© CoSN/MNEP 2005 http://SecureDistrict.CoSN.org 1

  • My name is Steven Miller. I’m …
  • We recognize that the role of technology is to facilitate schools’ primary mission – helping students learn.
  • The Lead Sponsors will provide their own statements in a few moments.
  • Looking at the data another way indicates that the sophistication of the attack tools is increasing while the amount of technical knowledge required to launch an attack is decreasing. Attack developers post their successes on electronic boards, news groups, magazines, and other publication sources. With more of the technical knowledge embedded into the “hacking tools”, more participants can take advantage of the exploit which has given rise to “script kiddies”. Current “rule of thumb” about finding an attack script: It takes less than 2 minutes for an unsophisticated attacker to download an automated tool from the Internet and attack a site. An estimated 3,000 attack programs are running across the Internet every minute of every day. It’s not a question of “if” but “when” and “how badly.”
  • CoSN is uniquely positioned to help district technology leaders learn from the experts, and from each other, in order to effectively deal with this issue. In developing a methodology, we are drawing on work conducted by the Software Engineering Institute at Carnegie Mellon University.
  • As business knows, most system misuse and abuse is done by “insiders.” But treating all users as if they are the enemy is a dead end. Locking everything down so it is “user proof” is a short-term tactic that is only useful in specific situations for specific purposes. It is not a long-term or overall strategy. Schools exist for learning, for exploration, for experimentation and making mistakes. Maintaining an effective level of security will *always* require users to do a bit more work and take a bit more care than they would like to do. If they don’t feel that the system is making their jobs easier, if they don’t feel that the system is well run and trustworthy, if they don’t understand why this extra effort is needed and useful (and that they had a role in helping shape the rules they are following), then they simply won’t do it.
  • Getting started means talking. A concerned superintendent can open a discussion with the district CTO with eight simple questions that connect quickly to fundamental aspects of IT security.
  • As a next step, the CTO can run through the District Security Checklist to establish a quick assessment of the current state of security in the district. The maximum point total is 100. How does your district compare?
  • Formatted much like the familiar STaR charts now tailored for state evaluations in Texas, Tennessee, Florida, Massachusetts, and elsewhere, the Security planning grid can be used to identify current status and next steps.

    1. A CoSN Leadership Initiative In Partnership with Mass Networks Education Partnership (MNEP) www.securedistrict.cosn.org
    2. The Mission
        • Provide vendor-neutral tools to help policy makers and technology leaders work together for effective action to:
            1) analyze their district’s level of Cyber Security preparedness and vulnerability;
            2) prioritize and implement the steps needed to improve their security status;
            3) prepare to ensure operational continuity when a problem slips through.
        • … in ways that help technology contribute to their school’s primary goal of teaching and learning
    3. Cyber Security Sponsorship
        • Additional support from: BellSouth Foundation, Enterasys, Microsoft, Sonic Wall, Sun Microsystems, and media partner CMP’s Technology & Learning magazine
        • In collaboration with the Northwest Regional Education Laboratory
    4. Attack Sophistication vs. Intruder Knowledge (Source: www.cert.org)
    5. Why Worry?
    6. Safety vs. Security
        • Safety: Individual behavior
            • Teaching someone to drive safely.
            • Don’t give out personal information
            • How to handle “inappropriate” material
        • Security: An organizational responsibility
            • Making sure the car functions properly.
            • Preventing virus penetrations
            • Maintaining operational continuity during a crisis
    7. Website: Home Page
    8. The Planning Protocol
        • Phase 1: Set Security Goals. Outcome: Security Project Description (goals, processes, resources, decision-making, standards)
        • Phase 2: Risk Analysis. Outcome: Prioritized Risk Assessment. A ranked list of vulnerabilities to guide Risk Reduction efforts
        • Phase 3: Risk Reduction. Outcome: Implemented Security Plan. Risk Analysis and Risk Reduction Processes must be regularly repeated to ensure effectiveness
        • Phase 4: Crisis Management. Outcome: Crisis Management Plan. A blueprint for organizational continuity
    9. Some of the Tools
        • Ten Questions Superintendents Most Often Ask
        • Eight Questions A Superintendent Should Ask the Chief Technology Officer
        • Cyber Security: An Introductory Slide Show
        • Self-Assessment Checklist
        • Cyber Security Planning Grid
        • Security Planning Template
        • Cautionary Tales
        • Case Studies
        • Newsletter
        • Plus: Workshops, Webinars, and Articles
    10. Eight Questions A Superintendent Should Ask The Chief Technology Officer
        Question 1: How are we doing so far?
        • Impact. Did security problems result in:
            • Loss of efficiency, productivity, or other costs?
            • Failure to meet district educational objectives?
            • Damage to reputation?
            • Harm to students or staff?
        • Causes. Were problems caused by:
            • Inadequate technical safeguards?
            • Insufficient staff training?
            • Unauthorized access to or use of systems by insiders?
            • Intrusion by outsiders?
        • Incidents. Over the past year:
            • Was confidential data compromised?
            • Was data lost or corrupted?
            • Was equipment stolen or misused?
            • Was email or Internet service interrupted?
            • Did virus or spam attacks cause shutdowns?
    11. Eight Questions A Superintendent Should Ask The Chief Technology Officer
        • How are we doing so far?
        • Do we have a security plan?
        • Do we have adequate security and privacy policies in place?
        • Are our network security procedures and tools up to date?
        • Is our network perimeter secured against intrusion?
        • Is our network physically secure?
        • Have we made users part of the solution?
        • Are we prepared to survive a security crisis?
    12. District Security Checklist
        • Five topic areas to get a handle on where the district is now
        Topic Area
            1. Management
            2. Technology
            3. IT Operations
            4. Physical and Environmental Security
            5. Users
    13. District Security Checklist
        Topic Area (with Points): 1. Management; 2. Technology; 3. IT Operations; 4. Physical and Environmental Security; 5. Users
        Topic Area 1. Management
            • Do you have a Security Plan, less than 12 months old, in place? (10 points)
            • Is security planned and managed by a Security Leadership Team? (6 points)
            • Do you have detailed District Security Policies in place? (4 points)
            • Do you have an updated Crisis Management plan in place? (10 points)
            • Have you performed a Security Audit in the past 12 months? (5 points)
    14. District Security Checklist
    15. Risk Reduction
        • The Security Grid
            • Organized in Rubric format
                • You know where you are
                • You know what are the priority issues
                • You know what are the next steps
    16. Security Planning Grid
        • Provides benchmarks for assessing key security preparedness factors
        • Uses the same topic areas for consistency
        • Helps prioritize security improvement action steps
        Security Area (levels: Basic, Developing, Adequate, Advanced)
        • Management (Leadership)
            • Basic: Little participation in IT security
            • Developing: Aware but little support provided
            • Adequate: Supports and funds security
            • Advanced: Aligns security with organizational mission
        • Technology (Network design and IT operations)
            • Basic: broadly vulnerable
            • Developing: security roll out is incomplete
            • Adequate: mostly secure
            • Advanced: seamless security
        • Environmental & Physical (Infrastructure)
            • Basic: not secure
            • Developing: partially secure
            • Adequate: mostly secure
            • Advanced: secure
        • End Users (Stakeholders)
            • Basic: unaware of role in security
            • Developing: Limited awareness and training
            • Adequate: Improved awareness, mostly trained
            • Advanced: Proactive participants in security
    17. Security Planning Grid: Management (levels: Basic, Developing, Adequate, Advanced)
        District Leadership
        • Oversight: goals
            • Basic: No articulated security goals.
            • Developing: Security goals sketched out.
            • Adequate: Security goals stated clearly.
            • Advanced: Security goals stated clearly.
        • Oversight: legal compliance
            • Basic: Awareness of legal issues: basic. Extent of compliance: unknown
            • Developing: Awareness: growing. Compliance: OK at network level
            • Adequate: Awareness: desktop to internet. Compliance: not fully auditable
            • Advanced: Awareness: desktop to internet. Compliance: fully auditable
        • Oversight: policy
            • Basic: No policy specifically targets technology use.
            • Developing: Policy in early stages, addresses legal issues.
            • Adequate: Policy ties technology use to mission.
            • Advanced: Policy meshes seamlessly with district mission.
        • Support: budget & staffing, communication
            • Basic: No support specifically for security
            • Developing: “Security” is not a budget line item
            • Adequate: Commitment to TCO-based budgeting and HR needs. Appropriate communication.
            • Advanced: Strong support restrained by performance indicators. Effective communication.
        Security Management
        • Security Team: Charter
            • Basic: No formal Security Team
            • Developing: Team lacks formal authorization.
            • Adequate: School Board approves Team purpose
            • Advanced: School Board reviews Team accomplishments
        • Security Team: Members
            • Basic: (no entry)
            • Developing: Informal Team
            • Adequate: Stakeholder groups represented
            • Advanced: Strong leadership representation
        Security Planning
        • Security Plan
            • Basic: No security plan.
            • Developing: Basic security plan.
            • Adequate: Security plan linked to goals & audit.
            • Advanced: Security plan linked to goals & audit.
        • Security Audit
            • Basic: No security audit.
            • Developing: Internal security audit done.
            • Adequate: External security audit done.
            • Advanced: External security audit done.
        • Crisis Management Plan
            • Basic: No Crisis Mgt Plan specifically for IT.
            • Developing: Basic IT Crisis Mgt Plan.
            • Adequate: Updated IT Crisis Mgt Plan.
            • Advanced: IT Crisis Mgt Plan fully tested.
        Security Implementation
        • IT Staffing Levels
            • Basic: staff - computer ratio 1:>750
            • Developing: staff - computer ratio 1:750
            • Adequate: staff - computer ratio 1:500
            • Advanced: staff - computer ratio 1:250
        • Staff competency
            • Basic: Generalists lacking expertise
            • Developing: Generalists; few network specialists
            • Adequate: Differentiated expertise
            • Advanced: Differentiated expertise, cross-trained
        • Security Staff
            • Basic: No one paying attention to security
            • Developing: CTO or other management staff also deals with security
            • Adequate: A staff person focuses on security
            • Advanced: A Chief Security Officer exists
    18. Phase Three: Risk Reduction. Security Planning Grid: Management (levels: Basic, Developing, Adequate, Advanced)
        District Leadership
        • Oversight: goals
            • Basic: No articulated security goals.
            • Developing: Security goals sketched out but little substance.
            • Adequate: Security goals stated clearly.
            • Advanced: Security goals stated clearly.
        • Oversight: legal compliance
            • Basic: Awareness of legal issues: basic. Extent of compliance: unknown
            • Developing: Awareness: growing. Compliance: OK at network level
            • Adequate: Awareness: desktop to internet. Compliance: not fully auditable
            • Advanced: Awareness: desktop to internet. Compliance: fully auditable
        • Oversight: policy
            • Basic: No policy specifically targets technology use.
            • Developing: Policy in early stages, addresses legal issues.
            • Adequate: Policy ties technology use to mission.
            • Advanced: Policy meshes seamlessly with district mission.
        • Support: budget & staffing, communication
            • Basic: No support or communication specifically for security.
            • Developing: Support is inconsistent. No budget line item for “Security”
            • Adequate: Commitment to TCO-based budgeting and HR needs. Appropriate communication.
            • Advanced: Strong support restrained by performance indicators. Effective communication.
    19. Phase Three: Risk Reduction. Security Planning Grid: Management (levels: Basic, Developing, Adequate, Advanced)
        Security Planning
        • Security Plan
            • Basic: No security plan.
            • Developing: Basic security plan.
            • Adequate: Security plan linked to goals & audit.
            • Advanced: Security plan linked to goals & audit.
        • Security Audit
            • Basic: No security audit.
            • Developing: Internal security audit done.
            • Adequate: External security audit done.
            • Advanced: External security audit done.
        • Crisis Management Plan
            • Basic: No Crisis Mgt Plan specifically for IT.
            • Developing: Basic IT Crisis Mgt Plan.
            • Adequate: Updated IT Crisis Mgt Plan.
            • Advanced: IT Crisis Mgt Plan fully tested.
    20. Security Planning Grid. Phase Three: Risk Reduction. Technology (levels: Basic, Developing, Adequate, Advanced)
        • Architecture (Architecture: overview)
            • Basic: Architecture at basic stage
            • Developing: Architecture lacks capacity for growth
            • Adequate: Appropriate Architecture
            • Advanced: Appropriate Architecture with room to grow.
        • Perimeter Defense (DMZ, Firewall, Virus Protection, Content and Spam Filters, VPN, Wireless Access)
            • Basic: No DMZ. No virus protection, content filtering at minimal levels
            • Developing: Basic DMZ. Firewall functions separated from servers; patch mgt remains manual.
            • Adequate: Full DMZ. All email, web services protected. Automated patch management.
            • Advanced: Full DMZ. All protection services are automated; network monitored in real time.
        • WAN Design (Plan: Authorization, Authentication. Implementation: Standardization, Centralized Mgt)
            • Basic: WAN incomplete; no redundancy or standardization
            • Developing: WAN almost complete; building LANs not standardized. Redundancy only on most critical network components
            • Adequate: WAN complete; properly segmented. Most building LANs standardized. Centralized mgt is incomplete
            • Advanced: Centralized WAN management. Redundancy for network components
        • Internet (Bandwidth, Internet Access)
            • Basic: Minimal: may match current needs
            • Developing: Inadequate for accelerating demands
            • Adequate: Bottlenecks occur during peak demand
            • Advanced: Capacity for future demands
    21. Security Planning Grid. Phase Three: Risk Reduction. IT Operations (levels: 'Fire-fighting' mode, 'Growing pains', 'Reliable technology', 'Growth-oriented')
        • LAN Mgt (Backups, Network Monitoring, Documentation, External Vendors)
            • 'Fire-fighting' mode: Backups not secure; few standards or policies; systems occasionally down; no preventive maintenance; external vendors: not documented
            • 'Growing pains': some standards, few policies; systems usually reliable; monitoring & maintenance on critical devices; external vendors: not verified
            • 'Reliable technology': Standards & policies in place; systems rarely down; routine maintenance but documentation still skimpy; external vendors: not audited
            • 'Growth-oriented': clear policies; effective, flexible standardization; systems: highly reliable; efficient maintenance; appropriate documentation; all vendors: fully audited
        • End user computers (Installation, repair; Patch Mgt, Updates; Software Licensing; Password Mgt; User Support)
            • 'Fire-fighting' mode: End user computer security not enforceable or verifiable. Manual patching: inconsistent updates. Lack of user support severely limits productivity
            • 'Growing pains': End user computer security improved but not enforceable. Patching is manual but consistent. User support frequently delayed
            • 'Reliable technology': End user computer security enforceable or verifiable. Automated patching and updates in most buildings. User support meets minimal requirements
            • 'Growth-oriented': End user computer security is effective throughout district. Fully automated updates or thin-client setup. Multi-tier user support results in significantly improved outcomes.
    22. http://SecureDistrict.CoSN.org
    23. NEW -- CoSN Leadership Initiative
        • Accessible Technologies for All Students
        • www.accessibletech4all.org
        • Increased Achievement and Success for All Students through the Use of Accessible Technologies
    24. Other CoSN Leadership Initiatives
        • Taking Total Cost of Ownership (TCO) to the Classroom www.classroomtco.cosn.org
        • Safeguarding the Wired Schoolhouse www.safewiredschools.cosn.org
        • 3D: Vision to Know & Do www.3d2know.cosn.org
    25. CoSN’s mission is to advance the K-12 education community’s capacity to effectively use technology to improve learning through advocacy, policy and leadership development
        • www.cosn.org
        • The Cyber Security project is done in partnership with:
        • Mass Networks Education Partnership
        • www.massnetworks.org
        • email: [email_address]
        • http://securedistrict.cosn.org
    26. Keith Krueger, CEO [email_address] www.cosn.org 1710 Rhode Island Avenue NW Suite 900 Washington, DC 20036-3007
