CyberSecurity - Linda Sharp

SchoolDude University 2009 Cyber Security Linda Sharp CoSN Cyber Security Project Director

Upload: schooldude-editors

Post on 20-Nov-2014

Page 1: CyberSecurity - Linda Sharp

SchoolDude University 2009

Cyber Security

Linda Sharp

CoSN Cyber Security Project Director

Page 2: CyberSecurity - Linda Sharp

Understanding the Issues

Four Reasons to Pay Attention to K-12 Network Security

1. Protect data
2. Prevent misuse of resources
3. Prevent interruption of operations (Protecting the Core Mission: Learning)
4. Keep kids safe

Page 3: CyberSecurity - Linda Sharp

Reliance on Technology

• For instructional activities
• For business operations
• For student data and recordkeeping
• For assessment and accountability
• For internal and external communication

Other areas of reliance in your schools?

Page 4: CyberSecurity - Linda Sharp

The Evolution of Intent: From Hobbyists to Professionals

[Figure: threat severity (vertical axis) over time (horizontal axis: 1990, 1995, 2000, 2005, 2007, "What's next?"). Stages shown: "Testing the Waters: Basic Intrusions and Viruses"; "Fame: Viruses and Malware"; "Financial: Theft & Damage". Caption: Threats becoming increasingly difficult to detect and mitigate.]

Page 5: CyberSecurity - Linda Sharp

Financial Impact

• 2004 – Cyber Attack impact in business was $226 billion

• 2008 – One of top 4 US priority security issues.

• Cyber Crime has overtaken drugs for financial impact.

Page 6: CyberSecurity - Linda Sharp

Legal Impact

• FERPA
• CIPA
• HIPAA
• COPA
• FRCP 34

Page 7: CyberSecurity - Linda Sharp

Legal Impact

• Data
  – Personal, Private, Sensitive Information
• Information Sharing
  – Internal
  – External
• Backup/Restore
  – Where and how

Page 8: CyberSecurity - Linda Sharp

Legal Impact

• Acceptable Use Policies (AUP)
  – Who should sign AUP?
  – What should be included?
    • Internet usage
    • Data protection and privacy
    • Rules/regulations
    • Consequences

Page 9: CyberSecurity - Linda Sharp

Safety vs. Security

• Safety: Individual behavior

• Security: An organizational responsibility

Page 10: CyberSecurity - Linda Sharp

Five Guiding Questions

• What needs to be protected?

Page 11: CyberSecurity - Linda Sharp

Five Guiding Questions

• What needs to be protected?
• What are our weaknesses?

Page 12: CyberSecurity - Linda Sharp

Five Guiding Questions

• What needs to be protected?
• What are our weaknesses?
• What are we protecting against?

Page 13: CyberSecurity - Linda Sharp

Five Guiding Questions

• What needs to be protected?
• What are our weaknesses?
• What are we protecting against?
• What happens if protection fails?

Page 14: CyberSecurity - Linda Sharp

Five Guiding Questions

• What needs to be protected?
• What are our weaknesses?
• What are we protecting against?
• What happens if protection fails?
• What can we do to eliminate vulnerabilities and threats and reduce impacts?

Page 15: CyberSecurity - Linda Sharp

Three Strategic Areas

People

Policy

Technology

Page 16: CyberSecurity - Linda Sharp

Three Action Themes

Prevention

Monitoring

Maintenance

Page 17: CyberSecurity - Linda Sharp

Questions to Ask

• Do we have a security plan?

Page 18: CyberSecurity - Linda Sharp

Questions to Ask

• Do we have adequate security and privacy policies in place?
  – District Security Rules
  – Legal Review
  – External Controls

Page 19: CyberSecurity - Linda Sharp

Questions to Ask

• Are our network security procedures and tools up to date?
  – Hardware
  – Software
  – Monitoring

Page 20: CyberSecurity - Linda Sharp

Questions to Ask

• Is our network perimeter secured against intrusion?
  – Design
  – Laptops
  – Wireless Security
  – Passwords

Page 21: CyberSecurity - Linda Sharp

Questions to Ask

• Is our network physically secure?
  – Environmental Hazards
  – Physical Security

Page 22: CyberSecurity - Linda Sharp

Questions to Ask

• Have we made our users part of the solution?
  – Awareness
  – Training
  – Communications

Page 23: CyberSecurity - Linda Sharp

Questions to Ask

• Are we prepared to survive a security crisis?
  – Backups
  – Redundant Systems
  – Communications Plan
  – Preparedness

Page 24: CyberSecurity - Linda Sharp

Security Planning Protocol

Phase 1: Create Leadership Team & Set Security Goals
Outcome: Security Project Description (goals, processes, resources, decision-making standards)

Phase 2: Risk Analysis
Outcome: Prioritized Risk Assessment. A ranked list of vulnerabilities to guide the Risk Reduction Phase

Phase 3: Risk Reduction
Outcome: Implemented Security Plan. Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness

Phase 4: Crisis Management
Outcome: Crisis Management Plan. A blueprint for organizational continuity

Page 25: CyberSecurity - Linda Sharp

Leadership Team

• Create Leadership Team and Set Security Goals
• Purpose: Clarify IT’s role in district mission
• Scope: Set boundaries and budgets
• Values: Define internal expectations and external requirements for security

Page 26: CyberSecurity - Linda Sharp

Leadership Team

Leadership Team Personnel
• IT Leadership
• Administrators – district and building
• Legal counsel
• Human resources
• Public relations representative
• Teachers

Page 27: CyberSecurity - Linda Sharp

District Security Checklist

• Self Assessment Checklist

Page 28: CyberSecurity - Linda Sharp

Risk Analysis

• What’s at risk?
• Vulnerabilities and Threats
  – Identify impacts to
    » System
    » People
    » IT organizational issues
    » Physical plant
• Stress Test

Page 29: CyberSecurity - Linda Sharp

Security Planning Grid

| Security Area | Basic | Developing | Adequate | Advanced |
|---|---|---|---|---|
| Management (Leadership) | Little participation in IT security | Aware but little support provided | Supports and funds security | Aligns security with organizational mission |
| Technology (Network design and IT operations) | Broadly vulnerable | Security roll out is incomplete | Mostly secure | Seamless security |
| Environmental & Physical (Infrastructure) | Not secure | Partially secure | Mostly secure | Secure |
| End Users (Stakeholders) | Unaware of role in security | Limited awareness and training | Improved awareness, mostly trained | Proactive participants in security |

Page 30: CyberSecurity - Linda Sharp

Security Planning Grid

• Provides benchmarks for assessing key security preparedness factors

• Uses the same topic areas for consistency

• Helps prioritize security improvement action steps

Page 31: CyberSecurity - Linda Sharp

Planning Security Grid

• Prioritize solutions

• Action plan

• Revise SOP

Page 32: CyberSecurity - Linda Sharp

Plan, Test, Plan, Test…..

– Scenario: "Despite our best intentions..."

• Financial system backups stored within a vault below ground
• Vault walls are constructed of cinderblocks
• Fire destroys the building
• Very cool to the touch
  -- vault becomes sauna, backup tapes destroyed

Page 33: CyberSecurity - Linda Sharp

Plan, Test, Plan, Test…..

XXXXX School District

• Monday, February 11, 2008
• Break-In at XXX. in XXX, CA
• "Smash and Grab" -- 1 computer stolen
• One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts

Page 34: CyberSecurity - Linda Sharp

Plan, Test, Plan, Test…..

• Decision to notify and "how to respond?"

• Notification authority rests with the Superintendent

• Elected to follow aggressive path of notification and openness

• E-Mails, letters, contact person, Website (blog)

Page 35: CyberSecurity - Linda Sharp

The worst case scenario . . .

NO PLAN!

Page 36: CyberSecurity - Linda Sharp

Questions and Comments?

Page 37: CyberSecurity - Linda Sharp

www.securedistrict.org

www.cosn.org

Page 38: CyberSecurity - Linda Sharp

Thank you Sponsors

Page 39: CyberSecurity - Linda Sharp

Linda Sharp

CoSN Project Manager

Cyber Security

IT Crisis Preparedness

[email protected]