
Getting Started With Information Security

A Shared Agenda

Cedric Bennett, Kent Wada

EDUCAUSE Western Regional Conference

March 3, 2004

March 3, 2004 Getting Started With Information Security -- EDUCAUSE Western Regional Conference 2

Some(!) real life areas of shared responsibility

Electronic communications

Privacy

Freedom of speech

Education

Outsourcing

Authentication

Responsible use

E-business

Academic freedom

Records management

Asset Management

IP, Copyright, DMCA

Online CC payments

“The Web”

ResNet

Authorization

Bandwidth management

Spam

Identity theft

Policy, procedures

Risk management


Second half agenda

Privacy

Electronic records and court orders

Policy and procedures

The mobile user

Incident response

Pulling it all together

Futures


Privacy

“… the right to be left alone …”

-- US Supreme Court Justice Louis Brandeis


Chip implant gets cash under your skin

http://news.com.com/2100-1041-5111637.html

Story last modified November 25, 2003, 9:32 AM PST

Applied Digital Solutions of Palm Beach, Fla., is hoping that Americans can be persuaded to implant RFID chips under their skin to identify themselves when going to a cash machine or in place of using a credit card. The surgical procedure, which is performed with local anesthetic, embeds a 12-by-2.1mm RFID tag in the flesh of a human arm.

Matthew Cossolotto, a spokesman for ADS who says he's been “chipped,” argues that competing proposals to embed RFID tags in key fobs or cards were flawed. “If you lose the RFID key fob or if it's stolen, someone else could use it and have access to your important accounts,” Cossolotto said. “VeriPay solves that problem. It's subdermal and very difficult to lose. You don't leave it sitting in the backseat of the taxi.”


Some legislation

Health Insurance Portability and Accountability Act (HIPAA) – personally identifiable patient information

Gramm–Leach–Bliley Act – financial information

Federal Family Educational Rights and Privacy Act (FERPA) – student information

California Information Practices Act

SB1386 – disclosure of breaches of computerized personal information

cf. European privacy directive


Other external drivers

National Strategy to Secure Cyberspace

“Should consideration be given to tying State or Federal funding to [institutions of higher education] to compliance with certain cybersecurity benchmarks?”

http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf

NASA IT Security Clause: Final Rule in the Federal Register (67 FR 48814-48815) on July 26, 2002

VISA Cardholder Information Security Program: the “Digital Dozen,” 12 basic security requirements

http://www.usa.visa.com/business/merchants/cisp_index.html?it=il_/personal/secure_with_visa/securecommerceprogram.html


Some privacy challenges and overrides

Law enforcement

Security

Market research

Technology

Business need

Policy


Challenge: Business Need

The Perils of Privacy

“Down the hall in the billing department, a clerk uses a lunch break to scan the Web for information on abuse victims. The information retrieved also flashes onto a screen in the boss's office, revealing a secret the employee never told anyone.”

Source: PC World, December 28, 1999

http://www.pcworld.com/news/article/0,aid,14557,00.asp


Challenge: Technology

Delete Should Mean Delete

http://www.nytimes.com/2000/10/05/technology/06CYBERLAW.html

The geniuses who designed the modern world's computers probably thought they were doing mankind a favor when they decided that nothing, in fact, would ever be deleted when a computer user presses the Delete button. At least one prominent jurist, however, thinks Delete should mean just that.


Challenge: Law enforcement

Subpoenas, search warrants, summons oh my!


It’s not just email

[A] group of technologists and policy wonks met … to discuss a matter that some say is just as important to Internet privacy as any of the monolithic omniscient supercomputers being hatched in Washington... The humble Web server log.

Or more to the point, the countless thousands of logs routinely kept by servers throughout the Internet, each marking every visit to a given website, identifying what pages were viewed, what transactions made, and the Internet IP address of the visitor. Recent laws have made it easier for government agencies to get their hands on server log entries, and civil litigators are increasingly finding logs a valuable target for subpoenas.

From The trails left in Web server logs - and who's seeing them

http://www.theregister.co.uk/content/55/30114.html


Electronic records retention

How long should email be kept? What about email server logs? Web server logs? Surveillance tapes? Voicemail messages? Etc. etc. etc.

Consider how to keep data only as long as it is needed, and no longer, lest it become a liability (the library model)

Who are your institutional partners in thinking about privacy and balancing institutional obligations?
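A records-retention pass over web server logs, as an added example that is not part of the slides: it assumes Apache combined log format, constructed sample lines, and a 14-day retention window; entries older than the window are dropped and the visitor IP on kept entries is truncated, so the retained log identifies less and for a shorter time.

```python
"""Retention minimisation for web server access logs. Added example, not
from the slides: parses Apache/NCSA combined-format lines, drops entries
older than a retention window, and truncates the client IP on the kept
ones so the retained log stops identifying individual visitors."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
192.0.2.17 - - [10/Feb/2004:08:15:02 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.9 - - [28/Feb/2004:21:40:11 -0800] "GET /library/hours HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.44 - - [02/Mar/2004:09:01:55 -0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
not a log line at all
"""


def truncate_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address: keeps the network, drops the host."""
    parts = ip.split(".")
    if len(parts) != 4:
        return "0.0.0.0"
    return ".".join(parts[:3] + ["0"])


def apply_retention(log_text: str, now: datetime, keep_days: int) -> list:
    """Keep only entries newer than keep_days, with client IPs truncated.
    Lines that do not parse are dropped rather than retained unexamined."""
    cutoff = now - timedelta(days=keep_days)
    kept = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if datetime.strptime(m.group("ts"), TS_FMT) < cutoff:
            continue
        kept.append(line.replace(m.group("ip"), truncate_ip(m.group("ip")), 1))
    return kept


def demo() -> list:
    """Run the 14-day policy against the constructed log as of 3 March 2004."""
    now = datetime(2004, 3, 3, 12, 0, tzinfo=timezone(timedelta(hours=-8)))
    return apply_retention(SAMPLE_LOG, now, keep_days=14)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```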


Records

Electronic records must be seen in the context of all records (not just retention)

But records such as server logs often flummox the traditional framework

Who is your institutional partner in this effort?


USA PATRIOT Act

Amends more than fifteen statutes (including FERPA)

Was intended in part to update wiretap and surveillance laws for the Internet era


Not just a theoretical issue

Since the Sept. 11, 2001, attacks, the Justice Department and FBI have dramatically increased the use of two little-known powers that allow authorities to tap telephones, seize bank and telephone records and obtain other information in counterterrorism investigations with no immediate court oversight, according to officials and newly disclosed documents.

Washington Post, March 24, 2003


Policy, procedures and practices

Do you know what to do if an FBI agent shows up with a search warrant for a computer?

Does the student employee sitting at the front desk of the library at 8PM on a Monday evening know?


“IT” policies cover more than IT

IT affects everyone

For example: before, advertising policies affected few people on campus; now, potentially every web page is a marketing opportunity

Therefore, the IT policy process:

is a collaboration between subject matter experts and IT

involves much wider review than many other policies

makes meaningful promulgation a bigger challenge


Campus police

They are law enforcement

They are also part of the campus

What does that mean?


Identity theft

The California Employment Development Department notified 90,600 people this week that their personal information, including Social Security numbers, may have been compromised by a hacker who accessed a state computer server in January.

From the San Francisco Chronicle, Saturday, February 14, 2004

www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/02/14/BUGEN510EG1.DTL


SB1386

New provision of the California Information Practices Act requiring disclosure of computer security breaches involving personal information of California residents

About reducing identity theft

Effective July 1, 2003

Federal legislation coming…?


Straightforward in concept, but the devil is in the details

Data is everywhere!

What exactly is a security breach?

Computer viruses and trojan horses

Encryption of data

What will the courts say?

Who are your institutional partners?


The mobile user

Telecommuters, visitors, etc.

The equipment isn’t necessarily the institution’s

Relying on unreliable support

Risks still accrue to the institution

What about SB1386?


The mobile user

What are the institution’s rights? What are the tradeoffs?

Who are your institutional partners?


http://www.wired.com/wired/archive/11.07/slammer.html


Incident response

“When computer security problems occur, it is critical for the affected organization to have a fast and effective means of responding.”

“incident analysis and response, vulnerability handling, intrusion detection, risk assessments, security consulting, and penetration testing.”

Organizational Models for Computer Security Incident Response Teams

www.sei.cmu.edu/publications/documents/03.reports/03hb001.html

Who are your institutional partners?


A bigger picture

Can’t look at this piecemeal – will overwhelm you


EDUCAUSE Effective Security Practices Guide

www.educause.edu/security/guide


Futures

Some knotty problems


A policy-neutral core

In August 2002, the Recording Industry Association of America (RIAA) sued a group of U.S.-based Internet service providers, seeking to block access to a music-copying site in China. The suit was dropped when the offending site was shut down, but the event was widely regarded as a pivotal moment.

http://www.infoworld.com/article/03/11/21/46FEtroublefuture_1.html


The “nightmare” of anonymity

JENIN, West Bank, Aug. 19 /PRNewswire/ -- … Earthstation 5 is at war with the Motion Picture Association of America (MPAA) and the Record Association of America (RIAA), and to make our point very clear that their governing laws and policies have absolutely no meaning to us here in Palestine, we will continue to add even more movies for FREE. … "File-sharers world-wide are learning that our Earthstation 5 software hides the identities of its users and their IP addresses so they can now freely share their music and movies online without the threat of a lawsuit from the RIAA and/or the MPAA," said Kabair. … Earth Station 5 is located both in Gaza and in the Jenin Refugee Camp of Palestine.

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK2.story&STORY=/www/story/08-19-2003/0002003023&EDATE=TUE+Aug+19+2003,+06:14+AM


The balancing act

Security protects privacy and reduces risk, legal and fiscal exposures

Security is now often mandated

Security is seen to intrude on privacy, academic freedom and freedom of speech

Security can reduce convenience and functionality

Security is often controversial at many levels

