Computer and Network Security in Higher Education

Transcription

1 Index Computer and Network Security in Higher Education Mark Luker and Rodney Petersen, Editors A Publication of EDUCAUSE Copyright 2003 Jossey-Bass Inc. Published by Jossey-Bass, A Wiley Company. Reprinted by permission of John Wiley & Sons, Inc. For personal use only. Not for distribution.

2 Index A Academic freedom, 4, 7. See also Intellectual freedom Academic values, 3 5 Acceptable use policy, 66 Access: convenience vs. security in, 16; equal, 5; equity and diversity goals and, 8; fairness in, 9; Internet, and intellectual freedom, 4; policies for dealing with abuses of, 9; privacy and confidentiality considerations with, 8; vulnerability due to ease of, 78; wireless, VPNs for, Administration, security education for, Advanced Networking with Minority-Serving Institutions (AN-MSI) Security Committee, 8 Alerts, security, 97 American Association of University Professors, 13n2 American Council on Education, xix American Library Association (ALA), 5 Application-based security, Arnone, M., 48 Articles, for delivering security education, Association of College and University Policy Administrators (ACUPA), policy procedure information from, Association of Research Libraries, 13n2 Attorneys, in-house, security education for, 94 Auditors: risk analysis supported by, 42; security education for, 93 Authentication: appropriateness of, 10; central-service approach to, 82 83; enterprise directories for, 84, 86 Authentication and authorization systems, privacy practices of, 8 Autonomy, as academic value, 4 B Barman, S., 63 Barton, T., 73, 84 Bickel, R. D., Biometrics, 12 Border firewalls, 75 Boyer, E. L., 2 Briney, A., 78 Bruhn, M., 59 Bugtrak Mailing List Archive, 81 Business continuity, C Campus directories, 84 Campus police, security education and, 93 94,

3 106 Index Cantor, S., 86 Carnegie Mellon University, CERT Coordination Center, 95 Carroll, L., 45 Cassat, P. C., 46 Cassidy, D., 33 Cavanaugh, L., 64 Center for Academic Integrity, 13n2 Center for Internet Security (CIS): CISECURITY toolkit, 80; security benchmarks, CERIAS (Center for Education and Research in Information Assurance and Security), Purdue University, 103 CERT Advisory, 79 CERT Coordination Center, security education offered by, 95 Certification, of security professionals, Certified information systems security professionals (CISSPs), 27 Checklists, as element of policy, 63 Chief information officers (CIOs), 22, Chief security officers (CSOs), CISECURITY toolkit, 80 Civil liability, 49 Civility, as principle for security in higher education, 6 Clarke, R., xix Columbia University, 13n2 Community: as academic value, 3 4; as principle for security in higher education, 6 Computer Science and Telecommunications Board, xvi Computers: firewalls in, 81; as target of hackers, 31, 77. See also Hostbased security Computing Technology Industry Association (CompTIA), certification program, 27 Confidentiality, as principle for security in higher education, 7 8 Consultants, hired for security purposes, 20 21, 28, 29 Content filtering, 11 Convenience, balancing security with, 16 Cornell University, policy procedure information from, 64 Cybersecurity insurance, 56 D Definitions, as element of policy, 62 Desman, M. B., 63 Developing a Strategy to Manage Enterprisewide Risk in Higher Education (Cassidy and others), 33 Distributed denial-of-service (DDOS) attacks, xi, 31 Diversity, as principle for security in higher education, 8 Dors, N., 86 Duderstadt, J. J., 2, 3 Dunn, J., 77 Duty, in negligence law, E encrypted vs. unencrypted, 85; filtering content of, 11 Eaton, J., 4 Education. See Security education EDUCAUSE/Cornell Institute for Computer Policy and Law, models for campus IT security policies, 101 EDUCAUSE/Internet2 Computer and Network Security Task Force: Framework for Action, xviii xix; participated in development of national security strategy, xvii; principles for implementing security in higher education, 6 10, 13n2; security policies information from, 65 66; security resources from, 103 Encryption, necessity of, Enterprise directories, 84, 86 Equity, as principle for security in higher education, 8

4 Index 107 Ethernet, shared, 75 Ethics, as principle for security in higher education, 9 10 Events, for delivering security education, 97 F Facilitator university model, Faculty, security education for, 92 Fair information practices, 5, 7 8 Fairness, as academic value, 5 Family Educational Rights and Privacy Act, 92 FBI Academy, 102 Firewalls: appropriateness of, 10; border, 75; host-based, 81; multiple, 75 Foster, A., 18 Fraser, B., 74 Frasier, M., 76 Freedom. See Academic freedom; Intellectual freedom FTP, encrypted vs. unencrypted, 85 G Global information assurance certification (GIAC), 27 Government, independence from, 4 Gray, T., 75 Green, R., 49 Grimes, S., 76 Guidelines, as element of policy, 63 Gwaltney, R., 81 H Hackers: computers as target of, 31, 77; vulnerability to, xii, 31 32, 78, 79 Handbooks, security, Handouts, for delivering security education, 98 Health care professionals, security education for, 93 Health Insurance Portability and Accountability Act (HIPAA), 93, 102 Higher education: academic values in, 3 5; mission of, 2; operational environment of, 2 3; potential security practices for, 10 12; principles for implementing security in, 6 10, 13n2; security conditions with liability potential in, 47 48; security vulnerability of computers in, xii, 31 32, 78, 79 Higher Education Information Technology Alliance, xix Host-based firewalls, 81 Host-based security: best practices for, 78 83; defined, 78; importance of, I Identity management, 83 Indiana University, response to security breaches improved at, Information protection programs (IPPs), steps for establishing, Information security. See Security Institutional policies: elements of, 61 64; process of developing and maintaining, See also Security policies Institutional risk analysis. See Risk analysis Insurance, cybersecurity, 56 Integrity, as principle for security in higher education, 9 10 Intellectual freedom, 4, 7, 16. See also Academic freedom International Information Systems Security Certification Consortium, 27 Internet access, intellectual freedom and, 4 Internet Audit Project, security vulnerabilities revealed by, Internet Security Systems, 80 Internet2 Middleware initiative, 83 84, 86 Intrusion detection systems (IDSs), 11 12, 76 Intrusion prevention systems, 76

5 108 Index IT Security Cookbook, 66 IT security. See Security IT staff. See Security staff J Jacobson, H., 49 Joint Information Systems Committee, 63 Jopeck, E., 33 K Kenneally, E., 51 Kerberos, King, C. M., 63 Klingenstein, K., 83 Kohl, J., 82 Krebs, B., 56 L Lake, P. F., Leadership: security, 21 23; and security architecture, See also Security staff Legal liability. See Liability Liability, 45 57; civil, 49; and cybersecurity insurance, 56; and facilitator university model, 53 55; and negligence law, 50 53; security conditions with potential for, 47 48; and team approach to risk management, Libraries, privacy measures of, 5 Logging, 8, 11, 82 M Mandia, K., 66 Marchany, R., 31 McIntyre, D. J., 52 McRobbie, M., 19 Meetings, for presenting security education, 95 Microsoft products, virus protection when using, Middleware: defined, 83; security considerations with, Mission, higher education, 2 Mission Continuity Planning (Qayoumi), 33 Murrell v. Mount St. Clare College, 52 N National Association of College and Business Officers (NACUBO), risk assessment information, 33 National Infrastructure Protection Center (NIPC), risk assessment model, 33 National Institute for Standards and Technology Security Resource Center, 103 National Institute of Science and Technology (NIST), risk assessment information, 33 National Science Foundation, 6, 13n2, 86 National Strategy to Secure Cyberspace, xii, xvi xviii, 16 Negligence law, 50 53; breach in, 50, 52 53; duty in, 50 51; and facilitator university model, 53 55; and foreseeable harm, 51 52; general principles of, 50 Network scanning utilities, 80 Network security: best practices for, 75 77; defined, 74 Neumann, C., 82 Nichols, R. K., 63 NIMDA worm virus, 79 Nmap Network Mapping Software, 80 O Oblinger, D., 1 Olsen, F., 19 Online quizzes, for security education, 96 Openness, balancing security with, 16 OpenSAML, 86 The OpenSSL Project, 85

6 Index 109 Operational environment, higher education, 2 3 Operational security, 25 Outsourcing security, 20 21, 28, 29 P Packet filtering, 10 Parents, security education for, 92 Partnerships, security obtained through, Passwords: central authentication service for, 82 83; encrypted vs. unencrypted, 84 86; enterprise directory for managing, 84, 86 Patches, 32, Payne, S., 89 Peltier, T. R., Personnel. See Security staff Pescatore, J., 90 Petersen, R., 59 Physical security, Planning. See Security plan; Security policies Policies. See Security policies Policy statement, as element of policy, Postel, J., 80 Princeton University, Principles, for implementing security in higher education, 6 10, 13n2 Privacy: as academic value, 5; as principle for security in higher education, 7 8 Procedures, as element of policy, 62 Prosise, C., 66 Purpose statement, as element of policy, 61 Q Qayoumi, M. H., 33 R Rationale statement, as element of policy, 61 Read, B., 18, 48 Recor, J., 15 References, as element of policy, 63 Research and Educational Networking Information Sharing Analysis Center (REN-ISAC), xii Researchers, security education for, Responsibility, as principle for security in higher education, 9 10 Risk analysis, 31 42; benefits of, 32; case study of, at Virginia Tech, 33 42; CIS security benchmarks for, 40 42; models for, 33; need for, 31 32, 42; as step in designing host-based security plan, 79 Risk assessment. See Risk analysis Risk management: and insurance, 55 56; team approach to, Roesch, M., 76 Roles and responsibilities, as element of policy, 62 Ryan, D. J., 63 Ryan, J.J.C.H., 63 S Safe SQL Slammer Worm Attack Mitigation, 75 Salaries, of certified security professionals, 28 Salomon, K. D., 46 San Diego Super Computer Security Advisory, 85 Scanning, 11 Scope, as element of policy, 62 Security: balancing convenience and openness with, 16; functions of, 23 26; goals of program for, 60; obtaining support for, 18 20; principles for implementing, in higher education, 6 10, 13n2; range of practices for, Security + certification, 27 Security administrators, responsibilities of, 26 Security alerts, 81

7 110 Index Security analysts, responsibilities of, 26 Security architecture, 73 87; application-based security element of, 84 86; CIO s role with, 86 87; context for, 73; host-based security element of, 77 83; middleware and directory services element of, 83 84; network security element of, 74 77; technical resource on, 74. See also Security infrastructure Security breaches: due process for dealing with, 9; examples of preventable, 17 18; by insiders, 90; institutional responses to, 52 53; monitoring, 20; response to, improved by security policies, Security convergence, Security education, ; delivery methods for, 95 98; need for, 89, 90; obstacles to, 90 91; recommended approach to, ; targets audiences for, 91 95; tips for communicating, Security engineers, responsibilities of, 26 Security incidents. See Security breaches Security infrastructure: institutional characteristics influencing, 17; steps for establishing, See also Security architecture Security plan: developing, 18; obtaining support for, 18 20; potential security practices in, Security policies, 59 70; acceptable use policy as component of, 66; and elements of institutional policies, 61 64; and goals of information security program, 60; information security policy statement vs., 59 60; issues to be addressed by, 65 68; necessity of establishing, 9; process for developing and maintaining, 64 65; response to security breach improved with, 68 70; security education program based on, ; sources of information on, 65 66, 101 Security professionals. See Security staff Security Self-Assessment Guide for Information Technology Systems (Swanson), 33 Security staff: certification of, 27 28; common job titles and responsibilities for, 22 23, 26; number of, and size of organization, 23, 24, 25; outside consultants as, 20 21, 28, 29; salaries of, 28; security education for, Security Targeting and Analysis of Risks (STAR) process for risk assessment, Security teams, 23 Semjanov, P., 82 Shibboleth, 86 Siri, L., 31 Sniffers, 11 SQL Slammer attack, xiii, 75 Staff, security education for, 92, See also Security staff Standards, as element of policy, Stanton v. University of Maine, Students: computer equipment of, 3; security education for, 92 Suess, J., 73 Support, obtaining, for information security, Swanson, M., 33 System Administration, Audit, Network, Security (SANS) Institute: certification program, 27; security education offered by, 95; security policies information from, 66 System logging service, 82 T Telnet, encrypted vs. unencrypted, 85 Thibeau, B. E., 46 Training, incorporating security education in, 98. See also Security education Tribbensee, N. E., 45

8 Index 111 TriWest Healthcare Alliance, 52, 53 Tudor, J. K., 64 U University of Colorado Encrypted Authentication Security Standards, 85 University of Delaware, security incident at, University of Maine, Stanton v., University of Maryland: computer security vulnerability at, 78, 79; security alert tracking at, 81; security education by Dept. of Public Safety at, 101 University of Minnesota, information on policy procedures from, 64 University of Virginia, FBI Academy operated by, 102 U.S. Department of Education, 64 U.S. Department of Homeland Security, 97, 103 V Values, in higher education, 3 5 Videos, for delivering security education, 98 Vinik, F., 53 Virginia Alliance for Secure Computing and Networking, 103 Virginia Tech, risk assessment at, Virtual private networks (VPNs), 11, Viruses: alerts about, 97; protection against, Vulnerability, of computers in higher education, xii, 31 32, 78, 79 W Walker, K. M., 64 Web ads, for delivering security education, 96 Web content filtering, 11 Web sites, for delivering security education, 96 WebISO, 86 Whatis, 11 Wireless networks, Wireless Security and VPN, 77 Wood, C. C., 64 Worms. See Viruses Y Yale University, Yasin, R., 83 Zager, M., 49 Z