Embed Size (px)
Citation preview
Lewis Watkins,CISO
Higher Ed.Challenges
CurrentThreats
Solutions andBest Practices
Information Security in Higher Education Today
1
Some Facts from the U. S. Secret Service and Verizon 2010 Breach Report• 98% of exposed data came from servers.
Make sure servers are professionally managed.• 85% of attacks were not complex.• 96% of breaches were avoidable using simple controls.
Security requires operational excellence!• 61% were discovered by a third party.• 86% of breached organizations had evidence in their log files.
Organizations have inadequate monitoring.
The Good News and Bad News
2
Current Threats
The future is already here – it's just not very evenly distributed.
William Gibson3
Gartner 2006 Prediction
4
Today’s Threats!
1. Attacks come 24/7 from anywhere in the world.
2. Unprotected computers are 100% assured of being compromised.
3. Attacks are much more sophisticated than just a year ago, and the motives are much more sinister.
4. Most owners of compromised computers have no knowledge that they have a problem.
5. Primary attackers of concern:1. Organized, professional crime organizations
2. Nation States
3. Quasi-political/terrorist organizations
5
Most Common Exposures within the UT System
1. Lost/Stolen Computers (that aren’t encrypted)
2. Paper Documents (old documents)
3. Business Partners (mistakes, contract violations, employees)
4. Insecure Applications (Its not the network)
5. Breached Electronic Files (Forgotten files)
6. Employee Errors
7. Employee Misconduct6
“Oh Toto, I don’t think we are in Kansas anymore!”
• State of Virginia medical data held for ransom• San Francisco network held hostage• Slacker harms University of Utah by PHI exposure• Stuxnet – worm targets Iran nuclear program• “Here you Have” virus (zero day)• UNC Professor fighting termination because of
exposure of 100,000 patient records• Drive-by malware – mostly unseen• Bots, Bots, Bots – Attacking others
7
Higher Ed. Challenges
8
Five Challenges of Higher Education Security
• The Complexity Problem: Universities are very complex. Information Security is complex. Security touches every operational aspect
of the university.
• The Scope Problem: Risks span the entire organization – and
beyond.
• The Quality Problem: Small errors can result in large security
vulnerabilities that result in breaches.
9
The Location Problem
We place data everywhere now…. USB Drives iPhone / Blackberry / Android / Smart Phones Netbooks / Laptops / Desktops/iPads Departmental Servers Central IT Servers Virtual Servers Consolidated Data Centers / Shared Services Outsourcers / Business Partners The “Cloud” Private Clouds / Public Clouds / Unsanctioned Clouds Other: Embedded Systems / Auto Systems (Nav & GPS)
10
PCI-DSS2004
GLB1999
FISMA2002
HITECH
HIPAA1996
FERPA1974
TAC 2021994
Information Security Compliance includes these and other regulations, Including….- TX Bus. & Com. Code Ch. 521- E-Discovery- Red Flag- Business Associate Agreements
Compliance Obligations
11
Worker Economic Stress
Fewer Workers to perform needed tasks.
Workers working under greater stress and fear.
12
Solutions andBest Practices
13
There are Solutions!
1. Make sure Data Owners are trained and engaged.
2. Take Inventory (as part of risk assessment process) Devices on your network Applications Data stores
3. Eliminate Unnecessary Data.
4. Make sure your security personnel have visibility into the environment.
5. Make sure your Information Security Officer has access to Executive management.
14
Cloud Computing
Unmanaged cloud computing poses risk to University data.
Well managed cloud computing holds promise of improved information security.
15
Implement and Track Best Practice Strategies
16
Questions?
Lewis Watkins, CISSPChief Information Security Officer [email protected](512) 499-4540
17
