Joint Universities Computer Centre Limited (“JUCC”) Information Security Awareness Training- Session Two Information Security in Universities


Page 1

Joint Universities Computer Centre Limited (“JUCC”) Information Security Awareness Training

Session Two: Information Security in Universities

Page 2

Agenda

• Information Security Management in Universities
  • Recent Information Security Incidents
  • Information Security Risk Management
  • Information Assets in Universities
  • Information Security Risk Assessment
  • Information Security Controls
  • Information Security Awareness
• Case Study: IT Outsourcing

Page 3

Recent Information Security Incidents

Hackers target leading climate research unit

The e-mail system of one of the world's leading climate research units has been breached by hackers. E-mails reportedly from the University of East Anglia's Climatic Research Unit (CRU), including personal exchanges, appeared on the internet on Thursday. A university spokesman confirmed the email system had been hacked and that information was taken and published without permission. Mr Cluley added that universities were vulnerable to attacks by hackers because so many people required access to IT systems.

Source: BBC Nov 20, 2009

Computer data breach at EIU investigated

CHARLESTON -- An investigation into a breach of computer security at Eastern Illinois University has not yet determined if personal data was stolen from a list of about 9,000 people, a university official said Friday. Eastern has mailed letters to 9,000 former, prospective and current undergraduate students regarding the breach of files that contain personal information. … “A machine was compromised by a virus so we don’t believe it was a targeted attack against the university data system,” said Adam Dodge, assistant director of information security for Eastern Information Technology Services. That caused the university’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server.

Source: Journal Gazette Times-Courier Dec 04, 2009

Recent Information Security Incidents in Universities

• Personal data is always valuable to hackers.
• User access rights are difficult to manage in universities.
• Viruses are a key threat to universities because access to the internet cannot be controlled, mainly because of academic freedom.

Page 4

Recent Information Security Incidents

UC Berkeley computers hacked, 160,000 at risk

Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday. At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.

Source: BBC Nov 20, 2009

Hacking incident on J-school Web server triggers notices to affected applicants

BERKELEY — University of California, Berkeley, officials announced today (Tuesday, Aug. 11) that the campus will be notifying approximately 490 individuals of a computer security incident involving the Graduate School of Journalism. Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. Although there is no evidence that the intruder stole or even viewed information from the database containing the Social Security numbers, it is possible that such action could have occurred, campus computer security experts said. Consequently, UC Berkeley decided to err on the side of caution and notify the 493 student applicants of the incident. Letters are being sent out this week from the journalism school.

Source: Journal Gazette Times-Courier Dec 04, 2009

Recent Information Security Incidents in Universities

• Health services hold a massive amount of personal information, which is easily overlooked.
• Hackers tend to attack universities because they know the security is weak.

Page 5

Recent Information Security Incidents

Statistics from the Technology Crime Division of the HK Police:

| Title of Offence | 2000 | 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 |
|---|---|---|---|---|---|---|---|---|---|
| Unauthorised Access to Computer by Telecommunication | 275 | 33 | 26 | 47 | 11 | 8 | 6 | 6 | 7 |
| Access to Computer with Criminal or Dishonest Intent | 0 | 81 | 138 | 356 | 329 | 441 | 471 | 333 | 277 |
| Criminal Damage | 15 | 27 | 16 | 16 | 11 | 6 | 5 | 4 | 3 |
| Obtaining Property by Deception | 29 | 32 | 45 | 86 | 105 | 145 | 193 | 215 | 387 |
| Obtaining Services by Deception | 0 | 33 | 19 | 17 | 15 | 9 | 12 | 8 | 5 |
| Thefts (E-banking related) | 0 | 8 | 6 | 8 | 19 | 3 | 0 | 1 | 2 |
| Others | 49 | 21 | 22 | 58 | 70 | 41 | 54 | 67 | 110 |
| Total | 368 | 235 | 272 | 588 | 560 | 653 | 741 | 634 | 791 |

Source: http://www.police.gov.hk/hkp-home/english/tcd/overview.htm, Jan 2010

Page 6

Recent Information Security Incidents

Why Universities?

• Hacking for challenge/fun (external and student hackers; professionals and script kiddies)
• The scale of universities helps create noise in the community (reputation attack)
• Universities’ computers are great candidates for zombie machines
• Relatively weak security perimeter
• Enormous amounts of personal information
• Valuable research data

There is always a motivation…

[Chart: statistics on data leakage incidents]

Page 7

Information Security Risk Management

[Diagram: a cycle of four stages] Identify Information Assets → Risk Assessment → Security Control → Security Awareness

Page 8

Information Assets in Universities

Information Asset: a definable piece of information, stored in any form, that has value to the organisation.

Personal Information
• Student records
• Employee records
• Payroll information

Academic Information
• Student grade information
• Research data
• University policies
• Confidential data obtained from third parties

“Information security is all about protecting the CIA of information assets”

Page 9

Information Assets in Universities

More information assets…
• University web sites
• Software and applications
• Computer servers and terminals
• Network and network devices
• IT service providers of outsourced services


Page 10

Information Assets in Universities

Threats to the Information Asset

Page 11

Information Assets in Universities

Threats to the Information Asset

Threats:
• Deliberate actions by people: inside your organisation; outside your organisation (e.g. hackers’ attack)
• Accidental actions by people: inside your organisation; outside your organisation (e.g. dumping students’ personal data into a rubbish bin)
• System problems: hardware; software; malicious code; other (e.g. computer virus)
• Other events: power cut; telecommunications failure; natural disaster; other

Outcomes:
• Disclosure of the asset
• Modification of the asset
• Destruction or loss of the asset, the hardware it resides upon, or the software that interacts with it
• Interruption of access to the asset

Threats → Outcomes → Financial and Reputation Loss

Page 12

Identification of Information Assets: Process

Step 1: Identify the boundaries of what is to be protected
  Considerations: nature (location, assets and technology); types of information that are sensitive and confidential

Step 2: Identify the information assets and the media/systems in which they are handled
  Considerations: users given access to the information; how that information is provided

Step 3: Identify relationships between the assets/media/systems and the organisational objectives
  Considerations: organisational objectives; how they are affected by information assets

Step 4: Identify those critical to organisational objectives
  Considerations: likelihood and impact of the information assets affecting the organisational objectives

Example: students’ personal data
• Students’ phone numbers stored on individuals’ PCs
• Objective: compliance with personal data protection
• What will happen if there is a security breach to the C, I or A of this data?

Page 13

Information Security Risk Assessment

Risk Assessment: assignment of value for potential harm/loss.

Quantitative ($):
• Asset Valuation (AV), Exposure Factor (EF)
• Single Loss Expectancy (SLE), Annualised Rate of Occurrence (ARO)
• Annualised Loss Expectancy (ALE)

SLE = AV x EF
ALE = SLE x ARO

Qualitative: rating scale 5 4 3 2 1

Page 14

Information Security Risk Assessment

Risk Assessment Example

| Asset | Asset Valuation | Vulnerabilities & Threats | Impact | Occurrence | ALE |
|---|---|---|---|---|---|
| University Website | Loss of productivity; cost of information; cost of rebuilding services… = $30,000 | Vulnerabilities: outdated patch, unnecessary services… Threats: unauthorised intrusion; defacement… | Unavailability of website and student portal; EF = 40% | ARO = 2 / year | = AV x EF x ARO = $30,000 x 40% x 2 = $24,000 |

Qualitative scores: 2, 3, 3, 1; Avg. = 2.3

Quantitative: how much to pay for a countermeasure?
Qualitative: how to prioritise for resource allocation?

Page 15

Information Security Risk Assessment

[Chart: cost of security control versus potential loss]
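An added worked example, not part of the JUCC slides: it carries the SLE/ALE formulas through the University Website figures of the previous slide, then compares the annual cost of a hypothetical countermeasure against the loss it avoids (the cost-versus-potential-loss trade-off) and averages qualitative scores for prioritisation. The two extra register entries and the $10,000 control cost are constructed for illustration.

```python
"""Quantitative and qualitative risk assessment, as presented in the slides.

SLE = AV x EF, ALE = SLE x ARO; a control is worth buying when the ALE it
removes exceeds its own annual cost. Qualitative scores (1 low .. 5 high)
are averaged to prioritise resource allocation.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def round_half_up(value: float, places: int = 1) -> float:
    """Round the way the slide does (2.25 -> 2.3), not round-half-to-even."""
    scale = 10 ** places
    return int(value * scale + 0.5) / scale


@dataclass
class Risk:
    asset: str
    asset_value: float             # AV, in dollars
    exposure_factor: float         # EF, fraction of AV lost per incident (0..1)
    aro: float                     # ARO, expected incidents per year
    qualitative_scores: list[int] = field(default_factory=list)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro

    def qualitative_rating(self) -> float:
        """Average of the assessors' 1..5 scores, to one decimal place."""
        if not self.qualitative_scores:
            raise ValueError("no qualitative scores recorded for " + self.asset)
        return round_half_up(sum(self.qualitative_scores) / len(self.qualitative_scores))


def countermeasure_net_benefit(risk: Risk, annual_cost: float, residual_aro: float) -> float:
    """ALE avoided by a control minus its annual cost; positive means it pays off.

    Assumes the control only lowers the rate of occurrence (ARO); AV and EF are unchanged.
    """
    residual = Risk(risk.asset, risk.asset_value, risk.exposure_factor, residual_aro)
    return (risk.ale() - residual.ale()) - annual_cost


def prioritise(risks: list[Risk]) -> list[str]:
    """Qualitative prioritisation: highest average score first."""
    ranked = sorted(risks, key=lambda r: r.qualitative_rating(), reverse=True)
    return [r.asset for r in ranked]


# University Website figures are the slide's worked example; the other two
# entries and the control cost below are constructed for illustration.
WEBSITE = Risk("University Website", 30_000, 0.40, 2, [2, 3, 3, 1])
REGISTER = [
    WEBSITE,
    Risk("Student records database", 250_000, 0.60, 0.5, [5, 4, 5, 4]),
    Risk("Staff laptops", 5_000, 1.00, 3, [3, 2, 3, 3]),
]

if __name__ == "__main__":
    print(f"SLE = ${WEBSITE.sle():,.0f}; ALE = ${WEBSITE.ale():,.0f}")
    # Hypothetical patch-management service costing $10,000/year that halves the ARO.
    print(f"Net benefit of control: ${countermeasure_net_benefit(WEBSITE, 10_000, 1):,.0f}")
    print("Priority order:", prioritise(REGISTER))
```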

Page 16

Areas of Information Security Risk in Universities

| Category | Examples of Risk | Recommendations |
|---|---|---|
| Information Handling | Lack of information classification; sensitive information being disclosed to the public | Establish information classification and handling procedures; raise user awareness |
| Logical Access | Shared accounts; weak password settings; abuse of super user accounts | Implement strong password policies and configurations; restrictions and policy on the use of privileged/administrator accounts; promotion of user awareness on the concept of accountability |
| Network Security | External/internal threats (e.g. hacking, denial of service, viruses, malware); wireless network sniffing | Segregate the network into different segments; installation of devices such as firewall and Intrusion Detection System; periodic firewall log review; installation of virus and spyware detection systems; perform periodic scanning on network and computers |
| Outsourcing | Compliance risk; lack of security controls in third party services | Non-disclosure agreement; include clauses regarding security requirements in the SLA |

Page 17

Areas of Information Security Risk in Universities

| Category | Examples of Risk | Recommendations |
|---|---|---|
| User Account Access / Administration | Excess access rights granted | User access review; classify data and create data ownership; segregation of duties |
| Physical Security | Loss of portable devices; decentralised location of computer servers; stealing of hardware; vandalism | Portable device encryption; security guards; swipe card/biometrically controlled access points; access control lists; perimeter controls |
| Incident Management | Errors overlooked or not resolved on a timely basis; lack of accountability | Escalation procedures; investigation procedures; defined roles and responsibilities |
| Information Security Awareness | Social engineering; difficulties in promoting security awareness to academic staff and students | Regular information security awareness training; management commitment in building a good security culture |

Page 18

Information Security Controls

[Diagram: the Information Security Triad (Confidentiality, Integrity, Availability) protected by three layers of controls (Procedures, People, Physical) resting on the Foundation of Hardware, Network and Software]

Page 19

Information Security Controls

Procedures, People, Physical (Foundation)

General Users:
• Are your thumb-drives secured?
• Do you keep your office door locked at all times?
• Are you aware of your role?
• Do you know about YOUR information?
• Do you know what to do when there is a security incident?
• Do you know the “POLICY”?

IT Professionals:
• Is the data centre secured?
• Do you have sufficient offsite backups?
• Are there security professionals in the team?
• Are the users well trained?
• Are the policies/procedures up-to-date?
• How do you communicate them to the users?

Page 20

Information Security Controls

Types of Information Security Controls

By nature: Administrative, Logical, Physical

By function:
• Detective: know when it occurs
• Corrective: rectify when it occurs
• Preventive: avoid its occurrence

Limitations:
• No 100% assurance
• Breakdown, e.g. misunderstanding/mistake
• Involve human judgement
• Management override
• Collusion

Page 21

Sample Information Security Controls

| | Detective | Corrective | Preventive |
|---|---|---|---|
| Administrative | Rotation of duties; management review of data, configuration, procedures and routines; risk management; IT audit, control evaluation | Business continuity plan; disaster recovery plan | Separation of duties; security training; well communicated security policy; user account administration |
| Logical | Network Intrusion Detection System; system logs; system integrity check | Network Intrusion Prevention System; anti-virus software | Access control; data encryption (storage and in-transit); authentication; anti-virus software |
| Physical | Cameras & alarms; security guards; regular asset count | Emergency power supply | Physical access control (e.g. swipe cards, biometric locks) to computer facilities; environment controls (e.g. fire, water, temperature, humidity…); offsite backup |


Not just the responsibility of IT Centre!

Page 23

Evaluation of Information Security Controls

Regular evaluation of information security controls:
• Changing environment: technology, people, threats, information sharing…
• Evaluation of adequacy in the design of existing controls: identify the need for additional controls and their cost vs benefit
• Evaluation of the operating effectiveness of existing controls: management awareness and risk acceptance; plan for improvement actions

Reasons for not having regular information security evaluation:
• Lack of resources (human resources, budget…)
• Trusted environment (e.g. employees, students)
• Unlikely outbreak of security incidents/breaches

“The consequence of not having regular security evaluation can be very costly”

Page 24

Information Security Awareness

Security Awareness Program

[Diagram: audiences (Management, Teaching Staff, Administrative Staff, Students) → Knowledge & Attitude → Security Risk & Protection of Assets]

Page 25

Information Security Awareness

Topics
• Sensitive information that comes in contact with the individual
• Roles and responsibility in information security
  • Data owner: identify, classify and protect information
  • Students: appropriate use of computer facility and network
• Handling procedure for sensitive information, e.g. media of transmission and cryptographic requirement
• Knowledge of security issues, e.g. identification of phishing email, potential damage of malware, existence of social engineering
• Consequences

Page 26

Information Security Awareness

Security Awareness for:

MANAGEMENT
• Involvement of IT management in senior management communication
• Understanding the importance of information security before incidents happen
• Raising awareness of the need for management support of an institution-wide security awareness programme

IT CENTRE
• Realising the senior management concern over information security
• Allocating resources for security awareness programmes
• Obtaining knowledge of up-to-date security threats
• Promoting the culture of security awareness within the university

STAFF / STUDENTS
• Knowing information security via the IT centre
• Understanding their roles in information security (e.g. regular email reminders, training, campus security awareness campaign)

Top-down support for security awareness within the University

Page 27

Case Study: IT Outsourcing

IT Outsourcing: Background
• University outsourcing email (partially)
  • Email storage, spam filtering and online organiser
  • Email anywhere
• Service provider: unqualified SAS70 Type II certification

What are the security concerns?

Page 28

Case Study: IT Outsourcing

IT Outsourcing: Security Concerns

Asset identification
• Email correspondence
• Sensitive information (email contents/attachments)
• Contact information

Vulnerabilities
• Unencrypted data transfer/storage
• System security weaknesses (e.g. outdated patches)
• Different legal/regulatory requirements over personal data

Other concerns
• Uncontrollable/unknown security standard
• Inability to review the security standard of the service provider
• Inadequate planning

Page 29

Case Study: IT Outsourcing

IT Outsourcing: Best Practice

Planning
• The border: define the service to be outsourced (just email? online organiser?)
• Compatibility with existing process and infrastructure

Risk Assessment
• Evaluation of certification/accreditation (e.g. SAS70, ISO27001)

Agreement
• Ability to perform on-site due diligence
• Security review (by service provider or independent party)
• Service level agreement (security standard)
• Non-disclosure agreement

On-going
• Annual security assessment/certification review
• Perform on-site due diligence
• Monitoring service level

Page 30

Summary

Information Security in Universities
• Universities are valuable targets

Information Security Management
• Identifying information assets
• Risk assessment
• Security controls
• Security awareness

Case Studies & Best Practice
• IT Outsourcing