g. granting) Agencies, CERT, SANS, CIS, ALA regarding legislation and regulation (regarding info security standards).
E.g. w/HE IT Alliance, “A Framework for Action” April 2002
Framework for Action
Make IT Security a higher and more visible priority in higher education
Do a better job with existing security tools, including revision of institutional policies
Design, develop and deploy improved security for future research and education networks
Raise the level of security collaboration among higher education, industry and government
Integrate higher education work on security into the broader national effort to strengthen critical infrastructure
EDUCAUSE/I2 Security TF Initiatives
“Standards.” (A poem).
Standards are good.
Standards are true.
There are many to choose from-
If you don’t pick a standard,
one will be chosen for you.
How You Can Participate
Welcome: info security officers, network & systems experts, policy specialists, attorneys, vendors, -- even CIOs!
Meetings, email, website one going up, white papers
<http://www.educause.edu/security>
Security Professionals Workshop (SPW): 4/21-22 2003, Pechanga Resort & Casino
Regional Educause Conferences (such as this one).
Educause 2003 Annual Conference: Information Security related Track
November 4-7, 2003, Anaheim, CA
http://www.educause.edu/conference/annual/2003/
Security Professionals Workshop (SPW)
EDUCAUSE/Internet2 Security Task Force
1st Annual Higher Ed Security Professionals Workshop
Pechanga Resort and Casino, Temecula CA
April 22-23, 2003 (1.5 days)
Preceding the 1st Annual Secure-IT Conference sponsored by California State University at San Bernardino
Registration: $100 ($125 after 3/24)
Audience: CISOs, IT Security and Policy Directors and Officers, Network Security Engineers and System Administrators.
SPW Agenda
Keynote: Information Assurance and IT Security Professionals in Higher Education
Session: A 10-Step Approach to Developing an Information Security Program
Session: Creating a Security Architecture
Session: Using Open Source Tools
Session: Creating an Incident Response Team
Session: Best Practices for User Education
BOFs (Birds of a Feather Sessions)
Keynote: Legal Issues in Computer and Network Security
Session: Security Policies and Procedures Panel
Session: "Ask the Experts" Panel
Security Task Force Conference
EDUCAUSE/Internet2 Security Task Force
1st Annual Higher Ed Security Professionals Workshop
Questions?
Security Task Force Resources
EDUCAUSE/Internet2 Security Working Group (http://www.educause.edu/security/)
1st Annual Higher Ed Security Professionals Workshop
Pechanga Resort and Casino, Temecula CA
April 22-23, 2003
http://www.educause.edu/conference/security/2003/
Contact Info: [email protected]
202.872.4200