
Educause Security Conference 2012

I am recently back from the Educause Security conference 2012 — my first time going to that conference. I should note that I am the security officer for the campus so this was a great opportunity to connect with folks who have been doing this for a long time.

It was quite a good conference and, based on a few discussions with other attendees, one role of the conference is to leave you unsettled due to how many security threats there are.  I mean, there are a lot.  And hearing from large Universities (that have security departments of 3-5 staff) about how they need to manage multiple data breaches of personally identifiable information (PII) leaves one restless at night.  The challenge with large Universities is how distributed information and systems can be.  At a small College with a single central IT department there is more control over the systems housing institutional data (and clear accountability).

REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) kept coming up and it clearly brings much value to its members.  First thing when I’m back in the office, join REN-ISAC.  One product I was very interested in was Cloudlock — enterprise control over your Google Docs domain.  You can retain docs after someone leaves, retain documents for legal discovery, audit access rights to comply with FERPA, HIPAA, PCI — just pick your abbreviation.  Of course it costs per user, so this could offset any licensing savings you might be recouping by moving to Google Apps, but it provides enterprise management tools that would make me rest easier at night.

Wednesday

The opening session was quite good — a record 440 attendees — and showed the importance of security for higher education. You can watch it here. Bridget-Anne Hampden, Deputy CIO at US Dept of Ed (Financial Aid), really brought home the enormity of financial aid and the data that comes with it — $315 trillion in loans, 80 million “users,” 1 in 5 households has a student loan.  Her office is focusing on security practices at Colleges and Universities and we can expect to see an information security self-assessment questionnaire (along with remediation plans for security weaknesses) in about a year, followed by spot checks of random schools.  They are finishing a similar focus on the lenders and some of their early findings were presented here.  She mentioned she was considering including a request that College and University Presidents get an annual security report from their staffs.  Hmmm, I always like to be early rather than late.  So I’m going to beta test such a report (really just for us in IT for now) based on 2011-2012 data within our fiscal/audit year window.

Next up, Brian Tillett, Chief Security Strategist from Symantec shared some data from Symantec.  View the video for everything.  The big things I jotted down were

  • 1 in 299 emails is a phishing message
  • Hackers are patching the hole they used to get into a system to keep other hackers out
  • Some hacks are targeted, one group dropped infected thumb drives at a conference which contained malware designed for the attendee’s organization.  Guess what people do with free thumb drives?
  • Mobile malware is on the rise.  They’ve pulled 200 apps out of the app store due to malware. SMS payments offer a new way for malware to strike — you don’t see the charge for 28 days and then what is the recourse?
  • They did an experiment, the Honeystick Project, and purposely lost phones in 5 major cities.  50% of the lost phones were returned.  96% of the phones were examined by the finders for information.  There’s more details in the PDF that are interesting and alarming.

On to the sessions – first I attended “Winning the Battle against Phishing Scams.”  K-State has become the target of better and better phishing scams (“spear phishing”) over the years.  The presentation shows the progression from simple to crafty as well as who is falling for them — it’s not who you might expect.

After lunch I attended “Ensuring Electronic Data Records Integrity through a Simple Audit Process.”  I liked her CIA approach – confidentiality, integrity and availability.  NDSU has some clear policies and procedures defined for document imaging.  They have the challenge that their registrar “owns” the document imaging solution and not central IT.  The topic of de-provisioning accounts came up as a challenge in higher ed.  I can see that especially when you are in a distributed environment.  When someone changes jobs at a University their access needs to be changed — when this is distributed there is more chance for it not to happen.

Next up was “Network Security That Works for IT and Users.”  American University went with Impulse Point for their NAC (network access control) solution for all networks — wired and wireless, for everyone.  They followed a similar path to my school — netreg until 2005, Cisco Clean Access until 2011 (we’re both on Aruba wireless too).  We’ve enjoyed Impulse Point’s product as it recognizes every device so we can set up rules for each kind — we just use it on the student network currently.  They do use something called CloudPath for 802.1X wireless.  We always run into the issue that when someone changes their password (which they should do) their wireless device keeps authenticating with the old password, so they quickly get locked out of their account due to multiple failures (intruder lockout).  So they are penalized in the end for doing the right thing.  It sounds promising, but there is always a cost for adding another system into the mix.
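The lockout problem described above is a detection question: the authentication server sees the same "bad password" failures whether a user's own laptop is replaying a stale 802.1X profile or someone is guessing the password.  The script below is an added example written for this post, not code from Impulse Point, CloudPath or Aruba, that correlates a password-change log with RADIUS failure records before applying the lockout rule.  The log format, field names and sample lines are hypothetical and constructed here; the thresholds are assumptions.

```python
"""Tell a stale 802.1X supplicant apart from a password-guessing attempt.

After a password change, a user's own device keeps sending the OLD password
and racks up failures that look exactly like an intruder.  This correlates
RADIUS "bad-password" failures with recent password changes and the number
of distinct client devices before deciding whether the lockout policy
should fire.  Log format and sample lines are constructed for this example
(hypothetical, not any vendor's real syslog output).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: jdoe changed a password, then one device retried
# with the old one; asmith is hit from five different MACs with no password
# change; bwong mistyped once.
SAMPLE_LOGS = """\
2012-05-10T09:00:00 idm pwchange user=jdoe
2012-05-10T09:01:05 radius auth-fail user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad-password
2012-05-10T09:01:35 radius auth-fail user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad-password
2012-05-10T09:02:05 radius auth-fail user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad-password
2012-05-10T09:02:35 radius auth-fail user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad-password
2012-05-10T09:03:05 radius auth-fail user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad-password
2012-05-10T22:10:00 radius auth-fail user=asmith mac=11:22:33:44:55:01 reason=bad-password
2012-05-10T22:10:02 radius auth-fail user=asmith mac=11:22:33:44:55:02 reason=bad-password
2012-05-10T22:10:04 radius auth-fail user=asmith mac=11:22:33:44:55:03 reason=bad-password
2012-05-10T22:10:06 radius auth-fail user=asmith mac=11:22:33:44:55:04 reason=bad-password
2012-05-10T22:10:08 radius auth-fail user=asmith mac=11:22:33:44:55:05 reason=bad-password
2012-05-10T14:00:00 radius auth-fail user=bwong mac=de:ad:be:ef:00:01 reason=bad-password
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

LOCKOUT_THRESHOLD = 5                 # assumed: failures that normally trigger lockout
FAILURE_WINDOW = timedelta(minutes=10)  # assumed: failures must cluster this tightly
GRACE = timedelta(hours=24)           # assumed: how long after a change a stale profile is plausible


def parse(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        fields["event"] = m.group("event")
        events.append(fields)
    return events


def burst_size(fails):
    """Largest number of failures that fall inside any one FAILURE_WINDOW."""
    ts = sorted(e["ts"] for e in fails)
    best = 0
    for i, start in enumerate(ts):
        best = max(best, sum(1 for t in ts[i:] if t - start <= FAILURE_WINDOW))
    return best


def classify(events):
    """Return {user: 'ok' | 'stale_supplicant' | 'lockout'}."""
    pwchanges = defaultdict(list)
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "pwchange":
            pwchanges[e["user"]].append(e["ts"])
        elif e["event"] == "auth-fail" and e.get("reason") == "bad-password":
            failures[e["user"]].append(e)

    verdicts = {}
    for user, fails in failures.items():
        if burst_size(fails) < LOCKOUT_THRESHOLD:
            verdicts[user] = "ok"
            continue
        macs = {e["mac"] for e in fails}
        first = min(e["ts"] for e in fails)
        # A password change shortly BEFORE the burst, from a single device,
        # is the signature of a device still carrying the old credential.
        recent_change = any(timedelta(0) <= first - pc <= GRACE for pc in pwchanges[user])
        verdicts[user] = "stale_supplicant" if (len(macs) == 1 and recent_change) else "lockout"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(classify(parse(SAMPLE_LOGS)).items()):
        print(f"{user}: {verdict}")
```

The stale-supplicant verdict should translate into a notice to the user to update the wireless profile and a suppression of the lockout for that one MAC, not a blanket exemption: a MAC address is trivially spoofed and an attacker who knows a password was just changed can mimic this pattern, so the exemption should expire with the grace window and failures from that device should still be counted once it ends.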

Last up was “Securing the Human on Your Campus: How to Successfully Deploy Your Security Awareness Program.”  One of the great quotes from a session, I forget which, was that “the weakest security link is the person in front of the keyboard.”  That was true for our penetration test — everything held up to the attempts to gain entry — but all it takes is giving up a password and the best locks are bypassed. There was a great slide in the presentation that showed a table of all of the laws and regulations that higher ed has to comply with — GLBA, FERPA, HIPAA, PCI-DSS, Red Flag Rules, and more if you are a state school.  The Educause information security governance assessment tool was mentioned which is something I’ll be filling out.

Thursday

Thursday opened with a great general session panel of C-level folks from IT, financials and student affairs talking about “Ensuring Effective Communications for Information Security on Campus.”  You can watch it here.  A common theme was the need to communicate across functional areas in higher ed.  The CFO noted that ERP implementations often cost two or three times the original estimate, often because the drive is to recreate the same screens you had in the old system.  This led into a discussion of IT as an “at your service” organization vs. a partner and strategic force.  The former drives costs up for the institution; the latter is the way to bring value to the organization.  The Chief Information Security Officer (CISO) of the group noted that she tries not to be the person saying “no” (common for that role) but instead is the person saying “yes, but in this way.”  The CIO mentioned how IT can add value to student learning and especially retention through new tools like systems that raise flags early.  I enjoyed the CFO’s no-nonsense approach and the entire panel were great speakers.

On to the smaller sessions, “Security on the Cheap: Creating a Cost-Effective Information Security Program” had an entertaining, down-to-earth presenter from Columbia University.  I grabbed many great quotes from him

  • “security is a process not a program”
  • “security is a people and information business, not a technology business”
  • “develop a security philosophy”
  • “there is no perfect security”
  • “don’t buy a $1000 lock for $5 of data”
  • “move the security as close to the data as possible”

Columbia had a unique approach to security and I appreciated the perspective he had.  He figured if he can protect the world from Columbia then he is protecting Columbia from the world.

Last up was “Security Metrics: Telling the Right Story.”  Again, another good PowerPoint to review.  He described what Cornell learned about picking metrics for assessing your security.  Some of the pitfalls he noted were very interesting

  • the work/effort trap – this is a common one to use but is only effective if you are trying to justify more staffing
  • confirmation bias – since you are looking for something specific you look narrowly for it and, voila, you find it
  • selection bias – since you are looking for something specific you look in places where you expect to find it and, voila, you find it.  Some tools have blind spots and you need to be aware of those.
  • unquantifiable risk – how do you measure the $ risk of something that has not happened yet
  • wrong data source – you might be looking in the wrong places, and self-reporting only gives a partial picture

He also mentioned Bob Lewis’ article, The four fallacies of IT metrics, that I will check out.  The presenter’s list of metrics was very useful and something I’ll take into account when building my beta test of an annual security report.  They were

  • # of system compromises
  • # of password compromises
  • # of requests for investigation
  • # of incidents involving reportable data (and # of identities compromised)
  • any other notable items
  • lastly some work effort numbers (even though he recommended not focusing on that)

All in all it was a valuable conference and the Twitter activity was great.  Educause needs to archive those hashtag feeds.
