CyberSecurity - Linda Sharp


Published on

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CyberSecurity - Linda Sharp

  1. 1. Cyber Security Linda Sharp CoSN Cyber Security Project Director SchoolDude University 2009
  2. 2. Understanding the Issues <ul><li>Four Reasons to Pay Attention to K-12 Network Security </li></ul><ul><li>1. Protect data </li></ul><ul><li>2. Prevent misuse of resources </li></ul><ul><li>3. Prevent interruption of operations </li></ul><ul><li>( Protecting the Core Mission: Learning) </li></ul><ul><li>4. Keep kids safe </li></ul>SchoolDude University 2009
  3. 3. Reliance on Technology <ul><li>For instructional activities </li></ul><ul><li>For business operations </li></ul><ul><li>For student data and recordkeeping </li></ul><ul><li>For assessment and accountability </li></ul><ul><li>For internal and external communication </li></ul><ul><li>Other areas of reliance in your schools? </li></ul>SchoolDude University 2009
  4. 4. The Evolution of Intent From Hobbyists to Professionals SchoolDude University 2009 THREAT SEVERITY 1990 1995 2000 2005 WHAT’S NEXT? 2007 Threats becoming increasingly difficult to detect and mitigate FINANCIAL: Theft & Damage FAME: Viruses and Malware TESTING THE WATERS: Basic Intrusions and Viruses
  5. 5. Financial Impact <ul><li>2004 – Cyber Attack impact in business was $226 billion </li></ul><ul><li>2008 – One of top 4 US priority security issues. </li></ul><ul><li>Cyber Crime has overtaken drugs for financial impact. </li></ul>SchoolDude University 2009
  6. 6. Legal Impact <ul><li>FERPA </li></ul><ul><li>CIPA </li></ul><ul><li>HIPAA </li></ul><ul><li>COPA </li></ul><ul><li>FRCP 34 </li></ul>SchoolDude University 2009
  7. 7. Legal Impact <ul><li>Data </li></ul><ul><ul><li>Personal, Private, Sensitive Information </li></ul></ul><ul><li>Information Sharing </li></ul><ul><ul><li>Internal </li></ul></ul><ul><ul><li>External </li></ul></ul><ul><li>Backup/Restore </li></ul><ul><ul><li>Where and how </li></ul></ul>SchoolDude University 2009
  8. 8. Legal Impact <ul><li>Acceptable Use Policies (AUP) </li></ul><ul><ul><li>Who should sign AUP? </li></ul></ul><ul><ul><li>What should be included? </li></ul></ul><ul><ul><ul><li>Internet usage </li></ul></ul></ul><ul><ul><ul><li>Data protection and privacy </li></ul></ul></ul><ul><ul><ul><li>Rules/regulations </li></ul></ul></ul><ul><ul><ul><li>Consequences </li></ul></ul></ul>SchoolDude University 2009
  9. 9. Safety vs. Security <ul><li>Safety: Individual behavior </li></ul><ul><li>Security : An organizational responsibility </li></ul>SchoolDude University 2009
  10. 10. Five Guiding Questions <ul><li>What needs to be protected? </li></ul>SchoolDude University 2009
  11. 11. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul>SchoolDude University 2009
  12. 12. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul>SchoolDude University 2009
  13. 13. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul><ul><li>What happens if protection fails? </li></ul>SchoolDude University 2009
  14. 14. Five Guiding Questions <ul><li>What needs to be protected? </li></ul><ul><li>What are our weaknesses? </li></ul><ul><li>What are we protecting against? </li></ul><ul><li>What happens if protection fails? </li></ul><ul><li>What can we do to eliminate vulnerabilities and threats and reduce impacts? </li></ul>SchoolDude University 2009
  15. 15. Three Strategic Areas <ul><li>People </li></ul><ul><li>Policy </li></ul><ul><li>Technology </li></ul>SchoolDude University 2009
  16. 16. Three Action Themes <ul><li>Prevention </li></ul><ul><li>Monitoring </li></ul><ul><li>Maintenance </li></ul>SchoolDude University 2009
  17. 17. Questions to Ask <ul><li>Do we have a security plan? </li></ul>SchoolDude University 2009
  18. 18. Questions to Ask <ul><li>Do we have adequate security and privacy policies in place? </li></ul><ul><ul><li>District Security Rules </li></ul></ul><ul><ul><li>Legal Review </li></ul></ul><ul><ul><li>External Controls </li></ul></ul>SchoolDude University 2009
  19. 19. Questions to Ask <ul><li>Are our network security procedures and tools up to date? </li></ul><ul><ul><li>Hardware </li></ul></ul><ul><ul><li>Software </li></ul></ul><ul><ul><li>Monitoring </li></ul></ul>SchoolDude University 2009
  20. 20. Questions to Ask <ul><li>Is our network perimeter secured against intrusion? </li></ul><ul><ul><li>Design </li></ul></ul><ul><ul><li>Laptops </li></ul></ul><ul><ul><li>Wireless Security </li></ul></ul><ul><ul><li>Passwords </li></ul></ul>SchoolDude University 2009
  21. 21. Questions to Ask <ul><ul><ul><ul><li>Is our network physically secure? </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Environmental Hazards </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Physical Security </li></ul></ul></ul></ul></ul>SchoolDude University 2009
  22. 22. Questions to Ask <ul><li>Have we made our users part of the solution? </li></ul><ul><ul><li>Awareness </li></ul></ul><ul><ul><li>Training </li></ul></ul><ul><ul><li>Communications </li></ul></ul>SchoolDude University 2009
  23. 23. Questions to Ask <ul><li>Are we prepared to survive a security crisis? </li></ul><ul><ul><li>Backups </li></ul></ul><ul><ul><li>Redundant Systems </li></ul></ul><ul><ul><li>Communications Plan </li></ul></ul><ul><ul><li>Preparedness </li></ul></ul>SchoolDude University 2009
  24. 24. Security Planning Protocol SchoolDude University 2009 Outcome: Security Project Description  goals  processes  resources  decision-making standards Phase 1: Create Leadership Team & Set Security Goals Outcome: Prioritized Risk Assessment A ranked list of vulnerabilities to guide the Risk Reduction Phase Phase 2: Risk Analysis Outcome: Implemented Security Plan Risk Analysis and Risk Reduction processes must be regularly repeated to ensure effectiveness Phase 3: Risk Reduction Outcome: Crisis Management Plan A blueprint for organizational continuity Phase 4: Crisis Management
  25. 25. Leadership Team <ul><li>Create Leadership Team and Set Security Goals </li></ul><ul><ul><ul><li>Purpose : Clarify IT’s role in district mission </li></ul></ul></ul><ul><ul><ul><li>Scope : Set boundaries and budgets </li></ul></ul></ul><ul><ul><ul><li>Values : Define internal expectations and external requirements for security </li></ul></ul></ul>SchoolDude University 2009
  26. 26. Leadership Team <ul><li>Leadership Team Personnel </li></ul><ul><li>IT Leadership </li></ul><ul><li>Administrators – district and building </li></ul><ul><li>Legal counsel </li></ul><ul><li>Human resources </li></ul><ul><li>Public relations representative </li></ul><ul><li>Teachers </li></ul>SchoolDude University 2009
  27. 27. District Security Checklist <ul><li>Self Assessment Checklist </li></ul>SchoolDude University 2009
  28. 28. Risk Analysis <ul><ul><ul><li>What’s at risk? </li></ul></ul></ul><ul><ul><ul><li>Vulnerabilities and Threats </li></ul></ul></ul><ul><ul><ul><ul><li>Identify impacts to </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>System </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>People </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>IT organizational issues </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Physical plant </li></ul></ul></ul></ul></ul><ul><ul><ul><li>Stress Test </li></ul></ul></ul>SchoolDude University 2009
  29. 29. Security Planning Grid SchoolDude University 2009 Security Area Basic Developing Adequate Advanced Management Leadership: Little participation in IT security Aware but little support provided Supports and funds security Aligns security with organizational mission Technology Network design and IT operations : broadly vulnerable security roll out is incomplete mostly secure seamless security Environmental & Physical: Infrastructure: not secure partially secure mostly secure secure End Users Stakeholders: unaware of role in security Limited awareness and training Improved awareness, Mostly trained Proactive participants in security
  30. 30. Security Planning Grid <ul><li>Provides benchmarks for assessing key security preparedness factors </li></ul><ul><li>Uses the same topic areas for consistency </li></ul><ul><li>Helps prioritize security improvement action steps </li></ul>SchoolDude University 2009
  31. 31. Planning Security Grid <ul><ul><li>Prioritize solutions </li></ul></ul><ul><ul><li>Action plan </li></ul></ul><ul><ul><li>Revise SOP </li></ul></ul>SchoolDude University 2009
  32. 32. Plan, Test, Plan, Test….. <ul><ul><li>Scenario: &quot;Despite our best intentions...&quot; </li></ul></ul><ul><ul><ul><li>Financial system backups stored within a vault below ground </li></ul></ul></ul><ul><ul><ul><li>Vault walls are constructed of cinderblocks </li></ul></ul></ul><ul><ul><ul><li>Fire destroys the building </li></ul></ul></ul><ul><ul><ul><li>Very cool to the touch </li></ul></ul></ul><ul><ul><ul><li>-- vault becomes sauna, backup tapes destroyed </li></ul></ul></ul>SchoolDude University 2009
  33. 33. Plan, Test, Plan, Test….. <ul><ul><li>XXXXX School District </li></ul></ul><ul><ul><ul><li>Monday, February 11, 2008 </li></ul></ul></ul><ul><ul><ul><li>Break-In at XXX. in XXX, CA </li></ul></ul></ul><ul><ul><ul><li>&quot;Smash and Grab&quot; -- 1 computer stolen </li></ul></ul></ul><ul><ul><ul><li>One data file including personally identifiable information on approximately 3,500 school district employees and on the employees of 12 other school districts </li></ul></ul></ul>SchoolDude University 2009
  34. 34. Plan, Test, Plan, Test….. <ul><ul><ul><li>Decision to notify and “how to respond?&quot; </li></ul></ul></ul><ul><ul><ul><li>Notification authority rests with the Superintendent </li></ul></ul></ul><ul><ul><ul><li>Elected to follow aggressive path of notification and openness </li></ul></ul></ul><ul><ul><ul><li>E-Mails, letters, contact person, Website (blog) </li></ul></ul></ul>SchoolDude University 2009
  35. 35. <ul><li>The worst case scenario . . . </li></ul><ul><li>NO PLAN! </li></ul>SchoolDude University 2009
  36. 36. SchoolDude University 2009 Questions and Comments?
  37. 37. <ul><li> </li></ul>SchoolDude University 2009
  38. 38. Thank you Sponsors SchoolDude University 2009
  39. 39. <ul><li>Linda Sharp </li></ul><ul><li>CoSN Project Manager </li></ul><ul><li>Cyber Security </li></ul><ul><li>IT Crisis Preparedness </li></ul><ul><li>[email_address] </li></ul>SchoolDude University 2009