Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Transcription

1 Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

2 Agenda Information Security Management in Universities Recent Information Security Incidents Information Security Risk Management Information Asset in Universities Information Security Risk Assessment Information Security Controls Information Security Awareness Case Study IT Outsourcing 1

3 Recent Information Security Incidents Recent Information Security Incidents in Universities Hackers target leading climate research unit Computer data breach at EIU investigated Personal The data system is of one of the world's leading climate always research valuable units has been breached by hackers. to hackers s reportedly from the University of East Anglia's Climatic Research Unit (CRU), including personal exchanges, appeared on the internet on Thursday. A university spokesman confirmed the system had been hacked and that information was taken and published without permission. Mr Cluley added that universities were vulnerable to attacks by hackers because so many people required access to IT systems. Source: BBC Nov 20, 2009 Difficult to manage user access rights in universities CHARLESTON -- An investigation into a breach of computer security at Eastern Illinois University has not yet determined if personal data was stolen from a list of about 9,000 people, a university official said Friday. Eastern has mailed letters to 9,000 former, prospective and current undergraduate students regarding the breach of files that contain personal information... A machine was compromised by a virus so we don t believe it was a targeted attack against the university data system, said Adam Dodge, assistant director of information security for Eastern Information Technology Services. Virus is a key threat That caused the university s Office of Admissions server to be infected with a number of viruses, to including the universities several that could allow an external person to access because the server. access to the internet cannot be controlled, mainly Source: Journal Gazette Times-Courier due Dec to 04, academic 2009 freedom issue 2

4 Recent Information Security Incidents Recent Information Security Incidents in Universities UC Berkeley computers hacked, 160,000 at risk Hackers broke into the University of California at Berkeley's health services center computer and potentially stole the personal information of more than 160,000 students, alumni, and others, the university announced Friday. Health services hold At particular risk of massive identity amount theft are some of 97,000 individuals whose personal Social Security numbers were accessed information the breach, which but it's still unclear whether hackers were able to match up those is easily SSNs with overlooked. individual names, Shelton Waggener, UCB's chief technology officer, said in a press conference Friday afternoon. Hacking incident on J-school Web server triggers notices to affected Hackers applicants tend to attack universities because they know the security is weak. BERKELEY University of California, Berkeley, officials announced today (Tuesday, Aug. 11) that the campus will be notifying approximately 490 individuals of a computer security incident involving the Graduate School of Journalism. Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May Although there is no evidence that the intruder stole or even viewed information from the database containing the Social Security numbers, it is possible that such action could have occurred, campus computer security experts said. Consequently, UC Berkeley decided to err on the side of caution and notify the 493 student applicants of the incident. Letters are being sent out this week from the journalism school. Source: BBC Nov 20, 2009 Source: Journal Gazette Times-Courier Dec 04,

5 Recent Information Security Incidents Statistics from Technology Crime Division of the HK Police: Title of Offence Unauthorised Access to Computer by telecommunication Access to Computer with Criminal Dishonest Intent Criminal Damage Obtaining Property by Deception Obtaining Services by Deception Thefts (E-banking related) Others Total Source: Jan

6 Recent Information Security Incidents Why Universities? Hacking for challenge/ fun (external and student hackers / professional and script kiddies) Scale of universities helps creating noise in community (reputation attack) Universities computers- a great candidate for zombie machines Relatively weak security perimeter Enormous personal information Valuable research data There is always a motivation Statistics on Data leakage Incidents 5

7 Information Security Risk Management Identify Information Assets Risk Assessment Security Control Security Awareness 6

8 Information Assets in Universities Information Asset - definable piece of information, stored in any form, that has value to the organisation Personal Information Student records Employee records Payroll information Information security is all about protecting the CIA of information assets Academic Information Student grade information Research data University policies Confidential data obtained from third parties 7

9 Information Assets in Universities More information assets. University web sites Software and applications Computer servers and terminals Network and network devices IT service provider of outsourced services

10 Information Assets in Universities Threats to Information Asset

11 Information Assets in Universities Threats Deliberate actions by people inside your organisation outside your organisation (e.g. hackers attack) Accidental actions by people inside your organisation outside your organisation (e.g. dumping students personal data into rubbish bin) System problems hardware software malicious code Other (e.g. computer virus) Other events power cut telecommunications failure natural disaster Other Information Asset Outcomes Disclosure of asset Modification of the asset Destruction or loss of the asset, the hardware it it resides upon, or the software that interacts with it it Interruption of access to the asset Financial and Reputation Loss 10

12 Identification Information Assets Process Step 1: Identify the boundaries of what is to be protected Step 2: Identify the information assets and the media/systems in which they are handled Step 3: Identify relationships between the assets/media/ systems and the organisational objectives Step 4: Identify those critical to organisational objectives Student s personal data Student s phone number stored in PC of individuals Objective : Compliancepersonal data protection What will happen if there is a security breach to the C, I or A of this data? Considerations: Nature: location, assets and technology Types of information that are sensitive and confidential Considerations: Users given access to the information How that information is provided Considerations: Organisational objectives How they are affected by information assets Considerations: Likelihood and the impact of the information assets affecting the organisational objectives 11

13 Information Security Risk Assessment Risk Assessment- Assignment of value for potential harm/ loss Quantitative Qualitative $ $ $ $ $ Annualised Loss Expectancy (ALE) Annualised Rate of Occurrence (ARO) Single Loss Expectancy (SLE) Asset Valuation (AV) Exposure Factor (EF) $ $ $ $ $ SLE = AV x EF ALE = SLE x ARO 12

14 Information Security Risk Assessment Risk Assessment- Example Asset Asset Valuation Vulnerabilities & Threats Impact Occurrence ALE University Website Lost of productivity; cost of information; cost of rebuilding services =$30,000 Vulnerabilities: Outdated patch, unnecessary services Threats: Unauthorised intrusion; defacement Unavailability of website and student portal ARO = 2 / Year EF = 40% = AV x EF x ARO = $30,000 x 40% x 2 = $24,000 Quantitative -How much to pay for countermeasure? Avg. = 2.3 Qualitative - How to prioritise for resource allocation? 13

15 Information Security Risk Assessment Cost of Security Control Potential Loss 14

16 Areas of Information Security Risk in Universities Category Examples of Risk Recommendations Lack of information Establish information classification and handling classification procedures Sensitive information being Raise user awareness disclosed to the public Information Handling Logical Access Network Security Outsourcing Shared accounts Weak password settings Abuse of super user accounts External / Internal threats (e.g. Hacking, denial of service, viruses, malware) Wireless network sniffing Compliance risk Lack of security controls in third party services Implement strong password policies and configurations. Restrictions and policy on the use of privileged/administrator accounts. Promotion of user awareness on the concept of accountability. Segregate the network into different segments. Installation of devices such as firewall and Intrusion Detection System. Periodic firewall log review. Installation of virus and spyware detection systems. Perform periodic scanning on network and computers. Non-disclosure agreement Include clauses regarding security requirements in the SLA 15

17 Areas of Information Security Risk in Universities Category Examples of Risk Recommendations User Account Access / Administration Excess access rights granted User access review Classify data and create data ownerships. Segregation of duties. Physical Security Incident Management Information Security Awareness Loss of portable devices Decentralised location of computer servers Stealing of hardware Vandalism Errors overlooked or not resolved on a timely basis Lack of accountability Social engineering Difficulties in promoting security awareness to academic staff and students Portable device encryption Security guards. Swipe card/biometrically controlled access points. Access control lists. Perimeter controls. Escalation procedures. Investigation procedures. Defined roles and responsibilities. Regular information Security Awareness Training. Management commitment in building good security culture. 16

18 Information Security Controls Information Security Triad Foundation Availability Integrity -HARDWARE- -NETWORK- -SOFTWARE- Confidentiality Physical People Procedures 17

19 Information Security Controls General Users IT Professionals Physical People Procedures Are your thumb-drives secured? Do you keep your office door locked always? Are you aware of your role? Do you know about YOUR information? Do you know what to do when there is a security incident? Do you know the POLICY? Are the data centre secured? Do you have sufficient offsite backups? Are there security professionals in the team? Are the users well trained? Are the policies/ procedures up-to-date? How do you communicate them to the users? FOUNDATION 18

20 Information Security Controls Types of Information Security Controls Know when it occurs Administrative Logical Physical Detective Corrective Preventive Rectify when it occurs Limitations No 100% assurance Breakdown e.g. misunderstand/ mistake Involve human judgement Management override Collusion Avoid its occurrence 19

21 Sample Information Security Controls Detective Corrective Preventive Administrative Rotation of duties Management review of data, configuration, procedures and routines Risk management IT audit, control evaluation Business continuity plan Disaster recovery plan Separation of duties Security training Well communicated security policy User account administration Logical Network Intrusion Detection System System logs System integrity check Network Intrusion Prevention System Anti-virus software Access control Data encryption (storage and in-transit) Authentication Anti-virus software Physical Camera & alarms Security guards Regular asset count Emergency power supply Physical access control (e.g. swipe cards, biometric locks) to computer facilities Environment controls (e.g. fire, water, temperature, humidity ) Offsite backup

22 Sample Information Security Controls Detective Corrective Preventive Administrative Logical Physical Rotation of duties Management review of data, configuration, procedures and routines Risk management IT audit, control evaluation Network Intrusion Detection System System logs System integrity check Business continuity plan Disaster recovery plan Network Intrusion Prevention System Anti-virus software Not just the responsibility of IT Centre! Camera & alarms Security guards Regular asset count Emergency power supply Separation of duties Security training Well communicated security policy User account administration Access control Data encryption (storage and in-transit) Authentication Anti-virus software Physical access control (e.g. swipe cards, biometric locks) to computer facilities Environment controls (e.g. fire, water, temperature, humidity ) Offsite backup

23 Evaluation of Information Security Controls Regular evaluation of information security controls Changing environment technology, people, threats, information sharing Evaluation of adequacy in design of existing controls Identify needs to additional controls and the cost vs benefit Evaluation of operating effectiveness of existing controls Management awareness and risk acceptance Plan for improvement actions Reasons not having regular information security evaluation Lack of resources (human resources, budget ) Trusted environment (e.g. employees, students) Unlikely outbreak of security incidents/ breaches The consequence of not having regular security evaluation can be very costly 22

24 Information Security Awareness Management Teaching Staff Administrative Staff Students Knowledge & Attitude Security Risk & Protection of Assets SECURITY AWARENESS PROGRAM 23

25 Information Security Awareness Topics Sensitive information comes in contact with the individual Roles and responsibility in information security Data owner identify, classify and protect information Students Appropriate use of computer facility and network Handling procedure for sensitive information E.g. Media of transmission and cryptographic requirement Knowledge of security issues E.g. Identification of phishing , potential damage of malwares, existence of social engineering Consequences 24

26 Information Security Awareness Security Awareness for: MANAGEMENT Involvement of IT management in senior management communication Understanding the importance of information security before the incidents happen Raising awareness of the needs for management support over institution-wide security awareness programme IT CENTRE Realising the senior management concern over information security Allocating resources for security awareness programmes Obtaining knowledge of up-to-date security threats Promoting the culture of security awareness within the university STAFF / STUDENTS Knowing information security via IT centre Understanding their roles in information security (e.g. regular reminders, training, campus security awareness campaign) Top down support for security awareness within University 25

27 Case Study IT Outsourcing IT Outsourcing Background University Outsourcing (partially) storage, spam filtering and online organiser anywhere Service Provider- Unqualified SAS70 Type II Certification What are the security concerns? 26

28 Case Study IT Outsourcing IT Outsourcing- Security Concerns Asset Identification correspondences Sensitive information ( contents/ attachments) Contacts information Vulnerabilities Unencrypted data transfer/ storage System security weaknesses (e.g. outdated patches) Different legal/ regulatory requirements over personal data Other concerns Uncontrollable/ unknown security standard Inability to review the security standard of the service provider Inadequate planning 27

29 Case Study IT Outsourcing IT Outsourcing- Best Practice Planning The Border- define the service to be outsourced (just ? Online organiser?) Compatibility with existing process and infrastructure Risk Assessment Evaluation of certification/ accreditation (e.g. SAS70, ISO27001) Agreement Ability to perform on-site due diligence Security review (by service provider or independent party) Service level agreement (security standard) Non-disclosure agreement On-going Annual security assessment/ certification review Perform on-site due diligence Monitoring service level 28

30 Summary Information Security in University Universities are valuable targets Information Security Management Identifying Information Assets Risk Assessment Security Controls Security Awareness Case Studies & Best Practice- IT Outsourcing 29