EDUCAUSE Southeast Regional: Think Stops

Think Stops available at the Southeast Regional Conference each asked a different question to which attendees wrote responses, adding ideas, or building on the ideas of others. Here are photos of the white boards used for the Think Stops along with the ideas and thoughts generated. Thanks to Gerry Bayne, EDUCAUSE, for providing the photos.

EDUCAUSE Southeast Regional Think Stop #1  What are the most pressing issues on your campus?  Transcription follows the photo.

EDUCAUSE Western Regional: Think Stops

Think Stops available at the Western Regional Conference each asked a different question to which attendees wrote responses, adding ideas, or building on the ideas of others. Here are photos of the white boards used for the Think Stops along with the ideas and thoughts generated.  Thanks to Sue Bauer of California Lutheran University for providing the photos.

EDUCAUSE Western Regional: Linda Thor, President, Rio Salado College, All Aboard the Digital Express!

Summary:
All Aboard the Digital Express!
Linda Thor, President, Rio Salado College
 
2007 EDUCAUSE Western Regional Conference
May 7, 2007

San Francisco, CA


Abstract

Four distinct generations, from the tech-savvy to the tech-challenged, are enrolled in higher education today. Are we as educational leaders in tune with their wants and needs? In an era where students can text message their registrations, how many bells and whistles should we offer them? How do we manage to track trends? This presentation will explore possibilities and innovative solutions for the digital age.

EDUCAUSE Western Regional: On the Cutting Edge with Social Software in the Learning Process

Summary:
On the Cutting Edge with Social Software in the Learning Process
Panelist(s)
Peter Beyersdorf, Assistant Professor, San Jose State University

EDUCAUSE Security Conference: Incident Tracking and Reporting

Summary
Incident Tracking and Reporting
Kathy Bergsma, University of Florida
Joshua Beeman, University of Pennsylvania
 
2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
 
Notes:
 
Kathy Bergsma reported on the UFL environment.

UFL has more than 50K students and is decentralized.
 
The first thing UFL tracks is the current contacts for security incident reporting.
It includes network managers, server managers, information security managers and administrators and others.
 
UFL has created an incident response standard that describes 8 response steps from discovery to resolution, establishes an incident response team, defines team and unit responsibilities, and sets up specific procedures for different types of incidents. It is available online at http://www.it.ufl.edu/policies/security/uf-it-sec-incident-response-rewrite.html
 
What UFL tracks:
  • incident identification sources such as IDS (Intrusion Detection System), Email abuse complaints, flow data, and honeypots (decoys)
  • critical elements such as IP address, unit, type, severity, containment and resolution times
 
Various options and tools are available for ticket creation when incidents are identified, and the UFL incident response team receives daily reports on open tickets. In addition, bi-weekly automated reminders for open tickets are sent to their owners. The centralized unit enters a ticket at the point of discovery via IDS (currently using Dragon but switching to Snort). The decentralized unit can then enter updates on the ticket. Everything is done via the web.
 
Vulnerability detection is done with continuous Nessus top-20 scans, and the results are tracked in SQL. They are able to find the weak spots in their systems and compare data from year to year. The scanning hardware is distributed across three machines, and a complete scan takes up to 3 days.
 
Individual unit reports are generated each semester that compare the unit to the 5 most active units in regard to number of incidents, number of incidents adjusted for unit size, average number of days to contain incidents, number of critical vulnerabilities, and number of critical vulnerabilities adjusted for unit size. No unit wants to be in the top 5 group, which is highlighted in bright primary colors that draw attention to the units' security issues. The report also shows the number of incidents of each type and a comparison to the previous semester.
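The semester report described above can be sketched as follows. This is an added example, not UFL's code or data: the unit names, sizes, tickets, vulnerability counts, and the per-1,000-hosts size adjustment are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data (assumption): unit -> number of hosts, used for size adjustment.
UNIT_SIZE = {"eng": 1200, "law": 300, "med": 2500, "arts": 400,
             "lib": 150, "bus": 800, "ag": 600}
# Constructed tickets: (unit, incident type, discovered, contained).
INCIDENTS = [
    ("eng", "bot", date(2007, 2, 1), date(2007, 2, 3)),
    ("eng", "bot", date(2007, 2, 10), date(2007, 2, 11)),
    ("eng", "spam", date(2007, 3, 1), date(2007, 3, 4)),
    ("med", "bot", date(2007, 2, 5), date(2007, 2, 6)),
    ("med", "copyright", date(2007, 3, 2), date(2007, 3, 2)),
    ("lib", "bot", date(2007, 2, 7), date(2007, 2, 17)),
    ("lib", "spam", date(2007, 3, 9), date(2007, 3, 13)),
    ("law", "spam", date(2007, 2, 20), date(2007, 2, 22)),
    ("arts", "bot", date(2007, 3, 15), date(2007, 3, 20)),
    ("bus", "copyright", date(2007, 4, 1), date(2007, 4, 2)),
]
# Constructed counts of critical scan findings per unit, and last semester's type totals.
CRITICAL_VULNS = {"eng": 12, "law": 6, "med": 10, "arts": 1, "lib": 3, "bus": 0, "ag": 9}
PREVIOUS_TYPES = {"bot": 3, "spam": 4, "copyright": 2}

MEASURES = ("incidents", "incidents_per_1000", "avg_days_to_contain",
            "critical_vulns", "critical_vulns_per_1000")

def unit_metrics(incidents, unit_size, critical_vulns):
    """Compute the five report measures for every unit, including units with no tickets."""
    days = defaultdict(list)
    for unit, _type, discovered, contained in incidents:
        days[unit].append((contained - discovered).days)
    metrics = {}
    for unit, size in unit_size.items():
        n, vulns = len(days[unit]), critical_vulns.get(unit, 0)
        metrics[unit] = {
            "incidents": n,
            "incidents_per_1000": round(1000 * n / size, 2),
            # No tickets means no containment time, not a zero-day containment.
            "avg_days_to_contain": round(sum(days[unit]) / n, 2) if n else None,
            "critical_vulns": vulns,
            "critical_vulns_per_1000": round(1000 * vulns / size, 2),
        }
    return metrics

def top_five(metrics, measure):
    """Five most active units for one measure; ties are broken by unit name."""
    ranked = sorted(metrics, key=lambda u: (-(metrics[u][measure] or 0), u))
    return ranked[:5]

def unit_report(unit, metrics):
    """One unit's values next to the top-5 group, flagging where the unit is in it."""
    report = {}
    for measure in MEASURES:
        top = top_five(metrics, measure)
        report[measure] = {"value": metrics[unit][measure], "top5": top,
                           "flagged": unit in top}
    return report

def type_trend(incidents, previous_types):
    """Per incident type: (count this semester, change from previous semester)."""
    now = Counter(kind for _unit, kind, _d, _c in incidents)
    kinds = sorted(set(now) | set(previous_types))
    return {k: (now[k], now[k] - previous_types.get(k, 0)) for k in kinds}

if __name__ == "__main__":
    m = unit_metrics(INCIDENTS, UNIT_SIZE, CRITICAL_VULNS)
    for measure, row in unit_report("med", m).items():
        print(f"{measure:26} {row['value']!s:>6} flagged={row['flagged']} top5={row['top5']}")
    print(type_trend(INCIDENTS, PREVIOUS_TYPES))
```

In the sample data a large unit appears in the top 5 by raw incident count but drops out once the count is adjusted for size, while a small unit moves in, which is why the report carries both forms of each measure.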

EDUCAUSE Security Conference: Herding cats and campuses: addressing distributed security and compliance issues

Summary
Herding cats and campuses: addressing distributed security and compliance issues
Kathleen Kimball, Senior Director, ITS Security Operations and Services, PennState
David Lindstrom, Chief Privacy Officer, PennState
 
2007 EDUCAUSE Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
 
Notes:
Kimball and Lindstrom began their presentation with a quick overview of their statewide environment which serves 83,721 students plus more than 60K staff and faculty at 24 campuses, a medical school, agriculture extensions, and their World Campus online learning program. They have one backbone network statewide and push terabits of data.
 
Their distributed governance and other issues make the security problem more difficult. Many users aren’t doing the “traditional” things like teaching and many are “home users” and that’s the level of their skills as well. In addition, culturally there is a tradition of independence among the campuses and the emphasis on process by committee and consensus makes for a slow process.
 
They see their major security threats coming from constant hostile probes in a situation where security is often dependent on non-technical users.
 
What’s happening in the security arena?
Watching trends they note that there is
  • growing sophistication of network attacks (bots, bots, and more bots)
  • increasing complexity of detecting and removing residual malicious software
  • growing number of vendor security updates to be handled
  • increasingly mobile population of Internet-capable devices connecting to unmanaged networks and then returning to PennState nets.
At the same time they see
  • decreasing amount of time for global spread of worms and other malware
  • less ability to stop intruders at the network border
  • less time available to keep up with vendor security updates
  • decreasing window of time to detect and deter network-based attacks.
Legal and regulatory landscape
Lindstrom suggested that when in doubt, laws are passed, or policy is written, in an attempt to control what is increasingly becoming uncontrollable. He pointed out the 9 or so policies that PennState has produced relating to security and privacy. 
 
Lindstrom and Kimball represent the two sides of the house, administrative and academic, and find that they work together well in their respective institutional duties to reasonably secure sensitive data in their care.
 
At PennState, the network is distributed and so is the responsibility for data security. Each Dean or Administrative Officer is responsible for the data security policies and security implementations in their respective units. These local policies have the force of overall university policy and are intended to be guidelines for systems administrators.
 
In order for any unit to connect to the university network they must have a network administrative, technical, and security contact. These folks are key in incident notifications. There are financial officers in each unit and they help with compliance issues. Currently the biggest problem is that generally only a network address is known for university systems when an incident response begins.
 
Lindstrom noted that units handling administrative data have additional requirements that are outlined in their “Trusted Network Specifications” and access to the net is not given unless they sign in ink that they’ll be responsible. Units with an exception to hold SSNs have even more requirements. In spite of these policies and security precautions, there is a perceived gap between policy and performance for a number of reasons. Those reasons are primarily the plethora of compliance issues such as FERPA, HIPAA, Gramm-Leach-Bliley, Pennsylvania’s Breach of Personal Information Notification, PCI-DSS (credit card industry standards) and undoubtedly more coming.
 
PennState feels that they must do better.
  • Improving the state of privacy and network security practices is essential and it is a distributed problem that needs a distributed solution
  • Raising the bar with regard to security practices and policies, the ability to comply with existing policies and laws, and their agility in responding to new laws that come along.
All of this must happen across the 24+ fiefdoms that comprise PennState.
 
From this the PennState Information Privacy and Security (IPAS) project was born.
It developed from a joint effort between ITS and the Corporate Controller who sold university leadership on the gap between policy and practice. It is sponsored jointly by the Provost and CFO and the responsibility for oversight rests on the CIO and University Controller. Similarly, Kimball and Lindstrom represent the two sides of the house in their roles. It is a big enough central project that it was split 3 ways between budgets/budget executives. Audit, finance, corporate controller and firewall audit (small piece of the overall) was something they could all get their arms around.
 
IPAS
This is a multi-year, multi-phase, university-wide project with some overlap in the timing of the phases.
Phase 1 – evaluate and remediate if necessary PCI-DSS systems and networks
Phase 2 – take lessons learned and apply to systems and networks handling sensitive university information
 
Three project team members were drafted from existing staff for two year assignments to the project: Project Manager, Senior Network Analyst, and Project Technical Coordinator. Copies of the brochure for IPAS were distributed to the session attendees and it was noted that it includes these three staff members, their responsibilities, and their contact information. Leadership from distributed units provided the staff resources.
 
Lindstrom and Kimball listed the specifics of the two phases.

EDUCAUSE Security Conference: Who Owns the Data, Anyway?

Summary: 
Who Owns the Data, Anyway? Defining Data Stewardship
Cathy Hubbs, Director, IT Security, George Mason University
Robert Nakles, Executive Director, ITU Security and Project Office, George Mason University
 
EDUCAUSE Security Professionals Conference
Wednesday, April 11, 2007
Denver, CO
 
Notes:
 
Cathy Hubbs and Bob Nakles began their talk with some background information about their environment at George Mason University.
 
Mainframes to Enterprise Resource Planning
In the mainframe era of what now seems the distant past, just a few chosen people were involved with data at any given college or university. It was easier to be guardians of the data and the access points were limited. While many had access to the data, few had the ability to write to it. Few policies were needed.
 
Now everyone is involved with data starting with ERPs. We use a single database to store data across the institution and the ownership and responsibilities have become entangled. Today many people create data and even more people have access to read it. Today more policies are needed, the review process is much more stringent, and the policies have a greater impact on process.
 
ERPs bring a new complexity to the question of data ownership.

EDUCAUSE Security Conference: Secrets of Superspies

Summary
Secrets of Superspies
Ira Winkler, Author of Spies Among Us and
President, Internet Security Advisors Group
 
2007 EDUCAUSE Security Professionals Conference
Wednesday, April 11, 2007
Denver, CO
 
Notes:
 
Ira Winkler gave a lively and entertaining account of his work sorting out a variety of insecure situations and offered specific recommendations based on his experiences.
 
Bad & Good Spies
Winkler said the 2nd worst spy in the world is ‘James Bond’, who is portrayed as someone who kills people, infiltrates enemy organizations and facilities, is feared by his enemies, and blows things up. On the other hand, he kills people, blows things up, is always known by his enemies, and always gets caught at some point, which makes for longer and more interesting movies but isn’t the way good spies operate.
 
The worst spy in the world is ‘Sydney Bristow’ from ‘Alias’. She does a good job at infiltrating but the bad guys are always prepared and one step ahead of her in protecting their information. Winkler said ‘Alias’ actually demonstrates good security programs – those put in place by the bad guys to thwart her efforts to obtain their secrets with ‘defense in depth’. She can be following leads to find the safe behind the picture but they are one step ahead of her with a booby-trapped safe.
 
Good spies aren’t noticeable, they find people or systems with information they want and they find ways to have that information given to them without incident. The bottom line message is that these may be good movies but in real life we want to create security with defense in depth that would make bad movies.
 
What do real spies do? They
  • Determine requirements – what they want to know
  • Determine who has it and how to collect it
  • Analyze information (this is the hard part)
  • Re-evaluate their needs (Do they need more information? Are there new requirements?)
In this ongoing loop, collection appears to be the focus, but the most critical piece is determining the requirements because you ‘need to know what you need to know’.
 
Science versus Art
Hackers like to portray themselves as artists, as they need to be ‘special’.
 
Spies are scientists with a methodical and repeatable process. They must have elements of ability, training, and practice. They can have only two of these but one must be training. If they don’t have training they can be dangerous.
 
Visualization skills are the key ability in this work. Good security people have ability, work in a process, and practice. The folks on the ‘good side’ don’t use their ability and process for criminal activity.
 
Operatives with 3 years of experience can rapidly recognize vulnerabilities and exploit them. Also real spies know how to protect themselves. 
 
Winkler noted that security and counterintelligence are totally separate activities. He shared an interesting story about spies gathering sensitive data via local Chinese restaurants.
 
You need to have common knowledge and exercise common sense, but awareness training is the most important aspect of a good security program.
  • Know the tricks of the trade and what to expect
  • Be right 100% of the time though your adversary only needs to be right once to win at this game
  • It’s not about protecting the computers; it’s about protecting the information on the computers.
Spies focus on information
  • Technology is only important because it provides access to information
  • Different classes of computers get different levels of protection
  • There can be tremendous threat but risk can be relatively small
Risk Management
Winkler suggested using a risk management equation where the threat*vulnerability is considered against the security countermeasures that mitigate risks. 
Threat is who or what is ‘out to get you.’ Vulnerability is the weakness that the threat can exploit. Value is the information or services you need to protect. Countermeasures are what you do to protect your value. Knowing these helps you determine where to spend effort and resources.   He indicated that the biggest risks are not malicious people, but rather people who do stupid things.
 
Security is about implementing countermeasures to mitigate risks and he offered two key points:
  • Don’t do security – manage it instead.
  • Don’t focus on the threat – focus on the mitigations
Winkler provided two case studies. The first was about testing the security of a nuclear facility, which focused on the importance of process. If a spy knows the process and can take advantage of that knowledge and of where the vulnerabilities in it may be, you are breach-able. In this case the vulnerabilities that he exploited were all preventable. While people are fascinated by threats, it only takes bad intent to accomplish what he demonstrated in his breach of this sensitive facility. He said this is true for any attack.
 
Winkler also said that we must stop treating the bad guys as celebrities, be they the Cloverdale teens who infiltrated the .mil domain or others. They are not dragons, they are snakes, and good security people are not knights, they are exterminators. He did understand that the dragon/knight scenario is better for budgets.
 
Moving into a discussion of budget issues, Winkler was clear that IT budgets and security/protection budgets are not the same and we must optimize risk. Potential loss should drive the budget. On measures of cost, there is a point where vulnerabilities plotted against countermeasures can give us a risk optimization. Risk should be a key consideration in determining the budget.
 
Things to Remember
In his closing statements, Winkler stressed
  • importance of awareness training
  • countermeasures should not be determined by budget or vendor hype
  • focus on information and services not on computers/technology
  • create defense in depth
  • focus on countermeasures that mitigate risk
…and indicated that realistic security is achievable.

EDUCAUSE Security Conference: Influencing the future of security in your organization

Summary:
Influencing the future of security in your organization
Pamela Fusco, Former EVP and Head Global Information Security, Citigroup Inc.
 
2007 Security Professionals Conference
Thursday, April 12, 2007
Denver, CO
 
Notes:
 
Fusco began by talking of the importance of having a business process as an anchor for your work. She has worked at a number of different companies (Merck, Digex, WorldCom, Citigroup, etc.), each of which was different and had a specific kind of security need.

EDUCAUSE North East Regional Computing Program Conference 2007. Summary: Universal Access to Human Knowledge

Summary
General Session
Wednesday, March 21, 2007
Worcester, Massachusetts
Title:
Universal Access to Human Knowledge (or Public Access to Digital Materials)
Speaker:
Brewster Kahle, Director and Cofounder, Digital Librarian, and Chairman of the Board, Internet Archive
Abstract:
The goal of universal access to our cultural heritage is within our grasp. With current digital technology we can build comprehensive collections, and with digital networks we can make these available to students and scholars all over the world. The current challenge is establishing the roles, rights, and responsibilities of our libraries and archives in providing public access to this information. With these roles defined, our institutions will help fulfill this epic opportunity of our digital age.
 
Notes:
Brewster Kahle’s primary mission in life is to take the published works of humankind and make them accessible to everyone (universally) in the world. He argues that this is the opportunity of our generation and if we don’t make them available now we will have lost our opportunity to do so.
 
Kahle noted that many kids today think everything is already on the Internet and available to them but they do not understand that the best we have to offer is not. He asked “what are the roles going to be as this digital information revolution rolls out?” Is there a role for universities or will the non-profits rise to the occasion?
 
The goal will be to process information from shelves to servers. Kahle noted that “Free to all” is inscribed over the door of the Boston Public Library. Library or access to information needs to be FREE so each individual will be able to do what is needed to create new ideas out of the old.
 
Kahle suggests that universal access is within our grasp and suggests that two key elements in its provision are the roles and politics that will undergird the work.
 
Digitization of text:
Kahle said that the digitization of all books and printed materials is within our grasp. A rough calculation is that it would take $60K to house the 26-28 million volumes in the Library of Congress on a Linux machine, but if you actually like the book format then we might be looking at $750 million to scan each book and make it available using a scanner developed specifically for this purpose. The equipment is about $100K and the cost is about 10 cents per page, which is cheaper than the cost of building a library with the space needed to house the physical books.
 
They’ve also created a bookmobile which is actually a printmobile in that it can print a book on demand for about a penny a page. This will allow printing and binding your own books if you want paper instead of screen. The basic idea is that kids can make their own books at a low cost which is cheaper than the library can loan them since the print-on-demand system is based on toner ink instead of oil based ink. India, Egypt, and Uganda have systems operating now. 
 
He discussed the Open Content Alliance and The Million Book Project, funded by NSF and spearheaded by Carnegie Mellon University in the US but which has focused primarily in India where the cost of scanning materials is a third of the cost in the US. China and Egypt are also involved.
