About:
Many universities are encountering challenges in their attempts to respond to the ever-present vulnerabilities and threats to their networks. The approaches taken have run the gamut from assigning already-overburdened systems administrators the added task of ensuring that their university's systems are secure, to bringing in outside consultants to implement perimeter-based security solutions to build a "fortress" around the network that will withstand Internet attacks.
Of those universities that are currently experiencing some degree or measure of success in securing their network environments, the majority, if not all, have developed a formal Information Security Department and hired at least one dedicated security staff resource to manage it.
Following is information on obstacles and challenges in the University environment, prevalent vulnerabilities and threats, a brief overview of EDUCAUSE, advice about security vendors and tools, and a ten-step methodology for developing an Information Security Program at your University.
Obstacles and Challenges in the University Environment
- The light finally came on – security is a problem
- Lack of funding for security tools
- Lack of funding for experienced Information Security staff positions
- Lack of security policies and guidelines
- Lack of hardware/software standardization
- Lack of security awareness among staff, students and faculty members on campuses.
An overview of creating a security program in a university environment.
Overview of Most Prevalent Vulnerabilities and Threats
- Out-of-date antivirus software protection
- “Weak” or easily-guessed passwords or circumventing the entering of passwords
- Missing vendor-supplied operating system or application patches and service packs
- Systems continuously logged into the network or with internal or external modem connections
- Unprotected systems (not behind firewalls or intrusion detection systems) which allow insecure telnet connections, provide FTP or web services, and allow anonymous connections that leave the entire network infrastructure vulnerable to attacks
EDUCAUSE System Security Task Force
- Assist universities in securing network infrastructures and in protecting systems from both being attacked and from being used to attack other entities
- Committees on security tools, policies, security awareness and emerging technologies
- The EDUCAUSE System Security Task Force will soon have a website at http://www.educause.edu/security
- Strongly recommended that universities take a proactive approach NOW to assessing and correcting information security problems using the SANS organization’s “Top Ten” vulnerabilities guidelines as starting points
- The SANS “Top Ten” vulnerabilities guidelines can be found at http://www.sans.org/topten.htm
A Word of Advice About Security Vendors and Tools
- No one vendor has the perfect tool or solution for you… you must evaluate carefully what will secure your institution’s network infrastructure effectively at a cost that you can afford
- Security vendors target the commercial market and price their products per network node, per user, per server, per workstation, per IP address
- "Grouping" University System of Georgia institutions could yield some economies of scale with partnering vendors. For example, Georgia State University has established a "partnership" with Network ICE, where we can purchase their BlackICE Defender product, as well as other products they offer, at a markedly reduced price. They are willing to include any other Georgia universities under the same discount structures that we at Georgia State are currently entitled to.
10-Step Approach to Developing an Information Security Program
- A centrally managed information security effort is most effective, even if your campus IT system administration is decentralized
- Manage part or all of your information security program or use third party vendors and firms that will manage various aspects of it for you.
- To make an informed decision you must have a detailed security assessment of your network infrastructure that identifies risks.
Step One
- Take a “snapshot” to determine the state of information security at your University as of today
- Gather and review documentation on information security policies, plans, procedures and guidelines with your IT staff and at the colleges and departments on your campus if administration is decentralized
- Utilize an automated scanning tool such as ISS’s Internet Scanner or WebTrends’ Security Analyzer to assess the vulnerabilities and threats present on systems at your university or…
- Hire an outside party to conduct an audit/review/assessment
Step Two
- Designate or hire an Information Security Officer to develop and manage the Information Security Program at your university
- What qualifications should this person have?
- What types of duties will they perform?
Step Three
- Develop an Information Security Strategic Plan (ISP)
- Define how your information security program will enable the university’s strategic goals and objectives and what will happen if preventive measures are not put into place
- Link the university’s strategic goals and objectives to the goals and objectives of your information security program and the results of the audit/assessment on your university’s network infrastructure
- Updates as part of Technology Master Plan Effort
Step Four
- Develop an Information Security Annual (Project) Plan for Year One of your Information Security program
- Concentrate on areas of concern from the audit/assessment you recently conducted
- The IS Annual Plan will allow you to prioritize and define those things that need to be accomplished to shore up your network’s defenses against attacks, unauthorized intrusions, vulnerabilities and threats
Step Five
- Review any existing security policies and guidelines currently in place and determine where gaps exist between the current policies and guidelines and the fulfillment of your Information Security program’s goals and objectives over the next year
- For example, you may want to consider modifying your “appropriate use” policy to authorize scans of all systems connected to your university’s network for the purposes of identifying vulnerabilities and threats…
Step Six
- Develop information security presentations to deliver to various audiences at your university such as college and departmental deans and vice presidents, IT committees, etc.
- Build support for the Information Security Program and enlist participation, funding, and cooperation through demonstrating the need and the consequences of further inaction
Step Seven
- Propose and assemble a university-wide information security task force or committee composed of representatives from each college and department
- In order to address the “Top Ten” vulnerabilities cited by the SANS Organization in an effective and expedient manner, it would be advantageous to work with an information security representative designated by each college or department to focus on organizing your university’s approach to resolving any security issues identified. Additionally, this committee or task force would develop and recommend policies, test and evaluate tools, develop guidelines, standards, and assist with security awareness efforts
Step Eight
- Start a security awareness program
- The “weakest link” in an information security program is an unaware user. All the policies, tools, and guidelines won’t circumvent the disadvantage of a user who is not aware of policies and who doesn’t practice “safe” computing by maintaining antivirus software or by scanning downloaded files from the Internet before installing them on a workstation
Step Nine
- Assemble a Computer Emergency Response Team and accompanying policies and procedures for computer incident handling
- Monitoring incidents helps determine risks, threats and vulnerabilities that are currently being exploited by attackers and unauthorized persons
- Designate a focal point for receiving reports of computer incidents. Designate members of the IT staff to take immediate actions that may include temporarily disabling a network connection to prevent any further attacks from a particular system
Step Ten
- Take a proactive approach to integrating information security into your existing IT network infrastructure
- Consider the security implications or risk factors of any new hardware or software applications introduced into your network environment
- Obtain security tools, such as intrusion detection systems and firewalls, which will allow you to effectively detect, prevent, and respond to attempted (or successful) intrusions and attacks on your university’s network. Other important security measures are automated scanning tools which will allow you to proactively assess hardware and software applications on your campus for a wide range of vulnerabilities and security problems
Help:
If you have questions, or need assistance, please contact the Help Center (404-651-4507 or help@gsu.edu).