Your SlideShare is downloading. ×
The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

The Cost Of Preventing Breaches Educause Nat Conf Denver Nov 09


Published on

EDUCAUSE National Conference in Denver, Nov 09

EDUCAUSE National Conference in Denver, Nov 09

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Show movie
  • Transcript

    • 1. The Cost Of Preventing Breaches
      Tammy L. Clark, CISO, Georgia State University
      Adam Dodge, IT Security Officer, Eastern Illinois University
    • 2. Introducing…
      In the early years of Georgia State University’s Information Security program, Tammy was a very persistent Hacker whacker. It was a thankless job, but someone had to do it…
      Tammy Clark
    • 3. Key Topics For Today’s Discussion
      Today’s Threat Landscape
      Breaches and Root Causes
      What Seems to Be the Problem Here?!
      What Drives Change in Higher Ed?
      Can We Use Technology, Processes, and People Effectively to Assist with Breach Prevention?
      The ‘Nitty-Gritty’ About Our Information Security Programs
      Summary of Key Points
      Join in On the Fun With Questions or Comments
    • 4. Today’s Threat Landscape
      What are the prevalent threats we’re seeing out there that affect our end users?
      Lots of spear phishing
      Infected websites
      Social Engineering, Scams, Organized Crime
      Our IT orgs are dealing with increasingly sophisticated malware, SSH attacks, and OS/APP vulnerabilities. New exploits continue to be developed at a dizzying pace and our vendors can’t ever seem to keep up!
    • 5. Introducing…
      Adam maintains the Educational Security Incidents (ESI) site, which serves as a repository for reported information on security incidents that have occurred at institutions of higher education.
      Adam Dodge
    • 6. Breaches and Root Causes
      Educational Security Incidents (ESI) reports that in 2008:
      173 separate incidents were reported
      24.5% increase over 2007
      Primary Reasons:
      Unauthorized Disclosure - 75
      Theft - 40
      Unauthorized Access/Penetration – 35
      Additionally, Privacy Rights Clearinghouse reports that so far in 2009, 38 colleges have reported incidents out of 196 total incidents reported…
      Of these, 17 were due to theft; 11 to unauthorized access/penetration, and 10 were the result of unauthorized disclosure
    • 7. What Seems to Be the Problem Here!?
      Lack of Standardization/Plans, Policies and Standards
      Challenges in Data Classification and Risk Management
      Incorrectly configured/secured devices, apps and web sites
      Inadequate perimeter protection
      Lack of advanced intrusion detection & analysis skills
      Inadequate endpoint protection
      Lack of encryption
      Open Ended Culture
      Security ‘un-aware’ users—no ‘skin in the game’ or circumventing controls
    • 8. What Drives Change in Higher Ed?
      Let’s Face it--Data Breaches (either our own or a neighboring institution)
      Compliance: PCI, FERPA, HIPAA, GLBA, Red Flags, DMCA
      Research Grants that require minimum levels of security or compliance with FISMA or ISO 27001/2
      Budget Cuts
      Emergency Management
      Risk Management
      University President’s/Provost’s Priorities
    • 9. Can We Use Technology to Assist with Preventing Breaches?
      Network Intrusion Prevention, Intrusion Detection, Firewalls, AV and Anti-Spam Gateways, et al)
      Endpoint security tools and suites (AV, Anti-Spyware, Anti-Malware, Host firewalls/IPS, NAC, etc)
      Vulnerability Assessments
      Governance, Risk, and Compliance
      Data Loss Prevention
      Identity Access Management
      Security Information and Event Management
      The List Goes On…and On
      Bottom Line---$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    • 10. Is Process Development Important as Well?
      YES! Why?
      Myriad of Compliance Requirements
      Standards (ISO, FISMA, COBIT, ITIL) and Standardization (Yes! In higher Ed)
      Get Rid of Confidential Data We Don’t Need or Require!
      Data Classification and Risk Management
      Audits/Corrective & Preventive Measures
      Physical & Logical Controls to Integrate Into IT/Business Processes
      3rd parties processing or storing our data
      Contracts with customers on campus to manage their critical systems and data with central IT/Sec organizations
    • 11. And What About the People?!
      Authority (must) = Accountability (The Golden Rule)
      Make IT system/data protection everyone’s job!
      Responsible for Compliance – in Some Cases, Personal Liability
      Data Cleanup Parties including non-electronic formats
      Security Reviews and mandated controls for systems processing confidential data (require encryption, not running P2P apps, etc.)
      Lots and lots of Security Awareness Training!
    • 12. Higher Ed Information Security Programs—The ‘Nitty-Gritty’
    • 13. Reactive
      People – Depend on ‘security unaware’ End Users and (often) a Cheerleader ISO!
      Process – Too Busy Chasing the Threats and Incidents!
      Technology – Protecting either the outside perimeter or workstations/servers (AV, Firewalls)
      $$$ Investment in Breach Prevention - Low
      Aftermath of a potential breach – High Impact
      Information Security Program Maturity Index – 1 or 2 on the CMMI
      Largest Impacts to Information Security Programs in Reactive Mode - lots of unfunded mandates; inadequate resources and funding; threat of penalties/lawsuits due to noncompliance and lack of due diligence; difficulty detecting and responding to security incidents; increased reputational risk; high risk of widespread malware outbreaks and data breaches
    • 14. Proactive
      People – Emphasis on securing adequate resources
      Process – Huge investment in process development and awareness training
      Technology – Implement defense in depth architecture
      $$$ Investment in Breach Prevention – Very High
      Aftermath of a potential breach – Medium Impact
      Information Security Program Maturity Index – 3 or 4 on the CMMI
      Largest Impacts to Information Security Programs in Proactive Stage/Mode – Heavy infrastructure costs, resource intensive activities; paradigm shifts towards incorporating standards and regulatory guidance; increased standardization, risk management, and attention to building out a fully functional information security program; heavy reliance by the IT org on the Information Security Dept. staff to protect institutional data/IT resources
    • 15. Predictive
      People – Emphasis on integrating information security throughout the IT org and university
      Process – Continuing investment; Increased emphasis on security awareness education and training
      Technology –Emphasis on optimizing technology investment
      $$$ Investment in Breach Prevention –Spread and streamline costs as IS integrates throughout the IT org and campus
      Aftermath of a potential breach – Low Impact
      Information Security Program Maturity Index – 4 or 5 on the CMMI
      Largest Impacts to Information Security Programs in Predictive Stage/Mode – no information security silos; information security is integrated into every facet of the institution; data protection is everyone’s responsibility; authority=accountability; dedicated staff focus on core IS duties
    • 16. Case Study—Infosec@Ga State Univ
      2000-2003: Reactive Mode
      2004-2009: Proactive Mode
      2010: Moving into Predictive Mode
    • 17. Case study – Eastern Illinois Univ
    • 18. Summary of Key Points
      Threats continue to heavily target end users
      Human Errors account for over 70% of data breaches that Occur
      Information Security staffs should not be held accountable for protecting institutional assets and data
      Information Security needs to be integrated throughout our IT organizations and campuses
      In order to mature and ensure continuous improvement, information security programs must be adequately funded and ramped up in terms of people, process, and technology
      Effective policies, processes, guidelines, and security training/education must be emphasized and funded in terms of $$ and resources
      Building a solid community of ‘Security Aware’ users represents both our greatest challenge and our best defense against data breaches!
    • 19. Questions?
      Contact Tammy Clark at, 404 413 4509
      Contact Adam Dodge at
      Copyright Tammy L. Clark, Oct 2009.. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
    • 20. What did you think about this session?
      Your input is important to us!
      Click on “Evaluate This Session” on the conference program page.