Joint Universities Computer Centre Limited (“JUCC”) Information Security Awareness Training - Session Two
Information Security in Universities
Agenda
Information Security Management in Universities
• Recent Information Security Incidents
• Information Security Risk Management
• Information Asset in Universities
• Information Security Risk Assessment
• Information Security Controls
• Information Security Awareness
• Case Study – IT Outsourcing
Recent Information Security Incidents

Hackers target leading climate research unit
The e-mail system of one of the world's leading climate research units has been breached by hackers. E-mails reportedly from the University of East Anglia's Climatic Research Unit (CRU), including personal exchanges, appeared on the internet on Thursday. A university spokesman confirmed the email system had been hacked and that information was taken and published without permission. Mr Cluley added that universities were vulnerable to attacks by hackers because so many people required access to IT systems.
Source: BBC Nov 20, 2009

Computer data breach at EIU investigated
CHARLESTON -- An investigation into a breach of computer security at Eastern Illinois University has not yet determined if personal data was stolen from a list of about 9,000 people, a university official said Friday. Eastern has mailed letters to 9,000 former, prospective and current undergraduate students regarding the breach of files that contain personal information. ... “A machine was compromised by a virus so we don’t believe it was a targeted attack against the university data system,” said Adam Dodge, assistant director of information security for Eastern Information Technology Services. That caused the university’s Office of Admissions server to be infected with a number of viruses, including several that could allow an external person to access the server.
Source: Journal Gazette Times-Courier Dec 04, 2009

Recent Information Security Incidents in Universities
• Personal data is always valuable to hackers
• Difficult to manage user access rights in universities
• Viruses are a key threat to universities because access to the internet cannot be controlled, mainly due to academic freedom concerns
Recent Information Security Incidents

UC Berkeley computers hacked, 160,000 at risk
Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday. At particular risk of identity theft are some 97,000 individuals whose Social Security numbers were accessed in the breach, but it's still unclear whether hackers were able to match up those SSNs with individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon.
Source: BBC Nov 20, 2009

Hacking incident on J-school Web server triggers notices to affected applicants
BERKELEY — University of California, Berkeley, officials announced today (Tuesday, Aug. 11) that the campus will be notifying approximately 490 individuals of a computer security incident involving the Graduate School of Journalism. Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. Although there is no evidence that the intruder stole or even viewed information from the database containing the Social Security numbers, it is possible that such action could have occurred, campus computer security experts said. Consequently, UC Berkeley decided to err on the side of caution and notify the 493 student applicants of the incident. Letters are being sent out this week from the journalism school.
Source: Journal Gazette Times-Courier Dec 04, 2009

Recent Information Security Incidents in Universities
• Health services hold a massive amount of personal information, which is easily overlooked
• Hackers tend to attack universities because they know the security is weak
Recent Information Security Incidents
Statistics from Technology Crime Division of the HK Police:

Title of Offence                                      2000  2001  2002  2003  2004  2005  2006  2007  2008
Unauthorised Access to Computer by Telecommunication   275    33    26    47    11     8     6     6     7
Access to Computer with Criminal Dishonest Intent        0    81   138   356   329   441   471   333   277
Criminal Damage                                         15    27    16    16    11     6     5     4     3
Obtaining Property by Deception                         29    32    45    86   105   145   193   215   387
Obtaining Services by Deception                          0    33    19    17    15     9    12     8     5
Thefts (E-banking related)                               0     8     6     8    19     3     0     1     2
Others                                                  49    21    22    58    70    41    54    67   110
Total                                                  368   235   272   588   560   653   741   634   791

Source: http://www.police.gov.hk/hkp-home/english/tcd/overview.htm, Jan 2010
Recent Information Security Incidents
Why Universities?
• Hacking for challenge/fun (external and student hackers, professionals and script kiddies)
• The scale of universities helps create noise in the community (reputation attack)
• Universities’ computers are a great candidate for zombie machines
• Relatively weak security perimeter
• Enormous amount of personal information
• Valuable research data
There is always a motivation…
[Chart: Statistics on Data Leakage Incidents]
Information Security Risk Management
Identify Information Assets → Risk Assessment → Security Control → Security Awareness
Information Assets in Universities
Information Asset - a definable piece of information, stored in any form, that has value to the organisation

Personal Information
• Student records
• Employee records
• Payroll information

Academic Information
• Student grade information
• Research data
• University policies
• Confidential data obtained from third parties

“Information security is all about protecting the CIA of information assets”
Information Assets in Universities
More information assets…
• University web sites
• Software and applications
• Computer servers and terminals
• Network and network devices
• IT service provider of outsourced services
Information Assets in Universities
Threats to Information Asset
Information Assets in Universities
Threats to Information Asset

Threats
• Deliberate actions by people
  • inside your organisation
  • outside your organisation (e.g. hackers’ attack)
• Accidental actions by people
  • inside your organisation
  • outside your organisation (e.g. dumping students’ personal data into a rubbish bin)
• System problems
  • hardware
  • software
  • malicious code
  • other (e.g. computer virus)
• Other events
  • power cut
  • telecommunications failure
  • natural disaster
  • other

Outcomes for the Information Asset
• Disclosure of the asset
• Modification of the asset
• Destruction or loss of the asset, the hardware it resides upon, or the software that interacts with it
• Interruption of access to the asset

Result: Financial and Reputation Loss
Identification of Information Assets Process

Step 1: Identify the boundaries of what is to be protected
Considerations:
• Nature: location, assets and technology
• Types of information that are sensitive and confidential
Example: Student’s personal data

Step 2: Identify the information assets and the media/systems in which they are handled
Considerations:
• Users given access to the information
• How that information is provided
Example: Student’s phone number stored in PCs of individuals

Step 3: Identify relationships between the assets/media/systems and the organisational objectives
Considerations:
• Organisational objectives
• How they are affected by information assets
Example: Objective: Compliance - personal data protection

Step 4: Identify those critical to organisational objectives
Considerations:
• Likelihood and the impact of the information assets affecting the organisational objectives
Example: What will happen if there is a security breach to the C, I or A of this data?
Information Security Risk Assessment
Risk Assessment - assignment of value for potential harm/loss

Quantitative ($ $ $ $ $)
• Asset Valuation (AV)
• Exposure Factor (EF)
• Single Loss Expectancy (SLE): SLE = AV x EF
• Annualised Rate of Occurrence (ARO)
• Annualised Loss Expectancy (ALE): ALE = SLE x ARO

Qualitative (rating scale: 5 4 3 2 1)
Information Security Risk Assessment
Risk Assessment - Example

Asset: University Website
Asset Valuation: loss of productivity; cost of information; cost of rebuilding services… = $30,000
Vulnerabilities & Threats: Vulnerabilities: outdated patch, unnecessary services… Threats: unauthorised intrusion; defacement…
Impact: unavailability of website and student portal; EF = 40%
Occurrence: ARO = 2 / year
ALE = AV x EF x ARO = $30,000 x 40% x 2 = $24,000
Qualitative ratings: 2, 3, 3, 1; Avg. = 2.3

Quantitative - how much to pay for a countermeasure?
Qualitative - how to prioritise for resource allocation?
Information Security Risk Assessment
Cost of Security Control vs Potential Loss
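The SLE/ALE formulas and the University Website example from the slides, carried through in code together with the cost-of-control versus potential-loss comparison. This is an added example, not code from the JUCC deck; the second asset, the countermeasure cost and the 50% ALE reduction are constructed assumptions.

```python
"""Quantitative (ALE) and qualitative risk scoring for a university asset register.

Added example for this training deck, not code from JUCC. It implements the
slide's formulas SLE = AV x EF and ALE = SLE x ARO, reproduces the
"University Website" example, and adds a cost-vs-benefit check for a control.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from statistics import mean


@dataclass
class Asset:
    name: str
    asset_value: float                 # AV: value of the asset in dollars
    exposure_factor_pct: float         # EF: % of AV lost in a single incident
    annual_rate_of_occurrence: float   # ARO: expected incidents per year
    qualitative_scores: list[int] = field(default_factory=list)  # 1 (low) .. 5 (high)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor_pct / 100

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate_of_occurrence

    def qualitative_rating(self) -> float:
        """Average of the 1..5 ratings, rounded half-up to one decimal (2,3,3,1 -> 2.3)."""
        if not self.qualitative_scores:
            return 0.0
        avg = Decimal(str(mean(self.qualitative_scores)))
        return float(avg.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def control_is_justified(asset: Asset, annual_control_cost: float,
                         ale_reduction_pct: float) -> bool:
    """Quantitative question from the slides: how much to pay for a countermeasure?

    A control is worth buying when the ALE it removes (the avoided potential
    loss) exceeds what the control costs per year.
    """
    avoided_loss = asset.ale() * ale_reduction_pct / 100
    return avoided_loss > annual_control_cost


def prioritise(assets: list[Asset]) -> list[Asset]:
    """Qualitative question from the slides: how to prioritise for resource allocation?

    Highest qualitative rating first; ALE breaks ties.
    """
    return sorted(assets, key=lambda a: (a.qualitative_rating(), a.ale()), reverse=True)


def sample_register() -> list[Asset]:
    """The slide's University Website example plus one constructed asset."""
    return [
        Asset("University Website", asset_value=30_000, exposure_factor_pct=40,
              annual_rate_of_occurrence=2, qualitative_scores=[2, 3, 3, 1]),
        # Constructed for illustration; these figures are not from the deck.
        Asset("Student Records Database", asset_value=100_000, exposure_factor_pct=25,
              annual_rate_of_occurrence=0.5, qualitative_scores=[4, 4, 3, 5]),
    ]


if __name__ == "__main__":
    for asset in prioritise(sample_register()):
        print(f"{asset.name}: SLE=${asset.sle():,.0f} ALE=${asset.ale():,.0f} "
              f"rating={asset.qualitative_rating()}")
    site = sample_register()[0]
    # Hypothetical patch-management service at $5,000/year assumed to halve the website's ALE.
    print("Countermeasure justified:", control_is_justified(site, 5_000, 50))
```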
Areas of Information Security Risk in Universities

Information Handling
  Examples of risk:
  • Lack of information classification
  • Sensitive information being disclosed to the public
  Recommendations:
  • Establish information classification and handling procedures
  • Raise user awareness

Logical Access
  Examples of risk:
  • Shared accounts
  • Weak password settings
  • Abuse of super user accounts
  Recommendations:
  • Implement strong password policies and configurations
  • Restrictions and policy on the use of privileged/administrator accounts
  • Promotion of user awareness on the concept of accountability

Network Security
  Examples of risk:
  • External/internal threats (e.g. hacking, denial of service, viruses, malware)
  • Wireless network sniffing
  Recommendations:
  • Segregate the network into different segments
  • Installation of devices such as firewall and Intrusion Detection System
  • Periodic firewall log review
  • Installation of virus and spyware detection systems
  • Perform periodic scanning on network and computers

Outsourcing
  Examples of risk:
  • Compliance risk
  • Lack of security controls in third party services
  Recommendations:
  • Non-disclosure agreement
  • Include clauses regarding security requirements in the SLA
Areas of Information Security Risk in Universities

User Account Access / Administration
  Examples of risk:
  • Excess access rights granted
  Recommendations:
  • User access review
  • Classify data and create data ownerships
  • Segregation of duties

Physical Security
  Examples of risk:
  • Loss of portable devices
  • Decentralised location of computer servers
  • Stealing of hardware
  • Vandalism
  Recommendations:
  • Portable device encryption
  • Security guards
  • Swipe card/biometrically controlled access points
  • Access control lists
  • Perimeter controls

Incident Management
  Examples of risk:
  • Errors overlooked or not resolved on a timely basis
  • Lack of accountability
  Recommendations:
  • Escalation procedures
  • Investigation procedures
  • Defined roles and responsibilities

Information Security Awareness
  Examples of risk:
  • Social engineering
  • Difficulties in promoting security awareness to academic staff and students
  Recommendations:
  • Regular Information Security Awareness Training
  • Management commitment in building good security culture
Information Security Controls
Foundation: the Information Security Triad - Confidentiality, Integrity, Availability
Control layers: Physical, Procedures, People
Applied to: Hardware, Network, Software
Information Security Controls
Control layers: Procedures, People, Physical (built on the Foundation)

General Users:
• Are your thumb-drives secured?
• Do you always keep your office door locked?
• Are you aware of your role?
• Do you know about YOUR information?
• Do you know what to do when there is a security incident?
• Do you know the “POLICY”?

IT Professionals:
• Is the data centre secured?
• Do you have sufficient offsite backups?
• Are there security professionals in the team?
• Are the users well trained?
• Are the policies/procedures up-to-date?
• How do you communicate them to the users?
Information Security Controls
Types of Information Security Controls

By nature: Administrative, Logical, Physical
By function:
• Preventive - avoid its occurrence
• Detective - know when it occurs
• Corrective - rectify when it occurs

Limitations
• No 100% assurance
• Breakdown, e.g. misunderstanding/mistake
• Involve human judgement
• Management override
• Collusion
Sample Information Security Controls

Administrative
  Detective:
  • Rotation of duties
  • Management review of data, configuration, procedures and routines
  • Risk management
  • IT audit, control evaluation
  Corrective:
  • Business continuity plan
  • Disaster recovery plan
  Preventive:
  • Separation of duties
  • Security training
  • Well communicated security policy
  • User account administration

Logical
  Detective:
  • Network Intrusion Detection System
  • System logs
  • System integrity check
  Corrective:
  • Network Intrusion Prevention System
  • Anti-virus software
  Preventive:
  • Access control
  • Data encryption (storage and in-transit)
  • Authentication
  • Anti-virus software

Physical
  Detective:
  • Camera & alarms
  • Security guards
  • Regular asset count
  Corrective:
  • Emergency power supply
  Preventive:
  • Physical access control (e.g. swipe cards, biometric locks) to computer facilities
  • Environment controls (e.g. fire, water, temperature, humidity…)
  • Offsite backup
Not just the responsibility of IT Centre!
Evaluation of Information Security Controls
Regular evaluation of information security controls
• Changing environment: technology, people, threats, information sharing…
• Evaluation of adequacy in design of existing controls: identify needs for additional controls and the cost vs benefit
• Evaluation of operating effectiveness of existing controls: management awareness and risk acceptance
• Plan for improvement actions

Reasons for not having regular information security evaluation
• Lack of resources (human resources, budget…)
• Trusted environment (e.g. employees, students)
• Unlikely outbreak of security incidents/breaches

“The consequence of not having regular security evaluation can be very costly”
Information Security Awareness
Security Awareness Program
Audiences: Management, Teaching Staff, Administrative Staff, Students
Knowledge & Attitude
Security Risk & Protection of Assets
Information Security Awareness
Topics
• Sensitive information that comes into contact with the individual
• Roles and responsibility in information security
  • Data owners identify, classify and protect information
  • Students: appropriate use of computer facility and network
• Handling procedure for sensitive information
  • E.g. media of transmission and cryptographic requirement
• Knowledge of security issues
  • E.g. identification of phishing email, potential damage of malware, existence of social engineering
• Consequences
Information Security Awareness
Security Awareness for:

MANAGEMENT
• Involvement of IT management in senior management communication
• Understanding the importance of information security before the incidents happen
• Raising awareness of the need for management support for an institution-wide security awareness programme

IT CENTRE
• Realising the senior management concern over information security
• Allocating resources for security awareness programmes
• Obtaining knowledge of up-to-date security threats
• Promoting the culture of security awareness within the university

STAFF / STUDENTS
• Knowing information security via the IT centre
• Understanding their roles in information security (e.g. regular email reminders, training, campus security awareness campaign)

Top-down support for security awareness within the University
Case Study – IT Outsourcing
IT Outsourcing
• Background
  • University outsourcing email (partially)
  • Email storage, spam filtering and online organiser
  • Email anywhere
• Service Provider - unqualified SAS70 Type II certification
What are the security concerns?
Case Study – IT Outsourcing
IT Outsourcing - Security Concerns
• Asset Identification
  • Email correspondences
  • Sensitive information (email contents/attachments)
  • Contacts information
• Vulnerabilities
  • Unencrypted data transfer/storage
  • System security weaknesses (e.g. outdated patches)
  • Different legal/regulatory requirements over personal data
• Other concerns
  • Uncontrollable/unknown security standard
  • Inability to review the security standard of the service provider
  • Inadequate planning
Case Study – IT Outsourcing
IT Outsourcing - Best Practice
• Planning
  • The border - define the service to be outsourced (just email? online organiser?)
  • Compatibility with existing process and infrastructure
• Risk Assessment
  • Evaluation of certification/accreditation (e.g. SAS70, ISO27001)
• Agreement
  • Ability to perform on-site due diligence
  • Security review (by service provider or independent party)
  • Service level agreement (security standard)
  • Non-disclosure agreement
• On-going
  • Annual security assessment/certification review
  • Perform on-site due diligence
  • Monitoring service level
Summary
Information Security in University
• Universities are valuable targets
Information Security Management
• Identifying Information Assets
• Risk Assessment
• Security Controls
• Security Awareness
Case Studies & Best Practice – IT Outsourcing