Office of the Chief Information Security Officer
2011 Information Security and Privacy Annual Report
From the UW Chief Information Security Officer

The UW Office of the Chief Information Security Officer promotes a culture of information security and privacy. Services are designed to help UW units understand risks by analyzing and forecasting threats to information security, researching applicable information security and privacy laws, providing education on safeguarding institutional information, consulting on incident management, and managing policies and strategic solutions for UW's institutional information. More info: ciso.uw.edu

The Information Age is in full bloom at the University of Washington. The University's ability to succeed in its critical mission depends on dynamic and powerful information and communication technologies. Unprecedented access to an enormous and ever-growing volume of information, and the ability to create, process, analyze and use it conveniently, is now essential. However, these benefits come with unique security and privacy challenges. The goal of the Office of the Chief Information Security Officer (CISO) is to help the University community understand and manage those challenges. Pursuing this goal lets Office of the CISO team members meet and collaborate with talented and dedicated colleagues across the entire University, and we view this as a privilege. It's a front-row seat on the inner workings of an incredible world of education, research, culture, and community events.
Credits
UW Office of the CISO
WRITING: Kirk Bailey, Suzanne Blais, Bryan Egan, Zephyr McLaughlin, Ann Nagel, Daniel Schwalbe, Leif Tishendorf, Braden Vinroe
CREATIVE DIRECTION AND EDITING: Melissa Albin-Wurzer
PHOTOGRAPHY: Melissa Albin-Wurzer, Zephyr McLaughlin, Braden Vinroe
UW Creative Communications
DESIGN: Karin Mellskog

Table of Contents
Risk Management ... 1
Information Security and Privacy Landscape ... 1
2011 Accomplishments ... 2
Consulting ... 3
Threat Report ... 4
Visualizing Information Security and Privacy ... 6
Information Assurance Atlas ... 6
Privacy Program Updates ... 7
Data Security Agreement ... 7
Cloud Services Initiative ... 7
Incident Management Update ... 8
10 Things to Do to Secure Data And 5 Do Nots ... 8
2012 Goals ... 9
Risk Management

The Office of the CISO takes a multi-faceted approach to addressing the UW's information security and privacy. We believe this approach supports the efforts to secure and protect UW data. On a semi-annual basis, representatives from the Office of the CISO, Office of Research, UW Medicine, and Office of Planning and Budgeting assess information security and privacy risk for all of the UW; this includes scoring 63 objectives and 49 threats. Direction and reviews for this risk assessment are provided by the Privacy Assurance and Systems Security Council, chaired by the UW CISO. Results are used to inform the UW's information security and privacy initiatives and services.

[Sample Risk Report chart: for each assessment area (ORG, POL, AUD, RISK, PRI, IM, EDU, IMON, OPS, TECH, PHY ASSET, ACCT) a Capability Level Risk Score on a 0.00 to 5.00 scale and a Threat Index Score, with Overall Risk rated High, Medium or Low, compared across Spring, Fall and the Biennium Goal. Risk assessment based on 63 objectives and 49 threats.]

Information Security and Privacy Landscape

Developing and implementing a successful plan to address security and privacy challenges, assess risks, and protect UW information involves contending with the diverse elements of a changing landscape, including:
- Rollout of innovative technology across the UW with less time and resources to understand and address institutional risk.
- Reliance on Web-based technology, such as mobile technology, that is increasingly challenging to identify and secure.
- Increasing threats that target UW confidential information and intellectual property.
- Inconclusive forensic evidence for new technology solutions, which may result in the need for the UW to issue data breach notifications. This may cause unnecessary financial harm to the individuals the UW serves and unnecessary financial, operational, compliance, and reputational harm to the UW.
- Resource constraints that make UW institutional information, information systems, computerized devices and technology infrastructure more vulnerable.

2011 INFORMATION SECURITY AND PRIVACY ANNUAL REPORT UW OFFICE OF THE CISO
Security by the Numbers
In 2011, on average:
- 7,000 emails per month received by security@uw.edu / abuse@uw.edu
- 200 trouble tickets per month handled by Information Security Engineers
- 50,000 intrusion attempts per day blocked by the intrusion prevention service

2011 Seminars
The Office of the CISO staff led Information Assurance Seminars and information sessions on the following topics:
- Children, Information, and the UW
- Personally Identifiable Information (PII) and Social Media
- PII and the Underground Economy
- Best Practices for Securing UW Confidential Information
- Information Security Threat Landscape
- Information Security and Privacy Risk Management
- Privacy and Incident Management Policies

2011 Accomplishments

Risk Management and Intelligence
- Published operational activity and trend reports.
- Initiated development of risk assessment tools to help departments and business units assess risks and make calculated decisions about information security and privacy.
- Developed initial concept for the Information Assurance Atlas.

Policy
- Finalized policies for information security and privacy roles and responsibilities, incident management, and privacy.
- Published UW standard Online Privacy Statement and Web Site Terms and Conditions of Use.

Audit & Compliance
- Strengthened UW's due care position by creating an authoritative list of information security and privacy laws applicable to UW.
- Established ongoing collaboration meetings with UW Internal Audit, UW Medicine IT Services, UW Medicine Compliance, and School of Medicine.

Privacy
- Developed a foundation for a comprehensive privacy program that respects personally identifiable information and helps UW address privacy obligations and risks.

Operational Management
- Enhanced security services and vulnerability assessment consulting services for departments and business units.
- Upgraded intrusion prevention systems to expand capabilities and performance.

Organization & Authority
- Expanded the Privacy Assurance and Systems Security (PASS) Council membership to include additional representation from the School of Medicine and the Office of Research.
- In addition to the CISO chairing the PASS Council, members of the Office of the CISO participated in the following committees and councils: Data Management Committee; Information Technology Risk Council; Cloud Computing Compliance Committee; UW Medicine Security Program Executive Committee; UW Computing Directors; Digital Millennium Copyright Act Committee; Husky Card Advisory Committee; Emergency Management Planning Committee; Compliance Operations and Financial Council Steering Committee; UW Healthcare Component Compliance Group; Patient Privacy Advisory Committee.

Education
- Expanded the CISO website to include risk advisories and best practices for phishing, multifunction devices, and social media.
- Began publishing quarterly newsletters.
- Supported curriculum development or guest lectures for the Information School, Mathematics, and UW Bothell.
- Reviewed research proposals for Applied Physics Laboratory and the Information School.
- Supported rollout review for the Center for Commercialization's security industry-related product.
- Provided information security and privacy seminars for the UW community.
Consulting

In 2011, we collaborated on specific topics, provided in-depth vulnerability assessments for departments and units, or supported projects in the following areas.

[Table columns: Business Unit, Department, College, or School; Security; Privacy; Outreach. The per-unit check marks in the Security, Privacy and Outreach columns are not reproduced here; groupings below follow the table layout.]

Applied Physics Lab; Arts & Sciences Dean's Office; Attorney General's Office, UW Division; Center for Commercialization (C4C); Computer Science & Engineering; Educational Outreach; Foster School of Business; Information School; Intercollegiate Athletics (ICA); Library Systems; School of Law; School of Medicine; School of Nursing; The Graduate School; The UW President's Office; UW Bothell IT; UW Tacoma IT

External Affairs: Government Relations; Media Relations and Communications; Office of Public Records and Open Meetings; News and Information; UW Marketing

Finance & Facilities (F2): Financial Management; Records Management; Procurement Services; Student Fiscal Services; Internal Audit; Treasury; Investment Management; Risk Management; Facilities Services; Transportation Services; Campus Engineering and Operations; Emergency Management; Finance and Business Services

Human Resources: HR Campus Operations; HR Information Systems

Office of Planning and Budgeting: Strategic Capital Resource Planning; Information & Data Management

Office of Research: Office of Sponsored Programs; Office of Research Information Systems; Human Subjects Division

Student Life: Housing and Food Services; Office of the Registrar; Campus Life; Student Financial Aid & Scholarships; UW Police Department

Undergraduate Academic Affairs: Dream Project; First Year Programs

University Advancement: Advancement Services; Alumni Relations

UW Information Technology: Information Management; Networks, Data Centers & Telecommunications; Technology Management

UW Medicine: Compliance; ITS Security

Affiliate Institutions: Seattle Children's; Fred Hutchinson Cancer Research Center; Northwest Hospital
Threat Report: 99% of What Happens is Not in the News

News stories in 2011 were replete with phishing scams, point of sale system hacks, or website compromises that released the information of thousands, even hundreds of thousands, of users: email addresses, passwords, credit card information, and other personal details. While it is important to be aware of the latest threats facing the UW in the ever-growing online world, it should not be forgotten that old players don't always leave the field. In 2011, approximately 14 million events were stopped at the network border by the UW TippingPoint Intrusion Prevention System (IPS) systems. Over 10 million of those blocks were for MS-RPC: Microsoft Server Service Buffer Overflow (see Table 1 below and Table 2 next page), which covers a number of exploits such as Sasser, released in 2004, Spybot, also released in 2004, and Conficker, released in 2009. These viruses may no longer be in the news, but they are still very much alive, infecting systems, causing headaches around the world, and threatening the UW network.

News reports lead the public to believe that most exploits originate abroad in places such as China, the Russian Federation, or Romania, but in actuality, many viruses and scams are conceived here in the United States. (See Table 3 next page.) The importance of patching systems and updating antivirus software is not always taken seriously, and neither are common practices. Because the United States has one of the world's largest numbers of personal computer users, it also has the potential to possess one of the world's largest populations of infected and insecure computers. To help mitigate the risk of infected machines at UW, individuals should routinely check for and apply software patches and ensure that their antivirus is up to date.

Department IT staff play a vital role by routinely communicating about and assisting users with patches and updates, and the Office of the CISO strives to keep departments and users informed about the information security threat landscape. Safeguarding personal data, computers, systems, and UW institutional information means striking a balance between staying informed of new threats and remaining aware of threats that no longer make the news.

Table 1: A count of activities blocked by the UW TippingPoint Intrusion Prevention System (IPS) by type of activity. Scale is discontinuous due to the large number of blocks of exploits such as Sasser, Spybot, and Conficker.
Activity: Blocks
MS-RPC: Microsoft Server Service Buffer Overflow: 10,604,682
Invalid TCP Traffic: Possible Recon Scan (SYN FIN): 612,096
MS-RPC: LSASS Active Directory Interface Overflow: 349,922
SMB: ASN.1 Bitstring Processing Heap Overflow: 294,903
HTTP: PHP Code Injection: 226,936
MS-RPC: DCOM ISystemActivator Overflow: 184,198
MS-SQL: Slammer-Sapphire Worm: 180,919
DNS: Version Request (UDP): 163,060
Stacheldraht: Agent-to-Master Ping (General): 124,647
Invalid TCP Traffic: Possible nmap Scan (No Flags): 119,221
Table 2: A count of activities blocked by the IPS on various ports. The most common blocks are for Windows File Sharing (445) and HTTP (80). Scale is discontinuous due to the large amount of blocked activity on port 445.
Port # (Description): Blocks
445 (SMB): 11,163,834
80 (HTTP): 771,429
61947 (Unknown*): 279,748
41997 (Unknown*): 249,262
1434 (Microsoft SQL): 181,199
135 (Remote Procedure Call): 180,914
443 (HTTPS): 176,406
53 (DNS): 163,907
139 (NetBIOS): 136,278
23630 (Unknown*): 75,595
* Blocks on unknown ports are likely related to botnets or peer-to-peer (P2P) activities.

Table 3: Number of activities blocked by UW's TippingPoint devices by geographical location, as determined by Autonomous System Number (ASN).
Location: Blocks
United States: 2,483,001
Russian Federation: 1,500,344
Taiwan: 1,143,323
Brazil: 1,053,704
China: 471,587
South Korea: 446,868
Romania: 411,666
Japan: 395,765
Poland: 382,825
Hungary: 351,953
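Tables 1 to 3 are three views of the same stream of IPS block records: by signature, by destination port, and by source country resolved from the ASN. The script below, added here as an illustration and not part of the report or of UW's tooling, builds those three views from a constructed sample log and computes the share taken by the largest bucket, which is what forces the discontinuous scales in the charts. The record format, the ASN-to-country map and the sample records are all assumptions made for the example.

```python
"""Aggregate IPS block records into the three views the Threat Report
tabulates: by signature (Table 1), by destination port (Table 2) and by
source country resolved from the ASN (Table 3).
Record format, ASN-to-country map and sample records are constructed for
this example; they are not TippingPoint's export format or UW data."""
from collections import Counter

# Constructed placeholder ASNs (private-use range) mapped to countries.
ASN_COUNTRY = {64501: "United States", 64502: "Russian Federation", 64503: "Taiwan"}

# Ports with a well-known service; anything else is reported as "Unknown",
# the convention Table 2 uses for ports such as 61947 and 41997.
KNOWN_PORTS = {445: "SMB", 80: "HTTP", 1434: "Microsoft SQL", 443: "HTTPS",
               135: "Remote Procedure Call", 53: "DNS", 139: "NetBIOS"}

# Constructed sample log: timestamp|signature|source ASN|destination port.
SAMPLE_LOG = """\
2011-06-01T00:00:01Z|MS-RPC: Microsoft Server Service Buffer Overflow|64501|445
2011-06-01T00:00:02Z|MS-RPC: Microsoft Server Service Buffer Overflow|64502|445
2011-06-01T00:00:03Z|MS-RPC: Microsoft Server Service Buffer Overflow|64503|445
2011-06-01T00:00:04Z|MS-RPC: Microsoft Server Service Buffer Overflow|64501|445
2011-06-01T00:00:05Z|MS-RPC: Microsoft Server Service Buffer Overflow|64502|445
2011-06-01T00:00:06Z|Invalid TCP Traffic: Possible Recon Scan (SYN FIN)|64501|80
2011-06-01T00:00:07Z|HTTP: PHP Code Injection|64999|80
2011-06-01T00:00:08Z|MS-SQL: Slammer-Sapphire Worm|64502|1434
2011-06-01T00:00:09Z|DNS: Version Request (UDP)|64503|53
2011-06-01T00:00:10Z|Stacheldraht: Agent-to-Master Ping (General)|64501|61947
this line is malformed and must be skipped
"""


def parse_blocks(text):
    """Return (signature, asn, port) tuples; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        _ts, sig, asn, port = parts
        try:
            rows.append((sig, int(asn), int(port)))
        except ValueError:
            continue
    return rows


def by_signature(rows):
    """Table 1 view: blocks per signature, largest first."""
    return Counter(sig for sig, _, _ in rows).most_common()


def by_port(rows):
    """Table 2 view: blocks per destination port, unknown services flagged."""
    labels = (f"{port} ({KNOWN_PORTS.get(port, 'Unknown')})" for _, _, port in rows)
    return Counter(labels).most_common()


def by_country(rows):
    """Table 3 view: blocks per source country, resolved through the ASN map."""
    return Counter(ASN_COUNTRY.get(asn, "Unmapped ASN") for _, asn, _ in rows).most_common()


def top_share(counts):
    """Fraction of all blocks in the largest bucket. When this is close to 1,
    as with MS-RPC in Table 1, a linear bar chart needs a discontinuous scale."""
    total = sum(n for _, n in counts)
    return counts[0][1] / total if total else 0.0


if __name__ == "__main__":
    rows = parse_blocks(SAMPLE_LOG)
    for title, view in (("Signature", by_signature), ("Port", by_port), ("Country", by_country)):
        print(f"== {title} ==")
        for label, n in view(rows):
            print(f"{n:>4}  {label}")
    print(f"Top signature share: {top_share(by_signature(rows)):.0%}")
```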
Visualizing Information Security and Privacy

With competing priorities and resource constraints, how do we as the UW community identify and protect our most important assets? How do we show due care? What can we do to protect our information and systems in an effective and efficient manner? The UW Information Assurance Atlas Program will help address these and other challenging questions. By aggregating existing and new data sources, the Atlas will provide important views of assets, threats, and risks.

Information Assurance Atlas

An information assurance atlas program with tools and services designed to support transparency, facilitate collaboration, and inform decision making around data, security, privacy, and risk. In fall 2011, the Office of the CISO developed the initial Atlas concept. Program planning and development will begin in 2012. If you are interested in following the Atlas progress, please contact ciso@uw.edu.

[Atlas concept diagram: Sources (existing data sources, data provided by the Office of the CISO, data provided by the department/unit) feed Maps (Risk, Data Use, Resources, Policy and Best Practices), which in turn support Executive Summaries, CISO Analysis, Management Decisions, Department/Unit Overviews, and Communication, Information Sharing, and Education.]
Privacy Program Updates

The Privacy Program made notable advancements in 2011. The Office of the CISO published a list of the privacy and information security laws that impart a duty upon the University to protect information. Our website summarizes the laws by subject area (Financial, Health Care, Research, etc.) and identifies the UW Subject Matter Expert (SME) and resources. We hosted the First Annual SME Symposium in December, where the SMEs were able to share their experiences and learn of legislative and enforcement developments in each area. We will continue to monitor legislative developments, provide updates, and confer with SMEs as necessary.

2011 was a key year for federal legislative initiatives in the field of data privacy. As of this writing, several items of legislation are again circulating throughout Congress. The Obama Administration has devoted resources and made several statements regarding the importance placed on data privacy. A key battleground concerns the enforcement of eventual policies, and whether this will lie with the Federal Communications Commission or the Federal Trade Commission.

Data Security Agreement

Other privacy projects included the revision of the Data Security Agreement (DSA) used in contract negotiations, as well as the addition of several interpretive documents to aid campus in the understanding and use of the DSA. A workshop was held in June with campus leaders to explain the revised DSA and accompanying materials, as well as to support the use and understanding of those materials. Acceptance of the documents by our key collaborators on campus has been widespread. Increased use of the documents has been seen at earlier and more critical stages of procurement and contract negotiations, reducing the University's risk and preserving the integrity of confidential information.

Cloud Services Initiative

As part of the University's efforts to contract with cloud service providers, the Office of the CISO provided support by investigating and reviewing providers' security strategies and operational practices. This included assessing risks and understanding answers to key questions for each provider:
- Does the provider have strong security controls?
- Does the provider have a qualified and experienced security team?
- What are the provider's policies related to security and privacy concerns?
- Where will the University users' data reside and, if not inside the USA, what does that mean?
- If the service is compromised, what is the provider's capability for responding to and recovering from the incident?
- Can the University's security professionals have access to the provider's investigation reports?
- What priority will University users have in that recovery process?
Incident Management Update

The University's incident response process improved greatly in 2011. Many of these improvements are due to the final approval of Administrative Policy Statement (APS) 2.5, Information Security and Privacy Incident Management Policy. This policy improves the incident response process in a number of key ways. Potential information security events are now investigated based on data type instead of physical location. This gives Subject Matter Experts direct oversight of incidents.

Per APS 2.5, the designated officials listed below are responsible for responding to and managing information security and privacy incidents at the University. As needed, those designated officials assemble an incident management team with the appropriate Subject Matter Experts; the team provides advice on how business processes, laws, compliance obligations, and risks may impact the University.

Designated Official | Type of Information | Organizational Area
University Facility Security Officer, or his or her designee | National security information or national security systems | All areas of the University
Chief Privacy Officer for the non-UW Medicine components of the hybrid entity, or his or her designee | Protected health information | Non-UW Medicine healthcare components of the University
Chief Privacy Officer for UW Medicine, or his or her designee | Protected health information | UW Medicine
University Chief Information Security Officer, or his or her designee | All information unrelated to national security information, national security systems, or protected health information | All areas of the University

Administrative Policy Statement 2.5 also clearly states that University employees should report any potential incident, and gives the investigative team the ability to garner resources to perform the investigations in a timely manner. In addition to the high-level policy approvals, the Office of the CISO continued developing internal procedures. The creation of an internal incident response plan has already led to faster response times and better cooperation with departments and business units when investigating potential incidents.

10 Things to Do to Secure Data
1. Do know your data: what you have, how much, and where.
2. Do think before sharing information on social networks.
3. Do audit data access permissions regularly.
4. Do use different passwords for different applications and systems.
5. Do update software regularly.
6. Do assess risks to your critical assets regularly.
7. Do assume that your data or systems could be compromised.
8. Do configure auditing, logging, and alerting on critical systems.
9. Do use the Data Security Agreement when sharing confidential data with vendors.
10. Do segment critical systems and sensitive data.

And 5 Do Nots
1. Do not open email attachments or click on links in unexpected or suspicious email.
2. Do not assume vendors are doing what you think they are doing.
3. Do not retain unnecessary stores of confidential data.
4. Do not assume that cloud solutions are secure and robust.
5. Do not keep records past their retention period.
2012 Goals

Risk Management and Intelligence
- Complete development of risk assessment tools to help departments and business units assess risks and make calculated decisions about information security and privacy.
- Plan and develop the first phase of the Information Assurance Atlas.
- Streamline threat analysis to provide timely information to departments and business units.

Policy
- Revise Administrative Policy Statement (APS) 2.1, Information Systems Security, and APS 2.10, Minimum Data Security Standards.
- Publish University-wide Social Media and Networking Guidelines.

Audit & Compliance
- Map the common requirements in the information security and privacy laws that are applicable to the University.

Privacy
- Develop guidance and tools to help departments implement key concepts in APS 2.2, University Privacy Policy.
- Establish institutional resources for department and business unit risk assessment and consulting.

Education
- Publish online information security and privacy training.
- Continue to provide quarterly information security and privacy seminars for the University community.

2012 Seminars
In 2012, the Office of the CISO will hold quarterly Information Assurance Seminars with a roundtable format. Each quarter there will be a topic relating to information security and privacy best practices and risk management strategies. We will also provide the latest updates on continuously evolving subjects, such as the threat landscape, privacy laws and regulations, and mobile device security. More info: ciso.washington.edu/events/
ciso.uw.edu